[IS&T Security-FYI] Newsletter, April 4, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Apr 4 15:57:21 EDT 2008


In this issue:

1. What Exactly is a Digital Certificate?
2. User Account Compromises at MIT


------------------------------------------------
1. What Exactly is a Digital Certificate?
------------------------------------------------

Last week I included an article in this newsletter about security in  
browsers. A reader asked me about the certificate warnings that will  
now come up frequently in IE7 and recently in Firefox 2, because he  
was not sure what they were good for. What do you look for? How do  
you know if you should accept it?

First, what exactly is a certificate? A digital certificate is simply  
a signed notice, issued by a certificate authority, stating that a  
secure web site is what it claims to be. The checking of that claim  
takes place when the web site owner requests the certificate. The  
value or strength of a certificate depends on the issuer (the  
certificate authority) and on the certificate class. It is similar to  
an individual going to the department of motor vehicles and  
requesting a driver's license. So are web certificates trustworthy?  
Like a driver's license, a certificate can be faked, so there is no  
way to be 100% sure.
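The checks a browser runs before it decides between a padlock and a warning, as an added example written for this newsletter (not code from the original, MIT, or any CA): it uses Go's standard crypto/x509 package to build a constructed "trusted" CA, issues site certificates from it and from a CA nobody trusts, and verifies each the way a browser would. Every CA name, hostname and date in it is made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the plain-language outcome a browser turns into a padlock or a warning.
type Verdict struct {
	OK     bool
	Reason string // "hostname mismatch", "expired", "unknown issuer", or "" when OK
}

// newCert creates a key pair and a certificate for it. With parent == nil the
// certificate is self-signed (a CA's own root); otherwise it is signed by the
// parent's key, which is what a CA does when a site owner applies for one.
// Everything here is constructed for the example; no real CA is involved.
func newCert(cn string, dnsNames []string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames, // the names a browser is allowed to match
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// classify maps Go's verification error types onto the three things a
// browser warning is usually telling you.
func classify(err error) Verdict {
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	var inv x509.CertificateInvalidError
	switch {
	case err == nil:
		return Verdict{OK: true}
	case errors.As(err, &hn):
		return Verdict{Reason: "hostname mismatch"}
	case errors.As(err, &ua):
		return Verdict{Reason: "unknown issuer"}
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return Verdict{Reason: "expired"}
	}
	return Verdict{Reason: err.Error()}
}

// checkSite does what a browser does before showing a padlock: chains the site
// certificate to a root in the trust store, matches the name typed in the
// address bar against the certificate, and checks the validity period.
func checkSite(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return classify(err)
}

// must keeps the scenario code readable; a certificate-creation failure is fatal.
func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

// scenarios builds one trusted CA and one unknown CA, issues site certificates
// from each, and returns the verdict for four situations a user may meet.
func scenarios() map[string]Verdict {
	now := time.Date(2008, time.April, 4, 12, 0, 0, 0, time.UTC) // constructed "today"
	year := 365 * 24 * time.Hour
	site := "secure.example.edu" // constructed hostname

	trustedCA, trustedKey := must(newCert("Example Trusted CA", nil, true, now.Add(-year), now.Add(10*year), nil, nil))
	unknownCA, unknownKey := must(newCert("CA Nobody Trusts", nil, true, now.Add(-year), now.Add(10*year), nil, nil))

	roots := x509.NewCertPool() // the browser's trust store: only the trusted CA
	roots.AddCert(trustedCA)

	good, _ := must(newCert(site, []string{site}, false, now.Add(-year), now.Add(year), trustedCA, trustedKey))
	expired, _ := must(newCert(site, []string{site}, false, now.Add(-2*year), now.Add(-year), trustedCA, trustedKey))
	rogue, _ := must(newCert(site, []string{site}, false, now.Add(-year), now.Add(year), unknownCA, unknownKey))

	return map[string]Verdict{
		"valid":          checkSite(good, roots, site, now),
		"wrong name":     checkSite(good, roots, "login.example.edu", now),
		"expired":        checkSite(expired, roots, site, now),
		"unknown issuer": checkSite(rogue, roots, site, now),
	}
}

func main() {
	for name, v := range scenarios() {
		fmt.Printf("%-15s ok=%-5v %s\n", name, v.OK, v.Reason)
	}
}
```

The three non-OK verdicts are the three messages a browser warning is usually carrying: the issuer is not in your trust store, the name on the certificate is not the site you typed, or the validity period has passed. Note what the "valid" verdict does and does not say: the CA vouched for that hostname when the certificate was issued, nothing more, which is why the newsletter's point that a certificate can still be faked stands.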

At MIT, web certificates are your key to accessing secure web  
services at the Institute, such as benefits, SAPweb, and Request  
Tracker. You can also get a personal certificate. Personal  
certificates expire each year and you will receive a reminder to  
install a new certificate each summer. They will not guarantee you  
access to all secure sites but will give you access to the ones that  
you should have access to depending on your affiliation with the  
Institute.

Certificates and the messages attached to them are complex for the  
average user to understand. Here are some good articles on  
understanding web certificates:
<http://www.us-cert.gov/cas/tips/ST05-010.html>
<http://www.codinghorror.com/blog/archives/001024.html>


-----------------------------------------------
2. User Account Compromises at MIT
-----------------------------------------------

By now we may have all been brought up to speed on the recent  
phishing attacks that have been plaguing MIT and other universities  
the past three or four months. If you haven't heard, these phishing  
attacks have reached some of our inboxes in the form of spam that  
looks like it comes from the "email team" or "account team" at MIT.  
The email message tells the recipient, addressed as "Dear Mit Webmail  
Subscriber" (spelling is verbatim), that he must reply with his  
password and that failure to do so will deactivate his account from  
the database. Let's be clear: THESE MESSAGES ARE NOT FROM ANYONE AT MIT.

Now what would be the goal of the spammers? To read the email of  
unsuspecting MIT account holders? Not at all. The compromised  
accounts get used to send out even more spam. Their goal is to send  
more harmful email messages out into the world, messages that will do  
more than compromise an email account. These emails carry attachments  
or malicious code which, when downloaded, turn a computer into a  
"zombie" that takes instructions from other computers and pushes out  
harmful code through the networks it is connected to.

The amount of spam coming from compromised accounts will cause  
authenticated MIT mail to be rejected (or "blacklisted") by other  
ISPs, inconveniencing everyone at the Institute.

The message here is to guard your passwords well:

- Make them strong: use lower and upper case letters, numbers and  
special characters, and make them more than 6 characters long
- Change them on a regular basis, at least once every year or few years
- Make them easy for you to remember but difficult for others to  
guess, by using a phrase only you would know
- Never give them away via email or other means

For more tips see:
<http://web.mit.edu/ist/topics/security/passwords.html>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security