Status of Heartbleed at MIT

Last week after the OpenSSL issue was discovered, IS&T took measures to protect systems at MIT affected by the vulnerability. What exactly has happened or is still happening?

This article lays it out in detail. You may also find answers to some of your questions at the first KB article that recorded the vulnerability.

If you have any further questions or concerns, please contact the Help Desk at helpdesk@mit.edu.

If you need assistance with finding a vulnerable host on the MIT domain, please contact security@mit.edu.

Lessons Learned from Heartbleed

Now that the world is aware of the Heartbleed Bug, and scrambling to fix servers, routers, virtual machines and VPNs, what are some lessons we, as web surfers, can take away from this security disaster?

  1. Don’t use your passwords in multiple places. When setting strong passwords, it might be tempting to use that strong password in multiple places. But if one of the web sites where it is used gets compromised, then all the accounts that use that password become vulnerable to exposure.
  2. Change your password at least once a year, and immediately after a site you use announces a breach. Even when you’ve set a strong password, an event like the Heartbleed Bug, where data captured from an affected site includes your login credentials, means your password is now potentially exposed. If you change your password on a regular basis, a password stolen earlier becomes outdated and useless. One caveat for Heartbleed specifically: wait until the site confirms it has patched before changing your password there, because a new password entered on a still-vulnerable server is just as exposed as the old one.
  3. Use multi-factor authentication where available. A password can be guessed if it isn’t strong enough, or recovered offline with cracking tools that try millions of candidates per second. But when a site offers two-factor or multi-factor authentication, a login name and password alone aren’t enough. The thief would also need a second factor, usually a one-time code, which you can have sent to your mobile phone or generated by an app on it. Without that code, your user name and password are useless.
  4. Password managers can be our friends. A tool such as LastPass or KeePass manages your passwords for you, so you don’t have to remember them. When you don’t have to remember a password, you can make it as complex as you like and can access it as needed. In addition, tools such as LastPass have security features built in, so that if there is any vulnerability regarding a password, you will be notified.
  5. Be very, very suspicious of emails asking you to verify an account. Because cyber thieves now know that people are concerned about this vulnerability, they are going to take advantage of people’s fears. They will try to trick you via a phishing email by telling you your account is at risk if you don’t take action, then suggesting you click a link that goes to an affected or bogus site where they can capture your login information.

Safe computing is all about knowledge and changing behavior. If this disaster has taught us anything, I hope it has been that we are more aware of the risks and will change some of the ways we use a computer and the Internet.

Seven Heartbleed Myths Debunked

An article by readwrite.com debunks 7 of the major myths going around about the Heartbleed Bug.

The top 7 myths:

  1. Heartbleed is a virus
  2. The bug only affects web sites
  3. Hackers use it to remote control your phones
  4. Windows XP users are screwed because Microsoft abandoned them
  5. All of our banks are open for heart bleeding
  6. My site/service isn’t at risk, or I patched, so I’m safe now
  7. The NSA has been using Heartbleed to spy on us

Much of this misinformation is going around as news reports come out. Learn about what is true and what isn’t.

For Fun: XKCD on Heartbleed

Heartbleed and How the Heartbleed Bug Works

April 2014 Security Updates from Microsoft

Today, April 8, Microsoft is releasing four new security bulletins, two of them rated critical. Affected Microsoft products:

  • Windows (all current operating systems and servers)
  • Internet Explorer (all supported versions)
  • Microsoft Word and Office for Mac
  • Microsoft Publisher 2003 and 2007

It is recommended to accept the updates. MIT WAUS subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.

One of the bulletins released today addresses the RTF (Rich Text Format) hole in Word (CVE-2014-1761), on all supported platforms, including on the Mac.

Serious OpenSSL Vulnerability

This week a serious vulnerability in the OpenSSL cryptographic software library was disclosed. The weakness, dubbed the Heartbleed Bug (CVE-2014-0160), lets an unauthenticated remote attacker read memory belonging to the process that uses OpenSSL, up to 64 KB per request and with no limit on the number of requests. That memory may contain private keys, user credentials, session cookies or other sensitive information.

OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).

Fixes

Vendors are releasing patches to address this vulnerability. OpenSSL 1.0.1 through 1.0.1f are affected and the fix shipped in 1.0.1g; most Linux distributions have backported the fix to their existing 1.0.1 packages without changing the version number, so check the package changelog or build date rather than the version string alone. Consult your vendor and patch immediately, then restart every service that had the old library loaded: a patched library on disk does nothing for a process that is still running the old code.

In high-risk areas (e.g. systems handling protected or regulated data) assume the private key was exposed. After patching, generate a new key pair, have the certificate reissued from the new key, revoke the old certificate, and then invalidate existing sessions and ask users to change passwords. Doing any of this before the host is patched only exposes the new secrets as well. Some Certificate Authorities may charge a fee to issue a new certificate.

What is the risk?

This bug can expose large amounts of sensitive data to attackers. Exploitation leaves no trace in ordinary server logs, because a heartbeat message is handled inside the TLS layer and never reaches the application, so the absence of evidence does not mean a vulnerable host was not attacked. Treat the exposure as real.

In a worst-case scenario a leaked private key lets an attacker impersonate the service at will and decrypt current traffic. Past, recorded traffic is also at risk for sessions that used RSA key exchange; sessions negotiated with forward-secret cipher suites (ephemeral DH or ECDH) cannot be decrypted from the leaked key alone, which is one more reason to prefer those suites.
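To make the memory leak described above concrete, here is an added example (not IS&T’s code and not OpenSSL’s source) that models the TLS heartbeat handler behind Heartbleed. A heartbeat record is one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable handler echoed back as many bytes as the sender declared without checking that the record actually contained them, so the reply was filled from whatever followed the record in the process’s memory; the fixed handler applies the bounds check the OpenSSL 1.0.1g patch added. The single-array “arena”, the function names and the stand-in secret are this example’s own assumptions, chosen so the over-read stays inside one buffer and the demo is free of undefined behaviour.

```c
/* Added example (not IS&T's or OpenSSL's code): a stripped-down model of
 * the TLS heartbeat handler behind Heartbleed (CVE-2014-0160). Arena
 * layout, function names and the stand-in secret are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520 minimum padding */
#define HB_HDR      3           /* type byte + 2-byte payload length */

/* Stand-in for process memory: the received record sits at the start and a
 * secret (think private key, cookie, password) happens to follow it. Keeping
 * everything in one array reproduces the over-read the real bug performed on
 * the heap without this demo itself reading out of bounds. */
static unsigned char arena[512];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----"; /* constructed */

/* Build the reply: header with type RESPONSE, echoed payload, padding. */
static int build_reply(const unsigned char *rec, int payload_len,
                       unsigned char *out, size_t out_cap) {
    if ((size_t)(HB_HDR + payload_len + HB_PADDING) > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);   /* the over-read, if any */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING); /* padding zeroed here */
    return HB_HDR + payload_len + HB_PADDING;
}

/* Pre-1.0.1g behaviour: trust the declared length. Returns reply length or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    int payload_len = (rec[1] << 8) | rec[2];
    /* BUG: payload_len is never compared with rec_len. */
    return build_reply(rec, payload_len, out, out_cap);
}

/* 1.0.1g behaviour: discard the request if its declared payload plus padding
 * does not fit inside the bytes actually received (RFC 6520 section 4). */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < (size_t)(HB_HDR + HB_PADDING) || rec[0] != HB_REQUEST) return 0;
    int payload_len = (rec[1] << 8) | rec[2];
    if ((size_t)(HB_HDR + payload_len + HB_PADDING) > rec_len) return 0; /* silently discard */
    return build_reply(rec, payload_len, out, out_cap);
}

/* Place a request carrying ONE real payload byte that claims `claimed` bytes,
 * followed by the secret. Returns the record length the record layer saw. */
size_t build_scenario(unsigned claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'A';                                  /* the only genuine payload byte */
    size_t rec_len = HB_HDR + 1 + HB_PADDING;        /* 20 bytes on the wire */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* adjacent "heap" contents */
    return rec_len;
}

/* 1 if the vulnerable handler's reply to a 64-byte claim contains the secret. */
int vulnerable_leaks_secret(void) {
    unsigned char reply[256];
    size_t rec_len = build_scenario(64);
    int n = heartbeat_vulnerable(arena, rec_len, reply, sizeof reply);
    for (int i = 0; n > 0 && i + (int)sizeof SECRET <= n; i++)
        if (memcmp(reply + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}

/* Reply length from the fixed handler for the same kind of request; 0 = discarded. */
int fixed_reply_len(unsigned claimed) {
    unsigned char reply[256];
    size_t rec_len = build_scenario(claimed);
    return heartbeat_fixed(arena, rec_len, reply, sizeof reply);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, 64-byte claim on 1-byte payload: %d bytes (0 = discarded)\n",
           fixed_reply_len(64));
    printf("fixed handler, honest 1-byte request: %d bytes\n", fixed_reply_len(1));
    return 0;
}
```

The attacker controls only the two length bytes, which is why a single request can pull up to 65,535 bytes and why repeating the request harvests different memory each time; the fixed handler’s check compares the declared length against the length the record layer actually delivered, which is the one value the sender cannot forge.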

If you require any assistance, please contact security@mit.edu.

Read the full story online.

Windows XP Final Fixes Released

Today’s security updates from Microsoft include the final fixes for Windows XP and Office 2003. Today marks the end of an era: Windows XP was first rolled out in 2001 and was for years the most widely adopted desktop operating system.

As users migrate to the newer operating systems, there will still be some organizations and individuals who run older systems and can’t yet upgrade. As a result, organizations will continue to struggle with left-over Windows XP boxes on their networks, leaving them open to vulnerabilities and exploits. The market for exploits will therefore remain into the foreseeable future and it is recommended to keep network-based intrusion prevention solutions tuned to blocking exploits, even those against Windows XP.

If you must keep a Windows XP-based system running, disconnect it from the Internet and, where possible, isolate it on its own network segment. Keep in mind that it is not only Windows XP that is being retired: the software running on it, such as Internet Explorer and Word 2003, will no longer receive updates for Windows XP either. Run up-to-date anti-virus software on any XP machine that remains.

If you are still running Windows XP and want to figure out what to do now, this article has some helpful tips for the current Windows XP user.
