June 15, CNN.com – Irony alert: Password-storing company is hacked. On Monday, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people's master passwords. Source
June 15, Threatpost – (International) Popular WordPress SEO plugin fixes XSS bug. Security researchers discovered a cross-site scripting (XSS) vulnerability in the Yoast WordPress SEO plugin in which an attacker could leverage “snippet preview” functionality to force a vulnerable site to execute arbitrary hypertext markup language (HTML) code. Source
June 15, Securityweek – (International) Wikimedia rolling out HTTPS to encrypt all Wikipedia traffic. The Wikimedia Foundation announced that all Wikipedia and organization Web site traffic will employ Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS) to protect data security and guard against attempts to break HTTPS and intercept traffic. Source
June 12, Softpedia – (International) Pop-under malvertising spreads CryptoWall via Magnitude exploit kit. Security researchers at Malwarebytes discovered a new malvertising campaign leveraging pop-under advertisements over the Popcash ad network to distribute the Magnitude exploit kit (EK), which delivers exploits for Microsoft Internet Explorer and Adobe Flash Player vulnerabilities to inject the Necurs dropper and CryptoWall ransomware on affected systems. Source
June 12, New York Times – (National) White House weighs sanctions after second breach of a computer system. FBI officials revealed June 12 that hackers breached a second data computer system at the U.S. Office of Personnel Management containing additional information regarding friends, family members, and associates of Federal employees, and that the President is considering financial sanctions against the attackers who gained access to the files of millions of Federal workers. The impact of the second breach remains unknown. Source