[IS&T Security-FYI] Newsletter, April 4, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Apr 4 15:57:21 EDT 2008
In this issue:
1. What Exactly is a Digital Certificate?
2. User Account Compromises at MIT
------------------------------------------------
1. What Exactly is a Digital Certificate?
------------------------------------------------
Last week I included an article in this newsletter about security in
browsers. A reader asked me about the certificate warnings that IE7,
and more recently Firefox 2, now show frequently, because he was not
sure what they were good for. What do you look for? How do you know
whether you should accept one?
First, what exactly is a certificate? A digital certificate is simply
a notice which says that a secure web site is what it claims to be.
The verification takes place when the web site owner requests the
certificate. The value or strength of the certificate depends on the
issuer (the certificate authority) or the certificate class. It is
similar to an individual going to the department of motor vehicles
and requesting a driver's license. So are web certificates
trustworthy? Like a driver's license, a certificate can be faked, so
there is no way to be 100% sure.
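To make the "what do you look for" question concrete, here is a small added example (mine, not code from MIT IS&T or from any browser) of the checks a browser performs before it accepts a site certificate: is the issuer one the browser already trusts, is the certificate self-signed, is it within its validity period, and was it issued for the host name you actually typed. The certificate records, the issuer name "Example Root CA" and the host names are all constructed; a real browser additionally verifies the authority's signature over the certificate, which this illustration leaves out.

```python
"""What a browser checks before trusting a web site certificate.

Added example for this newsletter; not MIT IS&T code.  The certificate
records below are constructed dictionaries (not real X.509 certificates),
and TRUSTED_ISSUERS stands in for the browser's built-in root store.
"""
from datetime import datetime, timezone

# Stand-in for the browser's root store: issuers trusted out of the box.
TRUSTED_ISSUERS = {"Example Root CA"}          # constructed name


def hostname_matches(pattern, hostname):
    """Match one certificate name against the host name the user typed.

    A single leading '*.' wildcard may stand for exactly one label, which
    is the usual browser rule: '*.example.com' covers 'www.example.com'
    but not 'example.com' or 'a.b.example.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".example.com"
    head, sep, rest = hostname.partition(".")
    return bool(sep) and head != "" and ("." + rest) == suffix


def certificate_warnings(cert, hostname, now):
    """Return the reasons a browser would warn about `cert` when it is
    presented by `hostname` at time `now`.  An empty list means no warning."""
    reasons = []
    if cert["subject"] == cert["issuer"]:
        reasons.append("certificate is self-signed (no authority vouches for it)")
    elif cert["issuer"] not in TRUSTED_ISSUERS:
        reasons.append("issuer is not a trusted certificate authority")
    if now < cert["not_before"]:
        reasons.append("certificate is not yet valid")
    if now > cert["not_after"]:
        reasons.append("certificate has expired")
    if not any(hostname_matches(n, hostname) for n in cert["names"]):
        reasons.append("certificate was not issued for this host name")
    return reasons


# Constructed sample data.  NOW is the newsletter's own date.
NOW = datetime(2008, 4, 4, 12, 0, tzinfo=timezone.utc)

GOOD_CERT = {
    "subject": "www.example.com",
    "issuer": "Example Root CA",
    "names": ["www.example.com", "*.example.com"],
    "not_before": datetime(2007, 6, 1, tzinfo=timezone.utc),
    "not_after": datetime(2008, 6, 1, tzinfo=timezone.utc),
}
SELF_SIGNED_CERT = {
    "subject": "test-server.local",
    "issuer": "test-server.local",            # issued to itself
    "names": ["test-server.local"],
    "not_before": datetime(2008, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2009, 1, 1, tzinfo=timezone.utc),
}
EXPIRED_CERT = dict(GOOD_CERT, not_after=datetime(2008, 1, 1, tzinfo=timezone.utc))


def check_samples():
    """Run the three constructed certificates through the checks."""
    return {
        "good, right host": certificate_warnings(GOOD_CERT, "www.example.com", NOW),
        "good, wildcard host": certificate_warnings(GOOD_CERT, "mail.example.com", NOW),
        "good, wrong host": certificate_warnings(GOOD_CERT, "example.com", NOW),
        "self-signed": certificate_warnings(SELF_SIGNED_CERT, "test-server.local", NOW),
        "expired": certificate_warnings(EXPIRED_CERT, "www.example.com", NOW),
    }


if __name__ == "__main__":
    for label, reasons in check_samples().items():
        print(f"{label:20s} -> {'OK' if not reasons else '; '.join(reasons)}")
```

Each warning in the list maps to something the user can read off the browser's dialog: who issued the certificate, its validity dates, and the name it was issued to. A certificate that passes all of these is still only as trustworthy as the authority that issued it, which is the point the paragraph above makes.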
At MIT, web certificates are your key to accessing secure web
services at the Institute, such as benefits, SAPweb, and Request
Tracker. You can also get a personal certificate. Personal
certificates expire each year, and you will receive a reminder each
summer to install a new one. They will not guarantee you access to
all secure sites, but they will give you access to the ones you are
entitled to based on your affiliation with the Institute.
Certificates and the messages attached to them are complex for the
average user to understand. Here are some good articles on
understanding web certificates:
<http://www.us-cert.gov/cas/tips/ST05-010.html>
<http://www.codinghorror.com/blog/archives/001024.html>
-----------------------------------------------
2. User Account Compromises at MIT
-----------------------------------------------
By now we may all have been brought up to speed on the recent
phishing attacks that have been plaguing MIT and other universities
for the past three or four months. If you haven't heard, these
phishing attacks have reached some of our inboxes in the form of spam
that looks like it comes from the "email team" or "account team" at
MIT. The email message tells the recipient, addressed as "Dear Mit
Webmail Subscriber" (spelling is verbatim), that he must reply with
his password and that failure to do so will deactivate his account
from the database. Let's be clear: THESE MESSAGES ARE NOT FROM ANYONE AT MIT.
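The message described above has a recognisable shape, and that shape is something mail filters and alert readers can check for. The following added example (mine, not an MIT IS&T tool) scores a raw email message against a small set of indicators taken from the description: a sender that poses as the "email team" or "account team" but writes from an address outside mit.edu, a generic "Dear ... Webmail Subscriber" salutation, a request to reply with a password, and a threat to deactivate the account. Both sample messages are constructed, and the rule set and the Reply-To check are my own assumptions, not a complete definition of phishing.

```python
"""Flag the hallmarks of the "account team" password phishing described above.

Added example for this newsletter, not an MIT IS&T tool.  The two messages
are constructed samples; the indicator rules are an assumed, minimal set.
"""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "mit.edu"        # the domain the phishing mail pretends to come from

# Phrases the described messages use in the sender's display name.
IMPERSONATED_TEAMS = ("email team", "account team", "webmail")

# "Dear Mit Webmail Subscriber", "Dear Valued User", ... (no personal name).
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+\S+\s+(webmail\s+)?(subscriber|user|customer)", re.I | re.M)
# "reply ... with your ... password" within one sentence.
PASSWORD_REQUEST = re.compile(
    r"\b(reply|send|confirm)\b[^.\n]{0,80}\bpassword\b", re.I)
# "deactivate/suspend/delete/close ... your account" within one sentence.
DEACTIVATION_THREAT = re.compile(
    r"\b(deactivat|suspend|delet|clos)\w*\b[^.\n]{0,60}\baccount\b", re.I)


def phishing_indicators(raw_message):
    """Return the list of indicators found in a raw RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""   # plain-text samples only

    found = []
    poses_as_team = any(t in display_name.lower() for t in IMPERSONATED_TEAMS)
    if poses_as_team and not address.lower().endswith("@" + OUR_DOMAIN):
        found.append(f"sender poses as an MIT team but writes from {address}")
    if reply_addr and not reply_addr.lower().endswith("@" + OUR_DOMAIN):
        found.append(f"replies would go outside {OUR_DOMAIN}: {reply_addr}")
    if GENERIC_SALUTATION.search(body):
        found.append("generic salutation instead of the recipient's name")
    if PASSWORD_REQUEST.search(body):
        found.append("asks the recipient to send a password")
    if DEACTIVATION_THREAT.search(body):
        found.append("threatens to deactivate the account")
    return found


# Constructed sample: the kind of message the newsletter describes.
PHISH_SAMPLE = """From: MIT Email Team <support@webmail-update.example>
Reply-To: support@webmail-update.example
To: user@mit.edu
Subject: Account Verification

Dear Mit Webmail Subscriber,

Reply to this message with your username and password.
Failure to do so will deactivate your account from the database.
"""

# Constructed sample: an ordinary service notice that should not be flagged.
LEGIT_SAMPLE = """From: IS&T Help Desk <helpdesk@mit.edu>
To: user@mit.edu
Subject: Scheduled maintenance

Hello Jane,

Webmail will be unavailable Sunday from 2am to 4am for maintenance.
We will never ask for your password by email.
"""


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        hits = phishing_indicators(sample)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

Any single indicator can occur in honest mail, so a filter would normally act on the count or a weighted score rather than on one match; the point of the example is that the sample phish trips every rule at once while the routine notice trips none.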
Now what would be the goal of the spammers? To read the email of
unsuspecting MIT account holders? Not at all. The compromised
accounts are used to send out even more spam. Their goal is to send
more harmful email messages out into the world, messages that do more
than compromise an email account. These emails carry attachments or
malicious code which, when downloaded, turn a computer into a
"zombie" that takes instructions from other computers and pushes
harmful code out through the networks it is connected to.
The amount of spam coming from compromised accounts will cause
authenticated MIT mail to be rejected (or "blacklisted") by other
ISPs, inconveniencing everyone at the Institute.
The message here is to guard your passwords well:
- Make them strong: use lower and upper case letters, numbers and
special characters, and make them more than 6 characters long.
- Change them on a regular basis, at least once a year or every few years.
- Make them easy for you to remember but difficult for others to
guess, by using a phrase only you would know.
- Never give them away via email or by any other means.
For more tips see:
<http://web.mit.edu/ist/topics/security/passwords.html>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security