<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div><div><div><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">In this issue:</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">1. Apple Patches iOS Security Hole</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">2. BrowserID: New Sign-In System from Mozilla</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">3. ZeuS Variant Targets Android Smartphones</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">---------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">1. Apple Patches iOS Security Hole</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">---------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Apple released iOS 4.3.4 (4.2.9 for those on Verizon) last week to fix a zero-day vulnerability in the software's PDF-reading capabilities. It is available as a free download to iPhone, iPod Touch and iPad users. </p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">A description of the update says it "fixes (a) security vulnerability associated with viewing malicious PDF files." That's the same one used by JailbreakMe.com, a site that allows users to jailbreak their phones without using a computer or any special software, giving the owners a way to install third-party software and make low-level system changes.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">The zero-day PDF vulnerability could be used to not only jailbreak a device, but also install malicious applications.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Read the story in the news:</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><http://news.cnet.com/8301-27076_3-20079846-248/apple-delivers-ios-4.3.4-to-patch-pdf-security-hole/></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">------------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">2. BrowserID: New Sign-In System from Mozilla</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">------------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Last week Mozilla announced the launch of a prototype of BrowserID, a new sign-in system, for community review. It answers the tough question many web developers face: how do users sign in? The classic way: an email address with a confirmation step demands a user's time and requires them to remember yet another password. BrowserID is designed to be easier to use, secure, cross-browser supported, decentralized, and respects user privacy. </p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">The system is still highly experimental, and Mozilla would love to get feedback from their users. They have provided a quick tutorial and demo site.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">You can find out more here:</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">and here:</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><https://browserid.org/></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">-----------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">3. ZeuS Variant Targets Android Smartphones</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">-----------------------------------------------------------</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Anti-virus vendors have detected a variant of the ZeuS Trojan horse program that can infect Android smartphones. The malware in this case is a variant of Zitmo, which stands for "Zeus in the mobile;" it pretends to be an online banking security application called Rapport, which is the name of a legitimate application from Trusteer. </p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Previous variants of the ZeuS online banking Trojan targeted Symbian, Blackberry and Windows Mobile devices. The Android variant does not require any digital certificates and is injected by manual download of an alleged security extension from Trusteer. Once installed, the Trojan masquerades as an online banking activation app. In the background, it listens to all incoming SMS messages and forwards them to a remote web server. That's a security risk, as some banks now send, via SMS, mTANs (mobile transaction authentication numbers), which is banking-speak for one-time passwords for authenticating transactions.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Criminals need to persuade users to download and install the app. The application gets pushed by malware after it has infected the user's PC, but not until the user visits a banking website. The risk is relatively small, as not all banks use mTANs and relatively few people use smartphones for banking transactions.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Read the full story in the news:</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial"><http://www.informationweek.com/news/231001685></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; min-height: 16.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">=====</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica">Acknowledgements: I want to thank Mike and Ben for their efforts last week in putting together the newsletter while I was on vacation. </p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">====================================================================</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">Read all Security FYI Newsletter articles online at http://securityfyi.wordpress.com/.</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial">====================================================================</p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><br></p>
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Helvetica; min-height: 17.0px"><span class="Apple-style-span" style="font-size: 12px; ">Monique Yeaton</span></p></div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-family: Helvetica; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; ">IT Security Communications Consultant</span></span></span></span></span></span></div><div style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; ">MIT Information Services & Technology (IS&T)</span></span></span></span></span></span></div><div style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; ">(617) 253-2715</span></span></span></span></span></span></div><div style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; "><span class="Apple-style-span" style="font-size: 12px; ">http://ist.mit.edu/security</span></span></span></span></span></span></div><div style="font-size: 12px; "><br class="khtml-block-placeholder"></div><br class="Apple-interchange-newline"></span></span></span></span></span></span></span></div></div></div></div></body></html>