In the headlines: LastPass vulnerability, Hillary Leaks, remote code execution vuln on Pornhub, and more

LastPass password manager vulnerability gives hackers your passwords

LastPass is one of the most popular password managers around and can also be added to your browser, allowing you to store and auto fill all your passwords, using just one master password to access them. So worryingly, a recently discovered zero day allows attackers to remotely gain access and steal all user passwords. Well known Google hacker Tavis Ormandy was the one who discovered the latest flaw, while previously another researcher also discovered a simple url-spoofing method to trick LastPass into giving up your secrets. The safest option for users would be to use a password manager which isn’t linked to their browser to avoid their passwords being compromised.

Europol team up with IT companies to fight ransomware

Just days after the EU announced its first cybersecurity directive, Europol (the European police) have revealed a new project in collaboration with IT giants including Intel, aimed at tackling ransomware. The use of ransomware is rising rapidly,with the first quarter of 2016 allegedly claiming three times the victims as the previous quarter. “For a few years now ransomware has become a dominant concern for EU law enforcement,” said Europol’s deputy director Wil van Gemert. They’ve named their initiative ‘No More Ransom’ and aim to help fight the ransomware while educating the public about keeping their devices free of malware.

Wikileaks start releasing emails, dubs their campaign ‘Hillary Leaks’

Rumours have been doing the rounds for some weeks now, that Wikileaks intend to release information which might even lead to the arrest of Hillary Clinton. On the 22nd of July Wikileaks officially announced via Twitter that they’d be doing a ‘series’ of releases about Hillary Clinton and released an initial set of 19,000 emails from the Democratic party. The emails come from some of the most senior members of the party. These have yet to spark any major controversy and it remains to be seen what other ‘dirt’ the group have on the Democratic candidate. Since they have said these emails are part of a series which has even been named ‘Hillary Leaks’ there’s no doubt we can expect more releases to follow.

EU recommends end-to-end encryption while UK continues to push for backdoors

EU Data Protection Supervisor Giovanni Buttarelli has caused a stir this week with the release of a preliminary report surrounding the encryption backdoor controversy. Following the FBI/Apple debacle earlier this year, there were calls in the US, as there have been in the UK for tech companies to create encryption ‘backdoors’ to allow agencies to access communications of suspected criminals. Tech companies including Apple have spoken against such a move and Mr Buttarelli has now categorically stated that he is also against any such provision and supports end-to-end encryption security. He calls for an extension and clarification of the EU ePrivacy Directive and also for stronger enforcement. This is in stark contrast to the UK’s Investigatory Powers Bill, also dubbed the ‘surveillance bill’ which includes requiring tech companies to decrypt communications on request, using precisely the type of encryption backdoor Mr Buttarelli is advising against.

Obama instructs FBI to lead cyber incident response

Well timed considering the DNC email leak, Obama has just outlined a new cyber incident response policy. The main consequence of the policy is that the FBI will be squarely responsible for dealing with all cyber incidents, even if they come from an international source. The agency will be responsible for coordinating the response to the attack and launching an investigation, as they have with the DNC email leak. This latest approach is apparently aimed at dealing with ‘significant’ incidents which pose a threat to national security, foreign relations or the economy, though there is no mention of how the NSA would be involved in such investigations. This policy is a supplement to the national Cyber Security Action Plan and also covers the classification of incident severity. The details can be found in the Fact Sheet released alongside the policy.

France speaks out about Windows data collection

France’s Data Protection Commission have released a report calling for changes to Windows 10’s ‘excessive’ data collection and have given Microsoft 3 months to make changes. Particular mention was made of Windows’ recording of apps downloaded by users and how long users spend time using each app. They also highlighted a security concern in that there is no limit on the amount of times a user PIN can be incorrectly entered, potentially allowing someone to use brute force to guess the PIN and gain access to an account. The report gives a 3 month deadline to Microsoft to make amendments before the country issues a sanction and Microsoft have indicated their willingness to work with the French government to address their concerns.

Whitehats find remote code execution vuln on Pornhub and weaknesses in PHP

A pair of hackers have netted themselves over $20,000 by locating a PHP weakness used by Pornhub, which could potentially allow remote code execution attacks. They studied the site as part of the Hackerone bug bounty programme and decided to look for PHP weaknesses in the architecture, which they found in the use of ‘unserialize’. Multiple areas of the site were affected and could be used to reflect Set-Cookie headers. They then tested various methods to trigger unwanted and malicious code paths. The unserialize function is a known weakness from PHP 5.6, from which the hackers located two newly categorized vulnerabilities, CVE-2016-5771 and CVE-2016-5773. Details of exactly how the vulnerabilities were discovered are provided in an article written by the hackers.

Share this post
  • Wow, bad news about Lastpass. We have already changed our company password manager to Passwork.me. It looks more secure and easy to use

  • Leave a Reply

    Your email address will not be published.