As with most phish messages, this one also attempts to direct users to email their password and reply via email.

The savvy Case User knows that ITS will never ask for such information.
Please continue to report any phishing events to the Case Help Desk.

*ELSEVIER:*

*BUILDING INSIGHTS; BREAKING BOUNDARIES*

*MANUSCRIPTS SUBMISSION*

The spoofed message is gathering technical papers and asking for documents to be sent to an email address ending with "...@live.co.uk"

The real Elsevier does not solicit publications via email, and their email address ends with "...@elsevier.com."

Unlike the general phishing messages that are trying to dupe users into giving up sensitive information (e.g. userID and passwords), this phish will likely land the user on a spam list of persons with research interests.

As ususal, phish can be reported to pirt@castlecops.com or simply used to tune your spam filters.

Mac users are advised to update operating systems via the Software Update function as soon as practicable.

The Apple Article HT2163 provides additional details.

Due to the significant use of Adobe Flash in many academic and research pursuits, Case users are strongly encouraged to immediately update to the latest version of Adobe Flash, v. 9.0.124.0.

For Mac users, the Apple Security Update 2008-03, released May 28, 2008, includes this update. Running the Software Update from the System Preferences panel will address this vulnerability, along with a number of other fixes that have been bundled into this software udpate.

Overall protection of the browser is the high-level recommendation to prevent the casual compromise of a user workstation due to web browsing. The SANS Institute recommends some simple configuration fixes that would prevent such an exploit:
* In Firefox, you can use either of the following add-ons, NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
* In IE, see here for how to set the "killbit", the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.

The US-CERT provides some great guidelines for Browser Security which Case recommends for all users.

Case Unix admins and Linux users are advised to review their SSH logs and report any attempted exploits, successful or not, to the Case Help Desk, 368-HELP.

The SANS Internet Storm Center (ISC) provides specific guidance on how to protect their systems (the first url below).
-http://isc.sans.org/diary.html?storyid=4408
-http://www.scmagazine.com/uk/news/article/809222/brute-force-ssh-attacks-surge/
-http://www.securityfocus.com/news/11518

Case has received several in the past few weeks. As usual, keep in mind the modus operandi is to collect your credentials (userID and password). These items are Tier III information and should not be disclosed to anybody.

Case will never ask you for such information, especially via email. Email is like a postcard. You should never send sensitive information via email.

The new practice involves a closure of network accounts within one business day of termination of employment status. This window applies to faculty and staff. Students will retain their current 180-day grace period. The policy has been coordinated with HR procedures and defines the extent of IT privileges based on the individual's relationship with the University.

Supervisors and managers are advised to take notice of the changes, and coordinate in advance when staff depart. Once accounts are closed, no incoming email or access is available for that terminated staff. The use of a mailing list alias at lists.case.edu is recommended for ensuring the consistency of incoming email communications.

"IMPORTANT NOTICE FROM THE CWRU SUPPORT TEAM"

The message purports to ask users for passwords to, "...secure from Hacker."

Users should delete the message or use the techniques to forward the message to the Phishing Incident Response Team (PIRT) at castlecops.com.

1. The Adobe Flash viewer, a core component to many media rich applications such as YouTube and AdobeConnect, has a security update according to US CERT. This has a large potential impact due to the high incidence of Case users accessing Flash-based content, and affects all operating systems.

2. An update to the Adobe Acrobat is available to address a security vulnerability in version 8.0. This vulnerability could result in remote code execution if a victim opens a specially crafted Adobe Acrobat (.pdf) document in an affected version of Adobe Reader or Adobe Acrobat. Case users can upgrade to 8.1.2 to patch this vulnerability.

3. Microsoft Patch Tuesday: Micosoft today released 8 new updates, 5 of which are deemed by the vendor to be critical in nature.

That old GDI vulnerability is back as well.

Users should run Microsoft software updates immediately. Happy Patching!

Today some Case users received a "Dear Webmail Subscriber..." email message from an address called 'support case.edu' that is a fraudulent email requesting users to send their userID and password.

Users should disregard this message, or call the Case Help Desk at 368-HELP to request further assistance.

Read on to see and example of the message.

This scam has been weaving its way around other universities worldwide and appears to originate from other countries, but the phish received by case users today was from a host at another university. People who have responded to the phish in other universities have had their accounts used by the attackers within minutes of becoming victims.

If you were taken in by this scam and sent your CaseID and Password to the return address, please immediately notify the Case Help Desk (http://help.case.edu) you will need to change your Case password immediately with the Case Password Change Utility. Users also need to check their secret questions, which can be changed by someone with your password.

Users are reminded that Case will never request such information via email, and commend all those many users who have recognized the 'phishyness' of the message and forwarded these messages to our attention.

Note that the recently Tier I baseline controls require security updates to be applied in a timely fashion. Thes are best applied in the form of Automatic Updates of the operating system. Case users are advised to apply these updates immediately.

Some common applications are not typically updated when the operating system updates are applied, so Case users need to be diligent in addressing vulnerabilities in major applications. Applications pertinent to Case users that also require current updates this week are:

Adobe Acrobat Reader version 8.1.2 has updates for all operating systems.

Apple's iPhoto
for the MacOS and QuickTime
for all operating systems.

These controls are the baseline suite for all information tiers, and are the most risk tolerant. As information sensitivity increases, (Tier III is the highest) the controls add increasing depth to assure information confidentiality. Tier II and III controls are built upon these Tier I controls, and thus Tier I controls apply to all networked hosts in the Case environment.

The implementation phase will begin with all new hosts registered in the network, and administrators will be contacted for random audits of hosts in their areas. A majority of the managed environments meet these standards at present.

The MS08-001: "Vulnerabilities in Windows TCP/IP Could Allow Remote Code
Execution (941644)" is the first Microsoft vulnerability of the calendar year. This permits remote exploit of the host computer, and affects all versions of Windows 2000, Windows XP, Windows Vista, and Windows Server 2003.

Users are advised to apply the updates immediately.

To restore network services, a full security assessment and configuration mitigation of the host will be necessary. Upon determination that the system is clean of malware and the user is aware of safe computing practices, the system will receive network service after payment of a $100.00 return-to-service fee. This fee covers the additional resource usage incurred in reconnecting a host.

This change is effective November 8, 2007.

The driver for this change is that users have been unresponsive to Help Desk calls to address quarantined systems, and thus we have network availability outages. This is especially a problem for multiple users who use the same network faceplate (e.g. roommates). The availability of the CaseGuest wireless infrastructure also is seen as a cause for users to ignore the quarantine process.