[IS&T Security-FYI] SFYI Newsletter, December 23, 2013
Monique Yeaton
myeaton at MIT.EDU
Mon Dec 23 12:38:16 EST 2013
In this issue:
1. Target Store Data Accessed
2. First Security Update for Apple OS X 10.9
3. What Stolen Passwords Can Teach Us
-----------------------------------------
1. Target Store Data Accessed
-----------------------------------------
Target announced on its corporate website late last week that the company experienced unauthorized access to payment card data at its US Target stores. The unauthorized access took place between November 27 and December 15, 2013. Canadian stores and the target.com website were not affected. Forensics efforts are still on-going.
Read the full notice from Target here<https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca> plus some recommendations to protect yourself against potential misuse of your credit or debit card information. Note the information posted specifically for Massachusetts residents.
-----------------------------------------------------------
2. First Security Update for Apple OS X 10.9
-----------------------------------------------------------
Last week Apple released its first major update for OS X Mavericks (10.9)<http://support.apple.com/kb/HT6084>. The update brings a number of bug fixes for Mail and the voice-command user interface VoiceOver, as well as a Safari browser update. The Mail app has been improved for Gmail support, search and contact-groups features.
The biggest improvement was Safari 7.0.1, which can be applied either as part of the Mavericks update or separately. The Safari patch repairs unresponsive forms on sites such as FedEx.com, makes credit-card autofill easier to use and streamlines VoiceOver with Facebook. Apple also released fixes in Safari 6.1.1, which, somewhat unexpectedly, includes support for older versions of Mac OS X.
This article provides details of the security update and outlines the concerns<http://www.tomsguide.com/us/mavericks-first-security-update,news-17995.html> voiced since last October by Apple customers still running Lion or Mountain Lion (Apple's two previous versions of Mac OS X), who have not upgraded to Mavericks because their hardware is not fast enough to run it.
Apple has not provided a Security Update for older Mac OS X systems since Security Update 2013-005 on October 15, which contained a Java update. Mavericks was released on October 22, 2013. According to some technology experts, Apple has no plans to further support Mountain Lion<http://www.zdnet.com/os-x-mountain-lion-still-unsupported-and-vulnerable-7000023493/>. If this is correct, all Mac OS X users must upgrade to the next version in order to receive Apple support, including security updates.
There is a reasonable concern about waiting to upgrade to Mavericks: staying on Lion (10.7) or Mountain Lion (10.8) becomes risky, because vulnerabilities that Apple no longer patches on those systems leave them open to attack.
Information Services & Technology (IS&T) at MIT is no longer offering Mac OS X Lion (10.7) software through its website, but still offers Help Desk support. As of November 18, 2013, IS&T is recommending MIT users, especially those using TSM and SAPgui, to wait to upgrade to OS X 10.9 until these known issues<http://kb.mit.edu/confluence/x/fjMYCQ> have been resolved.
-------------------------------------------------------
3. What Stolen Passwords Can Teach Us
-------------------------------------------------------
Early in the month of December, a botnet called “Pony” was found to have stolen approximately 2 million credentials from users’ computers. The stolen data was found on a proxy server in the Netherlands. Companies that were affected and notified include payroll processor ADP, Facebook, Google, LinkedIn and Twitter.
The data was collected from users in as many as 102 countries and may have been gained by tricking users to visit compromised web pages, allowing the botnet to steal login credentials (usernames and passwords). Learn more about the Pony Botnet<http://www.zdnet.com/two-million-stolen-facebook-twitter-yahoo-adp-passwords-found-on-pony-botnet-server-7000023915/>.
What SpiderLabs Found
Trustwave's SpiderLabs (a team of elite and ethical hackers) captured the data set. After reviewing it, what is even more concerning about the 2 million stolen credentials is that most of the passwords were incredibly weak. Hundreds of thousands used only one character type (either numbers or letters), and most of those build on the "123456" construct.
The most common passwords found, most common first:
123456
123456789
1234
password
12345
12345678
admin
123
1
1234567
1111111
Only 5% of the 2 million passwords were considered excellent (using all 4 character types and longer than 8 characters). Read the full blog post by SpiderLabs here<http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html>.
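The kind of audit SpiderLabs ran can be reproduced on any leaked or internal password list. The script below is an added example written for this newsletter, not SpiderLabs' own tooling: it buckets each password by the character classes it uses and its length, applies the page's definition of "excellent" (all four character types and longer than 8 characters), and flags the single-class and "123456"-style entries. The sample list is constructed from the passwords above plus a few stronger ones; the sequence heuristic, the treatment of a space as a symbol, and the "len_le_8" bucket are assumptions of this example, not SpiderLabs' published rules.

```python
import string
from collections import Counter

# Constructed sample: the common passwords listed above plus a few stronger
# ones, so that every bucket in the audit is exercised.
SAMPLE = ["123456", "123456789", "1234", "password", "12345", "12345678",
          "admin", "123", "1", "1234567", "1111111",
          "Tr0ub4dor&3", "correct horse", "P@ssw0rd!", "Xk9#mQ2$vL7p"]

# The four character types the page refers to. Treating a space as a symbol
# is an assumption of this example.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def is_excellent(pw):
    """The page's definition: all four character types and longer than 8 characters."""
    return len(char_classes(pw)) == 4 and len(pw) > 8


def is_single_class(pw):
    """Passwords built from one character type only (digits only, letters only)."""
    return len(char_classes(pw)) == 1


def is_keyboard_sequence(pw):
    """Assumed heuristic for the '123456' construct: one repeated character, or a
    contiguous slice of the ascending digit row. Not SpiderLabs' own rule."""
    if not pw:
        return False
    if len(set(pw)) == 1:           # e.g. "1111111" or "1"
        return True
    return pw.isdigit() and pw in "1234567890"


def audit(passwords):
    """Count how many passwords land in each bucket (a password may hit several)."""
    counts = Counter()
    for pw in passwords:
        counts["total"] += 1
        counts["excellent"] += is_excellent(pw)
        counts["single_class"] += is_single_class(pw)
        counts["sequence"] += is_keyboard_sequence(pw)
        counts["len_le_8"] += len(pw) <= 8
    return counts


def share(counts, key):
    """Fraction of the audited set in a given bucket, as a percentage."""
    return 100.0 * counts[key] / counts["total"] if counts["total"] else 0.0


def top_n(passwords, n=10):
    """Most frequent passwords in the set, most common first."""
    return Counter(passwords).most_common(n)


if __name__ == "__main__":
    c = audit(SAMPLE)
    for key in ("excellent", "single_class", "sequence", "len_le_8"):
        print(f"{key:13s} {c[key]:3d} ({share(c, key):4.1f}%)")
    for pw, n in top_n(SAMPLE):
        print(n, pw)
```

On a real dump, replace SAMPLE with the lines of the leaked file; on an internal audit, run the same classification against cracked hashes rather than stored plaintext. The "excellent" share is the number to compare against SpiderLabs' 5%.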
To learn how you can strengthen your passwords, go to kb.mit.edu<http://kb.mit.edu/confluence/x/3wNt>.
=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================
HAPPY HOLIDAYS AND SEE YOU IN THE NEW YEAR!
Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security