SecureMac, Inc.

Checklist 158: Catalina Bound

October 10, 2019

On this Checklist, we’ll take a look at the latest version of macOS. We’ll revisit two-factor authentication by way of a somewhat disappointing story involving Twitter. And we’ll round out the show with news of yet another data breach.

Checklist 158: Catalina Bound

On this Checklist, we’ll take a look at the latest version of macOS. We’ll revisit two-factor authentication by way of a somewhat disappointing story involving Twitter. And we’ll round out the show with news of yet another data breach.

Here’s the Checklist for this week:

  • Setting sail for Catalina
  • The trouble with Twitter and 2FA
  • A few words about Words with Friends

Catalina has arrived!

This week, Apple released macOS 10.15 (“Catalina”) to the general public. 

We’ve covered the security and privacy features of the new Mac OS in depth on the blog, but there are plenty of other features—and a couple of compatibility issues—to discuss.

Probably the most exciting of the non-security features is what’s being done to iTunes: Namely, iTunes is going the way of the dodo. While the app had enjoyed a good run, in recent years it was becoming clear that its user interface was no longer able to deliver the kind of experience that the public demanded. It remains to be seen if splitting the app into separate Music, TV, and Podcasts apps will work out—but it seems a step in the right direction if it moves us away from the unwieldy and monolithic iTunes app. 

Other cool Catalina features include Sidecar, which allows Mac users to turn their iPads into second screens, and improvements to Voice Control, which reaffirms Apple’s commitment to accessibility.

On the developer front, Catalyst will provide a way for iOS devs to quickly and easily turn their iOS apps into Mac apps, which will hopefully translate into a richer and higher-quality selection of apps for macOS users.

However, despite all of the improvements, Catalina may not be ideal for all users just yet.

One issue that’s raised eyebrows in the music scene has to do with Catalina’s Music app: It will no longer be possible to export XML playlists in real time to other apps. This  means that users will no longer be able to grant other apps—for example DJ apps—the ability to search through a Music database in order to locate tracks quickly and easily. Obviously, this is far from ideal for DJs using Macs to play music during live events—and so for the time being this demographic is probably best advised to stay with Mojave. 

This may leave you wondering if other apps won’t play well with Catalina. The good news is that most of them should be compatible (after all, developers have been aware of the changes coming in macOS 10.15 for quite some time). 

But one potential source of problems has to do with the fact that Catalina will no longer support 32-bit apps—from now on, only 64-bit apps will function on macOS.

Again, most developers have known about this for a long time, and have hopefully upgraded their apps to 64-bit versions. But Mac users running older apps and looking to switch to Catalina may need to change over to updated versions of those apps…and this won’t necessarily be free.  

In order to see if you have 32-bit apps on your system, you need to go to Apple menu > About This Mac > System Report > Software > Applications. From there, you can sort by 32-bit apps and see a full list of all the older apps that, alas, won’t work if you upgrade to Catalina.

If you see any 32-bit versions of apps that you really depend on, you can contact the developer to see if a 64-bit version is available—or you could simply hold off on updating your version of macOS and stay with an older version for a while.

Apple issues security patches and updates for older OSes, so it’s not as if you’ll be completely exposed by not updating. However, it’s also fair to say that for the best, most secure experience, one really should be using the most up-to-date version of macOS available. 

Two-factor shenanigans at Twitter

News surfaced recently of a somewhat worrying story about how Twitter was handling its users’ two-factor authentication data.

Before we delve into the gory details, let’s take a moment for a quick review of two-factor authentication, or “2FA” for short.

2FA is basically a way of enhancing security by requiring users to provide more than one type of evidence, or “factor”, in order to authenticate themselves and access an account or service.

The “factors” in two-factor authentication fall into one of three classes.

There are knowledge factors: Things that you know. This would include things like passwords, PINs, or the answer to a security question like “What was your first pet’s name?”

There are ownership factors: Things that you have. This could mean something like a one-time security code or token sent by the authenticating service to your email address or perhaps even to something that you physically have, like your phone.

Finally, there are inherence factors: Things that you are. These refer to biometric data—and are used with authentication methods like fingerprint scans, voice identification, or Apple’s famous Face ID. 

Two-factor authentication is generally regarded as an excellent security measure, and is something we’ve recommended numerous times on the Checklist and our blog. The reason why it’s such a powerful tool is that it adds an extra layer of security to the authentication process, making it far less likely that a bad actor would be able to come into possession of enough of your authentication factors to cause you harm. In other words, while someone might get hold of the username and password for your bank account, they would be unlikely to also have physical access to your iPhone—and would never be able to get into an account protected by Face ID.

So far, so good—but what happened over at Twitter?

It turns out that some of the user data collected by Twitter in order to facilitate 2FA—including phone numbers and email addresses—was also used to serve targeted ads to some users.

Obviously, this could be construed as a fairly grotesque violation of privacy. Many Twitter users value their anonymity—some of them for personal or even political reasons. Twitter, in their own defense, explained that the situation arose because their existing marketing program allows advertisers to upload their internal marketing lists—lists containing contact data like phone numbers and email addresses—to the company’s Tailored Audiences program. According to Twitter, the system accidentally matched the contact details in these lists to specific Twitter users…through the data they’d submitted for purposes of two-factor authentication. In other words, it was an error. A very big error.

Whether or not you believe that explanation probably depends on your level of cynicism as well as your opinion of Twitter as a company. It’s certainly not out of the realm of possibility that this was simply poor implementation and/or buggy code. But if nothing else, it further underscores the need for consumers to take responsibility for their own digital security and privacy, as even the largest, most tech-oriented companies have less than perfect records when it comes to securing user data.

Znyga gets hacked…and Facebook to the rescue?!?

News broke last week of a data breach affecting players of Words with Friends and Draw Something, two popular games put out by social game developer Zynga.

According to the hacker himself, the massive haul of data included names, usernames, and email addresses; hashed passwords and phone numbers; as well as Facebook IDs and password reset tokens.

That’s a huge amount of personal data, and anyone who wasn’t using strong, unique passwords is at risk for anything from an account hack to identity theft.

If you’ve ever used one of these games, you’re strongly advised to change your passwords on both Words with Friends as well as Draw Something—and to make sure you’re not using your old (now hacked) passwords on other sites.

Interestingly, the breach doesn’t seem to have affected users who only logged in through their Facebook accounts, since third-party login services like Facebook Login or Google Sign-In are responsible for storing user credentials (instead of the actual service or app being used). Players who always logged in with their Facebook accounts would therefore never have had their passwords stored in Zynga’s databases. Of course, your information would still be in the hands of Mr. Zuckerberg and friends, which might give you pause (and is yet another reason to check out Sign in with Apple). This whole story is, ultimately, a further reminder that creating strong passwords is the cornerstone of digital security and privacy. 

Join our mailing list for the latest security news and deals