[IS&T Security-FYI] SFYI Newsletter, March 1, 2010 (text-only version)
Monique Yeaton
myeaton at MIT.EDU
Tue Mar 2 10:00:36 EST 2010
THIS IS THE TEXT-ONLY VERSION OF YESTERDAY'S NEWSLETTER. It appears
that some readers were not able to access the HTML links due to the
rich-text format. You can disregard this version if you didn't have
that problem.
In this issue:
1. Microsoft Releases Updates for Exploit in IE
2. MIT's Written Information Security Program
3. FTC Cracking Down on File Sharing
4. Tip of the Week: Use Passwords They Can't Guess
-----------------------------------------------------------
1. Microsoft Releases Updates for Exploit in IE
-----------------------------------------------------------
Microsoft has released Security Bulletin MS10-002, which resolves
seven privately reported vulnerabilities and one publicly disclosed
vulnerability in Internet Explorer.
Systems affected:
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000
Service Pack 4
Microsoft Internet Explorer 6, 7, and 8 on supported editions of
Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows
7, and Windows Server 2008 R2
Last December malicious activity was detected (now known as Operation
Aurora) that targeted at least 20 organizations representing multiple
industries. Further analysis revealed that users at these organizations
were victims of earlier phishing scams through which the threat actors
had gained access to their email accounts.
Through analysis of the malware used in this incident, McAfee
discovered that one of the malware samples exploited a vulnerability in
Microsoft Internet Explorer (IE). The vulnerability is an invalid
pointer reference within IE which, if successfully exploited, allows
remote code execution.
Read the full bulletin:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
Watch a video by McAfee on Operation Aurora:
http://www.mcafee.com/us/threat_center/aurora_video.html
[Source: US-CERT]
----------------------------------------------------------
2. MIT's Written Information Security Program
----------------------------------------------------------
If you have attended an IAP Session on Handling Sensitive Data
<http://student.mit.edu/iap/nsis.html> in the last few years, you are
likely to have heard about the data breach notification law that went
into effect in Massachusetts on October 31, 2007. Meant to protect
residents from identity theft and fraud, the law now includes rules
for handling selected types of personal information.
In response, MIT is rolling out a campus-wide Written Information
Security Program (WISP), which includes administrative, technical, and
physical safeguards for this type of data at MIT.
You can find the WISP here (pdf): <http://web.mit.edu/infoprotect/docs/WISP.pdf>
-------------------------------------------------
3. FTC Cracking Down on File Sharing
-------------------------------------------------
A recent news story in the Washington Post revealed that the Federal
Trade Commission (FTC) has uncovered widespread data breaches at
companies, schools and local governments whose members are swapping
music, software and movie files over the Internet.
It sent nearly 100 letters to organizations where information on
customers and employees, including health and financial data and
Social Security and driver's license numbers, had leaked through
peer-to-peer file-sharing networks. It warned that the security
breaches could lead to identity theft or fraud, and it recommended
that the groups review their policies and inform the affected
individuals.
Read the full story here:
http://www.washingtonpost.com/wp-dyn/content/article/2010/02/22/AR2010022204889.html
--------------------------------------------------------------------
4. Tip of the Week: Use Passwords They Can't Guess
--------------------------------------------------------------------
Students at a school in London exploited a teacher's poor password
selection to access grades and other school records. The teacher had
used his daughter's name as a password, but became suspicious when
students made reference to an excursion, which had not yet been
announced, so he changed his password to the registration number of
his car, which was parked outside the school every day. When he
received complaints from other teachers about grades being leaked, he
changed it again, this time to his postcode. The students in question
cracked this within days too.
Some password strength tips can be found on this web site:
http://ist.mit.edu/security/support/passwords
[Source: SANS]
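All three of the teacher's passwords were facts the students could look up or observe. The check below is an added example, not code from the newsletter or from MIT's password guidance: given a candidate password and a few personal details an acquaintance would know, it rejects passwords built from those details, including reversed, leet-substituted ("s4rah") and digit-suffixed ("sarah2010") variants, and enforces an assumed minimum length. The profile values (the child's name, the registration plate and the postcode) are constructed and fictional, and the length limit is an assumed policy value.

```python
"""Reject candidate passwords derived from details an acquaintance knows.

Added example for the password tip above; not from the newsletter.
EXAMPLE_PROFILE holds constructed, fictional values, and MIN_LEN is an
assumed policy minimum, not MIT's documented requirement.
"""
import re

# Substitutions a guesser undoes before trying a word: p4ssw0rd -> password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LEN = 12     # assumed policy minimum length
MIN_TOKEN = 4    # ignore fragments too short to be a meaningful guess

# Constructed profile standing in for the teacher in the story.
EXAMPLE_PROFILE = {
    "child": "Sarah",
    "car": "LB07 XYZ",        # fictional registration plate
    "postcode": "NW9 4QZ",    # fictional postcode
}


def normalize(text: str) -> str:
    """Lower-case, undo leet substitutions, drop spaces and punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def personal_tokens(profile: dict) -> set:
    """Strings a guesser would try: each value, each word of it, and their reversals."""
    tokens = set()
    for value in profile.values():
        for part in [value] + value.split():
            n = normalize(part)
            if len(n) >= MIN_TOKEN:
                tokens.add(n)
                tokens.add(n[::-1])   # "haras" for "sarah"
    return tokens


def check_password(password: str, profile: dict) -> list:
    """Return the reasons a password is guessable; an empty list means it passed."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append(f"too-short:{len(password)}<{MIN_LEN}")
    p = normalize(password)
    for tok in sorted(personal_tokens(profile)):
        # Token inside the password ("sarah2010") or the password being a
        # truncation of the token ("sara" for "sarah") both count as derived.
        if tok in p or (len(p) >= MIN_TOKEN and p in tok):
            reasons.append(f"personal-token:{tok}")
    return reasons


if __name__ == "__main__":
    for candidate in ["Sarah", "LB07XYZ!", "haras2010!", "nw94qz", "tundra-velvet-oboe-39"]:
        print(f"{candidate!r}: {check_password(candidate, EXAMPLE_PROFILE) or 'ok'}")
```

The substring match is deliberately generous: a guesser who knows the name will try it with years, punctuation and reversal appended, so any password that still contains the normalized token is treated as derived from it. A random passphrase with no connection to the profile passes on both length and content.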
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security