<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">In this issue:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">1. Flaws in Browsers</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">2. Preventing Data Loss on Web 2.0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">--------------------------</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">1. Flaws in Browsers</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">--------------------------</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Watch out when browsing! Firefox and Internet Explorer 6, 7 and 8 all have flaws that were reported in the past week.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Firefox was found to have some poorly written extensions that could be exploited to install malware on a victim's computer:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://blogs.techrepublic.com.com/security/?p=2710&tag=nl.e036">http://blogs.techrepublic.com.com/security/?p=2710&tag=nl.e036</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">A cross-site scripting (XSS) vulnerability can be exploited in Internet Explorer 8 to allow attacks on web pages that are otherwise safe:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/">http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Microsoft also confirmed the existence of a zero-day flaw in older versions of Internet Explorer. Proof-of-concept exploit code for the vulnerability has been posted on the Internet; an attack could crash vulnerable systems or allow arbitrary code execution:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://www.computerworld.com/s/article/9141363/Microsoft_confirms_IE6_IE7_zero_day_bug">http://www.computerworld.com/s/article/9141363/Microsoft_confirms_IE6_IE7_zero_day_bug</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">----------------------------------------------</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">2. Preventing Data Loss on Web 2.0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">----------------------------------------------</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Everyone is using Web 2.0 these days. From advertising to and communicating with your constituents via social media such as blogs, Facebook and Twitter, to using tools such as webmail and Google for managing your email and other documents, businesses are all using some form of the newest Web 2.0 applications. </div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Sharing all this data on the World Wide Web makes communication so much easier, but also comes with increased data risk, compliance failure and loss of intellectual property. How can you prevent data loss when you can't turn off social media?</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">What happens if, using a Web 2.0 application, a faculty member posts the PII (personally identifiable information) of his or her students to a public Internet site? Or what if an employee uses their Facebook account to discuss confidential research information? Do you have any controls over this information and any means to remediate its exposure? Is the Institute liable?</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">In a Web 2.0 world, organizations want to look at how to ensure regulatory compliance, with the focus on risk assessment and implementing security controls that respond to the threats they face, such as the situations described above. </div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Other than technical solutions, there should be policies and business practices in place, outlining regulatory compliance for data protection. Should employees handling sensitive data be allowed to access social media on the same computer they use for work? Rather than sharing files through Google Docs or other types of document sharing websites, are there safer ways to share files containing sensitive data? Asking and answering some of these questions could just prevent the next big data breach.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">Here are just a few examples of universities who have had their data exposed through the Internet in the past few months:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://www.latimes.com/news/local/la-me-cal-poly16-2009nov16,0,503569.story">http://www.latimes.com/news/local/la-me-cal-poly16-2009nov16,0,503569.story</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://www.chaminade.edu/infosecure/">http://www.chaminade.edu/infosecure/</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://www.ktla.com/news/landing/ktla-csula-computer-breach,0,1880242.story">http://www.ktla.com/news/landing/ktla-csula-computer-breach,0,1880242.story</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; "><<a href="http://www.kentucky.com/latest_news/story/947409.html">http://www.kentucky.com/latest_news/story/947409.html</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">To learn more about protecting information at MIT, visit <<a href="http://web.mit.edu/infoprotect/">http://web.mit.edu/infoprotect/</a>>. </div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; "><span style="font: 14.0px Helvetica">The IT Security Services team (<a href="mailto:security@mit.edu">security@mit.edu</a>) has also been teaming up with Allison Dolan from the </span>Program to Protect Personally Identifying Information to share with the community best security practices and the newest laws and regulations for protecting sensitive information. </div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; min-height: 16px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; ">If you are interested in an informational session, please contact Monique Yeaton (myeaton@mit.edu) or Allison Dolan (adolan@mit.edu). They will be giving several of these sessions to the public during IAP 2010 as well: <<a href="http://student.mit.edu/iap/nsis.html">http://student.mit.edu/iap/nsis.html</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; ">===========================================================================</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; min-height: 16px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; ">Find current and older issues of Security FYI Newsletter: <<a href="http://kb.mit.edu/confluence/x/ehBB"><span style="text-decoration: underline ; color: #2151aa">http://kb.mit.edu/confluence/x/ehBB</span></a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Arial; min-height: 16px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Calibri; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Calibri; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><span class="Apple-style-span" style="font-size: medium;"><br></span><div>Monique Yeaton</div><div>IT Security Awareness Consultant</div><div>MIT Information Services & Technology (IS&T)</div><div>(617) 253-2715</div><div><a href="http://ist.mit.edu/security">http://ist.mit.edu/security</a></div><div><br></div><br></div></div><br></div></span><br class="Apple-interchange-newline"></div></span><br class="Apple-interchange-newline"> </div><br></body></html>