[IS&T Security-FYI] SFYI Newsletter, April 22, 2013

Monique Yeaton myeaton at MIT.EDU
Mon Apr 22 14:05:13 EDT 2013


In this issue:


1. Hackers Exploiting Recent Breaking News Stories

2. Oracle Updates Java

3. Microsoft to Offer Two-Factor Authentication



----------------------------------------------------------------------

1. Hackers Exploiting Recent Breaking News Stories

----------------------------------------------------------------------


Unfortunately, despite all the good that can come out of a horrendous situation, there can also be some disturbingly negative responses. Cyber criminals once again took advantage of last week's news stories to spread malware.


The criminals are using the population's interest in finding information related to the Boston Marathon bombing and the explosion at the Texas fertilizer plant to catch you unawares. Links to videos on YouTube may seem harmless enough, but the linked web page attempts to pull in malicious content from another site, designed to infect your computer (see examples here<http://nakedsecurity.sophos.com/2013/04/18/waco-explosion-malware/> and here<http://nakedsecurity.sophos.com/2013/04/17/malware-boston-marathon-bombing/>).


The advice is to be careful when going online to search for information relating to breaking news events. Be sure to visit your regularly trusted news sources so that you can avoid web pages that contain malware, and be sure to delete email messages from unknown sources that claim to have the latest news on the events.



--------------------------------

2. Oracle Updates Java

--------------------------------


Oracle has released a critical patch update for Java Standard Edition (SE). Oracle recommends that customers apply the fixes as soon as possible. Release Java SE 7u21<http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html> includes 42 new and important security fixes.


Oracle has two products that implement Java SE<http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html>: Java SE Development Kit (JDK) 7 and Java SE Runtime Environment (JRE) 7. JDK 7 is a superset of JRE 7 and contains everything that is in JRE 7, plus tools such as the compilers and debuggers necessary for developing applets and applications.


Users running Java SE with a browser can download the latest release here<http://java.com/en/>. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.


Java 8 may be delayed<http://www.informationweek.com/security/application-security/oracle-delays-java-8-to-improve-java-7-s/240153185> while Oracle works out these issues with Java 7. The release group's focus suggests they will be releasing a stable, polished version of Java 8. The scheduled date for Java 8 is June 18, 2013.


---


In related Java news<http://www.zdnet.com/apples-latest-safari-updates-add-site-by-site-java-plugin-controls-7000014207/>, Apple's most recent update for Safari includes functionality that allows users to decide whether to enable the Java plug-in on a site-by-site basis. The new feature is available for the latest versions of Safari 5 and 6. Apple has also released an update for the Java browser plug-in that addresses 21 vulnerabilities in the browser and in Java.



--------------------------------------------------------------

3. Microsoft to Offer Two-Factor Authentication

--------------------------------------------------------------


Two-factor authentication is a security protocol designed to strengthen access restrictions on sensitive information, such as a bank account or a website with financial or personal information. It augments a password with a one-time code that is either delivered by text message or generated in an authentication application.


According to a recent news article<http://arstechnica.com/security/2013/04/microsoft-rolls-out-standards-compliant-two-factor-authentication/>, Microsoft announced last week, confirming rumors, that it is rolling out this option to the 700 million Microsoft account users. The feature works essentially identically to existing schemes already available for Google accounts.



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

