[IS&T Security-FYI] SFYI Newsletter, April 29, 2014

Monique Buchanan myeaton at MIT.EDU
Tue Apr 29 14:48:08 EDT 2014


In this issue:

1. Zero-Day Targets Internet Explorer
2. Apple Addresses “Triple Handshake” Bug
3. Password Security is a Problem


--------------------------------------------------
1. Zero-Day Targets Internet Explorer
--------------------------------------------------

In a security advisory<https://technet.microsoft.com/en-US/library/security/2963983> released late last week, Microsoft warns users of limited, targeted attacks attempting to exploit a vulnerability in Internet Explorer 6 through Internet Explorer 11. The vulnerability affects all of those versions, although the observed attacks target only IE9 through IE11.

The vulnerability has not been patched and is considered a significant zero-day threat<http://en.wikipedia.org/wiki/Zero-day_virus>, as the vulnerable versions of IE represent about a quarter of the total browser market. We recommend applying Microsoft's patch as soon as it is available.

To read the details of how this exploit can occur, see this article<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>.

What you can do to protect your computer:

1. One mitigation is to download and install Microsoft’s Enhanced Mitigation Experience Toolkit<http://www.microsoft.com/en-us/download/details.aspx?id=41138> (EMET), a free tool that can strengthen security on Windows. Note that EMET 3.0 does not mitigate this attack; users should rely on EMET 4.1. Krebs on Security discusses EMET here<http://krebsonsecurity.com/tag/enhanced-mitigation-experience-toolkit/>.

2. Because the attack will not work without Adobe Flash, disabling the Flash plugin within IE<http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921/> will prevent the exploit from functioning.

3. According to FireEye, the security firm that discovered the vulnerability, Enhanced Protected Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default. This article shows how to enable EPM in IE<http://www.thewindowsclub.com/enhanced-protected-mode-internet-explorer-10>.

4. The fourth option is to use another browser until a patch has been released.


----------------------------------------------------------
2. Apple Addresses “Triple Handshake” Bug
----------------------------------------------------------

Last Tuesday, April 22, Apple released iOS 7.1.1 to address 19 flaws in the mobile operating system, including a critical flaw in the secure transport mechanism that could be exploited with "triple handshake" attacks to expose user data.

Apple also released Security Update 2014-002<http://support.apple.com/kb/HT6207> with updates for OS X Lion (10.7.x), Mountain Lion (10.8.x), and Mavericks (10.9.x) to address a number of flaws, including the triple handshake bug.

Users should update as soon as possible.

Read more about the Apple updates here<http://arstechnica.com/security/2014/04/iphones-and-macs-get-fix-for-extremely-critical-triple-handshake-crypto-bug/>.

What is the Triple Handshake Bug?<http://blog.cryptographyengineering.com/2014/04/attack-of-week-triple-handshakes-3shake.html>


----------------------------------------------
3. Password Security is a Problem
----------------------------------------------

As we have learned from the Heartbleed Bug and from years of brute-force attacks on systems containing log-in credentials, the risk to passwords is still great.

But passwords fall into criminals' hands in ways other than attacks on a database or web server. 40% of people use one of the 100 most common passwords, which makes it very easy for intruders to access your online accounts and steal your identity.

As it happens, April is also Records and Information Management month, so now is a good opportunity to spread awareness about password security. Here is an infographic to get you started<http://www.singlehop.com/blog/infographic-your-password-is-obsolete/>.

The graphic mentions two-step verification, which is the same as two-factor or multi-factor authentication<http://en.wikipedia.org/wiki/Two-step_verification>. This verification technique is something that IS&T is looking to implement in the near future, so stay tuned.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20140429/ba08cdc8/attachment.htm


More information about the ist-security-fyi mailing list