<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;">In this issue:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">1. March 2014 Security Updates from Microsoft</div>
<div style="margin: 0px; font-family: Helvetica;">2. Microsoft Offers Tool to XP Users to Assist with Upgrade</div>
<div style="margin: 0px; font-family: Helvetica;">3. The Bitcoin Theft</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">1. March 2014 Security Updates from Microsoft</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">On Tuesday, March 11, Microsoft is releasing
<a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-mar">five new security bulletins</a>. Two of the bulletins are rated critical. Microsoft systems that will be affected:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<ul>
<li style="margin: 0px; font-family: Helvetica;">Windows (all current operating systems and servers)
</li><li style="margin: 0px; font-family: Helvetica;">Internet Explorer (all supported versions)
</li><li style="margin: 0px; font-family: Helvetica;">Microsoft Silverlight </li></ul>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">It is recommended to accept the updates.
<a href="http://ist.mit.edu/waus">MIT WAUS</a> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The patch for Internet Explorer will resolve a zero-day vulnerability (<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Exploit:JS/CVE-2014-0322"><span style="font-size: 15px; color: rgb(50, 51, 51);">CVE-2014-0322</span></a><span style="font-size: 15px; color: rgb(50, 51, 51);">)</span>
that was disclosed close to a month ago. Microsoft supplied a “fix-it” as a stopgap until a patch was ready.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Tuesday’s bulletins will also fix vulnerabilities in Windows, including for Windows XP, and these may be the last to be supplied by Microsoft for that operating system. Microsoft will no longer support Windows
XP with security patches after April 8. (See more on the de-support of Windows XP in the story below.)</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://threatpost.com/microsoft-to-patch-ie-10-zero-day-on-patch-tuesday/104653">Read the full story in the news</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">2. Microsoft Offers Tool to XP Users to Assist with Upgrade</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Microsoft is ending support for its popular operating system Windows XP on April 8; after that date, there will be no more security updates, leaving users vulnerable to flaws. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Starting this month, Microsoft offers a free migration tool called “PCmover Express” to help XP users ease their transition to a newer, more secure version of Windows. It copies files, music, email and user
profiles and settings from a Windows XP computer to a new device running Windows 7, 8 or 8.1. It can transfer data across a home or work network and allows users to customize exactly what they bring over. The free version does not migrate applications,
but the maker of PCmover Express (Laplink) makes a migration app called <a href="http://www.laplink.com/pcmoverexpressxpeol">
PCmover Professional for XP Users</a>, which will transfer an unlimited number of applications to a new machine. It is being offered at a discounted price.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">In addition, starting March 8, XP users on the Home or Professional editions who have elected to receive updates via Windows Update will see pop-ups reminding them of the impending deadline. The notification
will link to <a href="http://windows.microsoft.com/en-US/windows/end-support-help">
Microsoft’s End of Support website</a>, where users will find the free PCmover Express software (available some time later this week), information on what end of support means, and how they can stay protected against security risks and viruses
after April 8th.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://blogs.windows.com/windows/b/windowsexperience/archive/2014/03/03/new-windows-xp-data-transfer-tool-and-end-of-support-notifications.aspx">Read the full story at Microsoft’s blog here</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">--------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">3. The Bitcoin Theft</div>
<div style="margin: 0px; font-family: Helvetica;">--------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Late last month, Bitcoin exchange Mt. Gox in Tokyo declared bankruptcy, claiming hackers had exploited a vulnerability in its transactions to steal 850,000 bitcoins (worth approximately $474 million). The flaw,
called transaction malleability, had been known for a while, and it is possible that a malicious party could have taken advantage of it to withdraw funds.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">It is also possible that funds were being mismanaged through the Mt. Gox exchange. Mt. Gox has had problems for some time: users have complained that they have been unable to withdraw dollars from Mt. Gox for close to a year now.
The website has gone offline as authorities look into the situation.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">There is much suspicion among bitcoin users around the shutdown of the exchange. "I am extremely disappointed with the company but not surprised," said investor Kolin Burges in an email. "I am thoroughly disgusted
by the company and the way they have ruined so many people's lives, as well as disgusted by their conduct through this whole situation. I will be doing anything I can to ensure that anyone at the company who was to blame for this faces justice for any crimes
they might have committed. I will also do anything I can to investigate what was really going on there, but hopefully the courts and police of Japan will do a thorough job," said Burges.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The issue of the latest theft appears too small to shut down one of the largest bitcoin exchanges in the world. In the news recently,
<a href="http://www.theverge.com/2014/3/10/5489582/mt-gox-hackers-say-exchange-still-has-customers-bitcoins">
anonymous hackers claim to have evidence</a> that the bitcoins from Mt. Gox are not missing, but that customers were defrauded by Mt. Gox management.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The Bitcoin network has experienced major security breaches over the past year. November saw three major Bitcoin thefts. One involved
<a href="http://www.networkworld.com/news/2013/112513-bitcoin-robbery-276352.html">
more than $1 million in bitcoin</a> from Bitcoin Internet Payment Services, a Denmark-based exchange that promoted itself as Europe's biggest. Another was a heist of about $1.4 million from Australian
<a href="http://www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-service/">
online wallet service Inputs.io</a>. The third was the disappearance of a Chinese Bitcoin exchange with more than
<a href="http://www.networkworld.com/community/blog/chinese-bitcoin-exchange-vanishes-along-bitcoins">
$4 million in it</a>, revealing that exchange as a con. Since the Mt. Gox theft, the Canadian Bitcoin bank Flexcoin has
<a href="http://www.cbc.ca/news/business/bitcoin-bank-flexcoin-shuts-down-after-600-000-theft-1.2559018">
announced it is going out of business</a>, following a hack in which 896 coins were stolen.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Read the full story in the news
<a href="http://www.computerworld.com/s/article/9246659/Bitcoin_exchange_Mt._Gox_files_for_bankruptcy_with_debts_of_63.6M?taxonomyId=17">
here</a> and <a href="http://news.cnet.com/8301-1009_3-57619708-83/bitcoin-losses-spur-mt-gox-to-bankruptcy-filing/">
here</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
Monique Buchanan<br>
IT Security Communications Consultant<br>
Information Systems &amp; Technology (IS&amp;T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<span style="font-family: Helvetica;">"Distrust and caution are the parents of security" - Benjamin Franklin</span></div>
</div>
</div>
<br>
</body>
</html>