LastPass Fixes Ormandy RCE Bug; Two Outstanding Vulnerabilities Remain

Please take this situation into account if you are a LastPass user and patch your systems accordingly.  Also, take additional precautions given the browser specific vulnerabilities that exist.

Local Windows Admins Can Hijack Sessions Without Credentials

Take a moment to read this article, watch the demonstrations, and then contemplate the implications.  For a long time, protecting local administrative access meant protecting the confidentiality of the data stored on the server or PC tethered to those local admin credentials.  This exploit / vulnerability / Windows feature (select your viewpoint here) changes the game and injects another leg of the security triad stool – integrity.  Data stored or associated with a specific user session can be accessed as that user without compromising that user’s credentials and without leaving any significant forensic fingerprints.

This article alludes to the fact that Microsoft is well aware of this “feature” and most likely has no intentions of changing it.  As such, we as IT security professionals and general IT practitioners must take necessary steps to mitigate the possibility of exploitation.

What the CIA WikiLeaks dump tells us: Encryption works

This article provides an interesting discussion concerning the value of encryption as one layer of defense for sensitive data, but please do not lose sight of the absolute fact that encryption is not a panacea.  No defensive mechanism is perfect.

Defenses should be deployed in layers and plans should always be in place to mitigate the effects of eventual data compromise and loss.  You can limit the effect of the problem, but you cannot eliminate the risk.