[IS&T Security-FYI] SFYI Newsletter, March 13, 2009
Monique Yeaton
myeaton at MIT.EDU
Fri Mar 13 11:43:57 EDT 2009
In this issue:
1. March 2009 Security Updates
2. The Other Kind of Security
3. New Threat: In-Session Phishing
-----------------------------------------
1. March 2009 Security Updates
-----------------------------------------
---- Microsoft ----
This week Microsoft released one critical and two important security
bulletins for newly discovered vulnerabilities.
Systems affected:
* Microsoft Windows
* Windows Server
It is recommended to take the patch when prompted by Windows Update.
Vulnerabilities in the Windows Kernel, SChannel, and the DNS and WINS Server
could allow remote code execution or spoofing. Administrators are
encouraged to note these issues and test for any potentially adverse
effects. These patches are now approved for deployment via MIT WAUS.
For details on the update:
<http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx>
---- Apple ----
Apple has not issued a security bulletin since the first one of the
year in February (2009-001), but the company has since patched issues
in the following software: Time Capsule, AirPort Base Station, and
iTunes 8.1.
Systems affected:
* Airport Extreme Base Station with 802.11n
* Airport Express Base Station with 802.11n
* Time Capsule
* Mac OS X 10.4.10 or later
* Mac OS X Server 10.4.10 or later
* Windows XP or Vista (iTunes)
You can get the patches through the Software Update preference pane or by
visiting the Apple Downloads page at <http://www.apple.com/downloads/>.
Details on these patches can be found here:
Time Capsule & Airport Base Station <http://support.apple.com/kb/HT3467>
iTunes 8.1 <http://support.apple.com/kb/HT3487>
-------------------------------------
2. The Other Kind of Security
-------------------------------------
Most of the discussions around computer security are about viruses,
scams, patching, new cyber threats, etc. But because the end-goal of
all computer security is the protection of data, especially sensitive
data, computer security must also include physical security: the
protection of devices. Computer security is, after all, about
redundancy: adding as many layers of protection as the risks call for.
(It's good to keep the door of your house locked, but it's even better
to put an alarm on it.)
Do you know what is being done to protect the systems that contain
information you don't want others to get their hands on: systems which,
if stolen or lost, would cause a person's business or work to be
seriously harmed?
It is strongly advised to not put sensitive data on any mobile device
(e.g., laptop or smartphone), but even if the data is stored on a
desktop, external hard drive, or USB drive locked away somewhere,
would you want to risk someone breaking into that area and taking it
away?
A cable lock or alarm device can be added at little cost. To learn more,
visit KSL Security, an MIT vendor that specializes in these products
for laptops, desktops, monitors, AV equipment and more:
<http://www.kslsecurity.com/index.php>
---------------------------------------------
3. New Threat: In-Session Phishing
---------------------------------------------
A bug found in all major browsers could make it easier for criminals
to steal online banking credentials using a new type of attack called
"in-session phishing," according to researchers at security vendor
Trusteer.
Here's how an attack would work: The bad guys would hack a legitimate
Web site and plant HTML code that looks like a pop-up security-alert
window. The pop-up then would ask the victim to enter password and
logon information, and possibly answer other security questions used
by banks to verify the identity of their customers.
[Article source: Network World Magazine]
More info at:
<http://arstechnica.com/security/news/2009/01/new-method-of-phishmongering-could-fool-experienced-users.ars>
and
<http://blogs.oracle.com/BornIdentity/2009/01/move_aside_email_phishing_inse.html>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.