[10214] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, February 25, 2014
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Tue Feb 25 10:25:44 2014
Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Tue, 25 Feb 2014 15:24:19 +0000
In this issue:
1. Apple Releases Critical Security Update
2. Microsoft Releases Security Advisory on Internet Explorer
3. Upcoming Event: Sophos and Sophos Reporting on March 6th
4. The University of Maryland Data Breach
---------------------------------------------------------
1. Apple Releases Critical Security Update
---------------------------------------------------------
Late last week, Apple released a security update <http://support.apple.com/kb/ht1222> for its iOS mobile operating system to address a flaw in its SSL/TLS implementation.
SSL (Secure Sockets Layer) is part of the TLS (Transport Layer Security) protocol and is used to encrypt sensitive information, often in a browser, as it traverses the Internet. The flaw, as described by Apple, can provide "an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS."
In other words, the flaw makes it easy for bad actors to create fake websites that look like sites users trust, such as banking sites, and to grab information that the users send to those sites.
Apple has not yet patched this flaw on laptops or desktops, although it is expected that an update will be released very soon.
It is recommended that all iOS users update their devices to iOS 7.0.6 or iOS 6.1.6 as soon as possible. This is not one you want to wait on. Information on how to update your iPhone, iPod touch, and iPad can be found on Apple's website [http://support.apple.com/kb/ht4623].
Note: iOS 6.1.6 is only available for devices that cannot run iOS 7. If you have the original iPad, the iPhone 3GS, or earlier versions of the iPod touch, you will install iOS 6.1.6. All other models of the iPhone, iPad, and iPod touch that are able to run iOS 7 must upgrade to iOS 7.0.6 to get the fix.
Those who need assistance updating their iOS device should contact their local IT support liaison or the IS&T Help Desk [http://ist.mit.edu/help].
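For anyone checking a fleet rather than a single phone, the rule above (iOS 7-capable devices need 7.0.6, iOS 6-only devices need 6.1.6) can be applied to an inventory export. This is an added example, not code from Apple or IS&T; the inventory records and the Device record layout are constructed for illustration.

```python
"""Fleet compliance check for the iOS SSL/TLS fix described above.

Rule from the advisory: devices that cannot run iOS 7 are fixed at
iOS 6.1.6; every device that can run iOS 7 is fixed only at iOS 7.0.6
(staying on 6.1.6 on such a device does not count as patched).
"""
from typing import NamedTuple

FIXED_IOS7 = (7, 0, 6)
FIXED_IOS6 = (6, 1, 6)


class Device(NamedTuple):
    # Assumed inventory record layout (constructed for this example).
    name: str
    can_run_ios7: bool
    ios_version: str


def parse_version(text: str) -> tuple:
    """'7.0.6' -> (7, 0, 6); '7.1' -> (7, 1, 0). Rejects malformed strings."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(device: Device) -> bool:
    installed = parse_version(device.ios_version)
    if not device.can_run_ios7:
        # iOS 6-only hardware: patched only on the 6.x line at 6.1.6 or later.
        # A 7.x version here means the inventory is inconsistent; flag it.
        return installed[0] == 6 and installed >= FIXED_IOS6
    return installed >= FIXED_IOS7


def unpatched(devices) -> list:
    """Names of devices that still need the update."""
    return [d.name for d in devices if not is_patched(d)]


# Constructed sample inventory (not real MIT data).
INVENTORY = [
    Device("iPhone 5s", True, "7.0.6"),       # patched
    Device("iPad 2", True, "7.0.4"),          # needs 7.0.6
    Device("iPhone 3GS", False, "6.1.6"),     # patched (iOS 6-only hardware)
    Device("iPad (1st gen)", False, "6.1.3"), # needs 6.1.6
    Device("iPhone 4", True, "6.1.6"),        # can run iOS 7, so needs 7.0.6
]

if __name__ == "__main__":
    for name in unpatched(INVENTORY):
        print(f"UNPATCHED: {name}")
```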
Read the story in the news <http://www.washingtonpost.com/business/technology/apples-security-bug-what-to-know-about-it-and-what-to-do-about-it/2014/02/24/b59404e4-9d59-11e3-9ba6-800d1192d08b_story.html>.
---------------------------------------------------------
2. Microsoft Releases Security Advisory on Internet Explorer
---------------------------------------------------------
Microsoft released Security Advisory 2934088 <http://technet.microsoft.com/security/advisory/2934088> - Vulnerability in Internet Explorer Could Allow Remote Code Execution - on February 19th.
A vulnerability in Internet Explorer 9 and 10 is subject to exploit. According to the advisory, an attacker could host a specially crafted website, convince a user to view the website, and exploit the vulnerability if the site is viewed in Internet Explorer.
There is no current patch for this vulnerability, and Microsoft has not yet scheduled one, but they may provide a solution through the monthly security update release process or an out-of-cycle update. They do offer a temporary stopgap "Fix it" measure <https://support.microsoft.com/kb/2934088>, allowing affected services to go into restricted mode to block attacks.
Microsoft recommends that users avoid clicking on unsolicited links. It is also a good idea to use an alternative browser until the issue has been permanently fixed.
Read the full story in the news <http://www.scmagazine.com//microsoft-issues-temporary-fix-for-ie-zero-day-targeting-service-members/article/334929/>.
---------------------------------------------------------
3. Upcoming Event: Sophos and Sophos Reporting on March 6th
---------------------------------------------------------
The IT Partners planning team has announced its next luncheon. Andrew Munchbach from the Security Operations team will discuss MIT's anti-virus software, Sophos <http://ist.mit.edu/sophos>, as well as running reports from Sophos.
Please join us on Thursday March 6 at 12:00 in Marlar Lounge (37-252 <http://whereis.mit.edu/?go=37>).
Lunch will be served at noon, and the discussion will begin promptly at 12:15. Please confirm if you plan to attend by sending email to rsvp-itpartners@mit.edu <mailto:rsvp-itpartners@mit.edu>.
---------------------------------------------------------
4. The University of Maryland Data Breach
---------------------------------------------------------
University of Maryland President Wallace D. Loh has disclosed a breach <http://www.umd.edu/datasecurity/> of a university database that compromised personal information of more than 300,000 students and staff members.
The incident affects anyone who was associated with the university's College Park and Shady Grove campuses dating back to 1998. The exposed data include birth dates, Social Security numbers (SSNs) and school ID numbers, but not financial, academic, or health data.
Forensic investigators are examining the breached files and logs. University CIO Brian Voss said the intruder copied the information in the database.
Read the full story in the news <http://news.cnet.com/8301-1009_3-57619169-83/data-breach-at-university-of-maryland-exposes-300k-records/>.
=========================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=========================================================
Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
"Distrust and caution are the parents of security" - Benjamin Franklin