[IS&T Security-FYI] Newsletter, Feb. 22, 2007

Monique Yeaton myeaton at MIT.EDU
Thu Feb 22 16:14:24 EST 2007


Covered in this issue:

1. Security Flaw in Palm OS Treo
2. MIT Releases New VirusScan Product
3. Tip: Physical Security Helps Protect Data

-----------------------------------------
1. Security Flaw in Palm OS Treo
-----------------------------------------

On February 14, Symantec released a security advisory explaining how  
Palm OS Treo devices allow access to data even when the devices are  
locked. Even if the user protects the device with a password lock,  
anyone with physical access to the device can use the "Find" feature  
on the device to search and access data including email, documents,  
SMS (text) messages, etc.

Link: http://isc.sans.org/diary.html?storyid=2250

Palm, Inc. has yet to issue a fix. We will update you if and when the  
fix is announced by Palm.

Meanwhile, Palm OS Treo users should be aware of this vulnerability  
and consider using third-party applications that allow the device to  
be wiped remotely by sending an SMS to the device.

Here are some applications that users should consider:

1. Butler: http://www.hobbyistsoftware.com/Butler-more.php
2. mSafe: http://www.motionapps.com/sphone/treo700p/_msafe.jsp
3. Warden: http://www.corsoft.com/warden.asp

Please note that the SMS Kill/Wipe command will only work when the
device has wireless turned on, so even the third-party solutions may
not provide the necessary protection. In short, if you deal with
sensitive data, don't use a Palm OS Treo device to store such
information until further notice.


---------------------------------------------------
2. MIT Releases New VirusScan Product
---------------------------------------------------

This week the IS&T Software Release Team at MIT announced the release  
of McAfee's VirusScan 8.5i Enterprise for Windows and VirusScan 8.5  
for Mac OS X.

This newest release of VirusScan is recommended for:
- Windows XP Professional SP2 users
- Mac OS X 10.4 or later users

The new version fixes several bugs, has some additional features, and
runs natively on Intel-based Macintosh computers. It can also be used
by anyone upgrading to Windows Vista. If Windows XP users do upgrade
to Vista, they will need to uninstall VirusScan before upgrading,
then reinstall it after the upgrade. (MIT advises users to wait until
this summer or fall before upgrading to Vista.)

To read product information on VirusScan, see the links below:

VirusScan 8.5i for Windows: http://itinfo.mit.edu/product.php?vid=737
VirusScan 8.5 for Macintosh: http://itinfo.mit.edu/product.php?vid=738


------------------------------------------------------
3. Tip: Physical Security Helps Protect Data
------------------------------------------------------

You don't have to look very hard to find articles, either online or in
the newspapers, about stolen laptops and desktop computers containing
sensitive information. Universities are not immune to this kind
of risk. Recently the University of Idaho lost data for 331,000
people, including as many as 70,000 Social Security numbers, because
of a computer theft.

It takes more than passwords to protect data. Even if the stolen  
machine has a password to lock it, passwords can be cracked. If you  
do have sensitive data on your computer, it should always be encrypted.
An additional safeguard can be to attach a STOP tag to your computer.
As a community service, the campus police provide these each fall to
anyone interested.

It is important to be vigilant about where your computers are and how  
safe they are. If you think your area is not secure enough, bring it  
to your site team's attention. You don't have to have financial or  
personally identifiable information on your computer to be at risk.  
Email content or browser settings can be used by criminals to put you  
at risk for embarrassment or worse.

For any questions, please contact IT Security at security at mit.edu.

Monique






