[2186] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, February 1, 2010

daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Feb 1 12:17:24 2010

Message-Id: <1638FA40-97CC-4004-9679-47D5C1AE8A7D@mit.edu>
From: Monique Yeaton <myeaton@MIT.EDU>
To: ist-security-fyi@MIT.EDU
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 1 Feb 2010 12:16:17 -0500
Cc: itss@MIT.EDU
Errors-To: ist-security-fyi-bounces@MIT.EDU

In this issue:

1. Follow Up to Adobe PDF Protection

Last week's issue included an article about some of the security  
features in the Adobe Acrobat product that are meant to protect PDF  
documents containing sensitive information. In this day and age of  
data protection requirements and regulations, having a way to protect  
a single document seems like a great idea.

However, there is a catch (as there is with anything to do with  
security). I should have pointed out in last week's article that  
whenever there's a claim about a product having some incredible  
security features, there must always be some skepticism on the part of  
the user. No security tool is fail-safe, and security risks cannot be  
resolved with just one product.

Regarding the Adobe security features, namely protecting a PDF  
document from access, alteration or printing, and redacting sensitive  
data in the files, several of my readers shared with me ways a  
determined hacker can circumvent the protections Adobe put in place.

Without going into the details of how one can do this, I recommend we  
always objectively consider whether using built-in protection in a  
product gives us a false sense of security. When using security tools,  
remember there is likely a smarter person out there who can remove the  
security we put into place.

Think about an alarm system on a building. The alarm is there to deter  
thieves from breaking in, but if someone really wants to get in, an  
experienced thief can likely find a way to disable the alarm and get  
in undetected, no matter how good the security technology. However, we  
can increase the likelihood that the thief will stop trying if we  
add other features, such as a guard dog, a high, locked fence, a  
moat, and more locks on the building. This is how we must think about  
securing data as well.

Here are some quick tips on establishing good data protection:

- Use full disk encryption with a product such as PGP to encrypt all  
  documents on a computer. Documents you may not realize contain  
  sensitive data will then ALL be protected.
- Don't electronically share documents that you know should not be  
  forwarded along to others, should not be printed because of sensitive  
  data, or should not be modified. Instead, print the documents out,  
  redact the data you deem sensitive with a marker, and then send them  
  as a hard copy to the person who needs to review them.
- If you want to be extra safe when redacting, cross out the sensitive  
  numbers (social security numbers, credit card numbers, etc.) with a  
  marker, then make a copy of the document on a copier. This should  
  prevent anyone from "reading through" the marker. Or you can cut the  
  numbers out with scissors or a hole punch.
- If you have many records in an Excel file that includes sensitive  
  data and need to share the records, remove the column with the  
  sensitive data before sending it along. Many times the information  
  others need from the file is not the social security numbers or the  
  account numbers but all the other fields, which don't contain the  
  sensitive data.
- It is a good idea not to send any files containing sensitive data  
  through email. Instead, upload the file to a shared server to which  
  others can be given limited access. Remember to remove a person's  
  access if he or she no longer needs it for business reasons.
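The spreadsheet tip above, carried through in Python as an added example (not code from the newsletter or from IS&T): the sensitive columns are dropped, and every remaining cell is then scanned for SSN- and card-number-shaped values, because an identifier pasted into a free-text notes column survives the column removal and would give exactly the false sense of security the article warns about. The column names, patterns and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export (not real data): an Excel-style CSV with two
# sensitive columns and a free-text notes column that leaks an SSN.
SAMPLE_CSV = """name,department,ssn,account,notes
Ada Lovelace,Math,123-45-6789,4111111111111111,reimbursement pending
Alan Turing,CS,987-65-4321,5500000000000004,"call back re: SSN 987-65-4321"
"""

# Column names treated as sensitive (assumed; adjust to the real export).
SENSITIVE_COLUMNS = {"ssn", "account"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def strip_sensitive_columns(csv_text: str, sensitive: set) -> list:
    """Drop the named columns; return the remaining rows as dicts."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [c for c in reader.fieldnames if c.lower() not in sensitive]
    return [{c: row[c] for c in keep} for row in reader]


def find_residual_identifiers(rows: list) -> list:
    """Scan every remaining cell; return (row, column, value) for each hit."""
    hits = []
    for idx, row in enumerate(rows):
        for col, val in row.items():
            for m in SSN_RE.finditer(val):
                hits.append((idx, col, m.group()))
            for m in CARD_RE.finditer(val):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    hits.append((idx, col, m.group()))
    return hits


def prepare_for_sharing(csv_text: str, sensitive: set) -> str:
    """Strip the columns and refuse to emit the file if identifiers remain."""
    rows = strip_sensitive_columns(csv_text, sensitive)
    leaks = find_residual_identifiers(rows)
    if leaks:
        raise ValueError(f"sensitive values still present: {leaks}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Run against SAMPLE_CSV, `prepare_for_sharing` refuses the file and points at row 1, column `notes`; once that cell is cleaned, it emits a CSV with only the name, department and notes columns.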

If you need more information, you can go to <http://web.mit.edu/infoprotect/> for various resources. You can also find some tips at <http://ist.mit.edu/security/support/protect>.

An in-person information session covering what is considered sensitive  
data and how to handle this type of information at MIT can be  
requested by contacting Allison Dolan (adolan@mit.edu).

Thank you for doing your part in "providing the MIT community with  
accurate, reliable information to authorized recipients and to  
preserve vital records." (MIT Policy 13.2.2, see <http://web.mit.edu/policies/13/13.2.html>)

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi