[IS&T Security-FYI] SFYI Newsletter, March 17, 2014

Monique Buchanan myeaton at MIT.EDU
Mon Mar 17 14:21:30 EDT 2014


In this issue:

1. OUCH! Newsletter on Windows XP De-Support
2. The Weakness of Passwords
3. For Fun: Help Desk
4. The Story Behind the Breach at Target, Inc.


-------------------------------------------------------------------
1. OUCH! Newsletter on Windows XP De-Support
-------------------------------------------------------------------

The March issue of OUCH! explains why Microsoft is ending support for Windows XP on April 8th.  Learn what this means to people and the steps they can take to protect themselves. Please download and share OUCH! with others.

Download the Issue<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201403_en.pdf> (PDF)


-------------------------------------------
2. The Weakness of Passwords
-------------------------------------------

Hold Security, the same security firm that discovered the online circulation of 153 million user names and passwords during last year’s Adobe breach, has tracked almost 360 million compromised login credentials for sale in underground crime forums<http://arstechnica.com/security/2014/02/360-million-recently-compromised-passwords-for-sale-online/>. The find, which also included about 1.25 billion records containing only email addresses, came from multiple breaches; the 360 million credentials are believed to be user names with their corresponding passwords.

The find is big enough that it likely came from hacks on poorly secured Web servers that store large caches of user credentials.

The risk is biggest for users who choose the same password for multiple services. Once an attacker has someone’s email address and password for one site, the credentials can be used to compromise every other account that uses the same user name and password.
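From the service's side, a replayed breach list looks like one source trying many different accounts in quick succession, most of them failing and a few succeeding where a password was reused. As an added example (not code from the newsletter or the linked articles), the following detector runs that heuristic over constructed login records; the log format, IP addresses, user names and thresholds are all assumptions made for this illustration.

```python
# Added example (not from the newsletter or the linked articles): a credential-stuffing
# detector run over constructed login records. The log format, IP addresses, user names
# and thresholds are all assumptions made for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<ISO timestamp> <source IP> <user> <OK|FAIL>".
# 198.51.100.7 tries ten different accounts in six seconds and succeeds on two of them,
# which is what a replayed breach list looks like from the victim site's side.
# 203.0.113.9 hammers a single account (a brute force, not stuffing) and 192.0.2.33 is
# an ordinary login.
SAMPLE_LOG = """\
2014-03-17T09:00:01 198.51.100.7 alice FAIL
2014-03-17T09:00:02 198.51.100.7 bob FAIL
2014-03-17T09:00:02 198.51.100.7 carol FAIL
2014-03-17T09:00:03 198.51.100.7 dave FAIL
2014-03-17T09:00:03 198.51.100.7 erin FAIL
2014-03-17T09:00:04 198.51.100.7 frank FAIL
2014-03-17T09:00:04 198.51.100.7 grace OK
2014-03-17T09:00:05 198.51.100.7 heidi FAIL
2014-03-17T09:00:05 198.51.100.7 ivan FAIL
2014-03-17T09:00:06 198.51.100.7 judy OK
2014-03-17T09:05:00 203.0.113.9 alice FAIL
2014-03-17T09:05:20 203.0.113.9 alice FAIL
2014-03-17T09:05:45 203.0.113.9 alice OK
2014-03-17T09:10:00 192.0.2.33 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try at least `min_users` distinct accounts within `window`
    with a failure ratio of at least `min_fail_ratio`. Any success inside such a burst
    is a likely reused password and is reported so the account can be locked and reset.
    Returns {ip: {"distinct_users", "attempts", "failures", "successful_logins"}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most `window` of time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                current = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "successful_logins": sorted({u for _, u, ok in win if ok}),
                }
                # keep the widest burst seen for this IP
                if ip not in findings or current["distinct_users"] > findings[ip]["distinct_users"]:
                    findings[ip] = current
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

Only 198.51.100.7 is reported, with grace and judy as the accounts whose reused passwords worked; the single-account brute force from 203.0.113.9 is deliberately left to a separate per-account lockout rule, since the signal here is breadth across accounts, not depth on one.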

This Ars Technica article covers the essentials of online safety, including lying on security questions, using random characters, and using a password manager<http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/>.

Learn about best password practices for MIT<http://kb.mit.edu/confluence/x/3wNt>.


------------------------------
3. For Fun: Help Desk<http://www2.navarrocollege.edu/facultystaff/staff_pages/mrobinson/shared/images/Help_Desk_05.jpg>
------------------------------


-------------------------------------------------------------
4. The Story Behind the Breach at Target, Inc.
-------------------------------------------------------------

Businessweek.com has written an in-depth article and posted a video<http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data> explaining how Target Stores were breached and their systems infected with malware, leading to one of the biggest data thefts in retail history. According to the investigation conducted after the discovery of the theft, Target employees failed to respond to several alerts made by their security system, provided by FireEye. Had Target security staff responded appropriately to the alarms, they could have prevented the transmission of the stolen credit card data.

Even without human intervention, the breach could have been stopped, according to the article. “The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off.” While disabling automatic removal is not unusual, it puts the burden on the security team to find and neutralize infected computers quickly.

It was clear, according to the article, that Target was getting warnings of a serious compromise: even the company’s Symantec antivirus system identified suspicious behavior over several days around Thanksgiving, pointing to the same server that FireEye had identified.
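The detail worth taking away is that two independent products pointed at the same server and nobody acted. As an added example (not code from Businessweek, Target, FireEye or Symantec), the following correlates constructed alert records from two sources by host and escalates any host that both sources flag within a short window; the host names, product labels, timestamps and the correlation window are assumptions for this illustration.

```python
# Added example, not from the article or any vendor: correlate alerts from two independent
# products by host and escalate where they corroborate each other. Hosts, product labels,
# timestamps and the correlation window are assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert records as (timestamp, product, host, message). "fireeye" and "antivirus"
# are stand-in labels for two independent detection products.
CONSTRUCTED_ALERTS = [
    ("2013-11-28T23:05:00", "antivirus", "srv-pos-12", "suspicious behavior: unexpected process writing to share"),
    ("2013-11-30T02:14:00", "fireeye",   "srv-pos-12", "malware.binary: callback to external host"),
    ("2013-11-30T02:16:00", "fireeye",   "srv-pos-12", "malware.binary: new binary dropped"),
    ("2013-12-01T08:00:00", "antivirus", "srv-pos-12", "suspicious behavior: repeated outbound transfer"),
    ("2013-11-30T03:00:00", "fireeye",   "wks-hr-04",  "potentially unwanted program"),
    ("2013-12-10T11:00:00", "antivirus", "wks-hr-04",  "adware cleaned"),
    ("2013-11-29T10:00:00", "antivirus", "wks-fin-09", "heuristic match, quarantined"),
]


def correlate(alerts, window=timedelta(days=3)):
    """Group alerts by host. A host is escalated when two different products flag it
    within `window` of each other: one product can be noisy, two agreeing rarely are.
    Returns {host: {"products": [...], "count": n, "escalate": bool}}."""
    by_host = defaultdict(list)
    for ts, product, host, msg in alerts:
        by_host[host].append((datetime.fromisoformat(ts), product, msg))

    report = {}
    for host, evs in by_host.items():
        evs.sort()
        escalate = any(
            p1 != p2 and t2 - t1 <= window
            for i, (t1, p1, _) in enumerate(evs)
            for t2, p2, _ in evs[i + 1:]
        )
        report[host] = {
            "products": sorted({p for _, p, _ in evs}),
            "count": len(evs),
            "escalate": escalate,
        }
    return report


def triage_queue(report):
    """Order hosts for the analyst: corroborated hosts first, then by alert volume, then by name."""
    return sorted(report, key=lambda h: (not report[h]["escalate"], -report[h]["count"], h))


if __name__ == "__main__":
    report = correlate(CONSTRUCTED_ALERTS)
    for host in triage_queue(report):
        print(host, report[host])
```

srv-pos-12 lands at the top of the queue because the antivirus and the malware sandbox disagree on details but agree on the host within the window; wks-hr-04 is flagged by both products too, but ten days apart, so it stays an ordinary ticket. With automatic removal switched off, a queue like this is the minimum that turns a stream of alerts into something a small team can act on in time.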

Read the full story on Businessweek.com<http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data>


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

"Distrust and caution are the parents of security" - Benjamin Franklin
