By Waqas. Sucuri’s cybersecurity researchers have identified a highly sophisticated phishing campaign specifically targeting online-banking users. The attack, for now, has been directed against a Polish bank, in which attackers abuse fake Google reCAPTCHA pages as well as panic-eliciting tactics to lure victims into clicking on malicious links already embedded in […] This is a post from HackRead.com. Read the original post: Android banking malware distributed with fake Google reCAPTCHA
Alice and Bob, the beloved (or not-so-beloved, depending) placeholder characters often used in cryptography examples, have been spotted in the middle of a web of deceit and intrigue by eagle-eyed Redditors. Think lies. Broken hearts. Even…murder. Yep, you heard that right. It all starts with the Wikipedia page explaining what man-in-the-middle (MITM) attacks are, which uses a helpful Alice-and-Bob (and Mallory) example to make things a bit clearer:

[Image: the original Wikipedia MITM example. Source: Wikipedia]

However, someone (presumably of the coder or crypto persuasion) decided to edit that example to, shall we say, move the plot along a bit further:

[Image: the edited version as posted on Reddit. Source: Reddit]

Sadly for the story of Alice and Bob (RIP), the travesty is that we’re not sure if she ever found love. And it’s unclear if Mallory was ever pinged for the crime. That’s because after being noticed, posted and thoroughly appreciated on Reddit, the Wikipedia page was alas edited back to its same old utilitarian self. Fortunately, though, there’s a whole subreddit devoted to programmer humor, so proof does still exist that coders can be funny too. What’s your favorite code-humor example? Feel free to comment below.

Interested in learning about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar on Feb. 27 at 2 p.m. ET. Patrick Hevesi of Gartner, Mike Burr of Google Android and David Richardson from Lookout join Threatpost senior editor Tara Seals. They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment, best practices for addressing them, and new challenges on the horizon.
By David Balaban. We live in a world where anonymity and online privacy seem impossible. Your phone calls can be tapped, smartphone data can be stolen, and even the camera and microphone can be turned on remotely. You can be watched from a satellite, in real time. We all live in the matrix and its special services […] This is a post from HackRead.com. Read the original post: Taking Care of Your Personal Online Security (For Paranoids)
Every app installed on your smartphone with permission to access location services can continually collect your real-time location, even in the background when you are not using it. Installing the Facebook app on an Android or iOS smartphone gives the social media company consent to collect the history of your precise location. If you are not aware, there is a setting called “Location History” in the Facebook app that comes enabled by default, allowing the company to track your movements even when you are not using the app. So every time you turn on the location service/GPS setting on your smartphone, say to use the Uber app or Google Maps, Facebook starts tracking your location. Users can manually turn Facebook’s Location History option OFF in the app settings to stop Facebook from collecting their location in the background and storing a history of their precise locations. Unfortunately, disabling Location History also breaks some Facebook features that rely on location data, like checking into a nearby location, tagging locations in an uploaded photo, or using Nearby Friends, a feature that lets friends share their locations with each other. On iOS, Apple gives users more control at the device level: users who don’t want to completely stop an app from using location can choose whether the app may also access location data in the background. People using Facebook on Android, however, had an all-or-nothing option when it came to location sharing: either grant Facebook full access to their location data or prevent the social network from seeing their location at all, with no option to allow access only when the app is open.
How to Stop Facebook From Tracking You When Not in Use

Facebook has now changed this behavior by introducing a new privacy setting to its Android app, giving users more explicit, granular control over background collection of their location data. Here’s how you can prevent Facebook from tracking your location when the app is not in use:

1. Open the Facebook app on your Android smartphone.
2. Go to the menu in the top right corner (the ☰ icon).
3. Tap Settings & Privacy.
4. Choose Privacy Shortcuts.
5. Select Manage your location settings.
6. Toggle “Background Location” to OFF.

If you enable this setting, two things will happen—“you would share your location when you weren’t using the app, and you would allow Facebook to store a history of your precise locations.”

“We’re not making any changes to the choices you’ve previously made nor are we collecting any new information as a result of this update,” Facebook’s post reads. “For people who previously chose to turn their Location History setting ‘on,’ the new background location setting is ‘on.’ For people who had turned Location History ‘off’ – or never turned it on in the first place – the new background location setting is ‘off.’”

With this update, Facebook gives users a dedicated way to choose whether or not to share their location when they are not using the social media app.

iOS users need not worry about this new setting, as Apple already offers iPhone users an option to block an app from using their location in the background when the app is not open. If you are an iPhone user and have not already stopped Facebook—or any other app—from tracking your location in the background, follow these steps:

1. Go to Settings.
2. Select Privacy.
3. Choose “Location Services.”
4. To completely stop all apps from tracking you, turn Location Services off.
5. To limit location access per app instead, tap each app and choose “Never” or “While Using.” Make sure apps that don’t need your location, like most games, photo-sharing apps and editors, are set to “Never.”

Meanwhile, Facebook is also sending alerts to both Android and iOS users, asking them to review their location settings.
The bug bounty landscape continues to change along with the concept and rules around vulnerability disclosure. Meanwhile, companies such as GitHub, Microsoft and others continue to keep pace, launching or expanding bounty programs. Even the European Commission is getting in on the action: on January 14, it launched its own bug bounty program for free open source projects that EU institutions rely on. Adding to the challenge is a new breed of cybercriminals that target an evolving IoT device landscape. Threatpost editor Lindsey O’Donnell discusses the challenges and opportunities behind bug bounty programs, as well as the evolving landscape, with HackerOne CEO Marten Mickos.

Transcript below:

Threatpost: Hi everyone. This is Lindsey O’Donnell with Threatpost. And I’m here today with Marten Mickos, the CEO of HackerOne. Marten, thanks for joining us today.

Marten Mickos: Thanks for inviting me.

TP: How are you?

Mickos: Pretty good. I love it here in Boston.

TP: Yeah, we’re getting a little bit of cold weather. But it could be worse. So why don’t you introduce yourself and HackerOne, for those who might not know about the company.

Mickos: I’m Marten Mickos, CEO of HackerOne. HackerOne is the company that organizes bug bounty programs and what’s called vulnerability disclosure programs. So in essence, we are the world’s largest provider of hacker-powered security, meaning security services provided by freelance security researchers and experts that we just call hackers, because we believe in the power of hackers, and we think hackers are good.

TP: So I feel like bug bounty programs have really been gaining traction over the past few years, especially with the concept of vulnerability disclosure really evolving. What have you been seeing, from your perspective, throughout 2018? And what are some of the big trends that we should be keeping an eye on in 2019?

Mickos: Bug bounty programs started in the tech sector and primarily in the San Francisco Bay Area. Now it’s spreading all over the world, and we see very strong interest from the government side. So the government is eager to run bug bounty programs, to recommend them to everybody, even to mandate them to some. Like in the “Hack the DHS” act that passed in December 2018, they mandated DHS to run a bug bounty program. So we’re seeing how society now accepts that the best way to find what’s wrong with your system is to ask the world around you.

TP: What about the demographics that you’re seeing with some of the bounty hunters? Is there any popular type of age range? What are you seeing there?

Mickos: We have over 300,000 hackers signed up on the platform. So we have every type of person in that community. But if you look at the large groups, we have noted that nearly half of them are 25 or younger. So it’s a very young generation; the youngest are 14 years old. It takes them a year or two to get the hang of it and start producing good vulnerability reports. So there’s a lot of that. When you look at what they do for a living or what their day job is, if they’re young, they are students in school or college. Many of them have a security job at daytime and this is an evening or a weekend hobby. And then we have some full-time bug hunters who do nothing but hunt bugs.

TP: And then looking at a company that may want to start up a bug bounty program, what are your suggestions for kind of the first steps there? I mean, what’s the very first step that such a company could take?

Mickos: When a company wants to run a bug bounty program, the first thing they need to make sure is that they have the capacity to fix the bugs once we find them, because we always find them. So if you’re coming to us, we say, how will you make sure your engineering group will prioritize and fix the bugs once we start finding them? And with that in shape, we can launch a program very quickly. What you do is you pick the attack surface, the scope that you start with. Then we recommend that companies start with a small scope and a limited program, and maybe even just by inviting a few known hackers to start with to get it going. Later, we can expand scope, we can expand the bounty table, we can invite more people and open up the program to everybody. But we usually recommend that they start small, start with baby steps and get going.

TP: I’m curious, because IoT is something that’s near and dear to my heart, at least – what are you seeing with Internet of Things and the kind of interest around setting up programs with IoT devices? Do you think that’s something that’s really gaining traction? And would you say that IoT is different in the bug bounty landscape than some of the other products and systems?

Mickos: Very good question. IoT certainly is different when it comes to bug bounty programs. And we see them come and go, and we have a good number of them on HackerOne, but it hasn’t taken fully off yet. And one reason is that if you run a bug bounty program for an IoT product, you need to get the product in the hands of the hackers, and we have shipped out a lot of different devices to hackers all over the world. So we know how to do it, but it hasn’t really taken on yet. That’s one thing. The other thing for an IoT vendor is that once they find a vulnerability and fix it, they have to roll out the fix as well. So they need to have a product that can be activated from afar or updated from afar, and that’s another hurdle for them to overcome before they can be fully successful with the bug bounty program.

TP: Should be interesting to see where that goes in the coming years.

Mickos: Absolutely, and of course this is an area where the government is very active, because IoT devices typically are used by consumers. So it’s a question of protection of the integrity of consumers and the privacy of consumers, so it becomes a legal responsibility at some point.

TP: That’s really interesting. So, something that came up in the news recently was the EU announcing that they would fund programs for finding bugs in, was it 14 open source projects? Just an array of open source projects. Can you talk a little bit about that and kind of the hope there?

Mickos: We have done a number of programs for the European Commission for a while already. And this is a new initiative they call EU-FOSSA, where they’ve selected open source projects that may not have the funding themselves to run a bug bounty program, and the EU is funding the program on behalf of them. So it’s a very good way of going to the heart of the problem, which is open source libraries and products that are used all over the place, but there isn’t necessarily an organization or funding to fix the security vulnerabilities. But now there is.

TP: Right. What kind of challenges are you seeing right now in the bug bounty landscape? I know a couple of people in the infosec space have mentioned concerns about companies relying solely on bug bounty programs. Do you see that as a challenge? Do you see any other challenges that the landscape needs to overcome at this point?

Mickos: The only challenge is the hunt for the bug and the difficulty in finding them, and we always find them. Everything else is manageable and can be handled. There are always detractors who will say that this or that is not working. It’s not true. We are seeing it very clearly in the statistics of our programs: the rate at which it is growing, the rate at which people are fixing the bugs. We are making huge progress all the time, hackers are making good money on this, products are getting more secure, architectures are getting fixed. This is the only way we can fix our digital society. And we will stumble a little bit on the way there. But those are small, small problems in the grand scheme of things, because we are fixing the world.

TP: What are you most excited for in 2019 about the bug bounty landscape – any specific programs to look out for, anything else?

Mickos: I always get so excited by the hackers themselves, like the fact that we can have somebody as young as 14 on the platform, filing a report, fixing software that a much older software developer developed. And it gives me this conviction and belief and evidence that the future generation, they know how to fix what’s broken, and they will make sure we have a good future. I think it’s endless optimism and sort of positive vibes in that.

TP: Speaking of that, I’m sure you saw the news of the Apple FaceTime bug that was discovered earlier this week, or I guess it was discovered weeks ago, essentially by a teenager. So I mean, it’s just another example of someone who is of the next generation who is really coming out and finding these bugs.

Mickos: But there’s sort of a bigger question: We must trust the young, we must give the young responsibility, we must give them recognition when they do something useful, and then they will do more useful stuff.

TP: Great point. Alright, well, thank you so much, Marten.

Mickos: Thank you.
The data-breach onslaught continued this week with casualties sprinkled across the globe. Victims included retailers, banks and one state-owned gas company. The theme this week was the Indian subcontinent, with consumers in Pakistan and India feeling the main brunt of the proceedings. A point-of-sale malware incident right here in the U.S. leads off this week’s round-up.

U.S. Restaurant-Goers Bitten by PoS Malware

A company that provides point-of-sale (PoS) systems and services for restaurant locations said that malware was able to scrape payment-card data from diners for about three weeks in January. North Country Business Products (NCBP) said that consumers who used credit and debit cards at its business-partner restaurants between January 3 and January 24 are potentially affected. It didn’t venture to put a number on how many consumers could be affected, but it’s worth noting that NCBP’s reach is long, with partner restaurants running the gamut from Collins’ Irish Pub in Flagstaff, Ariz. to Vinyl Taco in Grand Forks, N.D. The full list of affected locations is available in its website notice. As is typical with PoS malware, the specific information potentially accessed includes the cardholder’s name, card number, expiration date and CVV – everything an enterprising cybercriminal needs to clone a card, or many cards. The company didn’t offer details as to how the malware made its way onto its systems.

Joker’s Stash Underground Credit-Card Dumps

Meanwhile, three sizable dumps of credit-card information showed up on the Joker’s Stash dark web forum. Group-IB told ZDNet that two contain the collective card details of 69,189 Pakistani bank customers, mostly from Meezan Bank Ltd. – and, crucially, include the PINs for the cards. “Pakistani banks’ cards are rarely sold on underground cardshops. This, and the fact that all the cards came on sale with PIN codes explains the high price, which was kept at 50 USD per card, while usually the price per card on Dark Web forums ranges from 10 to 40 USD,” Group-IB said. That values the two caches at $3.5 million. Also this week, a Joker’s Stash ad appeared for the “DaVinci Breach,” a dump containing the card details for over 2.15 million U.S. bank customers from 40 states – for now, it’s unclear where the data came from.

Another Day, Another Misconfigured DB

Also this week, security researcher Bob Diachenko found yet another example of a misconfigured database left open to the internet where anyone could see it. This one was a MongoDB instance with no password that contained 4.1GB of highly sensitive information on roughly half a million (458,388) individuals in India, collected by the Government of National Capital Territory of Delhi. The content, which seemed related to a company named Transerve, included “a pretty detailed portrait of a person,” Diachenko said, including names, voter card numbers, health conditions, education levels, addresses including house numbers and floor levels, and miscellany like “‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informant name.’” After Diachenko contacted CERT India, the database was secured and taken offline.

Elsewhere in India…

Meanwhile, India’s state-owned gas company Indane, which has about 90 million customers, was found to have improperly secured the website it uses to interact with its dealers and distributors, exposing millions of Aadhaar numbers. Aadhaar numbers are similar to Social Security numbers in the U.S. – they’re a government identity mechanism. Somehow, part of Indane’s site was indexed by Google, allowing access to the dealer database – even though the site is supposed to be password-protected. After being tipped off on Twitter, researcher Baptiste Robert wrote a Python script to crawl the database, and he estimates the total number of those affected surpasses 6.7 million. “By running this script, it gives us 11,062 valid dealer IDs,” he wrote in a blog post. “After more than one day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak. Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.” Neither Indane nor Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), has responded to the news.
Threatpost editors Lindsey O’Donnell and Tom Spring discuss the biggest news of the week ended Feb. 22, including a report about flaws in password managers, and a 19-year-old flaw found in WinRAR. The Threatpost team also discussed an upcoming webinar on Feb. 27 at 2 p.m. ET. Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout will join Threatpost senior editor Tara Seals to discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon. [ ](http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/8745746/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe) Transcript below: Lindsey O’Donnell: Welcome to the Threatpost news wrap for the week ended February 22, and you’ve got the Threatpost team here: myself, Lindsey O’Donnell, and editor-in-chief Tom spring. Tom, how’s it going? Tom Spring: Pretty good, Lindsey, I just heard a little ding. LO: Yes, the emails for RSA keep coming – can’t really get rid of that. TS: Is that another RSA email in your inbox? LO: Well, with RSA coming in two weeks, we’re really ramping up discussion with vendors and getting a lot of pitches for that. TS: For sure. I’m actually really psyched about RSA and there’s some really awesome sessions and I’m really looking forward to meeting some of the contacts and some of my peers and it’s going to be a really fun show. But I agree the noise factor coming out of the RSA conference in March is just enormous. I have to put my computer on mute because I just get too many pings for requests to me, new research, everything. If the noise factor is any indication of what’s going to be going on at RSA, it should be pretty good, right? LO: Yeah, I’m excited. 
I mean, it’s only a couple of days, but so much happens in those days, security wise, and there’s just such an opportunity to meet with researchers and really learn about new reports and what to look out for. So there’s definitely a lot to look forward to there. But looking to the present, despite starting off with having President’s Day on Monday, we really had a pretty insane week, news-wise – Tom, what are you seeing from your end of the spectrum? TS: Well, it’s kind of like you can’t cover it all and you sort of have to pick and choose. We had some some really good strong stories this week. I was a little overwhelmed by the cavalcade of news that came pouring in over the past couple days, from keyloggers, Drupal core, critical remote-execution bugs – to new research on Microsoft Edge that shows it lets Facebook run Flash code behind users’ backs to reverse location search warrants. I mean, we really ran the gamut in terms of the news, which was just a waterfall of information that we sorted through. But you did a pretty good job. I mean, you covered a couple stories in between making RSA conference appointments with that 19-year-old bug that WinRAR plugged. I love WinRAR, WinRAR is my go to media player and I was really alarmed that there was a bug that lasted so long. Tell me a little bit more about the bug. LO: Yeah, I feel like the main point and the main takeaway there was that it was 19 years old. I was thinking back to what existed 19 years ago and you know I was basically a kid at that point. So for background, WinRAR, which as you mentioned is this popular Windows data compression tool, had and patched a serious code-execution flaw. The platform itself is amazingly popular. I think they said it had 500 million users. 
So the issue stemmed from a third-party dynamic link library within WinRAR, and because that dynamic link library hadn’t been updated since , that allowed the researchers with Check Point who discovered this flaw to essentially extract malicious files in the tool. So what could happen is a hacker could use spear-phishing or some sort of similar tactic to send an unknowing victim a disguised malicious file, and when the victim opens that file in WinRAR, that file would automatically extract in their startup folder and then malware could quickly be planted on their system. So that was patched, and I mean it’s a fairly easy to carry out a path-traversal flaw. And not only was it patched, but then when I reached out to WinRAR, they said that in terms of that third-party library I was talking about, because it hadn’t been updated for so long, and they didn’t have access to its source code even, they decided to drop that format support in order just to completely protect its user database. TS: Yeah, the code-reuse in these repositories is notorious for creating these kind of vulnerabilities where a component is used by a developer and it hasn’t been updated, and the developer doesn’t do due diligence, and all of a sudden the component becomes an exploit or a vulnerability is found in the component, and the component is never updated. And then the repository file never gets updated and the code goes out the door. Veracode does a lot of really interesting work, they have a lot of interesting studies on code-reuse and it’s pretty alarming how many software programs really have these types of problems where they’re relying on third-party libraries to basically do basic functions in their software where you have these glitches. But there’s not much of a pass you can give WinRAR for a 19 year old bug like that, I mean that’s a different story. 
LO: Right and especially given the fact that the specific library hadn’t been updated since 2005 or 2006 or whatever it was, but it is kind of hard to, as you said, keep track of those types of things as well. And another point is that when I was looking on social media for some of the reaction to this and talking to different researchers, looking at a different side of the story is that as far as we can tell there hasn’t been any sort of exploit of this vulnerability. So while it has existed for 19 years, it hasn’t been found by the bad guys for 19 years – so at least there’s that. TS: Well I’ve gotta say, I’ve always wondered whether or not these exploits have actually really been discovered. I mean if you’re a criminal and you find an exploit or you find a vulnerability and it’s working for you, you’re not going to jump up and down and say, ‘hey look what I found.’ You’re going to quietly exploit it until your moneymaker, so to speak, dries up. So good for WinRAR, I gotta tell you it warms my heart to hear that they’re fixing their software and next time I launch the media player and it asks me to update I definitely will. LO: Yes, but I feel like that wasn’t the only big news we had. In fact, you wrote a very big story about a research report that was written about different password managers and a flaw found in those managers, and that really kind of piqued the interest of the security world. Can you talk a little bit about that and what their reaction to that story has been so far this week? TS: Well, you know, I think it was a big story for us. I don’t know how much it resonated throughout the internet or throughout the infosec community. I think it was a memory management issue with these password managers: 1password, DashLane, KeePass and Lastpass. These four password managers represent a huge, huge user base. 
These researchers, independent security evaluators took a close look at them and they found that when the actual password managers were in use, that the way that it’s saved, the master password or individual credentials, was in an insecure memory within Windows 10 PCs. Now, this doesn’t impact any of the mobile applications. But it does impact the Windows PC ecosystem in a sense that the master keys could be plucked from memory in clear text. Now, there are lots of caveats to that; the application needs to be in use. And also it would have to be from a local attacker, meaning the person would have to have access to your PC to exploit and to grab the passwords from memory. The other option would be if a remote attacker was able to have access to your system, which obviously presents a whole new host of problems that you have to contend with –nevermind them being able to pluck a password out of insecure memory. But the story gets a little more interesting in a sense that these password manager companies said, ‘yeah, you know, we understand what the issue is here and there are trade offs and it’s an acceptable risk.’ Now I’m oversimplifying what they stated, but I really feel like they pushed back on the research and they said that the storage of the password in the memory was something that they were aware of and that they did not see it as a huge risk given the prerequisite for being able to [exploit this]. And they more or less can each came out with these statements saying, “the research is interesting, we understand the problem and here’s why you shouldn’t worry about the problem too much.” And I think one of them actually did update their their tool to make sure that they had some process memory protection built in. I think it was LastPass. 
And then the researchers came back and said, “hey listen, you know you guys are not the only password managers on the block, and other password managers do protect the memory and it’s not an impossibility and you know … it’s not an acceptable risk.” But importantly, they also said that these password managers are awesome. And you should keep on using them. They have their flaws. And if the trade-off is you don’t use a password manager, then shame on you. Because these do serve a purpose. And they’re better than nothing, essentially. And, you know, given the incredible amount of password reuse and the incredible amount of breaches and I think it does make sense to keep on using a password manager to make sure that you use the best password-management practices possible. LO: Yeah, I mean, I think that this story is almost reminiscent if you remember that two-factor authentication report that we wrote about earlier this year. It’s almost reminiscent of that because there’s a lot of opinions about password managers and whether they’re kind of worth this specific security risk or whether it’s worth even discussing the risks if it causes people to stop using such an effective security tool. But you know for for ISE, the research firm that had written the report, at least they had, it was almost like a disclaimer that said that it’s better to have password managers than to not have password managers. So at least, you know, they took note of that. And at the same time were advocating for the password-manager firms in question to tighten up their application memory management. It’s definitely kind of a tricky balancing act there because you do want to promote the security tools but then you also, when there is a security issue with the security tool, that that raises a whole different question. But what did what did the researcher say? Did you talk to the researcher in in response to what the password managers had said? Did he have anything else to add to that? 
TS: Yeah, Adrian Bednarek, he was the lead researcher on this, he reached out to me, we connected via Twitter private message, and he was very vocal, and again I think I said it before, he said, “hey listen, you can use data sanitization in the context of memory and make sure that clear text passwords are not available for hackers.” And again he stressed the fact that these are great password managers, they are better than nothing and that you should still keep on using them, but he did stress the point that you can effectively fix this problem and the companies that said that it was an acceptable risk or it was a known vulnerability that they were not going to address is not acceptable. So he’s sort of, you know, responded to the criticisms that these guys said, doubling down on his assertion in this initial research saying, you could be doing better. LO: Well, I’d be curious to see if 1password and DashLane and KeePass change their view at some point, their viewpoint of memory-management issues, looking at if this is an acceptable risk or if they, like LastPass, also decide to do some sort of patch. So it should be something to keep an eye on. TS: Yeah, for sure. For sure. LO: You know, those were kind of the big stories that we saw this week. I know looking forward to next week, we actually have (for those listeners of this podcast who don’t know) a big webinar coming up on Wednesday. And I’m actually going to attach a link to this podcast article where you can learn more and register. But it should be a really great discussion about enterprise mobile security and the top mobile threats that we’ll face in the future. We’re talking with a panel of experts from Google, Gartner, Lookout — with our own editor, Tara Seals. So we’re excited about that. We’ve been preparing for that. 
And there’s actually been a whole lot of mobile-related news over the past month, so I think it should be perfect timing to kind of discuss some of the bigger themes and implications of these risks and threats.

TS: Yeah, no, it should be a pretty interesting webinar and I’m interested to see what comes out of it, especially with such great speakers.

LO: Well, I think I better get back to my RSA emails and getting back to the daily work.

TS: It’s been an interesting week and we’ll rest up and do it all over again on Monday.

LO: Sounds good, everyone tune in for the Threatpost news wrap next Friday, and thanks for listening today. For direct download click here.
Do you use a password manager? Or do you think they pose too much of a risk, holding all the keys to the kingdom? Weigh in with our poll, below. A little background: There have been vulnerabilities found before in this kind of software, which is meant to take the headache out of remembering multiple unique passwords by remembering them for you. Malware has also been found targeting it. The latest is word that a local adversary can crack open and steal passwords stored by the 1Password, Dashlane, KeePass and LastPass utilities. Adrian Bednarek with Independent Security Evaluators (ISE) wrote in his research report that each of them “fails in implementing proper secrets sanitization for various reasons.” The firms have fiercely hit back on the assessment that this poses a serious risk, and indeed, even for ISE, this was far from a deal breaker. But at the same time, the researchers also advocated that password-manager firms tighten up their application memory management. How do you feel about password managers? Take our short poll and let us know. Also feel free to comment on this post with any meatier thoughts you may have.