[IS&T Security-FYI] Newsletter, August 8, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Aug 8 14:25:39 EDT 2008
In this issue:
1. DNS Flaw Still a Problem
2. Microsoft's New Protection Program
3. Security Screw-Up of the Month: Verified Identity Pass
-----------------------------------
1. DNS Flaw Still a Problem
-----------------------------------
Nearly a month after a critical flaw in the Internet's Domain Name
System (DNS) was first reported, vendors of some of the most widely
used firewall software packages are scrambling to fix a problem that
can essentially undo portions of the patches that address this bug.
The patches work by randomizing the source port of each outgoing DNS
query; a firewall or NAT device that rewrites those ports into a fixed
or sequential range makes a patched server look unpatched from the
outside. The DNS flaw affects server software made by many vendors,
including Microsoft, Cisco Systems, and the Internet Systems Consortium.
Short summary of the problem:
DNS has long been a popular way to attack the Internet; it was an
ill-kept secret that the DNS system is insecure. The way that many
software applications, such as browsers, handle DNS requests has
opened users up to attack. Microsoft has fixed a few vulnerabilities
in the way Windows handles domain names, issues that could have led
to easier eavesdropping or simpler phishing attacks.
This past week it was announced that an alliance of software makers
and network-hardware vendors is banding together to fix the flaw in
the design of the Internet's address system. A CERT vulnerability note
describing the issue lists more than 90 software developers and
network equipment vendors that may be affected by the issue.
Articles covering the DNS issue and what's being done:
<http://www.securityfocus.com/news/11526>
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111500&intsrc=hm_ts_head>
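Because the firewall problem above is invisible from the resolver itself (the server binds a random port, and the NAT rewrites it afterwards), the useful check is to look at the ports as they appear on the outside interface. The script below is an added example for this newsletter item, not code from MIT IS&T, CERT, or any of the vendors named above. It assumes a reduced capture format of "epoch-seconds source-port transaction-id", one query per line, which is this example's own convention; the sample capture lines and the GREAT/GOOD/POOR thresholds are constructed for illustration.

```python
"""Source-port randomization check for outbound DNS queries.

Added example, not IS&T or vendor code. The DNS patches randomize the UDP
source port of each query on top of the 16-bit transaction ID; a firewall or
NAT that rewrites ports to a fixed value or a sequential pool undoes that.
Input (assumed format): "<epoch-seconds> <udp-src-port> <txid>" per line,
as reduced from a capture on the external interface. All data is constructed.
"""
import math
import statistics
from collections import Counter


def parse_queries(text):
    """Parse 'epoch src_port txid' lines into [(port, txid), ...]; skip junk."""
    queries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or line.lstrip().startswith("#"):
            continue
        queries.append((int(parts[1]), int(parts[2], 0)))
    return queries


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution; log2(n) is the ceiling."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def assess_randomization(queries, min_samples=20):
    """Score how random the source ports look and return the evidence.

    Thresholds are this example's own, loosely modelled on the GREAT/GOOD/POOR
    scale of public port-randomness testers:
      POOR  - one fixed port, or a dominant constant stride (NAT pool rewrite)
      GOOD  - ports vary but cluster or stay in a narrow range
      GREAT - ports spread widely with near-maximal entropy for the sample size
    """
    n = len(queries)
    if n < min_samples:
        return {"verdict": "INSUFFICIENT", "samples": n}
    ports = [p for p, _ in queries]
    stride, stride_hits = Counter(
        b - a for a, b in zip(ports, ports[1:])).most_common(1)[0]
    # A NAT handing out ports from a pool shows one dominant non-zero stride.
    sequential = stride != 0 and stride_hits >= 0.8 * (n - 1)
    report = {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "distinct_txids": len({t for _, t in queries}),
        "spread": max(ports) - min(ports),
        "stdev": statistics.pstdev(ports),
        "entropy_bits": port_entropy_bits(ports),
        "max_entropy_bits": math.log2(n),
        "sequential": sequential,
    }
    if report["distinct_ports"] == 1 or sequential:
        report["verdict"] = "POOR"
    elif (report["spread"] < 4096 or report["stdev"] < 1024
          or report["entropy_bits"] < 0.8 * report["max_entropy_bits"]):
        report["verdict"] = "GOOD"
    else:
        report["verdict"] = "GREAT"
    return report


# Constructed capture: a patched resolver seen directly on the wire.
SAMPLE_PATCHED = """\
1217851200 41217 0x3f1a
1217851201 9804 0x81c2
1217851202 60031 0x05e7
1217851203 17345 0xd4a9
1217851204 52988 0x2b60
1217851205 3391 0x9e13
1217851206 28470 0x6c78
1217851207 64011 0xf02d
1217851208 11562 0x17b5
1217851209 45739 0xa8e4
1217851210 22084 0x4d91
1217851211 58812 0xbb36
1217851212 7619 0x7a0f
1217851213 36940 0xe5c8
1217851214 2952 0x2952
1217851215 14106 0xc63b
1217851216 62875 0x5f84
1217851217 31458 0x0ad7
1217851218 1999 0x93e0
1217851219 47320 0x38ac
"""

# Constructed capture: same resolver behind a NAT that allocates outbound
# ports sequentially from 1024, so the random ports never reach the Internet.
SAMPLE_NAT = "\n".join(
    f"{1217851200 + i} {1024 + i} {(0x3f1a + i * 0x9e37) % 65536}"
    for i in range(20))

if __name__ == "__main__":
    for label, sample in (("patched resolver", SAMPLE_PATCHED),
                          ("behind port-rewriting NAT", SAMPLE_NAT)):
        r = assess_randomization(parse_queries(sample))
        print(f"{label}: {r['verdict']} (distinct={r['distinct_ports']}, "
              f"spread={r['spread']}, sequential={r['sequential']})")
```

Run it on a capture taken outside the firewall; a POOR verdict with sequential=True on a server that reports itself patched is exactly the symptom the article describes.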
-------------------------------------------------
2. Microsoft's New Protection Program
-------------------------------------------------
Starting in October, Microsoft will bring security software vendors in
the loop about security vulnerabilities prior to Patch Tuesday. The
Microsoft Active Protection Program changes the way Microsoft
currently alerts the industry about security threats. The idea is to
give the vendors a leg up on the hackers. The move represents a
significant change in how Microsoft has done things since it began the
monthly updates several years ago, and should aid security vendors
scrambling to document vulnerabilities and push out signatures for
them to prevent exploitation.
“We release on the second Tuesday of every month, [and] immediately
the hackers and defenders start reverse-engineering those patches, and
customers immediately start downloading them and evaluating them,”
said Andrew Cushman, senior director of the Microsoft Security
Response and Outreach Team. “Microsoft’s goal with the Active
Protection Program is to give the companies that are providing
protections a head start in that race to protect against exploitation.”
Read the full article:
<http://www.darkreading.com/document.asp?doc_id=160826&f_src=darkreading_informationweek>
------------------------------------------------------------------------
3. Security Screw-Up of the Month: Verified Identity Pass
------------------------------------------------------------------------
The Transportation Security Administration (TSA) suspended Verified
Identity Pass (VIP) from enrolling travelers in its pre-screening
program after a laptop computer containing unencrypted pre-enrollment
records of 33,000 individuals went missing. The laptop was stolen from
a locked office in San Francisco International Airport on July 26, the
company said. It was found about a week later in the same office it
disappeared from.
The laptop had the names, addresses and driver's license or passport
numbers of mostly online applicants to the Registered Traveler program,
which allows customers to pass quickly through security checkpoints at
17 U.S. airports, the company said in an e-mailed statement.
"We don't believe the security or privacy of these would-be members
will be compromised in any way," said Steven Brill, chief executive of
VIP.
VIP has more than 200,000 customers. It has already started notifying
the affected people about the breach.
Read the full article:
<http://www.mercurynews.com/ci_10103913>
Thanks,
Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security