[3404] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, November 14, 2012

daemon@ATHENA.MIT.EDU (Monique Yeaton)
Wed Nov 14 15:36:56 2012

From: Monique Yeaton <myeaton@mit.edu>
To: "ist-security-fyi@mit.edu" <ist-security-fyi@mit.edu>
Date: Wed, 14 Nov 2012 20:35:53 +0000

In this issue:


1. Microsoft Security Updates for November 2012

2. What is Two-Factor Authentication?

3. We Can Learn from Australia's Defense Strategy



------------------------------------------------------------------

1. Microsoft Security Updates for November 2012

------------------------------------------------------------------


Yesterday, November 13, Microsoft released security bulletins <http://technet.microsoft.com/en-us/security/bulletin/ms12-nov> to address multiple vulnerabilities. Four of the six bulletins are rated critical. The fixes affect the following products:


  *   Microsoft Windows
  *   Microsoft Office
  *   Microsoft .NET Framework
  *   Internet Explorer


This update includes the first fixes for Windows 8 and Windows RT.


Security updates are available from the Windows Update tool, the Windows Server Update Services or the Download Center. MIT WAUS subscribers will receive the updates as they are tested and released.



---------------------------------------------------

2. What is Two-Factor Authentication?

---------------------------------------------------


The most recent security awareness newsletter OUCH! explains what two-factor authentication is, why people should use it, and how it works.


Read the English version of the newsletter (pdf) here <http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201211_en.pdf>.



--------------------------------------------------------------------

3. We Can Learn from Australia's Defense Strategy

--------------------------------------------------------------------


Earlier this year we saw what was possibly the most damaging cyber attack ever. US oil company Saudi Aramco had 30,000 computers infected and wiped. With their master boot record destroyed, every machine needed on-site attention and a complete rebuild.


According to the US Department of Homeland Security, "hacktivists" are getting interested in industrial control systems (ICS), the gadgets that run everything from hotel air conditioners to chocolate factories to nuclear power stations. We've known about the vulnerability of ICS for a long time now. So what can we do about it?


The Australian Defense Signals Directorate (DSD) knows what to do to stop the types of attacks that are coming from nation states. The DSD has developed a list titled Top 35 Mitigation Strategies <http://dsd.gov.au/infosec/top35mitigationstrategies.htm>. According to SANS <http://www.technologyspectator.com.au/keeping-cybergeddon-bay>, implementing just the top four strategies listed can block 85 percent of targeted cyber attacks.


At the top of the list are:

  1.  whitelisting
  2.  patching applications
  3.  patching operating systems, and
  4.  limiting administrator rights to people who actually need that level of access.


"First do the top four," Alan Paller of SANS says. "When you are done with the top four, evaluate the others."


Read the story in the news <http://www.csoonline.com/article/720272/cyber-attacks-have-changed-but-australia-is-doing-something-about-it-sans>.



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security



