[IS&T Security-FYI] SFYI Newsletter, April 5, 2010
Monique Yeaton
myeaton at MIT.EDU
Mon Apr 5 11:07:47 EDT 2010
In this issue:
1. Microsoft Internet Explorer Update
2. Younger Workers Seek Fewer Restrictions
3. Tip of the Week: TinyURL May Be Unsafe
-----------------------------------------------
1. Microsoft Internet Explorer Update
-----------------------------------------------
Out-of-band security bulletin MS10-018 was released on March 30, 2010
for vulnerabilities in Internet Explorer.
The out-of-band bulletin is a cumulative security update and contains
fixes for reported vulnerabilities on all supported versions of
Internet Explorer. It also addresses a vulnerability described in
Microsoft Security Advisory 981374.
Microsoft rates the update as critical and recommends that all users
and system administrators apply the update immediately. The update was
approved for deployment via MIT WAUS for MIT users.
The full bulletin:
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx
Advisory 981374:
http://www.microsoft.com/technet/security/advisory/981374.mspx
---------------------------------------------------------
2. Younger Workers Seek Fewer Restrictions
---------------------------------------------------------
Security and IT professionals have always been challenged with making
security easy for computer end users while at the same time giving
users the freedom to browse the Internet, including visiting sites
that might open them and their employer's network up to possible
malware attacks and data exposure.
To mitigate these risks, many organizations have IT policies that
state what a user should and should not do to protect the network and
other users. MIT also has such policies (see
http://web.mit.edu/policies/13/13.2.html). However, statistics in a
report by IT World Canada and Harris-Decima show that 90 percent of
workers under the age of 25 admitted violating IT policies.
Knowing this, awareness efforts by organizations should focus on end
users' understanding of security policies and why they exist.
Employees need to be aware of the consequences of their actions, which
can result in a lost laptop, malware infection, data loss or
compromised account credentials.
The full story:
http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=224200523
The report:
http://www.harrisdecima.com/hd/freedom-compute
The flipside:
http://www.itworldcanada.com/blogs/shane/2009/01/19/the-flip-side-of-freedom-to-compute/48918/
--------------------------------------------------------
3. Tip of the Week: TinyURL May Be Unsafe
--------------------------------------------------------
If you use Twitter, which restricts messages to 140 characters, you
are familiar with shortened URLs. There are many services which
provide tools for shortening URLs, such as bit.ly, tiny.cc and owl.ly.
Users are now very familiar with seeing these shortened URLs in their
messages and usually don't give them a second thought.
For all the convenience offered by URL shortening, there are also
potential problems. A shortened URL obscures the target address, and
as a result may direct you to an unexpected site. It could, for
instance, direct you to a site with spyware or a Trojan download.
Spammers also take advantage of this opaqueness, using such links in
spam to bypass URL blacklists.
A few ways to reduce the risks associated with shortened URLs:
1. Use a Twitter client such as TweetDeck. There are options in the
application's settings for previewing the destination of shortened
URLs before landing there. Information on the destination page's
title, its full length URL, and how many others have clicked that link
will help you make an informed decision about whether to click through
and visit.
2. Install a URL-preview plug-in. Several browser plug-ins and
services have the same preview option described above. Also, if you're
considering visiting a TinyURL link, you can enable the preview
service (http://tinyurl.com/preview.php) to see the complete URL. For
this to work, you must have cookies enabled in your browser.
3. ExpandMyURL.com and LongURLPlease.com both provide Web browser
plug-ins or applets that will verify the safety of the full URLs from
all major URL-shortening services. They check destination sites in the
background and mark the short URLs if they are safe.
There may be other services for checking the safety of shortened URLs
not mentioned here. But the key message here is to make sure you know
what you are clicking on before you do it.
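The preview step described in the tips above can also be done from a script. This is an added example, not part of the original newsletter: it assumes the shortening service answers a HEAD request with an HTTP redirect status and a Location header, and the names http_head and expand_url are hypothetical.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def http_head(url, timeout=5):
    """Send one HEAD request (no page body is downloaded, redirects are
    not followed) and return (status, Location header or None)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "short-url-preview"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand_url(url, head=http_head, max_hops=10):
    """Follow redirects one hop at a time and report where the link ends.
    `head` is injectable so the logic can be exercised without network access."""
    chain, note = [url], "resolved"
    while True:
        parts = urlsplit(chain[-1])
        if parts.scheme not in ("http", "https") or not parts.hostname:
            note = "non-HTTP target, not followed"
            break
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break  # no further redirect: this is the destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            note = "redirect loop"
            break
        if len(chain) > max_hops:
            note = "too many redirects"
            break
        chain.append(nxt)
    return {"chain": chain, "final_url": chain[-1],
            "final_host": urlsplit(chain[-1]).hostname, "note": note}

if __name__ == "__main__":
    import sys
    for short in sys.argv[1:]:  # short URLs given on the command line
        result = expand_url(short)
        print(short, "->", result["final_url"], "(%s)" % result["note"])
```

Redirects done with an HTML meta refresh or with JavaScript do not show up in HTTP headers, so a link that stops at an unfamiliar intermediate host still deserves caution.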
========================================================================
Find current and older issues of Security FYI Newsletter:
<http://kb.mit.edu/confluence/x/ehBB>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security