MIT Certificates Expire on July 31

If you haven’t done so already, be sure to renew your MIT personal web certificates and at the same time update your password (if the password is over a year old). Pick a strong password so that it’s less likely to be compromised.

Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.

This year, signing up for Duo Authentication (see the article above) is offered as an option; by the time certificates expire next year it will be required, including for students.

EVENT: BroCon ’15 Coming to MIT, Aug. 4-6

This year, BroCon is coming to the MIT campus. It runs Tuesday through Thursday, August 4 – 6, at the Tang Center.

This convention offers the Bro community a chance to share experiments, successes and failures to better understand and secure networks. The convention is composed of talks and training exercises from the Bro development team as well as fellow users and enthusiasts.

Bro is a powerful network analysis framework that is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Bro’s user community includes major universities, research labs, supercomputer centers as well as open-science communities.

Learn more at bro.org

Adobe Security Patches Released so Far in July 2015

Adobe has posted multiple security advisories and updates for its products this month:

  • Adobe Flash Player: A Security Advisory (APSA15-03) was posted earlier this month for a critical vulnerability in Adobe Flash Player on Windows, Macintosh and Linux. Adobe patched it quickly; the update details were posted in Security Bulletin APSB15-16. A week later, a further update was released via APSB15-18. To make sure you have the latest update, go to the About Flash Player page. If using Firefox, the Flash plugin may be blocked by default until it is updated. On Windows or Macintosh you should be running version 18.0.0.209; on Linux, version 11.2.202.491.
  • Adobe Acrobat and Reader: Adobe Acrobat X and XI and Reader X and XI have security updates (APSB15-15) for critical vulnerabilities. The latest version for Acrobat and Reader XI is 11.0.12; for Acrobat and Reader X it is 10.1.15.
  • Adobe Shockwave Player: A security update was released via Security Bulletin APSB15-17 for a vulnerability in Shockwave Player version 12.1.8.158 and earlier. The latest version is 12.1.9.159, available from the Shockwave Player Download Center.

In all cases, Adobe recommends users update their software to the latest versions. Read more about the Adobe Flash Player update in the news here.

Several big Internet players are calling for the retirement of Adobe Flash. Read that story in the news here.

Microsoft Security Updates for July 2015

On Patch Tuesday last week, Microsoft released 14 security bulletins (MS15-058, and MS15-065 through MS15-077) to address vulnerabilities in Microsoft products. Four of these are rated critical.

Systems affected include Microsoft Windows, Office, Internet Explorer and SQL Server. Read the story in the news (the article also covers the Adobe Flash issues mentioned above).

One of the critical bulletins, MS15-067, addresses a remote code execution vulnerability in Remote Desktop Protocol (RDP).

To exploit the vulnerability, an attacker sends a specially crafted sequence of packets to a system running the RDP server service; no user interaction is needed on the target. An attacker who successfully exploited this vulnerability could take complete control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights. RDP is not enabled by default on Windows, so only hosts on which the RDP server has been turned on are exposed.

RDP is heavily used throughout MIT, and IS&T therefore recommends that the patch be applied as soon as possible. If you have questions or need assistance, send email to the IS&T Help Desk or call 617.253.1101. You can also submit a request online.

Microsoft also released an out-of-band patch (MS15-078) this past Monday for all supported versions of Windows. It fixes a critical bug in the way the Windows font driver handles specially crafted OpenType fonts; a malicious font embedded in a document or delivered by a web page is enough to trigger it, which is why it was not held for the next Patch Tuesday.

Be sure to accept the updates as they occur, or go to the Windows Update site. You may need to restart your machine after installing patches.
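The PowerShell below is an added example for the two Microsoft items above, not a tool from IS&T or Microsoft. It reports whether the host is actually exposed to MS15-067 (the RDP server is enabled and the TermService listener is running) and whether the update packages for MS15-067 and MS15-078 are installed. The per-OS KB package numbers are not given on this page; they must be taken from the two bulletins for the Windows version in question and passed in by the caller, and the `KB…` values in the sample invocation are placeholders. The registry keys, the `TermService` service name and `Get-HotFix` are standard Windows.

```powershell
# Added example (not IS&T or Microsoft code): per-host check for the July 2015
# RDP (MS15-067) and font driver (MS15-078) updates plus RDP exposure.
function Test-JulyPatchState {
    [CmdletBinding()]
    param(
        # Bulletin name -> KB package IDs that satisfy it on this OS.
        # Assumed input: look the IDs up in the bulletins; they differ per Windows version.
        [Parameter(Mandatory = $true)]
        [hashtable] $RequiredUpdates
    )

    # Get-HotFix wraps Win32_QuickFixEngineering, which lists Windows Update /
    # MSU-installed packages by KB ID (e.g. "KB1234567").
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    # A bulletin counts as applied if any one of its listed packages is present.
    $missing = foreach ($bulletin in $RequiredUpdates.Keys) {
        $kbs = @($RequiredUpdates[$bulletin])
        if (-not ($kbs | Where-Object { $installed -contains $_ })) { $bulletin }
    }

    # RDP exposure: the policy flag must allow connections AND the listener service
    # must be running. fDenyTSConnections = 1 is the Windows default (RDP off).
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $svc   = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $rdpOn = ($ts.fDenyTSConnections -eq 0) -and ($svc -and $svc.Status -eq 'Running')

    # Network Level Authentication is reported for context only; it is not a
    # substitute for the MS15-067 update.
    $nla = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" `
               -Name UserAuthentication -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = [bool]$rdpOn
        NlaRequired    = ($nla.UserAuthentication -eq 1)
        MissingUpdates = @($missing)
        # RDP bug matters only where RDP is reachable; the font bug matters everywhere.
        NeedsAttention = ($rdpOn -and ($missing -contains 'MS15-067')) -or
                         ($missing -contains 'MS15-078')
    }
}

# Sample invocation. The KB values are placeholders (assumption): replace them
# with the package IDs the bulletins list for this host's Windows version.
Test-JulyPatchState -RequiredUpdates @{
    'MS15-067' = @('KBxxxxxxx')
    'MS15-078' = @('KByyyyyyy')
} | Format-List
```

Run it in an elevated PowerShell session on each host, or wrap it in `Invoke-Command -ComputerName` for a fleet. Two caveats: `Get-HotFix` does not list every update type (some MSI-installed components are invisible to it), so a "missing" result should be confirmed against Windows Update history before acting; and a host with `RdpEnabled = $false` can still become exposed the moment someone enables Remote Desktop, so the MS15-067 update belongs on every machine, not only those currently listening.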

Microsoft Ends Support for Windows Server 2003

Microsoft ended support of Windows Server 2003 on July 14, 2015. If you have machines still running Windows Server 2003, it is very important that you upgrade to Windows Server 2012 R2 and apply the latest patches from Microsoft to minimize security risks and comply with recent Massachusetts data regulations.

IS&T recommends that Windows users subscribe to the MIT Windows Automatic Update Service (MIT WAUS) to get the latest service packs and security patches. Visit the MIT WAUS article in the KB for detailed instructions on how to subscribe.

If you have questions or need assistance, send email to the IS&T Help Desk at helpdesk@mit.edu or call 617.253.1101. You can also submit a request online.

Learn more from Microsoft about migrating from Windows Server 2003.

Security SIG Talk: Slides are Available

Thank you to all who attended the Security SIG talk last week on Lessons Learned from the Top Healthcare Information Security Breaches. If you were not able to attend, or did attend but would like to review the information again, the slides are available here. (MIT certificate required.)

LastPass Network Breach

On June 15, 2015, LastPass sent out a notice to its customers regarding suspicious activity on its network. The details of the activity are posted here.

LastPass Enterprise is a password management system that will be rolled out to the MIT community this summer. It provides access to stored data and passwords from Windows, Mac OS X and mobile native clients, as well as from any web browser. It addresses the shared-password problem for teams, with features such as shared password folders and secure notes.

You can find information about LastPass Enterprise via the MIT LastPass FAQ. Note that LastPass Enterprise for MIT includes two-factor authentication using Duo, which provides an added layer of security for your account.

See the KB for answers to questions you may have about the LastPass security breach.