[10211] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, February 3, 2014
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon Feb 3 15:54:32 2014
Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 3 Feb 2014 20:53:12 +0000
In this issue:
1. Laptop Tagging and Registration on 2/5/14
2. Data Privacy Month: Is Online Privacy Possible?
3. Yahoo! User Data Compromised
4. Beware Your Chrome Extensions
5. For Fun: Cookie Problem
-------------------------------------------------------------
1. Laptop Tagging and Registration on 2/5/14
-------------------------------------------------------------
This Wednesday, there is an opportunity to register and tag your laptop:
Where: Stata Student Street (Bldg. 32, Ground level)
When: Wed., February 5, 11:00 am - 12:30 pm
Cost: $10 cash (no cards) or MIT Cash Object
Just as you might register a bike with the police, you can also register your laptop. Information Systems & Technology partners with MIT Police to provide STOP tags for laptops. The tag is affixed to the device, has a unique number, and is registered with a world-wide database.
Sgt. Cheryl Vossmer of the MIT Police says that although a STOP tag is not software that can track a device via GPS or other means, it has been very effective at providing a way for lost or stolen laptops to be returned to their rightful owners.
Read laptop recovery stories here<https://www.stoptheft.com/>.
Learn more about laptop registration at MIT<http://kb.mit.edu/confluence/display/istcontrib/MIT+Police+Laptop+Tagging+and+Registration>.
--------------------------------------------------------------------
2. Data Privacy Month: Is Online Privacy Possible?
--------------------------------------------------------------------
Data Privacy Month kicked off on January 28th, a day that is historically celebrated as Data Privacy Day. To get a sense of what data privacy means to regular citizens, I interviewed Jeff Schiller, a long-time security technologist at MIT.
The information Jeff shared was somewhat sobering: privacy only goes as far as the level of protection you require. In other words, it really comes down to how much you care about your privacy and the risks you’re willing or unwilling to live with. But the situation isn’t hopeless. We reviewed some steps users can take right now to protect their privacy online.
Read the article online at IS&T News<http://ist.mit.edu/news/online_privacy>.
MIT has policies around protecting personal privacy. Review them here.<http://web.mit.edu/policies/11/11.1.html>
-----------------------------------------------
3. Yahoo! User Data Compromised
-----------------------------------------------
Last week Yahoo announced<http://yahoo.tumblr.com/post/75083532312/important-security-update-for-yahoo-mail-users> that usernames and passwords belonging to about 450,000 of its email customers were stolen. As a result, Yahoo believes attackers have been able to gather personal information on its email customers’ contacts.
Users who were affected will get a prompt to change their passwords when they log in, and Yahoo also sent out email and SMS notifications. It is probably not a bad idea for all Yahoo email customers to reset their passwords.
Yahoo believes, based on its findings, that the usernames and passwords were accessed from a third-party database compromise, and it has no evidence that they were obtained from Yahoo’s systems. That third party has not been identified, but experts note that attackers are finding ways to breach their targets by cracking systems that belong to the target’s business partners.
Read the full story online<http://www.darkreading.com/privacy/yahoo-reports-breach-of-customer-databas/240165877>.
-----------------------------------------------
4. Beware Your Chrome Extensions
-----------------------------------------------
Ad vendors can buy Chrome extensions (the plug-ins that enhance the browser’s capability) to send adware- and malware-filled updates, according to Ars Technica<http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/>. Ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors caught wind of this, and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.
To remove the adware, the user must disable the extension:
* In Chrome on a Mac, select Window > Extensions, then uncheck the box next to “Enabled.”
* In Chrome on Windows, select Settings > Extensions, then uncheck the box next to “Enabled.”
Read the full story online<http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/>.
--------------------------------------
5. For Fun: Cookie problem<http://www.cagle.com/2012/09/cookie-problem/>
--------------------------------------
=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================
Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
"Distrust and caution are the parents of security" - Benjamin Franklin