
[IS&T Security-FYI] SFYI Newsletter, December 5, 2011

daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Dec 5 12:49:13 2011

From: Monique Yeaton <myeaton@mit.edu>
To: "ist-security-fyi@mit.edu" <ist-security-fyi@mit.edu>
Date: Mon, 5 Dec 2011 17:48:14 +0000
Cc: "itss@mit.edu" <itss@mit.edu>

In this issue:

1. Printer Security Problems
2. Department of Education to Roll Out Two-Factor Authentication
3. The Price of a Stolen Identity


-----------------------------------
1. Printer Security Problems
-----------------------------------

A report has been going around in US media recently about research done by Columbia University in which HP printers were hacked and, as a result of a firmware change, burst into flames. Hewlett-Packard refutes the possibility but does admit that risks to some HP LaserJet printers exist.

According to HP:

"While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers."

Network printer attacks are not unknown and have been around for some time. The best defense is to keep the firmware updated, disable remote update features and place printers behind firewalls.
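The defensive policy above (printers behind a firewall, reachable only from the print server) can be checked against firewall logs. The following is an added example, not code from the newsletter, MIT or HP: it parses constructed netfilter-style ACCEPT lines and flags TCP connections to printer ports (9100, 515, 631) whose source is not on the permitted print-server subnet, rating non-RFC 1918 sources as high severity because they indicate the "public internet without a firewall" case HP describes. The log format, addresses, subnets and policy values are assumptions.

```python
"""Check firewall logs for printer traffic that violates the policy
'printers behind a firewall, reachable only from the print server'.

Added example for this newsletter item; not code from the newsletter, MIT
or HP.  The log format, addresses, subnets and policy values are constructed
assumptions for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard printing ports.  The raw port also carries PJL/PCL job streams,
# which is the print channel HP's statement refers to.
PRINTER_PORTS = {9100: "raw/JetDirect", 515: "LPD", 631: "IPP"}

# Assumed policy: printers live in 10.1.20.0/24 and only hosts on the print
# server subnet 10.1.10.0/24 may connect to their printing ports.
PRINTER_NET = ipaddress.ip_network("10.1.20.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.1.10.0/24")]

# RFC 1918 ranges listed explicitly.  ipaddress's is_private() would not do
# here: it also counts documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Netfilter-style ACCEPT line; extra fields between the keys are tolerated.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    service: str
    severity: str  # "high": non-RFC1918 source (internet exposure); "medium": wrong internal subnet


def severity_for(src) -> Optional[str]:
    """None when the source is permitted by policy, otherwise a severity."""
    if any(src in net for net in ALLOWED_SOURCES):
        return None
    return "medium" if any(src in net for net in RFC1918) else "high"


def parse_line(line: str):
    """Return (src, dst, dport) for a TCP log line, or None if it does not apply."""
    m = LOG_RE.search(line)
    if m is None or m["proto"].upper() != "TCP":
        return None
    try:
        return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dpt"])
    except ValueError:  # malformed address: skip rather than abort the whole scan
        return None


def find_printer_exposure(lines) -> List[Finding]:
    """Return one Finding per accepted TCP connection to a printer port from a disallowed source."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dst not in PRINTER_NET or dport not in PRINTER_PORTS:
            continue
        sev = severity_for(src)
        if sev is not None:
            findings.append(Finding(str(src), str(dst), dport, PRINTER_PORTS[dport], sev))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Dec  5 12:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=10.1.10.5 DST=10.1.20.15 LEN=60 PROTO=TCP SPT=40001 DPT=9100",    # print server: allowed
    "Dec  5 12:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=10.1.30.77 DST=10.1.20.15 LEN=60 PROTO=TCP SPT=40002 DPT=9100",   # workstation subnet: medium
    "Dec  5 12:01:09 fw kernel: ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.1.20.15 LEN=60 PROTO=TCP SPT=40003 DPT=9100",  # internet source: high
    "Dec  5 12:01:12 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=10.1.30.77 DST=10.1.20.15 LEN=80 PROTO=UDP SPT=161 DPT=161",      # SNMP, not a print port
    "Dec  5 12:01:15 fw kernel: ACCEPT IN=eth1 OUT=eth3 SRC=10.1.30.77 DST=10.1.5.9 LEN=60 PROTO=TCP SPT=40004 DPT=631",      # destination is not a printer
    "Dec  5 12:01:20 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.168.50.2 DST=10.1.20.16 LEN=60 PROTO=TCP SPT=40005 DPT=515",  # other internal subnet: medium
]

if __name__ == "__main__":
    for f in find_printer_exposure(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.port} ({f.service})")
```

Run against the constructed sample it reports the workstation and the 192.168.50.2 host as medium and the 203.0.113.7 connection as high; a high finding means a printer port is reachable from outside the private network, which is exactly the situation the firewall placement is meant to prevent. Adapting it to a real deployment means replacing the subnets and the log regex with your own, and feeding it the firewall's accept log rather than the sample list.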

Read more on this story here <http://www.h-online.com/security/news/item/HP-Laserjet-printer-security-problems-1387374.html> or here <http://www.scmagazineus.com/bug-allows-hp-printers-to-be-remotely-hacked-set-on-fire/article/217784/>.


----------------------------------------------------------------------------------
2. Department of Education to Roll Out Two-Factor Authentication
----------------------------------------------------------------------------------

From EDUCAUSE:

The U.S. Department of Education Federal Student Aid technology office announced this week at the 2011 Federal Student Aid Conference its plans to issue 90,000 tokens to privileged users who have access to Personally Identifiable Information on FSA systems. The privileged users will include financial aid staff at your institutions. More information is available at http://net.educause.edu/ir/library/pdf/CSD6059.pdf.

We will also feature the Department's plans next week as part of IAM Online (www.incommon.org/iamonline <http://www.incommon.org/iamonline>) scheduled for Tuesday, December 6th, at 3 p.m. ET / 2 p.m. CT / Noon PT.

Please plan to join us to learn more about two-factor authentication, a pilot deployment at Duke University, and implementation details for the Federal Student Aid deployment. The Higher Education Information Security Council (HEISC) has prepared a resource on Two-Factor authentication <https://wiki.internet2.edu/confluence/display/itsg2/Two-Factor+Authentication>.

EDUCAUSE Policy and HEISC continue to work closely with the Department of Education's Chief Information Officer, Chief Security Officer, FSA's Chief Information Officer, and other staff to influence future technology decisions and to more closely coordinate on matters of privacy, security, and identity management.


----------------------------------------
3. The Price of a Stolen Identity
----------------------------------------

We talk a lot about cyber threats, security, information protection and so on, but what exactly are we protecting in the end? If you look at the bigger picture, the one thing all these tools, procedures and policies are there to protect is your identity.

Once your identity is taken, someone else can commit fraud in your name by accessing information only you are authorized to access. This is what information security is all about. A thief tries to get into your credit card account, bank account or other accounts attached to financial information and make off with your money. In essence, the thieves are rooting around in your wallet, only now they can do it on the Internet.

This infographic <http://www.techrepublic.com/blog/security/infographic-the-price-of-a-stolen-identity/6957> shows how much money is involved in the online identity theft industry and has some suggestions for remediation if you find that you or your organization have become victims of identity fraud.

=========================================================================================
Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=========================================================================================

Monique Yeaton
IT Security Communications Consultant
Information Services & Technology, MIT
http://ist.mit.edu/security

