[IS&T Security-FYI] SFYI Newsletter, December 3, 2014

Wed Dec 3 10:43:54 EST 2014

In this issue:

1. EVENT: Laptop Tagging and Registration on Wed. 12/3
2. The Importance of Multi-Factor Authentication
3. Mozilla Releases Firefox 34

------------------------------------------------------------------------------
1. EVENT: Laptop Tagging and Registration on Wed. 12/3
------------------------------------------------------------------------------

This Wednesday, there is an opportunity to register and tag your laptop. The next laptop tagging session is on February 4th, 2015.

Where: Lobby of Building 10
When: Wed., December 3, 11:00 am - 1:15 pm

Cost: $10 cash (no cards) or MIT Cash Object

Just as you might register a bike with the police, you can also register your laptop. Information Systems & Technology partners with MIT Police to provide STOP (Security Tracking of Office Property) tags for laptops. The tag is affixed to the device, has a unique number, and is registered with a world-wide database.

Sgt. Cheryl Vossmer of the MIT Police says that although a STOP tag is not software that can track a device via GPS or other means, it has been very effective at providing a way for lost or stolen laptops to be returned to their rightful owners.

Read recovery stories here<https://www.stoptheft.com/> of laptops with STOP tags.

Learn more about laptop registration at MIT<http://kb.mit.edu/confluence/display/istcontrib/MIT+Police+Laptop+Tagging+and+Registration>.

----------------------------------------------------------------
2. The Importance of Multi-Factor Authentication
----------------------------------------------------------------

Over the past year, several university employees around the country were targeted by successful phishing attacks.

Cyber criminals sent emails to employees, appearing to come from their university, that warned them about an issue requiring them to log in to their employee portal. When the employees clicked the link to what appeared to be their university’s legitimate login portal, they landed on a page that was hosted by the criminals. Criminals were able to successfully use the victims’ credentials to modify direct deposit information so that salaries could be re-routed to an account they controlled.

These types of attacks, called phishing attacks, are an attempt to steal login credentials, and as a result, gain access to your online accounts. This is how they are able to take your money or your sensitive information. With your credentials in hand, they can behave online as if they were you.

One way of defeating this type of fraud is for online systems to require an additional factor for authentication. This factor should be something the attacker has no way of accessing. It will prevent an attacker from pretending to be you, even if they have accessed your credentials.

Factors in authentication are:

  *   something the user “is” such as a fingerprint
  *   something the user “knows” such as a password
  *   something the user “has” such as a smartphone.

In direct response to these attacks, a new feature has been added to Atlas<https://atlas.mit.edu/>, in addition to the web certificate authentication that is already in place. It requires users to enter the last four digits of their Social Security Number to better authenticate their identity when accessing their personal sensitive information.

Multi-factor technology will be added to Touchstone<http://ist.mit.edu/touchstone>, called Duo Security<http://guide.duosecurity.com/>, that in the future will be required when users access critical MIT services and applications. This feature is not yet available to the MIT community.

Read the full story in IS&T News<http://ist.mit.edu/news/payroll_scam>

REN-ISAC Advisory: University Payroll Theft Scheme<http://www.ren-isac.net/alerts/REN-ISAC_ADVISORY_University_Payroll_Theft_20141112_TLPWHITE.pdf> (.pdf)

----------------------------------------
3. Mozilla Releases Firefox 34
----------------------------------------

This week Mozilla released Firefox 34.0.5. Users of this browser will notice that the default search engine in Firefox 34 is Yahoo, rather than Google. Also included in this version are an improved search bar, and the launch of WebIDE<https://developer.mozilla.org/en-US/docs/Tools/WebIDE> (the replacement for App Manager). SSL 3.0 support has been removed from this update due to known security issues.<http://kb.mit.edu/confluence/x/GIEwCQ>

Read the Notes for Firefox 34.0.5<https://www.mozilla.org/en-US/firefox/34.0.5/releasenotes/>

=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================

Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

Please note I work from home on Fridays.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20141203/09cb853d/attachment.htm