[IS&T Security-FYI] SFYI Newsletter, November 30, 2009
Monique Yeaton
myeaton at MIT.EDU
Mon Nov 30 16:13:48 EST 2009
In this issue:
1. Flaws in Browsers
2. Preventing Data Loss on Web 2.0
--------------------------
1. Flaws in Browsers
--------------------------
Watch out when browsing! Firefox and Internet Explorer 6, 7 and 8 all
have flaws that were reported in the past week.
Firefox was found to have some poorly written extensions that could be
exploited to install malware on a victim's computer:
<http://blogs.techrepublic.com.com/security/?p=2710&tag=nl.e036>
A cross-site scripting (XSS) vulnerability can be exploited in
Internet Explorer 8 to allow attacks on web pages that are otherwise
safe:
<http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/>
Microsoft also confirmed the existence of a zero-day flaw in older
versions of Internet Explorer. Proof-of-concept exploit code for the
vulnerability has been posted on the Internet; an attack could crash
vulnerable systems or allow arbitrary code execution:
<http://www.computerworld.com/s/article/9141363/Microsoft_confirms_IE6_IE7_zero_day_bug>
----------------------------------------------
2. Preventing Data Loss on Web 2.0
----------------------------------------------
Everyone is using Web 2.0 these days. From advertising to and
communicating with your constituents via social media such as blogs,
Facebook and Twitter, to using tools such as webmail and Google for
managing your email and other documents, businesses are all using some
form of the newest Web 2.0 applications.
Sharing all this data on the World Wide Web makes communication so
much easier, but also comes with increased data risk, compliance
failure and loss of intellectual property. How can you prevent data
loss when you can't turn off social media?
What happens if, using a Web 2.0 application, a faculty member posts
the PII (personally identifiable information) of his or her students
to a public Internet site? Or what if an employee uses their Facebook
account to discuss confidential research information? Do you have any
controls over this information and any means to remediate its
exposure? Is the Institute liable?
In a Web 2.0 world, organizations want to look at how to ensure
regulatory compliance, with the focus on risk assessment and
implementing security controls that respond to the threats they face,
such as the situations described above.
Other than technical solutions, there should be policies and business
practices in place, outlining regulatory compliance for data
protection. Should employees handling sensitive data be allowed to
access social media on the same computer they use for work? Rather
than sharing files through Google Docs or other types of document
sharing websites, are there safer ways to share files containing
sensitive data? Asking and answering some of these questions could
just prevent the next big data breach.
Here are just a few examples of universities that have had their data
exposed through the Internet in the past few months:
<http://www.latimes.com/news/local/la-me-cal-poly16-2009nov16,0,503569.story>
<http://www.chaminade.edu/infosecure/>
<http://www.ktla.com/news/landing/ktla-csula-computer-breach,0,1880242.story>
<http://www.kentucky.com/latest_news/story/947409.html>
To learn more about protecting information at MIT, visit <http://web.mit.edu/infoprotect/>.
The IT Security Services team (security at mit.edu) has also been teaming
up with Allison Dolan from the Program to Protect Personally
Identifying Information to share with the community best security
practices and the newest laws and regulations for protecting sensitive
information.
If you are interested in an informational session, please contact
Monique Yeaton (myeaton at mit.edu) or Allison Dolan (adolan at mit.edu).
They will be giving several of these sessions to the public during IAP
2010 as well: <http://student.mit.edu/iap/nsis.html>
========================================================================
Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security