
[IS&T Security-FYI] SFYI Newsletter, April 29, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Tue Apr 29 14:50:09 2014

Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Tue, 29 Apr 2014 18:48:08 +0000
Message-ID: <E1D3733C-0C82-4238-8B89-C06128BB9217@mit.edu>

In this issue:

1. Zero-Day Targets Internet Explorer
2. Apple Addresses “Triple Handshake” Bug
3. Password Security is a Problem


--------------------------------------------------
1. Zero-Day Targets Internet Explorer
--------------------------------------------------

In a security advisory<https://technet.microsoft.com/en-US/library/security/2963983> released late last week, Microsoft warns users of limited, targeted attacks attempting to exploit a vulnerability in Internet Explorer 6 through Internet Explorer 11, although the attack is only targeting IE9 through IE11.

The vulnerability has not been patched and is considered a significant zero-day virus<http://en.wikipedia.org/wiki/Zero-day_virus>, as the vulnerable versions of IE represent about a quarter of the total browser market. We recommend applying a patch once available.

To read the details of how this exploit can occur, see this article<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>.

What you can do to protect your computer:

1. One mitigation is to download and install Microsoft’s Enhanced Mitigation Experience Toolkit<http://www.microsoft.com/en-us/download/details.aspx?id=41138> (EMET), a free tool that can strengthen security on Windows. Note that EMET 3.0 does not mitigate the attack, and users should rely on EMET 4.1. Krebs on Security discusses EMET here<http://krebsonsecurity.com/tag/enhanced-mitigation-experience-toolkit/>.

2. Because the attack will not work without Adobe Flash, disabling the Flash plugin within IE<http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921/> will prevent the exploit from functioning.

3. According to FireEye, the security lab that discovered the vulnerability, Enhanced Protected Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default. This article shows how to enable EPM in IE<http://www.thewindowsclub.com/enhanced-protected-mode-internet-explorer-10>.

4. The fourth option is to use another browser until a patch has been released.
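The following is an added example, not part of the newsletter and not a Microsoft or FireEye tool: a read-only PowerShell audit that reports whether the three mitigations above (EMET 4.1, Flash blocked in IE, EPM enabled) are in place on a Windows machine. The registry locations it reads (the Isolation value for EPM, the ActiveX Compatibility kill-bit entry for the Flash control's CLSID, and the Uninstall keys for EMET's product entry) are the standard locations for these settings as far as I know them; they are assumptions of this script, not details taken from the advisory.

```powershell
# Added example (not from the IS&T newsletter): read-only audit of the three
# IE mitigations the advisory lists. Registry paths are assumptions of this
# script (standard locations for these settings), not values from the page.
# Run in an elevated PowerShell session; nothing is modified.

function Get-EpmState {
    # Enhanced Protected Mode is recorded as the REG_SZ value "Isolation" = "PMEM".
    # A policy setting under HKLM\...\Policies overrides the per-user value.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main',
        'HKCU:\Software\Microsoft\Internet Explorer\Main'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name Isolation -ErrorAction SilentlyContinue).Isolation
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $p; Enabled = ($v -eq 'PMEM'); Raw = $v }
        }
    }
    [pscustomobject]@{ Source = 'not set'; Enabled = $false; Raw = $null }
}

function Get-FlashKillBit {
    # CLSID of the Shockwave Flash ActiveX control. Bit 0x400 of
    # "Compatibility Flags" is the kill bit that stops IE loading the control.
    # Caveat: disabling Flash via Manage Add-ons does NOT set this bit, so
    # "not set" here does not prove the control is loadable.
    $clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
    $path  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        KillBitSet = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
        Raw        = $flags
    }
}

function Get-EmetVersion {
    # EMET registers like any MSI product; read DisplayVersion from the
    # Uninstall keys in both the 64-bit and 32-bit registry views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' -or
                       $_.DisplayName -like '*Enhanced Mitigation*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-EmetMitigates {
    param([string]$Version)
    # Advisory guidance: EMET 3.0 does not mitigate this attack, EMET 4.1 does.
    if (-not $Version) { return $false }
    [version]$Version -ge [version]'4.1'
}

$epm   = Get-EpmState
$flash = Get-FlashKillBit
$emet  = Get-EmetVersion

"EPM enabled (IE10/11):  $($epm.Enabled)  (source: $($epm.Source))"
"Flash kill bit set:     $($flash.KillBitSet)"
"EMET version:           $(if ($emet) { $emet } else { 'not installed' })"
"EMET mitigates (4.1+):  $(Test-EmetMitigates $emet)"
```

The script only reports; it does not change any setting. Two caveats: the Flash line confirms only a kill-bit deployment, since disabling the add-on through IE's Manage Add-ons dialog is stored elsewhere, and the EPM line is meaningful only on IE10 and IE11, where the feature exists.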


----------------------------------------------------------
2. Apple Addresses “Triple Handshake” Bug
----------------------------------------------------------

Last Tuesday, April 22, Apple released iOS 7.1.1 to address 19 flaws in the mobile operating system, including a critical flaw in the secure transport mechanism that could be exploited with "triple handshake" attacks to expose user data.

Apple also released Security Update 2014-002<http://support.apple.com/kb/HT6207> with updates for OS X Lion (10.7.x), Mountain Lion (10.8.x), and Mavericks (10.9.x) to address a number of flaws, including the triple handshake bug.

Users should update as soon as possible.

Read more about the Apple updates here<http://arstechnica.com/security/2014/04/iphones-and-macs-get-fix-for-extremely-critical-triple-handshake-crypto-bug/>.

What is the Triple Handshake Bug?<http://blog.cryptographyengineering.com/2014/04/attack-of-week-triple-handshakes-3shake.html>


----------------------------------------------
3. Password Security is a Problem
----------------------------------------------

As we have learned from the Heartbleed Bug and from years of brute-force attacks on systems containing log-in credentials, the risk to passwords is still great.

But passwords fall into the hands of criminals in other ways besides attacks on a database or web server. 40% of people have one of the top 100 most common passwords. This makes it very easy for intruders to access your online accounts and steal your identity.

As it happens, April is also Records and Information Management month, and now is a good opportunity to spread awareness around the topic of password security. Here is an infographic to get you started<http://www.singlehop.com/blog/infographic-your-password-is-obsolete/>.

The graphic mentions two-step verification, which is the same as two-factor or multi-factor authentication<http://en.wikipedia.org/wiki/Two-step_verification>. IS&T is looking to implement this verification technique in the near future, so stay tuned.
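As an added example that is not part of the newsletter or the infographic it links to, here is one way a service can act on the "top 100 most common passwords" point above: screen each candidate password against a common-password list before accepting it, undoing the cosmetic changes people make to a dictionary word (capitalisation, leetspeak, appended digits) so that variants like "P@ssw0rd!1" are still rejected. The word list inside the script is a short constructed sample standing in for a real top-100 list, and all function names are my own.

```powershell
# Added example (not from the IS&T newsletter): reject passwords that are, or
# are thin disguises of, a common password. $CommonPasswords is a constructed
# sample; a real deployment would load a full top-100 (or larger) list.

$CommonPasswords = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('password', '123456', 'qwerty', 'letmein', 'welcome', 'monkey',
                'dragon', 'football', 'iloveyou', 'admin', 'abc123', 'sunshine'),
    [System.StringComparer]::OrdinalIgnoreCase)

function ConvertFrom-Leet {
    # Map the usual leetspeak substitutions back to letters ("p@ssw0rd" -> "password").
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $map = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i';
              '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Text.ToCharArray()) {
        $k = [string]$ch
        if ($map.ContainsKey($k)) { [void]$sb.Append($map[$k]) }
        else                      { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

function Test-CommonPassword {
    # Returns $true when the password, or a normalised form of it, is on the list.
    # Three forms are checked so that "abc123" (itself a common password) is
    # caught before its trailing digits are stripped.
    param([Parameter(Mandatory)][string]$Password)
    $lower    = $Password.ToLowerInvariant()
    $stripped = $lower -replace '[^a-z]+$', ''      # drop appended digits/symbols
    $candidates = @($lower, (ConvertFrom-Leet $lower), (ConvertFrom-Leet $stripped))
    foreach ($c in $candidates) {
        if ($c.Length -gt 0 -and $CommonPasswords.Contains($c)) { return $true }
    }
    return $false
}

# Constructed sample inputs: the first three should be rejected, the last accepted.
foreach ($pw in 'P@ssw0rd!1', 'QWERTY', 'abc123', 'xq9#Lm2v!pR') {
    '{0,-14} common: {1}' -f $pw, (Test-CommonPassword $pw)
}
```

A check like this belongs in the account-creation and password-change path, alongside a minimum length rule; it does not replace the two-factor authentication the newsletter mentions, which protects the account even when the password itself has leaked.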


============================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
============================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715




_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi