[IS&T Security-FYI] Newsletter, August 8, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Aug 8 14:25:39 EDT 2008

In this issue:

1. DNS Flaw Still a Problem
2. Microsoft's New Protection Program
3. Security Screw-Up of the Month: Verified Identity Pass


-----------------------------------
1. DNS Flaw Still a Problem
-----------------------------------

Nearly a month after a critical flaw in the Internet's Domain Name
System (DNS) was first reported, vendors of some of the most widely
used firewall software packages are scrambling to fix a problem that
can essentially undo portions of the patches that address this bug.
The DNS flaw affects server software made by many vendors, including
Microsoft, Cisco Systems, and the Internet Systems Consortium.

Short summary of the problem:
DNS has been a popular way to attack the Internet in the past -- it  
was an ill-kept secret that the DNS system is insecure. The way that  
many software applications, such as browsers, handle DNS requests has  
opened up users to attack. Microsoft has fixed a few vulnerabilities  
in the way Windows handles domain names -- issues that could have led  
to easier eavesdropping or simpler phishing attacks.

This past week it was announced that an alliance of software makers
and network-hardware vendors is banding together to fix the flaw in
the design of the Internet's address system. A CERT vulnerability note
describing the issue lists more than 90 software developers and
network equipment vendors that may be affected by the issue.

Articles covering the DNS issue and what's being done:
<http://www.securityfocus.com/news/11526>
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111500&intsrc=hm_ts_head>


-------------------------------------------------
2. Microsoft's New Protection Program
-------------------------------------------------

Starting in October, Microsoft will bring security software vendors
into the loop about security vulnerabilities prior to Patch Tuesday. The
Microsoft Active Protection Program changes the way Microsoft
currently alerts the industry about security threats. The idea is to
give the vendors a leg up on the hackers. The move represents a
significant change in how Microsoft has done things since it began the
monthly updates several years ago, and should aid security vendors
scrambling to document vulnerabilities and push out signatures for
them to prevent exploitation.

“We release on the second Tuesday of every month, [and] immediately  
the hackers and defenders start reverse-engineering those patches, and  
customers immediately start downloading them and evaluating them,”  
said Andrew Cushman, senior director of the Microsoft Security  
Response and Outreach Team. “Microsoft’s goal with the Active  
Protection Program is to give the companies that are providing  
protections a head start in that race to protect against exploitation.”

Read the full article:
<http://www.darkreading.com/document.asp?doc_id=160826&f_src=darkreading_informationweek>


------------------------------------------------------------------------
3. Security Screw-Up of the Month: Verified Identity Pass
------------------------------------------------------------------------

The Transportation Security Administration (TSA) suspended Verified  
Identity Pass (VIP) from enrolling travelers in its pre-screening  
program after a laptop computer containing unencrypted pre-enrollment  
records of 33,000 individuals went missing. The laptop was stolen from  
a locked office in San Francisco International Airport on July 26, the  
company said. It was found about a week later in the same office it  
disappeared from.

The laptop had the names, addresses and driver's license or passport
numbers of mostly online applicants to the Registered Traveler program,
which allows customers to pass quickly through security checkpoints at
17 U.S. airports, the company said in an e-mailed statement.

"We don't believe the security or privacy of these would-be members  
will be compromised in any way," said Steven Brill, chief executive of  
VIP.

VIP has more than 200,000 customers. It has already started notifying the
affected people about the breach.

Read the full article:
<http://www.mercurynews.com/ci_10103913>

Thanks,

Monique

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security