[IS&T Security-FYI] SFYI Newsletter, January 30, 2009 - CORRECTION

Monique Yeaton myeaton at MIT.EDU
Fri Jan 30 14:24:21 EST 2009


A small correction:

In the article about the New Security Standards Adopted by  
Massachusetts below, the extensions on the dates for compliance are  
not quite accurate. The complete language of the new deadlines is here:

http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca

The article below notes:
"The January 1, 2009 deadline was extended to May 1, 2009 for  
contractual compliance and general provisions of the regulation, and  
January 1, 2010 for encryption and certification."

The deadlines listed for contractual compliance, general provisions  
and certification are accurate. The certification refers to third- 
party providers. However, the encryption deadlines are May 1, 2009 for  
laptops and January 1, 2010 for other portable devices.

Thanks,

Monique


On Jan 30, 2009, at 1:28 PM, Monique Yeaton wrote:

>
> In this issue:
>
> 1. Two Big Computer Attacks Making the Rounds
> 2. New Security Standards Adopted by Massachusetts
> 3. Heartland Security Breach
> 4. Spam Levels Expected to Rise Soon
> 5. White House Posts Network Security Agenda
>
>
> --------------------------------------------------------------
> 1. Two Big Computer Attacks Making the Rounds
> --------------------------------------------------------------
>
> --Sophisticated Windows Worm Conficker--
> The Conficker worm, also known as Downadup and Kido, is troubling  
> computer systems around the globe.  This Windows worm, known by  
> different monikers due to the various anti-virus and anti-malware  
> companies out there, was first seen in Oct. 2008. Microsoft released  
> a patch to solve the problem but the past week has seen the worm  
> take hold once again due to a new strain, dubbed Conficker.B,  
> causing more problems this month than the older version,  
> Conficker.A, did at the end of last year. Officials put the total  
> number of computers infected up to 3 million.
>
> Read more here:
> <http://tech.blorge.com/Structure:%20/2009/01/17/beware-the-windows-worm-conficker-downadup-kido-rampant/>
> <http://news.bbc.co.uk/2/hi/technology/7832652.stm>
>
> --Pirated Copies of iWork 09 Contain Trojan--
> Illegal copies of Apple's iWork 09 and Adobe's Photoshop CS4 have  
> been appearing on file sharing websites.  The pirated software is  
> believed to contain a Trojan horse program known as iServices.A. The  
> Trojan has root access to infected computers.  Once in place, it  
> connects to a remote server and downloads additional software that  
> makes the infected computer part of a botnet. The Trojan has already  
> been inadvertently downloaded by an estimated 20,000 users. This  
> should send a warning to would-be downloaders of pirated software.
>
> Read more and learn how to remove the Trojan here:
> <http://kb.mit.edu/confluence/x/HRZB>
>
>
> --------------------------------------------------------------------
> 2. New Security Standards Adopted by Massachusetts
> --------------------------------------------------------------------
>
> Article by: Janine Hiller, Professor of Business Law, Virginia Tech:  
> "New Security Standards Adopted by Massachusetts"
>
> Massachusetts security regulations adopted in 2008 are so  
> controversial that the deadline for compliance has already been  
> extended, and comments about possible amendments were heard January  
> 16th, 2009. The requirements, intended to prevent identity theft,  
> incorporate a good deal of the standard FTC security provisions: a  
> comprehensive security program, identification of internal and  
> external risks, employee security policies, and the like.  
> Furthermore, the regulations list specific security actions that  
> must be implemented. Several highly debated provisions include  
> mandatory encryption of personal information of Massachusetts  
> residents held in a laptop or portable device, contractually  
> requiring third party service providers to comply with security  
> protections, and a written certificate of compliance from those  
> providers.
>
> The January 1, 2009 deadline was extended to May 1, 2009 for  
> contractual compliance and general provisions of the regulation, and  
> January 1, 2010 for encryption and certification. These seem to be  
> the most specific and strongest security regulations to date. The  
> importance of one state's specific security requirements for the  
> protection of residents' personal information cannot be  
> overemphasized; as the Data Breach Notification laws showed, one  
> state's laws can affect other residents, and can spur action by  
> other states.
>
> Standards are found here:
> <http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca>
> See the Massachusetts Office of Consumer Affairs and Business  
> Regulation for further information.
>
>
> -------------------------------------
> 3. Heartland Security Breach
> -------------------------------------
>
> Princeton, NJ-based Heartland Payment Systems has acknowledged a  
> data security breach that may affect tens of millions of payment  
> card accounts.  The breach apparently occurred in 2008, and  
> Heartland says the only data affected by that breach were the names  
> and/or number associated with payment cards; no merchant data,  
> Social Security numbers (SSNs), addresses or phone numbers were  
> compromised. Heartland discovered the breach after MasterCard and  
> Visa contacted the company regarding suspicious activity associated  
> with certain accounts. Investigators found malware lurking on  
> Heartland's network.
>
> Heartland's system processes 100 million transactions a month and  
> was regarded as PCI certified. Many of the transactions using the  
> Heartland Payment System are not over the Internet, but are done in  
> retail stores and restaurants. If you think your credit card has  
> been compromised, contact the financial institution that issued the  
> card.
>
> Read full story here:
> <http://www.msnbc.msn.com/id/28758856/>
>
> Response from Heartland:
> <http://2008breach.com/>
>
> [Article source: SANS]
>
>
> -------------------------------------------------
> 4. Spam Levels Expected to Rise Soon
> -------------------------------------------------
>
> Although spam levels dropped sharply after the hosting company  
> McColo was taken offline by its upstream providers two months ago,  
> new botnets and several resilient older ones are once again building  
> the volume of spam.  Levels are expected to reach pre-takedown  
> levels in about one month, if the recent trend continues.  McColo  
> was disconnected from the Internet by its upstream provider after  
> the provider received information indicating the hosting company had  
> numerous customers involved in cybercrime.  McColo's takedown all  
> but demolished the Srizbi botnet and crippled several others,  
> including Rustock.  However, no arrests were made and new botnets  
> have taken their places, including one called Ozdok or Mega-D that  
> takes screenshots of activity on infected machines and sends them  
> back to a remote server.
>
> Read more here:
> <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126793&source=rss_topic17>
>
> [Article source: SANS]
>
>
> ------------------------------------------------------------
> 5. White House Posts Network Security Agenda
> ------------------------------------------------------------
>
> In its recently posted Homeland Security Agenda, the Obama  
> administration has outlined its six major information network  
> protection goals:
>
>  - strengthen federal leadership on cyber security;
>  - initiate a safe computing R&D effort and harden our nation's  
> cyber infrastructure;
>  - protect the IT infrastructure that keeps America's economy safe;
>  - prevent corporate cyber espionage;
>  - develop a cyber crime strategy to minimize the opportunities for  
> criminal profit;
>  - and mandate standards for securing personal data and require  
> companies to disclose personal information data breaches.
>
> Notable under the first item is that the administration plans to  
> "establish the position of national cyber advisor who will report  
> directly to the president and will be responsible for coordinating  
> federal agency efforts and development of national cyber security  
> policy."
>
> Read more here:
> <http://www.whitehouse.gov/agenda/homeland_security/>
> <http://www.scmagazineus.com/President-Obamas-cybersecurity-plan-released/article/126252/>
>
>
>
> =========================
> Monique Yeaton
> IT Security Awareness Consultant
> MIT Information Services & Technology (IS&T)
> (617) 253-2715
> http://web.mit.edu/ist/security
>
> ---------------------------------------
> Important: DO NOT GIVE OUT YOUR PASSWORDS!
> Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
> for your password.
>
