[10222] in Security FYI

[IS&T Security-FYI] SFYI Newsletter, April 14, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon Apr 14 14:36:52 2014

Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 14 Apr 2014 18:35:40 +0000
Message-ID: <AAA7E888-7AA8-42FD-9CC9-4EA468ACFAD9@mit.edu>

In this (Heartbleed) issue:

1. Status of Heartbleed at MIT
2. Lessons Learned from Heartbleed
3. Seven Heartbleed Myths Debunked
4. For Fun: XKCD on Heartbleed


-----------------------------------------
1. Status of Heartbleed at MIT
-----------------------------------------

Last week, after the OpenSSL Heartbleed vulnerability was disclosed, IS&T took measures to protect the systems at MIT affected by it. What exactly has happened, and what is still in progress?

This article lays it out in detail<http://kb.mit.edu/confluence/x/5lMYCQ>. You may also find answers to some of your questions in the first KB article that recorded the vulnerability<http://kb.mit.edu/confluence/x/g1MYCQ>.

If you have any further questions or concerns, please contact the Help Desk at helpdesk@mit.edu<mailto:helpdesk@mit.edu>.

If you need assistance finding vulnerable hosts in the MIT domain, please contact security@mit.edu<mailto:security@mit.edu>.


-------------------------------------------------
2. Lessons Learned from Heartbleed
-------------------------------------------------

Now that the world is aware of the Heartbleed Bug and is scrambling to fix servers, routers, virtual machines and VPNs, what lessons can we, as ordinary web users, take away from this security disaster?


  1.  Don't use your passwords in multiple places. When setting strong passwords<http://kb.mit.edu/confluence/x/3wNt>, it is tempting to reuse one strong password on several sites. But if any one of those sites is compromised, every account that shares the password is exposed, because attackers routinely try credentials stolen from one site against others.
  2.  Change your password at least once a year. Even when you've set a strong password, an event like the Heartbleed Bug, where data captured from an affected site includes your login credentials, leaves your password potentially exposed. If you change your password<http://kb.mit.edu/confluence/x/X5A7> on a regular basis, the password a thief stole from the affected site becomes outdated and useless. After an incident like this one, change the password for an affected site as soon as that site has patched and replaced its certificate; changing it before the site is fixed can expose the new password through the same hole.
  3.  Use multi-factor authentication where available. A password can be guessed if it's not strong enough, or cracked by tools that, given a stolen copy of a site's password database, try millions of candidates per second. But when a site offers two-factor or multi-factor authentication<http://en.wikipedia.org/wiki/Multi-factor_authentication> for logging in, your login name and password alone are not enough. The thief would also need a second factor, usually a one-time code that is generated by an app on your mobile phone or sent to it by text message; you enable this in the account's settings. Without that code, your user name and password are useless to the thief.
  4.  Password managers can be our friends. A tool such as LastPass or KeePass manages your passwords for you<http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords#StrongPasswords-Arepasswordmanagersagoodidea%3F>, so you don't have to remember them. When you don't have to remember a password, you can make every one long, random and unique, and retrieve it when needed. In addition, tools such as LastPass have security features built in<https://lastpass.com/features_free.php>, so that you are notified if a stored password may be affected by a vulnerability.
  5.  Be very, very suspicious of emails asking you to verify an account. Because cyber thieves know that people are worried about this vulnerability, they will play on those fears. They will try to trick you with a phishing email<http://kb.mit.edu/confluence/x/SBhB> that says your account is at risk unless you take action, then suggests you click a link that leads to a compromised or bogus site where they capture your login information. If you think an account really needs attention, go to the site by typing its address or using your own bookmark, not by following the link in the message.

Safe computing is all about knowledge and changing behavior. If this disaster has taught us anything, I hope it is that we are now more aware of the risks and will change some of the ways we use computers and the Internet.
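
One mechanical check behind lesson 5, as an added example that is not part of the newsletter: in a phishing message the visible link text often names the real site while the href leads somewhere else, and a "verify your account" link to a domain you never log in to is suspect on its own. The sample message, the trusted-domain set and the helper names below are constructed for this example, and the domain splitting is a crude last-two-labels approximation rather than a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the domains the reader genuinely logs in to.
TRUSTED_DOMAINS = {"mit.edu"}

# Visible anchor text that itself looks like a URL or host name.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'idp.mit.edu' -> 'mit.edu' (crude; real code uses the Public Suffix List)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html: str) -> list:
    """Return (href, reason) for each anchor a careful reader should refuse to click."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        scheme = urlsplit(href).scheme.lower()
        if scheme == "mailto":
            continue  # an address to write to, not a login page
        if scheme not in ("", "http", "https"):
            findings.append((href, f"non-web link ({scheme}:)"))
            continue
        href_host = host_of(href)
        if LOOKS_LIKE_URL.match(text) and registrable_domain(host_of(text)) != registrable_domain(href_host):
            findings.append((href, f"text shows {host_of(text)} but link goes to {href_host}"))
        elif registrable_domain(href_host) not in TRUSTED_DOMAINS:
            findings.append((href, f"link to untrusted domain {href_host}"))
    return findings


# Constructed phishing message modelled on the pattern described in lesson 5 (not a real email).
SAMPLE_EMAIL = """<p>Due to the Heartbleed bug your MIT account will be suspended unless you
verify it within 24 hours.</p>
<p>Verify now: <a href="http://mit.edu.account-verify.example/login">https://idp.mit.edu/</a></p>
<p>Questions? See <a href="http://kb.mit.edu/confluence/x/g1MYCQ">the IS&amp;T Knowledge Base</a>
or write to <a href="mailto:helpdesk@mit.edu">helpdesk@mit.edu</a>.</p>"""
```

Running check_links on SAMPLE_EMAIL flags only the "Verify now" link: its text says idp.mit.edu while the href goes to mit.edu.account-verify.example, a domain whose registrable part is account-verify.example, not mit.edu. The Knowledge Base link passes because kb.mit.edu is under a trusted domain.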


--------------------------------------------------
3. Seven Heartbleed Myths Debunked
--------------------------------------------------

An article by readwrite.com<http://readwrite.com/2014/04/14/heartbleed-myths-debunked-fact-fiction> debunks 7 of the major myths going around about the Heartbleed Bug.

The top 7 myths:


  1.  Heartbleed is a virus
  2.  The bug only affects web sites
  3.  Hackers use it to remote control your phones
  4.  Windows XP users are screwed because Microsoft abandoned them
  5.  All of our banks are open for heart bleeding
  6.  My site/service isn't at risk, or I patched, so I'm safe now
  7.  The NSA has been using Heartbleed to spy on us

Much of this misinformation is going around as news reports come out. Learn about what is true and what isn't<http://readwrite.com/2014/04/14/heartbleed-myths-debunked-fact-fiction>.


---------------------------------------------
4. For Fun: XKCD on Heartbleed
---------------------------------------------

Heartbleed<http://xkcd.com/1353/> and How the Heartbleed Bug Works<http://xkcd.com/1354/>
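
To go with the second strip, here is the mechanism of the bug itself as an added example (not from the newsletter, and not OpenSSL's code): a Python simulation of the TLS heartbeat handler over a constructed byte buffer that stands in for the server's memory. The "adjacent memory" contents and the function names are made up for the demo. The pre-patch handler copies as many bytes as the request claims; the patched handler applies the bounds check added in OpenSSL 1.0.1g, silently discarding any request whose declared payload plus the 16-byte padding does not fit inside the record that was actually received.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit next to the record on the server's heap.
ADJACENT_MEMORY = (b"Cookie: session=SESSION-abc123; "
                   b"-----BEGIN RSA PRIVATE KEY-----MIIEow...(constructed for the demo)")


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a HeartbeatRequest: type (1 byte), payload_length (2 bytes BE), payload, padding.
    An honest peer passes claimed_length == len(payload); the bug is triggered by claiming more."""
    return struct.pack(">BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def _response(payload: bytes) -> bytes:
    return struct.pack(">BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * PADDING_LEN


def handle_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: trust the declared length and copy that many bytes starting at the
    payload, regardless of how long the received record was (record_length is never consulted)."""
    hbtype, payload_len = struct.unpack_from(">BH", memory, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # The memcpy reads past the end of the record into whatever follows it in memory.
    return _response(memory[3:3 + payload_len])


def handle_fixed(memory: bytes, record_length: int) -> bytes:
    """Patched behaviour: the declared payload plus padding must fit in the record, else discard."""
    if record_length < 1 + 2 + PADDING_LEN:
        return b""  # too short to even hold a header and padding
    hbtype, payload_len = struct.unpack_from(">BH", memory, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING_LEN > record_length:
        return b""  # the bounds check that was missing
    return _response(memory[3:3 + payload_len])


def demo(claimed_length: int):
    """Run both handlers on a request whose real payload is 'hat' but whose header claims
    claimed_length bytes. Returns (vulnerable_response, fixed_response)."""
    record = build_heartbeat(b"hat", claimed_length)
    memory = record + ADJACENT_MEMORY  # the record lands in memory with other data right after it
    return handle_vulnerable(memory, len(record)), handle_fixed(memory, len(record))
```

With demo(3) both handlers echo "hat" and nothing else; with demo(500) the vulnerable handler's reply carries the session cookie and key material that followed the record in memory, while the fixed handler returns nothing at all. The real copy loop in OpenSSL wrote the full claimed length rather than stopping at the end of the buffer as a Python slice does, which is why a single request could return up to 64 KB.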


================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi