<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px">The newsletter author took last month off from writing Security-FYI issues, but she's back, so keep an eye out for these weekly security updates in 2011.</p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">In this issue:</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">1. IAP Session on Protecting Personal Information</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">2. McAfee Vulnerable to Metasploit Attack</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">3. Word 2004 for Windows Still Vulnerable</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">4. Security (or Lack Thereof) of New Gadgets</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">---------------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">1. IAP Session on Protecting Personal Information</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">---------------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Tim McGovern and Monique Yeaton of the IT Security team will be hosting an IAP session on Protecting Personal Information at MIT. This is an update to the 2010 IAP session on Handling Sensitive Data. </p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">We will discuss:</p>
<ul style="list-style-type: disc">
<li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">What MIT has been doing over the last year to help reduce MIT's risk of a serious data breach involving personal information.</li>
<li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">What each of us needs to do in our own offices, and on our computers, to minimize the collection of, and to protect, sensitive data needed for our business activities.</li>
</ul>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">There will be an opportunity to ask questions and participate in the discussion. This is a mostly non-technical session, although we will talk about technology tools that can help in this effort. We hope to see you there!</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">For full information: <http://student.mit.edu/searchiap/iap-a709.html></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">-----------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">2. McAfee Vulnerable to Metasploit Attack</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">-----------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 12.0px 0.0px; font: 14.0px Arial">McAfee is aware of a publicly disclosed attack that could disable VirusScan Enterprise (VSE) running on a customer’s machine. This attack is not a stand-alone attack, but acts as a payload to be chained via another attack.</p>
<p style="margin: 0.0px 0.0px 12.0px 0.0px; font: 14.0px Arial">Affected software:</p>
<ul style="list-style-type: disc">
<li style="margin: 0.0px 0.0px 12.0px 0.0px; font: 14.0px Arial">VirusScan Enterprise 8.7 and earlier (Windows only)</li>
</ul>
<p style="margin: 0.0px 0.0px 12.0px 0.0px; font: 14.0px Arial">If the attack is successful, it disables both VSE and the connection to ePO. It would leave the McAfee Shield visible, so it may not be immediately apparent that antivirus protection has been disabled. In addition to the immediate disabling of VSE, the attack changes settings for VSE, resulting in diminished capacity for scanning going forward.</p>
<p style="margin: 0.0px 0.0px 12.0px 0.0px; font: 14.0px Arial">McAfee has already developed a strategy that would prevent this from happening in the upcoming VSE 8.8 release. They have released a DAT file (6209) that detects the Metasploit plugin used to run this attack. It is recommended that users update their McAfee software to receive the latest DAT file.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Read the full bulletin: <https://kc.mcafee.com/corporate/index?page=content&id=SB10014&actp=LIST_RECENT></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">-----------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">3. Word 2004 for Windows Still Vulnerable</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">-----------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Microsoft communicated a warning about active attacks on Windows machines, exploiting a vulnerability in Microsoft Word. The exploit involves using an RTF (rich text format) file to create a stack overflow in Word running on Windows. The vulnerability was patched in Microsoft Word 2002, 2003, 2007 and 2010 in last November's batch of updates (Security Bulletin MS10-087); the flaw has also been fixed in Word 2008 and 2011, but Word 2004 is still vulnerable. Users who have not downloaded the November patch are urged to do so as soon as possible at http://update.microsoft.com or by using Microsoft Update or Windows Server Update Services (WSUS).</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Read the full story here: <http://www.computerworld.com/s/article/9202819/Microsoft_warns_of_Word_attacks></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">----------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">4. Security (or Lack Thereof) of New Gadgets</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">----------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">New gadgets designed to connect to the Internet, such as smartphones and certain HDTVs, are not always being designed with security in mind. Hackers are shifting their focus to these devices as they become more ubiquitous. As mobile device applications are intended for a single user, there is little to no authentication and authorization built in. Critical security functions such as data encryption and auditing are almost always missing. Protecting the devices from attacks will also require new approaches. A few important steps you can take are:</p>
<ol style="list-style-type: decimal">
<li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">turn off Bluetooth and other services that are not needed,</li>
<li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">always run some form of security, such as encryption, on your wireless network,</li>
<li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">put any web-enabled devices behind a firewall.</li>
</ol>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Read the full story here: <http://www.nytimes.com/2010/12/27/technology/27hack.html></p></div><div><br></div><div><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">===========================================================================================</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">To read all current and archived articles online, visit the Security-FYI Blog at <<a href="http://securityfyi.wordpress.com/"><span style="text-decoration: underline ; color: #3369b5">http://securityfyi.wordpress.com/</span></a>></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><br></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><br></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><br></p></div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-family: Helvetica; font-size: 12px; "><div style="font-size: 12px; ">Monique Yeaton</div><div style="font-size: 12px; ">IT Security Awareness Consultant</div><div style="font-size: 12px; ">MIT Information Services & Technology (IS&T)</div><div style="font-size: 12px; ">(617) 253-2715</div><div style="font-size: 12px; ">http://ist.mit.edu/security</div></div></div></div></div></body></html>