Watch What You Click: Part 6,452
How many times have you had to tell your users not to click on unknown links,
not to open attachments from unrecognized addresses, and so on? Are they listening?
They may well be. Even if they are, though, a new threat reported by Exploit
Prevention Labs still gets around even the sharpest common sense with a sneaky
bit of social engineering.
Apparently, the perpetrators try to get you to click on what looks like a normal
YouTube address. The trouble is -- it's not. You're sent to a different address
that hits you with a lovely bouquet of threats like keyloggers, spyware and
rootkits. Yikes. That's like going in to watch Shrek the Third and seeing
Saw III instead.
It's classic social engineering -- preying on users' trust and getting them
to do something they think is completely safe. But then, we're never really
completely safe on the Internet any more, are we?
You can check out the blog by EPL's Roger Thompson for more on the YouTube
spam exploit. And watch what you click.
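One way to catch the trick described above before a user gets the chance to click, as an added example that is not EPL's code or anything from Roger Thompson's blog: a small Python check over the HTML of a message that flags anchors whose visible text is a URL for one host while the href actually points at another, and anchors whose real host name-drops "youtube" without being a real YouTube host. The sample message, the trusted-host list and the host names in it are constructed for illustration, not taken from the spam run.

```python
"""Flag HTML links whose visible text suggests one destination but whose
href points somewhere else (the "looks like a YouTube address" trick).
Added example with a constructed sample message, not real spam."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the hosts we treat as genuinely YouTube.
TRUSTED_YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}


def _host(url):
    """Lower-cased host name of a URL; tolerates a missing scheme, userinfo and ports."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc.lower()
    return netloc.split("@")[-1].split(":")[0]


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each anchor that looks deceptive."""
    parser = _Links()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        href_host = _host(href)
        reasons = []
        # 1. The visible text is itself a URL, but its host is not where the link goes.
        if text and ("://" in text or text.lower().startswith("www.")):
            if _host(text) != href_host:
                reasons.append("text/href host mismatch")
        # 2. The real destination mentions youtube but is not a trusted YouTube host
        #    (e.g. www.youtube.com.example.net, which is really example.net).
        if "youtube" in href_host and href_host not in TRUSTED_YOUTUBE_HOSTS:
            reasons.append("lookalike host")
        if reasons:
            found.append((href, text, "; ".join(reasons)))
    return found


# Constructed sample: one mismatch, one lookalike host, one honest link.
SAMPLE = """<p>Check out this video!</p>
<a href="http://198.51.100.7/install.php">http://www.youtube.com/watch?v=abc123</a><br>
<a href="http://www.youtube.com.example.net/watch">click here</a><br>
<a href="http://www.youtube.com/watch?v=abc123">http://www.youtube.com/watch?v=abc123</a>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE):
        print(f"{reason}: '{text}' -> {href}")
```

Run over the constructed sample, the first two anchors are reported (host mismatch, then lookalike host) and the honest third one is not. The lookalike check is deliberately exact-match against a short allow list rather than a substring test, because "youtube.com" appearing somewhere in a host name is exactly what the lookalike relies on.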
Have you fallen victim to something like this? Have your users? How do you
go about protecting your users from social engineering like this? Send your
tales of horror (rated PG-13 or lower) to [email protected].
Microsoft Release Updates
Our buddies in the Pacific Northwest have been mighty busy. There's news about
two of the major releases coming in the fourth quarter of 2007 or the first
quarter of 2008 (which I've heard several Redmondians refer to as Q5).
System Center Configuration Manager is coming soon. And, of course, the one,
the only...Windows Server 2008 (previously called "Longhorn"). Microsoft's
long, dusty cattle drive is actually nearing completion.
Microsoft just announced the RTM (release to manufacturing, which means it's
mostly done noodling around with the code -- mostly) of SCCM 2007. Check out
the System Center Web site for download details.
The new SCCM 2007 has several major upgrades:
- Comprehensive deployment and update tools
- Enhanced insight and control
- Extensible optimization for Windows
- Server, client and mobile device management
We hear Microsoft will soon be announcing a release candidate for Windows Server
2008. Originally scheduled to be rounded up by the end of the year, it looks
like it has slipped into Q5, or "early" 2008. Dare I say Q1 2008?
What are your plans with all the new, major releases coming from Microsoft?
Have you upgraded? Do you plan to upgrade? Wait and see. Please let me know
as we'll be covering the acceptance and deployment of the big guns quite a bit
in the coming months. Release your thoughts at [email protected].
More on Monster
This Monster.com breach debacle keeps getting more interesting. Apparently,
Monster waited up to five days to inform users about the recent security breach.
Hackers got in and grabbed confidential information -- like names, physical
addresses, phone numbers and e-mail addresses -- from nearly 1.3 million job
seekers. Monster first learned about the breach from Symantec investigators
on Aug. 17, and Monster and Symantec security forces were able to shut down
the attack by late in the day on Aug. 20.
However, it wasn't until last Wednesday, Aug. 22 -- after the dust had settled
-- that Monster posted a warning on its Web site. So those affected job seekers
were blissfully ignorant of their compromised information for an extra couple
of days.
Monster maintains a database of nearly 73 million resumes, so that 1.3 million
might not sound like a very big slice of its pie. Still, I wouldn't want anyone
to grab my resume unless they were planning on adding me to their payroll and
letting me take over the corner office.
Does your organization have a policy on reporting security breaches? Have you
ever gone through this process, either on the corporate end or the customer
end? What do you think Monster should have done? Don't wait two days; tell me
now at [email protected].
Laptop Data Theft: Part 2,432
Seems like there's a story every other week about the theft of a laptop or mobile
device packed to the gills with the public's personal information. Here's this
week's installment:
The names and Social Security numbers (that's the golden nugget for ID thieves)
of more than 106,000 registered taxpayers in Connecticut were on a laptop
recently stolen from the Connecticut Department of Revenue's headquarters in
Hartford. The laptop in question is indeed password-protected, though a logon
password by itself does nothing for the data at rest: unless the disk is
encrypted, whoever has the machine can pull the drive and read the files.
Starting today, citizens can log on to the DoR's Web site to see if their
names were among the purloined.
At least this wasn't a case of unnecessary risk, like someone carrying an entire
agency's worth of citizens' personal data around on a mobile device as if there
were nothing to it. Still, there clearly need to be stronger physical
data-protection measures in place to protect people. We've spent so much time,
money and effort on electronic and online protection that sometimes the gates,
guards and guns get forgotten. Here's a plea to those who maintain public data:
When you leave your desk to go to lunch, please lock up your laptop.
Have you ever been part of one of these public disappearing-data debacles?
Are you charged with maintaining public information? How do you physically safeguard
your devices? Let me know -- then lock up your laptop -- at [email protected].
Mailbag: Acer Grabs Gateway, Monster's Monster Problem
Yesterday, Peter reported on Acer's acquisition of Gateway. Here are some of
your thoughts on the buyout -- and the PC maker with the memorable cow-themed boxes:
I hope Gateway quality does not suffer. All of the Acer PCs I have seen,
including some just a year ago, were poor quality like they have always been.
-Jim
My first computer was a Gateway, in late 1993. I think it was a 486MHz
and I remember being concerned that it was "Pentium-ready" (it was).
I eventually got the processor overdrive thingy. It had 16MB of RAM and I
think a 320MB hard drive. I spent almost every evening sitting at that PC,
eating my dinner from a plate in my lap, in order to learn "computer
skills" like typing. That Gateway served as the domain controller for
my NT domain which I built in order to learn about the technology.
It finally died at some point, but it lasted for years. I was pretty
sad when I took it to the recycler. Felt kind of like I was abandoning it.
-J.C.
Gregory gives us his 2 cents on the Monster.com phishing saga:
I just wanted to let you know that I received a bogus e-mail from Monster
back on April 8 wanting me to download a job tool if I wanted to continue
accessing my account with Monster. Everyone is saying this started in June,
but I suspect this has been happening for much longer. I received two or three
of these e-mails, I think, before the one I kept in April.
-Gregory
Got something to add? We want to hear it! Leave a comment below or send an
e-mail to [email protected].
About the Author
Lafe Low is the editorial liaison for ECG Events.