[IS&T Security-FYI] Security FYI Newsletter, July 30, 2015

Monique Buchanan myeaton at mit.edu
Thu Jul 30 16:11:31 EDT 2015


In this issue:

1. Two-Factor Authentication With Duo
2. “Stagefright” Security Hole in Android
3. MIT Certificates Expire on July 31
4. EVENT: BroCon ’15 Coming to MIT, Aug. 4-6


----------------------------------------------------
1. Two-Factor Authentication With Duo
----------------------------------------------------

John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement to use two-factor authentication to log into systems and services at MIT. Two-factor authentication protects our data by limiting the damage a compromised password can do: a stolen password alone is no longer enough for an attacker to reach services limited to MIT users. Duo Security<https://www.duosecurity.com/> is the service IS&T has chosen to provide the second factor.

Services that you will need to use Duo for, beginning September 30, 2015, include:


  *   Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
  *   MIT’s VPN service
  *   Remote access to systems supported by IS&T or located within IS&T data center facilities.

Students are excluded from this requirement until Summer 2016.

Two-factor authentication adds a second step to the username-and-password login to prove you are authorized to use a system. It is based on the principle of combining something you know (your username and password) with something you have (your phone or a hardware token). Users first authenticate with their username and password (the first factor) and are then prompted to approve a request, or enter a code, delivered to their phone or a designated device (the second factor).

The request can be pushed to the Duo application on your smartphone; when it arrives, you simply tap the message to approve the login. No re-entering of a code is necessary. You can also set up a non-smart phone or a hardware token for Duo.

Although this second step adds a few seconds to logging in, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that time. The choice is stored in that browser, so other browsers and other devices will still prompt you.

Learn more via the links below.

Using Duo Two-Factor Authentication<http://kb.mit.edu/confluence/display/istcontrib/Two-Factor+Authentication+with+Duo> (KB)
How do I log into MIT services that leverage Duo?<http://kb.mit.edu/confluence/pages/viewpage.action?pageId=151109106> (KB)
Register for Duo<http://duo.mit.edu/> (sign up form)
Duo Memo<http://web.mit.edu/itgc/letters/duo-memo.html> (Letter to the Community)


-----------------------------------------------------
2. “Stagefright” Security Hole in Android
-----------------------------------------------------

The Stagefright bug is in the Android media-processing library of the same name, which parses video and audio files; the most worrying way to reach it is through MMS messages. MMS is similar to SMS (Short Message Service) but carries multimedia such as videos, sounds and pictures. While MMS is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat, and 5.x, aka Lollipop), the default SMS/MMS apps are Messaging and Hangouts, and both are configured by default to download MMS content in the background as soon as a message arrives, so an attached media file is processed before you open or even see the message.

A specially crafted media file delivered by MMS can run attacker-supplied code on your device when the message is processed, with no action on your part. This class of attack is known as remote code execution (RCE). Zimperium, the security company that found the bug, estimates that 950 million devices may be at risk<http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/>.

Google has prepared patches, but device makers and carriers must ship them, and it is possible that not all will do so promptly or announce the update to their customers. In the meantime:


  *   Ask your mobile carrier whether a patch is available.
  *   If not, find out when you can expect it.
  *   If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Both Messaging and Hangouts allow this.) This does not fix the bug, but it stops messages from being processed without your action; think twice before manually downloading an MMS from someone you do not know.
  *   Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here<https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/>.


-------------------------------------------------
3. MIT Certificates Expire on July 31
-------------------------------------------------

If you haven’t done so already, be sure to renew your MIT personal web certificate<https://ca.mit.edu/ca/> and, at the same time, change your password<http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords#StrongPasswords-Howtochangeorresetyourpassword> if it is over a year old. Pick a strong password<http://kb.mit.edu/confluence/x/3wNt> so that it is less likely to be compromised.

Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.

This year, signing up for Duo (see article 1 above) is offered as an option during certificate renewal; next year, when certificates expire again, it will be required, including for students.


---------------------------------------------------------------
4. EVENT: BroCon ’15 Coming to MIT, Aug. 4-6
---------------------------------------------------------------

This year BroCon comes to the MIT campus. It takes place Tuesday through Thursday, August 4 - 6, at the Tang Center.

The conference gives the Bro community a chance to share experiments, successes and failures in understanding and securing networks. The program consists of talks and training sessions from the Bro development team as well as fellow users and enthusiasts.

Bro is a powerful network analysis framework that is relied upon operationally, in particular by many scientific environments, for securing their cyber-infrastructure. Bro’s user community includes major universities, research labs, supercomputer centers and open-science communities.

Learn more at bro.org<https://www.bro.org/community/brocon2015.html>


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
Communications Specialist
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu
tel: 617.253.2715






