[IS&T Security-FYI] SFYI Newsletter, February 13, 2009

Monique Yeaton myeaton at MIT.EDU
Fri Feb 13 13:01:26 EST 2009


In this issue:

1. February 2009 Security Updates
2. Valentine's Day Trojan
3. ATM Fraud Pays Off


--------------------------------------------
1. February 2009 Security Updates
--------------------------------------------

---- Microsoft ----

This week Microsoft released two critical and two important patches  
for the Windows operating system and Office products.

Systems affected:

  * Microsoft Windows
  * Microsoft Internet Explorer
  * Microsoft Office Visio
  * Microsoft Exchange and SQL Server

These patches are now approved for deployment via MIT WAUS. This week  
Microsoft also released Service Pack 3 for MS SQL Server 2005, however  
MIT's deployment of this service pack will be delayed until further  
testing is completed.

For details on this update:
<http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx>

---- Mozilla/Firefox ----

Firefox version 3.0.6 has been released by Mozilla and addresses six  
vulnerabilities in the browser.  The most serious is a critical  
JavaScript flaw affecting Firefox's layout engine; it could be  
exploited to crash the browser and possibly run malicious code. The  
vulnerability also affects the Thunderbird email client and SeaMonkey  
Internet Suite.  Other vulnerabilities include cross-site scripting  
and a problem with tab restoration that could be exploited to steal  
local files.

Details on this update:
<http://www.mozilla.org/security/announce/2009/mfsa2009-01.html>
<http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.6>


--------------------------------
2. Valentine's Day Trojan
--------------------------------

This Trojan has been around for a little over a year now and reemerges  
during a holiday, in this case Valentine's Day. The messages purport  
to be greeting card notifications bearing pictures of hearts and  
offering links or attachments to view Valentine's Day cards sent to  
recipients. Clicking these actually triggers the download of the
W32/Waledac.C worm, which affects most Windows-based platforms.

The following subject lines have been identified so far: "short and
sweet", "Me and You", "In Your Arms", and "With all my love."  A link
is included in the message. If you click the link in the email, you
download a malicious program called "love.exe" or "you.exe" which turns
the infected computer into a zombie and adds it to the Waledac botnet,
which is believed to be run by the same folks responsible for the
Storm botnet. So far the botnet is sending an average of 11,000
messages per hour.

This is the same group responsible for the Obama spam sent earlier  
this month. That spam attempted to lure people to a fake Obama/Biden  
site with a link to a fake news story claiming Obama had abruptly  
declined to accept the presidency of the United States. This new  
botnet is growing so quickly it's being called the new Storm botnet.

[Article source: Snopes.com]


-----------------------------
3. ATM Fraud Pays Off
-----------------------------

Maybe it's a sign of the economic times, or just technical ingenuity on
the part of the criminals, but apparently a worldwide ATM heist late last
year netted thieves $9 million in cash in one day, according to
published reports. The coordinated attack stemmed from a computer
intrusion at payment processor RBS WorldPay, which affected more than
1 million customers. The FBI is investigating and, according to one of
their reports, ATMs in 49 cities, including Atlanta, Chicago, New
York, Moscow and Hong Kong, were hit. Law enforcement sources told New
York's Fox 5 it's one of the most frightening, well-coordinated heists
they'd ever seen. Lawsuits have already been filed against RBS
WorldPay for their lack of protection.

News of the complex ATM heist was little surprise to Ori Eisen,  
founder of 41st Parameter, a company that consults with banks and  
retailers to help staunch fraud losses. Eisen said he recently heard  
from three different clients in the banking sector who told him that  
some $50 million was lost to ATM fraud in New York City alone over the  
course of one month last year. "ATM fraud is spiking," Eisen said.  
"For New York financial institutions alone to have $50 million in ATM  
fraud in one month...that's incredible. The thieves are getting a lot  
more money from the ATMs now than they used to."

Response from WorldPay: <http://www.rbsworldpay.us/prepaid_info.html>
Fox 5 news report: <http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam>

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
