[IS&T Security-FYI] SFYI Newsletter, June 21, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Jun 21 11:20:11 EDT 2010


In this issue:

1. Mac OS X Update 10.6.4 (2010-004) Released
2. Stolen Gaming Credentials Uncovered
3. Printers, Copiers and Fax Machines, Oh My!


---------------------------------------------------------------
1. Mac OS X Update 10.6.4 (2010-004) Released
---------------------------------------------------------------

On Tuesday, June 15, Apple released a security update for Mac OS X to address 28 vulnerabilities. The update fixes flaws in 17 of the operating system's components, including iChat and Flash Player.

Although the security update addresses a pair of flaws in Flash, the version of Flash included with the update is not the most recent and safest one (Adobe released Flash version 10.1 last week). Mac users should check to see which version of Flash they have on their computers. The security update does not appear to downgrade users who had already updated to Flash 10.1.

About the content of Security Update 2010-004:
<http://support.apple.com/kb/HT4188>

By default, users will automatically receive the security update through Software Update. But it can also be downloaded from the Apple site here:
<http://support.apple.com/downloads/>


----------------------------------------------------
2. Stolen Gaming Credentials Uncovered
----------------------------------------------------

Do you play games online? If you do, you may want to change your login credentials. Symantec has unearthed a server hosting the credentials of 44 million stolen gaming accounts. As described in a blog post by Symantec, the database has accounts for at least 18 gaming sites, including World of Warcraft, Aion, PlayNC and Wayi Entertainment. The value of stolen gaming credentials can range from $35 to several thousand dollars.

The accounts are being validated by a Trojan (a type of malicious software) known as Trojan.Loginck and distributed to compromised computers. Symantec recommends that users of these gaming sites change their passwords and, as always, keep their virus definitions up to date in order to ensure protection against new threats.

Read the Symantec blog post:
<http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered>


------------------------------------------------------------
3. Printers, Copiers and Fax Machines, Oh My!
------------------------------------------------------------

If you watched the CBS News report last month on the data security risks of office copiers, you may be a bit concerned about the security of the data on copiers here at MIT. The CBS video states that "nearly every digital copier built since 2002 contains one of these, a hard drive. Like the one in your personal computer, it stores an image of every document scanned, copied or emailed by the machine."

It is important to note that this problem is not unique to copiers. Any device that contains flash memory or a hard drive can store documents electronically, so printers, scanners, fax machines and multi-function devices are potentially just as capable of storing sensitive data.

What can be done? For owned copiers and other similar devices, the information in the CBS News report makes it clear that a determination should be made about what to do with the drive at end of life. The drive can either be wiped clean or removed and destroyed before the device is sold or recycled.

For leased copiers/printers/scanners/fax machines, administrators who work with the vendors should review contracts and lease agreements to ensure they include language that makes it clear no data remains on those drives after the lease expires. 

Note: Some devices do not retain data by default, so it's important to know the default settings of the devices being used.

Watch the report: <http://www.youtube.com/watch?v=y01xLquSIrc>

Educause has collected guidelines and resources addressing security concerns for copiers or multi-function devices here:
<https://wiki.internet2.edu/confluence/display/itsg2/Copier+and+MFD+Security>

I also found this article by Michael Kassner of TechRepublic.com, which has tips for securing data on some copiers:
<http://blogs.techrepublic.com.com/security/?p=3841>


===========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





