[IS&T Security-FYI] SFYI Newsletter, March 1, 2010 (text-only version)

Monique Yeaton myeaton at MIT.EDU
Tue Mar 2 10:00:36 EST 2010


THIS IS THE TEXT-ONLY VERSION OF YESTERDAY'S NEWSLETTER. It appears  
that some readers were not able to access the HTML links due to the  
rich-text format. You can disregard this version if you didn't have  
that problem.


In this issue:

1. Microsoft Releases Updates for Exploit in IE
2. MIT's Written Information Security Program
3. FTC Cracking Down on File Sharing
4. Tip of the Week: Use Passwords They Can't Guess


-----------------------------------------------------------
1. Microsoft Releases Updates for Exploit in IE
-----------------------------------------------------------

Microsoft has released Security Bulletin MS10-002, which resolves  
seven privately reported vulnerabilities and one publicly disclosed  
vulnerability in Internet Explorer.

Systems affected:

Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000  
Service Pack 4
Microsoft Internet Explorer 6, 7, and 8 on supported editions of  
Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows  
7, and Windows Server 2008 R2

Last December malicious activity was detected (now known as Operation  
Aurora) that targeted at least 20 organizations representing multiple  
industries. Further analysis revealed these users were victims of  
previous phishing scams through which threat actors successfully  
gained access to their email accounts.

Through analysis of the malware used in this incident, McAfee  
discovered one of the malware samples exploited a vulnerability in  
Microsoft Internet Explorer (IE). The vulnerability exists as an  
invalid pointer reference within IE and, if successfully exploited,  
allows for remote code execution.

Read the full bulletin:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Watch a video by McAfee on Operation Aurora:
http://www.mcafee.com/us/threat_center/aurora_video.html

[Source: US-CERT]


----------------------------------------------------------
2. MIT's Written Information Security Program
----------------------------------------------------------

If you have attended an IAP Session on Handling Sensitive Data <http://student.mit.edu/iap/nsis.html>
in the last few years, you are likely to have heard about the data  
breach notification law that went into effect in Massachusetts on  
October 31, 2007. Meant to protect residents from identity theft and  
fraud, the law now includes rules for handling selected types of  
personal information.

In response, MIT is rolling out a campus-wide Written Information  
Security Program (WISP), which includes administrative, technical, and  
physical safeguards for this type of data at MIT.
You can find the WISP here (pdf): <http://web.mit.edu/infoprotect/docs/WISP.pdf>


-------------------------------------------------
3. FTC Cracking Down on File Sharing
-------------------------------------------------

A recent news story in the Washington Post revealed that the Federal  
Trade Commission (FTC) has uncovered widespread data breaches at  
companies, schools and local governments whose members are swapping  
music, software and movie files over the Internet.

It sent nearly 100 letters to organizations where information on  
customers and employees, including health and financial data and  
Social Security and driver's license numbers, leaked through peer-to-peer  
Web services. It warned that the security breaches could lead to  
identity theft or fraud, and it recommended that the groups review  
their policies and inform the affected individuals.

Read the full story here:
http://www.washingtonpost.com/wp-dyn/content/article/2010/02/22/AR2010022204889.html


--------------------------------------------------------------------
4. Tip of the Week: Use Passwords They Can't Guess
--------------------------------------------------------------------

Students at a school in London exploited a teacher's poor password  
selection to access grades and other school records. The teacher had  
used his daughter's name as a password, but became suspicious when  
students made reference to an excursion, which had not yet been  
announced, so he changed his password to the registration number of  
his car, which was parked outside the school every day. When he  
received complaints from other teachers about grades being leaked, he  
changed it again, this time to his postcode. The students in question  
cracked this within days too.

Some password strength tips can be found on this web site:
http://ist.mit.edu/security/support/passwords

[Source: SANS]
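As an added illustration of this tip (not part of the newsletter or of MIT's password guidance), here is a small Python check that rejects a candidate password built from personal facts an onlooker could easily learn, such as the child's name, car registration and postcode in the story above. The personal terms and the minimum length are constructed, hypothetical values.

```python
import re

# Constructed, hypothetical facts about a user that others could observe:
# a child's name, a car registration number and a postcode.
KNOWN_PERSONAL_TERMS = ["Emily", "AB12 CDE", "SW1A 1AA"]

# Common digit/symbol-for-letter substitutions, undone before comparing so
# that "3m1ly" is still recognised as "emily".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lowercase, undo leet substitutions and drop spaces/punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET_MAP))


def check_password(password, personal_terms, min_length=12):
    """Return the list of reasons the password is rejected.

    An empty list means the password passed every check. Each personal
    term is compared in normalized form, forwards and reversed, so that
    spacing, case, leet spelling or simple reversal do not hide it.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    norm_pw = normalize(password)
    for term in personal_terms:
        norm_term = normalize(term)
        if len(norm_term) < 4:
            continue  # very short terms would match almost anything
        if norm_term in norm_pw or norm_term[::-1] in norm_pw:
            reasons.append(f"contains personal term: {term}")
    return reasons


if __name__ == "__main__":
    for candidate in ["Emily2010!", "SW1A1AA-is-my-postcode",
                      "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, KNOWN_PERSONAL_TERMS) or "ok")
```

A real deployment would combine this with a breached-password list and rate limiting on login attempts; the point here is only that the "secret" must not be something people around you already know.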


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





