<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<span style="font-family: Arial;">In this issue:</span><br>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">1. Zero-Day Targets Internet Explorer</div>
<div style="margin: 0px; font-family: Arial;">2. Apple Addresses “Triple Handshake” Bug </div>
<div style="margin: 0px; font-family: Arial;">3. Password Security is a Problem</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">--------------------------------------------------</div>
<div style="margin: 0px; font-family: Arial;">1. Zero-Day Targets Internet Explorer</div>
<div style="margin: 0px; font-family: Arial;">--------------------------------------------------</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">In a <a href="https://technet.microsoft.com/en-US/library/security/2963983">
security advisory</a> released late last week, Microsoft warns users of limited, targeted attacks attempting to exploit a vulnerability in Internet Explorer 6 through Internet Explorer 11, although the attack is only targeting IE9 through IE11.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">The vulnerability has not been patched and is considered a significant
<a href="http://en.wikipedia.org/wiki/Zero-day_virus">zero-day virus</a> as the vulnerable versions of IE represent about a quarter of the total browser market. We recommend applying a patch once available.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;"><a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html">To read the details of how this exploit can
occur, see this article</a>.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">What you can do to protect your computer:</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">1. One mitigating factor is to <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">
download and install Microsoft’s Enhanced Mitigation Experience Toolkit</a> (EMET), a free tool that can strengthen security on Windows. Note that EMET 3.0 does not mitigate the attack, and users should rely on EMET 4.1.
<a href="http://krebsonsecurity.com/tag/enhanced-mitigation-experience-toolkit/">
Krebs on Security discusses EMET here</a>.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">2. Because the attack will not work without Adobe Flash,
<a href="http://www.zdnet.com/protect-yourself-from-flash-attacks-in-internet-explorer-7000003921/">
disabling the Flash plugin within IE</a> will prevent the exploit from functioning. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">3. According to FireEye, the security lab that discovered the vulnerability, Enhanced Protection Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default.
<a href="http://www.thewindowsclub.com/enhanced-protected-mode-internet-explorer-10">
This article show how to enable EPM in IE</a>. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">4. The fourth option is to use another browser until a patch has been released. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">----------------------------------------------------------</div>
<div style="margin: 0px; font-family: Arial;">2. Apple Addresses “Triple Handshake” Bug</div>
<div style="margin: 0px; font-family: Arial;">---------------------------------------------------------- </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">Last Tuesday, April 22, Apple released iOS 7.1.1 to address 19 flaws in the mobile operating system, including a critical flaw in the secure transport mechanism that could be exploited with "triple handshake" attacks
to expose user data. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">Apple also released <a href="http://support.apple.com/kb/HT6207">
Security Update 2014-002</a> with updates for OS X Lion (10.7.x), Mountain Lion (10.8.x), and Mavericks (10.9.x) to address a number of flaws, including the triple handshake bug.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">Users should update as soon as possible.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;"><a href="http://arstechnica.com/security/2014/04/iphones-and-macs-get-fix-for-extremely-critical-triple-handshake-crypto-bug/">Read more about the Apple updates here</a>.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;"><a href="http://blog.cryptographyengineering.com/2014/04/attack-of-week-triple-handshakes-3shake.html">What is the Triple Handshake Bug?</a></div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">----------------------------------------------</div>
<div style="margin: 0px; font-family: Arial;">3. Password Security is a Problem</div>
<div style="margin: 0px; font-family: Arial;">----------------------------------------------</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">As we have learned from the Heartbleed Bug and from years of brute-force attacks on systems containing log-in credentials, the risk to passwords is still great. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">But passwords fall into the hands of criminals in other ways besides through attacks on a database or web server. 40% of people have one of the top 100 most common passwords. This makes it very easy for intruders
to access your online accounts and steal your identity.</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">As it happens, April is also Records and Information Management month and now is a good opportunity to spread awareness around the topic of password security.
<a href="http://www.singlehop.com/blog/infographic-your-password-is-obsolete/">Here is an info graphic to get you started</a>. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial;">The graphic mentions two-factor, which is the same as
<a href="http://en.wikipedia.org/wiki/Two-step_verification">two-factor or multi-factor authentication</a>. This verifying technique is something that IS&T is looking to implement in the near future, so stay tuned. </div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;">
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
<div style="margin: 0px; font-family: Arial; min-height: 16px;"><br>
</div>
Monique Buchanan<br>
IT Security Communications Consultant<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<br>
</div>
</div>
</div>
<br>
</body>
</html>