Welcome to The Dashlane Tech Check for May 26, 2017! I’ll help you catch up on Dashlane-related news and the big news in the tech industry. And just for fun, I’ll include a useful lifehack that will keep you safe and secure all year long.
What in the (security) world?
Here’s what made headlines this week in the world of digital identity, security, and privacy:
A critical flaw in Yahoo Mail exposed user data
Security researcher Chris Evans discovered two critical vulnerabilities in a popular image-processing library that Yahoo Mail used but had not updated, which resulted in the exposure of private user data. According to Ars Technica, Evans dubbed the vulnerabilities “Yahoobleed” because they caused Yahoo Mail to leak content stored in server memory. The flaws were found in ImageMagick, an image-processing library supported by dozens of programming languages.
According to Evans, one of the vulnerabilities, called “Yahoobleed1,” could be exploited by sending a malicious image file to a Yahoo email address. Once opened, “chunks of Yahoo [sic] server memory began leaking to the end user.” Although both flaws are now fixed, they could’ve been exploited to obtain browser cookies, image attachments, and authentication tokens. Notably, Evans also found this vulnerability affecting other tech companies, including Box, Yahoo!, DropBox, and Ubuntu.
Hackers are using subtitles to take over your devices
Yes, you read that correctly! Researchers at Check Point discovered that hackers can use movie subtitles to take complete control over any device that loads them. According to Check Point’s blog post, hackers create “malicious subtitle files, which are then downloaded by a victim’s media player” and can thereby take complete control over PCs, smart TVs, mobile devices, or any kind of device using vulnerable streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time, and strem.io.
WikiLeaks reveals CIA’s Athena malware used to spy on Windows computers
WikiLeaks has published the latest set of documents from the Vault 7 cache of CIA hacking tools, called Athena. These tools were designed to spy on communications on Windows operating systems, specifically “Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32-bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10,” according to ZDNet.
White House cybersecurity coordinator discusses administration’s priorities
During a talk sponsored by the Massachusetts Technology Leadership Council, special assistant to the president and cybersecurity coordinator Rob Joyce discussed the administration’s cybersecurity priorities. According to Threat Post, President Trump signed an executive order last week that prioritizes protection of federal networks and critical industries and implementation of the NIST Framework. “With this executive order we are going to step back and we are going to manage the federal government’s IT activity as a single enterprise. Even though we are talking millions-upon-millions of assets and thousands-upon-thousands of networks, we are going to step back and try to view it as a sum total of risks,” said Joyce.
Google announced security improvements with Android O
During the Google I/O event last week, the tech giant announced that it will include some security upgrades in its upcoming Android O operating system. “In Android O there are going to be some big changes that will affect app developers directly and also that end-users and device manufacturers will benefit from by proxy,” security researcher Andrew Blaich told Threat Post.
Scammers are peddling fake anti-WannaCry apps
Lord almighty… look at the number of WannaCry scanners for Android. Somebody’s getting adware on their phone, that’s for sure (via McAfee) pic.twitter.com/25Xl2WVRXO
— Catalin Cimpanu (@campuscodi) May 24, 2017
Scammers are preying on users looking for protection following the global WannaCry ransomware attack that affected more than 230,000 victims in over 150 countries. According to Motherboard, fake anti-WannaCry apps for Android began to appear in the Google Play store, even though the worm only targets devices with the Windows operating system. Motherboard notes that while many are just guides or pranks, McAfee has spotted malicious adware apps.
Twitter flaw allowed hackers to tweet from any account
A security researcher found a flaw in Twitter Ad Studio, a service that allows advertisers to upload media, that would have allowed an attacker to tweet from any user’s account without compromising it. “By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account,” Twitter said in a blog post about the bug. The vulnerability was patched in late February.
Target reaches $18.5 million settlement for 2013 data breach
Mega-retailer Target has reached a record-breaking $18.5 million settlement with 47 states and the District of Columbia following its 2013 data breach, which affected 70 million consumers. According to Infosecurity Magazine, the breach occurred after an HVAC contractor was compromised and its credentials were used to access Target’s systems, where about 40 million credit cards were stolen and the personal information of 70 million customers was compromised.
Dashlane News You Shouldn’t Snooze
Dashlane named Techlicious Editor’s Pick for best password manager
Dashlane was rated Techlicious’ Editor’s Pick for the best password manager. Dashlane took home the top prize for how well our password manager and digital wallet boosts productivity and saves users time.
This Week’s Lifehack to Improve Your Security
Planning your summer vacation? Before you take off, read our roundup of tips from travel experts on how to make sure you and your data stay safe before, during, and after your travels.
Have any thoughts on any of the news I shared? Leave me a comment below and make sure to visit our blog next week for another edition of The Dashlane Tech Check.