There are quite a few improvements included:
- It's resistant to offline brute-force attacks.
- It uses forward secrecy so that old traffic can't be decrypted even if you learn the password later.
- There's 'Wi-Fi Easy Connect' to connect IoT devices that don't have a screen.
- It uses 'Opportunistic Wireless Encryption' (OWE) to secure connections on public Wi-Fi.
STARTTLS is an addition to SMTP, used by e-mail servers to transmit e-mails over an encrypted connection. The STARTTLS Everywhere software configures e-mail servers to use STARTTLS and provisions certificates using Let's Encrypt.
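As an added illustration of the exchange described above (this is not code from the page or from the STARTTLS Everywhere project), the Python below shows the client side of STARTTLS: the server's EHLO reply is parsed for the STARTTLS keyword, and a live check upgrades the connection with certificate verification. The sample EHLO replies and the host name `mail.example.test` are constructed. The second sample models the failure mode STARTTLS has on its own: someone on the path can remove the STARTTLS line, and a client that silently falls back then sends the mail in plaintext, which is why `negotiate()` can be told to refuse instead.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# Same server as seen through an attacker who stripped the STARTTLS line.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo_extensions(reply: str) -> set:
    """Return the set of SMTP extension keywords advertised in an EHLO reply.

    Reply lines look like '250-KEYWORD args' (more lines follow) or
    '250 KEYWORD' (last line); the first line is the greeting and is skipped.
    """
    extensions = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line[:3].isdigit():
            continue
        rest = line[4:].split()
        if rest:
            extensions.add(rest[0].upper())
    return extensions


def starttls_offered(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def negotiate(reply: str, require_tls: bool) -> str:
    """Decide what a client should do after reading the EHLO reply.

    'upgrade'   - STARTTLS is offered, switch to TLS before sending anything
    'refuse'    - not offered and policy demands TLS, so do not deliver
    'plaintext' - not offered and policy allows falling back (the weak spot
                  a STARTTLS-stripping attacker relies on)
    """
    if starttls_offered(reply):
        return "upgrade"
    return "refuse" if require_tls else "plaintext"


def check_server(host: str, port: int = 25, timeout: int = 10):
    """Live check against a real server: EHLO, then upgrade with a verifying
    TLS context. Returns (upgraded, detail); detail is the TLS version or the
    reason the upgrade did not happen."""
    ctx = ssl.create_default_context()  # verifies the certificate and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, "server does not advertise STARTTLS"
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        return True, smtp.sock.version()


if __name__ == "__main__":
    print(parse_ehlo_extensions(EHLO_WITH_STARTTLS))
    print(negotiate(EHLO_WITH_STARTTLS, require_tls=True))
    print(negotiate(EHLO_STRIPPED, require_tls=True))
```

Run `check_server("mail.example.test")` against a host you operate to see whether it advertises STARTTLS and which TLS version the upgrade lands on; `negotiate()` with `require_tls=True` is the policy a sending server needs for STARTTLS to be more than opportunistic.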
It was stored on an unsecured Elasticsearch instance that a researcher found using Shodan, which means it was just as easy for any malicious actor to find. It includes detailed data on about 230 million consumers and 110 million businesses.
The attacker got access to 230,000 e-mail addresses with hashed passwords, although they don't specify which hashing algorithm was used.
FastBooking, a vendor of hotel management software, had a data breach in which personal and payment data were exposed. It's unclear exactly how much, but they serve over 4,000 hotels in 100 countries, so we might see a flurry of data breach notifications from the individual hotels.
It's not super bad, because one needs Author privileges to exploit it. But once they do, they can change or hijack the entire website, locking everyone else out. WordPress itself has no fix yet, but the people at RIPS released their own hotfix.
You can opt out if you really want. Good move though. They also introduced the ability to check the passwords of AD users against a list of known passwords, and to lock out bad actors who try to brute-force accounts. More info on that here.
They created webshops with heavily discounted prices to lure customers, but paid for the inventory with stolen credit cards and sold the card details of their buyers on the black market. Quite a setup.
It uses Troy Hunt's HaveIBeenPwned service under the hood, with the added advantage of (hopefully) reaching a much wider audience. They're testing it out with 250,000 users next week, and will roll it out further if successful.
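Both of the items above, the check of AD user passwords against a list of known passwords and a service built on HaveIBeenPwned, boil down to asking "is this secret in a breach corpus" without handing the secret to whoever runs the corpus. HIBP's Pwned Passwords API does this with a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix sharing that prefix, and finishes the comparison locally. The Python below is an added example of that mechanism; it is not Firefox Monitor's, Microsoft's or HIBP's own code. The range response used offline is constructed from the sample passwords (the filler suffix is made up); the `Add-Padding` request header is a real option of the HIBP API that makes responses the same size regardless of how many suffixes match.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_body: str) -> int:
    """Finish the lookup locally: return the breach count for `password`
    given the 'SUFFIX:COUNT' lines of a range response, or 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # blank or padding-only line
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def build_constructed_range(known: dict) -> str:
    """Constructed stand-in for an API response, for offline use only.
    `known` maps password -> breach count. A real response only contains
    suffixes sharing one prefix; that does not matter for the lookup logic."""
    lines = [f"{sha1_prefix_suffix(pw)[1]}:{count}" for pw, count in known.items()]
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:3")  # made-up filler suffix
    return "\r\n".join(lines)


def fetch_range(prefix: str, timeout: int = 10) -> str:
    """Live query: only the 5-character prefix is transmitted."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> bool:
    """Live check combining the two halves; never sends the password or its hash."""
    prefix, _ = sha1_prefix_suffix(password)
    return count_in_range(password, fetch_range(prefix)) > 0


if __name__ == "__main__":
    # Offline demonstration with a constructed response.
    body = build_constructed_range({"correct horse battery staple": 42})
    print(count_in_range("correct horse battery staple", body))  # 42
    print(count_in_range("a different secret", body))            # 0
```

The same shape works for a corporate banned-password list: hash the candidate, consult the list by prefix, compare suffixes on the machine that holds the password. The service learns at most that one of a few hundred hashes was of interest.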
Interesting bit of research showing that you shouldn't use just any OpenVPN config file you come across, since it can contain arbitrary commands that get run when you connect.
I.e., YubiKeys and similar U2F devices. Good news!
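The OpenVPN item above comes down to a handful of configuration directives that name a program to run (or a native plugin to load), gated by `script-security`. As an added example, not code from the page or from the research it links to, the Python below lints a profile for exactly those directives before anyone feeds it to the client. It skips inline `<ca>`/`<cert>`/`<key>` blocks, where a line starting with a directive name is just certificate data. The sample profile is constructed; `/tmp/helper.sh` and `vpn.example.test` are placeholders.

```python
import re

# OpenVPN directives that execute an external program or load native code
# when the profile is used. Flag every one of them for manual review.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "plugin",
}

# Constructed sample profile (not from any real provider).
SAMPLE_OVPN = """\
# harmless-looking header comment
client
dev tun
remote vpn.example.test 1194
script-security 2
up /tmp/helper.sh
tls-verify /tmp/verify.sh
<ca>
-----BEGIN CERTIFICATE-----
up this-line-is-certificate-data-not-a-directive
-----END CERTIFICATE-----
</ca>
"""


def scan_ovpn(text: str) -> list:
    """Return one finding per directive that can run code on the client."""
    findings = []
    inline_block = None  # name of the <tag> block we are currently inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_block:
            if line == f"</{inline_block}>":
                inline_block = None
            continue  # inline certificate/key data is never a directive
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            inline_block = opening.group(1)
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split(None, 1)
        directive = parts[0].lower()
        argument = parts[1] if len(parts) > 1 else ""
        if directive == "script-security":
            level = argument.split()[0] if argument else "?"
            if level not in ("0", "1"):  # 0/1 forbid script execution
                findings.append({
                    "line": lineno, "directive": directive, "argument": argument,
                    "why": "enables execution of scripts named elsewhere in the profile",
                })
        elif directive in EXEC_DIRECTIVES:
            findings.append({
                "line": lineno, "directive": directive, "argument": argument,
                "why": "runs an external program or loads native code on connect",
            })
    return findings


def is_script_free(text: str) -> bool:
    """True when the profile contains nothing that can execute code."""
    return not scan_ovpn(text)


if __name__ == "__main__":
    for finding in scan_ovpn(SAMPLE_OVPN):
        print(f"line {finding['line']}: {finding['directive']} {finding['argument']}"
              f"  <- {finding['why']}")
```

A profile that needs `up`/`down` scripts for legitimate reasons (DNS updates are the usual case) should still fail this check, so that a human looks at what the named script does before the profile is imported.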