Information Security
Information Systems

 

Important News

 

Targeted Attacks Spoof Dept. of Justice & Better Business Bureau (November 19 & 21, 2007) There are reports that targeted email messages with malicious attachments are spreading; these messages appear to come from the US Department of Justice (DOJ) and the Better Business Bureau (BBB) and address the recipients by name.  The bodies of the messages refer to complaints made against the recipients and/or their companies.  The attachments accompanying the messages contain malware hidden in screensaver files.

http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog

http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034626-39000005c

http://www.vnunet.com/vnunet/news/2203920/companies-warned-doj-virus

 

 

Facebook Users Give Beacon a Thumbs Down (November 21 & 22, 2007) Facebook users are protesting a new feature called Beacon that informs Facebook friends about their recent online purchases.  Following purchases at participating online retailers, users are alerted to the imminent sharing of the purchase information with Facebook by a small box that appears in the corner of a screen for less than half a minute.

If they don't click "no thanks" in the box within the allotted time, their consent to share the information is assumed.  The next time they log on to Facebook, they are notified that the information is going to be shared with friends, but that alert is apparently easy to miss as well.  Privacy rights advocates say the program violates user privacy because it is not an opt-in system.

http://www.smh.com.au/news/web/facebook-users-arc-up-over-tracking/2007/11/22/1195321910925.html

http://www.eweek.com/article2/0,1895,2220367,00.asp

 

 

"Verified by Visa" Phishing Scam Targets BofA Customers (September 24 & 26, 2007) Phishing emails have been detected that pretend to be related to the legitimate Verified by Visa program.  Participants in the program enroll their Visa cards so that online transactions will require a password.

The link provided in the message takes people to a fraudulently constructed site where they are asked to supply their card information purportedly to activate the authentication program.  The message concludes by threatening that if they do not enroll, their card may be temporarily disabled, an indication that the email is not legitimate.

The phony messages specifically mention Bank of America (BofA); because so many people have cards from BofA, the likelihood that these messages result in theft of financial information is higher.

http://www.theregister.co.uk/2007/09/26/verified_by_visa/print.html

http://www.consumeraffairs.com/news04/2007/09/visa_scam.html

From Microsoft's TechNet

If you are running Windows Vista Sidebar Gadgets, be aware that they are subject to cross-site scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user. Check out Inspect Your Gadget, an article that outlines some of the secure programming best practices that should be considered when building Windows Vista Sidebar Gadgets.

 

Identity Fraud Through Peer-to-Peer File Sharing: Kopiloff Arrested (September 6, 2006) Seattle Police have arrested Gregory Thomas Kopiloff for allegedly using file-sharing software to gather information used in identity fraud.

Kopiloff allegedly used Limewire and Soulseek peer-to-peer (P2P) file sharing programs to dig through other users' computers for financial data.  He then allegedly opened credit cards with that information, made more than US $37,000 in purchases, and resold them at discounts.

Charges against Kopiloff include mail fraud, accessing a protected computer, and two counts of aggravated identity theft.  This appears to be the first case of someone being arrested for using P2P software to deliberately commit identity fraud.

http://www.forbes.com/feeds/ap/2007/09/06/ap4091243.html

 

Flux Bot Spreads Through Infected MySpace Pages (June 29, 2007) MySpace users are being targeted by a drive-by exploit that surreptitiously recruits their computers to be used in a sophisticated botnet scheme.  When MySpace users visit profile pages infected with certain malicious JavaScript, they are redirected to a known Internet Explorer (IE) exploit that installs a proxy network bot, or flux bot, on the machine.  Infected profile pages are being shut down as they are detected.

http://www.scmagazine.com/us/news/article/667981/myspace-users-warned-drive-by-exploit-attack/

http://isc.sans.org/diary.html?storyid=3060&rss

 

 

Not surprisingly, phishers have already begun exploiting the popularity of iPhones to spread malware.  The emails tell the recipients they have won an iPhone; when they click on the provided link, they are directed to a site that tries to install malware on their computers.  The site hosts more than 10 different exploits to take advantage of a variety of browser vulnerabilities to boost the likelihood that malware will be installed on their computers.  Users whose computers try to access the malicious code site more than once are redirected to a benign site.

http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339279440-130061744t-110000005c

 

Storm Trojan Variant Spreading Through Phony eCard Links (June 28 & July 2, 2007) Malware believed to be a variant of the Storm Trojan horse program spreads through email claiming to offer a link to an e-card sent by a relative.  The link leads to a site that attempts to exploit three different vulnerabilities in the hope of downloading malware onto users' computers. This particular attack checks to see if JavaScript is enabled; if it is not, users are prompted to download an .exe file so that they become infected.  The Storm Trojan recruits infected computers to be used as part of a botnet.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025898&source=NLT_AM&nlid=1

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001991

http://www.theregister.co.uk/2007/06/29/ecard_storm_trojan/print.html

 

Recording Industry Group Launches Settlement Campaign to Universities

In a bold move to quash illegal music file sharing, the Recording Industry Association of America (RIAA) stated on Thursday, March 1, 2007 it would be notifying university student offenders across the country of a last chance opportunity to settle with the industry before legal actions would be filed in the courts. The first round of letters to be sent out on Thursday span the country with (the) University of South Florida with 31

http://www.worldmusiccentral.org/article.php/20070301190517518

 

Tip: Don't plug in USB drives that you find lying around.  Criminals can use them to steal your data 

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union.  He loaded malicious software on old thumb drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait.  His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link:

http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

 

SANS Security Tip of the Day 

If you get up from your computer, lock it!

"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.

 


Staff

Tim Bulu
Director of Information Security
E-mail: tbulu@hsc.usf.edu
Phone: 813-974-6288

Ben Glover
Desktop Security Analyst
E-mail: bglover@hsc.usf.edu
Phone: (813) 974-6288