[4219] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, April 22, 2013

daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Apr 22 14:07:50 2013

Resent-From: ist-security-fyi@MIT.EDU
From: Monique Yeaton <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 22 Apr 2013 18:05:13 +0000
Message-ID: <3ACED3B2A8CEFB4598A845F07FD4A05F2536090D@OC11EXPO24.exchange.mit.edu>
In this issue:


1. Hackers Exploiting Recent Breaking News Stories

2. Oracle Updates Java

3. Microsoft to Offer Two-Factor Authentication



----------------------------------------------------------------------

1. Hackers Exploiting Recent Breaking News Stories

----------------------------------------------------------------------


Unfortunately, despite all the positive that can come out of a horrendous situation, there can also be some disturbingly negative responses. Cyber criminals were once again taking advantage of last week's news stories to spread malware.


The criminals are using the population's interest in finding information related to the Boston Marathon bombing and the explosion at the Texas fertilizer plant to catch you unawares. Links to videos on YouTube may seem harmless enough, but the web page attempts to suck in malicious content from another site, designed to infect your computer (see examples here<http://nakedsecurity.sophos.com/2013/04/18/waco-explosion-malware/> and here<http://nakedsecurity.sophos.com/2013/04/17/malware-boston-marathon-bombing/>).


The advice is to be careful when going online to search for information relating to breaking news events. Be sure to visit your regularly trusted news sources so that you can avoid web pages that contain malware, and be sure to delete email messages from unknown sources that claim to have the latest news on the events.



--------------------------------

2. Oracle Updates Java

--------------------------------


Oracle has released a critical patch update for Java Standard Edition (SE). Oracle recommends that customers apply the fixes as soon as possible. Release Java SE 7u21<http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html> includes 42 new and important security fixes.


Oracle has two products that implement Java SE<http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html>: Java SE Development Kit (JDK) 7 and Java SE Runtime Environment (JRE) 7. JDK 7 is a superset of JRE 7 and contains everything that is in JRE 7, plus tools such as the compilers and debuggers necessary for developing applets and applications.


Users running Java SE with a browser can download the latest release here<http://java.com/en/>. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.


Java 8 may be delayed<http://www.informationweek.com/security/application-security/oracle-delays-java-8-to-improve-java-7-s/240153185> while Oracle works out these issues with Java 7. The release group's focus suggests they will be releasing a stable, polished version of Java 8. The scheduled date for Java 8 is June 18, 2013.


---


In related Java news<http://www.zdnet.com/apples-latest-safari-updates-add-site-by-site-java-plugin-controls-7000014207/>, Apple's most recent update for Safari includes functionality that allows users to decide whether to enable the Java plug-in on a site-by-site basis. The new feature is available for the latest versions of Safari 5 and 6. Apple has also released an update for the Java browser plug-in that addresses 21 vulnerabilities in the browser and in Java.



--------------------------------------------------------------

3. Microsoft to Offer Two-Factor Authentication

--------------------------------------------------------------


Two-factor authentication is a security protocol designed to strengthen the restrictions on access to sensitive information, such as a bank account or a website with financial or personal information. It augments a password with a one-time code that's delivered either by text or generated in an authentication application.


According to a recent news article<http://arstechnica.com/security/2013/04/microsoft-rolls-out-standards-compliant-two-factor-authentication/>, Microsoft announced last week that it is rolling out this option to the 700 million Microsoft account users, confirming rumors. The feature works essentially identically to existing schemes already available for Google accounts.



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security


