[IS&T Security-FYI] Newsletter, August 24, 2009

Monique Yeaton myeaton at MIT.EDU
Mon Aug 24 15:35:38 EDT 2009


In this issue:

1. Security Updates from Apple
2. Gmail Password Recovery Vulnerability
3. Automatic Update Risks
4. Phishing Site Fooled University


----------------------------------------
1. Security Updates from Apple
----------------------------------------

Apple released several more security updates since the last issue of  
this newsletter was published.

  ---- Safari 4.0.3 ----

The Safari 4.0.3 update includes improvements to stability, compatibility
and security, including:

- Stability improvements for third-party plug-ins, Safari's Top Sites
  feature (a list of most visited sites), and web pages that use the
  HTML 5 video tag
- A fix for an issue that prevented some users from logging into iwork.com
- A fix for an issue on Windows that could cause Web content to be
  displayed in grayscale instead of color

Systems running Safari (Windows, Vista, Tiger and Leopard) should be
updated. The update is available from Apple's Safari Downloads page:
<http://www.apple.com/safari/download/>


  ---- Security Update 2009-004 ----

Available for: Mac OS X 10.4.11 and Mac OS X 10.5.8

About a week after releasing Security Update 2009-003 / Mac OS X
10.5.8, Apple released Security Update 2009-004 on August 12 to
address a single vulnerability in BIND, the Unix DNS server software
that works with the Domain Name System. A public exploit for the
vulnerability is reportedly in wide circulation.

The update is available through Software Update or Apple's Downloads  
page:
<http://support.apple.com/downloads/>


-----------------------------------------------------
2. Gmail Password Recovery Vulnerability
-----------------------------------------------------

If you use Gmail for your personal or primary email account, you
should know about a password recovery vulnerability that could allow an
attacker to gain access to personal information. Because many people
forget their passwords, almost every online service includes a password
recovery feature. Google offers three ways to recover a password: by
email, by text message, or by answering a personal security question
online.

Watch this video from CNET, which explains how an alleged attack on a
Twitter employee occurred, exposing sensitive company documents, and
covers tips for staying safe:
<http://blogs.techrepublic.com.com/itdojo/?p=894&tag=nl.e036>

These tips apply equally to other online applications that have
password recovery features. The best tip listed: don't opt in to
password recovery. An effective password is one that no one else can
guess, isn't shared, and is easy to remember.


----------------------------------
3. Automatic Update Risks
----------------------------------

What if an attacker could hijack an application's update request and
deliver malware instead of the update? Many applications are set to
check for updates automatically, without requiring you to enter an
administrative password. A new attack tool called Ippon scans open
Wi-Fi networks specifically for HTTP update request traffic. When it
finds one, Ippon answers the application with a message that an update
is available, even if none is. Once the connection is established, a
malicious file is downloaded from the attacker's server.

So far, Microsoft and Apple applications are not vulnerable to an Ippon
attack because their updates are digitally signed. The main way to
avoid this type of attack is to not use open Wi-Fi connections. If you
must use Wi-Fi, set updates to manual rather than automatic.

Read the full story here:
<http://blogs.techrepublic.com.com/security/?p=2056&tag=nl.e036>
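An added example, not code from this newsletter or from any of the vendors mentioned, showing the check that makes a signed update channel resistant to the kind of injected "update available" message described above. It simulates both sides in-process with Go's standard-library Ed25519: the vendor signs a manifest that binds the release number to the payload hash, and the client, which has the vendor's public key pinned at build time, rejects an attacker-signed manifest, a genuine manifest paired with a swapped file, and a replayed older manifest. The manifest format, the keys and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update server offers a client. Both the vendor server
// and the attacker's server are simulated in-process here (constructed data).
type Manifest struct {
	Version    int    // monotonically increasing release number
	PayloadSHA string // hex SHA-256 of the update binary
	Signature  []byte // Ed25519 signature over signedBytes()
}

// signedBytes is the canonical byte string the signature covers. Binding the
// version and the hash together stops an attacker from re-pointing a genuine
// signature at a different payload.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("version=%d;sha256=%s", m.Version, m.PayloadSHA))
}

// SignManifest is the vendor-side step: hash the payload and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate is the client-side gate. pub is the vendor key pinned inside
// the application at build time, so nothing received over the network is
// trusted until it checks out against that key.
func VerifyUpdate(pub ed25519.PublicKey, installed int, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("offered version is not newer (replay or downgrade)")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

// Scenario runs the client against a genuine update and three tampered
// offers of the kind an on-path attacker on open Wi-Fi could inject, and
// reports which ones the client accepted.
func Scenario() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil: crypto/rand
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	installed := 3
	genuine := []byte("constructed: bytes of release 4")
	malware := []byte("constructed: attacker payload")

	good := SignManifest(vendorPriv, 4, genuine)
	forged := SignManifest(attackerPriv, 4, malware) // signed with the wrong key
	old := SignManifest(vendorPriv, 3, genuine)      // genuine but already installed

	cases := map[string]error{
		"genuine update":                 VerifyUpdate(vendorPub, installed, good, genuine),
		"attacker-signed manifest":       VerifyUpdate(vendorPub, installed, forged, malware),
		"genuine manifest, swapped file": VerifyUpdate(vendorPub, installed, good, malware),
		"replayed older manifest":        VerifyUpdate(vendorPub, installed, old, genuine),
	}
	accepted := map[string]bool{}
	for name, err := range cases {
		accepted[name] = err == nil
	}
	return accepted
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

The point of the manifest is that the signature covers the hash of the file, not the file itself, so the client can verify a small signed object first and then check the large download against it. Without the version comparison, an attacker who captured a genuinely signed but older manifest could replay it to push a client back to a release with known bugs.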


-------------------------------------------
4. Phishing Site Fooled University
-------------------------------------------

Earlier this summer a phishing attack hit North Carolina State
University's email system. Unlike other email phishing attacks that
target higher education, which ask the user to submit a user name and
password by email reply, this one contained a link to what appeared to
be the university's email sign-in page.

The Web page looked identical to the university's email sign-in page
but was actually a fake hosted by the attacker, who could capture the
user ID and password of anyone who used it to log on.

Read the full news story here:
<http://chronicle.com/blogPost/Phishing-Attack-Hits-North/7272>

NCSU posted this incident here:
<http://www.ncsu.edu/it/security/webmail-phishing.html>

MIT has seen phishing emails over the past few years claiming to be
from MIT's IT department or Webmail team and requesting user names and
passwords. In light of the latest attack at NCSU, we should educate our
community members that attacks can also arrive in other formats, such
as a spoofed Web page.
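As an added illustration (not part of this newsletter and not NCSU's or MIT's tooling), here is the kind of link check a mail filter or awareness tool can apply to incoming HTML mail to catch the spoofed sign-in page pattern described above. It extracts anchors and flags links whose host is not an institutional domain, links that embed a trusted name in an untrusted host or path (the look-alike pattern), sign-in pages linked over plain HTTP, and links whose visible text shows a trusted address while the href goes elsewhere. The trusted domain list, the sample email and the example.net host are constructed, and the anchor matcher is a deliberately simple regular expression rather than a full HTML parser.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// trustedDomains are the institution's own domains (constructed for this example).
var trustedDomains = []string{"ncsu.edu", "mit.edu"}

// anchorRE is a deliberately simple matcher for <a href="...">text</a>;
// a production filter would use a real HTML parser.
var anchorRE = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]*)"[^>]*>(.*?)</a>`)

// isTrusted reports whether host is one of the trusted domains or a subdomain
// of one. Note that "ncsu.edu.attacker.example" is NOT trusted: the suffix
// check is what defeats the look-alike trick.
func isTrusted(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range trustedDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// AssessLink returns the reasons a link looks like a credential-phishing
// lure; an empty result means nothing suspicious was found.
func AssessLink(href, text string) []string {
	var reasons []string
	u, err := url.Parse(href)
	if err != nil {
		return []string{"unparseable href"}
	}
	host := strings.ToLower(u.Hostname())
	path := strings.ToLower(u.Path)
	if u.Scheme != "http" && u.Scheme != "https" {
		reasons = append(reasons, "unexpected scheme "+u.Scheme)
	}
	if !isTrusted(host) {
		reasons = append(reasons, "host "+host+" is not an institutional domain")
		for _, d := range trustedDomains {
			if strings.Contains(host, d) || strings.Contains(path, d) {
				reasons = append(reasons, "trusted name "+d+" embedded in an untrusted URL")
				break
			}
		}
	}
	if u.Scheme == "http" && (strings.Contains(path, "login") || strings.Contains(path, "signin")) {
		reasons = append(reasons, "sign-in page linked over plain HTTP")
	}
	// Visible text that looks like a URL but points somewhere other than the href.
	t := strings.TrimSpace(text)
	if strings.Contains(t, "://") || strings.HasPrefix(strings.ToLower(t), "www.") {
		if !strings.Contains(t, "://") {
			t = "http://" + t
		}
		if tu, err := url.Parse(t); err == nil && isTrusted(tu.Hostname()) && !isTrusted(host) {
			reasons = append(reasons, "link text shows "+tu.Hostname()+" but href goes to "+host)
		}
	}
	return reasons
}

// FlagLinks extracts every anchor from an HTML email body and assesses it,
// keyed by href.
func FlagLinks(html string) map[string][]string {
	out := map[string][]string{}
	for _, m := range anchorRE.FindAllStringSubmatch(html, -1) {
		out[m[1]] = AssessLink(m[1], m[2])
	}
	return out
}

// sampleEmail is a constructed message with one look-alike link and one genuine link.
const sampleEmail = `<p>Your mailbox quota has been exceeded. Please verify your account:</p>
<p><a href="http://ncsu.edu.webmail-verify.example.net/login">https://webmail.ncsu.edu/</a></p>
<p>The genuine portal: <a href="https://webmail.ncsu.edu/">NCSU WebMail</a></p>`

func main() {
	for href, reasons := range FlagLinks(sampleEmail) {
		fmt.Printf("%s\n", href)
		for _, r := range reasons {
			fmt.Printf("  - %s\n", r)
		}
	}
}
```

Run stand-alone, the first link is reported with four reasons and the genuine one with none. The host-suffix check in isTrusted is the essential part: the fake host begins with the real university name, which is exactly what makes a casual glance at the address bar unreliable, and only a suffix comparison against the registered domain resolves it.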

========================================================================

Find current and older issues of Security FYI Newsletter:
<http://kb.mit.edu/confluence/x/ehBB>



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
