[IS&T Security-FYI] SFYI Newsletter, February 13, 2009
Monique Yeaton
myeaton at MIT.EDU
Fri Feb 13 13:01:26 EST 2009
In this issue:
1. February 2009 Security Updates
2. Valentine's Day Trojan
3. ATM Fraud Pays Off
--------------------------------------------
1. February 2009 Security Updates
--------------------------------------------
---- Microsoft ----
This week Microsoft released two critical and two important patches
for the Windows operating system and Office products.
Systems affected:
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office Visio
* Microsoft Exchange and SQL Server
These patches are now approved for deployment via MIT WAUS. This week
Microsoft also released Service Pack 3 for MS SQL Server 2005, however
MIT's deployment of this service pack will be delayed until further
testing is completed.
For details on this update:
<http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx>
---- Mozilla/Firefox ----
Firefox version 3.0.6 has been released by Mozilla and addresses six
vulnerabilities in the browser. The most serious is a critical
JavaScript flaw affecting Firefox's layout engine; it could be
exploited to crash the browser and possibly run malicious code. The
vulnerability also affects the Thunderbird email client and SeaMonkey
Internet Suite. Other vulnerabilities include cross-site scripting
and a problem with tab restoration that could be exploited to steal
local files.
Details on this update:
<http://www.mozilla.org/security/announce/2009/mfsa2009-01.html>
<http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.6
>
--------------------------------
2. Valentine's Day Trojan
--------------------------------
This Trojan has been around for a little over a year now and reemerges
during a holiday, in this case Valentine's Day. The messages purport
to be greeting card notifications bearing pictures of hearts and
offering links or attachments to view Valentine's Day cards sent to
recipients. Clicking these actually triggers the download of the W32/
Waledac.C worm which affects most Windows-based platforms.
The following subject lines have been identified so far; "short and
sweet", "Me and You", "In Your Arms", and "With all my love." A link
is included in the message. If you click in the email, you download a
malicious program called "love.exe" or "you.exe" which turns the
infected computer into a zombie and adds it to the Waledec botnet,
which is believed to be run by the same folks responsible for the
Storm botnet. So far the botnet is sending an average of 11,000
messages per hour.
This is the same group responsible for the Obama spam sent earlier
this month. That spam attempted to lure people to a fake Obama/Biden
site with a link to a fake news story claiming Obama had abruptly
declined to accept the presidency of the United States. This new
botnet is growing so quickly it's being called the new Storm botnet.
[Article source: Snopes.com]
-----------------------------
3. ATM Fraud Pays Off
-----------------------------
Maybe a sign of the economic times, or just technical ingenuity on the
part of the criminals, but apparently a worldwide ATM heist late last
year netted thieves with $9 million in cash in one day, according to
published reports. The coordinated attack stemmed from a computer
intrusion at payment processor RBS WorldPay, which affected more than
1 million customers. The FBI is investigating and according to one of
their reports, ATMs from 49 cities, including Atlanta, Chicago, New
York, Moscow and Hong Kong were hit. Law enforcement sources told New
York's Fox 5 it's one of the most frightening well-coordinated heists
they'd ever seen. Law suits have already been filed against RBS
WorldPay for their lack of protection.
News of the complex ATM heist was little surprise to Ori Eisen,
founder of 41st Parameter, a company that consults with banks and
retailers to help staunch fraud losses. Eisen said he recently heard
from three different clients in the banking sector who told him that
some $50 million was lost to ATM fraud in New York City alone over the
course of one month last year. "ATM fraud is spiking," Eisen said.
"For New York financial institutions alone to have $50 million in ATM
fraud in one month...that's incredible. The thieves are getting a lot
more money from the ATMs now than they used to."
Response from WorldPay: <http://www.rbsworldpay.us/prepaid_info.html>
Fox 5 news report: <http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam
>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20090213/dbc0423a/attachment.htm
More information about the ist-security-fyi
mailing list