[10225] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, May 5, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon May 5 14:18:24 2014

From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 5 May 2014 18:17:03 +0000

In this issue:

1. EVENT: Laptop Tagging and Registration on Wed. 5/7
2. The Rise of Identity Theft in Healthcare
3. Phishing Scheme Used VoIP to Steal Debit Card Data
4. Hackers Lurk in the Strangest Places


----------------------------------------------------------------------------
1. EVENT: Laptop Tagging and Registration on Wed. 5/7
----------------------------------------------------------------------------

This Wednesday, there is an opportunity to register and tag your laptop.

Where: Lobby of Building 10
When: Wed., May 7, 11:00 am - 12:30 pm

Cost: $10 cash (no cards) or MIT Cash Object

Just as you might register a bike with the police, you can also register your laptop. Information Systems & Technology partners with MIT Police to provide STOP (Security Tracking of Office Property) tags for laptops. The tag is affixed to the device, has a unique number, and is registered with a world-wide database.

Sgt. Cheryl Vossmer of the MIT Police says that although a STOP tag is not software that can track a device via GPS or other means, it has been very effective at providing a way for lost or stolen laptops to be returned to their rightful owners.

Read laptop recovery stories here<https://www.stoptheft.com/>.

Learn more about laptop registration at MIT<http://kb.mit.edu/confluence/display/istcontrib/MIT+Police+Laptop+Tagging+and+Registration>.


--------------------------------------------------------
2. The Rise of Identity Theft in Healthcare
--------------------------------------------------------

The Identity Theft Resource Center produced a survey last month showing that medical-related identity theft accounted for 43% of all identity thefts reported in the US in 2013. This amount is far greater than identity theft involving banking, finance, the government, military or education. Since 2009, between 27.8 million and 67.7 million people have had their medical records breached.

Stolen medical information is generally used to commit insurance fraud and illegally obtain prescription drugs.

Unfortunately, victims of this type of identity theft have some of the least recourse. They experience financial repercussions and may often find erroneous information added to their medical files. According to James Pyles, a Washington, DC lawyer, “It’s almost impossible to clear up a medical record once medical identity theft has occurred.”

Identity theft occurs when someone gains unauthorized access to the medical information and passes it on without permission (20%) or when systems are hacked (14%).

But the majority of identity theft (over 50%) occurs when the theft of a computer or other medical device is involved. This is why it’s so important to protect those devices. “We say, encrypt, encrypt, encrypt,” says Rachel Seeger, a spokesperson for the US Department of Health and Human Services.

Read the full story online<http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/>.


----------------------------------------------------------------------------
3. Phishing Scheme Used VoIP to Steal Debit Card Data
----------------------------------------------------------------------------

In a new variation on phishing campaigns, thieves used text messages and VoIP (voice over Internet protocol) calls to steal debit card data from customers of a number of US financial institutions. The method is called voice phishing or “vishing” (using a phone to scam customers).

The targeted bank customers received text messages telling them their debit card had been deactivated and were given a phone number to call to reactivate the card. The number sent them to an interactive voice response (IVR) system that asked for their debit card number and PIN.

Read the full story online<http://www.computerworld.com/s/article/9248027/Voice_phishing_scheme_lets_hackers_steal_personal_data_from_banks>.


-----------------------------------------------------
4. Hackers Lurk in the Strangest Places
-----------------------------------------------------

When hackers were unable to gain access to Target’s records through their main system, they went through its heating and cooling system. In other cases, hackers have used printers, thermostats, video-conferencing equipment and a Chinese takeout menu.

A Chinese takeout menu? Yes, when hackers couldn’t breach the computer network at a big oil company, they planted malware in the online menu of a Chinese restaurant that was popular with employees of the oil company. When workers browsed the menu, they inadvertently downloaded code that gave attackers a foothold in the business’ network.

Companies that are doing everything possible to seal up their systems are now having to look in the unlikeliest places for vulnerabilities. The situation has grown increasingly complex and urgent. Access to a network is given to all kinds of other computerized systems and services, including heating, ventilation and cooling systems, billing and expense systems, health insurance providers and even vending machines.

While security researchers are often employed to find such leaks in a system, it is now becoming as difficult as finding a needle in a haystack.

Read the full story online<http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715



