Anthem Data Breach

If you are on the MIT Health Plan, you may have received an email from MIT Medical and MIT Benefits regarding the Anthem Data Breach. Anthem was the target of a sophisticated cyber attack that exposed personal data on almost 80 million customers. Read the news story here.

Attackers may have been able to access personal information from current and former members of Anthem and Blue Cross and Blue Shield (BCBSMA) insurance companies, including names, medical IDs, social security numbers, street addresses, email information and employment information, but no financial data.

The message from MIT outlines the impact this breach may have on current or former MIT members or their families who were or are on the MIT Health Plan. Only those who have received care in the fourteen states listed here could be affected.

If Anthem and/or BCBSMA believe you have been affected, they will contact you directly. Further information has been posted on the Anthem website.

The FBI says that it is “close” to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is “absolutely sure.” Read the news story here.

Firefox 36 Fixes Critical Flaws

Mozilla has released Firefox 36, which includes fixes for 17 security issues. Three of the flaws are considered critical. The newest version of the browser also supports the HTTP/2 protocol. Read what’s new in this version of Firefox here.

The big emphasis in Firefox 36 is in the area of Web security. Starting with Firefox 36, Mozilla is now phasing out a number of 1,024-bit root certificates that are used for Web encryption. The move is part of a planned migration toward more secure encryption certificates that use 2,048-bit or higher encryption keys.

Also as part of Firefox 36, the browser is no longer accepting insecure RC4 encryption ciphers. RC4 at one point was a widely deployed encryption technology, but it has been shown to be theoretically exploitable.

Read the news story here.

Superfish Adware Put Lenovo Users at Risk

Per an article by ArsTechnica last week, Lenovo is selling computers with adware preinstalled that hijacks encrypted web sessions, making users vulnerable to HTTPS man-in-the-middle attacks.

The adware comes from a company called Superfish, designed to inject ads into web pages. But it is more nefarious than that. The software literally acts as a middle man, standing between you and the sites you visit. It does this by installing a self-signed root certificate authority (CA) into your browser that can intercept traffic for every HTTPS website you visit, allowing an attacker to spoof websites you log into.

According to a statement by Lenovo, the software was only installed on machines that shipped between September and December of last year and was removed in January. The statement also mentions that Superfish has disabled server side interaction since January, so that the product is no longer active.

This issue with Superfish was overlooked until last week. This week, Microsoft updated Windows to remove the Superfish software (learn more in the article below: “Microsoft Security Updates for February”). Lenovo has also issued a tool that removes the software.

This test will tell you if you have a problem with Superfish.

Read the Superfish story in the news.

Read the US-CERT alert.

Microsoft Security Updates for February

As mentioned in the previous article, Microsoft has updated Windows to detect the Superfish software that comes preinstalled on Lenovo computers. Windows Defender is now actively removing the software and will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order. Users should update their version of Windows Defender and scan as soon as possible. Learn more.

Microsoft released nine bulletins for February on Patch Tuesday (MS15-009 through MS15-017). Systems affected are Microsoft Windows, Office, Internet Explorer and Server Software.

The security update for Internet Explorer patches 41 vulnerabilities. Be sure to accept the updates as they occur, or go to the Windows Update site.

Safety While Traveling

Staying Secure on the Road” (.pdf) is the topic for this month’s OUCH! newsletter. In this issue, you can learn how to securely connect to the Internet and get things done while Traveling. Written by Steve Armstrong, Technical Director of CyberCPR at Logically Secure.

Feel free to share this issue with colleagues who are or will be traveling this year. View a copy here (.pdf)

MIT also provides a list of great tips for those traveling with technology in the KB article Technology Tips for Travelers.

National Webcast: Emerging Trends and Threats for 2015

Steven Hurst of AT&T’s Global Customer Security Services will be presenting this month’s national webcast hosted by MS-ISAC.

Tune in on February 11th (free registration) to hear him speak about:

  • The evolution of how we communicate and what we communicate with.
  • How these changes in technology change the way we need to view the protection of data for consumers and organizations.
  • Expectations for highly probable cyber threats for 2015 and how emerging technologies will impact our risk profiles.

Learn more about this webcast or register to attend.

The Secret Life of Passwords

This rather long but very interesting NY Times article discusses what our passwords mean to us. Some people describe them as cryptic poetry, some passwords hold meaningful memories or reminders, some are playful, others dark and serious.

It’s a fascinating read if you have the time.


Get every new post delivered to your Inbox.

Join 72 other followers