[IS&T Security-FYI] Newsletter, June 6, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Jun 6 12:19:42 EDT 2008
In this issue:
1. Identity Protection
2. Safari for Windows Issues
--------------------------
1. Identity Protection
--------------------------
When we talk about cyber security or IT security these days what we're
really talking about is security aimed at protecting your identity and
your sensitive information so that others, who have ill intentions,
can't use that information in ways that will harm you and benefit
them. That is (hopefully) the end result of all these security
measures we put in place on our computers, on our networks and
systems, and on our web sites. As we've seen, last year identity theft
affected some 8 million people in the U.S. alone.
What some of us are doing.
Some merchants are getting the message about the seriousness of this
issue and are beginning to look at ways to protect customer credit
card data at the point of sale (POS). As was clear from the Hannaford
and TJX data breach occurrences, encryption over public networks was
bypassed by exploiting the lack of encryption on data being transmitted
internally. This Network World article describes the move to POS
encryption:
<http://www.networkworld.com/news/2008/052008-new-attack-trend-pushes-pos.html?page=1>
Unfortunately, the fact that these new systems and products - designed
to do the protecting for us - exist is not enough. As you may have
heard in regards to security, it is only as strong as the weakest link
in the chain. The weakest link often turns out to be people
themselves, as they do things that put their information (or more
likely, the information of others) in jeopardy, by-passing any
technical security features that have been put in place. Laws and
regulations are starting to crop up more frequently to ensure that
organizations that store sensitive information do so in a way that
protects not only their customers' assets but also their own. But what
about individuals?
What you can do.
If you don't have your sensitive information stored somewhere thieves
can access it, then you are well on your way to avoiding becoming the
next victim. Find out where that information exists and see if you
can't remove it, from your paper files that you might one day throw in
the trash, to your electronic files you store on your home or work
computer. One handy tool that was mentioned at the IT Partners
conference last week was Identity Finder <http://identityfinder.com>.
It can be downloaded as a free trial or purchased and will discover
occurrences of these sensitive numbers (such as social security,
credit card, bank account, passport, and drivers' license) on your
system. It will also help you encrypt or securely delete them.
Other suggestions for what you can do are mentioned on the MIT
Protecting Sensitive Information pages here:
<http://web.mit.edu/infoprotect/>
------------------------------------
2. Safari for Windows Issues
------------------------------------
Microsoft's security team has issued an advisory recommending that
users refrain from using Apple's Safari web browser on Windows until a fix
is available for a vulnerability that allows attackers to download and
execute files without user interaction. The problem is due to a
combination of the default download location in Safari and the way
the Windows desktop manages executables. The flaw affects all supported
versions of Windows XP and Vista with Safari installed. Under mitigating
factors, the advisory states: Customers who have changed the default location where
Safari downloads content to the local drive are not affected by this
blended threat.
The Microsoft Security Advisory is posted here:
<http://www.microsoft.com/technet/security/advisory/953818.mspx>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security