[IS&T Security-FYI] SFYI Newsletter, February 25, 2014

Monique Buchanan myeaton at MIT.EDU
Tue Feb 25 10:24:19 EST 2014


In this issue:

1. Apple Releases Critical Security Update
2. Microsoft Releases Security Advisory on Internet Explorer
3. Upcoming Event: Sophos and Sophos Reporting on March 6th
4. The University of Maryland Data Breach


---------------------------------------------------------
1. Apple Releases Critical Security Update
---------------------------------------------------------

Late last week, Apple released a security update<http://support.apple.com/kb/ht1222> for its iOS mobile operating system to address a flaw in its SSL/TLS implementation.

SSL (Secure Sockets Layer) is part of the TLS (Transport Layer Security) protocol and is used to encrypt sensitive information, often in a browser, as it traverses the Internet. The flaw, as described by Apple, can allow "an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS."

In other words, the flaw makes it easy for bad actors to create fake websites that look like sites users trust, such as banking sites, and to grab information that the users send to those sites.

Apple has not yet fixed this flaw on laptops or desktops, although an update is expected to be released very soon.

It is recommended that all iOS users update their devices to iOS 7.0.6 or iOS 6.1.6 as soon as possible. This is not one you want to wait on. Information on how to update your iPhone, iPod touch, and iPad can be found on Apple's website [http://support.apple.com/kb/ht4623].

Note: iOS 6.1.6 is only available for devices that cannot run iOS 7. If you have the original iPad and iPhone 3GS or earlier versions of the iPod touch, you will install iOS 6.1.6. All other models of the iPhone, iPad, and iPod that have the ability to run iOS 7 must upgrade to iOS 7.0.6 to get the fix.

Those that need assistance updating their iOS device should contact their local IT support liaison or the IS&T Help Desk [http://ist.mit.edu/help].

Read the story in the news<http://www.washingtonpost.com/business/technology/apples-security-bug-what-to-know-about-it-and-what-to-do-about-it/2014/02/24/b59404e4-9d59-11e3-9ba6-800d1192d08b_story.html>.


--------------------------------------------------------------------------------
2. Microsoft Releases Security Advisory on Internet Explorer
--------------------------------------------------------------------------------

Microsoft released Security Advisory 2934088<http://technet.microsoft.com/security/advisory/2934088> - Vulnerability in Internet Explorer Could Allow Remote Code Execution - on February 19th.

A vulnerability in Internet Explorer 9 and 10 is subject to exploit. According to the advisory, an attacker could host a specially crafted website, convince a user to view the website and exploit the vulnerability if the site is viewed in Internet Explorer.

There is no current patch for this vulnerability, and Microsoft has not yet scheduled one, but they may provide a solution through the monthly security update release process or an out-of-cycle update. They do offer a temporary stopgap “fix it” measure<https://support.microsoft.com/kb/2934088>, allowing affected services to go into restricted mode to block attacks.

Microsoft recommends that users avoid clicking on unsolicited links. It is also a good idea to use an alternative browser until the issue has been permanently fixed.

Read the full story in the news<http://www.scmagazine.com//microsoft-issues-temporary-fix-for-ie-zero-day-targeting-service-members/article/334929/>.



---------------------------------------------------------------------------------------
3. Upcoming Event: Sophos and Sophos Reporting on March 6th
---------------------------------------------------------------------------------------

The IT Partners planning team has announced its next luncheon. Andrew Munchbach from the Security Operations team will discuss MIT's anti-virus software, Sophos<http://ist.mit.edu/sophos>, as well as running reports from Sophos.

Please join us on Thursday March 6 at 12:00 in Marlar Lounge (37-252<http://whereis.mit.edu/?go=37>).

Lunch will be served at noon, and the discussion will begin promptly at 12:15. Please confirm if you plan to attend by sending email to rsvp-itpartners at mit.edu.


---------------------------------------------------------
4. The University of Maryland Data Breach
---------------------------------------------------------

University of Maryland President Wallace D. Loh has disclosed a breach<http://www.umd.edu/datasecurity/> of a university database that compromised personal information of more than 300,000 students and staff members.

The incident affects anyone who was associated with the university's College Park and Shady Grove campuses dating back to 1998. The exposed data include birth dates, Social Security numbers (SSNs) and school ID numbers, but not financial, academic, or health data.

Forensic investigators are examining the breached files and logs. University CIO Brian Voss said the intruder copied the information in the database.

Read the full story in the news<http://news.cnet.com/8301-1009_3-57619169-83/data-breach-at-university-of-maryland-exposes-300k-records/>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

"Distrust and caution are the parents of security" - Benjamin Franklin
