[IS&T Security-FYI] Newsletter, July 25, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Jul 25 10:20:55 EDT 2008


!! Happy System Administrator Appreciation Day <http://www.sysadminday.com/> !!


In this issue:

1. PHISHING WARNING: E-mail Allegedly from UPS Contains Virus
2. Five Easy Ways to Compromise Your Own Security
3. Misused SSNs are Not a New Phenomenon


-------------------------------------------------------------------------------------
1. PHISHING WARNING: E-mail Allegedly from UPS Contains Virus
-------------------------------------------------------------------------------------

Here is an example of how a virus is sent from a normally trusted  
source. An e-mail informing recipients that they have a package that  
the United Parcel Service could not deliver is actually a new computer  
virus, company officials said.

The e-mail that appears to come from UPS contains an attachment that  
recipients are told to open in order to make arrangements to pick up  
their shipment. The attachment is actually a computer virus. UPS said  
it may send official notification messages on occasion, but they  
rarely contain attachments. For questions about shipments or the
authenticity of e-mails, UPS customers are asked to send an e-mail to
customerservice at ups.com.

IS&T at MIT has already been contacted by users whose computers were  
infected by the virus after opening the attachment. These computers  
had VirusScan installed but didn't have the definitions updated.

The email will look similar to this:

=======================
From: UPS Packet Service
Subject: UPS Packet N0328795951

Dear Sir/Madam,

Unfortunately we were not able to deliver postal package you sent on  
July the 1st in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at  
our office.

Your UPS Agent

Attachment included:  invoice.zip
========================

Anybody who receives such an e-mail should delete it immediately. It  
is also best practice to not open attachments you are not expecting.  
To verify where an email originated from, a recipient can check the  
full mail header. More information on full mail headers can be found  
here: <http://web.mit.edu/stopit/fullheaders.html>
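
The header check described above, as an added example that is not part
of the original newsletter: a Python script that reads a message's full
headers, finds the first relay in the Received chain, and compares it
and the Return-Path with the domain claimed in From. The sample message
and every host, address and IP in it are constructed, and the function
names are chosen here.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above; hosts, addresses and IPs are made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
    by mailbox.example.edu; Fri, 25 Jul 2008 09:01:12 -0400
Received: from dsl-host.example.net (unknown [203.0.113.45])
    by mx.example.edu; Fri, 25 Jul 2008 09:01:10 -0400
From: "UPS Packet Service" <support@ups.com>
Subject: UPS Packet N0328795951
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please print out the invoice copy attached.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

(constructed placeholder, not a real archive)
--b1--
"""

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def within(host, dom):
    return host == dom or host.endswith("." + dom)

def review_headers(raw):
    msg = message_from_string(raw, policy=policy.default)
    claimed, bounce = domain(msg["From"] or ""), domain(msg["Return-Path"] or "")
    # Each relay prepends its Received line, so the last one in the list is the first hop.
    # The bracketed IP is what the receiving server saw; the host name is sender-supplied.
    hops = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)", hops[-1]) if hops else None
    host, ip = (m.group(1).lower(), m.group(2)) if m else ("", "")
    files = [p.get_filename() for p in msg.iter_attachments()]
    checks = [
        (bounce and not within(bounce, claimed), "Return-Path domain differs from From domain"),
        (host and not within(host, claimed), "first relay is outside the From domain"),
        (any(f.lower().endswith((".zip", ".exe", ".scr")) for f in files if f), "archive or executable attachment"),
    ]
    return {"from": claimed, "return_path": bounce, "origin": (host, ip),
            "attachments": files, "findings": [why for hit, why in checks if hit]}
```

Only Received lines added by your own mail servers can be trusted;
anything below them in the header was supplied by the sending side.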

If you are an MIT computer user needing help, contact
computing-help at mit.edu.

More information on the virus can be found here:
<http://www.ups.com/content/us/en/about/news/service_updates/virus_us.html>


--------------------------------------------------------------------
2. Five Easy Ways to Compromise Your Own Security
--------------------------------------------------------------------

Maybe you’ve effectively secured your IT resources against malicious  
security crackers, as much as reasonably possible. Perhaps it’s even  
secured against “acts of God.” There’s always at least one more  
danger: the danger that you’ll accidentally compromise security  
yourself.

There’s no way to compile a comprehensive list of all the ways you  
might let a well-protected system’s security slip through your  
fingers, of course. The kinds of mistakes you can make are innumerable.
The following list offers just a few all too common examples of how  
security is accidentally compromised from within, by someone  
somewhere, every day in this world.

Read full article here: <http://blogs.techrepublic.com.com/security/?p=494&tag=nl.e036>


----------------------------------------------------------
3. Misused SSNs are Not a New Phenomenon
----------------------------------------------------------

Here's an interesting tidbit of information. It goes to show that
misusing Social Security numbers (SSNs) is not a phenomenon new to
the digital age.

The most misused SSN of all time was 078-05-1120. In 1938, wallet  
manufacturer the E. H. Ferree company in Lockport, New York decided to  
promote its product by showing how a Social Security card would fit  
into its wallets. A sample card, used for display purposes, was  
inserted in each wallet. Company Vice President and Treasurer Douglas  
Patterson thought it would be a clever idea to use the actual SSN of  
his secretary, Mrs. Hilda Schrader Whitcher.

The wallet was sold by Woolworth stores and other department stores  
all over the country. Even though the card was only half the size of a  
real card, was printed all in red, and had the word "specimen" written  
across the face, many purchasers of the wallet adopted the SSN as  
their own. In the peak year of 1943, 5,755 people were using Hilda's  
number.

Read full article here: <http://www.socialsecurity.gov/history/ssn/misused.html>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security






