[IS&T Security-FYI] SFYI Newsletter, December 21, 2009
Monique Yeaton
myeaton at MIT.EDU
Mon Dec 21 13:34:51 EST 2009
In this issue:
1. Adobe Issues
2. The P2P Controversy
--------------------
1. Adobe Issues
--------------------
---- Updates Crashing Your Browser or System? ----
Last week I announced the release of security updates for Adobe Flash
Player and AIR. A reader of this newsletter mentioned that when trying
to download the updates from the Adobe site his computer crashes. It is
unclear why this is happening. It may be a compatibility problem
between the Adobe download and Internet Explorer or Windows XP.
If you have the same experience, hold off on upgrading until this bug
is fixed, keeping in mind that the flaws fixed by the update remain
open on your machine until you do. In the meantime, you may want to
notify Adobe via:
<http://www.adobe.com/support/contact/>.
---- New Flaw Found in Reader and Acrobat ----
There is a recently disclosed critical vulnerability in Adobe Reader
and Adobe Acrobat. The flaw is being actively exploited through
maliciously crafted PDF files to crash vulnerable systems or execute
arbitrary code on them.
Adobe plans to release patches for the vulnerability by January 12,
2010. The flaw affects Adobe Reader 9.2 and earlier for Windows, Mac
and Unix and Acrobat 9.2 and earlier for Windows and Mac. Adobe
recommends that, if feasible, users disable JavaScript in both
programs until a fix is available (Edit > Preferences > JavaScript,
then uncheck "Enable Acrobat JavaScript"). Disabling JavaScript blocks
the exploit currently circulating, but it does not remove the
underlying flaw, so the January update should still be installed as
soon as it is released.
Read the full story:
<http://www.theregister.co.uk/2009/12/17/adobe_critical_pdf_flaw/>
------------------------------
2. The P2P Controversy
------------------------------
There has been some discussion within the government recently about
the risks of peer-to-peer (P2P) file sharing to data security.
In November, bill HR 4098, the Secure Federal File Sharing Act, was
introduced in Congress to ban P2P file sharing on US government, and
government contractor computers. Sensitive Defense Department
documents were lost through P2P networks earlier this year, likely
prompting the proposal of this bill.
In higher education the use of P2P software produces a different
reaction than the one mentioned above. As a file sharing tool it has
great potential for playing a positive role in fulfilling the
institutional missions of teaching, research, and the dissemination of
knowledge. However, as we know, it is typically used for illegally
sharing copyright protected music, movies and software.
The bigger issue that Congress is considering, namely ensuring that
sensitive data and personally identifiable information is protected
against leakage via file-sharing networks, also applies to
universities. Is there any reason why computers containing sensitive
data should have such a potentially dangerous application installed on
them?
Because P2P clients move files directly between users' machines, they
expose data and spread malware readily. The most common data leak is
not an attack at all: a client configured to share more of the file
system than the user intended quietly publishes whatever it finds
there. Beyond that, attackers can replace legitimate files with
malware-laden copies, plant malware in shared directories, exploit
vulnerabilities in the client software or the network protocol, and
mount denial of service and spamming attacks that harass the users of
the P2P network.
MIT does not put limits on the use of P2P programs. However, as a
result of the 2008 Higher Education Opportunity Act (HEOA),
regulations were issued and finalized by the Department of Education
in October 2009, with several of these regulations addressing
unauthorized file sharing (and the use of P2P programs) on campus
networks.
We may therefore see some changes when enforcement goes into effect in
July 2010. Changes could include possible restrictions to file sharing
networks, alternatives to illegal downloading, and disclosure to
students describing file sharing and campus policies related to
copyright law.
Risks of illegal downloading hit home quite recently. In November a
Boston University student was ordered to pay $675,000 in damages for
illegally downloading songs and sharing them online.
More information can be found here:
HEOA:
<http://www.educause.edu/Resources/Browse/HEOA/34600>
Government ban on P2P:
<http://www.sophos.com/blogs/chetw/g/2009/11/18/congress-ban-p2p-filesharing-companies-follow-suit/>
Definition of P2P File Sharing:
<http://en.wikipedia.org/wiki/P2P_file_sharing>
Tips on P2P security:
<http://www.onguardonline.gov/topics/p2p-security.aspx>
<http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt128.shtm>
Hidden Dangers of P2P:
<http://www.gcn.com/Articles/2009/10/05/Cybereye-P2P-file-sharing-dangers.aspx>
========================================================================
Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security