{"id":16091,"date":"2018-08-12T18:23:58","date_gmt":"2018-08-13T01:23:58","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=16091"},"modified":"2018-08-12T18:23:58","modified_gmt":"2018-08-13T01:23:58","slug":"sb-webauthn-pentagon-says-no-gps-reddit-breach","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/08\/sb-webauthn-pentagon-says-no-gps-reddit-breach\/","title":{"rendered":"Security Bits &#8211; WebAuthn, Pentagon Says No GPS, Reddit Breach"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li>We looked at WebAuthn, a new protocol for password-less authentication on the web, in a <a href=\"https:\/\/www.podfeet.com\/blog\/2018\/04\/sb-2018-04-13\/\">Security Medium back in April<\/a>. At that stage Microsoft had committed to adding support for the protocol to their Edge browser in the future; they&#8217;ve now followed through, adding support to the <em>Insider<\/em> (think beta) version of Windows 10. If testing goes well it could be added to this Autumn&#8217;s Windows 10 update (Firefox &amp; Chrome already have support, but Safari doesn&#8217;t, and I&#8217;ve not found any statement from Apple about plans to support the protocol) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/02\/microsoft-edge-adds-webauthn-as-passwords-near-the-end\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; In response to the Strava data <em>&#8216;leak&#8217;<\/em> (sorta) from a few months ago, the Pentagon has put limits on where GPS-using apps can be used \u2014 <a href=\"https:\/\/tidbits.com\/2018\/08\/07\/pentagon-puts-limits-on-gps-usage\/\">tidbits.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/09\/attack-on-fcc-over-net-neutrality-was-legitimate-traffic-report-says\/\"><em>&#8216;Attack&#8217;<\/em> on FCC over net neutrality was legitimate traffic, report says \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Security Medium \u2014 The Reddit Breach<\/h3>\n<p>Reddit notified users that they&#8217;ve discovered a security breach that took place in June this year:<\/p>\n<blockquote><p>\n  A hacker broke into a few of Reddit\u2019s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.\n<\/p><\/blockquote>\n<p>In theory a salted, hashed password should be safe, but that&#8217;s only true if the password itself was strong and the hashing algorithm was strong. The best-practice hashing algorithms from a decade ago were nowhere near as strong as today&#8217;s best-practice algorithms, so I would advise assuming the affected passwords have been, or will soon be, cracked.<\/p>\n<p>So, based on that, my advice would be to:<\/p>\n<ol>\n<li>Reset your Reddit password.<\/li>\n<li>Enable Reddit&#8217;s token-based 2FA (<a href=\"https:\/\/www.reddithelp.com\/en\/categories\/using-reddit\/your-reddit-account\/how-set-two-factor-authentication\">instructions<\/a>).<\/li>\n<li>If you used that same password anywhere else, change it there too.<\/li>\n<li>If you&#8217;re not already using a password manager, give it serious consideration! (I recommend <a href=\"https:\/\/1password.com\/families\/\">1Password for families<\/a>)<\/li>\n<\/ol>\n<p>What&#8217;s probably the most interesting thing about this hack is how the attackers got in \u2014 they used SMS spoofing to get around the two-factor authentication protecting some back-end systems that power the service. We&#8217;ve known for some time now that SMS is insecure, and that SMS-based 2FA really is the least-effective form of commonly used 2FA. This really underlines the point. My advice to people is only to use SMS for 2FA when the only other choice is no 2FA at all. 
It may be the least effective form of 2FA, but any 2FA is better than none!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li>Reddit&#8217;s excellent disclosure (clear, concise, and free from spin) \u2014 <a href=\"https:\/\/www.reddit.com\/r\/announcements\/comments\/93qnm5\/we_had_a_security_incident_heres_what_you_need_to\/\">www.reddit.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/08\/reddit-breach-highlights-limits-of-sms-based-authentication\/\">Reddit Breach Highlights Limits of SMS-Based Authentication \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/02\/reddits-serious-security-incident-what-you-need-to-know\/\">Reddit\u2019s serious \u201csecurity incident\u201d \u2013 what you need to know \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Un-patched Mikrotik routers being used in a massive cryptojacking campaign \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/03\/routers-turned-into-zombie-cryptojackers-is-yours-one-of-them\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Details have been released of an already-patched bug in Apple&#8217;s Mobile Device Management (MDM) platform that allowed Macs to be hijacked while they were being enrolled in an organisation&#8217;s system. There&#8217;s no need to panic about this one because the bug was hard to exploit, only affected users who registered their devices with an MDM system, and has already been patched \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/apple-mac-mdm-security-flaw\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The WSJ has reported that Facebook is in negotiations with US banks to integrate with Facebook Messenger, and hence to have data flowing between users and their banks through Facebook. 
This set off a lot of people&#8217;s <em>privacy-spidey-senses<\/em>, so Facebook responded by saying they didn&#8217;t want users&#8217; banking data, just to offer cool features like the ability to see your bank balances in Facebook and to chat with bots from your bank on the platform \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/facebook-wants-bank-account-activity\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; (<strong>Editorial by Bart:<\/strong> this is how I have my phone set up; it means you can disable FaceID\/TouchID by tapping the lock button five times or by pressing and holding the lock and volume buttons, but without your phone autodialling 112\/999\/911 and without your phone making a great big racket) <a href=\"https:\/\/www.imore.com\/iphone-x-how-stop-accidentally-calling-911-emergency-sos-auto-call\">How to stop accidentally calling 911 and emergency contacts on iPhone \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/porn-blackmail-scam-rattles-mac-users-what-you-need-to-know\/\">Porn Blackmail Scam Rattles Mac Users: What You Need to Know \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-to-prepare-mac-for-sale\">How to reset your Mac before selling it \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/31\/cryptojacking-for-beginners-what-you-need-to-know\/\">Cryptojacking for beginners \u2013 what you need to know \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/what-are-32-bit-and-64-bit-apps-and-why-do-they-matter\/\">What Are 32-Bit and 64-Bit Apps, and Why Do They Matter? 
\u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x1f1fa;&#x1f1f8;  Two flaws in Comcast Xfinity&#8217;s systems allowed attackers to translate IP addresses into exact physical addresses, and into the last 4 digits of the account holder&#8217;s SSN. The flaws have now been fixed and there&#8217;s no evidence anyone exploited the flaws before they were reported and fixed (<strong>Editorial by Bart:<\/strong> reading the details of the flaws is pretty depressing, clearly, telcos are staggeringly ignorant about even the most basic security principles) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/10\/comcast-xfinity-web-flaws-exposed-customer-data\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2018\/08\/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months\/\">Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/01\/high-schoolers-data-put-up-for-sale-after-being-scraped-from-surveys\/\">High-schoolers\u2019 data put up for sale after being scraped from surveys \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/09\/google-to-warn-companies-targeted-in-government-backed-attacks\/\">Google to warn companies targeted in government-backed attacks \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/02\/facebook-shuts-off-user-data-access-for-hundreds-of-thousands-of-apps\/\">Facebook shuts off user data access for hundreds of thousands of apps \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/02\/facebook-bans-midterm-meddling-accounts-and-pages\/\">Facebook bans midterm-meddling accounts and pages \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/facebook-psychological-trick-teenagers\/\">How Facebook Used a Psychological Trick on Teenagers \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/07\/mozilla-faces-resistance-over-dns-privacy-test\/\">Mozilla faces resistance over DNS privacy test \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/08\/snapchat-source-code-leaked-on-github\/\">Snapchat source code leaked on GitHub \u2013 but no one knows why \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The popular macOS package manager <a href=\"https:\/\/brew.sh\/\">Homebrew<\/a> has had to reset its GitHub API key after accidentally leaking it \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/10\/how-one-man-could-have-hacked-every-mac-developer-73-of-them-anyway\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/9to5mac.com\/2018\/08\/07\/apple-responds-to-lawmakers-privacy\/\">Apple responds to US lawmaker concerns about location tracking, \u2018Hey Siri,\u2019 more \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li><a href=\"https:\/\/www.fastcompany.com\/90208689\/sorry-folks-the-scooter-craze-could-be-a-data-privacy-nightmare\">Sorry folks, the scooter craze could be a data-privacy nightmare \u2014 www.fastcompany.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/03\/how-safe-is-your-dna-data\/\">How safe is your DNA data? 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/08\/the-year-targeted-phishing-went-mainstream\/\">The Year Targeted Phishing Went Mainstream \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/qz.com\/1342757\/everything-bad-about-facebook-is-bad-for-the-same-reason\/\">Everything bad about Facebook is bad for the same reason \u2014 qz.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/pxlnv.com\/blog\/bullshit-web\/\">The &#x1f404;&#x1f4a9; Web \u2014 pxlnv.com\/\u2026<\/a><\/li>\n<li>(from Allison) <a href=\"https:\/\/eclecticlight.co\/2018\/07\/22\/last-week-on-my-mac-is-xprotect-dead-or-about-to-be-replaced\/\">Last Week on My Mac: Is XProtect dead, or about to be replaced? \u2013 The Eclectic Light Company \u2014 eclecticlight.co\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1356239\">Windows 10 to get disposable sandboxes for dodgy apps \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/02\/how-to-defend-yourself-against-samsam-ransomware\/\">How to defend yourself against SamSam ransomware \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/31\/samsam-the-almost-6-million-ransomware\/\">SamSam: The (almost) $6 million ransomware \u2014 nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/08\/07\/how-bitcoin-and-the-dark-web-hide-samsam-in-plain-sight\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/31\/leaky-radio-devices-broadcast-chipset-data-discover-researchers\/\">Leaky radio devices broadcast chipset data, discover researchers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a 
href=\"https:\/\/www.macobserver.com\/columns-opinions\/editorial\/programming-languages-like-cars\/\">If Programming Languages Were Cars, Which Would They Be? \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followups We looked at WebAuthn, a new protocol for password-less authentication on the web in a Security Medium back in April. At that stage Microsoft had committed to adding support for the protocol to their Edge browser in the future, they&#8217;ve followed through, adding support to Insider (think beta) version of Windows 10. If testing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-16091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=16091"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.co
m\/blog\/wp-json\/wp\/v2\/posts\/16091\/revisions"}],"predecessor-version":[{"id":16093,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16091\/revisions\/16093"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=16091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=16091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=16091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}