
LostPass Allows Easy Phishing to Defeat Password Manager

A security researcher has developed a phishing attack against the LastPass password manager app that is virtually impossible to detect and has the ability to mimic the LastPass login sequence perfectly. The technique takes advantage of several weaknesses in the way that LastPass handles user logout notifications and the resulting authentication sequence. Sean Cassidy, the […]

UK Government Voice Encryption Standard Built for Key Escrow, Surveillance

The U.K. government’s standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was […]

Serious Yahoo Mail XSS Bug Fixed

Yahoo has fixed a serious cross-site scripting vulnerability in its webmail product that could’ve allowed an attacker to take over a victim’s email account with one malicious email. The bug is a specific kind of cross-site scripting vulnerability known as stored XSS. In order to trigger it, an attacker would only need to send a […]

On the Wire Podcast: Mike Hanley

Mike Hanley is the program manager for research and development in Duo Security’s Labs division, and is a former senior member of the technical staff at the CERT/CC at Carnegie Mellon University. In today’s podcast, Dennis Fisher talks to Mike about the ways in which two-factor authentication is deployed right now, how 2FA use has changed, […]

Hyatt Data Breach Caused by Payment System Malware

A data breach at hundreds of Hyatt hotels that was revealed in December was caused by point-of-sale device malware that stole victims’ payment card information in transactions in hotel restaurants, spas, golf shops, and other locations. The malware was on PoS systems in more than 300 Hyatt hotels around the world, including dozens in the […]

Bug in Trend Micro Password Manager Allows Password Theft

A Google security researcher has discovered a serious, easily exploitable vulnerability in a password manager installed by default with some Trend Micro antivirus products. The bug allows an attacker not only to run arbitrary commands but also to download all of the passwords stored by the manager. The vulnerability was discovered by Tavis Ormandy, a […]

IRS Says Identity Theft Protection Services Deductible for Companies

In the face of continued data breaches and an ever-increasing pile of identity thefts, the IRS has released a new piece of guidance that says companies are able to deduct the cost of identity theft protection, even without it being connected to a specific breach. The new guidance, released Monday, comes as consumers are beset on […]

How an IRS Employee Allegedly Stole $1 Million from Taxpayers

Few, if any, companies or government agencies store more sensitive personal information than the IRS, and consumers have virtually no insight into how that data is used and secured. But, as the results of a recent Justice Department investigation show, when you start poking around in those dark corners, you sometimes find very ugly things. Beginning […]

FTC Hits LifeLock With $100M Penalty

The Federal Trade Commission many times will allow first-time offending companies to get off relatively easily when they run afoul of consumer-protection laws, often settling with non-financial penalties. But that generosity does not extend to companies that later violate those settlements. LifeLock executives found that out the hard way on Thursday when the FTC handed the company […]