[IS&T Security-FYI] SFYI Newsletter July 2, 2012

Monique Yeaton myeaton at MIT.EDU
Mon Jul 2 16:21:46 EDT 2012


In this issue:


1. OAuth Protects Your Passwords

2. Generation Gap in Computer Security

3. Wyndham Hotels Fail to Protect Consumer Personal Information



--------------------------------------------

1. OAuth Protects Your Passwords

--------------------------------------------


If you've ever used a desktop widget or mobile app that asks you to sign in using your Google, Twitter or Facebook account, you can be fairly confident that your account information will be secure. These services use OAuth, an open standard for authorization, for this purpose (see Wikipedia<http://en.wikipedia.org/wiki/OAuth>).


With OAuth, you are giving the application permission to act on your behalf with your account, but you are not giving any secrets away, nor are you authorizing the application to expose any of your personal information beyond the permissions the application specifically states you are granting.


In other words, with OAuth, you're not giving out your username and password; those stay with Google, Twitter or Facebook. What you are doing is granting access via your existing account. This prevents third-party apps from doing shady things, and it also means that if they get hacked, your password for Google, Twitter or Facebook remains safe. Understand how OAuth works<http://gizmodo.com/5918086/understanding-oauth-what-happens-when-you-log-into-a-site-with-google-twitter-or-facebook?tag=security>. More information on this topic is also included here<http://waxy.org/2012/02/the_perpetual_invisible_window_into_your_gmail_inbox/>.


I did an experiment with my Facebook account to see how many applications have access via Facebook and there were at least 40 applications in there. Many of them I don't remember ever using, so I removed a lot of them. To find yours on Facebook, go to Account Settings > Apps. You can then edit them, see what they can do on your behalf, or delete them.


For Google, go to your Account > Security and then click on the Edit button next to "Authorizing applications and sites." Here you can revoke access for the services that you use with your Google account.


I do not have a Twitter account so was not able to see how this works there, but instructions for Twitter can be found here<http://support.twitter.com/articles/76052-how-to-connect-and-revoke-third-party-applications>.
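
The delegation and revocation described above, as an added example that is not part of the original newsletter. It is a simplified model rather than the OAuth wire protocol, and the Provider class, the "photo-widget" app, the scope names and the password are all constructed for illustration.

```python
import hashlib, hmac, secrets

class Provider:
    """Hypothetical stand-in for Google/Twitter/Facebook: the only party that sees the password."""
    def __init__(self):
        self._pw = {}      # user -> (salt, password hash); never leaves the provider
        self._grants = {}  # token -> (user, app, approved scopes)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authorize(self, user, password, app, scopes):
        """The user signs in at the provider and approves the listed scopes for one app."""
        rec = self._pw.get(user)
        if rec is None or not hmac.compare_digest(
                rec[1], hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], 100_000)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)  # random, so it reveals nothing about the password
        self._grants[token] = (user, app, frozenset(scopes))
        return token

    def call_api(self, token, scope):
        """True only if the token is still valid and was granted this scope."""
        grant = self._grants.get(token)
        return grant is not None and scope in grant[2]

    def apps_for(self, user):
        """What the 'Apps' settings page would list for this user."""
        return sorted({app for u, app, _ in self._grants.values() if u == user})

    def revoke(self, user, app):
        """Removing an app on the settings page invalidates every token it holds."""
        self._grants = {t: g for t, g in self._grants.items() if (g[0], g[1]) != (user, app)}

def demo():
    p = Provider()
    p.register("alice", "constructed-password")
    token = p.authorize("alice", "constructed-password", "photo-widget", {"read_profile"})
    app_database = {"alice": token}  # everything the third-party app ever stores
    before = (p.call_api(token, "read_profile"), p.call_api(token, "read_mail"))
    leaked = app_database["alice"]   # the app is breached: a token leaks, not the password
    listed = p.apps_for("alice")
    p.revoke("alice", "photo-widget")
    after = p.call_api(leaked, "read_profile")
    return before, listed, after, "constructed-password" in app_database.values()

if __name__ == "__main__":
    print(demo())
```

The token works only for the scope that was approved, and stops working once the app is removed from the account, without any password change.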


To ensure additional protection of your passwords, use a unique password for each of your accounts. That way, if Google does get hacked, criminals won't have access to the rest of your online accounts.



---------------------------------------------------

2. Generation Gap in Computer Security

---------------------------------------------------


The broad adoption of digital media and social networking, combined with an increasing amount of sensitive data stored online, is making personal computer security more important than ever. But do different generations understand this problem and protect themselves while online? See the infographic<http://i.techrepublic.com.com/blogs/the-generation-gap-in-computer-security-an-insecure-gen-y.png?tag=content;siu-container> (click the image when it opens in your browser to view the full size) to find out who is safer, Gen Y or Baby Boomers.



------------------------------------------------------------------------------------

3. Wyndham Hotels Fail to Protect Consumer Personal Information

------------------------------------------------------------------------------------


Credit card data of hundreds of thousands of consumers has been compromised, and millions of dollars lost to fraud, according to the FTC. It has filed a complaint against the Wyndham hotels and three of its subsidiaries for actions that led to three data breaches at the hotels in less than two years. The case against Wyndham is part of the FTC's ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.


Read the full story here.<http://ftc.gov/opa/2012/06/wyndham.shtm>


If you have been a victim of identity theft, see the tips offered by the FTC<http://www.ftc.gov/bcp/edu/microsites/idtheft2012/>.



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

