Firefox 36 Fixes Critical Flaws

Mozilla has released Firefox 36, which includes fixes for 17 security issues. Three of the flaws are considered critical. The newest version of the browser also supports the HTTP/2 protocol. Read what’s new in this version of Firefox here.

The big emphasis in Firefox 36 is in the area of Web security. Starting with Firefox 36, Mozilla is now phasing out a number of 1,024-bit root certificates that are used for Web encryption. The move is part of a planned migration toward more secure encryption certificates that use 2,048-bit or higher encryption keys.

Also as part of Firefox 36, the browser is no longer accepting insecure RC4 encryption ciphers. RC4 at one point was a widely deployed encryption technology, but it has been shown to be theoretically exploitable.

Read the news story here.

Risks to Information When Traveling

This recent NY Times article outlines the ways your data can fall into the hands of snoops and thieves if you’re not careful when traveling. The tips the article lists include some great security best practices.

1. Take only what you need. If you can, take a loaner laptop or one that contains only what you need for the trip and nothing more. Alternatively, if you must take sensitive data, carry it on a memory stick.

2. Use encryption. Encryption can be added to MIT laptops, mobile devices and memory sticks. To learn more about how to use and enable encryption, see: http://ist.mit.edu/encryption

3. Install a virtual private network (VPN). The VPN that MIT provides gives users an encrypted network connection, even when accessing the Internet via public or open wifi (such as at a hotel or cafe). This prevents anyone on the same public wifi from accessing your communications. Install the VPN client from the IS&T website: http://ist.mit.edu/vpn

4. Protect using a password. If you must take a phone, laptop or tablet with you on your trip, make sure it has a code or password on it. Some smartphones now have fingerprint sensors for locking/unlocking. Choose a strong password for your laptops (learn how). Create strong passwords for the mobile apps or websites you use for accessing sensitive information, and don’t leave passwords written down and stored near the devices you use them for.

5. Use layered protection. This means, for example, having extra copies of files safely stored elsewhere (not on your computer’s hard drive), or having your files backed up within the cloud. MIT offers CrashPlan, the new backup service that replaces TSM. Mobile devices can also use CrashPlan via CrashPlan apps.

Note: while having files in Dropbox can be convenient for sharing files with other colleagues, if you have installed Dropbox on your computer, the files are accessible to a thief who has stolen your computer. We recommend removing the Dropbox folder from the computer prior to traveling and accessing your Dropbox files via the Dropbox website. On mobile devices, the folder can be password protected within the Dropbox app. See these security tips for Dropbox users.

Find more tips for MIT Travelers in this KB article.

Ten Ideas for Improving Cyber Security

Forbes asked ten cyber experts for their best ideas for thwarting digital security threats. The ideas include changing the way we think about security and being proactive about protecting sensitive data; encouraging transparency from cloud services about data handling; making better use of encryption; developing systems that present smaller attack surfaces; developing a new secure network for critical infrastructure; and establishing privacy and data security regulation and enforcement for companies. Most acknowledged that there are no easy and quick fixes.

Read the story in the news.

TrueCrypt Retired?

The TrueCrypt open source encryption project has ceased operations after issuing a warning on the site that the software is no longer secure. The site includes instructions for users to migrate to BitLocker and for decrypting files that were encrypted by TrueCrypt on the various platforms (Mac, Windows and Linux).

The TrueCrypt website mentions that development stopped in May 2014 after Microsoft stopped supporting Windows XP. The reasons given as well as those not given are baffling some security experts. Some are positing that the company received a National Security Letter and is doing what Lavabit did to avoid disclosing customer data. Others have suggested that it might be a hoax or an attack, or that the TrueCrypt developers found an overwhelming vulnerability. Another believes that the product will be available in the future, but under a different name and ownership. Earlier this year, TrueCrypt came under audit and the project is currently in its second phase of formal cryptanalysis. TrueCrypt is also the encryption tool endorsed by Edward Snowden.

There are alternatives to using TrueCrypt. IS&T at MIT offers PGP Full Disk Encryption for Windows and supports FileVault on the Mac: see full information on these products in the KB.

These articles offer additional alternatives:

Read the story in the news here and here.

Securing the Human’s Video of the Month: Encryption

To raise awareness, each month SANS offers free access to its Securing the Human training videos. This month’s video is on encryption, one of the key methods of securing data, yet many people do not understand what it is or how it works. It takes less than 2 minutes to watch the video.

If you have extra time, watch a full range of the Securing the Human videos within the MIT Learning Center. 

Data Security for Online Classrooms

Online learning and classrooms are now a way of life. Many teachers are using online learning tools for their classes. But in this Internet age, we know that with these new technologies come additional risks, especially to our privacy.

In a NY Times article, Mr. Porterfield, a parent of elementary school students, who happens to also be an engineer at Cisco Systems, talks about how he did a bit of his own research when he heard that his kids’ teachers were using an online learning network. He found that the site did not encrypt user sessions using a standard encryption protocol called Secure Sockets Layer (or SSL for short).

SSL protects many sites, such as those for online banking and e-commerce. When logged in over an open (unencrypted) Wi-Fi network, SSL protects your personal information from snoopers.

Even if the information being shared on a site is not necessarily secret information, according to Mr. Porterfield, “There’s a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child. As a parent, that’s the scariest thing.”

Learn more about protecting a child’s privacy. Take the Securing the Human course “Beyond Basics” that discusses the dangers children face when online. To access the course in the SAP Learning Center, you need an MIT certificate, and the browser pop-up blocker must be turned off.

Beefing Up Public-Key Encryption

Public-key encryption is used by most financial transactions on the Internet. This cryptographic technique uses two keys that are mathematically related. One, the public key, is published on the Internet and any sender can use it to encrypt a message. The second, the private key, is known only to the recipient, and is required for decryption.

Financial institutions are seeking security against sophisticated attacks, called chosen-ciphertext attacks (CCA), that are able to successfully decrypt these public-key encrypted messages. The challenge is coming up with a scheme to protect public-key encryption from these attacks.

A pair of MIT postdocs presented a way to do so at MIT’s Computer Science and Artificial Intelligence Lab. They showed a way to take a vulnerable public-key encryption scheme and turn it into a secure scheme.

Read the story online at the MIT News Office.