[IS&T Security-FYI] Newsletter, September 28, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Sep 28 13:09:46 EDT 2007


In this issue:

1. Kerberos Consortium Launched
2. TSM Vulnerabilities
3. National Cyber Security Awareness Month

-----------------------------------------------
1. Kerberos Consortium Launched
-----------------------------------------------

The Kerberos Consortium was launched on September 27, 2007 on an  
ambitious mission to create a universal authentication platform to  
protect the world's computer networks, according to the Kerberos web  
site <www.kerberos.org/launch.html>. In the Consortium, vendors are  
coming together to formalize the use of Kerberos for e-commerce and  
mobile devices, among other things.

Kerberos was originally developed at MIT for Project Athena in the  
1980s. Currently, its network authentication protocol is mostly  
available in large corporate networks. The protocol's ability to  
require strong mutual authentication can protect consumers doing  
business on the Internet from phishing and other types of attacks.

What is Kerberos?

In short, Kerberos is a solution to network security problems. The  
Kerberos protocol uses strong cryptography so that a client can prove  
its identity to a server (and vice versa) across an insecure network  
connection. After a client and server have used Kerberos to prove  
their identity, they can also encrypt all of their communications to  
assure privacy and data integrity as they go about their business.

Learn more about Kerberos here: <http://web.mit.edu/kerberos/>
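The exchange described above, as an added illustration that is not part of the newsletter and not MIT's Kerberos code: a key distribution centre (KDC) that shares a long-term key with every principal issues a ticket only the service can read plus a session key only the client can read; the client proves itself with a fresh authenticator, the server proves itself by echoing the authenticator's timestamp under the session key, and both then seal application data with that key. The principal names and keys are constructed, and the encrypt-then-MAC "seal" is a toy standing in for a real Kerberos encryption type.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); stands in for a real Kerberos enctype.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC a JSON message under `key`: nonce || ciphertext || tag.
    pt, nonce = json.dumps(obj).encode(), os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term keys: the KDC shares one secret with every principal (hypothetical names).
KDC_DB = {"alice@EXAMPLE.ORG": os.urandom(32), "host/fs.example.org": os.urandom(32)}

def kdc_issue(client, service, lifetime=300):
    # The ticket is readable only by the service; the reply only by the client.
    skey = os.urandom(32)
    ticket = seal(KDC_DB[service], {"client": client, "skey": skey.hex(),
                                    "expires": time.time() + lifetime})
    return seal(KDC_DB[client], {"skey": skey.hex(), "ticket": ticket.hex()})

def server_accept(service, ticket, authenticator, skew=300):
    # AP-REQ check: ticket must open under our key, authenticator under its session key.
    t = unseal(KDC_DB[service], ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    skey = bytes.fromhex(t["skey"])
    a = unseal(skey, authenticator)
    if a["client"] != t["client"] or abs(a["ts"] - time.time()) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return skey, seal(skey, {"ts": a["ts"]})  # AP-REP: proves the server holds skey

def mutual_auth(client, service):
    # Client side: KDC reply -> AP-REQ -> verify AP-REP -> exchange sealed application data.
    rep = unseal(KDC_DB[client], kdc_issue(client, service))
    skey, ticket = bytes.fromhex(rep["skey"]), bytes.fromhex(rep["ticket"])
    ts = time.time()
    srv_key, ap_rep = server_accept(service, ticket, seal(skey, {"client": client, "ts": ts}))
    if unseal(skey, ap_rep)["ts"] != ts:
        raise ValueError("server failed to prove knowledge of the session key")
    return unseal(srv_key, seal(skey, {"data": "hello, fileserver"}))["data"]
```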

-----------------------------
2. TSM Vulnerabilities
-----------------------------

This notice was sent out by MIT's TSM Systems Team earlier today. Two  
vulnerabilities exist in TSM (Tivoli Storage Manager) 5.4.0 and  
earlier. They affect the Web Client GUI, Client Acceptor Daemon (CAD)  
managed scheduling, and server-initiated prompted scheduling.

The risks: a buffer overrun in the CAD can crash the operating  
system, and, under certain conditions, use of server-initiated  
prompted scheduling can allow unauthorized access to the client's  
data.

How it affects you at MIT:

- The TSM web client is not configured for use by default. If you use  
the web client, you need to upgrade to TSM 5.4.1.2 to avoid leaving  
your machine at risk.

- By default on Macintosh, scheduled backups use the CAD to initiate  
the scheduler. Therefore, all Mac users who run scheduled backups  
should upgrade to TSM 5.4.1.2. Regardless of your platform, if you  
are using CAD for scheduled backups or you are not sure, the safest  
path is to upgrade the TSM client.

- At MIT we use the 'client polling' method, which is not affected,  
rather than the server-initiated prompted scheduling, so no one is  
impacted.

- The TSM Servers are not affected.

MIT's Solution:

IS&T recommends all TSM clients update to Version 5.4.1.2, which  
includes fixes for these security vulnerabilities. The MIT software  
distribution web page <http://web.mit.edu/software> has been updated  
with the new TSM client release for Linux, Macintosh and Windows. To  
download other TSM clients, go to:  
<http://web.mit.edu/tsmsystems/download.html>.

Until you have installed the upgrade:

- do not start up or use the CAD
- do not use the Web client
- use client-initiated traditional scheduling instead of CAD-managed  
scheduling

If you have questions regarding this TSM alert, please contact  
<tsm-systems at mit.edu>. If you need assistance upgrading to TSM  
5.4.1.2, please contact the Computing Help Desk at  
<computing-help at mit.edu> or (617) 253-1101.

------------------------------------------------------------
3. National Cyber Security Awareness Month
------------------------------------------------------------

Every year, the month of October is dedicated to National Cyber  
Security Awareness. Several universities around the country are  
hosting events to discuss Internet security and to find ways to  
protect ourselves and our children.

The widespread availability of computers and connections to the  
Internet provides everyone with 24/7 access to information, credit  
and financial services, and shopping. The Internet is also an  
incredible tool for educators and students to communicate and learn.

Unfortunately, some individuals exploit the Internet through criminal  
behavior and other harmful acts. Criminals can try to gain  
unauthorized access to your computer and then use that access to  
steal your identity, commit fraud, or even launch cyber attacks  
against others.

However, there is no single cyber security practice or technological  
solution that will prevent online crime. The National Cyber Security  
Alliance (NCSA), which sponsors the month <www.staysafeonline.org>,  
provides several security practices on its site that include Internet  
habits as well as technology solutions.

To learn more about the events in October 2007, visit:  
<http://www.staysafeonline.info/events/index.html>

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security


