[IS&T Security-FYI] SFYI Newsletter, December 5, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Dec 5 12:48:14 EST 2011


In this issue:

1. Printer Security Problems
2. Department of Education to Roll Out Two-Factor Authentication
3. The Price of a Stolen Identity


-----------------------------------
1. Printer Security Problems
-----------------------------------

A report has been circulating in US media recently about research done by Columbia University in which HP printers were hacked and, as a result of a firmware change, burst into flames. Hewlett-Packard refutes the possibility but does admit that risks to some HP LaserJet printers exist.

According to HP:

"While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers."

Network printer attacks are not unknown and have been around for some time. The best defense is to keep the firmware updated, disable remote update features and place printers behind firewalls.

Read more on this story here <http://www.h-online.com/security/news/item/HP-Laserjet-printer-security-problems-1387374.html> or here <http://www.scmagazineus.com/bug-allows-hp-printers-to-be-remotely-hacked-set-on-fire/article/217784/>.


----------------------------------------------------------------------------------
2. Department of Education to Roll Out Two-Factor Authentication
----------------------------------------------------------------------------------

From EDUCAUSE:

The U.S. Department of Education Federal Student Aid technology office announced this week at the 2011 Federal Student Aid Conference its plans to issue 90,000 tokens to privileged users who have access to Personally Identifiable Information on FSA systems. The privileged users will include financial aid staff at your institutions. More information is available at http://net.educause.edu/ir/library/pdf/CSD6059.pdf.

We will also feature the Department’s plans next week as part of IAM Online (http://www.incommon.org/iamonline) scheduled for Tuesday, December 6th, at 3 p.m. ET / 2 p.m. CT / Noon PT.

Please plan to join us to learn more about two-factor authentication, a pilot deployment at Duke University, and implementation details for the Federal Student Aid deployment. The Higher Education Information Security Council (HEISC) has prepared a resource on Two-Factor authentication <https://wiki.internet2.edu/confluence/display/itsg2/Two-Factor+Authentication>.

EDUCAUSE Policy and HEISC continue to work closely with the Department of Education’s Chief Information Officer, Chief Security Officer, FSA’s Chief Information Officer, and other staff to influence future technology decisions and to more closely coordinate on matters of privacy, security, and identity management.


----------------------------------------
3. The Price of a Stolen Identity
----------------------------------------

We talk a lot about cyber threats, security, information protection, etc. But what exactly are we talking about protecting in the end? If you look at the bigger picture, the one thing all these tools, procedures and policies are there to protect is your identity.

Once your identity is taken, someone else can commit fraud in your name, by accessing information only you are authorized to access. This is what information security is all about. A thief tries to get into your credit card account, bank account or other accounts attached to financial information and make off with your money. In essence, the thieves are rooting around in your wallet, only now they can do it on the Internet.

This infographic <http://www.techrepublic.com/blog/security/infographic-the-price-of-a-stolen-identity/6957> shows how much money is involved in the industry of online identity theft and has some suggestions for remediation if you find that you or your organization have become victims of identity fraud.

===================================================================================
Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
===================================================================================

Monique Yeaton
IT Security Communications Consultant
Information Services & Technology, MIT
http://ist.mit.edu/security