[IS&T Security-FYI] Newsletter, August 29, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Aug 29 10:58:34 EDT 2008
In this issue:
1. Lessons from MBTA System Flaws Discovery
2. Apple to Fix iPhone Security Flaw
3. Microsoft Re-Issues Update
4. Data Breaches in 2008 Outpace 2007
-------------------------------------------------------------
1. Lessons from MBTA System Flaws Discovery
-------------------------------------------------------------
Earlier this week, a federal judge in Boston lifted a gag order that
had blocked three MIT students from publicly discussing security flaws
they discovered in the fare-payment system used by the city's mass-transit agency.
The temporary restraining order was issued Aug. 9, one day before the
MIT students were scheduled to present a research paper detailing the
flaws during a session at the Defcon hacker convention in Las Vegas.
In asking for the gag order to be imposed, the Massachusetts Bay
Transportation Authority (MBTA) claimed that it hadn't been given
enough time or sufficient information prior to Defcon to assess the
flaws and figure out a plan for fixing them.
The case reignited the debate over responsible disclosure of
vulnerabilities, sparking outrage within some parts of the security
community that saw the gag order as a violation of the students' First
Amendment rights, while other people said they thought the students
should have given the MBTA more time to address the flaws before going
public with them.
Network World lists some takeaways for IT and security managers from
the entire episode in the full story below:
<http://www.networkworld.com/news/2008/082208-3-takeaways-from-mbta-mit.html?fsrc=rss-security>
----------------------------------------------
2. Apple to Fix iPhone Security Flaw
----------------------------------------------
Unauthorized users may be able to exploit a security flaw in the Apple
iPhone to gain access to iPhone users' private correspondence and
contact information, even if those iPhones are locked. Reuters
reported that iPhones running the latest iPhone 2.02 software could be
hacked with only three taps.
An Apple spokeswoman stated that Apple was aware of the iPhone security
flaw and that Apple was preparing a software update to fix the flaw.
Apple hasn't said specifically when the iPhone update would be
available.
Until the software update is available, iPhone users can use a
workaround -- instead of accessing the iPhone's iPod music collection
through the "Favorites" menu, iPhone users should use the iPhone
"Home" button to access their music.
Full story:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113753>
--------------------------------------
3. Microsoft Re-Issues Update
--------------------------------------
Microsoft has released a new version of one of its August 11 security
bulletins because the original version was incomplete. The affected
bulletin is MS08-051, which addresses three flaws in Microsoft Office,
PowerPoint and PowerPoint Viewer.
<http://www.microsoft.com/technet/security/bulletin/MS08-051.mspx>
Users who downloaded the fix manually should apply the new version as
soon as possible. The incomplete version was only posted to the
Microsoft Download Center.
**Users whose systems were updated through Windows Update, Windows
Server Update Services, or MIT WAUS are NOT affected.**
Download Center: <http://office.microsoft.com/en-us/downloads/default.aspx>
---------------------------------------------------
4. Data Breaches in 2008 Outpace 2007
---------------------------------------------------
The number of data breaches reported in 2008 has already surpassed
those reported in 2007, according to the Identity Theft Resource
Center (ITRC), a non-profit organization tracking the statistics.
ITRC, an organization that tracks data breaches and educates consumers
about identity protection, said its 2008 breach list of 449 incidents
surpassed the total of 446 reported in 2007. The number of compromised
records is estimated at 22 million, according to the organization.
Full story:
<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327048,00.html>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T IT staff will *NEVER*
ask you for your password.