[IS&T Security-FYI] Newsletter, June 6, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Jun 6 12:19:42 EDT 2008


In this issue:

1. Identity Protection
2. Safari for Windows Issues

--------------------------
1. Identity Protection
--------------------------

When we talk about cyber security or IT security these days, what we're
really talking about is security aimed at protecting your identity and
your sensitive information so that others, who have ill intentions,
can't use that information in ways that will harm you and benefit
them. That is (hopefully) the end result of all these security
measures we put in place on our computers, on our networks and
systems, and on our web sites. As we've seen, last year identity theft
affected some 8 million people in the U.S. alone.

What some of us are doing.
Some merchants are getting the message about the seriousness of this
issue and are beginning to look at ways to protect customer credit
card data at the point of sale (POS). As was clear from the Hannaford
and TJX data breaches, encryption over public networks was bypassed
by exploiting the lack of encryption on data being transmitted
internally. This Network World article describes the move to POS
encryption:
<http://www.networkworld.com/news/2008/052008-new-attack-trend-pushes-pos.html?page=1>

Unfortunately, the fact that these new systems and products - designed
to do the protecting for us - exist is not enough. As you may have
heard with regard to security, it is only as strong as the weakest link
in the chain. The weakest link often turns out to be people
themselves, as they do things that put their information (or more
likely, the information of others) in jeopardy, bypassing any
technical security features that have been put in place. Laws and
regulations are starting to crop up more frequently to ensure that
organizations that store sensitive information do so in a way that
protects not only their customers' assets but also their own. But what
about individuals?

What you can do.
If you don't have your sensitive information stored somewhere thieves
can access it, then you are well on your way to avoiding becoming the
next victim. Find out where that information exists and see whether you
can remove it, from the paper files that you might one day throw in
the trash to the electronic files you store on your home or work
computer. One handy tool that was mentioned at the IT Partners
conference last week was Identity Finder <http://identityfinder.com>.
It can be downloaded as a free trial or purchased and will discover
occurrences of these sensitive numbers (such as social security,
credit card, bank account, passport, and driver's license) on your
system. It will also help you encrypt or securely delete them.

Other suggestions for what you can do are mentioned on the MIT  
Protecting Sensitive Information pages here:
<http://web.mit.edu/infoprotect/>


------------------------------------
2. Safari for Windows Issues
------------------------------------

Microsoft's security team has issued an advisory recommending that
users refrain from using Apple's Safari web browser on Windows until a
fix is available for a vulnerability that allows attackers to download
and execute files without user interaction. The problem is due to a
combination of the default download location in Safari and the way
the Windows desktop manages executables. The flaw affects all supported
versions of Windows XP and Vista with Safari installed. Under
mitigating factors, the advisory states: Customers who have changed the
default location where Safari downloads content to the local drive are
not affected by this blended threat.

The Microsoft Security Advisory is posted here:
<http://www.microsoft.com/technet/security/advisory/953818.mspx>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security





