[IS&T Security-FYI] Newsletter, September 12, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Sep 12 15:40:50 EDT 2008
In this issue:
1. September 2008 Security Updates
2. IRS Puts Taxpayer Data at Risk
3. Knowing Scams: Don't Take Candy from a Stranger
-----------------------------------------------
1. September 2008 Security Updates
-----------------------------------------------
Microsoft and Apple have both released updates this month. Below is a
list of items affected:
----Microsoft----
* Microsoft Windows (XP SP2 and SP3, Vista)
* Microsoft Windows Server (2003, 2008)
* Microsoft Windows Media Player 11
* Microsoft Office (XP, 2003, and 2007)
Microsoft released 4 critical updates on September 9 that address
various vulnerabilities a remote, unauthenticated attacker could use
to execute arbitrary code or cause a vulnerable system to crash. Apply
the updates from Microsoft via MIT WAUS or Microsoft software update.
For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/MS08-sep.mspx>
----Apple----
* Bonjour for Windows 1.0.5
* iPhone 2.1
* iPod Touch 2.1
* iTunes 8.0
* QuickTime 7.5.5
Apple has released the above-mentioned updates to resolve several
vulnerabilities and bugs. The iPhone update addresses, among other
items, the issue reported in August that allowed an unauthorized user
to bypass the Passcode Lock and launch iPhone applications. The flaw
does not affect phones running software prior to 2.0.
For more information about these updates see:
<http://support.apple.com/kb/HT1222?viewlocale=en_US>
-------------------------------------------
2. IRS Puts Taxpayer Data at Risk
-------------------------------------------
It is one thing when TJ Maxx or The Gap are careless with employee or
customer data. Everyone entrusted with sensitive information such as
addresses, birthdates, credit card information, bank account data,
social security numbers, etc, should take the responsibility that
comes with that trust very seriously. But, one institution that should
put protection of personal and sensitive data above all else is the
Internal Revenue Service (IRS).
However, a recent report from the Treasury Inspector General for
Taxpayer Information, a government agency, shows that its auditors
discovered almost 2,000 rogue, unidentified web servers within the
IRS. Their review of the IRS systems also found more than 2,000 web
servers with at least one known vulnerability, 540 of which had at
least one Highly Critical vulnerability.
<http://www.treas.gov/tigta/auditreports/2008reports/200820159fr.html>
[source: About.com]
--------------------------------------------------------------------
3. Knowing Scams: Don't Take Candy from a Stranger
--------------------------------------------------------------------
Scam artists will use the gullibility of their target victims in order
to carry out their evil plans. We've all heard of phishing scams by
now (emails used to trick recipients into revealing either sensitive
information or login credentials for personal accounts). But there are
many other ways that scammers will try to rope us in, including:
- Callers pretending to be with a certain company. In one example, a
caller claiming to be from Visa or MasterCard gives the target victim
his own (real) credit card number to "prove" that the caller is
legitimate. The caller then asks him to read the 7 digit number on the
back of the card, supposedly to make sure he is in possession of the
card because they have reason to believe it was used to make
fraudulent charges. Now the caller has all the information needed to
make a purchase with that card.
- Email threats, like one that has been going around claiming the
sender has kidnapped your baby and demanding a $50,000 ransom. The
email has an attachment that supposedly contains a picture of your
baby; the only problem is that it actually contains malware.
- Online phishing attacks, such as the real-looking auctions on eBay
that end up being bogus.
The main thing to be aware of when faced with a scam is whether you
feel that something is off-kilter. If you are feeling wary or
distrustful, you should probably listen to your instinct and not
continue. Just hang up, walk away, or delete that email.
Know the psychology of a scam:
1. It dangles the prospect of great wealth, enticing you with
something you want but can't normally have.
2. It tries to build credibility by claiming to be with a reputable
firm but doesn't offer any tangible evidence.
3. It leads you to believe others have already benefited from the
offer and gives examples of supposed earlier winners or investors.
4. It offers to do a small favor for you in return for a big favor.
5. It creates a false sense of urgency by claiming limited supply or
time to respond.
Legitimate telemarketers use these same tactics. But one key
difference is that real deals will still be there tomorrow and have a
way to get in touch with a person later. Always take the time to stop
and think before making a decision.
Most of us hate to be distrustful of others, but we offer the same
advice to our loved ones, especially those we think can be easily
conned. How often have you heard or used this phrase: "Don't take
candy from a stranger"?
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T IT staff will *NEVER*
ask you for your password.