Weekly Security Roundup #64: Keep Fighting Security Vulnerabilities!
No piece of software is flawless, but how we manage those flaws is key to online safety
The amount of good news and bad news from this past week was kind of even. On one hand, we had major announcements from tech giants on how they’re fighting the cybercriminals (long story short: they’re cutting the access to their favorite tools). On the other hand, there were plenty of data breaches.
The week debuted with an important Security Alert: my colleague Andra explained how thousands of small websites were compromised and used as a platform for malware distribution.
On Wednesday, I shared a painful story from my past, about the time I got hacked by a former employee and lost all my work. Take a glance over what I learned from that episode.
Last but not least, we published a mega-guide that will protect you against all scams carried on social networks – make sure you check it out before you head off into the weekend.
Here are the most important security articles of this week:
Security articles of the week
Google just put another nail in the coffin of Adobe Flash. In an announcement made on Google+, the company urges advertisers to drop Flash ads and move to HTML5.
– Starting June 30th, 2016, display ads built in Flash can no longer be uploaded into AdWords and DoubleClick Digital Marketing.
– Starting January 2nd, 2017, display ads in the Flash format can no longer run on the Google Display Network or through DoubleClick.
Because of its vulnerabilities, Flash is one of the tools preferred by cybercriminals to attack users worldwide.
Here’s a step forward against phishers and unencrypted connections: on Safer Internet Day, Google announced that we’ll see two changes regarding Gmail on the web:
1. If you receive a message from, or are about to send a message to, someone whose email service doesn’t support TLS encryption, you’ll see a broken lock icon in the message.
2. If you receive a message that can’t be authenticated, you’ll see a question mark in place of the sender’s profile photo, corporate logo, or avatar.
We have even more good news: one year from now, our browsers will be Java free. Yep, you heard that right: Oracle announced its plans to retire the highly insecure plugin.
Microsoft resolved 41 security vulnerabilities this month. Leave no patch or update behind!
In a recent statement, the U.S. IRS (Internal Revenue System) declared that they were once again hacked. This time, the cybercrooks had access to electronic tax-return credentials for 101,000 social security numbers.
“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers. An E-file pin is used in some instances to electronically file a tax return.”
The hacker, who goes by the username @DotGovs on Twitter, published the supposed data on an encrypted text-sharing website, including: names, job titles, phone numbers and email addresses.
The FBI and DHS were also hit with a major data breach. In the past week, information on 30,000 employees was leaked by a cybercriminal.
Tired of all the data breach news? We’re not done yet. Taobao, a major Chinese e-commerce website, part of the Alibaba group, was also a target of a massive data breach that affected 20 million consumers.
Good article from Greg Satell on the technology behind Hillary Clinton’s email scandal.
If you don’t pay attention to where you fill in your credentials, your Netflix account may end up for sale on the black market. Researchers at Symantec analysed how malware and phishing campaigns targeting Netflix users contribute to the rise of credentials sold on the black market.
By the way, your Uber log-in credentials are just as attractive.
We clicked around and had plenty of fun testing old-school malware. One was advocating for the legality of cannabis, while another displayed the Italian flag and the message “Italy is the best country in the world”.