[IS&T Security-FYI] SFYI Newsletter, August 2, 2011
Monique Yeaton
myeaton at MIT.EDU
Tue Aug 2 11:57:19 EDT 2011
In this issue:
1. Mac iOS 4.3.5 Fixes Data Security Issue
2. New Tricks Used by Computer Crooks
3. Help! My Laptop Was Stolen!
------------------------------------------------------
1. Mac iOS 4.3.5 Fixes Data Security Issue
------------------------------------------------------
Last week Apple released iOS 4.3.5 for iPhone, iPad, and iPod Touch and iOS 4.2.10 for iPhone with Verizon service. It addresses a flaw with the certificate chain validation process when handling X.509 certificates.
According to Apple, "An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible."
Users of the above devices can take the update via iTunes on their PC or Mac.
See the notice by Apple:
<http://support.apple.com/kb/HT4824>
----------------------------------------------------
2. New Tricks Used by Computer Crooks
----------------------------------------------------
A new malware variant tries to trick people into voluntarily transferring money from their accounts to a cyber thief's account. The German police have warned consumers about a new Windows malware strain that waits until the victim logs into his bank account. The malware presents the customer with a message, stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.
The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form, with the account and routing numbers for a bank account the attacker controls.
To avoid falling victim to such scams, Kreb on Security, the blog featuring this story, recommends to "pick up the phone and call your bank… and make sure you are using the bank's real phone number" if you see something odd such as a "down for maintenance" page or an alert when logging in to your bank account.
Read the full story here:
<http://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/>
----------------------------------------
3. Help! My Laptop Was Stolen!
----------------------------------------
The unfortunate side-effect of having a mobile device such as an iPad, smart phone or laptop is that, of course, they can be easily misplaced or stolen. They are small, lightweight and could bring in a few hundred bucks for the thief who off-loads them.
If it's gone, what do you do now? The important data contained on the device is hopefully password protected or even encrypted, but what if the drive wasn't encrypted? Or you can't remotely wipe or disable the device?
Think about what it may contain: photos of your family and friends, emails you sent out and received for work or personal correspondence, a manuscript or school paper, financial documents, etc. Depending on your browser settings, sites you have visited and passwords you entered may be easy to access. In other words, your own personal private information and intellectual property is now out there in someone's hands and you have no idea what they're doing with it.
Thieves will usually wipe the drive before selling it, but it's always best to prepare for the worst:
1. Call MIT Police. Provide them with as much detail as you can, the serial number of the device, where and when it was stolen, and what it contained. Make sure you get a police report in case you need to prove fraud should that occur.
2. If the laptop had a STOP tag, there may be a chance of finding it again when the thief attempts to sell it. STOP tags can not be removed and if attempted, a tattoo is left in its place stating it is stolen material. Tell the MIT Police if there was a STOP tag affixed.
3. Email infoprotect at mit.edu. If the device did contain the sensitive information of other members of the community, it is important to determine if that information has been put at risk. Again, include as much detail as you can. The email will be received by the IT Security Team. If you include the computer's MAC address, the last known IP address and the user name on the account, they can attempt to see if the computer comes back "on line," with the possibility of tracking it down.
4. Change all your passwords, especially those to sites with your personal information.
5. Contact your account providers to let them know your information may have been compromised. They may recommend you change the account numbers of your banks or credit cards. It's easier to close your accounts and open new ones than get the money back that the thieves have taken.
6. All a thief needs is your full name and another identifying piece of information, such as your driver's license or Social Security number to steal your identity. Put a fraud alert or credit freeze on your credit cards as soon as you can.
It's very tough protecting data after a theft. Be proactive. Use software to protect your data. Use a lock to prevent theft. Other security tips for those traveling with a laptop can be found here:
<http://ist.mit.edu/security/traveling>
===================================================================================
Read all Security FYI Newsletter articles online or submit a comment at http://securityfyi.wordpress.com/.
===================================================================================
Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20110802/0a813d35/attachment.htm
More information about the ist-security-fyi
mailing list