Two-Factor Authentication With Duo

John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement for using two-factor authentication to log into systems and services at MIT. Two-factor authentication secures our data by limiting the risk of a password compromise, which in turn could allow a cyber attacker to access services limited to MIT users. Duo Security is the service IS&T is using to leverage two-factor authentication.

Services that you will need to use Duo for, beginning September 30, 2015, include:

  • Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
  • MIT’s VPN service
  • Remote access to systems supported by IS&T or located within IS&T data center facilities.

Students are excluded from this requirement until Summer 2016.

Two-factor authentication is used in addition to a username and password to prove you are authorized to log into a system. It is based on the principle of something you know (your username and password) and something you have (your phone or a hardware token). Users are first asked to authenticate with their username and password (considered the first factor) and then prompted to retrieve a code that is sent to their phone or designated device (considered the second factor).

The code can be sent to the Duo application on your smartphone; when it is received, you simply click on the message to OK it. No re-entering of the code is necessary. You can also have a non-smart phone or hardware token set up for Duo.

Although this second step requires dedicating a bit of extra time to logging into a system, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that time.

Learn more via the links below.

Using Duo Two-Factor Authentication (KB)

How do I log into MIT services that leverage Duo? (KB)

Register for Duo (sign up form)

Duo Memo (Letter to the Community)

“Stagefright” Security Hole in Android

The security bug Stagefright is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but for multi-media such as videos, sounds, and pictures. While it is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts” and the default configuration for these apps is to download MMS content in the background as soon as the messages arrive.

The bug allows shellcode to take control of your device when an infected MMS message arrives. This type of attack is known as remote code execution. Zimperium, the security company that found the bug, claims that 950 million devices may be at risk.

Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:

  • Ask your mobile carrier whether a patch is available.
  • If not, find out when you can expect it.
  • If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts allow this.)
  • Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here.

MIT Certificates Expire on July 31

If you haven’t done so already, be sure to renew your MIT personal web certificates and at the same time update your password (if the password is over a year old). Pick a strong password so that it’s less likely to be compromised.

Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.

This year, signing up for Duo Authentication (see above article) is added as an option, but next year when certificates expire it will be required, including for students.

EVENT: BroCon ’15 Coming to MIT, Aug. 4-6

This year, BroCon is coming to the MIT campus. It will be happening on Tuesday through Thursday, August 4 – 6 at the Tang Center.

This convention offers the Bro community a chance to share experiments, successes and failures to better understand and secure networks. The convention is composed of talks and training exercises from the Bro development team as well as fellow users and enthusiasts.

Bro is a powerful network analysis framework that many scientific environments in particular rely on operationally to secure their cyber-infrastructure. Bro’s user community includes major universities, research labs, and supercomputer centers, as well as open-science communities.

Learn more at bro.org

Adobe Security Patches Released so Far in July 2015

Adobe has posted multiple security advisories and updates for its products this month:

  • Adobe Flash Player: A Security Advisory (APSA15-03) was posted earlier this month regarding a critical vulnerability in Adobe Flash Player, affecting Windows, Macintosh and Linux. Adobe did take quick steps to fix the software. The details of the updates were posted in APSA15-16. A week later, another update was released via APSA15-18. To make sure you have the latest update, go to the About Flash Player page. If using Firefox, Flash may be disabled by default. If on Windows or Macintosh, you should be running version 18.0.0.209. If using Linux, you should be running version 11.2.202.491.
  • Adobe Acrobat and Reader: Adobe Acrobat X and XI and Reader X and XI have security updates (APSA15-15) for critical vulnerabilities. The latest version for Acrobat and Reader XI is 11.0.12 and for Acrobat and Reader X is 10.1.15.
  • Adobe Shockwave Player: A security update was released via a security bulletin (APSA15-17) for a vulnerability in Shockwave Player version 12.1.8.158 and earlier. The latest version of the player is version 12.1.9.159, available via the Shockwave Player Download Center.

In all cases, Adobe recommends users update their software to the latest versions. Read more about the Adobe Flash Player update in the news here.

Several big Internet players are calling for the retirement of Adobe Flash. Read that story in the news here.

Microsoft Security Updates for July 2015

On Patch Tuesday last week, Microsoft released 14 security bulletins (MS15-058, and MS15-065 through MS15-077) to address vulnerabilities in Microsoft products. Four of these are rated critical.

Systems affected include Microsoft Windows, Office, Internet Explorer and SQL Server. Read the story in the news (This article also includes more on the Adobe Flash issues mentioned above).

One of the critical bulletins, MS15-067, included a patch to address a remote code execution vulnerability in Remote Desktop (RDP).

To exploit the vulnerability, an attacker could send a specially crafted sequence of packets to a system running the RDP server service. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RDP is heavily used throughout MIT, and therefore IS&T recommends that patches be applied as soon as possible. If you have questions or need assistance, send email to the IS&T Help Desk or call 617.253.1101. You can also submit a request online.

Microsoft also released an out-of-band patch (MS15-078) this past Monday for all supported versions of Windows. It fixes a security bug in the way Windows handles custom fonts. The update is rated as critical.

Be sure to accept the updates as they occur, or go to the Windows Update site. You may need to restart your machine after installing patches.

Microsoft Ends Support for Windows Server 2003

Microsoft ended support of Windows Server 2003 on July 14, 2015. If you have machines still running Windows Server 2003, it is very important that you upgrade to Windows Server 2012 R2 and apply the latest patches from Microsoft to minimize security risks and comply with recent Massachusetts data regulations.

IS&T recommends that Windows users subscribe to the MIT Windows Automatic Update Service (MIT WAUS) to get the latest service packs and security patches. Visit the MIT WAUS article in the KB for detailed instructions on how to subscribe.

If you have questions or need assistance, send email to the IS&T Help Desk at helpdesk@mit.edu or call 617.253.1101. You can also submit a request online.

Learn more from Microsoft about migrating from Windows Server 2003.
