[IS&T Security-FYI] SFYI Newsletter, May 31, 2011

Monique Yeaton myeaton at MIT.EDU
Tue May 31 12:05:59 EDT 2011


In this issue:


1. New Mac Scareware Variant

2. Microsoft Fixes Hotmail Cross-Site Scripting Flaw

3. Can Social Media Cause You Harm?



---------------------------------------

1. New Mac Scareware Variant

---------------------------------------


A new variant of scareware that targets Mac users, called MacGuard, has been detected, and this version does not require users to submit administrator passwords to install. Earlier versions of Mac scareware, which have gone by such names as Mac Defender, Mac Security and Mac Protector, all required administrator passwords. Users are at risk if they have set their Safari browsers to automatically open files designated as safe.


Apple has acknowledged the scareware issue and says it will release an update to detect and remove the malware. The company has already published an advisory with recommendations for removing the malware or avoiding infection.


The advisory from Apple is available at <http://support.apple.com/kb/ht4650>


See the story in the news:

<http://www.h-online.com/security/news/item/Mac-Defender-variant-doesn-t-require-admin-password-1250910.html>

<http://www.informationweek.com/news/security/vulnerabilities/229625602>



------------------------------------------------------------------

2. Microsoft Fixes Hotmail Cross-Site Scripting Flaw

------------------------------------------------------------------


Microsoft has fixed a security issue in Hotmail that was being actively exploited to steal users' messages and contact lists. Attackers sent targets email messages containing malicious scripts, and computers became infected when recipients opened or previewed a message. The embedded code uploaded messages and contact lists to remote servers. The attack was possible because of a cross-site scripting flaw, which has been remedied.


According to the article by the Register: "It's unclear how many Hotmail users may have been affected by the exploits and whether Microsoft has adequately warned users they may have been compromised. Microsoft spokesman Bryan Nairn wouldn't say how many subscribers were targeted or when the patch was put in place."


See the story in the news:

<http://www.theregister.co.uk/2011/05/24/microsoft_hotmail_email_theft_attack/>



-------------------------------------------------

3. Can Social Media Cause You Harm?

-------------------------------------------------


When using such social media communication tools as Twitter or Facebook, we may not always think about who will be able to see our comments and posts. As far as we know, only our friends and followers can see them. But is this true?


In two recent articles in the Boston Globe I found several examples listed of when posts made to Facebook led to job termination or other problems with employers. The lesson they teach is that what might be, for you, a mechanism for venting or sharing your working situation with your trusted friends is, for others, a reason to see you as unsuitable in your job.


In a perfect world, our online conversations are protected by the privacy settings on Facebook, and in some cases the First Amendment protects us as well, but common sense tells us that these "protections" are not iron-clad. The Internet, and social media by design, is a public forum for conversations. A secret is not a secret if it is conveyed to more than one person.


Best rule of thumb: If you don't want even one other person knowing about something you think or feel, it's best not to use the Internet to share those feelings and thoughts.


Read the stories at Boston.com:

<http://www.boston.com/news/local/massachusetts/articles/2011/05/27/facebook_comments_bring_firing_and_a_fight/>


<http://www.boston.com/news/local/articles/2011/05/26/facebook_misstep_gets_abington_substitute_teacher_fired/>



====================================================================

Read all Security FYI Newsletter articles online at http://securityfyi.wordpress.com/.

====================================================================



Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

