For Your Calendar: Free Webcasts from SANS

Do you have about an hour of free time and want to learn something new from experts in the security field? You can find free webcasts hosted by SANS.org through their upcoming webcasts page. Recent webcasts are archived. These are some of the topics, among others:

  • What’s in your software? Reduce risk from third-party and open source components (sponsor: Veracode)
  • Watering hole attacks: Detect end-user compromise before the damage is done (sponsor: AlienVault)
  • Zen and the art of network segmentation (sponsor: Tufin Technologies)
  • Ramping up your phishing program (special from SANS)
  • Be ready for a breach with intelligent response (sponsor: McAfee/Intel Security)

You have to log in to SANS.org to access the material. MIT is a member of SANS, so there is no cost. Much of the information in the Security FYI newsletter comes from SANS sources.

Video: Cybercrime Exposed

In this 2-minute video, Trend Micro educates about the ins and outs of phishing scams, what you might lose when you fall victim, and what you can do to stay protected. This cybercrime exposé specifically looks at a phishing operation that was in effect in Brazil during the 2014 World Cup. Criminals hosted phishing site templates, malware and the victims’ personal documents on an online sharing site. They lured victims into clicking their links, then stole their money.

Knowing the different tactics used by bad guys will help you avoid becoming a victim of cyber crime.

View the video on YouTube.

Updates on Disabling SSL 3.0

Due to the recent POODLE flaw, Apple will stop supporting SSL 3.0 for push notifications and switch to the TLS encryption standard. Apple announced on its developer site that it will make the switch on October 29.

The push notification service from Apple forwards notifications of third-party applications to iOS devices; it may include badges, sounds or custom text alerts. Apple notes that providers that only support SSL 3.0 will need to transfer to TLS as soon as possible to ensure the service continues to perform as expected.

Other vendors are also updating their services. Twitter has already notified users that it has disabled SSL 3.0 support.

Mozilla advised Firefox users to install a Mozilla security add-on that disables SSL 3.0. It will be disabling the old protocol in Firefox 34, the next version of its browser, by the end of November.

University of Michigan researchers have detailed how to disable SSL 3.0 for Internet Explorer and other sites.

Read the story online.

SSL 3.0 Vulnerability Discovered Last Week

A serious vulnerability against Secure Sockets Layer (SSL) version 3.0 has been discovered. This comes on the heels of several other (unrelated) vulnerabilities this year, including Heartbleed in April and Shellshock in September.

SSL is one of the protocols used to secure Internet traffic from eavesdroppers. SSL 3.0 is nearly 18 years old and obsolete, but most browsers and web servers still allow its use for compatibility with legacy browsers and/or servers.

This attack, nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows a man-in-the-middle — such as a malicious Wi-Fi hotspot — to extract data from secure web connections (also known as HTTPS). If successful, an attacker could gain access to online accounts by hijacking session cookies and bypassing the login mechanisms protecting certain accounts.

KB Article: Learn how you can deflect this attack.

Read more about it in the news.

NCSAM Events at MIT This Week

This week Information Systems & Technology is sponsoring two events on campus in support of National Cyber Security Awareness Month.

Thursday, Oct. 23, 12:00 – 1:30pm, in 37-252

Anonymity on the Go: The Possibilities and Problems of Tor on Mobile Devices. The speaker of this talk is Nathan Freitas, founder of the Guardian Project.

RSVP required.

Friday, Oct. 24, 10:00am – 2:00pm, in Lobby of Building 32

Shred IT! Paper as well as some electronic media will be collected and safely shredded. If you need to get rid of old hard drives, tapes, CDs or thumb drives, now is your chance.

Learn more about both of these events.

Microsoft Security Updates for October 2014

On Tuesday of last week, Microsoft released 8 security updates (3 critical and 5 important) to address 24 vulnerabilities in Windows, IE and Office, including a flaw in Windows and Windows Server 2008 and 2012 that is actively exploited as part of the Sandworm Team attacks. The updates include fixes for a pair of critical flaws in the Windows kernel that could be exploited to execute code.

These patches have been approved for deployment via MIT WAUS (Windows Automatic Update Services).

Read the story online.

Patch Issued for Drupal Vulnerable to SQL Injection

I am passing along this security alert coming from Security SIG:

A nasty SQL injection vulnerability has been disclosed in Drupal that allows an anonymous user to execute code and manipulate and/or delete stored data. Exploits are currently being used and posted.

This affects all versions of Drupal 7 prior to 7.32. It is strongly recommended that all those running Drupal 7 upgrade to core 7.32.

More information can be found here https://www.drupal.org/SA-CORE-2014-005 and here https://www.drupal.org/node/2357241.

The IS&T-managed Drupal Cloud service was patched last week.

If you know other system admins and/or departments that are responsible for running Drupal, we kindly ask that you pass this message along to them.

Read the story online.
