[IS&T Security-FYI] SFYI Newsletter, January 3, 2011

Mon Jan 3 15:08:25 EST 2011

The newsletter author took last month off from writing Security-FYI issues, but she's back, so keep an eye out for these weekly security updates in 2011.

In this issue:

1. IAP Session on Protecting Personal Information

2. McAfee Vulnerable to Metasploit Attack

3. Word 2004 for Windows Still Vulnerable

4. Security (or Lack Thereof) of New Gadgets

---------------------------------------------------------------

1. IAP Session on Protecting Personal Information

---------------------------------------------------------------

Tim McGovern and Monique Yeaton of the IT Security team will be hosting an IAP session on Protecting Personal Information at MIT. This is an update to the 2010 IAP session on Handling Sensitive Data.

We will discuss:

 *   What MIT has been doing over the last year to help reduce MIT's risk of a serious data breach involving personal information.
 *   What each of us need to do in our own offices, and on our computers, to minimize the collection of, and to protect sensitive data needed for our business activities.
 *

There will be an opportunity to ask questions and participate in the discussion. This is a mostly non-technical session, although we will talk about technology tools that can help in this effort. We hope to see you there!

For full information: <http://student.mit.edu/searchiap/iap-a709.html>

-----------------------------------------------------

2. McAfee Vulnerable to Metasploit Attack

-----------------------------------------------------

McAfee is aware of a publicly disclosed attack that could disable VirusScan Enterprise (VSE) running on a customer’s machine.  This attack is not a stand-alone attack, but acts as a payload to be chained via another attack.

Affected software:

 *   VirusScan Enterprise 8.7 and earlier (Windows only)

If the attack is successful, it disables both VSE and the connection to ePO.  It would leave the McAfee Shield visible, so it may not be immediately apparent that antivirus protection has been disabled.  In addition to the immediate disabling of VSE, the attack changes settings for VSE, resulting in diminished capacity for scanning going forward.

McAfee has already developed a strategy that would prevent this from happening in the upcoming VSE 8.8 release. They have released a DAT file (6209) that detects the metasploit plugin used to run this attack. It is recommended that users update their McAfee software to receive the latest DAT file.

Read the full bulletin: <https://kc.mcafee.com/corporate/index?page=content&id=SB10014&actp=LIST_RECENT>

-----------------------------------------------------

3. Word 2004 for Windows Still Vulnerable

-----------------------------------------------------

Microsoft communicated a warning about active attacks on Windows machines, exploiting a vulnerability in Microsoft Word.  The exploit involves using a RTF (rich text format) file to create a stack overflow in Word running on Windows.  The vulnerability was patched in Microsoft Word 2002, 2003, 2007 and 2010 in last November's batch of updates (Security Bulletin MS10-087); the flaw has also been fixed in Word 2008 and 2011, but Word 2004 is still vulnerable.  Users who have not downloaded the November patch are urged to do so as soon as possible at http://update.microsoft.com or by using Microsoft Update or Windows Server Update Services (WSUS).

Read the full story here: <http://www.computerworld.com/s/article/9202819/Microsoft_warns_of_Word_attacks>

----------------------------------------------------------

4. Security (or Lack Thereof) of New Gadgets

----------------------------------------------------------

New gadgets designed to connect to the Internet, such as smartphones and certain HDTV's, are not always being designed with security in mind. Hackers are shifting their focus to these devices as they become more ubiquitous. As mobile device applications are intended for a single user, there is little to no authentication and authorization built in. Critical security functions such as data encryption and auditing are almost always missing. Protecting the devices from attacks will also require new approaches. A few important steps you can take are:

 1.  turn off Bluetooth and other services that are not needed,
 2.  always run some form of security, such as encryption, on your wireless network,
 3.  put any web enabled devices behind a firewall.

Read the full story here: <http://www.nytimes.com/2010/12/27/technology/27hack.html>

===========================================================================================

To read all current and archived articles online, visit the Security-FYI Blog at <http://securityfyi.wordpress.com/>

Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20110103/aa3a080c/attachment.htm