[IS&T Security-FYI] SFYI Newsletter, March 13, 2009

Monique Yeaton myeaton at MIT.EDU
Fri Mar 13 11:43:57 EDT 2009


In this issue:

1. March 2009 Security Updates
2. The Other Kind of Security
3. New Threat: In-Session Phishing


-----------------------------------------
1. March 2009 Security Updates
-----------------------------------------

  ---- Microsoft ----

This week Microsoft released one critical and two important security  
bulletins for newly discovered vulnerabilities.

Systems affected:

  * Microsoft Windows
  * Windows Server

It is recommended to take the patches when prompted by Windows Update.  
Vulnerabilities in the Windows kernel, SChannel, and the DNS and WINS  
servers could allow remote code execution or spoofing. Administrators  
are encouraged to note these issues and test for any potentially adverse  
effects. These patches are now approved for deployment via MIT WAUS.

For details on the update:
<http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx>

  ---- Apple ----

Apple has not issued a security bulletin since the first one of the  
year in February (2009-001), but the company has since patched issues  
in the following software: Time Capsule, AirPort Base Station, and  
iTunes 8.1.

Systems affected:

  * Airport Extreme Base Station with 802.11n
  * Airport Express Base Station with 802.11n
  * Time Capsule
  * Mac OS X 10.4.10 or later
  * Mac OS X Server 10.4.10 or later
  * Windows XP or Vista (iTunes)

You can get the patches through the Software Update preference pane or  
by visiting the Apple Downloads page at <http://www.apple.com/downloads/>.

Details on these patches can be found here:

Time Capsule & Airport Base Station <http://support.apple.com/kb/HT3467>
iTunes 8.1 <http://support.apple.com/kb/HT3487>


-------------------------------------
2. The Other Kind of Security
-------------------------------------

Most of the discussions around computer security are about viruses,  
scams, patching, new cyber threats, etc. But because the end-goal of  
all computer security is the protection of data, especially sensitive  
data, computer security must also include physical security: the  
protection of devices. Computer security is, after all, about  
redundancy: adding as many layers of protection as the risks call for.  
(It's good to keep the door of your house locked, but it's even better  
to put an alarm on it.)

Do you know what is being done to protect the systems that contain  
information you don't want others to get their hands on, that is, the  
systems which, if stolen or lost, would cause a person's business or  
work to be seriously harmed?

It is strongly advised to not put sensitive data on any mobile device  
(e.g., laptop or smartphone), but even if the data is stored on a  
desktop, external hard drive, or USB drive locked away somewhere,  
would you want to risk someone breaking into that area and taking it  
away?

A cable lock or alarm device can be added at little cost. To learn more,  
visit KSL Security, an MIT vendor that specializes in these products  
for laptops, desktops, monitors, AV equipment and more:

<http://www.kslsecurity.com/index.php>


---------------------------------------------
3. New Threat: In-Session Phishing
---------------------------------------------

A bug found in all major browsers could make it easier for criminals  
to steal online banking credentials using a new type of attack called  
"in-session phishing," according to researchers at security vendor  
Trusteer.

Here's how an attack would work: The bad guys would hack a legitimate  
Web site and plant HTML code that looks like a pop-up security-alert  
window. The pop-up then would ask the victim to enter password and  
logon information, and possibly answer other security questions used  
by banks to verify the identity of their customers.

[Article source: Network World Magazine]

More info at:
<http://arstechnica.com/security/news/2009/01/new-method-of-phishmongering-could-fool-experienced-users.ars>

and

<http://blogs.oracle.com/BornIdentity/2009/01/move_aside_email_phishing_inse.html>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
