Further support for what I mentioned in my presentation
In my Cross-site scripting presentation at #heweb09, I mentioned that a North Carolina State University report from September 2008 showed that users clicked the “ok” button on message alerts 61% of the time, regardless of whether the message alert was legitimate or not. From that I concluded that we could be reasonably certain that, as an attacker, we would have a 1 in 2 shot of tricking a victim into clicking an exploited link sent via email, IM, Twitter, etc. A recent study from the Intrepidus Group (the company behind PhishMe.com) now confirms my hypothesis: the report concludes that 60% of people click the link contained in a phishing email within the first hour of receiving it.
In addition, a 2005 study (pdf) at Indiana University concluded “…that Internet users may be over four times as likely to become victims if they are solicited by someone appearing to be a known acquaintance.” So what does this mean to us in Higher Education? Given that users are even more likely to be fooled by phishing attempts from “known acquaintances” on social networking sites, it means that we need to be very diligent in protecting our university accounts on those sites. Don’t allow your admins to use frivolous applications on Facebook (see Hacked Facebook applications below), remove admins who are no longer active, and change your Facebook password frequently.
WordPress inadvertent disclosure bug
Turns out this one is actually a problem with TinyMCE, which WordPress uses as its WYSIWYG editor. If you paste content into the Visual editor, TinyMCE creates a second, hidden (style="overflow: hidden; position: absolute; left: -10000px;") copy of your pasted contents. The problem is that in some situations TinyMCE does not remove this hidden div when you publish. This means that the ORIGINAL contents of what you pasted will be published as a hidden div in your published post. Again, not the worst security issue, but it could definitely cause problems if you pasted some content that you really didn’t want published.
(via Something Better to Do)
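One way to catch this before it goes live is to scan the post markup for containers positioned far off-screen and strip them, keeping what was removed so the author can see what would have leaked. The script below is an added example written for this post; it is not WordPress or TinyMCE code, the 1000px off-screen threshold and the sample post are constructed assumptions, and it uses only the Python standard library.

```python
"""Find and strip off-screen "hidden paste" containers of the kind described above.
Added example for this post, not code from WordPress or TinyMCE."""
import re
from html.parser import HTMLParser

# Elements that never have a closing tag (so they must not change nesting depth).
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}

# Assumption: anything absolutely positioned this far off-screen is not meant to be seen.
OFFSCREEN_THRESHOLD_PX = 1000


def is_offscreen_style(style):
    """True if an inline style absolutely positions the element far outside the viewport."""
    if style is None:
        return False
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            name, _, value = part.partition(":")
            decls[name.strip().lower()] = value.strip().lower()
    if decls.get("position") != "absolute":
        return False
    for prop in ("left", "top"):
        m = re.match(r"-?\d+(?:\.\d+)?", decls.get(prop, ""))
        if m and float(m.group()) <= -OFFSCREEN_THRESHOLD_PX:
            return True
    return False


class HiddenBlockStripper(HTMLParser):
    """Rebuilds the markup, dropping any element (with its children) whose inline
    style matches is_offscreen_style. Dropped fragments are kept in self.dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # markup that will be published
        self.dropped = []      # hidden fragments removed, for the author to review
        self._skip_depth = 0   # > 0 while inside an element being dropped
        self._buffer = []      # raw text of the element currently being dropped

    def _emit(self, text):
        (self._buffer if self._skip_depth else self.out).append(text)

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if self._skip_depth == 0 and is_offscreen_style(dict(attrs).get("style")):
            if tag in VOID_ELEMENTS:       # nothing nested inside; drop just the tag
                self.dropped.append(raw)
            else:
                self._skip_depth = 1
                self._buffer = [raw]
            return
        if self._skip_depth and tag not in VOID_ELEMENTS:
            self._skip_depth += 1
        self._emit(raw)

    def handle_startendtag(self, tag, attrs):
        self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._skip_depth:
            self._buffer.append(f"</{tag}>")
            self._skip_depth -= 1
            if self._skip_depth == 0:
                self.dropped.append("".join(self._buffer))
                self._buffer = []
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")


def strip_hidden_paste_blocks(html):
    """Return (cleaned_html, list_of_dropped_fragments)."""
    parser = HiddenBlockStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample post: a visible paragraph, the leftover hidden paste copy, another paragraph.
SAMPLE_POST = (
    '<p>Public paragraph.</p>'
    '<div style="overflow: hidden; position: absolute; left: -10000px;">'
    '<p>Draft: salary figures <b>not</b> for publication</p></div>'
    '<p>Another visible paragraph.</p>'
)

if __name__ == "__main__":
    cleaned, dropped = strip_hidden_paste_blocks(SAMPLE_POST)
    print("PUBLISH:", cleaned)
    for fragment in dropped:
        print("REMOVED:", fragment)
```

Running it on the sample prints the two visible paragraphs as the publishable markup and the whole off-screen div as the removed fragment. A check like this belongs in the save or publish path, and it is deliberately narrow: it only flags absolutely positioned elements pushed far off-screen, which is the signature described above, so ordinary `display:none` markup that authors use on purpose is left alone.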
Hacked Facebook applications in the wild
Many have been saying it was only a matter of time, and it looks like that time is finally here. Several Facebook applications have been hacked and are directing users to download a fake update for an out-of-date version of Adobe Reader from a Russian site. Affected Facebook applications (so far) include:
Until the developers are able to correct the issues, steer clear of any of the above apps. Also, it’s a good idea not to use ANY frivolous Facebook applications if you are the admin of a university-owned page or group.
Google Wave Security Issues
The release of Google Wave invites over the last couple of weeks has spurred significant interest in the Higher Ed community. Those of us who were lucky enough to receive an invite have rushed out and started “waves” with others in the community. As we begin to use this tool more and more, many of us will start researching and using the various plugins that are available. In fact, if you were in on the “Google Wave in Higher Education” wave, you saw a gadget in action: the “Are You Coming?” gadget was used to poll who was planning on attending the EDUCAUSE Annual Conference. I bring this up because it appears that Google has been fairly lax, security-wise, in the way it currently allows gadgets to be created and used.
We all love new technology, especially technology that lets us communicate in new, more efficient ways. But we need to remember that the attacks we are familiar with in “old” technologies follow along with us. Hopefully Google will have all of this worked out before the official launch of Wave. Until then, be leery of opening waves from people you don’t know.
photo credit: catatronic