[IS&T Security-FYI] SFYI Newsletter, February 20, 2009

Mike Halsall mhalsall at MIT.EDU
Fri Feb 20 14:42:52 EST 2009


On behalf of Monique, who is about to be in a much warmer place than
Cambridge.

In this issue:

1. Apple Security Update
2. Using Biometrics to Access US State Dept Network
3. Mass. Extends Data Protection Compliance Deadline Again


--------------------------------
1. Apple Security Update
--------------------------------

Apple released Security Update 2009-001 on February 12th, 2009.

Systems affected:

 * Safari 3.2.2 for Windows
 * Mac OS X 10.4.11 and 10.5.6 and later

Fixes address various components of the operating system which, if left
unpatched, could leave a computer vulnerable to attack. The Safari for
Windows fix addresses issues that exist in Safari's handling of embedded
JavaScript within feed: URLs.

The updates can be downloaded and installed via Software Update
preferences or from the Apple Downloads website.

For details on what is included in this update:
http://support.apple.com/kb/HT3438


-------------------------------------------------------------------
2. Using Biometrics to Access US State Dept Network
-------------------------------------------------------------------

More than half of US State Department employees who use the department's
unclassified computer network now log on with smart cards that contain
biometric data.  The cards were issued through the department's
Biometrics for Logical Access Development and Execution (BLADE) public
key infrastructure program.  The program is doubly effective in that it
requires users to provide a fingerprint that matches the data held on
the card, and when the card is removed from the workstation, that
workstation is locked.

We may be seeing the use of biometrics expand due to the rollout of the
White House's new Network Security Agenda.

Read more:
http://fcw.com/articles/2009/02/11/state-biometrics.aspx
http://www.whitehouse.gov/agenda/homeland_security


------------------------------------------------------------------------------
3. Mass. Extends Data Protection Compliance Deadline Again
------------------------------------------------------------------------------

Massachusetts officials have once again extended the deadline for
compliance with the state's stringent data security regulations.
Organizations now have until January 1, 2010 to ensure that any personal
data they retain that belong to Massachusetts residents are protected in
a number of ways, including encrypting data while they are being
transmitted over public networks or stored on devices (including laptops
and other mobile devices) that can be carried from one location to
another and limiting the amount of information they retain.  

The decision to extend the deadline was based in part on the current
economic climate as well as the need to allow companies ample time to
make the necessary changes to their systems. State regulators have also
pared back their demands that third parties with access to the data be
required to demonstrate that they were compliant with the requirements
as well.

Originally, the compliance deadline was January 1, 2009; last November
the date was pushed back to May 1, 2009; in January, a portion was
pushed to January 1, 2010; and last week, the deadline for compliance on
all regulations was extended to January 1, 2010.

[Article source: SANS]

Read more:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127961


