[IS&T Security-FYI] SFYI Newsletter, September 8, 2014

Monique Buchanan myeaton at mit.edu
Mon Sep 8 16:42:43 EDT 2014


In this issue:

1. Microsoft Security Updates for September 2014
2. Firefox Enhances SSL Security
3. Celebrities’ iCloud Accounts Breached
4. Home Depot Hit By Malware Similar to Target Breach


------------------------------------------------------------------
1. Microsoft Security Updates for September 2014
------------------------------------------------------------------

Microsoft is planning to release four updates<https://technet.microsoft.com/library/security/ms14-sep> this Tuesday, September 9, to address various flaws. On the same date, Microsoft is also planning to release a new security feature for Internet Explorer (IE), called out-of-date ActiveX control blocking, and a new version of the Windows Malicious Software Removal Tool.

Affected software being updated includes Windows, IE (rated critical) and Lync Server.

Read the full story in the news<http://www.zdnet.com/microsoft-to-patch-windows-ie-lync-server-next-week-7000033324/>.


---------------------------------------------
2. Firefox Enhances SSL Security
---------------------------------------------

Mozilla recently released Firefox 32<https://www.mozilla.org/en-US/firefox/32.0/releasenotes/> to improve browser security. The newest incarnation of the browser now includes public key pinning<https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning> in an effort to protect users from man-in-the-middle attacks. “Key pinning allows site operators to specify which certificate authorities (CAs) may issue valid certificates for them, rather than accepting any of the many CAs that are trusted.” Read the full story in the news<http://www.eweek.com/cloud/firefox-32-debuts-with-improved-ssl-security.html>.

Note that this version of Firefox is not currently supported by IS&T. Learn more about certificates at MIT<https://ist.mit.edu/certificates>. Supported browsers at MIT<http://ist.mit.edu/software/browsers>.


------------------------------------------------------
3. Celebrities’ iCloud Accounts Breached
------------------------------------------------------

Apple has acknowledged that several celebrities’ iCloud accounts were compromised, but the company has said it was done by guessing or stealing login credentials, rather than breaching Apple’s iCloud security. According to Apple, these breaches are the result of a “very targeted attack on user names, passwords and security questions.”

According to security experts, the underlying problem with iCloud is that while Apple offers two-factor authentication for logging into iCloud and for making iTunes purchases, the authentication method did not extend to all areas of iCloud (to backups, for example).

Read the full story in the news<http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923?>.


--------------------------------------------------------------------------
4. Home Depot Hit By Malware Similar to Target Breach
--------------------------------------------------------------------------

Security researcher Brian Krebs published information on his security blog<http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/> yesterday about the cyber attack on Home Depot. Reportedly, the compromised credit cards were exposed through the same malware that exposed 40 million accounts of Target customers in December 2013. He points to a new variant of the malware strain “BlackPOS,” aimed at retail accounts, which has the ability to steal credit and debit card information from the physical memory of point-of-sale devices.

If this information is true, then it could mean the same people were responsible for both breaches. Credit card numbers allegedly stolen from Home Depot have appeared on an underground cybercrime shop known as Rescator, which has also been seen selling cards stolen in the Target breach. According to Krebs, the people involved harbor anti-American sentiments.

Read the story in the news<http://www.cnet.com/news/home-depot-victim-of-same-malware-that-hit-target-report/>.

=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


