[IS&T Security-FYI] Newsletter, Feb. 22, 2007
Monique Yeaton
myeaton at MIT.EDU
Thu Feb 22 16:14:24 EST 2007
Covered in this issue:
1. Security Flaw in Palm OS Treo
2. MIT Releases New VirusScan Product
3. Tip: Physical Security Helps Protect Data
-----------------------------------------
1. Security Flaw in Palm OS Treo
-----------------------------------------
On February 14, Symantec released a security advisory explaining how
Palm OS Treo devices allow access to data even when the devices are
locked. Even if the user protects the device with a password lock,
anyone with physical access to the device can use the "Find" feature
on the device to search and access data including email, documents,
SMS (text) messages, etc.
Link: http://isc.sans.org/diary.html?storyid=2250
Palm, Inc. has yet to issue a fix. We will update you if and when the
fix is announced by Palm.
Meanwhile, Palm OS Treo users should be aware of this vulnerability
and consider using third-party applications that allow the device to
be wiped remotely by sending an SMS to the device.
Here are some applications that users should consider:
1. Butler: http://www.hobbyistsoftware.com/Butler-more.php
2. mSafe: http://www.motionapps.com/sphone/treo700p/_msafe.jsp
3. Warden: http://www.corsoft.com/warden.asp
Please note that the SMS Kill/Wipe command will only work when the
device has wireless turned on, so even these third-party solutions
may not provide the necessary protection. In short, if you
deal with sensitive data, don't use a Palm OS Treo device to store
such information until further notice.
---------------------------------------------------
2. MIT Releases New VirusScan Product
---------------------------------------------------
This week the IS&T Software Release Team at MIT announced the release
of McAfee's VirusScan 8.5i Enterprise for Windows and VirusScan 8.5
for Mac OS X.
This newest release of VirusScan is recommended for:
- Windows XP Professional SP2 users
- Mac OS X 10.4 or later users
The new version fixes several bugs, has some additional features, and
runs natively on Intel-based Macintosh computers. It can also be used
by anyone upgrading to Windows Vista. If Windows XP users do upgrade
to Vista, they will need to uninstall VirusScan before upgrading,
then reinstall after the upgrade. (MIT advises users to wait until
this summer or fall before upgrading to Vista.)
To read product information on VirusScan, see the links below:
VirusScan 8.5i for Windows: http://itinfo.mit.edu/product.php?vid=737
VirusScan 8.5 for Macintosh: http://itinfo.mit.edu/product.php?vid=738
------------------------------------------------------
3. Tip: Physical Security Helps Protect Data
------------------------------------------------------
You don't have to look very hard to find articles either online or in
the newspapers about stolen laptops and desktop computers containing
sensitive information. Universities are also not immune to this kind
of risk. Recently the University of Idaho lost data for 331,000
people, including as many as 70,000 Social Security numbers, because
of a computer theft.
It takes more than passwords to protect data. Even if the stolen
machine has a password to lock it, passwords can be cracked. If you
do have sensitive data on your computer, it should always be encrypted.
An additional safeguard can be to attach a STOP tag to your computer.
As a community service, the campus police provide these each fall to
anyone interested.
It is important to be vigilant about where your computers are and how
safe they are. If you think your area is not secure enough, bring it
to your site team's attention. You don't have to have financial or
personally identifiable information on your computer to be at risk.
Email content or browser settings can be used by criminals to put you
at risk for embarrassment or worse.
For any questions, please contact IT Security at security at mit.edu.
Monique