[IS&T Security-FYI] Newsletter, August 29, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Aug 29 10:58:34 EDT 2008


In this issue:

1. Lessons from MBTA System Flaws Discovery
2. Apple to Fix iPhone Security Flaw
3. Microsoft Re-Issues Update
4. Data Breaches in 2008 Outpace 2007

-------------------------------------------------------------
1. Lessons from MBTA System Flaws Discovery
-------------------------------------------------------------

Earlier this week, a federal judge in Boston lifted a gag order that  
had blocked three MIT students from publicly discussing security flaws  
they discovered in the fare-payment system used by the city's mass- 
transit agency.

The temporary restraining order was issued Aug. 9, one day before the  
MIT students were scheduled to present a research paper detailing the  
flaws during a session at the Defcon hacker convention in Las Vegas.  
In asking for the gag order to be imposed, the Massachusetts Bay  
Transportation Authority (MBTA) claimed that it hadn't been given  
enough time or sufficient information prior to Defcon to assess the  
flaws and figure out a plan for fixing them.

The case reignited the debate over responsible disclosure of  
vulnerabilities, sparking outrage within some parts of the security  
community that saw the gag order as a violation of the students' First  
Amendment rights, while other people said they thought the students  
should have given the MBTA more time to address the flaws before going  
public with them.

Network World lists some takeaways for IT and security managers from  
the entire episode in the full story below:

<http://www.networkworld.com/news/2008/082208-3-takeaways-from-mbta-mit.html?fsrc=rss-security>


----------------------------------------------
2. Apple to Fix iPhone Security Flaw
----------------------------------------------

Unauthorized users may be able to exploit a security flaw in the Apple  
iPhone to gain access to iPhone users' private correspondence and  
contact information, even if those iPhones are locked. Reuters  
reported that iPhones running the latest iPhone 2.02 software could be  
hacked with only three taps.

An Apple spokeswoman stated that Apple was aware of the iPhone security
flaw and that Apple was preparing a software update to fix it.
Apple hasn't said specifically when the iPhone update will be
available.

Until the software update is available, iPhone users can use a  
workaround -- instead of accessing the iPhone's iPod music collection  
through the "Favorites" menu, iPhone users should use the iPhone  
"Home" button to access their music.

Full story:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113753>


--------------------------------------
3. Microsoft Re-Issues Update
--------------------------------------

Microsoft has released a new version of one of its August 11 security
bulletins because the original version was incomplete. The affected
bulletin is MS08-051, which addresses three flaws in Microsoft Office,
PowerPoint and PowerPoint Viewer.
<http://www.microsoft.com/technet/security/bulletin/MS08-051.mspx>

Users who downloaded the fix manually should apply the new version as  
soon as possible. The incomplete version was only posted to the  
Microsoft Download Center.

**Users whose systems were updated through Windows Update, Windows  
Server Update Services, or MIT WAUS are NOT affected.**

Download Center: <http://office.microsoft.com/en-us/downloads/default.aspx>


---------------------------------------------------
4. Data Breaches in 2008 Outpace 2007
---------------------------------------------------

The number of data breaches reported in 2008 has already surpassed
those reported in 2007, according to the Identity Theft Resource
Center (ITRC), a non-profit organization that tracks data breaches and
educates consumers about identity protection. ITRC said its 2008
breach list of 449 incidents surpassed the total of 446 reported in
2007. The number of compromised records is estimated at 22 million,
according to the organization.

Full story:
<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327048,00.html>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T IT staff will *NEVER*  
ask you for your password.
