[IS&T Security-FYI] SFYI Newsletter, February 27, 2009

Mike Halsall mhalsall at MIT.EDU
Fri Feb 27 21:03:43 EST 2009


In this issue:

1. It's only a PDF
2. If my computer is infected with malware


-----------------------------------------------
1. It's only a PDF -- what could go wrong?
-----------------------------------------------

Another Adobe Reader vulnerability has been announced. It affects the 
latest versions (7, 8 and 9) and is actively being exploited: malicious 
software is being spread by seemingly innocuous PDF files. Adobe 
promises a patch on March 11, which leaves attackers quite a window of 
opportunity between now and then.

Currently being reported are targeted Adobe Reader attacks on CEOs, but
it's only a matter of time until attackers go after the masses -- either
by sending spam emails containing a PDF attachment, by sending links to
poisoned PDFs or, worse, by embedding a PDF on a favorite website.  By all
means, patch when the patch becomes available!

What to do in the meantime?  For now, the exploits can be mitigated by
disabling JavaScript in Adobe Acrobat and Reader.  Disabling JavaScript
is easy to do:  Edit -> Preferences -> JavaScript -> Uncheck "Enable
JavaScript".  Windows administrators can also push a registry key via
GPO to disable it.  Of course, you can also take a look at alternative PDF
viewing software: http://en.wikipedia.org/wiki/List_of_PDF_software



-----------------------------------------------
2. If My Computer is Infected With Malware
-----------------------------------------------

A few weeks ago, in SFYI, we spoke about the signs your computer might
be infected with a virus.  One of the tips to aid recovery stated:

* The technician may advise you to stop using your computer.  If so,
follow that advice.  Short-term inconvenience is better than losing all
your data or having your identity stolen.

If you know, or even suspect, that there is any Personally Identifiable
Information on your computer (sensitive institutional data), both you
and your technician should immediately stop working on the computer and
contact infoprotect at mit.edu.

Why do we say this?  One reason: to protect the forensic integrity of
the data on the computer.  If there is sensitive data stored on a
computer and the computer becomes infected with a virus, the computer
becomes a possible "crime scene".  In order to determine whether or not
the sensitive data may have been accessed by the malicious software (or
its author/controller), the condition of the file system must be
preserved.  One of the most expedient ways of determining whether sensitive
data was touched is to build a timeline.  Different operating systems
keep various file attributes; among the most common are File Creation,
File Modification and, most importantly, File Access times.

So, while the temptation may be there to go digging to see whether
sensitive data exists on the computer before attempting to clean it,
doing so destroys the evidence of prior access, and with it the potential
clues as to what actually happened.
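To make the timeline argument concrete, here is a small added example (not part of the newsletter) that builds a timeline from creation/modification/access times, checks which sensitive files were touched after the infection time, and shows how simply opening a file on a system that records access times overwrites that evidence. The file names, timestamps and infection time are constructed sample values.

```python
"""Constructed illustration of file-timestamp timelines for incident triage.
All paths and epoch-second timestamps below are made up for the example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: int    # file creation time (epoch seconds)
    modified: int   # last modification time
    accessed: int   # last access time -- the attribute that matters most here


# Constructed snapshot of file-system metadata, as it would be read from an image.
SNAPSHOT = [
    FileRecord("C:/Users/alice/Documents/payroll_ssn.xls", 1000, 1200, 1800),
    FileRecord("C:/Users/alice/Documents/recipes.doc",     1100, 1100, 1300),
    FileRecord("C:/Windows/Temp/svchost.exe",              1600, 1600, 1700),
]
SENSITIVE = {"C:/Users/alice/Documents/payroll_ssn.xls"}
INFECTION_TIME = 1600   # constructed: when the malware dropper first appeared


def timeline(records):
    """All (timestamp, event, path) events in chronological order."""
    events = []
    for r in records:
        events += [(r.created, "created", r.path),
                   (r.modified, "modified", r.path),
                   (r.accessed, "accessed", r.path)]
    return sorted(events)


def sensitive_touched_after(records, when, sensitive):
    """Sensitive files whose last access time falls after `when`."""
    return sorted(r.path for r in records
                  if r.path in sensitive and r.accessed > when)


def investigator_reads(records, path, now):
    """Simulate a well-meaning user opening `path` to 'check' it on a file
    system that updates access times: the original access timestamp is
    replaced by `now`, so the evidence of the earlier access is gone."""
    return [replace(r, accessed=now) if r.path == path else r for r in records]


if __name__ == "__main__":
    for ts, event, path in timeline(SNAPSHOT):
        print(ts, event, path)
    print("touched after infection:",
          sensitive_touched_after(SNAPSHOT, INFECTION_TIME, SENSITIVE))
```

Whether an operating system actually records access times depends on its settings, so what survives on a given machine is not something to assume; that uncertainty is one more reason to stop using the computer and hand it to the technician as it is.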

Remember, you can't lose what you don't have.  Right now is the perfect
time to reflect back on what files are saved on your computer, or what
old messages containing sensitive data may still be in your email and,
if there's sensitive information there that you don't need, it's a great
time to get rid of it.




-- 
Mike Halsall
Information & Network Security Analyst
IT Security Support, IS&T
MIT
(617) 253-0243

PGP Fingerprint: A8F6 D77D 3AFF 0050 700C 4E3E C674 E4B8 9E62 D0E6