[IS&T Security-FYI] SFYI Newsletter, December 19, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Dec 19 15:18:15 EST 2008


In this issue:

1. Patch Released for IE 7 Flaw
2. Apple Security Updates
3. Q&A About MIT's Wireless Network


----------------------------------------
1. Patch Released for IE 7 Flaw
----------------------------------------

On December 17, Microsoft released a critical security patch outside  
of the normal monthly patch cycle. This patch addresses a user based  
vulnerability in Internet Explorer, which was found on December 10.  
This patch has been approved for deployment on MIT WAUS.

It is recommended that Internet Explorer 7 users who are not  
subscribed to MIT WAUS -- especially those running Windows XP --  
download the patch or allow the Microsoft automatic update to run.

More details about the patch can be found here:
<http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>


---------------------------------
2. Apple Security Updates
---------------------------------

Apple released Security Update 2008-008 and Mac OS X version 10.5.6 on  
December 15, to correct multiple vulnerabilities.

Software affected:

  * Apple Mac OS X versions prior to and including 10.4.11 (Tiger) and 10.5.5 (Leopard)
  * Apple Mac OS X Server versions prior to and including 10.4.11 (Tiger) and 10.5.5 (Leopard)

Attackers could exploit these vulnerabilities to execute arbitrary  
code, gain access to sensitive information, or cause a denial of  
service. It is recommended to install Apple Security Update 2008-008  
or Apple Mac OS X version 10.5.6. These and other updates are  
available via Software Update or via Apple Downloads.

More details about the patch can be found here:
<https://support.apple.com/kb/HT3338>


------------------------------------------------
3. Q&A About MIT's Wireless Network
------------------------------------------------

Q: I understand that MIT's wireless network is "unsecured," i.e. it is
neither WEP nor WPA protected. What are the security risks
associated with this for me? (I have Firewall, VirusScan, etc. on all
my computers, I use ssh to connect to my athena terminals, etc.)

A: In its current state, the wireless infrastructure here at MIT does
not support any client-to-Access Point encryption or authentication.
The biggest impact this has is that any information your machine
transmits to the access point (and on to other computers) can
potentially be seen by others, if they are looking, and if the data
isn't encrypted by the application(s) that you are using.

Your data would be vulnerable in this scenario if an attack based on
interception of data over the wireless network were launched. For
instance, Gmail's login process is SSL-based; however, unless you
specifically enable it in preferences, the rest of your email session is
sent over the network in a form that others can read (also called "in
the clear"). If someone were capturing data in transit while you were
checking email, they would be able to read any emails that you read.

MIT's email client infrastructure (IMAP and Webmail) does *not*
transmit data "in the clear," and the standard configurations use
encryption. So what is encryption? It is what it sounds like: encoding
messages so that they are gibberish to anyone listening in on or
watching data traffic.

As Hal Abelson wrote back in 1997, "Without encryption, all network  
transactions are essentially public. Email has the approximate privacy  
of a postcard. Passwords, credit card numbers, and personal  
information transmitted in the clear over the network may as well be  
published in the newspaper. If the Internet is to be a suitable  
vehicle for communications and commerce, then much of the information  
that flows on it must be encrypted."

It's in your best interest to use encryption wherever possible (in
each individual application that you use), or to set up other measures
that ensure all of your network traffic is encrypted. The campus
Virtual Private Network, or VPN, is available to do exactly that.
More information on using MIT's VPN is available here:
<http://web.mit.edu/ist/topics/network/remoteaccess.html>
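To make the "in the clear" distinction concrete, here is a small audit script written for this note (not IS&T code). It takes the first bytes of constructed sample sessions, decides whether each starts with an SSL/TLS record or a recognisable cleartext protocol, and reports which ones anyone on an open WLAN could read; the host names and payloads are made up.

```python
import re
from typing import List, Optional, Tuple

# Byte patterns of cleartext application protocols that anyone capturing
# traffic on an unencrypted WLAN could read directly. Deliberately narrow.
CLEARTEXT_PATTERNS = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "imap": re.compile(rb"^[A-Za-z0-9]+ (LOGIN|AUTHENTICATE|SELECT|FETCH|LIST)\b", re.I),
}

def is_tls_record(payload: bytes) -> bool:
    """SSLv3/TLS record header: type 20-23, version 3.0-3.3, 16-bit length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return 20 <= ctype <= 23 and major == 3 and minor <= 3 and 0 < length <= 18432

def classify_payload(payload: bytes) -> Tuple[str, Optional[str]]:
    """Return ("encrypted", None), ("cleartext", proto) or ("unknown", None)."""
    if is_tls_record(payload):
        return "encrypted", None
    for proto, pattern in CLEARTEXT_PATTERNS.items():
        if pattern.match(payload):
            return "cleartext", proto
    return "unknown", None  # e.g. SSLv2-style hellos: unverified, not "safe"

def audit_flows(flows: List[Tuple[str, bytes]]) -> List[dict]:
    """Label each (description, first payload bytes) flow for an open WLAN."""
    advice = {
        "encrypted": "protected by the application (SSL/TLS)",
        "cleartext": "readable by anyone capturing traffic; use TLS or the VPN",
        "unknown": "not recognised; confirm the application encrypts, or use the VPN",
    }
    report = []
    for desc, payload in flows:
        status, proto = classify_payload(payload)
        report.append({"flow": desc, "status": status, "proto": proto, "advice": advice[status]})
    return report

# Constructed sample payloads (not real captures); the TLS ones are a record
# header followed by opaque filler bytes.
SAMPLE_FLOWS = [
    ("webmail session after an SSL login, continuing over plain HTTP",
     b"GET /mail/?ui=2 HTTP/1.1\r\nHost: webmail.example.edu\r\nCookie: SID=abc123\r\n\r\n"),
    ("same webmail with 'always use https' enabled", b"\x17\x03\x01\x00\x08" + bytes(8)),
    ("IMAP client logging in without TLS", b"a001 LOGIN alice hunter2\r\n"),
    ("IMAP client over TLS (port 993)", b"\x16\x03\x01\x00\x2c" + bytes(44)),
]
```

Calling `audit_flows(SAMPLE_FLOWS)` marks the plain-HTTP webmail session and the plain IMAP login as cleartext and the two TLS sessions as encrypted, which is exactly the difference between the Gmail case above and MIT's default IMAP configuration.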

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
