[IS&T Security-FYI] SFYI Newsletter, August 29, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Aug 29 15:21:29 EDT 2011


In this issue:

1. Apache Warns of Denial-of-Service Attack Vulnerability
2. Browsers with Updates
3. Security Breach at Yale Exposes 43,000 People's Data
4. Best Practices for Securing Your Home Network

=============================================

1. Apache Warns of Denial-of-Service Attack Vulnerability

=============================================


A warning has been issued to owners of websites powered by the Apache web server software about a vulnerability that can be exploited with a relatively low number of requests directed at the server to cause a denial-of-service condition. A tool to exploit the vulnerability, called "Apache Killer", has been released on the Internet.


The vulnerability was originally identified over four years ago and affects servers running all versions in the 1.3 and 2.0 releases. A patch for the vulnerability should be released by the evening of August 26, but because release 1.3 is no longer supported, the patch will apply only to versions 2.0 and 2.2.


Read the full story here:

<http://www.theregister.co.uk/2011/08/24/devastating_apache_vuln/>


or here:

<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool>


Apache developers posted an official advisory:

<http://article.gmane.org/gmane.comp.apache.announce/58>


[Article source: SANS.org]



====================

2. Browsers with Updates

====================


On August 23, 2011, Google released Chrome 13.0.782.215 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to review the Google Chrome Releases page and update to Chrome 13.0.782.215 to help mitigate the risks.


Google Chrome Releases: <http://googlechromereleases.blogspot.com/2011/08/stable-channel-update_22.html>


On August 17, 2011, the Mozilla Foundation released Firefox 6 and Firefox 3.6.20 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or obtain sensitive information. US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 6 and Firefox 3.6.20 and apply any necessary updates to help mitigate the risks.


NOTE to MIT: IS&T is not yet supporting Firefox 6 and is in the process of testing IS&T supported applications to make sure they are compatible with the newest version of Firefox. If you rely on MIT administrative browser-based software, you are advised to WAIT to upgrade to Firefox 6.


Security Advisories for Firefox: <http://www.mozilla.org/security/known-vulnerabilities/firefox.html>



=============================================

3. Security Breach at Yale Exposes 43,000 People's Data

=============================================


Yale University notified about 43,000 staff, students and alumni that their personal data, including their names and Social Security numbers, were publicly available on an FTP server. The breach occurred when the sensitive personal data stored on the FTP server became publicly available after Google changed, in September 2010, how its search engine indexes and finds FTP servers. Yale personnel were not aware of this change and discovered the breach in June of this year.


The breach impacts anyone affiliated with Yale University in 1999.  Yale has "secured" the file and Google has confirmed it no longer stores the data.


Read the full story:

<http://www.yaledailynews.com/news/2011/aug/17/yale-affiliates-ssns-were-searchable-google/>



========================================

4. Best Practices for Securing Your Home Network

========================================


The National Security Agency (NSA) just released a useful guide called "Best Practices for Securing Your Home Network" that goes beyond home networks and wireless to cover email and traveling with mobile devices and more.  It's worth making copies and distributing to your co-workers and employees.  What makes it particularly useful is that it reflects the real-world knowledge of the NSA Blue Teams and Red Teams. On the back page are references to five additional guides: Social Networking, Defense Against Drive By Downloads, Defense Against Malicious E-mail Attachments, Mac OSX 10.6 Hardening Tips, and Data Execution Prevention.


You'll find it at the NSA web site:

<http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf>


===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================

Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

