[IS&T Security-FYI] SFYI Newsletter, December 23, 2014
From: Monique Yeaton <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 23 Dec 2013 17:38:16 +0000
In this issue:
1. Target Store Data Accessed
2. First Security Update for Apple OS X 10.9
3. What Stolen Passwords Can Teach Us
-----------------------------------------
1. Target Store Data Accessed
-----------------------------------------
Target announced on its corporate website late last week that the company experienced unauthorized access to payment card data at its US Target stores. The unauthorized access took place between November 27 and December 15, 2013. Canadian stores and the target.com website were not affected. Forensic efforts are still ongoing.
Read the full notice from Target here <https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca>, which includes some recommendations to protect yourself against potential misuse of your credit or debit card information. Note the information posted specifically for Massachusetts residents.
-----------------------------------------------------------
2. First Security Update for Apple OS X 10.9
-----------------------------------------------------------
Last week Apple released its first major update for OS X Mavericks (10.9) <http://support.apple.com/kb/HT6084>. The update brings a number of bug fixes for Mail and the voice-command user interface VoiceOver, as well as a Safari browser update. The Mail app has been improved for Gmail support, search and contact-groups features.
The biggest improvement was for Safari 7.0.1, which can be applied either with Mavericks or separately. The Safari patch repairs unresponsive forms on sites such as FedEx.com, makes the credit-card autofill easier to use and streamlines VoiceOver with Facebook. Apple also released Safari 6.1.1, which unexpectedly includes support for older versions of Mac OS X.
This article provides details for the security update and outlines concerns <http://www.tomsguide.com/us/mavericks-first-security-update,news-17995.html> voiced since last October by Apple customers who have not yet updated to Mavericks because their systems don't have the necessary processing speed, and who are still running either Lion or Mountain Lion (Apple's two previous versions of Mac OS X).
Apple has not provided a Security Update for older Mac OS X systems since Security Update 2013-005 on October 15, which contained a Java update. Mavericks was released on October 22, 2013. According to some technology experts, Apple has no plans to further support Mountain Lion <http://www.zdnet.com/os-x-mountain-lion-still-unsupported-and-vulnerable-7000023493/>. If this is correct, all Mac OS X users must upgrade to the next version in order to receive Apple support, including security updates.
There is a reasonable concern about waiting to upgrade to Mavericks: staying on Lion (10.7) or Mountain Lion (10.8) can become risky, as unpatched vulnerabilities on the older systems leave them open to attack.
Information Services & Technology (IS&T) at MIT is no longer offering Mac OS X Lion (10.7) software through its website, but still offers Help Desk support. As of November 18, 2013, IS&T is recommending that MIT users, especially those using TSM and SAPgui, wait to upgrade to OS X 10.9 until these known issues <http://kb.mit.edu/confluence/x/fjMYCQ> have been resolved.
-------------------------------------------------------
3. What Stolen Passwords Can Teach Us
-------------------------------------------------------
Early in December, a botnet called "Pony" was found to have stolen approximately 2 million credentials from users' computers. The stolen data was found on a proxy server in the Netherlands. Companies that were affected and notified include payroll processor ADP, Facebook, Google, LinkedIn and Twitter.
The data was collected from users in as many as 102 countries and may have been gained by tricking users into visiting compromised web pages, allowing the botnet to steal login credentials (usernames and passwords). Learn more about the Pony botnet <http://www.zdnet.com/two-million-stolen-facebook-twitter-yahoo-adp-passwords-found-on-pony-botnet-server-7000023915/>.
What SpiderLabs Found
Trustwave's SpiderLabs (a team of elite and ethical hackers) captured the data set. After reviewing the data, what is even more concerning about the 2 million stolen credentials is that most of the stolen passwords were incredibly weak. Hundreds of thousands of the passwords used only one character type (either numbers or letters), and most of them build off the "123456" construct.
The top 10 most common passwords found:
123456
123456789
1234
password
12345
12345678
admin
123
1
1234567
1111111
Only 5% of the 2 million passwords were considered excellent (using all 4 character types and longer than 8 characters). Read the full blog post by SpiderLabs here <http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html>.
To learn how you can strengthen your passwords, go to kb.mit.edu <http://kb.mit.edu/confluence/x/3wNt>.
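The bucketing SpiderLabs applied can be reproduced as a small audit script. This is an added example, not code from the newsletter or from Trustwave; it assumes the "4 character types" are lower-case, upper-case, digits and symbols, treats ascending digit runs ("1234", "123456789") and single repeated characters as the "123456" construct, and runs over the page's top-10 list plus a few constructed stronger passwords.

```python
"""Classify passwords by the criteria the newsletter quotes from SpiderLabs.

Added example; assumptions: "excellent" = all four character types AND
longer than 8 characters; ascending digit runs and repeated single
characters are the weak "123456" construct the article describes.
"""
import string
from collections import Counter

# Constructed sample: the page's top-10 list plus a few made-up stronger ones.
SAMPLE = [
    "123456", "123456789", "1234", "password", "12345", "12345678",
    "admin", "123", "1", "1234567", "1111111",
    "Winter2013", "c0rrect-Horse!", "Tr0ub4dor&3xtra",
]


def char_types(pw: str) -> set:
    """Return the set of character classes present in pw (assumed four)."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def is_sequence_construct(pw: str) -> bool:
    """True when pw is a prefix of the ascending run "123456789"."""
    return pw.isdigit() and pw == "123456789"[:len(pw)]


def classify(pw: str) -> str:
    """Map a password to one of the buckets the article implies."""
    types = char_types(pw)
    if len(types) == 4 and len(pw) > 8:
        return "excellent"
    if is_sequence_construct(pw) or len(set(pw)) == 1:
        return "sequence/repeat"
    if len(types) == 1:
        return "single type"
    return "mixed but weak"  # more than one type, yet below the excellent bar


def summarize(passwords):
    """Bucket counts and the percentage meeting the 'excellent' bar."""
    counts = Counter(classify(p) for p in passwords)
    excellent_pct = 100.0 * counts["excellent"] / len(passwords)
    return counts, excellent_pct


if __name__ == "__main__":
    counts, pct = summarize(SAMPLE)
    for bucket, n in counts.most_common():
        print(f"{bucket:16s} {n}")
    print(f"excellent: {pct:.1f}%")
```

Pointing `summarize` at a dump of a site's own credentials (after a reset) gives the same 5%-style figure the article quotes for the Pony data.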
============================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
============================================================
HAPPY HOLIDAYS AND SEE YOU IN THE NEW YEAR!
Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security