[IS&T Security-FYI] SFYI Newsletter, February 3, 2014

Mon Feb 3 15:53:12 EST 2014

In this issue:

1. Laptop Tagging and Registration on 2/5/14
2. Data Privacy Month: Is Online Privacy Possible?
3. Yahoo! User Data Compromised
4. Beware Your Chrome Extensions
5. For Fun: Cookie Problem

-------------------------------------------------------------
1. Laptop Tagging and Registration on 2/5/14
-------------------------------------------------------------

This Wednesday, there is an opportunity to register and tag your laptop:

Where: Stata Student Street (Bldg. 32, Ground level)
When: Wed., February 5, 11:00 am - 12:30 pm

Cost: $10 cash (no cards) or MIT Cash Object

Just as you might register a bike with the police, you can also register your laptop. Information Systems & Technology partners with MIT Police to provide STOP tags for laptops. The tag is affixed to the device, has a unique number, and is registered with a world-wide database.

Sgt. Cheryl Vossmer of the MIT Police says that although a STOP tag is not software that can track a device via GPS or other means, it has been very effective at providing a way for lost or stolen laptops to be returned to their rightful owners.

Read laptop recovery stories here<https://www.stoptheft.com/>.

Learn more about laptop registration at MIT<http://kb.mit.edu/confluence/display/istcontrib/MIT+Police+Laptop+Tagging+and+Registration>.

--------------------------------------------------------------------
2. Data Privacy Month: Is Online Privacy Possible?
--------------------------------------------------------------------

Data Privacy Month kicked off on January 28th, a day that is historically celebrated as Data Privacy Day. To get a sense what data privacy means to regular citizens, I interviewed Jeff Schiller, a long-time security technologist at MIT.

The information Jeff shared was somewhat sobering: privacy only goes as far as the level of protection you require. In other words, it really comes down to how much you care about your privacy and the risks you’re willing or unwilling to live with. But the situation isn’t hopeless. We reviewed some steps users can take right now to protect their privacy online.

Read the article online at IS&T News<http://ist.mit.edu/news/online_privacy>.

MIT has policies around protecting personal privacy. Review them here.<http://web.mit.edu/policies/11/11.1.html>

-----------------------------------------------
3. Yahoo! User Data Compromised
-----------------------------------------------

Last week Yahoo announced<http://yahoo.tumblr.com/post/75083532312/important-security-update-for-yahoo-mail-users> that usernames and passwords were stolen, belonging to about 450,000 of its email customers. As a result, Yahoo believes attackers have been able to gather personal information on its email customer’s contacts.

Users who were affected will get a prompt to change their passwords when they log in, and Yahoo also sent out email and SMS notifications. It is probably not a bad idea for all Yahoo email customers to reset their passwords.

Yahoo believes, based on their findings, that the usernames and passwords were accessed from a third-party database compromise and have no evidence that they were obtained from Yahoo’s systems. That third-party has not been identified, but experts note that attackers are finding ways to breach their targets by cracking systems that belong to the target’s business partners.

Read the full story online<http://www.darkreading.com/privacy/yahoo-reports-breach-of-customer-databas/240165877>.

-----------------------------------------------
4. Beware Your Chrome Extensions
-----------------------------------------------

Ad vendors can buy Chrome extensions (the plug-ins that enhance the browser’s capability) to send adware and malware-filled updates, according to Ars Technica<http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/>. Ownership of a Chrome extension can be transferred to another party and users are never informed when an ownership change happens. Malware and adware vendors caught wind of this, and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.

To remove the adware, the user must disable the extension:

  *   In Chrome on a Mac, select Window > Extensions, then uncheck the box next to “Enabled.”
  *   In Chrome on Windows, select Settings > Extensions, then uncheck the box next to “Enabled.”

Read the full story online<http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/>.

--------------------------------------
5. For Fun: Cookie problem<http://www.cagle.com/2012/09/cookie-problem/>
--------------------------------------

=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================

Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

"Distrust and caution are the parents of security" - Benjamin Franklin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20140203/1a12c843/attachment.htm