[IS&T Security-FYI] SFYI Newsletter, February 13, 2012

Monique Yeaton myeaton at MIT.EDU
Mon Feb 13 17:25:53 EST 2012


In this issue:


1. Microsoft Security Updates for February 2012

2. PGP Desktop and Mac Support

3. Tip: How to Handle Spam at MIT

4. OUCH! Newsletter, February 2012: Mobile App Security



-------------------------------------------------------------

1. Microsoft Security Updates for February 2012

-------------------------------------------------------------


Microsoft will issue nine security bulletins this Tuesday, February 14, to address a total of 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, and Silverlight.


Four of the bulletins have been given the maximum severity rating of critical; the other five have been rated important. While all modern versions of the Windows operating system are affected by the Patch Tuesday updates, Server 2008 R2 is affected by the greatest number of bulletins.


Tuesday's IE update will address one or more vulnerabilities in all versions of the browser, from the decade-old IE6 to last year's IE9.


Read the story in the news<http://www.scmagazine.com/microsoft-issues-patch-plans-includes-internet-explorer-fix/article/227171/>.

Read the Microsoft Security Bulletin Advanced Notification<http://technet.microsoft.com/en-us/security/bulletin/ms12-feb>.



-------------------------------------------

2. PGP Desktop and Mac Support

-------------------------------------------


Scenario: You are using a Mac computer at MIT and would like to secure your hard drive with PGP Desktop encryption. You have, however, noticed that when Apple releases a new version of the operating system, or when the company releases a security update to the current operating system, Symantec is not providing a version of PGP Desktop that can run on it.


Symantec purchased PGP Desktop last year, and there has been hope that the larger company would be able to support Mac OS X operating system patches and new versions. However, to date, it has been slow to do so.


For example, Apple released Mac OS X 10.7.3 last month but the current version of PGP Desktop for Mac is not working on it. Symantec has told users to NOT upgrade to 10.7.3 if running PGP Desktop<http://www.symantec.com/business/support/index?page=content&id=TECH178069>.


What do you do? Should you wait to take the update?


We don't think this choice is always feasible. IS&T has therefore suggested that Mac users try FileVault 2 as an encryption option instead, with the caveat that it has some additional risks. Recommendations for using FileVault 2 have been documented in Hermes<http://kb.mit.edu/confluence/x/AoAiAw>.


Please send any questions about using PGP Desktop at MIT to pgp-help at mit.edu (note: this email is for MIT community members only).



---------------------------------------------

3. Tip: How to Handle Spam at MIT

---------------------------------------------


You may have seen a slight uptick in the spam arriving in your inbox lately. There is no clear explanation for why spam numbers fluctuate; it can be due to a number of reasons.


Regardless of the number of spam messages you receive, our main recommendation stays the same: never open them or click on anything within the email, such as links or attachments. It's not a good idea to reply to them either, for example to ask the sender to please stop. Often the "from" email address has been spoofed, and the people actually behind the spam aren't going to see your reply. Or if they do see it, they'll just take that as encouragement to send more spam, since they now know your email address has a real person attached to it.


There is a limited number of configurations in Spam Quarantine that can help reduce spam coming into your inbox. Learn more: If you're using Exchange<http://ist.mit.edu/services/email/exchange/spamquarantine>. If you're using IMAP<http://ist.mit.edu/services/email/nospam/spamquarantine>.


We are also aware that some of the spam may appear to be coming from a legitimate MIT email address. Don't be fooled, especially if any of these messages ask you to reply with personal information or to click a link to update your email account or any other account. These are phishing messages. MIT will never send email asking for personal information or threaten account holders with de-activation if they don't update or verify their account. See some examples of "phishy" emails<http://kb.mit.edu/confluence/x/VxhB> that appear to come from MIT.



--------------------------------------------------------------------------

4. OUCH! Newsletter, February 2012: Mobile App Security

--------------------------------------------------------------------------


This month's issue of OUCH! from SANS.org covers mobile app security. Instead of focussing on just the device itself, the newsletter explains the risks of using apps and how to install, configure and use them safely.


Read or download the newsletter in PDF format here<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201202_en.pdf>.



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

