[IS&T Security-FYI] Newsletter, April 18, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Apr 18 08:48:06 EDT 2008
In this issue:
1. Firefox 2 Security Update
2. Security for Chocolate
3. Data Lost and Found
-----------------------------------
1. Firefox 2 Security Update
-----------------------------------
Mozilla released update 2.0.0.14 for Firefox 2 this week. Fixes for
security problems in the JavaScript engine introduced a stability
problem, where some users experienced crashes during JavaScript
garbage collection. This is being fixed primarily to address stability
concerns; however, this type of vulnerability has been shown to be
exploitable in the past.
To learn more about this update:
http://en-us.www.mozilla.com/en-US/firefox/2.0.0.14/releasenotes/
-------------------------------
2. Security for Chocolate
-------------------------------
Apparently, according to a survey conducted by Infosecurity Europe
outside Liverpool Street Station in London, women are four times more
likely than men to surrender their computer passwords for chocolate.
The survey made no mention of whether other offers were made to men
which might reverse the gender disparity. However, this social
engineering exercise did demonstrate that it is easy to pry personal
information from respondents when offering an incentive.
When the same survey was conducted last year, 64% of respondents
surrendered their passwords, versus 21% this year, so at least there
has been some improvement.
Claire Sellick, event director at Infosecurity Europe, notes that the
research shows how easy it is for a perpetrator posing as someone
else to gain access to information that is restricted.
Read the full article here:
http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=207400028
------------------------------
3. Data Lost and Found
------------------------------
When sensitive data is lost because of a theft or a lost drive or
disk, I'm sure that for the person or company that was responsible for
protecting that data it must feel like the world is dropping out from
under them.
But what happens if you're the one who found the data and you're an
honest person, wanting to return the disk or flash drive, or whatever
you found to its rightful owner? Do you rifle through the data on the
item to find a name? What if no owner name turns up but other names do
or the company's contact information is on there? Should you contact
the company and ask for a person who might be responsible? Do you
notify the police?
A few months ago the NY Times tried to address this issue for a reader
who submitted a question to the Ethicist column, and the answer given
was to immediately notify the nearest lost and found or official and
let them know what you found. At least the person who lost the item
can contact them and try to get it back. This also prevents you from
looking through someone else's files.
There are a lot of honest people that might follow this advice. There
are also a lot of curious people out there and even if they're honest,
they will want to find out what is on the device. One study showed
that when flash drives were left in a visible spot, the majority of
people would pick them up and stick them into their computers. That
is a dangerous thing to do if there is any malware on the drive.
There are two lessons here:
1. If you travel with sensitive data, assume the worst, and make sure
the data is encrypted. At least even if an honest person finds the
data, they can't gain access to personal files. And if you make the
encryption strong enough, no one will.
2. If you find a drive, do not attempt to access the data. You never
know what could be included on the drive that can harm your computer.
You also don't want to be implicated in a lawsuit should it ever come
to light that you accessed data that you had no authority to access.
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security