[IS&T Security-FYI] Newsletter, October 19, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Oct 19 14:31:55 EDT 2007


In this issue:

1. Security Awareness Might Not Be Enough
2. IT Bloopers: MediaDefender Internal Communications Leaked
3. Tip of the Week: When Hard Drives Fail


--------------------------------------------------------
1. Security Awareness Might Not Be Enough
--------------------------------------------------------

A study conducted by Harvard and MIT earlier this year to measure
online gullibility shows that education alone will not stop all
people from behaving dangerously on the Internet. When we go online
to do a specific thing (for instance pay bills or chat with friends),
security is the last thing on our minds. The study showed this holds
even when we are reminded to pay attention to warnings.

The problem seems to be that people are lulled into a false sense of
security. When asked for a username and password, we tend to assume we
are in a "secure" area of a website. But unless the address begins
with "https://" and the browser shows its padlock icon, there is no
guarantee that what we type is encrypted in transit; a login form on a
plain HTTP page sends the password across the network in the clear.
Even the padlock only tells you that the connection to the site is
encrypted, not that the site is the one you meant to visit, so the
address itself still deserves a look. With multi-tasking the norm
these days, who has the time or inclination to slow down enough to
check these things?

Is there a way to relieve computer users of some of the
responsibility for security? Some ISPs already offer security
software to reduce the risks of spam and malware. But it may be time
for the IT industry to step in and close the gap left by consumer
inaction. One way is to write software and build websites using
secure coding practices, which is a skill that has to be learned and
tested.

The good news is that more than 70 enterprise partners have committed  
to using the GIAC Secure Software Programmer (GSSP) exam for IT  
employee skill development and to ensure outsourcers and suppliers  
have the necessary skills to create secure code. University partners  
will also teach secure coding as part of their core curriculum.

If you write code for a living, go here to learn more about the SANS  
Institute Certification Exam:
<http://www.sans.org/gssp/>

Read about the Harvard-MIT study:
<http://cgi.advisorsites.net/cgi-bin/articles/formatarticle.pl?type=finbriefs&page=finbriefs&domain=cliftonfinancial.com&article=1191427157&override=true&alllinks=true>

--------------------------------------------------------
2. IT Bloopers: MediaDefender Internal Communications Leaked
--------------------------------------------------------

This new topic, IT Bloopers, introduces mistakes made in IT that I  
consider to be in the "funny" category. Usually they are funny only  
in the sense of the irony of the situation and the idea that these  
people *especially* should know better.

Our first story is about MediaDefender. This company has made a name  
for itself waging war against intellectual property pirates on behalf  
of the movie and music industries. Some of the practices they used to  
prevent alleged pirates from doing their work are a bit sketchy, for  
instance flooding the Internet with fake files that mimic real  
content to make it difficult for pirates to find the real thing.

Last month detailed information about these practices was revealed
when more than 6500 of this company's emails were accessed by a group
of hackers who call themselves "Media Defender Defenders." The
company emails that were posted onto the Internet by this group
revealed tactics MediaDefender had been testing to entrap
peer-to-peer users.

How did these company emails get accessed in the first place? The
company is still investigating, but it most likely happened when an
employee forwarded all of his email to a Gmail account, thereby
circumventing the company's email security. Once a full copy of the
mail sits in a personal webmail account, the company's controls no
longer apply to it: the account is only as safe as its owner's
password and habits. Not too smart! It also shows how the company
underestimated its opponents' ingenuity.
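The leak described above is, at root, a full copy of corporate mail living in an account the company does not control. One check a mail administrator can run is to list every mailbox forwarding rule whose target lies outside the company's own domains, with "forward everything" rules at the top of the list. The Python below is an added example, not code from this newsletter or from MediaDefender; the rule-export format, the example.com domain and the sample rules are constructed for illustration.

```python
"""Flag mailbox forwarding rules that copy mail to an external address.

Added example for the newsletter item above; the "user= target= scope="
export format and the sample data are constructed, not a real product's.
"""
import re
from collections import namedtuple

# Constructed sample export: one forwarding rule per line.
# scope=all means every incoming message is forwarded; scope=filtered
# means only messages matching some rule condition are forwarded.
SAMPLE_RULES = """\
user=alice@example.com target=alice@mail.example.com scope=all
user=bob@example.com target=bob.personal@gmail.com scope=all
user=carol@example.com target=helpdesk@example.com scope=filtered
user=dave@example.com target=dave.work@yahoo.com scope=filtered
"""

# Assumed company domain; subdomains of it count as internal too.
INTERNAL_DOMAINS = {"example.com"}

Rule = namedtuple("Rule", "user target scope")
LINE_RE = re.compile(r"user=(\S+)\s+target=(\S+)\s+scope=(\S+)")


def parse_rules(text):
    """Parse the constructed export format into Rule tuples, skipping junk."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append(Rule(*m.groups()))
    return rules


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address is in a company domain or one of its subdomains."""
    d = domain_of(address)
    return any(d == dom or d.endswith("." + dom) for dom in internal_domains)


def external_forwards(rules, internal_domains=INTERNAL_DOMAINS):
    """Return rules whose target is outside the company, most serious first.

    A rule that forwards every message (scope=all) exposes the whole
    mailbox, so those sort ahead of filtered rules; ties sort by user.
    """
    flagged = [r for r in rules if not is_internal(r.target, internal_domains)]
    return sorted(flagged, key=lambda r: (r.scope != "all", r.user))


if __name__ == "__main__":
    for r in external_forwards(parse_rules(SAMPLE_RULES)):
        print(f"{r.user} -> {r.target} ({r.scope})")
```

Run against a real export, the same logic applies unchanged; the only parts to adapt are `LINE_RE` for your mail system's rule format and `INTERNAL_DOMAINS` for the domains you actually own.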

To read more about this story:

TorrentFreak: <http://torrentfreak.com/mediadefender-emails-leaked-070915/>
Wall Street Journal: <http://online.wsj.com/article_email/SB118998414197229169-lMyQjAxMDE3ODE5NjkxODY0Wj.html>


--------------------------------------------------------
3. Tip of the Week: When Hard Drives Fail
--------------------------------------------------------

Last week I was speaking to a friend who had just experienced a hard  
drive failure on his laptop. He had no backup for the files on his  
computer and lost all his emails and work he'd done in the past 9  
months. While he was distraught over this loss, he did learn an  
important lesson: Make a backup!

While hard drive failures and computer crashes probably happen more
often than we care to know about, there is some light on the horizon.
There are tools to recover "lost" files from broken hard drives. If
you find yourself in this situation, stop using the drive (every
further write can overwrite the very data you hope to recover), and
as a first step in finding out whether recovery is even possible,
contact your local IT administrator or the IS&T Help Desk Service
Center. One of the services IS&T can provide is a disaster recovery
assessment. If they can't help you, they can point you towards who
might, but be aware that data recovery can be very expensive and is
never guaranteed.

For more info on IS&T's services see: <http://web.mit.edu/ist/topics/hardware/hwsw.html>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security


