Personal Certificates Renewal Time

Every year at MIT personal web certificates expire on July 31. Renewal is not automatic, so for continued access to MIT’s secure web applications, such as Atlas, WebSIS, COEUS Lite, and ePaystubs, be sure to renew your certificate.

When you obtain your personal certificate, if you haven’t changed your password for over a year, you will be prompted to do so as an additional security measure. You may want to review password strength requirements before choosing a new one.

Certificates obtained after June 30, 2014 are valid until July 31, 2015.

A Year After Sophos Was Released to MIT

There are over 14,000 MIT computers currently running Sophos Anti-Virus. Computers include those in the WIN domain and self-administered MIT hosts. If you aren’t familiar with Sophos, when installed, the software runs in the background, with little to no interruption to your work. When Sophos finds an infected file, the software alerts you and locks the file. You can delete the file using the Sophos Quarantine Manager. Because the client communicates with the Sophos Management Console (administered by IS&T), various useful pieces of information, such as the status and health of the Sophos client on a machine, are provided to the console.

Oracle Critical Patch Updates for July

This month’s Oracle Patch Update provides 113 new security fixes across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products.

The Toughest Job in the Business World?

A recent NY Times article reports on the profession of the chief information security officer (CISO). This profession, which didn’t exist only a few generations ago, is not considered to be for the fainthearted. As the article describes, CISOs must stay one step ahead of the criminal masterminds and keep close tabs on leaky vendors and reckless employees. In addition to putting out virtual fires and protecting data, they must also be skilled at communications and be experts in sophisticated technology.

Read the story in full at the NY Times.

Flash Player Updates & Microsoft Security Updates


Due to recent security vulnerabilities in Flash Player, Adobe has released version ( for Linux) this week for all platforms. All operating systems running the now out-of-date versions are vulnerable, and updating to the latest version is recommended. Additionally, because of the severity of these vulnerabilities, Apple has blocked all out-of-date Flash Player plug-ins for OS X.

From Apple: “Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player and”

Install or check your version of Flash Player in your browser here.

For assistance, contact the Help Desk at 617.253.1101 or You can also submit a request online.


Last week on Patch Tuesday, July 8th, Microsoft released six updates to address 29 security vulnerabilities.

Systems affected:

  • Internet Explorer (all supported versions)
  • Microsoft Windows (all supported versions)

There was also updated firmware for all Microsoft Surface tablets, labeled “System Firmware Update – 7/8/2014,” available via Windows Update, addressing various hardware issues.

Read the story in the news.

Microsoft Revokes Unauthorized Certs

Microsoft has issued an emergency update to revoke 45 of the unauthorized certificates from National Informatics Centre (NIC) of India. The updates revoke trust in three intermediary certificates from NIC so that all domain certificates, including some legitimate ones, will be invalid.

“These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties,” a Microsoft advisory warned. “The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.”

The update will be automatically delivered to PCs running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Phone 8, and Phone 8.1.

Users running Windows 7, Vista, Server 2008, and Server 2008 R2 may or may not have the automatic updater installed. See the Microsoft KB article 2677070 for details. Administrators can find details in the KB article 2813430.

There is presently no way to revoke the certificates for Windows 2003.

Read the story in the news.

The Do’s and Don’ts of Email

The July issue of OUCH!, led by Guest Editor Dr. Eric Cole, discusses how we can be our own worst enemy when using email, including accidentally emailing the wrong people, not understanding the difference between “cc” and “bcc” and the dreaded “reply all.”

Download the July issue of OUCH! (pdf) and feel free to share with colleagues.

Also, what should you do about all that spam? Here’s a video created by IS&T with some tips on how to keep unwanted emails at bay.

