[IS&T Security-FYI] Security FYI Newsletter, May 28, 2015

Monique Buchanan myeaton at mit.edu
Thu May 28 11:31:46 EDT 2015


In this issue:

1. The Cyber Generation Gap
2. Android Phone Factory Reset Feature is Flawed
3. Phishing Attack List: Windows Live ID Scam


----------------------------------------
1. The Cyber Generation Gap
----------------------------------------

The May issue of OUCH!, led by Guest Editor Brian Honan, is focused on securing the cyber generation gap. Many of us have family members who may not be technically savvy and are intimidated by security. This newsletter explains how you can help those family members and any children who may be visiting them.

Feel free to share OUCH! with anyone you want, including family, friends or as part of your security awareness program.

Download the issue here (.pdf)<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201505_en.pdf>


-------------------------------------------------------------------
2. Android Phone Factory Reset Feature is Flawed
-------------------------------------------------------------------

An estimated 500 million Android phones don't completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google's Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they're sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.

The findings, published in a research paper titled Security Analysis of Android Factory Resets<http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf> (.pdf), are sure to be a wake-up call for individual users and large enterprises alike. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept.

Read the story in the news<http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/>.


--------------------------------------------------------------
3. Phishing Attack List: Windows Live ID Scam
--------------------------------------------------------------

Kaspersky Lab experts are warning of a new scam<http://www.kaspersky.com/about/news/virus/2015/Live-ID-as-a-bait-Kaspersky-Lab-warns-of-a-new-scam> that uses Windows Live ID as bait to catch personal information stored in user profiles on services like Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.

What appears to be a typical phishing email contains a link that goes to the actual Windows Live website, with no apparent attempt to get the victims' logins and passwords. So what's the trick?


  *   After following the link and authorizing the account, users receive a prompt: an application requests permission to automatically log into the account, view the profile information and contact list, and access a list of the users' email addresses.
  *   Users who click "Yes" don't give away their login and password credentials, but they do provide their personal information, the email addresses of their contacts and the nicknames and real names of their friends.

Scammers gained access to this technique through security flaws in the open protocol for authorization, OAuth. The collected information can be used for fraudulent purposes, such as sending spam to the contacts in the victim's address book or launching spear phishing attacks.
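Because the link in the email points at the genuine sign-in site, domain reputation alone will not catch it; what a mail filter or analyst can inspect is the OAuth request carried in the URL. The sketch below is an added example, not code from Kaspersky Lab or IS&T. The endpoint path, the `wl.*` scope names, the client IDs and the allowlist are assumptions or constructed values, not details from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed values, not taken from the newsletter: the provider's OAuth
# authorization endpoint and Live Connect style scope names.
AUTHZ_ENDPOINTS = {("login.live.com", "/oauth20_authorize.srf")}
SENSITIVE_SCOPES = {
    "wl.signin": "automatic sign-in",
    "wl.basic": "profile information and contact list",
    "wl.emails": "the user's email addresses",
    "wl.contacts_emails": "email addresses of contacts",
}
# Hypothetical allowlist of application client_ids the organisation approved.
APPROVED_CLIENTS = {"0000000040000001"}

# Constructed sample links: unknown app, approved app, plain sign-in page.
SAMPLE_LINKS = [
    "https://login.live.com/oauth20_authorize.srf?client_id=00000000DEADBEEF"
    "&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.net%2Fcb",
    "https://login.live.com/oauth20_authorize.srf?client_id=0000000040000001"
    "&scope=wl.signin&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.org%2Fcb",
    "https://login.live.com/",
]


def review_link(url):
    """Return a finding for an OAuth consent link, or None when the URL is
    not an authorization request at a known endpoint."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    if ((parts.hostname or "").lower(), parts.path) not in AUTHZ_ENDPOINTS:
        return None
    query = parse_qs(parts.query)
    client_id = query.get("client_id", [""])[0]
    # Scopes may be separated by spaces or commas.
    scopes = set(" ".join(query.get("scope", [])).replace(",", " ").split())
    risky = sorted(scopes.intersection(SENSITIVE_SCOPES))
    redirect = urlsplit(query.get("redirect_uri", [""])[0]).hostname
    return {
        "client_id": client_id,
        "redirect_host": redirect,  # where the authorization result is sent
        "risky_scopes": risky,
        # Flag: an unapproved application asking for personal data.
        "flag": client_id not in APPROVED_CLIENTS and bool(risky),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(review_link(link))
```
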

Read the full story<http://www.kaspersky.com/about/news/virus/2015/Live-ID-as-a-bait-Kaspersky-Lab-warns-of-a-new-scam>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
Social Communications Specialist
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu
tel: 617.253.2715





