[IS&T Security-FYI] SFYI Newsletter, November 26, 2012
Monique Yeaton
myeaton at MIT.EDU
Mon Nov 26 17:25:19 EST 2012
In this issue:
1. Online Shopping Risks During the Holiday Season
2. Zero-Day Threat in Adobe Reader
3. The Blackhole Exploit Kit Explored
4. From Sophos: The A-Z of Computer and Data Security Threats
-----------------------------------------------------------------------
1. Online Shopping Risks During the Holiday Season
-----------------------------------------------------------------------
The trickery involved in a different form of phishing came to my attention this weekend. You may have already heard about phishing as it relates to emails. Phishing emails<http://kb.mit.edu/confluence/x/SBhB> are spam messages that arrive in our mailboxes and pretend to come from a legitimate entity, such as a bank or your school's email administrator and then attempt to obtain your credentials so that they can access your email account, your bank account or any of your other online accounts. A keen eye and suspicious mind will go far to prevent you from falling for these scams.
What you might not be as familiar with is internet phishing. This is when you visit a website that you might already trust or which has a good reputation and so you have no reason to suspect foul-play. Even so, some scammer has managed to compromise a portion of that site so that when you are submitting your personal information, you are actually submitting it to a cyber criminal.
An example I saw this weekend involved renting a vacation property via a popular website. When submitting an inquiry or deciding to place a reservation, the victim is unaware that he is sending his information to the phisher, rather than to the property owner/manager. The phisher intercepts the client's credit card information and the victim is unaware that not only did the inquiry or reservation not go through, but his credit card could now be compromised. In this example, the phisher impersonated the owner/manager and perhaps already gained access to his or her email account.
Today is Cyber Monday, kicking off the online shopping season, and cyber criminals are out there busily setting traps for the unwary shopper.
This news article provides some tips<http://ist.mit.edu/news/shop_smart> to help you have a safe and pleasant online shopping experience this holiday season. In addition, if you experience fraud via a website, be sure to let the owners of the website know so that others don't fall victim as well.
-------------------------------------------------
2. Zero-Day Threat in Adobe Reader
-------------------------------------------------
An unpatched vulnerability recently found in Adobe Reader could be exploited when users open a PDF file in a browser other than Google Chrome (Chrome has an added defense on the Adobe Reader application). The exploit is very limited, but if triggered could evade the sandbox security feature in Adobe Reader X and XI and connect to malware. Adobe has yet to respond to the report.
Learn more about this issue in the news<http://www.onlinesafety411.com/pdf-exploit-adobe-reader-unprotected>.
--------------------------------------------------
3. The Blackhole Exploit Kit Explored
--------------------------------------------------
Malware has increased exponentially in the past years and this is mostly thanks to the use of automation and kits which facilitate its creation and distribution around the world.
Whether the malware is scareware, a form of malware payload (like Zeus), tries to control user web traffic, or is aimed primarily to infect users through web attacks (known as drive-by downloads), these exploit kits are the tools of the cyber criminal's trade.
This article<http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-2/> examines the most recent and notorious of exploit kits on the black market, known as Blackhole.
---------------------------------------------------------------------------------------
4. From Sophos: The A-Z of Computer and Data Security Threats
---------------------------------------------------------------------------------------
Sophos has written a guide that helps even your grandmother understand phishing and encryption. "Threatsaurus," a .pdf guide you can download for free from Sophos, and is written in plain language, not security jargon.
According to Sophos, "Whether you're an IT professional, use a computer at work, or just browse the Internet, our Threatsaurus is for you." It includes an A-Z glossary on computer and data security risks as well as practical tips to stay safe from email scams, identity theft, malware and other threats.
Find the downloadable "Threatsaurus" here.<http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx>
Disclaimer: MIT (and IS&T) does not officially endorse, support or recommend Sophos products. Please contact the company directly if you are interested in them.
===================================================================================
Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
===================================================================================
Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20121126/a6a422f9/attachment.htm
More information about the ist-security-fyi
mailing list