<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;">In this issue:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">1. SSL 3.0 Vulnerability Discovered Last Week</div>
<div style="margin: 0px; font-family: Helvetica;">2. NCSAM Events at MIT This Week</div>
<div style="margin: 0px; font-family: Helvetica;">3. Microsoft Security Updates for October 2014</div>
<div style="margin: 0px; font-family: Helvetica;">4. Patch Issued for Drupal Vulnerable to SQL Injection</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">--------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">1. SSL 3.0 Vulnerability Discovered Last Week</div>
<div style="margin: 0px; font-family: Helvetica;">--------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">A serious <a href="http://kb.mit.edu/confluence/x/GIEwCQ">
vulnerability against Secure Sockets Layer (SSL) version 3.0</a> has been discovered. This comes on the heels of several other (unrelated) vulnerabilities this year, including Heartbleed in April and Shellshock in September.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">SSL is one of the protocols used to secure Internet traffic from eavesdroppers. SSL 3.0 is nearly 18 years old and obsolete but most browsers and web servers still allow its use for legacy browsers and/or server
compatibility.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">This attack, nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows a man-in-the-middle — such as a malicious Wi-Fi hotspot — to extract data from secure web connections (also known as HTTPS).
If successful, an attacker could gain access to online accounts by hijacking session cookies and bypassing the login mechanisms protecting certain accounts.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">KB Article: <a href="http://kb.mit.edu/confluence/x/5IEwCQ">
Learn how you can deflect this attack</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.techrepublic.com/article/poodle-vulnerability-hastens-the-death-of-ssl-3-0/">Read more about it in the news</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">2. NCSAM Events at MIT This Week</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">This week Information Systems & Technology is sponsoring two events on campus in support of National Cyber Security Awareness Month. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><b>Thursday, Oct. 23, 12:00 - 1:30pm, in 37-252</b></div>
<div style="margin: 0px; font-family: Helvetica;">Anonymity on the Go: The Possibilities and Problems of Tor on Mobile Devices. The speaker of this talk is Nathan Freitas, founder of the Guardian Project.</div>
<div style="margin: 0px; font-family: Helvetica;">RSVP required.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><b>Friday, Oct. 24, 10:00am - 2:00pm, in Lobby of Building 32</b></div>
<div style="margin: 0px; font-family: Helvetica;">Shred IT! Paper as well as some electronic media will be collected and safely shredded. If you need to get rid of old hard drives, tapes, CDs or thumb drives, now is your chance.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://kb.mit.edu/confluence/x/WR4YCQ">Learn more about both of these events</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">--------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">3. Microsoft Security Updates for October 2014</div>
<div style="margin: 0px; font-family: Helvetica;">--------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Last week Tuesday, Microsoft released 8
<a href="https://technet.microsoft.com/library/security/ms14-oct">security updates</a> (3 critical and 5 important) to address 24 vulnerabilities in Windows, IE and Office, including a flaw in Windows and Windows Server 2008 and 2012 that is actively exploited
as part of the <a href="http://www.geekwire.com/2014/patches-must-flow-microsoft-fixes-vulnerability-used-sandworm-team-attacks/">
Sandworm Team attacks</a>. The updates include fixes for a pair of critical flaws in the Windows kernel that could be exploited to execute code.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">These patches have been approved for deployment via
<a href="http://ist.mit.edu/waus">MIT WAUS</a> (Windows Automatic Update Services).</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.zdnet.com/microsoft-updates-windows-ie-office-in-busy-patch-tuesday-7000034657/">Read the story online</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">4. Patch Issued for Drupal Vulnerable to SQL Injection</div>
<div style="margin: 0px; font-family: Helvetica;">------------------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">I am passing along this security alert coming from
<a href="https://mailman.mit.edu:444/mailman/listinfo/security_sig">Security SIG</a>:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">A nasty SQL injection vulnerability has been disclosed in Drupal that allows an anonymous user to execute code and manipulate and/or delete stored data.
<a href="http://www.volexity.com/blog/?p=83">Exploits</a> are currently being used and posted.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">This affects all versions of Drupal 7 prior to 7.32. It is strongly recommended that all those running Drupal 7 upgrade to core 7.32.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">More information can be found here
<a href="https://www.drupal.org/SA-CORE-2014-005">https://www.drupal.org/SA-CORE-2014-005</a> and here
<a href="https://www.drupal.org/node/2357241">https://www.drupal.org/node/2357241</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">The IS&T-managed Drupal Cloud service was patched last week.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">If you know other system admins and/or departments that are responsible for running Drupal, we kindly ask that you pass this message along to them. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.computerworld.com/article/2834650/drupal-releases-patch-for-serious-sql-injection-flaw.html">Read the story online</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;">
<div style="margin: 0px;">=======================================================================================</div>
<div style="margin: 0px;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px;">=======================================================================================</div>
<div style="margin: 0px;"><br>
</div>
<div style="margin: 0px;"><br>
</div>
</div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); font-family: Avenir; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); font-family: Avenir; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
Monique Buchanan<br>
IT Security Communications Coordinator<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715</div>
<div style="color: rgb(0, 0, 0); font-family: Avenir; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>
</div>
<br class="Apple-interchange-newline">
</div>
</div>
</div>
<span><img height="100" width="360" apple-inline="yes" id="469059D7-4A22-43A0-A675-BB00DD302CA3" apple-width="yes" apple-height="yes" src="cid:B0BFCD69-2454-4597-9B79-36CDA1F0EA6E@mit.edu"></span>
</div>
<br>
</body>
</html>