[IS&T Security-FYI] Newsletter, December 14, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Dec 14 13:56:46 EST 2007
Clarification: In the Spear Phishing article below, MIT was not a
"victim" of the spear phishing attempt; I meant to say it was the
"target" of a scam.
Thanks,
Monique
On Dec 14, 2007, at 1:46 PM, Monique Yeaton wrote:
>
> In this issue:
>
> 1. December 2007 Security Patches
> 2. Tip of the Week: Avoiding Spear Phishing Scams
>
>
> -------------------------------------
> 1. Microsoft Security Patches
> -------------------------------------
>
> Microsoft security updates were released this month on Patch
> Tuesday (December 11). Here is a run-down of the products that were
> affected:
>
> * Microsoft Windows XP
> * Microsoft Windows Vista
> * Microsoft Windows Server
> * Microsoft Internet Explorer
> * Microsoft Windows Media Format Runtime
> * Microsoft DirectX and DirectShow
>
> Microsoft has provided updates for 3 critical and 4 important
> vulnerabilities in the December 2007 security bulletins. The
> patches have been approved for deployment via MIT WAUS.
>
> Details on the vulnerabilities are listed in the security bulletin:
> <http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx>
>
>
> -----------------------------------------------------------------
> 2. Tip of the Week: Avoiding Spear Phishing Scams
> -----------------------------------------------------------------
>
> You've probably heard of the term "phishing" as it relates to
> computer security: it is the method of tricking people into
> willingly offering up personal information about themselves either
> through email or a web page.
>
> So what is spear phishing? You probably guessed it: a highly
> targeted phishing attack, done through emailing all employees or
> members within a certain company, government agency, organization
> or group. Spear phishing scams try to gain access to a company's
> entire computer system and are more sophisticated than regular
> phishing attempts.
>
> The message might look like it comes from your employer, or from a
> colleague who might send email messages to everyone in the company,
> such as the head of human resources or the person who manages the
> computer system, and could include requests for user names or
> passwords.
>
> This week, MIT was the victim of a spear phishing attack. The
> warning that went out on December 12th about this attack was in
> response to an email sent to MIT community members that looked like
> it came from support at mit.edu asking for the recipient to send his
> or her password to the sender. The email sender information had
> been faked or "spoofed."
>
> Microsoft offers these tips to avoid spear phishing scams:
>
> -- Never reveal personal or financial information in response to an
> email request
> -- If an email appears to be suspicious, call the person or
> organization listed in the "from:" line
> -- Never click on links in email messages that request personal or
> financial information
> -- Report any email that you suspect to be a spear phishing
> campaign to your computer help group
> -- Use a browser with a phishing filter which helps identify
> suspicious web sites
>
> If you think you're immune at MIT, think again! Eleven employees at
> a nuclear research facility (smart people, wouldn't you think?)
> fell for a phishy email, which appears to have been an attempt to
> steal information.
>
> Read the article here:
> <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051701>
>
>
> =========================
> Monique Yeaton
> IT Security Awareness Consultant
> MIT Information Services & Technology (IS&T)
> (617) 253-2715
> http://web.mit.edu/ist/security
>
>
>