<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">In this issue:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">1. The ShellShock Bug</div>
<div style="margin: 0px; font-family: Helvetica;">2. Event on Oct. 7: Free Coffee and Donut with a Slice of Security</div>
<div style="margin: 0px; font-family: Helvetica;">3. The CryptoWall Attack</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">1. The ShellShock Bug</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">A critical vulnerability in the bash Unix shell, nicknamed “shellshock,” was reported by the security community last week. It is said to be more serious than the Heartbleed vulnerability.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Bash is a command language interpreter and is available on almost all non-Windows systems, including OS X. Especially vulnerable are web servers that are hosting CGI scripts, and certain other network services
such as DHCP and FTP, so it’s imperative that bash is patched on these systems.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">If you are an IS&T managed-server hosted customer, your systems were patched on 9/24. When doing a scan of the network, IS&T found only a handful of systems vulnerable to the bug, which indicates that maintainers
patched their systems quickly.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Please refer to this Knowledge Base article for instructions on patching Red Hat Enterprise and Ubuntu Linux systems:
<a href="http://kb.mit.edu/confluence/x/7wgrCQ">http://kb.mit.edu/confluence/x/7wgrCQ</a>. Note that the patch for CVE-2014-7169 is the one to apply (it supersedes the earlier patch).</div>
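<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">To confirm that a system is patched, the following local self-check can be run on it. It is an example added here, not part of the Knowledge Base article or any IS&T tooling; the function names, the BASH_BIN variable and the marker string are made up for this example, and it assumes bash and mktemp are installed.</div>

```shell
#!/bin/sh
# Added example: checks only the bash binary on the machine where it runs.
# BASH_BIN, MARKER and the function names are made up for this example.

BASH_BIN="${BASH_BIN:-$(command -v bash)}"   # assumption: bash is on PATH
MARKER="SHELLSHOCK_SELFTEST"

# CVE-2014-6271: an unpatched bash runs whatever text trails a function
# definition it imports from an environment variable.
check_6271() {
    [ -x "$BASH_BIN" ] || { echo absent; return 0; }
    out=$(env "x=() { :;}; echo $MARKER" "$BASH_BIN" -c ':' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# CVE-2014-7169: the first patch left a parser flaw that lets a crafted
# variable redirect output into a file named "echo" in the current directory.
# Run in a throwaway directory so nothing else is touched.
check_7169() {
    [ -x "$BASH_BIN" ] || { echo absent; return 0; }
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# One-line summary for both CVEs.
bash_shellshock_status() {
    echo "CVE-2014-6271=$(check_6271) CVE-2014-7169=$(check_7169)"
}

bash_shellshock_status
```

<div style="margin: 0px; font-family: Helvetica;">A result of "vulnerable" for either CVE means bash on that host still needs the update described in the Knowledge Base article.</div>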
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Unfortunately, the patches released by the bash scripting team did not fix *all* of the bash problems.
<a href="http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/">
See this article on ArsTechnica for more on the situation</a>. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The vulnerability is being actively exploited. Be careful with any unusual email attachments.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Additional information: </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<ul>
<li style="margin: 0px; font-family: Helvetica;"><a href="https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709">A webcast briefing from the Internet Storm Center (ISC) on how shellshock works and what to do about it</a>
</li><li style="margin: 0px; font-family: Helvetica;"><a href="https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707">The ISC blog, summarizing the problem</a>
</li><li style="margin: 0px; font-family: Helvetica;"><a href="https://www.youtube.com/watch?v=W7GaVyzkCs0">Direct link to YouTube video of the ISC briefing</a>
</li></ul>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">2. Event on Oct. 7: Free Coffee and Donut with a Slice of Security</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Next Tuesday, October 7, IS&T is hosting a table in W20 from 9:00 until 11:00 am, in support of National Cyber Security Awareness Month (NCSAM). </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Have any security concerns? Want help with securing your computer or smartphone?</div>
<div style="margin: 0px; font-family: Helvetica;">IS&T personnel will be on hand to help.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Think you’re pretty savvy when it comes to phishing or other cyber attacks? Test your threat level with our security quiz cards.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">And don’t forget to grab a free coffee and donut.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">3. The CryptoWall Attack</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">A form of ransomware, CryptoWall is one of the viruses trying to hit unpatched machines. Should you fall victim, CryptoWall will encrypt your folders and attempt to extort money from you to decrypt and release them.
The attackers ask for $750. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Your best defense against this type of virus is having virus detection software, such as
<a href="http://ist.mit.edu/sophos">Sophos</a>, installed on your machine. Keep all your software, including browsers, up to date with the latest
<a href="http://ist.mit.edu/security/patches">security patches</a>. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="https://msisac.cisecurity.org/daily-tips/cryptowall-indicators.cfm">CryptoWall Indicators</a></div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
</div>
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>
</div>
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>
Monique Buchanan<br>
IT Security Communications Coordinator<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
</body>
</html>