SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 91 – Mix and Match 3.0

Posted on May 31, 2018

The 2018 parade of big tech and security headlines continues, and in recent episodes, we’ve touched on some pretty big developments. From Cambridge Analytica and Facebook scandals to the rollout of the General Data Protection Regulation in Europe, we’ve covered some major issues so far this year. In between all those banner headlines, though, there have been plenty of other important stories that haven’t been quite so big as to merit getting a show all their own. Today, we’re reaching into the grab bag for our third edition of Mix and Match, where we’ll look back at some new stories and provide follow-ups on some of these other topics. Let’s not waste any more time: here’s what’s on the list for today’s Checklist.

  • Twitter Fesses Up to Major Password Blunder
  • The End of Cambridge Analytica(?)
  • Yet Another Facebook Privacy Scandal
  • An Update on the Equifax Breach
  • Signal and the Case of the Disappearing Reappearing Messages

Twitter has come a long way from its early days, and now boasts a truly massive number of daily users — but it looks like even this major social media platform isn’t immune to some real SNAFUs when it comes to security. That’s where we’re kicking off today’s Mix and Match.

Twitter Fesses Up to Major Password Blunder

These days, big data breaches and major failures of security are so commonplace that eye-popping large numbers of affected users no longer seem to be the sensational headline-making news they once were. We’re used to a story that plays out the same way every time, too: bad guys break into a company’s servers or exploit a specific weakness and make off with the whole username and password database. Maybe we find out right away, or maybe we find out five years later, but it results in a headache for all involved.

Recently, this script got flipped on its head as Twitter admitted to a major problem in the way they handled user passwords. In fact, Twitter took the extraordinary step of notifying all users of the problem the company identified internally and suggested that everyone using Twitter should consider changing their passwords right away. That’s a big deal, especially on a platform as large as Twitter, which hosts hundreds of millions of users.

We usually only see someone hitting the “panic” button and calling for a total reset when the bad guys have already stolen the password database, or when some other serious, high-level breach has occurred. In this case, though, there were no attackers and no external breach. Instead, Twitter identified the problem itself, recognized its severity, and went public with the information. That’s when they told users to change their passwords out of an abundance of caution, as a means of mitigating any future threat. So how could all this happen in the first place? In other words, how did Twitter manage to “pwn” themselves?

Back on May 3rd, Twitter announced the discovery of a flaw in the process they were using to store passwords. Put simply: the plain text passwords were going into an internal log file where someone with the right access could potentially have harvested the data. In normal operations, Twitter hashes passwords prior to storage using a common industry standard known as bcrypt. Hashing makes it a whole lot harder for the bad guys to break into accounts even if they steal a password database, as the process thoroughly obfuscates the original string entered into the hashing algorithm. If you’d like to learn more about how hashing works, we covered that topic thoroughly in Episode 41 of the Checklist on authentication and online security.

However, Twitter uncovered a bug in their processes. Before the completion of the hashing sequence, user passwords were written to a log file in the clear — exactly as you would type it in to log in to the site. Naturally, that’s not good security at all. Twitter immediately took steps to purge their systems of all the offending log files and fixed the bug to ensure it could not happen again. That’s when they went public. While there is no evidence that anyone ever actually breached Twitter and found these password-filled log files, they still suggested changing passwords “just in case” someone ever had.
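The bug class described above, as an added illustration that is not Twitter’s code: a login handler that debug-logs the raw request before the hash is computed, beside a fixed version that hashes first and runs a redaction filter on anything headed for a log. Assumptions: the password hash uses the standard library’s PBKDF2 as a stand-in for bcrypt, and the log is captured in memory so the result can be inspected.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Assumed stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random per-user salt.
_ITERATIONS = 200_000


class RedactSecrets(logging.Filter):
    """Rewrite secret-looking fields before the record reaches any handler."""
    _pattern = re.compile(r"('(?:password|passwd|token)':\s*)'[^']*'")

    def filter(self, record):
        record.msg = self._pattern.sub(r"\1'[REDACTED]'", record.getMessage())
        record.args = ()   # the raw args held the secret too; drop them
        return True


def _capture_logger(name):
    """Return (logger, buffer); the buffer stands in for the on-disk log file."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), _ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_leaky(request):
    """The bug: the whole request, plaintext password included, hits the log first."""
    logger, buf = _capture_logger("leaky")
    logger.debug("login request: %r", request)
    return hash_password(request["password"]), buf.getvalue()


def login_fixed(request):
    """Hash before logging, and never let a secret field reach the log unredacted."""
    logger, buf = _capture_logger("fixed")
    logger.addFilter(RedactSecrets())
    stored = hash_password(request["password"])
    logger.debug("login request: %r", request)   # the filter rewrites this line
    return stored, buf.getvalue()
```

Constructed sample input: `{"user": "alice", "password": "hunter2"}`; the leaky handler’s log contains the password verbatim, the fixed one only `[REDACTED]`, and both still produce a verifiable hash.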

Overall, this is a strange and unique situation for a couple of reasons. First, obviously, it’s not usually the company itself that reveals a password problem; usually, it’s just the bad guys stealing the data and disappearing into the night. Next, it usually takes a major company a fair amount of time to isolate and shut down one of these bugs, and even longer for them to decide to request a reset for all users. Finally, it’s even rarer for the company to own up to their mistake without any pressure from the media or the security sector. We know that more often than not, getting a company to admit responsibility for a breach, or even to confess that a breach occurred at all, is like getting blood from a stone. So, kudos to Twitter from us for being honest and up-front about their mistake and for taking quick, decisive action to get things fixed — that’s how it should be done!

The End of Cambridge Analytica(?)

As a quick refresher, who are we talking about when we refer to Cambridge Analytica? This is the data-focused company that was at the center of a major scandal involving Facebook. During the 2016 presidential election season, Cambridge Analytica used information scraped from public Facebook profiles — perhaps as many as 87 million of them — to micro-target political ads and posts to users. The goal: to sway opinions and votes in a decidedly ethically dubious way. We’ve already spoken a great deal about both this company and the surrounding issues involving Facebook back on Episode 85 of The Checklist, “Facebook Follies” — which you can check out now if you want to take a deeper dive into that subject.

Since the news around CA originally broke, the company has made several additional splashy headlines, and none of them are very good at all. Back on May 2nd, for instance, the company announced that it would be ceasing its operations altogether and immediately requesting hearings in the UK on its insolvency. Meanwhile, the company announced its US-based operations would also be entering into bankruptcy hearings. Of course, now that the bad news about what the company does and did is out, the entire house of cards is coming down — but it looks like they may not be able to escape proper scrutiny.

Late on May 15th, news hit the wires that both the FBI and the US Department of Justice had launched investigations into Cambridge Analytica’s operations. These investigations, from what we’ve been able to learn about them, seem to focus largely on CA’s financial dealings, but the methods it employed to gather and utilize user data are also a part of the investigatory scope.

The UK is acting, too, with criminal investigations underway on allegations of destruction of evidence, hacking, bribery, and violations of UK-specific data legislation. With the public outcry that occurred after the disclosure of Cambridge Analytica’s actions, these steps aren’t surprising. However, it’s likely it will take months or perhaps even years before the investigations conclude and all the facts become public knowledge.

So, is this the end of the road for Cambridge Analytica? Maybe in this current incarnation, it is. However, there is another company by the name of “Emerdata” waiting in the wings. It is financially backed by the same billionaire that funded Cambridge Analytica and employs much of the same staff — the director of Emerdata is the same man who was CA’s acting CEO and a chief data scientist.

For now, it looks like Emerdata is in trouble, too, as it is currently under the administration of the British courts. CA’s founder says Emerdata was meant to be a holdings company to consolidate analytical operations, and with the company’s bankruptcy, those dreams are dead. It’s unlikely that we’ve truly seen the last of companies trying to conduct operations on this type of scale, though.

Yet Another Facebook Privacy Scandal

Speaking of Cambridge Analytica, lately it seems like we can’t make it through a whole month without some new scandal surrounding Facebook and user information cropping up in the news. However, this latest one was so similar-sounding to the controversy surrounding CA that many may have overlooked it. There are quite a few similarities between the stories, after all. This latest scandal involves a Facebook personality quiz app and user data being shared between third-parties, much in the same way it was with CA. Here are the facts behind what went down back in the early days of April.

It started on April 7th, when Facebook suspended the app “myPersonality” from the entire platform and released a public statement saying that the app could have violated Facebook’s policies on the sharing of user data. Before the suspension, approximately 6 million Facebook users used the app to take personality quizzes, with about 3 million of those users clicking a button to agree to share their information with the app’s creators. Here’s an additional fun fact: one of the primary collaborators on the project is a man named Aleksandr Kogan, whom you might remember from the Facebook Follies episode. Why? Because he was the lead architect of This Is Your Digital Life, the app used by Cambridge Analytica to harvest tens of millions of profiles.

So, what’s the actual scandal here? All the data users shared through the app was supposed to be anonymous to protect their identities, but as it turns out, that was not the case at all. Every user of myPersonality received a unique numerical identifier which was generated based on certain information on their profile, such as their gender, location, age, status updates posted by the user, and the results they received for the quiz. With all this information bundled up into one user ID, it would be a trivial matter for someone with the entire data set to figure out the individual behind every unique ID.

Worse still, pretty much anyone who wanted to look at this data set could do so — and keep in mind, there were some seriously personal questions packed into these personality quizzes and stored in the data. Access to the data was meant to be protected by a login, but anyone who took the time to do a Google search for the login credentials could find a working combination with ease. And guess what — that login has worked for the past four years! It’s another big fumble for Facebook, which consistently claims to be “doing more” to safeguard user information. If apps can collect all this data and leave it out in the open, what good are those efforts?

With the app now suspended, this particular data leak has been plugged. How long will it be before we report on another app that misused or mishandled user data, though? So far, it looks like there is a clear pattern going on with these stories. Facebook authorizes the apps, trusts the developers to follow their guidelines, and then rarely investigates things to ensure that everything is kosher. The company insists that’s changing. For now, we’ll have to wait and see.

An Update on the Equifax Breach

Here’s a quick but important update on a big story that should still be major news, but which — like many data breaches — has been fading from the headlines. We’re talking about the Equifax breach, of course, which you can revisit in depth in Episode 54 of The Checklist. Back then, all we knew was that Equifax had suffered a breach on a truly massive scale and that hundreds of millions of sensitive customer records were stolen. We only had a vague idea about what they actually took, though, and that meant there were a lot of gaps in what we knew. However, we now have a chance to gain some insight into one of the most breathtaking failures of information security in recent years.

With multiple Congressional inquiries into what Equifax did wrong and how it mishandled this data, more information is coming to light on a regular basis. As part of the disclosures Equifax must make, they made a recent filing to the Securities and Exchange Commission that groups the lost records into categories. For the first time, we have a clear idea of the true scope of this breach. We’ll let the numbers speak for themselves as there is not much that we can add to emphasize the huge effect of this event:

  • 146.6 million names
  • 145.5 million Social Security Numbers
  • 146.6 million dates of birth
  • 99 million home addresses
  • 20.3 million phone numbers
  • 17.6 million driver license numbers
  • 27 thousand driver license state identifiers
  • 27.3 million gender markers
  • 1.8 million email addresses
  • 97.5 thousand Tax ID numbers
  • 209 thousand credit card numbers with expiry dates

We’re talking about a truly staggering amount of data, and as one can imagine, it’s fertile ground for identity theft. While releasing this info doesn’t make Equifax’s poor practices any better, and it doesn’t reduce the risk, we at least now have a better sense of what’s out there. Remember that regularly checking your credit report can help to mitigate the risks of identity theft, especially given how much of this data is now out there somewhere.

Signal and the Case of the Disappearing Reappearing Messages

Way back in Episode 29 of The Checklist, where we covered effective ways to chat with encryption, we covered an app called Signal — it’s one of the most well-liked secret chat apps because of its robust end-to-end encryption. Recently, a bug in Signal created some strange behavior that drew the attention of the security community. It has to do with the Notification Center built right into macOS. You may already be familiar with it because of its usefulness; it’s the fastest way to find notifications you might have missed, check things coming up on your calendar, and see email notifications.

Well, it was this handy feature that made Signal’s signature disappearing messages reappear, as if by magic, after they should have undergone an automatic deletion process. In early May, a security researcher by the name of Alec Muffett noticed that Signal messages weren’t properly disappearing on macOS and sent out a tweet to alert other users of this potential leak. Another researcher we often mention here on the show, Patrick Wardle, decided to start digging into the issue to uncover the actual problem. After all, Signal’s integrity is vital for many who need to communicate securely. If you can’t trust a message to disappear when it says it will, that could lead to big problems.

As it turns out, the way the Notification Center works in macOS is at the heart of the app’s strange behavior. When an app executes the code that triggers the display of a message in the Notification Center, the notification will persist unless one of three conditions occurs: the user opens the Center and clicks the “X” button to close the notification; the app explicitly sends a dismissal command; or, if it’s an alert notification, the user closes the alert altogether. Signal wasn’t sending a command to dismiss the notification, so messages meant to disappear remained — and if you’re using Signal, that means you’re at risk of exposing conversations you’d rather keep private.

Although these notifications don’t hang around forever in the Notification Center, Wardle wondered if maybe they were ending up somewhere on the hard disk, too. He dug deeper into the issue and found that by manipulating a specific database buried deep in the file system, he could recover a host of messages from Signal, including those meant to disappear. Overall, this flaw is a combination of the way Signal works on macOS and the way the Notification Center stores and logs the messages it receives — a sort of perfect storm to expose confidential information accidentally.

The good news: it didn’t take long before Signal’s vigilant developers issued a patch. With the new fix, they closed the hole for good. Now disappearing messages go and stay gone — just as they should!

With that, another edition of our Mix and Match show comes to a close. Just because these topics didn’t merit a show all their own, though, doesn’t mean there isn’t more to learn. Below you can check out links to more information about all the stories featured on today’s show so that you can dig into the details for yourself. As for us, we’ll be turning our attention to next week’s discussion.
