[IS&T Security-FYI] SFYI Newsletter, June 2, 2014

Monique Buchanan myeaton at MIT.EDU
Mon Jun 2 14:44:04 EDT 2014


In this issue:

1. The eBay Data Breach
2. Sites Hosted by WordPress Can Be Hijacked
3. TrueCrypt Retired?
4. Signs of a Compromised MIT Account



----------------------------------
1. The eBay Data Breach
----------------------------------

On May 21 eBay announced that it suffered a major data breach, exposing personal data of up to 233 million registered users. The company is now being investigated by three states with a joint probe into its security practices.

eBay has been criticized for taking three months to notice the breach and then a few more weeks before making an announcement. No mass email was sent, but they did post a warning to their website, originally with a “learn more” link that led to a blank page (now fixed).

eBay is telling all customers to reset their password<http://www.ebay.com/reset?_trkparms=clkid%3D7201697038475507917>. If members used their password at other sites, they should change their passwords for those sites as well.

The data was stolen via a number of compromised employee credentials, according to eBay. The thieves were then able to access the company’s corporate network.

What did the thieves get? There was no financial or other confidential personal information in the compromised database. But the thieves did get hold of real names, email addresses, phone numbers and home addresses of customers in addition to their passwords, which were encrypted.

Read the story in the news here<http://www.techrepublic.com/article/the-ebay-data-compromise-what-you-need-to-know/> and here<http://www.fool.com/investing/general/2014/05/27/ebay-data-breach-response-teaches-everyone-how-not.aspx>.


---------------------------------------------------------------
2. Sites Hosted by WordPress Can Be Hijacked
---------------------------------------------------------------

If you run a WordPress site that is hosted by wordpress.com<http://wordpress.com>, be careful about logging in from public wifi or another unsecured network. The site could be hijacked even if two-factor authentication is in place.

The WordPress servers send the login cookie over unencrypted HTTP, so anyone who captures it on the network can replay it to bypass the login requirements and gain access to the account holder's information with the account holder's privileges. WordPress sites self-hosted on servers with full HTTPS support are not vulnerable to the attack.

According to this article<http://arstechnica.com/security/2014/05/unsafe-cookies-leave-wordpress-accounts-open-to-hijacking-2-factor-bypass/>, a fix is scheduled for the next WordPress release.
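The weakness above comes down to a login cookie that the browser will send over plain HTTP. The following added example (not code from WordPress or the newsletter) audits Set-Cookie response headers for that condition; the header lines are constructed, and the cookie name only resembles the one WordPress core uses.

```python
"""Audit Set-Cookie headers for session cookies a browser would transmit over
plain HTTP (no Secure attribute) or expose to scripts (no HttpOnly).
Added example; header lines below are constructed, not captured from a site."""
from http.cookies import SimpleCookie

# Constructed sample responses. The first matches the weak pattern described in
# the article (login cookie usable over plaintext HTTP); the second is hardened.
WEAK_HEADERS = [
    "Set-Cookie: wordpress_logged_in=alice%7Cabc123; Path=/; HttpOnly",
]
HARDENED_HEADERS = [
    "Set-Cookie: wordpress_logged_in=alice%7Cabc123; Path=/; Secure; HttpOnly",
]


def audit_cookies(header_lines):
    """Return {cookie_name: [findings]} for every Set-Cookie header given."""
    findings = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        for cookie_name, morsel in jar.items():
            issues = []
            # Without Secure the browser sends the cookie on http:// requests,
            # where anyone on the same open wifi can capture and replay it.
            if not morsel["secure"]:
                issues.append("missing Secure: sent over plain HTTP")
            # Without HttpOnly any injected script can read the cookie.
            if not morsel["httponly"]:
                issues.append("missing HttpOnly: readable by page scripts")
            findings[cookie_name] = issues
    return findings


def exposed_over_http(header_lines):
    """True if any cookie in the response would travel over plaintext HTTP."""
    return any("missing Secure" in issue
               for issues in audit_cookies(header_lines).values()
               for issue in issues)


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_cookies(headers))
```

Note that Secure only protects the cookie in transit; the server must also refuse to act on the cookie when it arrives over HTTP, which is what a site served entirely over HTTPS achieves.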


-----------------------------
3. TrueCrypt Retired?
-----------------------------

The TrueCrypt open source encryption project<http://truecrypt.sourceforge.net/> has ceased operations after issuing a warning on the site that the software is no longer secure. The site includes instructions for users to migrate to BitLocker and for decrypting files that were encrypted by TrueCrypt on the various platforms (Mac, Windows and Linux).

The TrueCrypt website mentions that development stopped in May 2014 after Microsoft stopped supporting Windows XP. The reasons given, as well as those not given, are baffling some security experts. Some are positing that the company received a National Security Letter and is doing what Lavabit did<http://www.newyorker.com/online/blogs/closeread/2013/08/the-nsa-and-its-targets-lavabit-shuts-down.html> to avoid disclosing customer data. Others have suggested that it might be a hoax or an attack, or that the TrueCrypt developers found an overwhelming vulnerability. Another observer believes that the product will be available in the future<https://www.grc.com/misc/truecrypt/truecrypt.htm>, but under a different name and ownership. Earlier this year, TrueCrypt came under audit<http://istruecryptauditedyet.com/>, and the project is currently in its second phase of formal cryptanalysis. TrueCrypt is also the encryption tool endorsed by Edward Snowden<http://www.wired.com/2014/05/truecrypt/>.

There are alternatives to using TrueCrypt. IS&T at MIT offers PGP Full Disk Encryption for Windows and supports FileVault on the Mac: see full information on these products in the KB<http://kb.mit.edu/confluence/x/HZIBCQ>.

These articles offer additional alternatives:


  *   PC World<http://www.pcworld.com/article/2304851/so-long-truecrypt-5-encryption-alternatives-that-can-lock-down-your-data.html>
  *   ghacks.net<http://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/>
  *   techshout.com<http://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/>

Read the story in the news here<http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/> and here<http://arstechnica.com/security/2014/05/truecrypt-security-audit-presses-on-despite-developers-jumping-ship/>.


------------------------------------------------------
4. Signs of a Compromised MIT Account
------------------------------------------------------

When the IS&T Security Team receives notices of spam coming from MIT, one of the things we do is verify that the emails actually came from an MIT account. If not, we ask people to block or just delete these emails. To be sure people are staying aware of bogus emails, we remind people that MIT will never ask for personal information or ask our constituents to verify their account information via email.

It happens at times that unwanted messages DO come from an MIT email account. If so, the next question is whether the messages were sent deliberately (misuse of a mailing list, for example) or whether the email account was hacked (compromised).

In the case of a compromised MIT account, the spammers have taken over the use of the account by logging in to the account as that user. They have the user’s email address and password and are able to send out messages pretending to be the account holder. This makes it trickier to prevent emails from arriving in our inboxes, because our servers will not block emails coming from within MIT.

Before responding to these emails by messaging the sender, be aware that the legitimate account holder has nothing to do with the spam being sent. A reply to their spam will also likely not be received by the account holder, but by another email account because the sender has modified the “reply-to” field.

There are a few indicators in full email headers that the message was sent by a spammer using a compromised MIT account. Find out how to spot the signs<http://kb.mit.edu/confluence/x/uF8YCQ>.
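As an added illustration of the header triage described above (this is example code, not the KB article's procedure or any IS&T tool), the script below parses a constructed message and reports two of the signs discussed: a Reply-To that redirects replies away from the claimed sender, and a first hop showing the message was handed to an institutional relay by an authenticated session, which points to a compromised account rather than an outside spoof. All hostnames, addresses and IPs are placeholders.

```python
"""Triage a raw email for signs it was sent through a compromised account.
Added example with constructed headers; hostnames and addresses are
placeholders, not real MIT infrastructure."""
import re
from email import message_from_string
from email.utils import parseaddr

INSTITUTION_DOMAIN = "mit.edu"  # domain whose accounts we are checking

# Constructed sample: From claims an institutional address, the first hop shows
# an authenticated submission (Postfix logs this as ESMTPSA) from an outside
# IP to an institutional relay, and Reply-To points somewhere else entirely.
SAMPLE_MESSAGE = """\
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay-placeholder.mit.edu (Postfix) with ESMTPSA id 4F9A2
\tfor <victim@example.org>; Mon,  2 Jun 2014 09:12:33 -0400 (EDT)
From: "Jane Doe" <jdoe@mit.edu>
Reply-To: jane.doe.refund@webmail.example.net
To: undisclosed-recipients:;
Subject: Urgent: verify your account
Message-ID: <placeholder-0001@relay-placeholder.mit.edu>

Please confirm your password at the link below.
"""


def triage(raw):
    """Return a list of human-readable findings for the raw message."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    if reply_addr and reply_domain != from_domain:
        findings.append(f"reply-to redirected to {reply_domain}")
    # Received headers are prepended by each hop, so the last one in the list
    # is the first hop: where the message entered the mail system.
    received = msg.get_all("Received", [])
    first_hop = received[-1] if received else ""
    by_host = re.search(r"\bby\s+([\w.-]+)", first_hop)
    via_institution = bool(by_host and
                           by_host.group(1).lower().endswith("." + INSTITUTION_DOMAIN))
    authenticated = bool(re.search(r"\bwith\s+E?SMTPS?A\b", first_hop))
    if from_domain == INSTITUTION_DOMAIN and via_institution and authenticated:
        findings.append("authenticated submission via institutional relay: "
                        "account likely compromised, not spoofed")
    elif from_domain == INSTITUTION_DOMAIN:
        findings.append("claims institutional sender but entered from outside: likely spoofed")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        findings.append("recipients hidden (bulk send)")
    return findings
```

Because a message flagged as a compromised-account submission really did pass through the institution's own servers, a sender-domain block will not stop it; the remedy is resetting the account's credentials, not filtering the domain.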



=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


