[IS&T Security-FYI] SFYI Newsletter, March 10, 2014

Monique Buchanan myeaton at MIT.EDU
Mon Mar 10 17:29:15 EDT 2014


In this issue:

1. March 2014 Security Updates from Microsoft
2. Microsoft Offers Tool to XP Users to Assist with Upgrade
3. The Bitcoin Theft


---------------------------------------------------------------
1. March 2014 Security Updates from Microsoft
---------------------------------------------------------------

On Tuesday, March 11, Microsoft is releasing five new security bulletins<http://technet.microsoft.com/en-us/security/bulletin/ms14-mar>. Two of the bulletins are rated critical. Microsoft systems that will be affected:


  *   Windows (all current operating systems and servers)
  *   Internet Explorer (all supported versions)
  *   Microsoft Silverlight

It is recommended to accept the updates. MIT WAUS<http://ist.mit.edu/waus> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.

The patch for Internet Explorer will resolve a zero-day vulnerability (CVE-2014-0322<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Exploit:JS/CVE-2014-0322>) that was disclosed close to a month ago. Microsoft supplied a “fix-it” as a stopgap until a patch was ready.

Tuesday’s bulletins will also fix vulnerabilities in Windows, including for Windows XP, and these may be the last to be supplied by Microsoft for that operating system. Microsoft will no longer support Windows XP with security patches after April 8. (See more on the de-support of Windows XP in the story below.)

Read the full story in the news<http://threatpost.com/microsoft-to-patch-ie-10-zero-day-on-patch-tuesday/104653>.


------------------------------------------------------------------------------
2. Microsoft Offers Tool to XP Users to Assist with Upgrade
------------------------------------------------------------------------------

Microsoft is ending support for its popular operating system Windows XP on April 8; after that date, there will be no more security updates, leaving users vulnerable to flaws.

Starting this month, Microsoft offers a free migration tool called “PCmover Express” to help XP users ease their transition to a newer, more secure version of Windows. It copies files, music, email and user profiles and settings from a Windows XP computer to a new device running Windows 7, 8 or 8.1. It transfers data across a home or work network and allows users to customize exactly what they bring over. The free version does not migrate applications, but the maker of PCmover Express (Laplink) makes a migration app called PCmover Professional for XP Users<http://www.laplink.com/pcmoverexpressxpeol> which will transfer an unlimited number of applications to a new machine. It is being offered at a discounted price.

In addition, starting March 8, XP users on the Home or Professional editions who have elected to receive updates via Windows Update will see pop-ups reminding them of the impending deadline. The notification will link to Microsoft’s End of Support website<http://windows.microsoft.com/en-US/windows/end-support-help> where users will find the free PCmover Express software (available some time later this week), all the information they need on what end of support means, and how they can stay protected against security risks and viruses after April 8th.

Read the full story at Microsoft’s blog here<http://blogs.windows.com/windows/b/windowsexperience/archive/2014/03/03/new-windows-xp-data-transfer-tool-and-end-of-support-notifications.aspx>.


--------------------------
3. The Bitcoin Theft
--------------------------

Late last month, Bitcoin exchange Mt. Gox in Tokyo declared bankruptcy, claiming hackers had exploited a vulnerability in its transactions to steal 850,000 bitcoins (worth approximately $474 million). The flaw, called transaction malleability, had been known for a while, and it is possible that a malicious party could have taken advantage of it to withdraw funds.

It is also possible that funds were being mismanaged through the Mt. Gox exchange. Mt. Gox had problems for some time, as users complained that they had been unable to withdraw dollars from Mt. Gox for close to a year. The website has gone off-line as authorities look into the situation.

There is much suspicion among bitcoin users around the shutdown of the exchange. "I am extremely disappointed with the company but not surprised," said investor Kolin Burges in an email. "I am thoroughly disgusted by the company and the way they have ruined so many people's lives, as well as disgusted by their conduct through this whole situation. I will be doing anything I can to ensure that anyone at the company who was to blame for this faces justice for any crimes they might have committed. I will also do anything I can to investigate what was really going on there, but hopefully the courts and police of Japan will do a thorough job," said Burges.

The issue of the latest theft appears too small to shut down one of the largest bitcoin exchanges in the world. In the news recently, anonymous hackers claim to have evidence<http://www.theverge.com/2014/3/10/5489582/mt-gox-hackers-say-exchange-still-has-customers-bitcoins> that the bitcoins from Mt. Gox are not missing, but that customers were defrauded by Mt. Gox management.

The Bitcoin network has experienced major security breaches over the past year. November saw three major Bitcoin thefts. One involved more than $1 million in bitcoin<http://www.networkworld.com/news/2013/112513-bitcoin-robbery-276352.html> from Bitcoin Internet Payment Services, a Denmark-based exchange that promoted itself as Europe's biggest. Another was a heist involving about $1.4 million from Australian online wallet service Inputs.io<http://www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-service/>. The third was the disappearance of a Chinese Bitcoin exchange with more than $4 million in it<http://www.networkworld.com/community/blog/chinese-bitcoin-exchange-vanishes-along-bitcoins>, which revealed that exchange as a con. Since the Mt. Gox theft, Canadian Bitcoin bank Flexcoin announced it is going out of business<http://www.cbc.ca/news/business/bitcoin-bank-flexcoin-shuts-down-after-600-000-theft-1.2559018>, following a hack which saw 896 coins stolen.

Read the full story in the news here<http://www.computerworld.com/s/article/9246659/Bitcoin_exchange_Mt._Gox_files_for_bankruptcy_with_debts_of_63.6M?taxonomyId=17> and here<http://news.cnet.com/8301-1009_3-57619708-83/bitcoin-losses-spur-mt-gox-to-bankruptcy-filing/>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

"Distrust and caution are the parents of security" - Benjamin Franklin
