There are quite a few improvements included:
- It's resistant to offline brute-force attacks.
- It uses forward secrecy so that old traffic can't be decrypted even if you learn the password later.
- There's 'Wi-Fi Easy Connect' to onboard IoT devices that don't have a screen.
- It uses 'Opportunistic Wireless Encryption' (OWE) to encrypt connections on open public Wi-Fi networks.
The attacker apparently introduced malware aimed at deleting files. The GitHub repo is only a mirror of the 'real' source code, but if you used any code from the GitHub version you had better rebuild.
STARTTLS is an addition to SMTP, used by e-mail servers to transmit e-mails over an encrypted connection. The STARTTLS Everywhere software configures e-mail servers to use STARTTLS and provisions certificates using Let's Encrypt.
It was stored on an unsecured Elasticsearch instance, found by a researcher using Shodan, meaning it was just as easy to find for any malicious actor. It includes detailed data on about 230 million consumers and 110 million businesses.
The attacker got access to 230.000 e-mails with hashed passwords, although they don't specify which hashing algorithm was used.
FastBooking, a vendor of hotel management software, had a data breach in which personal and payment data were exposed. It's unclear how much exactly, but they manage over 4.000 hotels in 100 countries, so we might see a flurry of data breach notifications from the individual hotels.
It's not super bad, because one needs Author privileges to exploit it. But once they do, they can change or hijack the entire website, locking everyone else out. WordPress itself has no fix yet, but the people from RIPS released their own hotfix.
You can opt out if you really want. Good move though. They also introduced the ability to check the passwords of AD users against a list of known passwords, and to lock out bad actors who are trying to brute-force accounts. More info on that here.
They created webshops with heavily discounted prices to lure customers, but paid for the inventory with stolen credit cards and sold the card details of their buyers on the black market. Quite a setup.
It uses Troy Hunt's HaveIBeenPwned service under the hood, with the added advantage of (hopefully) reaching a much wider audience. They're testing it out with 250.000 users next week, and will roll it out further if successful.
Interesting bit of research showing that you shouldn't just use any OpenVPN config file you come across, since a config file can instruct the client to run arbitrary commands.
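As an added illustration (not code from the research linked above), the check a practitioner would want before importing a third-party profile: scan the .ovpn file for the real OpenVPN directives that execute external programs or load plugins, and for the `script-security` level that permits them. The sample config and its server name are constructed placeholders.

```python
import re

# Real OpenVPN directives that run an external script, plus "plugin" which loads
# a shared object. "script-security" >= 2 is what permits the scripts to run.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "auth-user-pass-verify",
    "learn-address", "tls-verify", "plugin",
}

def audit_ovpn(text):
    """Return [(line_no, directive, arguments)] for every risky directive."""
    findings = []
    in_block = None  # name of the inline <tag> ... </tag> block we are inside
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue  # certificate/key payload, not directives
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if directive in SCRIPT_DIRECTIVES:
            findings.append((line_no, directive, args))
        elif directive == "script-security":
            level = args.split()[0] if args else "0"
            if level.isdigit() and int(level) >= 2:
                findings.append((line_no, directive, args))
    return findings

def is_safe(text):
    """True when the profile contains no script-executing directives."""
    return not audit_ovpn(text)

# Constructed sample: an ordinary client profile plus two lines a hostile
# file might add (placeholder command, placeholder server name).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.test 1194
script-security 2
up "/bin/sh -c 'touch /tmp/ovpn-demo'"
<ca>
down this-line-is-certificate-payload-and-must-be-ignored
</ca>
"""

if __name__ == "__main__":
    for line_no, directive, args in audit_ovpn(SAMPLE_OVPN):
        print(f"line {line_no}: {directive} {args}")
```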
I.e. Yubikey and similar U2F devices. Good news!
A detailed technical article which explains how attackers can target vulnerable web applications running on developers' workstations to bypass corporate firewalls. This might sound far-fetched, but it is very typical for developers to run vulnerable (still under development) web applications on their computers.
Fleetsmith just released a new feature that allows you to remotely lock and wipe your employees' devices if they get lost or stolen. They also let you manage your first 10 devices for free, it integrates fully with G Suite, and it is used by yours truly every day.