[IS&T Security-FYI] Newsletter, September 12, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Sep 12 15:40:50 EDT 2008


In this issue:

1. September 2008 Security Updates
2. IRS Puts Taxpayer Data at Risk
3. Knowing Scams: Don't Take Candy from a Stranger


-----------------------------------------------
1. September 2008 Security Updates
-----------------------------------------------

Microsoft and Apple have both released updates this month. Below is a  
list of items affected:

----Microsoft-----

  * Microsoft Windows (XP SP2 and SP3, Vista)
  * Microsoft Windows Server (2003, 2008)
  * Microsoft Windows Media Player 11
  * Microsoft Office (XP, 2003, and 2007)

Microsoft released 4 critical updates on September 9 that address  
various vulnerabilities a remote, unauthenticated attacker could use  
to execute arbitrary code or cause a vulnerable system to crash. Apply  
the updates from Microsoft via MIT WAUS or Microsoft software update.

For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/MS08-sep.mspx>

----Apple----

  * Bonjour for Windows 1.0.5
  * iPhone 2.1
  * iPod Touch 2.1
  * iTunes 8.0
  * QuickTime 7.5.5

Apple has released the above-mentioned updates to resolve several  
vulnerabilities and bugs. The iPhone update addresses, among other  
items, the issue reported in August that allowed an unauthorized user  
to bypass the Passcode Lock and launch iPhone applications. The flaw  
does not affect phones running versions prior to 2.0.

For more information about these updates see:
<http://support.apple.com/kb/HT1222?viewlocale=en_US>


-------------------------------------------
2. IRS Puts Taxpayer Data at Risk
-------------------------------------------

It is one thing when TJ Maxx or The Gap are careless with employee or  
customer data. Everyone entrusted with sensitive information such as  
addresses, birthdates, credit card information, bank account data,  
social security numbers, etc., should take the responsibility that  
comes with that trust very seriously. But one institution that should  
put protection of personal and sensitive data above all else is the  
Internal Revenue Service (IRS).

However, a recent report from the Treasury Inspector General for  
Taxpayer Information, a government agency, shows that its auditors  
discovered almost 2,000 rogue, unidentified web servers within the  
IRS. Their review of the IRS systems also found more than 2,000 web  
servers with at least one known vulnerability, 540 of which have at  
least one Highly Critical vulnerability.

<http://www.treas.gov/tigta/auditreports/2008reports/200820159fr.html>

[source: About.com]


--------------------------------------------------------------------
3. Knowing Scams: Don't Take Candy from a Stranger
--------------------------------------------------------------------

Scam artists exploit the gullibility of their target victims in order  
to carry out their evil plans. We've all heard of phishing scams by  
now (emails used to trick recipients into revealing either sensitive  
information or login information for personal accounts). But there are  
many other ways that scammers will try to rope us in, including:

- Callers pretending to be with a certain company. In one example, a  
caller claims to be from Visa or MasterCard and reads the target  
victim his own (real) credit card number to "prove" the call is  
legitimate. The caller then asks him to read the 7 digit number on the  
back of the card, supposedly to confirm he is in possession of the  
card because they have reason to believe it was used to make  
fraudulent charges. Now the scammer has all the information needed to  
make a purchase with that card.

- Email threats, like one that has been going around claiming the  
sender has kidnapped your baby and asking for a $50,000 ransom. The  
email has an attachment that supposedly contains a picture of your  
baby; the only problem is that it actually contains malware.

- Online phishing attacks, such as the real-looking auctions on eBay  
that end up being bogus.

The main thing to be aware of when faced with a scam is whether you  
feel that something is off-kilter. If you are feeling wary or  
distrustful, you should probably listen to your instinct and not  
continue. Just hang up, walk away, or delete that email.

Know the psychology of a scam:

1. It dangles the prospect of great wealth, enticing you with  
something you want but can't normally have.
2. It tries to build credibility by claiming to be with a reputable  
firm but doesn't offer any tangible evidence.
3. It leads you to believe others have already benefited from the  
offer and gives examples of supposed earlier winners or investors.
4. It offers to do a small favor for you in return for a big favor.
5. It creates a false sense of urgency by claiming limited supply or  
time to respond.

Legitimate telemarketers use these same tactics. But one key  
difference is that real deals will still be there tomorrow and have a  
way to get in touch with a person later. Always take the time to stop  
and think before making a decision.

Most of us hate to be distrustful of others, but we offer the same  
advice to our loved ones, especially those we think can be easily  
conned. How often have you heard or used this phrase: "Don't take  
candy from a stranger"?



=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T IT staff will *NEVER*  
ask you for your password.
