Tis the season for… cyber threats: How to stay safe online

While a bit late for Christmas, this article offers tips for shoppers to stay safe online… any time of the year.

The Monday after Thanksgiving is known as “Cyber Monday” – traditionally one of the busiest online shopping days of the year. In fact, The National Retail Federation (NRF) reports 42 percent of Americans plan to shop online this season.

Unfortunately, just as shoppers hit the Internet to search for deals, cybercriminals are trolling the Web for their next victim. According to the Identity Theft Resource Center (ITRC), November and December are the months when the majority of online identity theft problems occur. And according to Webroot, an antivirus and antispyware software company, the number of malicious shopping Web sites launched increases significantly between October and December.

Practice safe online techniques this holiday season. Protect your personal information and make the most of your cyber shopping experience with these online safety tips offered by the financial educators at Money Management International (MMI):

  • Think before you click. Never click links to unfamiliar Web sites. If you use a search engine to find gifts, treat every result with caution – especially the ones promising a link to an unbelievable deal.
  • Install security software. At a minimum, protect your PC with up-to-date security software and antivirus protection.
  • Know the retailer. If you are unfamiliar with the retailer you want to purchase from, look for more information about the company by contacting the Better Business Bureau.
  • Use a credit card, not a debit card. If you are a victim of fraud or cybercrime, most credit card agreements limit your liability for the charges.
  • Monitor your credit report. It is important to monitor your credit report on a regular basis to quickly spot anything unusual or suspicious. Visit annualcreditreport.com for one free annual credit report from each of the three bureaus.
  • Keep your password safe. Never reveal your password to anyone. When selecting a password, do not use commonly known information, such as your birth date or driver’s license number. The best passwords are hard to guess and have at least eight characters and include numbers and letters.
  • Finally, only make purchases from secure Web sites. The easiest way to tell if a site is secure is to look at the web address on the page where you’re entering your credit card information. Secure Web site addresses start with “https:” instead of “http:”.

For more tips on how to stay safe while shopping online, visit the FTC’s “Fight Back Against Identity Theft” Web site.

[Article was written by Money Management International (MMI)]


The P2P Controversy

There has been some discussion within the government recently about the risks of peer-to-peer (P2P) file sharing to data security.

In November, bill HR 4098, the Secure Federal File Sharing Act, was introduced in Congress to ban P2P file sharing on US government and government contractor computers. Sensitive Defense Department documents were lost through P2P networks earlier this year, likely prompting the proposal of this bill.

In higher education the use of P2P software produces a different reaction than the one mentioned above. As a file sharing tool it has great potential for playing a positive role in fulfilling the institutional missions of teaching, research, and the dissemination of knowledge. However, as we know, it is typically used for illegally sharing copyright protected music, movies and software.

The bigger issue that Congress is considering, namely ensuring that sensitive data and personally identifiable information are protected against leakage via file-sharing networks, also applies to universities. Is there any reason why computers containing sensitive data should have such a potentially dangerous application installed on them?

Since P2P networks are transfer tools, they are vulnerable to exposure of data and the distribution of malware. Hackers can attack these networks by changing legitimate files through the installation of malware, implanting malware into shared directories, exploiting vulnerabilities in the coding protocol of the network, and creating denial of service and spamming attacks that attempt to harass the users of the P2P network.

MIT does not put limits on the use of P2P programs. However, as a result of the 2008 Higher Education Opportunity Act (HEOA), regulations were issued and finalized by the Department of Education in October 2009, with several of these regulations addressing unauthorized file sharing (and the use of P2P programs) on campus networks.

We may therefore see some changes when enforcement goes into effect in July 2010. Changes could include possible restrictions to file sharing networks, alternatives to illegal downloading, and disclosure to students describing file sharing and campus policies related to copyright law.

Risks of illegal downloading hit home quite recently. In November a Boston University student was ordered to pay $675,000 in damages for illegally downloading songs and sharing them online.

More information can be found here:

Adobe Issues

Updates Crashing Your Browser or System?

Last week I announced the release of security updates for Adobe Flash Player and AIR. A reader of this newsletter mentioned that when trying to download updates from the Adobe site his computer crashes. It is unclear why this is happening. It may be a problem with Adobe’s compatibility with the Internet Explorer browser or Windows XP.

If you have the same experience, hold off on upgrading until this bug is fixed. In the meantime, you may want to notify Adobe via their contact page.

New Flaw Found in Reader and Acrobat

There is a recently disclosed critical vulnerability in Adobe Reader and Adobe Acrobat. The flaw is being actively exploited through maliciously crafted PDF files to crash vulnerable systems or execute code.

Adobe plans to release patches for the vulnerability by January 12, 2010. The flaw affects Adobe Reader 9.2 and earlier for Windows, Mac and Unix and Acrobat 9.2 and earlier for Windows and Mac. Adobe recommends that, if feasible, users disable JavaScript in both programs until a fix is available.

Read the full story here.

Adobe Security Updates

Systems affected:

* Adobe Flash Player and earlier versions
* Adobe AIR 1.5.2 and earlier versions

Adobe has released Security Bulletin APSB09-19, which describes vulnerabilities affecting Adobe Flash Player and Adobe AIR. An attacker could exploit these vulnerabilities by convincing a user to visit a website that hosts a specially crafted SWF file.

The Adobe Flash browser plugin is available for multiple web browsers and operating systems, any of which could be affected.

Users are encouraged to update Flash Player and earlier versions as well as Adobe AIR 1.5.2 and earlier versions to the latest version.

Flash Player latest update
Adobe AIR latest update

The full bulletin

SANS WebCasts

SANS (SysAdmin, Audit, Network, Security) provides regular webcasts by experts in the field of computer security. These are live web broadcasts that allow you to hear knowledgeable speakers while viewing presentation slides that you download in advance. They are free and informative. If interested, you can also subscribe to the Webcast Calendar.

To learn more see: https://www.sans.org/webcasts/

Removing Sensitive Data

Over the past few weeks I have included articles in this newsletter on data security in higher education. Much of this information will be discussed during the IAP seminar “Handling Sensitive Data.”

Part of the IAP seminar will review paper shredding and electronic data wiping techniques. At MIT the responsibility for data destruction falls to the departments that store the information. When paper files are no longer needed or computers are repurposed or recycled, it is up to the data stewards to ensure that the information is destroyed beyond recovery.

Don’t let a data leak occur at MIT! Below are just a few examples of schools whose data was not correctly disposed of:

Data protection information at MIT: