The Threatpost team breaks down the top data privacy-related news this week, including:
- Google’s acknowledgement that G Suite passwords had been stored in plaintext – since 2005.
- The database of golfing app Game Golf left misconfigured, exposing millions of data points on games played plus sensitive information.
- Mozilla’s focus on privacy in its new release of Firefox 67, which comes with protections against cryptomining and digital fingerprints.
- The upcoming Threatpost webinar focusing on Identity Management solutions picking up the slack as passwords are increasingly viewed as security liabilities (you can register here).
Below is a lightly-edited transcript of the news wrap podcast.
Lindsey O’Donnell: Welcome to another Threatpost weekly news wrap podcast. We’re here to discuss the biggest news in the infosec space for the week ended May 24. You’ve got myself, Lindsey O’Donnell, and Tom Spring and Tara Seals with Threatpost here today. Hello to you both.
Tom Spring, Tara Seals: Hey, Lindsey.
Lindsey: So there’s been a bunch of big data privacy news stories this week and a lot of really good themes about how data is stored and secured and what happens when it leaks and kind of the impact there. And to me, it’s a bit ironic because we’re really coming up on the one year anniversary of the General Data Protection Regulation laws, or GDPR, which were passed a year ago Saturday. So that’s interesting timing there.
Tara: Yeah. That has obviously impacted the way a lot of people look at privacy as being more of a corporate risk factor now – not just an ethical thing. So it’s interesting.
Tom: I’m interested to know how many websites or how many companies are compliant with GDPR too at this anniversary. I would guess, at least for companies within the US it’s not necessarily 100 percent compliance.
Lindsey: Yeah, going off that I’d be curious too because, obviously, this is an EU-based law, so not the US. So I am curious about the impact that it’s had on the US, especially with US-based companies like Facebook who have had to comply in Europe and now maybe would be changing up their policies in the US. I know we wrote a lot about this a year ago and when it first came about, so would be curious to check in on that.
Tom: Well, many companies are impacted, I mean, even Threatpost was impacted in the way that we do our permissions now for our newsletters and for the various different things that we ask people to sign up for. I mean, the impact of GDPR, while it may be a European law, has had a huge effect on US companies right back to Threatpost.
Lindsey: Right, hits home there. But anyways, we had a bunch of data leak stories coming out of this week that were impacting everyone from golfers, which Tara I know you wrote that one, to Instagram influencers, so it hit everyone this week, but I just wanted to start with the biggest one in my opinion, because this one kind of blew my mind regarding the timeline – but Google storing unhashed G Suite passwords since 2005. That was the big news earlier this week. And in my opinion, I think that kind of takes the cake for the biggest privacy security faux pas.
Tara: It’s really interesting because, you know, Google actually got hit by the largest GDPR fine that has been issued so far, not too long ago. But yet here we go, with yet another issue, so what did you uncover when you delved into that, Lindsey?
Lindsey: So this impacted G Suite accounts, which as you may know is Google’s brand of cloud computing collaboration tools and software. And I think I said that there were 5 million users on G Suite. So Google said that enterprise users, not consumers, were impacted, but essentially the company made an error implementing a G Suite console that is used by domain administrators. And that resulted in an unknown number of passwords being stored in plain text. And then they also mentioned that in a separate issue, they discovered that starting in January of this year, they had inadvertently stored a subset of unhashed passwords for I think it was two weeks in its encrypted infrastructure. I mean, it’s kind of mind blowing, but also not that surprising, because, over the past year, Facebook and Twitter have also done the same exact thing. So, at the same time, it is such a big privacy issue that we keep coming across.
Tom: I take my relationship with Google so much more seriously than I do with my social media accounts. It did sort of give me a little bit of a jolt when I heard the news. Just because, there are some accounts for me – I should take all of my accounts very seriously – but there’s so much more to protect behind my Google accounts and services.
Tara: It sort of brings up this idea, I think the thing that alarms people maybe isn’t so much the username because people can kind of guess it if they know they know your name, but passwords though, you know, it’s just yet one more example of why this sort of post-password beyond the password conversation continues to be a drumbeat. And I know Tom you’re going to be focusing on that next week a little bit with your webinar, right?
Tom: Yeah, yeah. On Wednesday, where you’ve got a panel of experts from Forrester Research, Okta, and CyberArk, and we’re going to talk a lot about the sort of post-password world that we live in and Identity and Access Management. I don’t know if it necessarily would impact too much the Google story we’re talking about, but it does speak to the authentication and the password issues that are behind, according to the Verizon data breach report, close to 80 percent of breaches in the past year, where insecure usernames and passwords – and the hijacking of identities – have been behind 80 percent of breaches, which is a lot of breaches.
Tom: A lot of money.
Lindsey: Yeah, that’s crazy. For the Google story, you know, one of the impacts of this is that if someone steals these credentials, they can go sell them on the Dark Web. And I think I was talking to someone as a reaction to the story. And that was their biggest concern was that, you know, there’s a huge quantity of user credentials available for purchase for pennies on the dark web. So I think that it’s such a swath of information and you know, I’m excited Tom to hear you guys talk a little bit more about new solutions for this.
Tom: Well register, hit Threatpost and you can’t avoid the banners and please do register.
Lindsey: Speaking of privacy issues, we had two other data exposure issues this week impacted two very different sets of people. And Tara, we had your story about the millions of golfer records leaking from a golfing app due to a cloud misconfiguration. And then we also had a separate AWS database that exposed thousands of so-called Instagram influencer data points. So two very different victims in that case. But Tara, can you talk a little bit more about the golfing issue?
Tara: Yeah, I was actually really taken aback by this because the takeaways on this one are dual-fold. So first of all, yeah, it was a database that was left exposed due to cloud misconfiguration, as we’re seeing more and more and more of those incidents. And so in this case, it was an application called Game Golf, which is an app that you can get on your phone that is basically like a caddy in your pocket if you’re a golfer, so it will measure the length of your shots, it will calculate what club you need to use according to the wind speed and things like that. It also tracks your geolocation, because it goes with you as you are going through the courses to kind of do some analysis on the back end as to why you did a par five instead of a par four, stuff like that. So, a really useful app, but because of all that functionality, it collects a lot of data, including, like I said, the location data. And then also, you have to have an account, so there are usernames and passwords, and then they have the “Login with Facebook” functions. So it had Facebook login tokens in that database, and you know, all of this was not password protected and visible in any browser, and once you took all of those data points together, there were just literally millions and millions of them. Which, you know, any bad guy could take a lot of that information and create a pretty good profile and mount some social engineering attacks, phishing, that type of thing. So, the story is more than just “oh my data was exposed.” It’s what people can do with it, because it was kind of a rich data set. There’s that aspect of it. But then the other aspect is – is the app actually collecting just the information that it needs to function? Or is it over collecting data? This is something that one of the security researchers kind of brought up as a question. And it makes sense for us to kind of pay attention to what all our mobile apps are actually collecting, and we don’t do that often enough, probably.
Lindsey: So what would be an example of data that it was over collecting? Because I know you’d mentioned too that one of the data points was the courses where they had been golfing. So was location part of that?
Tara: Yeah, I think you probably need the location data to do what they’re trying to do in terms of analyzing your performance on a given course. But do you really need the Facebook data, for example? Do you need a person’s weight, or their age, or some of the bio stuff that they were collecting? I mean, you could argue that this is a physical fitness app, but come on, it’s golf. It’s not really, right?
Lindsey: I was loving by the way all the puns in your article.
Tara: Yeah I was going for the hole in one on that you know?
Lindsey: Well, I mean, on the heels of that, too, we also had that Instagram influencer data leak, which came from the AWS database. So that was kind of similar but then obviously a bit different. And in that one, a researcher found a massive database earlier this week that had information for millions of these Instagram influencers, who were anyone from food bloggers to celebrities. That database, which was hosted by AWS, was left exposed and without a password, which meant anyone could look inside of it. And I believe they said it had 49 million records. And that was increasing the more that they discovered, but they found that that was owned by a social media marketing firm called Chtrbox, spelled ch-tr-box, and then Chtrbox also said that 350,000 influencers were affected. So that just goes to show, just another one of these data leakage, data exposure incidents that are becoming so common and that we’re seeing almost every week at this point.
Tom: Well, with GDPR, hopefully next year we’ll see maybe the tightening of the privacy belt and people will start to lock down their stuff a little bit more diligently. But that does speak to the fact that the US really doesn’t have a lot of the privacy rules. And you know, the call for a US version of GDPR will be interesting to see if we see any more movement on that with this continued sort of breach fatigue that we were getting, you know?
Lindsey: Well separate from GDPR I know that a couple of browsers and other companies are taking privacy matters into their own hands. And I know Tom, you wrote about Firefox 67.
Tom: This is the good news story of the week. I mean, it’s sort of bittersweet because there were some serious patches and some critical flaws that were patched with the release of Mozilla’s Firefox 67, but if you’ve upgraded you don’t need to worry about those critical flaws. But one of the things that Mozilla rolled out was a much more beefed up browser. And I’m not going to get into speeds and feeds of what made Mozilla 67 a lot better than 66. I will say that they are advertising much faster speeds. But the one thing that caught our attention, obviously, are some of the privacy enhancements that are being delivered with Mozilla Firefox 67. And that is a new blocking of cryptomining scripts and, also, of the browser digital fingerprints. And as we all know, there are a lot of cryptomining scripts. I mean, Lindsey wrote about cryptomining scripts on Thursday, or cryptomining in terms of the rise in the price of bitcoin and how that impacts the amount of cryptomining we’re seeing out there on the wild web. But so Mozilla is now blocking cryptomining scripts, which should be a relief to anybody who’s worried about malvertising or rogue websites that are trying to utilize, through the browser, this cryptomining that takes place too often. And the other thing that Mozilla Firefox is doing is it’s blocking the browser digital fingerprints, which, if you’re not familiar with, these are where websites can track you not by your name, not by your username, not by your IP address, but by the unique configuration of your browser and your system, to where they can bring in, you know, dozens of different miscellaneous pieces of information, from the resolution of your screen, to cookies, to plugins, to the way you have your browser configured. And they can track you all over the web.
And so Firefox is no longer doing that if you upgrade, and the other boon for people who are keeping score is that when you go into Mozilla private browsing mode, you can – and oftentimes that has meant that you need to, if you go to like a password protected website, because it’s incognito, or I should say private browsing, you need to put in your username and password – now with Mozilla private browsing, they will recognize your username and passwords when you hit websites when you’re in private mode. And then lastly, I feel like I’m trying to sell a Mozilla browser here. Lastly, what they’ve done is they allow you to disable and enable web extensions much more easily than they have in the past. So if you’re concerned about that web extension, and whether or not it’s tracking you or slowing you down or collecting information that you don’t want it to about your browsing habits, you can click and it’s done, and you don’t have to actually uninstall it. So, you know, I mean, I guess, that kind of speaks to the private market and what can be done beyond regulations, which is encouraging, where you have better privacy tools and defenses that are being offered by good companies.
Tara: Yeah. And that’s interesting, too, because it kind of brings up that there are a bunch of different dimensions of privacy and privacy controls that can be implemented. And I know Lindsey you wrote about the HCL data exposure, which doesn’t sound as though what Tom was just talking about would have done anything to prevent that, that was just company error. And it also has nothing to do with cloud storage repositories either – different kinds of data exposure, but really impactful.
Lindsey: Yeah, for sure, that HCL Technologies data exposure was definitely – to go back to being a downer – that had a big impact. And essentially, what happened is that researchers found HCL domain pages that were exposing sensitive data, including data of its own employees as well as data – because it’s an IT services provider – of its customers. So I believe they found passwords for new hire employees, as well as new employee names, email addresses, phone numbers, and then in terms of customers, because it wasn’t just personnel data, they found thousands of records from project reports and supply chain types of reports, just things customers don’t want to get out. So yeah, it does speak to an issue that there are certain things when it comes to privacy that you can control, such as these new steps taken by Firefox 67. But then there are also things that are completely out of your control, especially when third parties are involved.
Tom: Well, I mean, I think that the two can be connected in a sense. There’s nothing you can do about an employer, or somebody who’s collecting information on you, who leaves that database open for the public. But you know, there are a lot of advertisers who use these digital fingerprints, for instance, to build little dossiers on who this person is, and they can actually do cross referencing and, I’m guessing, with enough commitment can figure out who’s behind these digital fingerprints. But if they can’t collect them in the first place, then that’s a win for consumers. I mean, it’s kind of like the ad blocking technology. If the ads get so obnoxious and everybody has ad blockers, then, you know, then who loses?
Lindsey: I mean, I feel like Mozilla too has done – I don’t know if other creators of browsers have done this as well – but they seem like they’ve done a bunch to try to implement these privacy measures. I know back in August I think they were trying to block tracking cookies in Firefox and so I don’t know if like Chrome and Internet Explorer are doing the same thing but it does seem like that’s you know, something that they’re starting to look at a bit more.
Tom: Yeah, yeah. What was the mobile browser that just – there’s a Tor mobile browser now. There you go, there’s another little consumer win for privacy, the first Android based Tor mobile browser was just released this week. We should have a good news section every week.
Lindsey: Especially on Friday. I’m not sure that people want to hear all bad news.
Tara: If it bleeds it leads, Lindsey.
Lindsey: Yeah. Well, let’s wrap this up on a good note. But we’ve got tons of other interesting things coming up next week. Tara, I think you’re going to a conference, right? Are you going to the Mobile 360?
Tara: Yep. The GSMA is putting that on. It’s over in The Hague, in Holland and it should be really good. It’s focused on security for 5G and consumer stuff, but also IoT and smart factories, smart cities, those types of applications. So lots of really good sort of top tier speakers and it’s strictly a conference, not an expo so it’s really geared towards that education. So I’m really excited. I’m going to be writing some stuff from there and hopefully some podcasts and, you know, should be good.
Lindsey: Yeah, looking forward to seeing what comes out of that. But all right, without further ado, let’s wrap up. Have a great weekend, everyone. Hopefully no big data breaches drop at 4:55 p.m. on a Friday before Memorial Day weekend.
Tara: You just jinxed it Lindsey.
Tom: Well, the disclosure will happen, not the breaches.
Lindsey: Exactly. All right. Well, have a great weekend, everyone.
Lindsey: Catch us next week on the Threatpost news wrap.