
Security Bits – Google Plus Data Breach, SSH Vulnerability, WhatsApp and D-Link Vulnerabilities, Apple Privacy Portal

Followup

Security Medium 1 — Google Plus Data Breach & Death

The Wall St. Journal reported that back in March of this year, Google became aware of a bug in the Google Plus APIs that exposed user data that should not have been exposed, patched it, and then pro-actively chose not to disclose the breach. Here are the key passages from the report:

A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident

Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.

Google’s logic for not disclosing is simple: they only keep API logs for a short time and the bug had been there for years, so they could never determine who had and had not been affected; and Facebook was getting all the bad press at the time, so it was best to say nothing rather than draw attention away from Facebook and onto Google.

The problem was with Google’s People API and it meant that apps could use the API to read profile data of the current user’s friends that they had marked as private (or rather, not marked as public). The information available included things like name, email, occupation, gender and age, but not post contents or passwords or anything like that. This is nowhere near as catastrophic as it could have been, but it is still very useful information for cyber criminals looking to target users with phishing attacks, and, to companies trying to build profiles for sale to advertisers and political campaigns (think Cambridge Analytica).

Note that this breach was discovered before the GDPR came into effect (it applies from 25 May 2018). Had this been discovered in a post-GDPR world, Google could have been in deep trouble. One of the clever aspects of GDPR is its broad definition of a personal data breach. One option would have been to only consider something a breach if you know it has been exploited by a third party, but that would not work at all well when you think about it. It would set up a perverse incentive for companies to know less about the systems they’re responsible for (short log retention being the obvious move), and it would mean spending pointless time debating whether or not a given vulnerability or other exposure really is a data breach. GDPR went another way: if personal data is exposed to potential inappropriate access, that’s a data breach. In this case, the API allowed access to data that should have been kept private, so regardless of what Google’s logs do or do not show, the mere exposure of the private data is enough for the vulnerability to count as a data breach.

Links

Security Medium 2 — SSH Vulnerability

This is a great example of the kind of security news that initially sounds horrifically scary and serious but, on closer inspection, thankfully proves a lot less catastrophic.

It is true that an authentication bypass (CVE-2018-10933) has been found in an open source SSH library, libssh to be precise. The bug is in libssh’s server-side code: if a client sends the SSH2_MSG_USERAUTH_SUCCESS message that only the server is supposed to send, an affected server treats the client as already authenticated. So this vulnerability really does allow an attacker to log in to an affected SSH server without knowing the user’s password (or holding their key)! libssh 0.6 and later are affected; the fix shipped in 0.7.6 and 0.8.4.

libssh sounds like it should be the canonical SSH library that you would expect to find in just about every Linux/Unix OS, but thankfully that’s not the case. The most popular SSH server by far is OpenSSH. Among SSH libraries, another very popular one is libssh2; despite its name it shares no code with libssh and is not vulnerable. There’s also Dropbear, a lean SSH server and client that’s popular on low-powered devices like home routers, and that too is not affected.

Thankfully, most (probably nearly all) Linux & BSD distributions, and macOS, use OpenSSH and/or libssh2, and so are not vulnerable to this very nasty bug. Windows doesn’t run an SSH server by default (the optional SSH that newer Windows 10 builds ship is a port of OpenSSH), and the most popular third-party SSH client for Windows, PuTTY, is not affected, so most Windows computers should be safe too. Most home routers use Dropbear, so they’re not affected either.

If in doubt, update your Computers/VMs, routers, and SSH apps, but don’t be surprised to find no updates waiting for you.

The biggest danger from this bug is IoT devices. It’s often hard to tell which SSH implementation, if any, is running on such a device, so the best thing you can do is make sure the IoT devices you’re concerned about are not directly accessible from the internet. It might be worth using a tool like GRC’s ShieldsUP! to scan your public IP and make sure nothing you don’t need is directly accessible from the internet. For most home users that means there should be nothing listening for connections from the public internet on your home router’s public IP.
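If you can reach a device’s SSH port from inside your own network, the server’s version banner is usually enough to tell which implementation it runs, and for libssh whether it predates the fix. The script below is an added example for these show notes, not code from the show or from the libssh project: it parses the banner, classifies the implementation, and applies the affected/fixed version thresholds from the libssh advisory (0.6 and later affected, fixed in 0.7.6 and 0.8.4). The sample banners are constructed, and the host name in the usage line is a placeholder; a device whose vendor has customised or removed the banner will show up as unknown rather than safe.

```python
"""Classify an SSH server by its version banner and flag libssh builds in the
CVE-2018-10933 range.  Added example, not from the page or from libssh.
Sample banners below are constructed; the host in __main__ is a placeholder."""
import re
import socket
import sys

# Per RFC 4253 the banner is "SSH-<proto>-<software>[ <comment>]".
# libssh has used both "libssh_0.8.3" and "libssh-0.6.3" as the software field.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_banner(banner: str) -> dict:
    """Return implementation name (lower-case) and a 3-tuple version, if found."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"implementation": "unknown", "version": None, "raw": banner}
    software = m.group("software")
    name = re.split(r"[_-]", software, 1)[0].lower()   # "OpenSSH_7.4p1" -> "openssh"
    v = VERSION_RE.search(software)
    version = tuple(int(x or 0) for x in v.groups()) if v else None
    return {"implementation": name, "version": version, "raw": banner}


def libssh_vulnerable(version) -> bool:
    """True if a libssh *server* of this version is affected by CVE-2018-10933."""
    if version is None or version < (0, 6, 0):
        return False                      # bug introduced in the 0.6 series
    if version < (0, 7, 0):
        return True                       # every 0.6.x release
    if version < (0, 8, 0):
        return version < (0, 7, 6)        # fixed in 0.7.6
    if version < (0, 9, 0):
        return version < (0, 8, 4)        # fixed in 0.8.4
    return False                          # 0.9+ postdates the fix


def assess(banner: str) -> str:
    """One-line verdict for a banner.  Unknown never means safe."""
    info = parse_banner(banner)
    impl, version = info["implementation"], info["version"]
    if impl == "libssh":
        if version is None:
            return "libssh, version unknown: check manually"
        return "VULNERABLE (CVE-2018-10933)" if libssh_vulnerable(version) else "libssh, patched"
    if impl in ("openssh", "dropbear"):   # libssh2 is client-only and never sends a server banner
        return f"{impl}: not affected by CVE-2018-10933"
    return "unknown implementation: investigate"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the first line starting with 'SSH-'.  The server may
    legitimately send other text lines before its version string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        while len(buf) < 4096:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
            for line in buf.split(b"\n"):
                if line.startswith(b"SSH-"):
                    return line.decode("ascii", "replace").strip()
    return buf.decode("ascii", "replace").strip()


# Constructed sample banners, one per implementation of interest.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4",
    "SSH-2.0-dropbear_2017.75",
    "SSH-2.0-libssh_0.8.3",
    "SSH-2.0-libssh-0.6.3",
    "SSH-2.0-libssh_0.8.4",
    "HTTP/1.1 400 Bad Request",
]

if __name__ == "__main__":
    targets = sys.argv[1:]                      # e.g. python3 sshcheck.py 192.0.2.10 (placeholder)
    banners = [grab_banner(h) for h in targets] if targets else SAMPLE_BANNERS
    for b in banners:
        print(f"{b!r:45} -> {assess(b)}")
```

Run it with no arguments to see the verdicts for the constructed banners, or pass one or more hosts on your LAN to grab their real banners. Treat "unknown" as a prompt to look closer, and remember that the banner proves nothing about what is listening on the router’s public side; the ShieldsUP! scan above is the check for that.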

Links

Notable Security Updates

Notable News

  • Continuing poor security practices at Chinese OEM manufacturer Xiongmai leave millions of IoT webcams vulnerable to takeover and recruitment into another Mirai-style botnet. The original Mirai botnet’s growth was powered by earlier problems with Xiongmai devices. Since Xiongmai is an OEM manufacturer, the branding on affected devices is very broad — nakedsecurity.sophos.com/…
    • Detailed report from security firm SEC Consult, including instructions for figuring out whether or not your camera is affected — sec-consult.com/…
  • Security researchers have detailed an attack against WhatsApp users who leave their voicemail passwords at the default. TL;DR, WhatsApp will fall back to a voice call to deliver your 2FA code, which will go to voicemail if you don’t answer, so attackers wait till the middle of the night in your timezone, rely on you not noticing the SMS and not answering the phone, and then use your default voicemail password to get the 2FA token. Bottom line – make sure you set a custom password/pin on your voicemail! — nakedsecurity.sophos.com/…
  • A Polish security researcher has published details of critical vulnerabilities in eight D-Link router models. D-Link have said six of the eight models are EOL, with the clear implication being that they will not be patching them. It also doesn’t appear that the other two models have been patched either. The eight affected models are the DWR-116, DWR-140L, DWR-512, DWR-640L, DWR-712, DWR-912, DWR-921, & DWR-111. (Editorial by Bart: I think the only thing owners of these routers can do is upgrade to a newer model, it’s not safe to run an un-patchable router IMO) — nakedsecurity.sophos.com/…
  • 🇬🇧 Facebook Brings Political Ad Shake-up to UK — www.macobserver.com/…
  • Apple privacy updates
  • Google’s G Suite now warns users of government-backed attacks by default (it was previously an opt-in feature) — nakedsecurity.sophos.com/…
  • Google have announced that Android Pie will support a new feature that increases the security of Android backups and makes it impossible for Google to decrypt them by using the lock screen password on the phone to secure the encryption key — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers
