Security News

LastPass source code breach - do we still recommend password managers? DOUG. That's important to point out, because a lot of people, I think, who don't understand how password managers work - and I wasn't totally clear on this either as you write in the article, your local machine is doing the heavy lifting, and all the decoding is done *on your local machine*, so LastPass doesn't actually have access to any of the things you're trying to protect anyway.

He's so famous that even his ties - he always wears a tie, beautiful coloured ties - even his ties have a Twitter feed, Doug. There are lots of things you can do, provided that: you know where you should be; you know where you want to be; and you've got some way of differentiating the good behaviour from the bad behaviour.

If you want to understand a little more about it, your Naked Security article explains it incredibly well for people that are not normally acquainted with things like APIC controllers. Do you think, Chester, that they've targeted the Conti gang because they had a little bit of dishonour among thieves, as it were?

If we turn back the clock to five years ago, that's when Slack started leaking hashed passwords. If you're a Slack user, I would assume that if they didn't realise they were leaking hashed passwords for five years, maybe they didn't quite enumerate the list of people affected completely either.

DOUG. A critical Samba bug, yet another crypto theft, and Happy SysAdmin Day. Moving on to something not so great: a memory mismanagement bug in GnuTLS. DUCK. Yes, I thought this was worth writing up on Naked Security, because when people think of open-source cryptography, they tend to think of OpenSSL. Because that's the one that everybody's heard of, and it's the one that's probably had the most publicity in recent years over bugs, because of Heartbleed.

Leisurely bug fixes all that, and more, on the Naked Security Podcast. DOUG. We talked about an Office macro security feature that people were asking for for the better part of 20 years.

DOUG. Facebook scams, Log4Shell forever, and tips for a cybersafe summer. DOUG. OK, there you go you and I are in the full swings of summer, and we have some tips for the summertime coming up later in the show.

DOUG. A brief history of Office macros, a Log4Shell style bug, two OpenSSL crypto bugs, and more. DUCK. If you have a Windows network where you can use Group Policy, for example, then as an administrator you can turn this function on to say, "As a company, we just don't want macros off the internet. We're not going to even offer you a button that you can say, Why not? Why not let the macros run?".

Gaming giant SEGA Europe recently discovered that its sensitive data was being stored in an unsecured Amazon Web Services S3 bucket during a cloud-security audit, and it's sharing the story to inspire other organizations to double-check their own systems. The laundry list of SEGA's potentially exposed data is nauseating - API keys, internal messaging systems, cloud systems, user data and more.

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)