[IS&T Security-FYI] Newsletter, August 24, 2009
Monique Yeaton
myeaton at MIT.EDU
Mon Aug 24 15:35:38 EDT 2009
In this issue:
1. Security Updates from Apple
2. Gmail Password Recovery Vulnerability
3. Automatic Update Risks
4. Phishing Site Fooled University
----------------------------------------
1. Security Updates from Apple
----------------------------------------
Apple released several more security updates since the last issue of
this newsletter was published.
---- Safari 4.0.3 ----
The Safari 4.0.3 update includes improvements to stability, compatibility
and security, including:
Stability improvements for 3rd party plug-ins, Safari's Top Sites
feature (a list of most visited sites), and web pages that use the
HTML 5 video tag
Fixes an issue that prevented some users from logging into iwork.com
Fixes an issue for Windows users that could cause Web content to be
displayed in grayscale instead of color
Users running Safari on Windows, Vista, Tiger or Leopard are encouraged
to install the new update. It is available from Apple's Safari
Downloads page:
<http://www.apple.com/safari/download/>
---- Security Update 2009-004 ----
Available for: Mac OS X 10.4.11 and Mac OS X 10.5.8
About a week after releasing Security Update 2009-003 / Mac OS X
10.5.8, Apple released Security Update 2009-004 on August 12, to
address a single vulnerability in the BIND suite of Unix utilities
that works with the Domain Name System. There is reportedly a public
exploit of the vulnerability in wide circulation.
The update is available through Software Update or Apple's Downloads
page:
<http://support.apple.com/downloads/>
-----------------------------------------------------
2. Gmail Password Recovery Vulnerability
-----------------------------------------------------
If you are using Gmail for your personal or primary email account, you
should know about a password recovery vulnerability that could allow a
hacker to gain access to personal information. Many people forget
their passwords, so a password recovery feature is included in almost
any online service. Google lets you recover a password in three
different ways: via email, via text message, or after answering a
personal security question online.
Watch this video from CNET, which explains how an alleged attack on a
Twitter employee occurred, exposing sensitive company documents. Tips
for how to stay safe are also covered:
<http://blogs.techrepublic.com.com/itdojo/?p=894&tag=nl.e036>
These tips can be applied to other online applications that have
password recovery features. The best tip listed: don't opt in to
recover a password. An effective password is one that no one else can
guess, isn't shared, and is easily remembered.
----------------------------------
3. Automatic Update Risks
----------------------------------
What if an attacker could hijack the update request of a computer
application and download malware instead of the update? A lot of
applications are set to check for updates automatically, without
requiring you to enter an administrative password. A new attack tool,
called Ippon, will scan open Wi-Fi networks specifically for HTTP
update request traffic. If found, Ippon sends a message to the
application that an update is available even if it's not. Once the
connection is established, a malicious file is then downloaded from
the attacker's server.
So far Microsoft and Apple applications are not vulnerable to an Ippon
attack because they are digitally signed. The main way to avoid this
type of attack is to not use open Wi-Fi connections. If using Wi-Fi,
the suggestion is to set updates to manual rather than automatic.
Read the full story here:
<http://blogs.techrepublic.com.com/security/?p=2056&tag=nl.e036>
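The reason signed applications are not affected by an Ippon-style
attack is that the update client checks a signature before it installs
anything, so an answer forged on the network cannot pass the check no
matter what version it claims to be. The following Go program is an
added illustration of that check, not code from the newsletter, from
Apple or Microsoft, or from the Ippon tool. It assumes a hypothetical
update format (UpdateManifest, SignUpdate, VerifyUpdate) in which the
publisher signs the SHA-256 digest of the version string and payload
with an Ed25519 key and the client carries a pinned copy of the public
key; the update bytes and the "spoofed" payload are constructed sample
data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UpdateManifest is what the update server, or whoever answers the HTTP
// update check on the wire, hands back. Hypothetical format for this example.
type UpdateManifest struct {
	Version string
	Payload []byte // the update file itself
	Sig     []byte // ed25519 signature over sha256(Version + "\n" + Payload)
}

// digest binds the version string to the payload, so a genuinely signed
// old payload cannot simply be re-labelled as a newer version.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte("\n"))
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the publisher side, run with the private key kept offline.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	return UpdateManifest{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, digest(version, payload)),
	}
}

// VerifyUpdate is the client side. The public key is pinned in the client,
// so the network path (open Wi-Fi, plain HTTP) does not have to be trusted:
// an update is installed only if this returns true.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest) bool {
	if len(m.Sig) != ed25519.SignatureSize {
		return false // missing or malformed signature: reject, never "fall back"
	}
	return ed25519.Verify(pinned, digest(m.Version, m.Payload), m.Sig)
}

func main() {
	// Publisher key pair: generated once in practice, public half compiled
	// into the client. Constructed fresh here for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, "4.0.3", []byte("constructed genuine update bytes"))
	fmt.Println("genuine update accepted:", VerifyUpdate(pub, genuine))

	// A forged answer that reuses the version string and even the genuine
	// signature fails, because the signature covers the payload bytes.
	spoofed := UpdateManifest{Version: "4.0.3", Payload: []byte("constructed malicious bytes"), Sig: genuine.Sig}
	fmt.Println("spoofed update accepted:", VerifyUpdate(pub, spoofed))

	// A forged answer signed with some other key fails too: only the pinned
	// publisher key is trusted.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherSigned := SignUpdate(otherPriv, "4.0.3", []byte("constructed malicious bytes"))
	fmt.Println("update signed by a different key accepted:", VerifyUpdate(pub, otherSigned))
}
```

The check is only as good as the pinning: if the client fetched the
public key over the same unauthenticated HTTP channel, or installed
unsigned files when the signature was absent, the protection would be
gone. This is why the newsletter's advice for unsigned applications on
open Wi-Fi is to turn automatic updates off rather than to rely on the
download itself.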
-------------------------------------------
4. Phishing Site Fooled University
-------------------------------------------
Earlier this summer a phishing attack hit North Carolina State
University's email system. The difference in this attack from other
email phishing attacks that target higher education is that instead of
asking for the user to submit a user name and password via email
reply, this one had a link to the university's email sign-in page.
The Web page looked identical to the university's email sign-in page,
but was actually a fake hosted by the attacker, who could capture the
user ID and password of anyone who used it to log on.
Read the full news story here:
<http://chronicle.com/blogPost/Phishing-Attack-Hits-North/7272>
NCSU posted this incident here:
<http://www.ncsu.edu/it/security/webmail-phishing.html>
MIT has seen phishing emails coming in over the past few years,
claiming to be from MIT's IT department or Webmail team, and
requesting user names and passwords. Due to the latest attack at NCSU,
we should educate our community members that attacks can come in a
variety of other formats, such as a spoofed Web page.
========================================================================
Find current and older issues of Security FYI Newsletter:
<http://kb.mit.edu/confluence/x/ehBB>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.