[IS&T Security-FYI] SFYI Newsletter, April 5, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Apr 5 11:07:47 EDT 2010


In this issue:

1. Microsoft Internet Explorer Update
2. Younger Workers Seek Fewer Restrictions
3. Tip of the Week: TinyURL May Be Unsafe


-----------------------------------------------
1. Microsoft Internet Explorer Update
-----------------------------------------------

Out-of-band security bulletin MS10-018 was released on March 30, 2010  
for vulnerabilities in Internet Explorer.

The out-of-band bulletin is a cumulative security update and contains  
fixes for reported vulnerabilities on all supported versions of  
Internet Explorer. It also addresses a vulnerability described in  
Microsoft Security Advisory 981374.

Microsoft rates the update as critical and recommends that all users  
and system administrators apply the update immediately. The update was  
approved for deployment via MIT WAUS for MIT users.

The full bulletin:
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx

Advisory 981374:
http://www.microsoft.com/technet/security/advisory/981374.mspx


---------------------------------------------------------
2. Younger Workers Seek Fewer Restrictions
---------------------------------------------------------

Security and IT professionals have always been challenged with making  
security easy for computer end users while at the same time giving  
users the freedom to browse the Internet, including visiting sites  
that might open them and their employer's network up to possible  
malware attacks and data exposure.

To mitigate these risks, many organizations have IT policies that
state what a user should and should not do to protect the network and
other users. MIT also has such policies (see
http://web.mit.edu/policies/13/13.2.html). However, statistics in a
report by IT World Canada and Harris-Decima show that 90 percent of
workers under the age of 25 admitted violating IT policies.

Knowing this, awareness efforts by organizations should focus on end  
users' understanding of security policies and why they exist.  
Employees need to be aware of the consequences of their actions, which
can result in a lost laptop, malware infection, data loss or
compromised account credentials.

The full story:
http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=224200523

The report:
http://www.harrisdecima.com/hd/freedom-compute

The flipside:
http://www.itworldcanada.com/blogs/shane/2009/01/19/the-flip-side-of-freedom-to-compute/48918/


--------------------------------------------------------
3. Tip of the Week: TinyURL May Be Unsafe
--------------------------------------------------------

If you use Twitter, which restricts messages to 140 characters, you  
are familiar with shortened URLs. There are many services which  
provide tools for shortening URLs, such as bit.ly, tiny.cc and owl.ly.  
Users are now very familiar with seeing these shortened URLs in their  
messages and usually don't give them a second thought.

For all the convenience offered by URL shortening, there are also  
potential problems. A shortened URL obscures the target address, and  
as a result may direct you to an unexpected site. It could, for  
instance, direct you to a site with spyware or a Trojan download.  
Opaqueness is also used by spammers, who use such links in spam to  
bypass URL blacklists.

A few ways to prevent risks associated with shortened URLs:

1. Use a Twitter client such as TweetDeck. There are options in the  
application's settings for previewing the destination of shortened  
URLs before landing there. Information on the destination page's  
title, its full length URL, and how many others have clicked that link  
will help you make an informed decision about whether to click through  
and visit.

2. Install a URL-preview plug-in. Several browser plug-ins and  
services have the same preview option described above. Also, if you're  
considering visiting a TinyURL link, you can enable the preview  
service (http://tinyurl.com/preview.php) to see the complete URL. For  
this to work, you must have cookies enabled in your browser.

3. ExpandMyURL.com and LongURLPlease.com both provide Web browser
plug-ins or applets that will verify the safety of the full URLs from
all major URL-shortening services. They check destination sites in the
background and mark the short URL if the destination is safe.

There may be other services for checking the safety of shortened URLs  
not mentioned here. But the key message here is to make sure you know  
what you are clicking on before you do it.

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





