Followups
- We looked at WebAuthn, a new protocol for password-less authentication on the web, in a Security Medium back in April. At that stage Microsoft had committed to adding support for the protocol to their Edge browser in the future, and they’ve followed through, adding support to the Insider (think beta) version of Windows 10. If testing goes well it could be added to this Autumn’s Windows 10 update (Firefox & Chrome already have support, but Safari doesn’t, and I’ve not found any statement from Apple about plans to support the protocol) — nakedsecurity.sophos.com/…
- 🇺🇸 In response to the Strava data ‘leak’ (sorta) from a few months ago, the Pentagon has put limits on where GPS-using apps can be used — tidbits.com/…
- 🇺🇸 ‘Attack’ on FCC over net neutrality was legitimate traffic, report says — nakedsecurity.sophos.com/…
Security Medium — The Reddit Breach
Reddit notified users that they’ve discovered a security breach that took place in June this year:
A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.
In theory a salted, hashed password should be safe, but that’s only true if the password itself was strong and the hashing algorithm was strong. The best-practice hashing algorithms from a decade ago were nowhere near as strong as today’s best-practice algorithms, so I would advise assuming the affected passwords have been, or will soon be, cracked.
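To make the work-factor point concrete, here is an added Python example (not from this post or from Reddit; the disclosure does not name the 2007 algorithm, so a single salted SHA-1 stands in for the old scheme and PBKDF2-HMAC-SHA256 with an assumed 200,000 iterations stands in for a modern one). It hashes a password both ways and measures how many candidate passwords one CPU core can test per second against each, which is the number that decides how long a leaked backup of hashes keeps its passwords safe.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration: Reddit's disclosure does not name its 2007
# algorithm, so a single salted SHA-1 stands in for the old scheme and
# PBKDF2-HMAC-SHA256 with 200,000 iterations stands in for a modern one.
MODERN_ITERATIONS = 200_000

def legacy_hash(password: str, salt: bytes) -> bytes:
    """2007-style salted hash: one SHA-1 pass over salt||password (no work factor)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

def modern_hash(password: str, salt: bytes, iterations: int = MODERN_ITERATIONS) -> bytes:
    """Modern-style salted hash: PBKDF2-HMAC-SHA256 with a tunable iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so verification itself leaks nothing via timing."""
    return hmac.compare_digest(stored, candidate)

def guesses_per_second(hash_fn, salt: bytes, budget_s: float = 0.25) -> float:
    """Measure how many candidate passwords one CPU core can hash per second
    with hash_fn. Defenders use this to choose a work factor: the lower this
    number, the longer a leaked backup of hashes keeps its passwords safe."""
    start = time.perf_counter()
    deadline = start + budget_s
    count = 0
    while count == 0 or time.perf_counter() < deadline:
        hash_fn(f"constructed-guess-{count}", salt)  # constructed candidate
        count += 1
    return count / (time.perf_counter() - start)

def main() -> None:
    salt = os.urandom(16)  # per-user random salt; same idea in both schemes
    stored = modern_hash("correct horse battery staple", salt)
    assert verify(stored, modern_hash("correct horse battery staple", salt))
    assert not verify(stored, modern_hash("Correct horse battery staple", salt))
    old_rate = guesses_per_second(legacy_hash, salt)
    new_rate = guesses_per_second(modern_hash, salt)
    print(f"salted SHA-1:                 {old_rate:>12,.0f} guesses/s")
    print(f"PBKDF2-SHA256 x{MODERN_ITERATIONS}:      {new_rate:>12,.1f} guesses/s")
    print(f"modern scheme costs ~{old_rate / new_rate:,.0f}x more per guess")

if __name__ == "__main__":
    main()
```

The measured rates vary by machine, but the ratio between them is the point: a cracker working through a wordlist against a single old-style hash gets several orders of magnitude more guesses per second than against a modern one.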
So, based on that, my advice would be to:
- Reset your Reddit password.
- Enable Reddit’s token-based 2FA (instructions).
- If you used that same password anywhere else, change it there too.
- If you’re not already using a password manager, give it serious consideration! (I recommend 1Password for families)
What’s probably the most interesting thing about this hack is how the attackers got in — they used SMS spoofing to get around the two-factor authentication protecting some back-end systems that power the service. We’ve known for some time now that SMS is insecure, and that SMS-based 2FA really is the least effective form of commonly used 2FA. This really underlines the point. My advice to people is only to use SMS for 2FA when the only other choice is no 2FA at all. It may be the least effective form of 2FA, but any 2FA is better than none!
Links
- Reddit’s excellent disclosure (clear, concise, and free from spin) — www.reddit.com/…
- Reddit Breach Highlights Limits of SMS-Based Authentication — krebsonsecurity.com/…
- Reddit’s serious “security incident” – what you need to know — nakedsecurity.sophos.com/…
Notable News
- Un-patched Mikrotik routers being used in a massive cryptojacking campaign — nakedsecurity.sophos.com/…
- Details have been released of an already-patched bug in Apple’s Mobile Device Management (MDM) platform that allowed Macs to be hijacked while they were being enrolled in an organisation’s system. There’s no need to panic about this one because the bug was hard to exploit, only affected users who registered their devices with an MDM system, and has already been patched — www.macobserver.com/…
- 🇺🇸 The WSJ has reported that Facebook is in negotiations with US banks to integrate with Facebook Messenger, and hence to have data flowing between users and their banks through Facebook. This set off a lot of people’s privacy spidey-senses, so Facebook responded by saying they didn’t want users’ banking data, just to offer cool features like the ability to see your bank balances in Facebook and to chat with bots run by your bank on the platform — www.macobserver.com/…
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ (Editorial by Bart: this is how I have my phone set up, it means you can disable FaceID/TouchID by 5-tapping the lock button or pressing and holding the lock and volume buttons but with your phone autodialling 112/999/911 and without your phone making a great big racket) How to stop accidentally calling 911 and emergency contacts on iPhone — www.imore.com/…
- Porn Blackmail Scam Rattles Mac Users: What You Need to Know — www.intego.com/…
- How to reset your Mac before selling it — www.imore.com/…
- Cryptojacking for beginners – what you need to know — nakedsecurity.sophos.com/…
- What Are 32-Bit and 64-Bit Apps, and Why Do They Matter? — www.intego.com/…
- Notable Breaches & Privacy Violations
- 🇺🇸 Two flaws in Comcast Xfinity’s systems allowed attackers to translate IP addresses into exact physical addresses, and into the last 4 digits of the account holder’s SSN. The flaws have now been fixed and there’s no evidence anyone exploited the flaws before they were reported and fixed (Editorial by Bart: reading the details of the flaws is pretty depressing; clearly, telcos are staggeringly ignorant about even the most basic security principles) — nakedsecurity.sophos.com/…
- 🇺🇸 Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months — krebsonsecurity.com/…
- News
- 🇺🇸 High-schoolers’ data put up for sale after being scraped from surveys — nakedsecurity.sophos.com/…
- Google to warn companies targeted in government-backed attacks — nakedsecurity.sophos.com/…
- Facebook shuts off user data access for hundreds of thousands of apps — nakedsecurity.sophos.com/…
- 🇺🇸 Facebook bans midterm-meddling accounts and pages — nakedsecurity.sophos.com/…
- How Facebook Used a Psychological Trick on Teenagers — www.macobserver.com/…
- Mozilla faces resistance over DNS privacy test — nakedsecurity.sophos.com/…
- Snapchat source code leaked on GitHub – but no one knows why — nakedsecurity.sophos.com/…
- The popular macOS package manager Homebrew has had to reset its GitHub API key after accidentally leaking it — nakedsecurity.sophos.com/…
- Apple responds to US lawmaker concerns about location tracking, ‘Hey Siri,’ more — 9to5mac.com/…
- Opinion & Analysis
- Sorry folks, the scooter craze could be a data-privacy nightmare — www.fastcompany.com/…
- How safe is your DNA data? — nakedsecurity.sophos.com/…
- The Year Targeted Phishing Went Mainstream — krebsonsecurity.com/…
- Everything bad about Facebook is bad for the same reason — qz.com/…
- The 🐄💩 Web — pxlnv.com/…
- (from Allison) Last Week on My Mac: Is XProtect dead, or about to be replaced? – The Eclectic Light Company — eclecticlight.co/…
- Propeller Beanie Territory