[IS&T Security-FYI] Newsletter, August 24, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Aug 24 09:10:43 EDT 2007


It's back! Security FYI took a summer break after the July 13th  
issue. The once-a-week issues are resuming starting this week.

In this issue:

1. IT Security Training for Staff
2. Software Security Updates in August
3. In the News: Yale Data Breach

---------------------------------------
1. IT Security Training for Staff
---------------------------------------

This summer the IT Security team launched a pilot of a new security
awareness seminar to be presented to staff at MIT. The pilot generated
an overwhelmingly positive response and interest. In all,
about 70 people attended the various sessions and we are thankful to
all who came.

The seminar is now being offered as a Quick Start. These are free,  
one-hour IS&T courses offered in the N42 Demo Center at 211 Mass Ave.  
The first two sessions will be held:

9/20/2007 @ noon
10/17/2007 @ noon

More information is posted on the Computer Training web page at
<http://web.mit.edu/ist/topics/training/index.html> and in the
July/August issue of the IS&T newsletter. We will also be bringing the
seminar on the road for those interested in having it presented to  
their team or department.

This is a very basic seminar meant for an average computer user. For  
those who are looking for more advanced security training options, we  
suggest any of the SANS, EDUCAUSE or NERCOMP sessions offered at  
their many events throughout the year. They target more professional  
IT personnel.

SANS: http://www.sans.org/
EDUCAUSE: http://www.educause.edu/
NERCOMP: http://www.nercomp.org/


-------------------------------------------------
2. Software Security Updates in August
-------------------------------------------------

Microsoft, Apple and Linux security updates were released earlier  
this month. Here is a run-down of the products that were affected.

Microsoft:

-- Windows
-- Microsoft Office, Office for Mac
-- Visual Basic
-- Internet Explorer
-- Windows Media Player
-- Windows Vista
-- Microsoft Virtual PC, Virtual Server and Virtual PC for Mac

Nine patches were released on Patch Tuesday, August 14th. Six of  
these were critical.
Learn more about Microsoft security updates:
<http://www.microsoft.com/protect/computer/updates/bulletins/200708.mspx>

Apple:

-- Security Update 2007-007, released on July 31, addressed security  
vulnerabilities in 16 components including Kerberos and iChat for  
both OS X 10.3.9 and 10.4.10.
-- iPhone 1.0

Learn more about Apple security updates:
<http://docs.info.apple.com/article.html?artnum=61798>

Linux:

-- Dovecot ACL Plugin 
-- TrollTech QT QTextEdit 
-- KDE Konqueror 
-- Fail2Ban


Learn more about Linux security updates:
<http://www.redhat.com/security/updates/>

If you manage your own computer, install updates as soon as they  
become available. If your computer is part of a managed network,  
contact your system administrator before making changes.


------------------------------------------
3. In the News: Yale Data Breach
------------------------------------------

Social Security numbers for over 10,000 current and former students,
faculty and staff were compromised, putting those individuals at risk
of identity theft, following the theft of two Yale University computers
earlier this August. As the article linked below states, "Yale is far from the
first university to have private data compromised. Of the more than  
200 major data breaches tracked by the Privacy Rights Clearinghouse  
so far this year, about 60 have occurred at educational institutions."

We are reminding everyone -- not just MIT employees -- to not leave  
unencrypted sensitive information on their computers or laptops. That  
said, while encryption may prevent exposure of stolen data, it is not  
a security panacea. For example, TJX had its data encrypted and still  
had its data retrieved due to lax encryption key management. (As an  
aside, recent news reports mention the loss for TJX due to the theft  
is over $150 million. They will likely face even greater losses due  
to litigation.)

There are many steps that can be taken to protect data before an  
organization aggressively pursues an enterprise encryption solution.  
The IS&T department at MIT has been looking at various hard drive  
encryption options and hopes that a suitable product/technology for  
MIT emerges in the not so distant future.

Current encryption options at MIT:

-- Using TSM: <http://itinfo.mit.edu/article.php?id=7444>
-- Using FileMaker Pro: <http://web.mit.edu/ist/db/fm/encrypt.html>
-- Using SecureFX (for Windows): <http://itinfo.mit.edu/article.php?id=6291>

Read more about the Yale story here:
<http://www.yaledailynews.com/articles/view/21093>

Thank you for keeping informed of Information Security issues,

Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
