[10270] in Security FYI
[IS&T Security-FYI] Security FYI Newsletter, May 28, 2015
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Thu May 28 11:33:40 2015
Resent-From: ist-security-fyi@mit.edu
From: Monique Buchanan <myeaton@mit.edu>
To: ist-security-fyi <ist-security-fyi@mit.edu>
Date: Thu, 28 May 2015 15:31:46 +0000
Message-ID: <47BD34CE-51C0-4458-AB78-548DF8C12FA6@mit.edu>
In this issue:
1. The Cyber Generation Gap
2. Android Phone Factory Reset Feature is Flawed
3. Phishing Attack List: Windows Live ID Scam
----------------------------------------
1. The Cyber Generation Gap
----------------------------------------
The May issue of OUCH!, led by Guest Editor Brian Honan, is focussed on securing the cyber generation gap. Many of us have family members that may not be technically savvy and are intimidated by security. This newsletter explains how you can help those family members and any children that may be visiting them.
Feel free to share OUCH! with anyone you want, including family, friends or as part of your security awareness program.
Download the issue here (.pdf)<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201505_en.pdf>
-------------------------------------------------------------------
2. Android Phone Factory Reset Feature is Flawed
-------------------------------------------------------------------
An estimated 500 million Android phones don't completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts.
In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google's Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they're sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.
The findings, published in a research paper titled Security Analysis of Android Factory Resets<http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf> (.pdf), are sure to be a wake-up call for individual users and large enterprises alike. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept.
Read the story in the news<http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/>.
--------------------------------------------------------------
3. Phishing Attack List: Windows Live ID Scam
--------------------------------------------------------------
Kaspersky Lab experts are warning of a new scam<http://www.kaspersky.com/about/news/virus/2015/Live-ID-as-a-bait-Kaspersky-Lab-warns-of-a-new-scam> that uses Windows Live ID as bait to catch personal information stored in user profiles on services like Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.
What appears to be a typical phishing email contains a link that goes to the actual Windows Live website, with no apparent attempt to get the victims' logins and passwords. So what's the trick?
* After following the link and authorizing the account, users receive a prompt: an application requests permission to automatically log into the account, view the profile information and contact list, and access a list of the users' email addresses.
* Users who click "Yes" don't give away their login and password credentials, but they do provide their personal information, the email addresses of their contacts and the nicknames and real names of their friends.
Scammers gained access to this technique through security flaws in the open protocol for authorization, OAuth. The collected information can be used for fraudulent purposes, such as sending spam to the contacts in the victim's address book or launching spear phishing attacks.
Read the full story<http://www.kaspersky.com/about/news/virus/2015/Live-ID-as-a-bait-Kaspersky-Lab-warns-of-a-new-scam>.
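
The following is an added example, not part of the newsletter or of the Kaspersky report: a mail-triage check that reads the OAuth parameters out of a link pointing at a genuine identity provider and reports which application is asking for consent and what it would receive. The scope names (Live Connect style), the authorization path, the allowlist and the sample link are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: Live Connect style scope names, mapped to the permissions the
# newsletter describes. The newsletter itself names no scopes.
SENSITIVE_SCOPES = {
    "wl.signin": "automatic sign-in",
    "wl.basic": "profile information and contact list",
    "wl.emails": "the user's email addresses",
    "wl.contacts_emails": "email addresses of contacts",
}
# Hypothetical allowlist of client_id values the organisation has reviewed.
APPROVED_CLIENT_IDS = {"0000000040000001"}


def triage_consent_link(url, trusted_hosts=("login.live.com",)):
    """Return a list of findings for an OAuth authorization link."""
    parts = urlsplit(url)
    if parts.hostname not in trusted_hosts:
        # A different problem: a look-alike login page (classic phishing).
        return [f"host {parts.hostname!r} is not a known identity provider"]
    params = parse_qs(parts.query)
    findings = []
    client_id = params.get("client_id", [""])[0]
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"unreviewed application client_id={client_id!r}")
    # Scopes are space-delimited (RFC 6749); commas are tolerated here too.
    raw_scope = params.get("scope", [""])[0]
    for scope in raw_scope.replace(",", " ").split():
        if scope in SENSITIVE_SCOPES:
            findings.append(f"grants {SENSITIVE_SCOPES[scope]} ({scope})")
    # The authorization result is delivered to redirect_uri, so its host
    # shows who ends up holding the access.
    redirect_host = urlsplit(params.get("redirect_uri", [""])[0]).hostname
    if redirect_host and redirect_host not in trusted_hosts:
        findings.append(f"authorization result is sent to {redirect_host!r}")
    return findings


# Constructed sample: genuine provider host, unknown app, broad scopes.
SAMPLE = (
    "https://login.live.com/oauth20_authorize.srf"
    "?client_id=00000000DEADBEEF&response_type=code"
    "&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails"
    "&redirect_uri=https%3A%2F%2Fapp.example.net%2Fcallback"
)

if __name__ == "__main__":
    for finding in triage_consent_link(SAMPLE):
        print("-", finding)
```

A link can pass every "is this the real login site?" check and still be flagged here, which is the case the item above describes.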
=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================
Monique Buchanan
Social Communications Specialist
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu
tel: 617.253.2715