[IS&T Security-FYI] SFYI Newsletter, May 20, 2013

Monique Yeaton myeaton at MIT.EDU
Mon May 20 17:22:38 EDT 2013


In this issue:


1. SNMP Amplification Attacks on MIT Network

2. Software Patches for Adobe and Mozilla Products

3. Published by CSAIL, a Paper on Honeywords



---------------------------------------------------------------

1. SNMP Amplification Attacks on MIT Network

---------------------------------------------------------------


Simple Network Management Protocol (SNMP) refers to a standard Internet protocol that allows network managers to monitor and administer devices on IP networks. These devices typically include routers, switches, servers, workstations, printers, etc.


Last week an issue came to the attention of some IT administrators at MIT. It affects printers and similar devices on the MIT network that have SNMP enabled, causing slow or unreliable printing.


It appears that SNMP requests are being spoofed by hosts outside of MIT, targeting these devices on the network.


A way to fix the issue has been documented in the Knowledge Base<http://kb.mit.edu/confluence/display/istcontrib/2013-05-16+SNMP+amplification+attack>. If you have any questions or need additional help, please contact the IS&T Help Desk<http://ist.mit.edu/help>.



---------------------------------------------------------------------------

2. Software Patches for Adobe and Mozilla Products

---------------------------------------------------------------------------


Adobe


Adobe has issued security updates to address critical flaws in Reader, Acrobat, Flash Player and ColdFusion. The updates for Reader and Acrobat address a total of 27 vulnerabilities, 24 of which could be exploited to execute arbitrary code (malware). The updates for Flash address 13 vulnerabilities, and a hotfix for ColdFusion addresses two flaws.


Read the details in the news<http://www.computerworld.com/s/article/9239199/Adobe_releases_critical_security_updates_for_Reader_Flash_Player_and_ColdFusion>.


Mozilla


Mozilla has released Firefox 21, which addresses 13 security issues in the previous version of the browser. Firefox 21 also introduces a feature called "Health Report," which lets users see information about the browser's performance, including start-up times, total running time, and crashes, as well as the number of plug-ins, add-ons, and bookmarks. Mozilla has also released Firefox 21 for Android.


Read the details in the news<http://www.h-online.com/security/news/item/Mozilla-s-Firefox-update-fixes-three-critical-holes-1863449.html>.



----------------------------------------------------------------

3. Published by CSAIL, a Paper on Honeywords

----------------------------------------------------------------


No, this is not a paper on sweet talking, but on passwords. The paper<http://people.csail.mit.edu/rivest/pubs/JR13.pdf> (.pdf) published by Ari Juels and Ron Rivest, entitled "Honeywords: Making Password-Cracking Detectable," discusses a method for improving the security of hashed passwords, using what they call "honeywords," or false passwords.


An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. An auxiliary server (the "honeychecker") can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
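
The login flow described above, as an added sketch (not code from the paper or from IS&T). The class names, the PBKDF2 parameters, the single per-user salt and the sample honeywords are assumptions made for illustration; how honeywords are generated is not shown.

```python
import hashlib, hmac, os, random

def _hash(word: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256; the newsletter does not name a hash function.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 50_000)

class HoneyChecker:
    """Auxiliary server: holds only the index of each user's real password."""
    def __init__(self):
        self._index, self.alarms = {}, []

    def set(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def check(self, user: str, idx: int) -> bool:
        if self._index.get(user) == idx:
            return True
        self.alarms.append(user)   # a honeyword was submitted: raise the alarm
        return False

class LoginServer:
    """Stores hashes of the password and honeywords, never which one is real."""
    def __init__(self, checker: HoneyChecker):
        self.checker, self.table = checker, {}

    def register(self, user: str, password: str, honeywords: list[str]) -> None:
        if password in honeywords:
            raise ValueError("honeywords must differ from the password")
        words = honeywords + [password]
        random.SystemRandom().shuffle(words)   # hide the real entry's position
        salt = os.urandom(16)
        self.table[user] = (salt, [_hash(w, salt) for w in words])
        self.checker.set(user, words.index(password))

    def login(self, user: str, attempt: str) -> str:
        salt, hashes = self.table[user]
        h = _hash(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, i) else "alarm"
        return "wrong"   # ordinary mistyped password, no alarm

if __name__ == "__main__":
    checker = HoneyChecker()
    server = LoginServer(checker)
    # Constructed sample data; honeyword generation is out of scope here.
    server.register("alice", "tulip-Harbor-42", ["tulip-Harbor-17", "daisy-Harbor-42"])
    for attempt in ("tulip-Harbor-42", "typo", "daisy-Harbor-42"):
        print(attempt, "->", server.login("alice", attempt))
```

The login server's table alone does not reveal which entry is real; only the honeychecker's index does, so a stolen hash file gives no way to avoid tripping the alarm.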




===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

