[unisog] Phishing targeting University Admissions

Keith Schoenefeld schoenk at utulsa.edu
Wed Jun 16 13:22:25 GMT 2004


No, I don't.  That is yet another technical solution for a personnel 
problem.  Here, if they get infected with a virus, they get their 
computer knocked off the network (I don't care what the virus is).  They 
get their computer back when we have time to clean it and verify that it 
is clean, which sometimes takes up to three days (three support people 
for > 1000 computer systems).  They learn quickly that if they want to 
have a computer, they need to be careful with email.  Don't get me 
wrong, my users still open the occasional virus-infected email, but the 
numbers who do so with any regularity have dropped significantly.  My 
hope is that by next fall we will have something in place that will 
allow us to force users to sign a statement saying that they have read 
and will abide by the following website before they receive their 
network connection back (we will provide them a hard copy of course):

http://www.ens.utulsa.edu/tech/noviruses.php

-- KS

atanner1 wrote:

>I have started to tell my users that if they get a strange attachment and
>are really dead-set on opening it, to please wait 3 days or come talk
>with me.  It is not a perfect idea, but some of them will open it no
>matter what.  If they wait the 3 days, here is what I am hoping will
>happen:
>
>1.  They hear about the virus and recognize it as such, and don't touch it
>2.  The virus protection catches up on both the desktop and mail server
>
>I know that if #2 fails, the virus will be spread.  But for my users who
>will open it *anyway*, this seems to be something they can live with.
>It's a way of thinking that makes sense to them, especially when the email
>seems legitimate because it is from someone they know.
>
>Changing the culture of email immediacy might help us all out in the long
>run.  We expect emails TODAY but what if that was changed?  What if our
>mail servers were configured to delay mail with attachments for 6 hours, or
>8 hours?  Then run virus scan and leave the queue to be delivered.  It's
>not perfect but it might help in an effort to get virus scanning to catch
>up.  Do you think most users would go for something like that?
>
>Andrea Tanner                           Academic Technology Specialist
>andrea.tanner at emich.edu                 Academic Programming
>734-487-0169                            225 Rackham
>
>
>On Wed, 16 Jun 2004, Keith Schoenefeld wrote:
>
>>Seriously, why wouldn't people accept zip files?  If you don't allow zip
>>files, but still allow attachments, what compression program do you use,
>>rar?  If so, then what happens when viruses start getting spread via rar
>>(they already are)? If we continually decrease the level of service we
>>provide, we start changing the usability of the services we provide.  If
>>we dramatically change the usability of our services, then the virus
>>writers win.  It is far better to teach users how to properly handle
>>attachments than to block attachments of certain types.  By blocking zip
>>files, we are using a technical solution to solve a user knowledge
>>problem.  It's bound to fail.  We don't need more technology, we need
>>better trained users.
>>
>>Obviously, I'm totally against the whole idea of "Viruses are possible
>>in files with extension '.xxx' so we'd better block them".  Just like
>>the recent viruses said "type in this password and open the zip file",
>>untrained users are going to receive an email message that says "rename
>>this blah.zi_ to blah.zip and open it" and they will do it.  Again, the
>>proper solution in my opinion is user training, not band-aid technical
>>solutions.
>>
>>I suppose using my same logic, one could argue that we shouldn't block
>>any virus email.  I would argue that blocking viruses using definitive
>>signatures is a good spam blocking and mail server saving measure, but
>>that end users should be trained to handle the viruses that do get through.
>>
>>All that said, there are all sorts of arguments as to whether one should
>>really support attachments at all.  I personally would rather have some
>>sort of automated repository where all outgoing and incoming attachments
>>are stored on a server and unique http:// links are sent in place of the
>>attachments.  Maybe using something like hardlink periodically to save
>>space.  I believe such a product is a pipe dream at the moment... maybe
>>someone can correct me?
>>
>>-- KS
>>
>>
>>Sergent, Phil wrote:
>>
>>>You still accept .zip files!?
>>>
>>>
>>>Phil Sergent                                      MU
>>>Systems Programmer
>>>Marshall University
>>>Computing Services/Systems Group
>>>Drinko Library 422a
>>>Huntington, WV  25755-5320
>>>304/696-3689 (Desk) 304/696-3601 (FAX)
>>>Email: sergent at marshall.edu
>>>It's not who you are that holds you back, it's who you think you're not.
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: unisog-bounces at lists.sans.org
>>>[mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
>>>Sent: Monday, June 14, 2004 8:19 AM
>>>To: UNIversity Security Operations Group
>>>Subject: Re: [unisog] Phishing targeting University Admissions
>>>
>>>
>>>
>>>--On Monday, June 14, 2004 8:46 AM -0400 Michael Holstein
>>><michael.holstein at csuohio.edu> wrote:
>>>
>>>>Greetings,
>>>>
>>>>Late last week we saw a "phishing" attack targeting our students using
>>>>the enticement of a research assistantship (and a student visa). The
>>>>messages are written such that they appear to be from a legitimate
>>>>University International Admissions contact, and contain an
>>>>as-yet-unidentified "mailer.zip" attachment.
>>>
>>>Do you have the header portion?  I assume it claimed to be from an
>>>address at your school but really came from somewhere else.  Some
>>>general rule might be made to filter out such mail.
>>>
>>>Joseph Brennan
>>>Academic Technologies Group, Academic Information Systems (AcIS)
>>>Columbia University in the City of New York
>>>
>>>
>>>_______________________________________________
>>>unisog mailing list
>>>unisog at lists.sans.org
>>>http://www.dshield.org/mailman/listinfo/unisog
>
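
The "general rule" Joseph Brennan suggests in the quoted thread (mail whose From address claims the campus domain but which arrived from somewhere else), sketched as an added example that is not part of the original messages. The domain `example.edu`, the trusted address range and the sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the campus domain and the networks allowed to originate its mail.
LOCAL_DOMAIN = "example.edu"
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Bracketed peer address as an MTA records it: "from name (name [1.2.3.4])".
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def claims_local_from_outside(raw: str) -> bool:
    """True when From: is in LOCAL_DOMAIN but our MX took it from an untrusted peer."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != LOCAL_DOMAIN and not domain.endswith("." + LOCAL_DOMAIN):
        return False  # does not claim to be from campus
    # Only the topmost Received header was written by our own server;
    # every header below it is supplied by the sender and can be forged.
    received = msg.get_all("Received") or []
    match = PEER_IP.search(received[0]) if received else None
    if match is None:
        return True  # origin cannot be verified, so flag it
    try:
        peer = ipaddress.ip_address(match.group(1))
    except ValueError:
        return True
    return not any(peer in net for net in TRUSTED_NETS)

# Constructed sample: external relay, plus a forged lower Received line
# that pretends the message started on a campus host.
SPOOFED = """\
Received: from mail.sender.invalid (mail.sender.invalid [203.0.113.45])
\tby mx.example.edu; Mon, 14 Jun 2004 08:01:00 -0400
Received: from admissions.example.edu ([192.0.2.10])
\tby mail.sender.invalid; Mon, 14 Jun 2004 08:00:58 -0400
From: International Admissions <admissions@example.edu>
Subject: Research assistantship

See attached mailer.zip
"""
# Constructed sample: the same From address, received from a campus host.
INTERNAL = SPOOFED.split("\n", 2)[2].replace("by mail.sender.invalid", "by mx.example.edu")
# Constructed sample: an outside sender using its own domain.
EXTERNAL = SPOOFED.replace("admissions@example.edu", "someone@sender.invalid")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("internal", INTERNAL), ("external", EXTERNAL)]:
        print(name, claims_local_from_outside(raw))
```

Campus users who legitimately send through an outside provider with their campus address will also match, so a rule like this works better as a scoring signal or a quarantine trigger than as a hard reject.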