[IS&T Security-FYI] SFYI Newsletter, November 1, 2011

Monique Yeaton myeaton at MIT.EDU
Tue Nov 1 14:09:46 EDT 2011 

In this issue:


1. McAfee Issues Hotfix for Apple FileVault Users

2. Multiple Certificate Authorities Breached

3. Tip of the Week: Malware and Websites



--------------------------------------------------------------

1. McAfee Issues Hotfix for Apple FileVault Users

--------------------------------------------------------------


McAfee has released a hotfix for its Security Suite 1.1 for Mac product to address a potential conflict with Apple's FileVault encryption system. The conflict, which affects machines running Mac OS X 10.5 (Leopard) and 10.6 (Snow Leopard), can cause systems to become unresponsive after a user logs in.


IS&T recommends that all those utilizing FileVault and McAfee Security Suite 1.1 concurrently apply hotfix HF688476<https://downloads.mit.edu/released/mcafee/McAfee-Security-for-Mac-Anti-malware-1.1-1321-HF688476.dmg>.


A similar note has been posted to IS&T's McAfee Security Suite product page<http://ist.mit.edu/services/software/macsecurity/1x>.


For assistance with McAfee Security Suite, contact the Help Desk at 617.253.1101 or helpdesk at mit.edu<mailto:helpdesk at mit.edu>. You can also submit a request online<http://ist.mit.edu/support#form>.


Those using plain-text email can view the formatted announcement in Hermes: http://kb.mit.edu/confluence/x/AoD1Aw.



------------------------------------------------------

2. Multiple Certificate Authorities Breached

------------------------------------------------------


Since June 2011 at least four certificate authorities have been compromised, adding to the 14 total, according to research from the Electronic Frontier Foundation (EFF). There are more than 600 authorities, and the breadth of the situation raises questions about the long term security of the technology.


EFF questions the strength of HTTPS in its blog article, "How secure is HTTPS today?"<https://www.eff.org/deeplinks/2011/10/how-secure-https-today>  They warn that even when websites do everything right, there are a lot of ways to break HTTPS / TLS / SSL.


The biggest and most highlighted breach occurred in September with DigiNotar, a Dutch certificate authority. Browser and operating system vendors have since released patches to plug the vulnerability.



------------------------------------------------------

3. Tip of the Week: Malware and Websites

------------------------------------------------------


WordPress, Joomla!, ExpressionEngine and Drupal are examples of applications that enable website owners to build websites using templates and other handy features. These sites can often require little to no coding by a developer. They are managed by the web master or the content authors through a portal requiring a username and password. Once logged in, they can add or edit content, pages and images, as well as change some of the design elements of the site.


Users of such site builders want to be aware of the vulnerabilities that hackers take advantage of, to embed malware on to the site or to use the site to send out spam.


Sophos recently found a vulnerability<http://nakedsecurity.sophos.com/2011/09/19/malware-wordpress-installations/> that allows malicious code to inject itself into the PHP code used on some websites running WordPress. If these sites were visited when running Internet Explorer, the visitor could be exposing him or herself to a malware attack. Other such hacks, that take advantage of vulnerabilities in browsers or the site software, are not uncommon.


Top recommendations for protection:


 *   Choose strong passwords<http://kb.mit.edu/confluence/x/3wNt> and do not use the password on any other sites.
 *   Do a regular auditing of the site, to ensure there have not been any unauthorized changes to the code.
 *   Be sure to take the website software's latest updates when they become available.


Educate yourself if you are such a site user. Courses can be found through the software's support pages or through online courses offered by training resources such as Lynda.com. MIT community members can use Lynda.com for free through lynda.mit.edu<http://lynda.mit.edu> (requires an MIT certificate). Search on the topic "secure sites."



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20111101/6268b437/attachment.htm

More information about the ist-security-fyi mailing list