[898] in Security FYI
Re: [IS&T Security-FYI] Newsletter, December 14, 2007
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Fri Dec 14 14:04:57 2007
In-Reply-To: <1E0185BF-E248-4CE8-8851-81A569822844@MIT.EDU>
Message-Id: <3EBC5368-4FAA-491E-AD1F-8F8A111AC584@mit.edu>
From: Monique Yeaton <myeaton@mit.edu>
Date: Fri, 14 Dec 2007 13:56:46 -0500
To: ist-security-fyi@mit.edu
Cc: "itss@mit.edu" <itss@mit.edu>

Clarification: In the Spear Phishing article below, MIT was not a
"victim" of the spear phishing attempt; I meant to say it was the
"target" of a scam.

Thanks,
Monique

On Dec 14, 2007, at 1:46 PM, Monique Yeaton wrote:
>
> In this issue:
>
> 1. December 2007 Security Patches
> 2. Tip of the Week: Avoiding Spear Phishing Scams
>
>
> -------------------------------------
> 1. Microsoft Security Patches
> -------------------------------------
>
> Microsoft security updates were released this month on Patch
> Tuesday (December 11). Here is a run-down of the products that were
> affected:
>
> * Microsoft Windows XP
> * Microsoft Windows Vista
> * Microsoft Windows Server
> * Microsoft Internet Explorer
> * Microsoft Windows Media Format Runtime
> * Microsoft DirectX and DirectShow
>
> Microsoft has provided updates for 3 critical and 4 important
> vulnerabilities in the December 2007 security bulletins. The
> patches have been approved for deployment via MIT WAUS.
>
> Details on the vulnerabilities are listed in the security bulletin:
> <http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx>
>
>
> -----------------------------------------------------------------
> 2. Tip of the Week: Avoiding Spear Phishing Scams
> -----------------------------------------------------------------
>
> You've probably heard of the term "phishing" as it relates to
> computer security: it is the method of tricking people into willingly
> offering up personal information about themselves either through email
> or a web page.
>
> So what is spear phishing? You probably guessed it: a highly
> targeted phishing attack, done through emailing all employees or
> members within a certain company, government agency, organization
> or group. Spear phishing scams try to gain access to a company's
> entire computer system and are more sophisticated than regular
> phishing attempts.
>
> The message might look like it comes from your employer, or from a
> colleague who might send email messages to everyone in the company,
> such as the head of human resources or the person who manages the
> computer system, and could include requests for user names or
> passwords.
>
> This week, MIT was the victim of a spear phishing attack. The
> warning that went out on December 12th about this attack was in
> response to an email sent to MIT community members that looked like
> it came from support@mit.edu asking for the recipient to send his
> or her password to the sender. The email sender information had
> been faked or "spoofed."
>
> Microsoft offers these tips to avoid spear phishing scams:
>
> -- Never reveal personal or financial information in response to an
> email request
> -- If an email appears to be suspicious, call the person or
> organization listed in the "from:" line
> -- Never click on links in email messages that request personal or
> financial information
> -- Report any email that you suspect to be a spear phishing
> campaign to your computer help group
> -- Use a browser with a phishing filter which helps identify
> suspicious web sites
>
> If you think you're immune at MIT, think again! Eleven employees at
> a nuclear research facility (smart people, wouldn't you think?)
> fell for a phishy email, which appears to have been an attempt to
> steal information.
>
> Read the article here:
> <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051701>
>
>
> =========================
> Monique Yeaton
> IT Security Awareness Consultant
> MIT Information Services & Technology (IS&T)
> (617) 253-2715
> http://web.mit.edu/ist/security
>
>
>