[IS&T Security-FYI] Newsletter, April 18, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Apr 18 08:48:06 EDT 2008


In this issue:

1. Firefox 2 Security Update
2. Security for Chocolate
3. Data Lost and Found

-----------------------------------
1. Firefox 2 Security Update
-----------------------------------

Mozilla released update 2.0.0.14 for Firefox 2 this week. Fixes for  
security problems in the JavaScript engine introduced a stability  
problem, where some users experienced crashes during JavaScript  
garbage collection. This is being fixed primarily to address stability
concerns; however, this type of vulnerability has been shown to be
exploitable in the past.

To learn more about this update:
http://en-us.www.mozilla.com/en-US/firefox/2.0.0.14/releasenotes/


-------------------------------
2. Security for Chocolate
-------------------------------

Apparently, according to a survey conducted by Infosecurity Europe  
outside Liverpool Street Station in London, women are four times more  
likely than men to surrender their computer passwords for chocolate.  
The survey made no mention of whether other offers were made to men  
which might reverse the gender disparity. However, this social  
engineering exercise did demonstrate that it is easy to pry personal  
information from respondents when offering an incentive.

When the same survey was conducted last year, the share of respondents
who gave up their passwords was 64% versus 21% this year, so at least
there has been some improvement.

Claire Sellick, event director at Infosecurity Europe, notes that the
research shows how easy it is for a perpetrator posing as someone
else to gain access to information that is restricted.

Read the full article here:
http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=207400028


------------------------------
3. Data Lost and Found
------------------------------

When sensitive data is lost because of a theft or a lost drive or  
disk, I'm sure that for the person or company that was responsible for  
protecting that data it must feel like the world is dropping out from  
under them.

But what happens if you're the one who found the data and you're an  
honest person, wanting to return the disk or flash drive, or whatever  
you found to its rightful owner? Do you rifle through the data on the  
item to find a name? What if no owner name turns up but other names do  
or the company's contact information is on there? Should you contact  
the company and ask for a person who might be responsible? Do you  
notify the police?

A few months ago the NY Times tried to address this issue for a reader  
who submitted a question to the Ethicist column, and the answer given  
was to immediately notify the nearest lost and found or official and  
let them know what you found. At least the person who lost the item  
can contact them and try to get it back. This also prevents you from  
looking through someone else's files.

There are a lot of honest people who might follow this advice. There
are also a lot of curious people out there, and even if they're honest,
they will want to find out what is on the device. One study showed
that when flash drives were left in a visible spot, the
majority of people would pick them up and stick them into their
computers. That is a dangerous thing to do if there is any malware
on the drive.

There are two lessons here:
1. If you travel with sensitive data, assume the worst, and make sure
the data is encrypted. Then, even if an honest person finds the
data, they can't gain access to personal files. And if you make the
encryption strong enough, no one will.

2. If you find a drive, do not attempt to access the data. You never  
know what could be included on the drive that can harm your computer.  
You also don't want to be implicated in a lawsuit should it ever come  
to light that you accessed data that you had no authority to access.


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security





