[IS&T Security-FYI] SFYI Newsletter, June 14, 2011

Monique Yeaton myeaton at MIT.EDU
Tue Jun 14 13:35:28 EDT 2011


In this issue:


1. Adobe Releases Fix for Zero-Day Flash Flaw

2. The SecurID Compromise

3. Many Mobile Apps Less Than Secure



-------------------------------------------------------------

1. Adobe Releases Fix for Zero-Day Flash Flaw

-------------------------------------------------------------


Adobe has released an out-of-band fix for a zero-day vulnerability in its Flash Player. The cross-site scripting (XSS) flaw affects Flash Player versions 10.3.181.16 and earlier on Windows, Mac, Linux and Solaris and versions 10.3.185.22 and earlier for Android. A fix has already been pushed out to address the Flash flaw in Google's Chrome browser.


The flaw could be exploited "to take action on a user's behalf on any website or webmail provider" by tricking users into clicking on malicious links in email messages. Adobe is still investigating whether or not the vulnerability affects Reader and Acrobat. The flaw is reportedly being actively exploited against Gmail users.


You can find out which Flash Player version you have installed here: <http://www.adobe.com/software/flash/about/>

Get the newest Flash Player at: <http://get.adobe.com/flashplayer/>


Read the story in the news:

<http://www.informationweek.com/news/security/app-security/229900192>

<http://www.computerworld.com/s/article/9217346/Hackers_exploit_Flash_bug_in_new_attacks_against_Gmail_users>



-------------------------------------

2. The SecurID Compromise

-------------------------------------


RSA Security will be replacing the 40 million SecurID tokens currently in use as a result of a reported attack on RSA last March. The company recently sent a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin and several other clients as a result of the attack.


SecurID tokens are used in two-factor authentication systems. Two-factor authentication has been considered by many to be the gold standard for secure IT access. The idea is that you must have two things: something you have (such as a token) and something you know (such as a password). Many companies, for example, require a smart card with an embedded identity chip to be inserted into a card reader. When the card is inserted, you're prompted for your password.


SecurID is a token that you don't have to insert. It will present a number to the user that changes every 30 seconds. The algorithm that matches the number to the token may be part of what was stolen from RSA's data systems. The thieves now have one of the two factors figured out, so if you have a weak password as the second factor, the thieves will be able to penetrate your secure system.
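To make the mechanism concrete, here is an added example (not part of the newsletter, and not RSA's proprietary SecurID algorithm, which is not public) using the open TOTP standard, RFC 6238, which works the same way: a secret seed plus the current 30-second time step produce the displayed number. The seed value is the RFC's own reference test seed, used here as constructed sample input; the point the code shows is that whoever holds the seed, server or thief, computes exactly the codes the verifier accepts, which is why the password is all that is left once the seed is stolen.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the RFC 6238 reference seed (ASCII "12345678901234567890").
# In a real deployment the seed is unique per token and must be kept secret.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30  # the displayed code changes every 30 seconds


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `skew`
    neighbouring steps (clock drift), comparing in constant time."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, counter + d, digits), candidate)
        for d in range(-skew, skew + 1)
    )


def code_from_seed_alone_is_accepted(seed: bytes, unix_time: int) -> bool:
    """A party holding only the seed (no physical token) derives a code the
    verifier accepts, so a seed leak reduces two factors to one: the password."""
    code_without_token = totp(seed, unix_time)
    return verify_totp(seed, code_without_token, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("code displayed now:", totp(DEMO_SEED, now))
    print("seed alone yields an accepted code:", code_from_seed_alone_is_accepted(DEMO_SEED, now))
```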


Do you have a strong password? <http://kb.mit.edu/confluence/x/3wNt>


Read the story in the news:

<http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars>



---------------------------------------------------

3. Many Mobile Apps Less Than Secure

---------------------------------------------------


An article on HuffingtonPost says that "computer security firm viaForensics recently found that top apps for Android and iPhone devices may leave customer data exposed to hackers." Chief Investigating Officer of viaForensics notes "Security is not a priority of app developers."


The article goes on to say that certain software often stores sensitive user data in unencrypted, readable files on mobile devices. Among the list of offenders are Foursquare, LinkedIn and Netflix. More troubling is the app Square, which processes a transaction after the user has swiped his credit card through a dongle that attaches to the phone. According to viaForensics, the iPhone version of the app safely stores passwords but fails to securely store credit card numbers and user names.


For those who use such devices, I would recommend making sure you have a passcode and data protection enabled. You can find out how to secure your device using the MIT Mobile Device Ninja page: <http://kb.mit.edu/confluence/x/XQdS>.


Read the full story on HuffingtonPost:

<http://www.huffingtonpost.com/2011/06/08/app-security-viaforensics-netflix-square_n_873349.html>



====================================================================

Read all Security FYI Newsletter articles online at http://securityfyi.wordpress.com/.

====================================================================




Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

