[IS&T Security-FYI] Newsletter, December 14, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Dec 14 13:46:18 EST 2007
In this issue:
1. December 2007 Security Patches
2. Tip of the Week: Avoiding Spear Phishing Scams
-------------------------------------
1. Microsoft Security Patches
-------------------------------------
Microsoft security updates were released this month on Patch Tuesday
(December 11). Here is a run-down of the products that were affected:
* Microsoft Windows XP
* Microsoft Windows Vista
* Microsoft Windows Server
* Microsoft Internet Explorer
* Microsoft Windows Media Format Runtime
* Microsoft DirectX and DirectShow
Microsoft has provided updates for 3 critical and 4 important
vulnerabilities in the December 2007 security bulletins. The patches
have been approved for deployment via MIT WAUS.
Details on the vulnerabilities are listed in the security bulletin:
<http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx>
-----------------------------------------------------------------
2. Tip of the Week: Avoiding Spear Phishing Scams
-----------------------------------------------------------------
You've probably heard of the term "phishing" as it relates to
computer security: it is the practice of tricking people into willingly
offering up personal information about themselves, either through email
or a web page.
So what is spear phishing? You probably guessed it: a highly targeted
phishing attack, done through emailing all employees or members
within a certain company, government agency, organization or group.
Spear phishing scams try to gain access to a company's entire
computer system and are more sophisticated than regular phishing
attempts.
The message might look like it comes from your employer, or from a
colleague who might send email messages to everyone in the company,
such as the head of human resources or the person who manages the
computer system, and could include requests for user names or passwords.
This week, MIT was the victim of a spear phishing attack. The warning
that went out on December 12th about this attack was in response to
an email sent to MIT community members that looked like it came from
support at mit.edu and asked the recipient to send his or her password
to the sender. The email sender information had been faked or "spoofed."
Microsoft offers these tips to avoid spear phishing scams:
-- Never reveal personal or financial information in response to an
email request
-- If an email appears to be suspicious, call the person or
organization listed in the "from:" line
-- Never click on links in email messages that request personal or
financial information
-- Report any email that you suspect to be a spear phishing campaign
to your computer help group
-- Use a browser with a phishing filter which helps identify
suspicious web sites
If you think you're immune at MIT, think again! Eleven employees at a
nuclear research facility (smart people, wouldn't you think?) fell
for a phishy email, which appears to have been an attempt to steal
information.
Read the article here:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051701>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
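
Added example (not part of the original newsletter): a mail administrator's triage check for the pattern described in the tip above, a message that claims an internal sender, routes replies elsewhere and asks for a password. The domain example.edu, the keyword list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"  # assumption: placeholder for your organization's domain
CREDENTIAL_ASK = re.compile(r"\b(password|passphrase|user ?name|login)\b", re.I)

def domain_of(header_value):
    """Lowercased domain of an address header, or '' if missing or malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """List the reasons a message resembles a spoofed internal password request."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    if from_dom != ORG_DOMAIN and not from_dom.endswith("." + ORG_DOMAIN):
        return []  # only mail claiming an internal sender is in scope
    reasons = []
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            reasons.append(f"{header} domain {dom} differs from From domain {from_dom}")
    body = msg.get_payload()
    if isinstance(body, str) and CREDENTIAL_ASK.search(body):
        reasons.append("body asks for credentials")
    return reasons

# Constructed sample messages, not real mail.
SPOOFED = """\
From: Support <support@example.edu>
Reply-To: helpdesk@mail.example.net
Return-Path: <bounce@mail.example.net>
Subject: Account verification

To keep your account active, reply with your user name and password.
"""

LEGIT = """\
From: Support <support@example.edu>
Return-Path: <support@example.edu>
Subject: Scheduled maintenance

Mail service will be unavailable Saturday from 2 to 4 am.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, spoof_indicators(raw))
```

An empty result does not prove a message is genuine, since every header checked here can be set by the sender; treat the output as a reason to look closer, not as a verdict.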