In the headlines: Windows 10, Drupal, GitHub and more

Windows 10 due to support SSH

As you should now have heard, or as you might notice from the new little Windows icon on your taskbar, Windows 10 is due to be released at the end of July. The most interesting bit of news from a security point of view is that Microsoft are introducing support for the SSH protocol, which is great news for the Linux and open source fans out there. Users will now be able to remotely control, automate and interoperate between Windows and Linux. There is no fixed release date, but you can read the official announcement here.

Critical Drupal patch released

If you’re a Drupal user, make sure you’ve updated your website. In an urgent update released on Friday, Drupal announced a critical vulnerability in the Drupal core along with two other ‘less critical’ vulnerabilities. The critical vulnerability apparently makes it possible for attackers to hijack user accounts. The less critical vulnerabilities are redirect vulnerabilities, allowing malicious users to redirect visitors to other sites. Drupal is the third biggest content management system, powering around 2% of all websites, which is why patching these vulnerabilities as soon as possible is crucial.

Sony Pictures’ breach woes continue

The future isn’t getting any brighter for Sony Pictures this week, with the release of another 276,000 documents by WikiLeaks. Among details of travel plans and expenses there is one set of documents which should stimulate media interest: attorney records. Mention was made of a bribery case, and there could well be other skeletons in the closet which might make an appearance soon.

Bypass of Chrome’s XSS security found and fixed

Although already fixed, the news that Chrome’s own XSS security mechanism could potentially have been bypassed was of interest last week. It is proof that even the highest level of developers can make mistakes. Fortunately, this was fixed before it could be exploited.

Weak crypto keys revoked by GitHub

GitHub has revoked a number of weak crypto keys recently discovered by a London-based developer. The weak keys allow authorized access to public repository accounts of users such as UK government developers and those from Yandex and Spotify. These keys are the remnants of the randomness bug, introduced accidentally in 2006. Users with affected keys have apparently been contacted by email.

Free VPN service selling users into a giant botnet

While the notion that owners of VPN services might not be the most moral amongst us is nothing new, it’s still disappointing to find out that one such provider has been caught selling user bandwidth. Hola is a popular VPN service amongst Americans living abroad who use it to access services such as Netflix, among countless others. It now emerges that the service is supporting itself by selling user bandwidth to a third party, effectively creating a voluntary botnet which, it’s claimed, has already been used to take down sites. Users of other VPN services should also be wary, as recent findings reported by Brian Krebs show that a majority of proxy servers force users to download pages without encryption, meaning the proxy owners could easily monitor HTTP traffic and steal information such as login credentials.

4 million US Federal Agency personnel records breached

While the breach of 100,000 IRS records may have raised eyebrows earlier this month, it was quickly followed by the government-acknowledged breach of 4 million US Federal Agency personnel records, from the Office of Personnel Management. Data breached reportedly includes personal details, credit card information, banking records, security clearance information and three decades of background check details. The Obama administration has already declared that this attack originated from China and an investigation by the FBI and other agencies is underway.

Stolen certificate was used to hack Kaspersky Labs

Security is taking another blow lately, with security certificates proving increasingly unreliable. It has emerged that the recent hack of Kaspersky Labs was carried out using malware with a stolen certificate, allowing it to bypass browser and OS security by appearing to be a legitimate piece of software. The attack, dubbed Duqu 2.0, is believed to be the work of the same team who produced Stuxnet and of course Duqu 1.0.

Repentant malware author releases antidote

To end on a lighter note, the author of a piece of ransomware which locks various types of documents has seen the error of his ways. On Saturday, the keys to unlock affected documents were released online and the author initiated a mechanism to automatically decrypt the files of infected users.