LastPass Network Breach

On June 15, 2015, LastPass sent out a notice to its customers regarding suspicious activity on its network. The details of the activity are posted here.

LastPass Enterprise is a password management system that will be rolled out to the MIT community this summer. LastPass Enterprise provides access to stored data and passwords via Windows, Mac OS X and mobile native clients, as well as via any web browser. It is a convenient solution to the password problem for teams and adds features such as shared password folders and secure notes.

You can find information about LastPass Enterprise via the MIT LastPass FAQ. Note that LastPass Enterprise for MIT includes two-factor authentication using Duo, which provides an added layer of security for your account.

See the KB for answers to questions you may have about the LastPass security breach.

EVENT: Security SIG lunch on July 15

Please join us for free lunch and a talk on lessons learned from some of the biggest breaches in the healthcare industry.

Lessons Learned from the top Healthcare Information Security Breaches
Speaker: Roy Wattanasin, MITM (MIT Medical)

The FBI has warned that hackers are targeting, or will target, your organization. 2014 was a rough year for data security, especially in the healthcare industry: according to the Ponemon Institute, about 43 percent of breaches occurred in healthcare. 2015 has been a trickier year still, with one of the largest healthcare information breaches reported to date.

This talk highlights and walks through the top 2015 healthcare information security breaches (using public information). It gives an overview of the healthcare information landscape, covers the laws/regulations and offers recommendations to prevent these kinds of breaches whether you are in healthcare or another industry.

Where: W20-407
When: Wednesday, July 15, 2015, 12:00 – 1:30 pm, includes free lunch
How to sign up: Please email

We hope to see you there!

If you haven’t yet joined the IT Security Special Interest Group mailing list, please subscribe here.

Recent Security Flaws and Updates

Drupal

Updates for the Drupal content management system are available. The Drupal security team’s advisory describes one critical and three “less critical” vulnerabilities that the updates address. The critical flaw lies in Drupal’s implementation of OpenID; it allows attackers to log in to websites as administrators. The issues affect Drupal versions 6 and 7.
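The practical question for anyone running Drupal is whether each site is already on a release that carries the fix. The script below is an added example, not code from the newsletter or from the Drupal project: it reads the `VERSION` constant that Drupal core defines in its source (includes/bootstrap.inc on Drupal 7, modules/system/system.module on Drupal 6) and compares it with the first fixed release of each branch. The fixed release numbers (7.38 and 6.36, from Drupal security advisory SA-CORE-2015-002 of June 17, 2015) and the sample site contents are assumptions of the example; confirm the numbers against the advisory before relying on them.

```python
import re

# Drupal core stores its version as a PHP constant, for example:
#   Drupal 7: includes/bootstrap.inc          define('VERSION', '7.37');
#   Drupal 6: modules/system/system.module    define('VERSION', '6.35');
VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"](\d+)\.(\d+)[^'"]*['"]\s*\)"""
)

# First releases carrying the fix for the OpenID impersonation flaw
# (Drupal security advisory SA-CORE-2015-002, June 17, 2015).
# Example assumption: confirm these against the advisory before relying on them.
FIXED_RELEASE = {6: (6, 36), 7: (7, 38)}


def parse_version(source):
    """Return (major, minor) from a Drupal core file's VERSION define, or None."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def status(version):
    """'update' if older than the fixed release, 'ok' if not, 'unknown' if no judgement is possible."""
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASE.get(version[0])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory (e.g. a Drupal 8 beta)
    return "update" if version < fixed else "ok"


def audit(sites):
    """Map site name -> status for {name: contents of the version-bearing core file}."""
    return {name: status(parse_version(src)) for name, src in sites.items()}


# Constructed sample input standing in for the contents of each site's core file.
SAMPLE_SITES = {
    "intranet": "<?php\ndefine('VERSION', '7.37');\ndefine('DRUPAL_CORE_COMPATIBILITY', '7.x');\n",
    "alumni": "<?php\ndefine('VERSION', '7.38');\n",
    "archive": "<?php\ndefine('VERSION', '6.35');\n",
    "sandbox": "<?php\ndefine('VERSION', '8.0.0-beta11');\n",
    "mystery": "<?php\n// no VERSION constant in this file\n",
}

if __name__ == "__main__":
    for name, result in sorted(audit(SAMPLE_SITES).items()):
        print(f"{name:10s} {result}")
```

To run it against real sites, replace the sample dictionary with the contents of each docroot's core file; any site reporting `update` should be patched, and an `unknown` result means the file could not be classified and should be checked by hand.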

Samsung Galaxy Smartphones

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that blocks exploitation of the vulnerability. Phones that are not running Knox will have to wait until a firmware update is ready. See Krebs on Security for this story and the Apple KeyChain story below.

Apple KeyChain

A security flaw (a zero-day bug) in Apple’s OS X and iOS could be exploited to steal information from the Apple keychain and from applications. The problem lies in the operating systems’ application sandboxes and can be exploited by specially created apps. Read the full story in the news.

Microsoft Security Updates for June 2015

On Patch Tuesday last week, Microsoft released eight security bulletins (MS15-056 through MS15-064). Two are labeled critical, but four address remote code execution vulnerabilities that an attacker could use to take control of a user’s machine.

Systems affected include Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Exchange Server. The security update for Internet Explorer fixes 24 vulnerabilities in the browser.

Be sure to install the updates as they are offered, or go to the Windows Update site to get them. You may need to restart your machine after installing patches.

Read the story in the news.

MIT Technology Review: Cyber Espionage Nightmare

An article featured on MIT Technology Review covers the disturbing state of corporate cyber espionage. According to the article, agents from China are wanted for allegedly hacking into networks at American companies, stealing emails about business strategy, documents and other information, all to benefit Chinese companies.

Although it seems unlikely that any arrests will be made in the case the US has brought against these perpetrators, it does offer American companies some valuable lessons. They are now less likely to keep valuable information online, even if that information is “secured.” The clearest response is also the most drastic: unplug.

Read the full story at MIT Technology Review.

EVENT: State of Cybersecurity Today Webcast

Register for a free webcast hosted by MS-ISAC, occurring on Wednesday, June 24th, 3:00 – 4:00pm EST:

The State of CyberSecurity Today: How Far We Have Come & Where We Are Going
Presenter: Jeff Man, Tenable Network Security

This session provides a little history based on the presenter’s 20 years of experience in internet security. It explores how far we’ve come, the new and emerging challenges we face, and why old challenges continue to haunt security operations across the public and private sectors. It will dig into why we’re plagued by persistent issues, the factors driving cyber threats and what we can do to minimize their impact. It will look at information security policies, the role of compliance, and how no amount of “silver bullet” solutions are a substitute for sound processes that help increase the effectiveness of state, local, tribal and territorial government cybersecurity practices.

Save your seat by registering today.

The Cyber Generation Gap

The May issue of OUCH!, led by Guest Editor Brian Honan, focuses on securing the cyber generation gap. Many of us have family members who are not technically savvy and are intimidated by security. This newsletter explains how you can help those family members and any children who may be visiting them.

Feel free to share OUCH! with anyone you want, including family, friends or as part of your security awareness program.

Download the issue here (.pdf)
