Security Alerts & News
by Tymoteusz A. Góral

#1225 If you get caught using a VPN in the UAE, you'll face fines of up to $545,000
The President of the United Arab Emirates has issued a series of new federal laws relating to IT crimes, including a regulation that forbids anyone in the UAE from making use of virtual private networks to secure their web traffic from prying eyes.

The new law states that anyone who uses a VPN or proxy server can be imprisoned and fined between $136,000-$545,000 if they are found to use VPNs fraudulently.

Previously, the law was limited to prosecuting people who used VPNs as part of an internet crime. According to UK-based VPN and privacy advocate Private Internet Access, the law has now changed to allow police in the UAE to go after anyone who uses a VPN to access blocked services, since this is considered fraudulent use of an IP address.
#1224 Protecting Android with more Linux kernel defenses
Android relies heavily on the Linux kernel for enforcement of its security model. To better protect the kernel, we’ve enabled a number of mechanisms within Android. At a high level these protections are grouped into two categories—memory protections and attack surface reduction.
#1223 Parental control software for Windows put to the test
The Internet offers many suitable playgrounds for children, but surely many more unsuitable ones. How can children's activities on the Web be controlled without parents constantly standing next to them? One solution is parental control software. The experts at AV-TEST have examined whether the software packages work reliably and have certified two products.
#1222 Telegram app vuln recorded anything macOS users pasted—even in secret
A bug in the Telegram Messenger app logged anything its users pasted into their chats to the syslog on macOS, even if they had opted for the end-to-end encrypted "secret" mode.

The vulnerability was spotted earlier this month by Russian infosec operative Kirill Firsov, who directly and publicly challenged Telegram's flamboyant founder and chief Pavel Durov about the app's latest security flaw.
#1221 LastPass: design flaw in communication between privileged and unprivileged components
I'm looking at LastPass 4.1.20a on Windows, and can see some problems with the design. It looks like the addon works by injecting elements and event handlers into the page.

<input> boxes are modified with some CSS, and a click event handler is added that instructs the addon to create a privileged iframe. A page can click the LastPass icon programmatically with JavaScript by creating a MouseEvent() with the right x:y coordinates. Normally a page would not be permitted to navigate to a resource:// URL, but this just asks the add-on to do it.
#1220 LastPass unpatched zero-day vulnerability gives hackers access to your account
A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

LastPass is a password vault which pulls user passwords from a secure area and auto-fills credentials for you. The system uses AES-256 encryption with PBKDF2-SHA-256 and salted hashes to protect the data stored within, but according to Google Project Zero hacker Tavis Ormandy, the software contains a "bunch of critical problems" which could put user accounts at risk.

On Tuesday, the white hat researcher revealed on Twitter that he was exploring LastPass security, claiming that it only took a "quick look" to find "obvious" security problems.