Sophos AV Ends Support for Mac OS X 10.6 and 10.7

Sophos Anti-Virus is ending support for Mac OS X 10.6 (Snow Leopard) and 10.7 (Lion) on October 31, 2015. Computers running those operating systems will stop receiving Sophos updates after that date. Information regarding this change can be found at:

https://www.sophos.com/en-us/support/knowledgebase/122477.aspx

Apple stopped releasing security updates for both OS X 10.6 (in February 2014) and 10.7 (in September 2014), so continuing to run computers with those operating systems on the network is not recommended. IS&T strongly encourages you to upgrade those machines to the latest Mac OS if possible to ensure that they are protected.

As always, MIT users who need help or have questions can contact the IS&T Help Desk at 617.253.1101 or helpdesk@mit.edu, or submit a request online.

Two-Factor Authentication With Duo

John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement for using two-factor authentication to log into systems and services at MIT. Two-factor authentication secures our data by limiting the risk posed by a password compromise, which could otherwise allow a cyber attacker to access services limited to MIT users. Duo Security is the service IS&T is using to provide two-factor authentication.

Services that you will need to use Duo for, beginning September 30, 2015, include:

  • Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
  • MIT’s VPN service
  • Remote access to systems supported by IS&T or located within IS&T data center facilities.

Students are excluded from this requirement until Summer 2016.

Two-factor authentication is used in addition to a username and password to prove you are authorized to log into a system. It is based on the principle of something you know (your username and password) and something you have (your phone or a hardware token). Users are first asked to authenticate with their username and password (considered the first factor) and then prompted to retrieve a code that is sent to their phone or designated device (considered the second factor).

The code can be sent to the Duo application on your smartphone; when it is received, you simply click on the message to OK it. No re-entering of the code is necessary. You can also have a non-smart phone or hardware token set up for Duo.

Although this second step requires dedicating a bit of extra time to logging into a system, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that time.

Learn more via the links below.

Using Duo Two-Factor Authentication (KB)

How do I log into MIT services that leverage Duo? (KB)

Register for Duo (sign up form)

Duo Memo (Letter to the Community)

MIT Technology Review: Cyber Espionage Nightmare

An article featured on MIT Technology Review covers the disturbing state of corporate cyber espionage. According to the article, agents from China are wanted for allegedly hacking into networks at American companies, stealing emails about business strategy, documents and other information, all to benefit Chinese companies.

Although it seems unlikely that any arrests will be made in the case the US has made against these perpetrators, it does provide American companies with some valuable lessons. They are less likely to keep valuable information online, even if that information is “secured.” The clearest response is also the most drastic: unplug.

Read the full story at MIT Technology Review.

Anthem Data Breach

If you are on the MIT Health Plan, you may have received an email from MIT Medical and MIT Benefits regarding the Anthem Data Breach. Anthem was the target of a sophisticated cyber attack that exposed personal data on almost 80 million customers. Read the news story here.

Attackers may have been able to access personal information from current and former members of Anthem and Blue Cross and Blue Shield (BCBSMA) insurance companies, including names, medical IDs, social security numbers, street addresses, email information and employment information, but no financial data.

The message from MIT outlines the impact this breach may have on current or former MIT members or their families who were or are on the MIT Health Plan. Only those who have received care in the fourteen states listed here could be affected.

If Anthem and/or BCBSMA believe you have been affected, they will contact you directly. Further information has been posted on the Anthem website.

The FBI says that it is “close” to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is “absolutely sure.” Read the news story here.

The Importance of Multi-Factor Authentication

Over the past year, several university employees around the country were targeted by successful phishing attacks.

Cyber criminals sent emails to employees, appearing to come from their university, that warned them about an issue requiring them to log in to their employee portal. When the employees clicked the link to what appeared to be their university’s legitimate login portal, they landed on a page that was hosted by the criminals. Criminals were able to successfully use the victims’ credentials to modify direct deposit information so that salaries could be re-routed to an account they controlled.

These types of attacks, called phishing attacks, are an attempt to steal login credentials, and as a result, gain access to your online accounts. This is how they are able to take your money or your sensitive information. With your credentials in hand, they can behave online as if they were you.

One way of defeating this type of fraud is for online systems to require an additional factor for authentication. This factor should be something the attacker has no way of accessing. It will prevent an attacker from pretending to be you, even if they have accessed your credentials.

Factors in authentication are:

  • something the user “is” such as a fingerprint
  • something the user “knows” such as a password
  • something the user “has” such as a smartphone.

In direct response to these attacks, a new feature has been added to Atlas, in addition to the web certificate authentication that is already in place. It requires users to enter the last four digits of their Social Security Number to better authenticate their identity when accessing their personal sensitive information. 

Multi-factor technology called Duo Security will be added to Touchstone and in the future will be required when users access critical MIT services and applications. This feature is not yet available to the MIT community.

Read the full story in IS&T News

REN-ISAC Advisory: University Payroll Theft Scheme (.pdf)

Apple Issues iCloud Security Advisory

Last week Apple issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud, saying they should never enter login information into websites that present certificate warnings.

Learn to verify that your browser is securely connected to iCloud.com

What Happened in the JP Morgan Chase Breach?

According to news released last Thursday, 76 million household accounts and 7 million small businesses were affected by a breach that occurred earlier this year. JP Morgan Chase is one of the oldest, best-known and largest financial institutions in the world. The cyber attack leaked names, addresses, phone numbers and email addresses. There is no evidence yet of passwords, sensitive personal information, or account information being stolen.

The bank discovered the intrusion on its servers in mid-August and believes the breach may have begun as early as June, a spokesperson for the bank has said. They have “identified and closed all known access paths.” It is possible that the original access was gained by obtaining a password from an employee.

In a post on their website, they told customers there’s no need to change their password or account information. No cards will be reissued.

Because email addresses were accessed by the hackers, beware of any phishing emails; don’t click on links from email addresses you don’t know, or on links inside messages that look like they might come from Chase or another trusted source but were received unexpectedly.

Read the full story in the news.