
Security Bits – 23 March 2019

Followups

  • The Reply All podcast released an episode about the Momo panic mentioned on the previous Security Bits — overcast.fm/…

Security Medium — Facebook Accidentally Stored Passwords in Plain Text Since 2012

Brian Krebs broke this story, and sourced it from “a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press”.

What Krebs reports is that an internal Facebook audit found that poorly written apps logged plain-text passwords into some kind of searchable logs. These logs were theoretically accessible by “thousands” of Facebook employees.

The investigation is on-going, but Facebook have now admitted that they did log plain-text passwords for hundreds of thousands of users, and did so since at least 2012.

Facebook have found no evidence that any of their employees ever abused these passwords, or that they were ever compromised by outside hackers of any kind. But audit logs show that approximately 2,000 engineers ran approximately 9 million queries which produced results that contained plain-text passwords.

Facebook have promised to contact users they know for sure were affected, but they will not be forcing any password resets. In their official response to Krebs, Facebook said it expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”.

If you trust that no Facebook employee ever abused this treasure-trove of data, then you don’t need to take any action. If, on the other hand, you have a Facebook account and believe there could easily be one or more proverbial bad apples on staff in Facebook, it would make sense to change your Facebook password ASAP. What’s a little more annoying is that you should not just change your current password on Facebook. Any password you’ve ever used on Facebook and then re-used anywhere else needs to be updated everywhere.

If you’ve been putting off getting a password manager, this might be an opportune moment to finally give in and accept the inevitable!
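The failure described above is an app writing a whole request into a searchable log store, password and all. The first line of defence is simply not to log request bodies or credential fields; the second is to scrub whatever still slips through before it is written, and the third is the kind of audit scan that found the problem at Facebook. As an added example, not Facebook’s code and not anything from Krebs’s report, here is a Python `logging` filter that redacts credential values from log records, together with a small leak-finder for auditing existing log lines. The key names, sample events and the `example.login` logger name are constructed assumptions.

```python
"""Credential-redacting log filter: an added example, not Facebook's code.

Scrubs password-like fields from log records before any handler writes
them, and provides find_leaks() as an audit pass over lines that were
already written. Key names and sample events are constructed assumptions.
"""
import io
import json
import logging
import re
from typing import Any

# Key names whose values must never reach a log in the clear. They are matched
# as substrings, so "userPassword" is also caught; extend for your own schema.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key")
REDACTED = "[REDACTED]"

# Matches key=value, key: value, "key": "value" and 'key': 'value' in free text.
_PATTERN = re.compile(
    r'(?P<key>(?:%s)\b\s*["\']?\s*[:=]\s*)' % "|".join(SENSITIVE_KEYS)
    + r'(?P<value>"[^"]*"|\'[^\']*\'|[^"\'&,;\s}]*)',
    re.IGNORECASE,
)


def _scrub(match: re.Match) -> str:
    # Keep the surrounding quotes (if any) so JSON stays well-formed.
    value = match.group("value")
    quote = value[0] if value[:1] in ('"', "'") else ""
    return f"{match.group('key')}{quote}{REDACTED}{quote}"


def redact_text(text: str) -> str:
    """Replace credential values embedded in a free-text message."""
    return _PATTERN.sub(_scrub, text)


def redact_obj(obj: Any, key: str = "") -> Any:
    """Recursively scrub dicts/lists/tuples; a sensitive key's whole value is dropped."""
    if key and any(s in key.lower() for s in SENSITIVE_KEYS):
        return REDACTED
    if isinstance(obj, dict):
        return {k: redact_obj(v, str(k)) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        scrubbed = [redact_obj(v) for v in obj]
        return tuple(scrubbed) if isinstance(obj, tuple) else scrubbed
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class CredentialRedactingFilter(logging.Filter):
    """Clean every record in place before the handler formats and writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # %-style args: a single mapping is stored as a dict, otherwise a tuple.
        record.args = redact_obj(record.args)
        record.msg = redact_text(record.msg) if isinstance(record.msg, str) else redact_obj(record.msg)
        return True  # never drop the record, only clean it


def find_leaks(lines) -> list:
    """Audit helper: indices of lines that still carry a credential value in the clear."""
    leaks = []
    for i, line in enumerate(lines):
        for m in _PATTERN.finditer(line):
            value = m.group("value").strip("\"'")
            if value and value != REDACTED:
                leaks.append(i)
                break
    return leaks


def demo_capture() -> str:
    """Run constructed sample events through the filter; return what the log store would see."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # Attach the filter to the handler, not the logger: logger-level filters do
    # not run for records propagated up from child loggers, handler-level ones do.
    handler.addFilter(CredentialRedactingFilter())
    logger = logging.getLogger("example.login")  # assumed name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.addHandler(handler)

    # Constructed events modelled on the failure mode: the app logs the whole request.
    logger.info("login attempt user=alice password=hunter2 ip=203.0.113.7")
    logger.info("raw body: %s", json.dumps({"username": "bob", "password": "s3cr3t pass"}))
    logger.info("form fields: %(username)s %(password)s", {"username": "carol", "password": "P@ss"})
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    captured = demo_capture()
    print(captured, end="")
    print("lines still leaking:", find_leaks(captured.splitlines()))
```

The filter is deliberately over-eager (substring key matching, both quoted and bare values) because a false redaction costs a little debugging convenience while a miss costs a credential; the trade-off to watch is that any field whose name does not contain one of the listed words, or a multi-word bare value such as an `Authorization: Bearer …` header, passes through untouched and has to be covered by extending `SENSITIVE_KEYS` or the pattern.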

Links:

Notable Security Updates

Notable News

  • Windows users, beware of .reg files: a security researcher has found a way to alter the content of the warning dialogue, including the text within the buttons, simply by including some special characters in the filename. This literally allows an attacker to turn the button to back out of the registry changes into the one to accept them! What’s worse is that Microsoft have no plans to fix this issue ATM — nakedsecurity.sophos.com/…
  • Security researchers have found a way of extracting Microsoft BitLocker encryption keys when the full-disk encryption software is configured in its least-secure configuration. Microsoft were already advising against this configuration, and the attack involves creating some custom hardware to intercept the key as it moves across buses within the computer, so, for now at least, this attack is only likely to affect high-value targets — nakedsecurity.sophos.com/…
  • Security researchers have found two zero-day exploits against Safari, one which allows complete take-over of a Mac simply by tricking the victim into visiting a malicious URL. Thankfully both came to light in a hacking contest run by the Zero Day Initiative (ZDI), so they have been responsibly disclosed to Apple, and details have not been published — 9to5mac.com/…
  • Google Hit With $1.69 billion EU Anti-Trust Fine Over Adsense Restrictions — www.macobserver.com/…
  • Google have released details of some privacy improvements that will be included in Android Q (the next major Android release, which is scheduled for this summer). The most notable is a switch to iOS-style control over location data (three choices for each app: when using the app, always, or never). Android Q will also curtail access to device identifiers being abused by apps for tracking users against their will, and greatly improve the security of app data stored on SD cards — nakedsecurity.sophos.com/…
  • Microsoft worked with Google’s Project Zero team for over a year to get to the bottom of a whole new class of Windows security vulnerability. Thankfully, after all that work they found there are no currently usable exploits, and they have developed improvements to Windows 10 that will harden the OS against this new class of problem. The improvements will be included in the 1903 Spring Update for Windows 10. Microsoft are also recommending that driver vendors similarly harden their code. It’s notable that Google chose not to publish details of this vulnerability after its usual 90-day window — arstechnica.com/… & nakedsecurity.sophos.com/…
  • Microsoft is re-branding its Windows Defender AV offerings as Microsoft Defender because it is bringing its enterprise AV offering to the Mac as part of its Advanced Threat Protection (ATP) suite. The software is only available as a preview ATM, but will launch soon — arstechnica.com/… & www.macobserver.com/…
  • The pro-privacy social media site MeWe has reached 4M members — www.macobserver.com/…
    • Editorial by Bart: I’ve done a little digging, and they are a for-profit company based on a freemium model (very much like Slack, the premium products are aimed more at enterprises than home users).
  • DARPA Is Building a $10 Million, Open Source, Secure Voting System — motherboard.vice.com/…
  • Mozilla have released Firefox Send (send.firefox.com), a new and easy to use tool for securely sharing files — www.wired.com/…

Suggested Reading

Palate Cleansers

2 thoughts on “Security Bits – 23 March 2019”

  1. Bruno - March 25, 2019

    Here’s another site that lets you securely transfer large files. They just started this service a few months ago. Transfer is free for files up to 25GB:
    https://www.swisstransfer.com

  2. Allister - March 26, 2019

    The randomness game is a bit lamer than I was thinking. I gave up at 1001 presses where it had scored 69% over me (it never crossed 70% after the first 50 or so presses). Randomness of only two choices is not anywhere near the same as randomness of passwords. After many years using xkpasswd-generated passwords I have now developed a system where I *can* come up with passwords, if I need to in a pinch, that I believe are random enough to make no difference to any guesser or brute-force algorithm than had I used a computer-generated one. Case in point — here’s a random one I will make up right now on the spot… 733!gravel+locomotive+greenery!182. Every component of that password comes from my local environment (my study), though not necessarily directly. Though the symbols I just chose on the fly. Can humans be random? Not over a large domain, but for the purposes of passwords… yes, with some thought.
