<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;" class="">
<div style="margin: 0px; min-height: 17px;" class="">In this issue:</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">1. Two-Factor Authentication With Duo</div>
<div style="margin: 0px;" class="">2. “Stagefright” Security Hole in Android</div>
<div style="margin: 0px;" class="">3. MIT Certificates Expire on July 31</div>
<div style="margin: 0px;" class="">4. EVENT: BroCon ’15 Coming to MIT, Aug. 4-6</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">----------------------------------------------------</div>
<div style="margin: 0px;" class="">1. Two-Factor Authentication With Duo</div>
<div style="margin: 0px;" class="">----------------------------------------------------</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement for using two-factor authentication to log into systems and services at MIT. Two-factor authentication secures our data by limiting
the risk of a password compromise, which in turn could allow a cyber attacker to access services limited to MIT users.
<a href="https://www.duosecurity.com/" class="">Duo Security</a> is the service IS&T is using to leverage two-factor authentication.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Services that you will need to use Duo for, <b class="">
beginning September 30, 2015</b>, include:</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<ul class="">
<li style="margin: 0px;" class="">Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
</li><li style="margin: 0px;" class="">MIT’s VPN service </li><li style="margin: 0px;" class="">Remote access to systems supported by IS&T or located within IS&T data center facilities.
</li></ul>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Students are excluded from this requirement until Summer 2016.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Two-factor authentication is used in addition to a username and password to prove you are authorized to log into a system. It is based on the principle of something you know (your username and password) and something you have
(your phone or a hardware token). Users are first asked to authenticate with their username and password (considered the first factor) and then prompted to retrieve a code that is sent to their phone or designated device (considered the second factor). </div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">The code can be sent to the Duo application on your smartphone, which, when when it is received, you simply click on the message to OK. No re-entering of the code is necessary. You can also have a non-smart phone or hardware
token set up for Duo.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Although this second step requires dedicating a bit of extra time to logging into a system, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that
time. </div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Learn more via the links below.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class=""><a href="http://kb.mit.edu/confluence/display/istcontrib/Two-Factor+Authentication+with+Duo" class="">Using Duo Two-Factor Authentication</a> (KB)</div>
<div style="margin: 0px;" class=""><a href="http://kb.mit.edu/confluence/pages/viewpage.action?pageId=151109106" class="">How do I log into MIT services that leverage Duo?</a> (KB)</div>
<div style="margin: 0px;" class=""><a href="http://duo.mit.edu/" class="">Register for Duo</a> (sign up form)</div>
<div style="margin: 0px;" class=""><a href="http://web.mit.edu/itgc/letters/duo-memo.html" class="">Duo Memo</a> (Letter to the Community)</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">-----------------------------------------------------</div>
<div style="margin: 0px;" class="">2. “Stagefright” Security Hole in Android</div>
<div style="margin: 0px;" class="">-----------------------------------------------------</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">The security bug Stagefright is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but for multi-media such as videos, sounds, and pictures. While it is an aging system, most Android devices
are still set up to receive MMS messages and will process them automatically by default.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">On newer Android devices (4.4, aka KitKat and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts” and the default configuration for these apps is to download MMS content in the background as soon as
the messages arrive.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">The bug allows shell code to take control of your device when an infected MMS message arrives. This type of attack is known as a Remote Code Execution.
<a href="http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/" class="">
Zimperium, the security company that found the bug, claims that 950 million devices may be at risk</a>.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<ul class="">
<li style="margin: 0px;" class="">Ask your mobile carrier whether a patch is available.
</li><li style="margin: 0px;" class="">If not, find out when you can expect it. </li><li style="margin: 0px;" class="">If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts allows this.)
</li><li style="margin: 0px;" class="">Consider blocking messages from unknown senders.
</li></ul>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">We will send further information as more is released.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Read the story in the news <a href="https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/" class="">
here</a>.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">-------------------------------------------------</div>
<div style="margin: 0px;" class="">3. MIT Certificates Expire on July 31</div>
<div style="margin: 0px;" class="">-------------------------------------------------</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">If you haven’t done so already, be sure to <a href="https://ca.mit.edu/ca/" class="">
renew your MIT personal web certificates</a> and at the same time <a href="http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords#StrongPasswords-Howtochangeorresetyourpassword" class="">
update your password</a> (if the password is over a year old). <a href="http://kb.mit.edu/confluence/x/3wNt" class="">
Pick a strong password</a> so that it’s less likely to be compromised. </div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">This year, signing up for Duo Authentication (see above article) is added as an option, but next year when certificates expire it will be required, including for students.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">---------------------------------------------------------------</div>
<div style="margin: 0px;" class="">4. EVENT: BroCon ’15 Coming to MIT, Aug. 4-6</div>
<div style="margin: 0px;" class="">---------------------------------------------------------------</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">This year, BroCon is coming to the MIT campus. It will be happening on
<b class="">Tuesday through Thursday, August 4 - 6 at the Tang Center</b>. </div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">This convention offers the Bro community a chance to share experiments, successes and failures to better understand and secure networks. The convention is composed of talks and training exercises from the Bro development team
as well as fellow users and enthusiasts.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class="">Bro is a powerful network analysis framework that is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Bro’s user community includes major universities, research
labs, supercomputer centers as well as open-science communities.</div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px;" class=""><a href="https://www.bro.org/community/brocon2015.html" class="">Learn more at bro.org</a></div>
<div style="margin: 0px; min-height: 17px;" class=""><br class="">
</div>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;" class=""><br class="">
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;" class="">
<div style="margin: 0px;" class="">=======================================================================================</div>
<div style="margin: 0px;" class="">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/" class=""><span style="color: rgb(4, 46, 238);" class="">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px;" class="">=======================================================================================</div>
<div style="margin: 0px;" class=""><br class="">
</div>
</div>
<div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); font-family: Avenir; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); font-family: Avenir; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<br class="">
Monique Buchanan<br class="">
Communications Specialist<br class="">
Information Systems & Technology (IS&T)<br class="">
Massachusetts Institute of Technology<br class="">
<a href="http://ist.mit.edu" class="">http://ist.mit.edu</a><br class="">
tel: 617.253.2715</div>
<div style="color: rgb(0, 0, 0); font-family: Avenir; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<br class="">
</div>
<br class="Apple-interchange-newline">
</div>
</div>
</div>
<br class="">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<br class="">
</body>
</html>