[IS&T Security-FYI] Newsletter, March 7, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Mar 7 12:44:49 EST 2008


In this issue:

1. Beware Phishing Attempts for MIT Webmail Passwords
2. US Data Breaches Quadrupled in 2007
3. Tip of the Week: Protecting Your Identity


-------------------------------------------------------------------------
1. Beware Phishing Attempts for MIT Webmail Passwords
-------------------------------------------------------------------------

Since last December, several higher education organizations have been
hit with a repeated wave of phishing attacks attempting to steal
email account passwords from unsuspecting recipients. MIT has been one
of the targets of these attacks (see the December 14 Security-FYI
newsletter). Do not reply to these emails; delete them
immediately. To reduce the number of such emails you receive in the future, you may
want to set your spam threshold to a more sensitive level
<https://nic-too.mit.edu/cgi-bin/spamscreen#scoring>.

An example of the phishing emails reads as follows (typos intact):

====

Dear Mit Webmail Subscriber,

To complete your Mit Webmail account, you must reply to this email  
immediately and enter your password here (*********)

Failure to do this will immediately render your email address  
deactivated from our database.

You can also confirm your email address by logging into your Mit  
Webmail account at

https://webmail.mit.edu/

Thank you for using Mit Webmail !

THE  Mit Webmail TEAM

====

Efforts are being made to spread the message to the MIT community
regarding these emails. Notices have been posted on 3-DOWN
<http://3down.mit.edu/3down/> and on the Webmail login page, warning email
users to NEVER respond to emails asking for passwords. MIT would
never request users to share their passwords with anyone at MIT,
including email or IT administrators.
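The spam-threshold advice above works because scoring filters add up
weighted indicators and compare the total to a cutoff. The following
is an added illustration, not IS&T's spam filter or any code from the
newsletter: a small rule-based scorer run over the quoted phishing
message and two constructed (made-up) messages, showing both how the
password-request phish scores and why a more sensitive threshold also
raises the risk of flagging legitimate mail. The rule weights and the
threshold values are assumptions chosen for the demonstration.

```python
import re

# Constructed sample messages. PHISH reproduces the wording of the
# phishing email quoted in this newsletter; BENIGN and MILD are made up.
PHISH = """Dear Mit Webmail Subscriber,
To complete your Mit Webmail account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your email address
deactivated from our database.
You can also confirm your email address by logging into your Mit
Webmail account at https://webmail.mit.edu/
Thank you for using Mit Webmail !
THE Mit Webmail TEAM
"""

BENIGN = """Hi team,
Reminder that the Wednesday meeting moved to 3pm.
Thanks, Dana
"""

# A legitimate notice that happens to use two "suspicious" words.
MILD = ("Our password policy changes next month; please read the "
        "attached guidance immediately.")

# (regex, weight, explanation) -- weights are assumed, not a real filter's.
RULES = [
    (r"\bpassword\b",                                2.0, "mentions a password"),
    (r"\breply to this (e-?mail|message)\b",         1.5, "asks for a reply containing data"),
    (r"\b(immediately|within \d+ (hours|days))\b",   1.0, "artificial urgency"),
    (r"\b(deactivat|suspend|terminat)\w*\b",         1.5, "threatens loss of the account"),
    (r"\bconfirm your (e-?mail|account)\b",          1.0, "asks to confirm the account"),
    (r"\(\*{3,}\)",                                  2.0, "blank field for a secret"),
]


def score_message(text):
    """Return (total score, list of matched rule explanations)."""
    score = 0.0
    hits = []
    for pattern, weight, why in RULES:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(why)
    return score, hits


def classify(text, threshold=5.0):
    """Label a message 'phish' when its score reaches the threshold.

    Lowering the threshold makes the filter more sensitive: it catches
    weaker phishing attempts but also starts flagging ordinary mail.
    """
    score, hits = score_message(text)
    label = "phish" if score >= threshold else "ok"
    return label, score, hits


if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("BENIGN", BENIGN), ("MILD", MILD)):
        for threshold in (5.0, 2.5):
            label, score, hits = classify(msg, threshold)
            print(f"{name:6} threshold={threshold}: {label:5} score={score} {hits}")
```

Running the block shows the quoted phish scoring 9.0 (flagged at either
threshold), the meeting reminder scoring 0.0, and the policy notice
scoring 3.0: accepted at the default threshold but flagged as soon as
the threshold is lowered to 2.5. That trade-off is exactly what users
accept when they move their spam threshold to a more sensitive level.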


-----------------------------------------------------
2. US Data Breaches Quadrupled in 2007
-----------------------------------------------------

The loss or theft of personal data such as credit card and Social  
Security numbers soared to unprecedented levels in 2007.  While  
companies, government agencies, schools and other institutions are  
spending more to protect ever-increasing volumes of data with more  
sophisticated firewalls and encryption, the investment often is too  
little, too late.

The San Diego-based Identity Theft Resource Center  
<www.idtheftcenter.org> lists more than 79 million records reported  
compromised in the United States through December 18th — a nearly  
fourfold increase from the estimated 20 million records reported in  
all of 2006. Another group, Attrition.org, estimates more than 162  
million records were compromised through December 21st worldwide.  
Attrition reported 49 million worldwide in 2006.

[source of this article: SANS Newsbites]


------------------------------------------------------
3. Tip of the Week: Protecting Your Identity
------------------------------------------------------

Criminals have learned that they don’t need to pull a gun on you to  
get your wallet or purse. They’re using the Internet to steal  
everything in your accounts — and your good credit too. How are they  
doing this?

Phishing (such as in the example given in the article above) involves  
sending an email that claims to be a legitimate business in an  
attempt to scam the user into surrendering private information.  
Pharming involves the same goals with a different method; malicious  
users employ spyware, keyloggers, domain spoofing, domain hijacking,  
or domain cache poisoning to obtain personal or private (usually  
financial) information.

To put it bluntly, criminals try to steal your identity by getting  
you to divulge financial data such as credit card numbers, account  
usernames, passwords, and social security numbers. They sell this  
information, and it then becomes an identity theft crime.

Take a few simple steps to stop them, and don’t become an identity  
theft statistic. Here are four rules to live by:

  * Rule 1: Stop clicking links in emails that direct you to your  
bank or a financial institution. Stop filling out forms sent to you  
by your bank or financial institution. If you want to visit the site  
to see if you need to confirm/update/verify your account, open up a  
browser and type the link or retrieve it from your favorites.

  * Rule 2: If you suspect an email is part of a phishing scheme,  
report it. Report it to the financial institution, the FTC, and the  
Internet Crime Complaint Center. Often the financial institution is  
aware of the scheme and will add a message to its website to warn its  
clients.

  * Rule 3: Update your browser, your antivirus software, and any
other security software. The latest versions of such software have
phishing filters that detect attempts and warn you if they suspect
you've surfed to a site that isn't legitimate.

  * Rule 4: Stop using public computers to access private
information. Internet kiosks at hotels and other businesses are
convenient but often have Trojans and keyloggers installed that
collect and transmit your information to the criminals. Access
personal and financial information only from a computer you trust to
be free from these evils. In addition, turn off peer-to-peer file
sharing when using your own computer on an unsecured network.

[source of this article: TechRepublic.com]


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
