[10216] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, March 10, 2014
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon Mar 10 17:32:44 2014
Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 10 Mar 2014 21:29:15 +0000
Message-ID: <0EE6FE5E-CB3A-43E8-B7E4-2E6FA10CFC7D@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1718766280=="
Errors-To: ist-security-fyi-bounces@MIT.EDU
--===============1718766280==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary="_000_0EE6FE5ECB3A43E8B7E42E6FA10CFC7Dmitedu_"
--_000_0EE6FE5ECB3A43E8B7E42E6FA10CFC7Dmitedu_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
In this issue:
1. March 2014 Security Updates from Microsoft
2. Microsoft Offers Tool to XP Users to Assist with Upgrade
3. The Bitcoin Theft
---------------------------------------------------------------
1. March 2014 Security Updates from Microsoft
---------------------------------------------------------------
On Tuesday, March 11, Microsoft is releasing five new security bulletins<ht=
tp://technet.microsoft.com/en-us/security/bulletin/ms14-mar>. Two of the bu=
lletins are rated critical. Microsoft systems that will be affected:
* Windows (all current operating systems and servers)
* Internet Explorer (all supported versions)
* Microsoft Silverlight
It is recommended to accept the updates. MIT WAUS<http://ist.mit.edu/waus> =
subscribers will receive the updates after they have been tested for compat=
ibility within the MIT computing environment. Installing the bulletins manu=
ally may require a restart.
The patch for Internet Explorer will resolve a zero-day vulnerability (CVE-=
2014-0322<http://www.microsoft.com/security/portal/threat/encyclopedia/entr=
y.aspx?Name=3DExploit:JS/CVE-2014-0322>), that was disclosed close to a mon=
th ago. Microsoft supplied a =93fix-it=94 as a stopgap until a patch was re=
ady.
Tuesday=92s bulletins will also fix vulnerabilities in Windows, including f=
or Windows XP, and these may be the last to be supplied by Microsoft for th=
at operating system. Microsoft will no longer support Windows XP with secur=
ity patches after April 8. (See more on the de-support of Windows XP in the=
story below.)
Read the full story in the news<http://threatpost.com/microsoft-to-patch-ie=
-10-zero-day-on-patch-tuesday/104653>.
---------------------------------------------------------------------------=
---
2. Microsoft Offers Tool to XP Users to Assist with Upgrade
---------------------------------------------------------------------------=
---
Microsoft is ending support for its popular operating system Windows XP on =
April 8; after that date, there will be no more security updates, leaving u=
sers vulnerable to flaws.
Starting this month, Microsoft offers a free migration tool called =93PCmov=
er Express=94 to help XP users ease their transition to a newer, more secur=
e version of Windows. It copies files, music, email and user profiles and s=
ettings from a Windows XP computer to a new device running Windows 7, 8 or =
8.1. It provides transferring across a home or work network and allows use=
rs to customize exactly what they bring over. The free version does not mig=
rate applications, but the maker of PCmover Express (Laplink) makes a migra=
tion app called PCmover Professional for XP Users<http://www.laplink.com/pc=
moverexpressxpeol> which will transfer an unlimited number of applications =
to a new machine. It is being offered at a discounted price.
In addition, starting March 8, XP users using the Home or Professional edit=
ions who have elected to receive updates via Windows Update, will see pop-u=
ps reminding them of the impending deadline. The notification will link to =
Microsoft=92s End of Support website<http://windows.microsoft.com/en-US/win=
dows/end-support-help> where users will find the free PCmover Express softw=
are (available some time later this week), all the information they need on=
what end of support means, and how they can stay protected against securit=
y risks and viruses after April 8th.
Read the full story at Microsoft=92s blog here<http://blogs.windows.com/win=
dows/b/windowsexperience/archive/2014/03/03/new-windows-xp-data-transfer-to=
ol-and-end-of-support-notifications.aspx>.
--------------------------
3. The Bitcoin Theft
--------------------------
Late last month, Bitcoin exchange Mt. Gox in Tokyo declared bankruptcy, cla=
iming hackers had exploited a vulnerability in its transactions to steal 85=
0,000 bitcoins (worth approximately $474 million). The flaw, called transac=
tions malleability, was known for a while and it is possible that a malicio=
us party could have taken advantage of it to withdraw funds.
It is also possible that funds were being mismanaged through the Mt. Gox ex=
change. Mt. Gox had problems for some time, as users complained they could =
not withdraw dollars from Mt. Gox for close to a year now. The website has =
gone off-line as authorities look into the situation.
There is much suspicion among bitcoin users around the shut down of the exc=
hange. "I am extremely disappointed with the company but not surprised," sa=
id investor Kolin Burges in an email. "I am thoroughly disgusted by the com=
pany and the way they have ruined so many people's lives, as well as disgus=
ted by their conduct through this whole situation. I will be doing anything=
I can to ensure that anyone at the company who was to blame for this faces=
justice for any crimes they might have committed. I will also do anything =
I can to investigate what was really going on there, but hopefully the cour=
ts and police of Japan will do a thorough job," said Burges.
The issue of the latest theft appears too small to shut down one of the lar=
gest bitcoin exchanges in the world. In the news recently, anonymous hacker=
s claim to have evidence<http://www.theverge.com/2014/3/10/5489582/mt-gox-h=
ackers-say-exchange-still-has-customers-bitcoins> that the bitcoin from Mt.=
Gox are not missing, but that customers were defrauded by Mt. Gox manageme=
nt.
The Bitcoin network has experienced major security breaches over the past y=
ear. November saw three major Bitcoin thefts: One involving more than $1 mi=
llion in bitcoin<http://www.networkworld.com/news/2013/112513-bitcoin-robbe=
ry-276352.html> from Bitcoin Internet Payment Services, a Denmark-based exc=
hange that promoted itself as Europe's biggest. There was a heist involving=
about $1.4 million from Australian online wallet service Inputs.io<http://=
www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-service/>. Finally=
, the disappearance of a Chinese Bitcoin exchange with more than $4 million=
in it<http://www.networkworld.com/community/blog/chinese-bitcoin-exchange-=
vanishes-along-bitcoins>, revealing that exchange as a con. Since the Mt. G=
ox theft, Canadian Bitcoin bank, Flexcoin, announced it is going out of bus=
iness<http://www.cbc.ca/news/business/bitcoin-bank-flexcoin-shuts-down-afte=
r-600-000-theft-1.2559018>, following a hack which saw 896 coins stolen.
Read the full story in the news here<http://www.computerworld.com/s/article=
/9246659/Bitcoin_exchange_Mt._Gox_files_for_bankruptcy_with_debts_of_63.6M?=
taxonomyId=3D17> and here<http://news.cnet.com/8301-1009_3-57619708-83/bitc=
oin-losses-spur-mt-gox-to-bankruptcy-filing/>.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Read all archived Security FYI Newsletter articles and submit comments onli=
ne at http://securityfyi.wordpress.com/.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
"Distrust and caution are the parents of security" - Benjamin Franklin
--_000_0EE6FE5ECB3A43E8B7E42E6FA10CFC7Dmitedu_
Content-Type: text/html; charset="Windows-1252"
Content-ID: <16D3BE430166D64DBE5594BF254BD119@exchange.mit.edu>
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
</head>
<body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space;">
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;">In th=
is issue:</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">1. March 2014 Security =
Updates from Microsoft</div>
<div style=3D"margin: 0px; font-family: Helvetica;">2. Microsoft Offers Too=
l to XP Users to Assist with Upgrade</div>
<div style=3D"margin: 0px; font-family: Helvetica;">3. The Bitcoin Theft</d=
iv>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">-----------------------=
----------------------------------------</div>
<div style=3D"margin: 0px; font-family: Helvetica;">1. March 2014 Security =
Updates from Microsoft</div>
<div style=3D"margin: 0px; font-family: Helvetica;">-----------------------=
----------------------------------------</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">On Tuesday, March 11, M=
icrosoft is releasing
<a href=3D"http://technet.microsoft.com/en-us/security/bulletin/ms14-mar">f=
ive new security bulletins</a>. Two of the bulletins are rated critical. Mi=
crosoft systems that will be affected:</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<ul>
<li style=3D"margin: 0px; font-family: Helvetica;">Windows (all current ope=
rating systems and servers)
</li><li style=3D"margin: 0px; font-family: Helvetica;">Internet Explorer (=
all supported versions)
</li><li style=3D"margin: 0px; font-family: Helvetica;">Microsoft Silverlig=
ht </li></ul>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">It is recommended to ac=
cept the updates.
<a href=3D"http://ist.mit.edu/waus">MIT WAUS</a> subscribers will receive t=
he updates after they have been tested for compatibility within the MIT com=
puting environment. Installing the bulletins manually may require a restart=
.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">The patch for Internet =
Explorer will resolve a zero-day vulnerability (<a href=3D"http://www.micro=
soft.com/security/portal/threat/encyclopedia/entry.aspx?Name=3DExploit:JS/C=
VE-2014-0322"><span style=3D"font-size: 15px; color: rgb(50, 51, 51);">CVE-=
2014-0322</span></a><span style=3D"font-size: 15px; color: rgb(50, 51, 51);=
">)</span>,
that was disclosed close to a month ago. Microsoft supplied a =93fix-it=94=
as a stopgap until a patch was ready. </div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">Tuesday=92s bulletins w=
ill also fix vulnerabilities in Windows, including for Windows XP, and thes=
e may be the last to be supplied by Microsoft for that operating system. Mi=
crosoft will no longer support Windows
XP with security patches after April 8. (See more on the de-support of Win=
dows XP in the story below.)</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;"><a href=3D"http://threa=
tpost.com/microsoft-to-patch-ie-10-zero-day-on-patch-tuesday/104653">Read t=
he full story in the news</a>.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">-----------------------=
-------------------------------------------------------</div>
<div style=3D"margin: 0px; font-family: Helvetica;">2. Microsoft Offers Too=
l to XP Users to Assist with Upgrade</div>
<div style=3D"margin: 0px; font-family: Helvetica;">-----------------------=
-------------------------------------------------------</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">Microsoft is ending sup=
port for its popular operating system Windows XP on April 8; after that dat=
e, there will be no more security updates, leaving users vulnerable to flaw=
s. </div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">Starting this month, Mi=
crosoft offers a free migration tool called =93PCmover Express=94 to help X=
P users ease their transition to a newer, more secure version of Windows. I=
t copies files, music, email and user
profiles and settings from a Windows XP computer to a new device running W=
indows 7, 8 or 8.1. It provides transferring across a home or work ne=
twork and allows users to customize exactly what they bring over. The free =
version does not migrate applications,
but the maker of PCmover Express (Laplink) makes a migration app called <a=
href=3D"http://www.laplink.com/pcmoverexpressxpeol">
PCmover Professional for XP Users</a> which will transfer an unlimited numb=
er of applications to a new machine. It is being offered at a discounted pr=
ice.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">In addition, starting M=
arch 8, XP users using the Home or Professional editions who have elected t=
o receive updates via Windows Update, will see pop-ups reminding them of th=
e impending deadline. The notification
will link to <a href=3D"http://windows.microsoft.com/en-US/windows/end-sup=
port-help">
Microsoft=92s End of Support website</a> where users will find the free PCm=
over Express software (available some time later this week), all the inform=
ation they need on what end of support means, and how they can stay protect=
ed against security risks and viruses
after April 8th.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;"><a href=3D"http://blogs=
.windows.com/windows/b/windowsexperience/archive/2014/03/03/new-windows-xp-=
data-transfer-tool-and-end-of-support-notifications.aspx">Read the full sto=
ry at Microsoft=92s blog here</a>.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">-----------------------=
---</div>
<div style=3D"margin: 0px; font-family: Helvetica;">3. The Bitcoin Theft</d=
iv>
<div style=3D"margin: 0px; font-family: Helvetica;">-----------------------=
---</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">Late last month, Bitcoi=
n exchange Mt. Gox in Tokyo declared bankruptcy, claiming hackers had explo=
ited a vulnerability in its transactions to steal 850,000 bitcoins (worth a=
pproximately $474 million). The flaw,
called transactions malleability, was known for a while and it is possible=
that a malicious party could have taken advantage of it to withdraw funds.=
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">It is also possible tha=
t funds were being mismanaged through the Mt. Gox exchange. Mt. Gox had pro=
blems for some time, as users complained they could not withdraw dollars fr=
om Mt. Gox for close to a year now.
The website has gone off-line as authorities look into the situation.</div=
>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">There is much suspicion=
among bitcoin users around the shut down of the exchange. "I am extre=
mely disappointed with the company but not surprised," said investor K=
olin Burges in an email. "I am thoroughly disgusted
by the company and the way they have ruined so many people's lives, as wel=
l as disgusted by their conduct through this whole situation. I will be doi=
ng anything I can to ensure that anyone at the company who was to blame for=
this faces justice for any crimes
they might have committed. I will also do anything I can to investigate wh=
at was really going on there, but hopefully the courts and police of Japan =
will do a thorough job," said Burges.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">The issue of the latest=
theft appears too small to shut down one of the largest bitcoin exchanges =
in the world. In the news recently,
<a href=3D"http://www.theverge.com/2014/3/10/5489582/mt-gox-hackers-say-exc=
hange-still-has-customers-bitcoins">
anonymous hackers claim to have evidence</a> that the bitcoin from Mt. Gox =
are not missing, but that customers were defrauded by Mt. Gox management.</=
div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">The Bitcoin network has=
experienced major security breaches over the past year. November saw three=
major Bitcoin thefts: One involving
<a href=3D"http://www.networkworld.com/news/2013/112513-bitcoin-robbery-276=
352.html">
more than $1 million in bitcoin</a> from Bitcoin Internet Payment Services,=
a Denmark-based exchange that promoted itself as Europe's biggest. There w=
as a heist involving about $1.4 million from Australian
<a href=3D"http://www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-=
service/">
online wallet service Inputs.io</a>. Finally, the disappearance of a Chines=
e Bitcoin exchange with more than
<a href=3D"http://www.networkworld.com/community/blog/chinese-bitcoin-excha=
nge-vanishes-along-bitcoins">
$4 million in it</a>, revealing that exchange as a con. Since the Mt. Gox t=
heft, Canadian Bitcoin bank, Flexcoin,
<a href=3D"http://www.cbc.ca/news/business/bitcoin-bank-flexcoin-shuts-down=
-after-600-000-theft-1.2559018">
announced it is going out of business</a>, following a hack which saw 896 c=
oins stolen. </div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">Read the full story in =
the news
<a href=3D"http://www.computerworld.com/s/article/9246659/Bitcoin_exchange_=
Mt._Gox_files_for_bankruptcy_with_debts_of_63.6M?taxonomyId=3D17">
here</a> and <a href=3D"http://news.cnet.com/8301-1009_3-57619708-83/bitcoi=
n-losses-spur-mt-gox-to-bankruptcy-filing/">
here</a>.</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica;">=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D</div>
<div style=3D"margin: 0px; font-family: Helvetica;">Read all archived Secur=
ity FYI Newsletter articles and submit comments online at
<a href=3D"http://securityfyi.wordpress.com/"><span style=3D"color: rgb(4, =
46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style=3D"margin: 0px; font-family: Helvetica;">=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style=3D"margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div apple-content-edited=3D"true">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norm=
al; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-w=
rap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-=
space;">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norm=
al; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-w=
rap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-=
space;">
Monique Buchanan<br>
IT Security Communications Consultant<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href=3D"http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<span style=3D"font-family: Helvetica;">"Distrust and caution are the =
parents of security" - Benjamin Franklin</span></div>
</div>
</div>
<br>
</body>
</html>
--_000_0EE6FE5ECB3A43E8B7E42E6FA10CFC7Dmitedu_--
--===============1718766280==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi
--===============1718766280==--
