[2206] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, March 1, 2010
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Mar 1 12:58:38 2010
Message-Id: <FCF7258A-4D45-4D34-BE50-2C0A595B1303@mit.edu>
From: Monique Yeaton <myeaton@MIT.EDU>
To: ist-security-fyi@MIT.EDU
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 1 Mar 2010 12:57:48 -0500
Cc: itss@MIT.EDU
Content-Type: multipart/mixed; boundary="===============1643718512=="
Errors-To: ist-security-fyi-bounces@MIT.EDU
--===============1643718512==
Content-Type: multipart/alternative; boundary=Apple-Mail-58--751223357
--Apple-Mail-58--751223357
Content-Type: text/plain;
charset=US-ASCII;
format=flowed;
delsp=yes
Content-Transfer-Encoding: 7bit
Note: I changed the way I provide links in this newsletter. If you
have trouble clicking the links to access the URLs, please let me
know. Thank you. - Monique
In this issue:
1. Microsoft Releases Updates for Exploit in IE
2. MIT's Written Information Security Program
3. FTC Cracking Down on File Sharing
4. Tip of the Week: Use Passwords They Can't Guess
-----------------------------------------------------------
1. Microsoft Releases Updates for Exploit in IE
-----------------------------------------------------------
Microsoft has released Security Bulletin MS10-002, which resolves
seven privately reported vulnerabilities and one publicly disclosed
vulnerability in Internet Explorer.
Systems affected:
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000
Service Pack 4
Microsoft Internet Explorer 6, 7, and 8 on supported editions of
Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows
7, and Windows Server 2008 R2
Last December malicious activity was detected (now known as Operation
Aurora) that targeted at least 20 organizations representing multiple
industries. Further analysis revealed these users were victims of
previous phishing scams through which threat actors successfully
gained access to their email accounts.
Through analysis of the malware used in this incident, McAfee
discovered one of the malware samples exploited a vulnerability in
Microsoft Internet Explorer (IE). The vulnerability exists as an
invalid pointer reference within IE and, if successfully exploited,
allows for remote code execution.
Read the full bulletin.
Watch a video by McAfee on Operation Aurora.
[Source: US-CERT]
----------------------------------------------------------
2. MIT's Written Information Security Program
----------------------------------------------------------
If you have attended an IAP Session on Handling Sensitive Data in the
last few years, you are likely to have heard about the data breach
notification law that went into effect in Massachusetts on October 31,
2007. Meant to protect residents from identity theft and fraud, the
law now includes rules for handling selected types of personal
information.
In response, MIT is rolling out a campus-wide Written Information
Security Program (WISP), which includes administrative, technical, and
physical safeguards for this type of data at MIT.
You can find the WISP here (pdf).
-------------------------------------------------
3. FTC Cracking Down on File Sharing
-------------------------------------------------
A recent news story in the Washington Post revealed that the Federal
Trade Commission (FTC) has uncovered widespread data breaches at
companies, schools and local governments whose members are swapping
music, software and movie files over the Internet.
It sent nearly 100 letters to organizations where information on
customers and employees, including health and financial data and
Social Security and driver's license numbers leaked through peer-to-
peer Web services. It warned that the security breaches could lead to
identity theft or fraud, and it recommended that the groups review
their policies and inform the affected individuals.
Read the full story here.
--------------------------------------------------------------------
4. Tip of the Week: Use Passwords They Can't Guess
--------------------------------------------------------------------
Students at a school in London exploited a teacher's poor password
selection to access grades and other school records. The teacher had
used his daughter's name as a password, but became suspicious when
students made reference to an excursion, which had not yet been
announced, so he changed his password to the registration number of
his car, which was parked outside the school every day. When he
received complaints from other teachers about grades being leaked, he
changed it again, this time to his postcode. The students in question
cracked this within days too.
Some password strength tips can be found on this web site.
[Source: SANS]
=
=
=
========================================================================
Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB
>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
--Apple-Mail-58--751223357
Content-Type: text/html;
charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
<html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><span class=3D"Apple-style-span" style=3D"font-family:=
Calibri; ">Note: I changed the way I provide links in this newsletter. =
If you have trouble clicking the links to access the URLs, please let me =
know. Thank you. - Monique</span></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><font =
class=3D"Apple-style-span" face=3D"Calibri"><br></font></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><span class=3D"Apple-style-span" style=3D"font-family:=
Calibri; font-size: medium; "><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">In this issue:</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">1. Microsoft Releases Updates for =
Exploit in IE</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Helvetica; ">2. MIT's Written Information Security =
Program</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Helvetica; ">3. FTC Cracking Down on File Sharing</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">4. =
Tip of the Week: Use Passwords They Can't Guess</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">-----------------------------------------------------------</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">1. =
Microsoft Releases Updates for Exploit in IE</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">-----------------------------------------------------------</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">Microsoft has released Security =
Bulletin MS10-002, which resolves seven privately reported =
vulnerabilities and one publicly disclosed vulnerability in Internet =
Explorer.</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">Systems affected:</div><div style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Helvetica; min-height: 17px; "><br></div><ul =
style=3D"list-style-type: disc; "><li style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">Microsoft Internet Explorer 6 =
Service Pack 1 on Microsoft Windows 2000 Service Pack 4</li><li =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">Microsoft Internet Explorer 6, 7, and 8 on supported editions of =
Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, =
and Windows Server 2008 R2</li></ul><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">Last December malicious activity was detected (now known as Operation =
Aurora) that targeted at least 20 organizations representing multiple =
industries. Further analysis revealed these users were victims of =
previous phishing scams through which threat actors successfully gained =
access to their email accounts.</div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">Through analysis of the malware used in this incident, McAfee =
discovered one of the malware samples exploited a vulnerability in =
Microsoft Internet Explorer (IE). The vulnerability exists as an invalid =
pointer reference within IE and, if successfully exploited, allows for =
remote code execution.</div><div style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
"><span class=3D"Apple-style-span" style=3D"font-family: Calibri; =
font-size: medium; "><a =
href=3D"http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx">=
Read the full bulletin</a>.</span></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
"><span class=3D"Apple-style-span" style=3D"font-family: Calibri; =
font-size: medium; "><a =
href=3D"http://www.mcafee.com/us/threat_center/aurora_video.html">Watch =
a video by McAfee on Operation Aurora</a>.</span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">[Source: US-CERT]</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">----------------------------------------------------------</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">2. =
MIT's Written Information Security Program</div><div style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: =
normal normal normal 14px/normal Helvetica; =
">----------------------------------------------------------</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Arial; =
min-height: 16px; "><br></div><p style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 12px; margin-left: 0px; font: normal normal normal =
14px/normal Arial; ">If you have attended an <a =
href=3D"http://student.mit.edu/iap/nsis.html"><span =
style=3D"text-decoration: underline; color: rgb(0, 31, 232); ">IAP =
Session on Handling Sensitive Data</span></a> in the last few =
years, you are likely to have heard about the data breach notification =
law that went into effect in Massachusetts on October 31, 2007. Meant to =
protect residents from identity theft and fraud, the law now includes =
rules for handling selected types of personal information.</p><p =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 12px; =
margin-left: 0px; font: normal normal normal 14px/normal Arial; ">In =
response, MIT is rolling out a campus-wide Written Information Security =
Program (WISP), which includes administrative, technical, and physical =
safeguards for this type of data at MIT. <br><a =
href=3D"http://web.mit.edu/infoprotect/docs/WISP.pdf"><span =
style=3D"text-decoration: underline; color: rgb(0, 31, 232); ">You can =
find the WISP here (pdf)</span></a>.</p><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Arial; min-height: 16px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; =
">-------------------------------------------------</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">3. =
FTC Cracking Down on File Sharing</div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; =
">-------------------------------------------------</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">A recent news story in the =
Washington Post revealed that the Federal Trade Commission (FTC) has =
uncovered widespread data breaches at companies, schools and local =
governments whose members are swapping music, software and movie files =
over the Internet. </div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">It =
sent nearly 100 letters to organizations where information on customers =
and employees, including health and financial data and Social Security =
and driver's license numbers leaked through peer-to-peer Web services. =
It warned that the security breaches could lead to identity theft or =
fraud, and it recommended that the groups review their policies and =
inform the affected individuals.</div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
"><span class=3D"Apple-style-span" style=3D"font-family: Calibri; =
font-size: medium; "><a =
href=3D"http://www.washingtonpost.com/wp-dyn/content/article/2010/02/22/AR=
2010022204889.htm">Read the full story here</a>.</span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; min-height: 17px; "><br></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">--------------------------------------------------------------------</di=
v><div style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; ">4. =
Tip of the Week: Use Passwords They Can't Guess</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
">--------------------------------------------------------------------</di=
v><div style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">Students at a school in London =
exploited a teacher's poor password selection to access grades and other =
school records. The teacher had used his daughter's name as a password, =
but became suspicious when students made reference to an excursion, =
which had not yet been announced, so he changed his password to the =
registration number of his car, which was parked outside the school =
every day. When he received complaints from other teachers about grades =
being leaked, he changed it again, this time to his postcode. The =
students in question cracked this within days too.</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; "><span class=3D"Apple-style-span" =
style=3D"font-family: Calibri; font-size: medium; "><a =
href=3D"http://ist.mit.edu/security/support/passwords">Some password =
strength tips can be found on this web site</a>.</span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
min-height: 17px; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Helvetica; ">[Source: SANS]</div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 14px/normal Helvetica; =
"><br></div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Helvetica; "><div style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Arial; "><br></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 14px/normal Arial; =
">=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D</div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
14px/normal Arial; min-height: 16px; "><br></div><div style=3D"margin-top:=
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: =
normal normal normal 14px/normal Arial; ">Find current and older issues =
of Security FYI Newsletter: <<a =
href=3D"http://kb.mit.edu/confluence/x/ehBB"><span =
style=3D"text-decoration: underline ; color: =
#2151aa">http://kb.mit.edu/confluence/x/ehBB</span></a>></div></div></s=
pan></div><br><div apple-content-edited=3D"true"><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Calibri; font-size: 14px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div><div><span class=3D"Apple-style-span" =
style=3D"font-size: medium;"><br></span><div>Monique Yeaton</div><div>IT =
Security Awareness Consultant</div><div>MIT Information Services & =
Technology (IS&T)</div><div>(617) 253-2715</div><div><a =
href=3D"http://ist.mit.edu/security">http://ist.mit.edu/security</a></div>=
<div><br></div><br></div></div><br></div></span><br =
class=3D"Apple-interchange-newline"></div><br =
class=3D"Apple-interchange-newline"> </div><br></body></html>=
--Apple-Mail-58--751223357--
--===============1643718512==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi
--===============1643718512==--
