Information Security
Looking for Campus Security?
Current News
- Fake "shipping confirmation" and similar unexpected confirmation messages containing malicious attachments have been increasing in frequency recently. Some of these are correctly spam-tagged and will be filtered into your spam mailbox or detected and quarantined by antivirus, but some may get through. Legitimate sites will not send a confirmation message whose important details are present only in an attachment.
- Client-side attacks are on the rise and are currently the most common way for computer workstations to be compromised, leading to data theft, spamming, botnet participation, further system compromise using the workstation as a jumping-off point, etc. Client-side attacks can be conducted via email messages that include malicious attachments or point the user to a malicious website, or via malicious websites that the user encounters while browsing the web. Some malicious websites are intentionally so, and some are legitimate sites that have been compromised and are hosting malicious code without the knowledge of the site's owner. Client-side attacks may rely on tricking the user into installing malicious software, but increasingly they also take advantage of out-of-date software installed on the victim's computer. Operating system updates such as Windows Update do not update all of the software installed on a computer. Some examples of software that needs to be kept up to date on security patches include Adobe PDF Reader, QuickTime, Adobe Flash, Microsoft Office, Firefox, Java, and RealPlayer. In addition to keeping your software up to date on security patches, a big security improvement can be gained by changing the account you use for routine computing to an unprivileged one.
- Like many other universities, Caltech has been targeted recently by scammers who send email to Caltech users demanding that the recipient respond with username/password information, with a threat of account deletion if the recipient does not comply. IMSS will never ask you for your password, and we strongly recommend against ever sending passwords in unencrypted email messages.
- Did you know? Caltech has a policy regarding the handling of sensitive or private information. If your work involves data such as social security numbers, credit card numbers, bank account numbers, or people's personal information, be sure you are in compliance with this policy. And make sure that you really need this information. The best way to prevent exposure of private data is not to store it in the first place.
- Browser vulnerabilities can be exploited by a malicious website that unsuspecting users reach through a set of web search results, by clicking a malicious link in an email or instant message, or by visiting an otherwise-legitimate site that has been compromised. Consider taking the following steps to help guard against browser-based exploits:
  - Use another browser as your default, reserving Internet Explorer for sites that don't work correctly without it. Be sure to keep your default browser up to date on patches, since other browsers are not immune to security problems either. The most current version of Firefox includes some security and stability fixes. Opera is another popular alternative browser.
  - Take advantage of IE's "zones" feature to restrict ActiveX scripting and JavaScript support for sites in the "Internet" zone. See the Microsoft instructions mentioned below for more information.
  - Configure your mail client to display mail in plain text, not rendered HTML.

  Microsoft provides instructions for configuring Internet Explorer's Zones and for setting Outlook 2002, Outlook 2003 and Outlook Express to display mail in plain text.
  - Configure your instant messaging client to display messages in plain text, not rendered HTML, and exercise the same caution in clicking on URLs received via IM as you would via email. Note that several Windows worms with rootkit functionality propagate via malicious links sent over instant messaging to everyone in an infected system's buddy list.
IMSS Security Alerts mailing list and archive
last updated 14 October 2009