[IS&T Security-FYI] SFYI Newsletter, January 23, 2009

Monique Yeaton myeaton at MIT.EDU
Fri Jan 23 15:34:32 EST 2009


In this issue:

1. Latest Cyber Security Alerts
2. Twitter Phishing Scams and Hacks
3. IAP on Handling Sensitive Data Was Well Attended


--------------------------------------
1. Latest Cyber Security Alerts
--------------------------------------

  * Microsoft *

Microsoft Windows Does Not Disable AutoRun Properly:
AutoRun is a feature Microsoft includes in Windows as an enhancement  
to the user experience, but it is hardly perfect. Parties both shady  
and outright malicious have subverted AutoRun to execute code without  
input from the user. To make matters worse, US-CERT recently found  
that the instructions MS had published for disabling AutoRun were  
ineffective.

Full details about the vulnerability and a recommended solution can be  
found here:
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

Since that alert, Microsoft has updated its guidelines and posted  
them here:
<http://support.microsoft.com/kb/953252>

Following these instructions is not for the inexperienced user!
If you are not sure about disabling AutoRun on your machine, or  
whether the feature has already been disabled, contact your local  
desktop support person or the Computer Help Desk.
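As an added illustration (not from the newsletter, US-CERT or Microsoft), the script below reports whether AutoRun is disabled on a Windows machine by reading the registry values that control it: the NoDriveTypeAutoRun policy value (a bitmask of drive types; 0xFF covers every type) and the Autorun.inf IniFileMapping entry that the US-CERT alert describes as a workaround. It assumes a Windows host with PowerShell and read access to HKLM and HKCU.

```powershell
# Added example: report AutoRun status from the registry values that control it.
# NoDriveTypeAutoRun is a bitmask; each set bit disables AutoRun for one drive
# type, so 0xFF disables it for all of them.  The IniFileMapping key is the
# US-CERT workaround that stops Windows from parsing Autorun.inf at all.

$driveTypeBits = [ordered]@{
    0x01 = 'Unknown';  0x04 = 'Removable'; 0x08 = 'Fixed'
    0x10 = 'Network';  0x20 = 'CD-ROM';    0x40 = 'RAM disk'
    0x80 = 'Unknown (reserved)'
}

function Get-NoDriveTypeAutoRun {
    param([string]$Hive)   # 'HKLM' (machine policy) or 'HKCU' (user policy)
    $key  = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Windows default applies
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutorunInfMapping {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # The workaround points the key's default value at a non-existent section.
    return ($null -ne $item) -and ($item.'(default)' -eq '@SYS:DoesNotExist')
}

foreach ($hive in 'HKLM', 'HKCU') {
    $value = Get-NoDriveTypeAutoRun -Hive $hive
    if ($null -eq $value) {
        Write-Output "${hive}: NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    # Drive types whose bit is clear still have AutoRun enabled.
    $stillEnabled = $driveTypeBits.Keys |
        Where-Object { ($value -band $_) -eq 0 } |
        ForEach-Object { $driveTypeBits[$_] }
    Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $value)
    if ($stillEnabled) {
        Write-Output "  AutoRun still enabled for: $($stillEnabled -join ', ')"
    } else {
        Write-Output "  AutoRun disabled for all drive types"
    }
}

if (Test-AutorunInfMapping) {
    Write-Output "Autorun.inf IniFileMapping workaround is in place"
} else {
    Write-Output "Autorun.inf IniFileMapping workaround NOT present"
}
```

A 0xFF value is only honoured once the fix Microsoft describes in the KB article linked above is installed, which this script does not check.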

  * Apple *

Apple QuickTime Updates for Multiple Vulnerabilities:
Apple has released QuickTime 7.6 to correct multiple vulnerabilities  
affecting QuickTime for Mac OS X and Windows. Attackers may be able to  
exploit these vulnerabilities to execute arbitrary code or cause a  
denial of service. Upgrade to QuickTime 7.6. This and other updates  
are available via Software Update or via Apple Downloads:
<http://support.apple.com/downloads/>

About the security content of QuickTime 7.6
<http://support.apple.com/kb/HT3403>

QuickTime MPEG-2 Playback Component:
An input validation issue exists in the QuickTime MPEG-2 Playback  
Component for Windows. Accessing a maliciously crafted movie file may  
lead to an unexpected application termination or arbitrary code  
execution. This update addresses the issue by performing additional  
validation of MPEG-2 files. This issue does not affect systems running  
Mac OS X.

The QuickTime MPEG-2 Playback Component is not installed by default,  
and is provided separately from QuickTime. Details are available here:
<http://www.apple.com/quicktime/mpeg2/>

More details about the QuickTime MPEG-2 Playback Component:
<http://support.apple.com/kb/HT3404>


-----------------------------------------------
2. Twitter Phishing Scams and Hacks
-----------------------------------------------

The buzz in the cyber security sphere the past few weeks has been  
about the latest Twitter hack. What is Twitter? Anyone who paid  
attention to this week's historic presidential inauguration is  
probably now up to speed, but for those who still wonder, Twitter is a  
type of micro-blog site for people who like to inform others what is  
going on in their life without having to post an entire article about  
it. It is very similar to the status bar on Facebook.

Learn more about Twitter:
<http://webtrends.about.com/od/socialnetworking/a/what-is-twitter.htm>
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126362>

A few weeks ago, someone or a group of people hacked into Twitter and  
began stealing usernames and passwords. They then began posting to  
Twitter as if they were the trusted friends and acquaintances of other  
people using Twitter. They were able to post links that would lure  
these unsuspecting victims to phishing scams and malware sites.

During this same time, some celebrities had their Twitter accounts  
"hijacked" and messages were posted that put them in a bad light.  
These hacks were purported to be due to a weakness in the internal  
support tools, which Twitter is now securing properly. But another  
news report claims the hijacking occurred because a Twitter employee  
had a weak password that was cracked using a simple password-guessing  
program.

Read the full story here:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=332121>


-------------------------------------------------------------------
3. IAP on Handling Sensitive Data Was Well Attended
-------------------------------------------------------------------

The 2009 IAP session "Handling Sensitive Data - What Everyone Needs to  
Know" was well attended on all three dates it was offered. Questions  
and comments from attendees showed that they, as MIT employees, are  
concerned about what they can do to protect the sensitive information  
in their care. The various laws and regulations concerning sensitive  
data, and the rollout of new Massachusetts regulations this year, will  
affect all of us at MIT who handle data on a regular basis or who may  
have handled and stored it in the past, both in hard copy and  
electronically.

For those who weren't able to attend, the handouts and presentation  
are posted online at:
<http://web.mit.edu/infoprotect/resources.html>

In addition, make a note that next week, January 28 is Data Privacy  
Day. Designed to raise awareness and generate discussion about data  
privacy practices and rights, Data Privacy Day activities in the  
United States have included privacy professionals, corporations,  
government officials and representatives, academics, and students  
across the country.

Learn more about Data Privacy Day:
<https://www.privacyassociation.org/index.php?option=com_content&task=view&id=1702&Itemid=70>
<http://www.intel.com/policy/dataprivacy.htm>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
