Fake FDIC Emails Spread Malware

Security researchers from Sophos reported on August 30 a wave of malicious e-mails posing as official notifications from the Federal Deposit Insurance Corporation (FDIC). The rogue e-mails bear the subject “FDIC notification” and have their headers spoofed to appear to originate from a no.reply@fdic.gov address.

As with most spam e-mails, the message body is full of mistakes, which should serve as an indication that it did not originate from a government agency. The fake e-mails carry an attachment named FDIC_document.zip, which contains an executable file of the same name. The file has a PDF icon, and since Windows 7 hides known file extensions by default, it can easily trick users. The file is actually a Trojan that serves as a distribution platform for other malware, so running it will probably result in multiple infections.

Read the full story at Softpedia.com.
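As an added example (not from Sophos or the Softpedia story), a small Python check that applies the indicators described above to an incoming message: a From header claiming fdic.gov with no passing authentication result from the local gateway, and a zip attachment that contains an executable. The sample message and its archive are constructed placeholders, not the real lure.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute; Explorer hides known extensions by default, so a PDF icon passes.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def executable_members(zip_bytes: bytes) -> list[str]:
    """Names inside a zip attachment that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]  # a corrupt archive is treated as suspicious too

def check_message(raw: bytes, claimed_domain: str = "fdic.gov") -> list[str]:
    """Findings for one raw RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = str(msg.get("From") or "").lower()
    auth = str(msg.get("Authentication-Results") or "").lower()
    # From is free text: a government domain there without a passing SPF/DKIM
    # verdict from our own gateway is exactly the spoof described in the story.
    if claimed_domain in sender and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append(f"From claims {claimed_domain} but no authentication result passed")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {name}")
        elif name.endswith(".zip"):
            for member in executable_members(payload):
                findings.append(f"executable inside {name}: {member}")
    return findings

def build_sample() -> bytes:
    """Constructed lookalike of the lure (placeholder bytes, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FDIC_document.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "no.reply@fdic.gov"
    msg["Subject"] = "FDIC notification"
    msg.set_content("Your account have been suspend. See attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FDIC_document.zip")
    return msg.as_bytes()
```

Feed `check_message` the raw bytes of a quarantined message; two findings come back for the constructed sample, none for a message that carries a passing authentication result and document-only attachments.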

Apache Warns of Denial-of-Service Attack Vulnerability

A warning has been issued to owners of websites powered by the Apache webserver software of a vulnerability which can be exploited using a relatively low number of requests directed at the server to cause a Denial of Service condition.  A tool to exploit the vulnerability called “Apache Killer” has been released onto the Internet.

The vulnerability was originally identified over four years ago and impacts servers running all versions in the 1.3 and 2.0 releases.  A patch for the vulnerability should be released by the evening of August 26, but as release 1.3 is no longer supported, the patch will only apply to versions 2.0 and 2.2.

Read the full story at TheRegister.com or at Computerworld.com.

Apache developers posted an official advisory.

[Article source: SANS.org]

Browsers with Updates

On August 23, 2011, Google released Chrome 13.0.782.215 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to review the Google Chrome Releases page and update to Chrome 13.0.782.215 to help mitigate the risks.

On August 17, 2011, Mozilla released Firefox 6 and 3.6.20 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or obtain sensitive information. US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 6 and Firefox 3.6.20 and apply any necessary updates to help mitigate the risks.

NOTE to MIT: IS&T is not yet supporting Firefox 6 and is in the process of testing IS&T supported applications to make sure they are compatible with the newest version of Firefox. If you rely on MIT administrative browser-based software, you are advised to WAIT to upgrade to Firefox 6.

Security Breach at Yale Exposes 43,000 People’s Data

Yale University notified about 43,000 staff, students and alumni that their personal data, including their names and Social Security numbers, were publicly available on an FTP server. The breach occurred when the sensitive personal data stored on the FTP server became publicly available after Google made changes in September 2010 to how its search engine indexes and finds FTP servers. Yale personnel were not aware of this change and discovered the breach in June of this year.

The breach impacts anyone affiliated with Yale University in 1999.  Yale has “secured” the file and Google has confirmed it no longer stores the data.

Read the full story at Yaledailynews.com.

Best Practices for Securing Your Home Network

The National Security Agency (NSA) just released a useful guide called “Best Practices for Securing Your Home Network” that goes beyond home networks and wireless to cover email and traveling with mobile devices and more.  It’s worth making copies and distributing to your co-workers and employees.  What makes it particularly useful is that it reflects the real-world knowledge of the NSA Blue Teams and Red Teams.

On the back page are references to five additional guides: Social Networking, Defense Against Drive By Downloads, Defense Against Malicious E-mail Attachments, Mac OSX 10.6 Hardening Tips, and Data Execution Prevention.

You’ll find the PDF at the NSA web site.

Adobe Updates for Multiple Vulnerabilities


Here is some more information on the vulnerability in Photoshop. If a user opens a malicious GIF file with Photoshop CS 5.1 or earlier, the application could crash and an attacker could take control of the affected system.

The update for Adobe Photoshop CS 5.1 and earlier is unusual in that you cannot install it through the “check for updates” tool in Photoshop, nor is it accessible through the Adobe Application Manager, which is how other updates for Adobe products are installed.

To obtain the standard multiplugin update for Adobe Photoshop CS 5.1 and earlier, click on the appropriate link below for your system:

Photoshop CS5/CS5.1 for Windows

Photoshop CS5/CS5.1 for Windows (Win64)

Photoshop CS5/CS5.1 Macintosh

Be sure to follow the installation instructions on the downloads page.



There are multiple vulnerabilities found in various Adobe products. This month Adobe released updates to address these vulnerabilities.

Systems affected:

  • Shockwave Player 11.6 and earlier
  • Flash Media Server 4 and earlier
  • Adobe Flash Player 10.3 and earlier
  • Adobe AIR 2.7 and earlier
  • Adobe Photoshop CS5.1 and earlier
  • RoboHelp 9 and earlier

Users of these Adobe products should review the relevant security bulletins and follow the recommended solutions, which in most cases involve installing the newest update. An attacker may use these vulnerabilities to run malicious code (malware) or cause a denial of service on an affected system.

Click the links below to access the security bulletins for the affected systems:

Adobe Shockwave Player

Adobe Flash Media Server

Adobe Flash Player and AIR

Adobe Photoshop CS5



Updating Your Software

Security professionals and educators repeat this slogan again and again: Update, update, update! Your software, that is. This month SANS, a great resource for everything computer security related, covers this exact topic in OUCH!, the organization’s newsletter.

In this issue they start off with why keeping your software current is so important and how this is not just for computers, but also for mobile devices and even plug-ins for your browser. They also provide examples of how users can easily update their systems, and how they can verify if they are current.

OUCH! is the free monthly security awareness newsletter provided by SANS.

Security Tips for iPhone and iPad

An article posted on http://www.h-online.com last month describes three ways to make a thief’s life more difficult when trying to access your device.

The three tips provided are:

  1. Use a code lock – The simple passcode is a four-digit code, but you can turn off the simple passcode and use one that is longer than four digits.
  2. Encrypt your backups – If you sync your device with iTunes on a computer that is vulnerable, you put your data at risk. By encrypting the backup, you ensure that no data-seeking malware can access it.
  3. Implement a kill switch – Private users can create a free MobileMe account to remotely wipe the device and to find its current location. Users with an MIT business phone or iPad can do this via the Exchange interface.

Read the full article at www.h-online.com.

More details and instructions on protecting mobile devices can be found in IS&T’s Hermes knowledge base. Type “mobile device ninja” into the search bar.

August 2011 Microsoft Security Updates

Microsoft will release fixes for 22 vulnerabilities on Tuesday, August 9. The patches will address security issues in all supported versions of:

  • Internet Explorer
  • Windows
  • Windows Server
  • Visio
  • Visual Studio

The patches are described in 13 security bulletins, two of which have been given maximum severity ratings of critical. Read the full August bulletin.

You CAN Prevent Data Leaks at MIT

The history of cyber-criminal activity over the past few decades has shown that the bad guys will always find ways into our systems if they really want to, either through viruses, malware, tricks or brute force. This is in spite of our attempts to block such occurrences from happening with secure technology. So is it a losing battle? Not if we cover all bases.

There are three basic steps to ensure that even if a system is breached, no sensitive data is accessed.

  1. FIND IT: Know where the data resides so that measures can be taken to protect it. Take an audit of computers and servers to determine if sensitive data is stored on them or if they are being used to access data remotely.
  2. MINIMIZE IT: Remove all the sensitive data files from the places where they are no longer needed. Either secure delete them altogether or move them to a system that is less likely to be compromised. If you have multiple versions of the data, remove the unnecessary copies.
  3. SECURE IT: Comply with recommended protection methods for securing data, such as limiting access through secure authentication and encrypting systems where sensitive data resides.

Identity Finder is a software tool provided by IS&T that helps take action with all three of these steps. Identity Finder searches for data elements, such as Social Security numbers, passwords and financial account numbers. It reports when such data elements are found and gives the user the choice to shred the files, just remove the sensitive parts, or put the files in an encrypted vault. Identity Finder is supported by a console that provides centralized reporting and remote administration, remediation and scheduling.
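As an added example (not Identity Finder’s code or IS&T’s), a small Python scanner for the FIND IT step: it looks for Social Security numbers and payment card numbers in text, discards values that cannot be real (SSN areas the SSA never issues, card numbers that fail the Luhn checksum), and reports only the last four digits so the report itself does not become another copy of the data. The sample files are constructed, not real records.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed stand-in for a workstation audit (not real records).
SAMPLE_FILES = {
    "payroll_2010.txt": "Smith, J.  SSN 123-45-6789  refund to card 4111 1111 1111 1111\n",
    "contacts.txt": "Main office 617-555-0100\nticket 000-12-3456 (test value, never issued)\n",
    "inventory.txt": "serial 4111 1111 1111 1112 is a part number, not a card\n",
}

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, which removes most random-digit false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> list[tuple[str, int, str]]:
    """(kind, line_number, masked_value) per hit; only the last four digits reach the report."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append(("ssn", lineno, "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(("card", lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_files(files: dict[str, str]) -> dict[str, list[tuple[str, int, str]]]:
    """The FIND IT step over a name -> contents mapping; files without hits are omitted."""
    return {name: hits for name, text in files.items() if (hits := scan_text(text))}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(name, hits)
```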

Members of MIT who view, store or process MIT business data can obtain a free copy. For questions, please contact idfinder-help@mit.edu.
