[IS&T Security-FYI] SFYI Newsletter, August 19, 2014

Monique Buchanan myeaton at mit.edu
Tue Aug 19 11:45:17 EDT 2014


In this issue:

1. Microsoft Security Updates for August 2014
2. Over a Billion Stolen Credentials Amassed
3. Improved Security for Internet Explorer


-------------------------------------------------------------
1. Microsoft Security Updates for August 2014
-------------------------------------------------------------

On Tuesday of last week, Microsoft issued nine security bulletins<https://technet.microsoft.com/library/security/ms14-aug> to address a total of 37 security issues in its products. The bulletins include a cumulative update for Internet Explorer (IE) and fixes for vulnerabilities in Windows, Office, SharePoint Server, SQL Server software, and .NET Framework.

One of the critical patches remediates the bulk of the vulnerabilities, including 26 bugs in IE, of which the most severe could allow remote code execution (RCE). The patch fixes IE 6 through 11. Next month a new security feature will be added to IE to deal with many of these repeat vulnerabilities. See the article on “Improved Security for Internet Explorer” in this newsletter below.

Read the full story in the news<http://www.scmagazine.com/on-patch-tuesday-microsoft-releases-nine-patches-for-37-bugs/article/365944/>.


------------------------------------------------------------
2. Over a Billion Stolen Credentials Amassed
------------------------------------------------------------

Earlier this month, the NY Times reported<http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html> that a Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is a concern among the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery, however, prompts security experts to call for improved identity protection on the web.

Read the full story online<http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html>.

As a result of the large number of usernames and passwords that have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to prevent hackers from getting into his online accounts. He contacted all of the companies with which he does online financial transactions to find out if they support multi-factor authentication. He writes about his experience here<http://www.nytimes.com/2014/08/09/your-money/how-to-thwart-hackers-from-financial-accounts.html>.

If you are concerned about your online accounts and whether they are secure enough, you may want to take some similar steps or be proactive in other ways. One suggestion I would make — until all companies offer multi-factor authentication<http://twofactorauth.org/> — is to update your passwords on a regular basis and manage them using a password storage manager, either LastPass, 1Password or KeePass.


-------------------------------------------------------
3. Improved Security for Internet Explorer
-------------------------------------------------------

On September 9, 2014, Internet Explorer will gain a new security feature called “out-of-date ActiveX control blocking.” ActiveX controls are apps that let Web sites provide content, like videos and games, and also let you interact with content such as toolbars. Unfortunately, many ActiveX controls are not automatically updated. Malicious and compromised Web pages can target outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.

The new feature works with IE 8 through IE 11 on Windows 7 SP1 and up, and on Windows Server 2008 SP1 and up. As of September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue their existing behavior.

More information about outdated ActiveX control blocking<http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


