Flash Zero Day receives emergency patch
Poor old Flash is in the headlines again, and this time for a zero-day flaw which is being actively exploited. Reported by a researcher and the Google Zero Day project, no details of the vulnerability have been disclosed but the update was rolled out on Friday. If you’re still using Flash then we recommend you update immediately as it’s been said that Russians hackers are already actively exploiting the vulnerability.
Dridex botnet taken down
The botnet known as ‘Dridex’ has been taken down. Famous for using Macros in Word files to infect users with malware, Dridex is reportedly responsible for the theft of 20 million sterling from British bank accounts alone. Tricks used include keylogging and web injects in order to obtain banking credentials. One US school had $999,000 stolen and transactions of 3.5million were triggered from an oil and gas company. Unfortunately, this may not be the end of Dridex as it’s believed the part taken down may have been a subnet. Yet another reminder to educate your users!
WordPress Akismet stored XSS vulnerability patched
A stored XSS vulnerability has just been patched in popular WordPress plugin Akismet. With more than 3 million users, the anti-spam plugin is very popular, thus risking the security of those 3 million web applications. The vulnerability apparently affects the comment section and a setting which allows you to disable emoticon translation. This could be exploited to trigger a payload and possibly lead to a full site takeover. This is the second stored XSS vulnerability found in a WordPress plugin this month so it’s highly recommended to make sure all your plugins are fully updated.
Chrome patched and changes made to mixed content warnings
Google have made the latest patches to Chrome and declared that as of Chrome 46, HTTPS pages with minor errors will no longer display a yellow warning icon. In their blog post on the change, the Chrome team said they hoped this would encourage users to switch to HTTPS sooner rather than later. This is due to migration of sites with mixed content usually triggering this warning, which might deter visitors. The update also includes 24 security fixes, 8 of which came from external sources and were rewarded with bug bounties.
NSA rumoured to be able to break Diffie-Hellman
You might have read recently that the US government is no longer pursuing a means to decrypt user data. Well, a paper presented at the recent ACM Computer and Communications Security Conference may go some way to explain why. According to the paper, the NSA already have the capability to break the Diffie-Hellman key-exchange protocol, using pre-computation. This breakthrough is rumoured to be several years old but this paper is the first viable theory as to how this has been done.
Cyber security insurance gets more expensive
As we might have anticipated, particularly in light of the rising cost of data breaches the cost of cyber security insurance has increased. This was confirmed last week in a report by Reuters who claim that some insurers are even capping their payouts at $100 million, which considering Target’s hack cost them a reported $264 million is unlikely to give the big corporations much peace of mind. Insurers are also cracking down on security requirements, with some turning away companies who are deemed too ‘high risk’ or have insufficient security measures in place. According to the report, following Anthem’s breach they have only been able to secure insurance with a $100 million payout, $25 million of that being the excess the company must pay themselves.
New Cybercrime laws in the Netherlands
In an implementation of an EU directive, changes have been made to Dutch cybercrime laws. Penalties for crimes such as ‘illegal distortion of data’, hacking, spam and bombing and illegal interception of data now carry a heavier custodial sentence of 2 years. Further aggravating circumstances have also been added, which allow for crimes such as owning a botnet to result in a 3 year sentence and up to 5 years for a crime resulting in ‘serious damage’. Serious damage was defined in the EU directive as crimes affecting ‘vital infrastructure’ or those being of considerable consequence to the state. No further clarification has been given by the Dutch government.
Get the latest content on web security
in your inbox each week.