[10235] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, August 19, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Tue Aug 19 11:46:13 2014

Resent-From: ist-security-fyi@mit.edu
From: Monique Buchanan <myeaton@mit.edu>
To: ist-security-fyi <ist-security-fyi@mit.edu>
Date: Tue, 19 Aug 2014 15:45:17 +0000

In this issue:

1. Microsoft Security Updates for August 2014
2. Over a Billion Stolen Credentials Amassed
3. Improved Security for Internet Explorer


-------------------------------------------------------------
1. Microsoft Security Updates for August 2014
-------------------------------------------------------------

Last week Tuesday, Microsoft issued nine security bulletins <https://technet.microsoft.com/library/security/ms14-aug> to address a total of 37 security issues in its products. The bulletins include a cumulative update for Internet Explorer (IE) and fixes for vulnerabilities in Windows, Office, SharePoint Server, SQL Server software, and .NET Framework.

One of the critical patches remediates the bulk of the vulnerabilities, including 26 bugs in IE, of which the most severe could allow remote code execution (RCE). The patch fixes IE 6 through 11. Next month a new security feature will be added to IE to deal with many of these repeat vulnerabilities. See the article on “Improved Security for Internet Explorer” in this newsletter below.

Read the full story in the news <http://www.scmagazine.com/on-patch-tuesday-microsoft-releases-nine-patches-for-37-bugs/article/365944/>.


------------------------------------------------------------
2. Over a Billion Stolen Credentials Amassed
------------------------------------------------------------

Earlier this month, the NY Times reported <http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html> that a Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is a concern among the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery, however, prompts security experts to call for improved identity protection on the web.

Read the full story online <http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html>.

As a result of the large number of usernames and passwords that have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to prevent hackers from getting into his online accounts. He contacted all of the companies with which he does online financial transactions to find out if they support multi-factor authentication. He writes about his experience here <http://www.nytimes.com/2014/08/09/your-money/how-to-thwart-hackers-from-financial-accounts.html>.

If you are concerned about your online accounts and whether they are secure enough, you may want to take some similar steps or be proactive in other ways. One suggestion I would make — until all companies offer multi-factor authentication <http://twofactorauth.org/> — is to update your passwords on a regular basis and manage them using a password storage manager, either LastPass, 1Password or KeePass.


-------------------------------------------------------
3. Improved Security for Internet Explorer
-------------------------------------------------------

On September 9, 2014, Internet Explorer will release a new security feature, called “out-of-date ActiveX control blocking.” ActiveX controls are apps that let Web sites provide content, like videos and games, and also let you interact with content such as toolbars. Unfortunately, many ActiveX controls are not automatically updated. Malicious and compromised Web pages can target outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.

The new feature works with IE 8 through IE 11 on Windows 7 SP1 and up, and on Windows Server 2008 SP1 and up. As of September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue their existing behavior.

More information about outdated ActiveX control blocking <http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715



