[IS&T Security-FYI] SFYI Newsletter, December 21, 2009

Monique Yeaton myeaton at MIT.EDU
Mon Dec 21 13:34:51 EST 2009


In this issue:

1. Adobe Issues
2. The P2P Controversy


--------------------
1. Adobe Issues
--------------------

  ---- Updates Crashing Your Browser or System? ----

Last week I announced the release of security updates for Adobe Flash
Player and AIR. A reader of this newsletter mentioned that when trying
to download the updates from the Adobe site, his computer crashes. It is
unclear why this is happening. It may be a compatibility problem between
Adobe's updater and the Internet Explorer browser or Windows XP.

If you have the same experience, hold off on upgrading until this bug  
is fixed. In the meantime, you may want to notify Adobe via:
<http://www.adobe.com/support/contact/>.


  ---- New Flaw Found in Reader and Acrobat ----

There is a recently disclosed critical vulnerability in Adobe Reader
and Adobe Acrobat. The flaw is being actively exploited through
maliciously crafted PDF files that crash vulnerable systems or execute
attacker-supplied code.

Adobe plans to release patches for the vulnerability by January 12,
2010. The flaw affects Adobe Reader 9.2 and earlier for Windows, Mac
and Unix, and Acrobat 9.2 and earlier for Windows and Mac. Adobe
recommends that, where feasible, users disable JavaScript in both
programs until a fix is available.

Read the full story:
<http://www.theregister.co.uk/2009/12/17/adobe_critical_pdf_flaw/>


------------------------------
2. The P2P Controversy
------------------------------

There has been some discussion within the government recently about  
the risks of peer-to-peer (P2P) file sharing to data security.

In November, bill HR 4098, the Secure Federal File Sharing Act, was
introduced in Congress to ban P2P file sharing on US government and
government contractor computers. Sensitive Defense Department
documents were lost through P2P networks earlier this year, which
likely prompted the proposal of this bill.

In higher education the use of P2P software produces a different  
reaction than the one mentioned above. As a file sharing tool it has  
great potential for playing a positive role in fulfilling the  
institutional missions of teaching, research, and the dissemination of  
knowledge. However, as we know, it is typically used for illegally  
sharing copyright protected music, movies and software.

The bigger issue that Congress is considering, namely ensuring that  
sensitive data and personally identifiable information is protected  
against leakage via file-sharing networks, also applies to  
universities. Is there any reason why computers containing sensitive  
data should have such a potentially dangerous application installed on  
them?

Since P2P networks are file transfer tools, they expose users to both
data leakage and malware distribution. Attackers abuse these networks
by replacing legitimate files with malware-laden copies, planting
malware in shared directories, exploiting vulnerabilities in the
network's protocol implementation, and launching denial of service and
spamming attacks that harass the users of the P2P network.

MIT does not put limits on the use of P2P programs. However, as a  
result of the 2008 Higher Education Opportunity Act (HEOA),  
regulations were issued and finalized by the Department of Education  
in October 2009, with several of these regulations addressing  
unauthorized file sharing (and the use of P2P programs) on campus  
networks.

We may therefore see some changes when enforcement goes into effect in  
July 2010. Changes could include possible restrictions to file sharing  
networks, alternatives to illegal downloading, and disclosure to  
students describing file sharing and campus policies related to  
copyright law.

Risks of illegal downloading hit home quite recently. In November a  
Boston University student was ordered to pay $675,000 in damages for  
illegally downloading songs and sharing them online.

More information can be found here:

HEOA:
<http://www.educause.edu/Resources/Browse/HEOA/34600>

Government ban on P2P:
<http://www.sophos.com/blogs/chetw/g/2009/11/18/congress-ban-p2p-filesharing-companies-follow-suit/>

Definition of P2P File Sharing:
<http://en.wikipedia.org/wiki/P2P_file_sharing>

Tips on P2P security:
<http://www.onguardonline.gov/topics/p2p-security.aspx>
<http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt128.shtm>

Hidden Dangers of P2P:
<http://www.gcn.com/Articles/2009/10/05/Cybereye-P2P-file-sharing-dangers.aspx>

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





