The Next Security SIG Lunch: December 18, 12:00 – 1:30 pm

The next Security SIG lunch has been scheduled and we invite you all to join us. What is Security SIG?

Topic: OS Hardening Best Practices
When: Thursday, December 18, 12:00 – 1:30 pm
Where: Room W92-Back Bay

Food will be served. Please RSVP at security_sig_events@mit.edu so we can get a head count for food.

Hardening a system often means configuring and fortifying it. It is the process of securing a system by reducing its surface of vulnerability; the more functions a system fulfills, the larger that surface. Hardening can also mean tightening security during the design and construction of a system. The area of hardening can be vast, and includes ideas such as least privilege, mandatory access control, role-based access control, a read-only file system, intrusion prevention and detection, firewalls, logging, and more.

You can shape the dialog of this lunch-time meeting by letting us know what you’re most interested in hearing about. Please take this quick 3-question survey (links to www.surveymonkey.com) so we can make sure the content of the talk addresses your interests on the topic of OS hardening best practices. Thank you.

MIT is Part of Initiative on Cybersecurity Policy

MIT will be part of an initiative, sponsored by the Hewlett Foundation, to create a smart, sustainable cybersecurity policy against the growing cyber threats faced by governments, businesses and individuals.

This is the largest-ever commitment to cybersecurity by academic organizations. MIT will be heading the Cyber Policy Initiative (CPI), one of three new academic initiatives, to establish quantitative metrics and qualitative models to help inform policy makers. Stanford University and the University of California at Berkeley are the other two academic institutions involved in the effort.

Read the full story at the MIT News site.

IAP Session on Cybersecurity 101

January 23, 1:00 – 2:00 pm
Room: 1-150

Cybersecurity plays a role in everyone’s lives. It can affect family, friends and your colleagues. It is critical to understand how to be safer with today’s online threats.

Roy Wattanasin from MIT Medical is offering an IAP class on cybersecurity. This one-hour introductory session helps you to understand more about the topic. Hear from information security professionals about their thoughts and recommendations on these topics: The threat landscape, lifecycle of an attack, Advanced Persistent Threats (APTs), passwords, and social engineering. Bring your questions and feel free to invite colleagues.

Please contact Roy Wattanasin for questions. No advance sign-up required.

Recent Critical Vulnerability Alerts from Microsoft

Last week on Patch Tuesday, four critical vulnerabilities were disclosed and addressed by Microsoft in Security Bulletins MS14-064, MS14-065, MS14-066 and MS14-067.

Let’s follow up on two of the more severe of these:

MS14-064: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability

This bulletin refers to two vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS14-066: Microsoft Secure Channel (Schannel) Vulnerability

A critical vulnerability in all supported Microsoft Windows systems could allow a remote attacker to execute arbitrary code (download malware) via specially crafted network traffic. Schannel is a security package that provides SSL and TLS on Microsoft Windows platforms. In order to exploit the vulnerability, an attacker would need to control a malicious Web page with exploit code and have users visit it. According to Microsoft’s bulletin, there are no known mitigations or workarounds, but the patch released last week addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. Johannes Ullrich of the SANS Institute recommends patching as soon as possible: “My guess is that you probably have about a week, maybe less, to patch your systems before an exploit is released.”

Solution:

Be sure to install the updates released last week by Microsoft on your Windows computer. Managed Windows machines and subscribers of MIT WAUS have received the patches already. You may be required to restart your computer after the installation.

Both vulnerabilities are explained in more detail in this news article.

Adobe Issues Updates for Flash Player and AIR

Adobe has released updates for its Flash Player and AIR to address 18 security flaws. Updates are available for Windows, Mac, and Linux. The most current version of Flash is now 15.0.0.223; the most current version of AIR for Windows, Mac, and Android is now 15.0.0.356. Windows users who run browsers other than Internet Explorer (IE) may need to update twice: once for IE and once for the other browser.

Read the full story in the news.

Ready for Cyber Monday?

Cyber Monday is the Monday after Black Friday and refers to the marketing efforts by companies to persuade their customers to shop online. This year Cyber Monday falls on December 1. It usually becomes the biggest online shopping day of the year.

Ways you can protect yourself during Cyber Monday:

  1. Shop using a credit card rather than a debit card, to protect yourself from fraud.
  2. Use strong passwords and a password manager, either by storing the passwords somewhere safe in your home or putting them into an electronic password manager, such as LastPass or OnePass.
  3. Shop on trustworthy sites.
  4. Make sure your computer has a secure firewall, the most recent updates installed, and is running anti-virus software.
  5. Don’t respond to emails or phone calls that seem “phishy,” often claiming an issue with your account or offering a deal that sounds too good to be true.
  6. Make sure that when you make your online purchase, the web address begins with “https” and shows a lock symbol with the URL.

Additional tips can be found in this IS&T news article.

Microsoft Security Updates for November 2014

Microsoft issued 16 security bulletins on Tuesday, November 11. Five of the bulletins were given critical ratings.

Systems affected:

  • Windows
  • Office
  • Microsoft .NET Framework
  • Microsoft Server Software
  • Internet Explorer

The updates will be available through the normal Windows Update process.

Read the full story online.
