Loose Leaf Security Weekly, Issue 19

The weather's getting just a bit warmer where we are, which means we usually don't need to wear gloves anymore. "Touchscreen gloves" with capacitive fingertips are handy, but not totally accurate, and it's annoying when you mistype your passcode enough times for your phone to say, "Try again in one minute." This feature is intended to frustrate automated cell-phone-cracking devices like Cellebrite's UFED, a favorite tool of the NYPD and perhaps the Hong Kong police, but it's occasionally frustrating to the actual phone user, too. (This happened to Geoffrey recently on a subway platform - by the time the minute passed, the train came and it was warm enough that he could take his gloves off.)

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

A long passcode is your best bet for keeping the contents of your phone private. Law enforcement agencies regularly compel people to unlock their phones with a fingerprint or face, but biometric unlocking methods aren't just vulnerable to law enforcement. A physical attacker can press your finger onto your phone or hold it up to your face relatively easily, and they probably don't even have to be forceful: there …

Continue reading…

Loose Leaf Security Weekly, Issue 18

It's been a busy week in security news, with another reason to avoid SMS-based two-factor authentication and another reason to apply software updates as soon as you can - even on your cable modem. There's good news too, though: ad tracking has gotten significantly less effective, and Google has introduced a new way to secure your account. Also, waiting for software updates is the perfect excuse to make a pot of tea.

Tip of the week

One of our stories this week is new research on ways that attackers can trick your cell phone company into moving your phone number over to a device they control, an attack often called "SIM-swapping" or "SIM-jacking." Even apart from this risk, there are good reasons to prefer non-SMS-based two-factor authentication methods. SMS has no end-to-end encryption, and it's not outside the realm of possibility that an attacker could intercept a text message being sent to you. (We haven't seen any websites offer to send two-factor codes via end-to-end encrypted protocols like iMessage or Signal.) For methods other than SMS, you're usually able to set up multiple two-factor authentication mechanisms …

Loose Leaf Security Weekly, Issue 17

Happy 2020! Neither of us is particularly the type to make New Year's resolutions, which makes sense since security is a year-round, all the time concern. Let's get to it.

Tip of the week

Right before the holidays, we talked about keeping your devices safe if you must charge them via untrusted connections. For iOS users, there's one more setting worth disabling to keep your device safe from both untrusted chargers and automated phone-unlocking and data-extraction devices like Cellebrite's UFED or Grayshift's GrayKey: in the Settings app, under "Touch ID & Passcode" or "Face ID & Passcode," make sure that "Allow Access When Locked" for "USB Accessories" is disabled. With that setting off, your iPhone or iPad refuses to make a data connection to a USB device plugged into it once the phone has been locked for more than an hour, so an attacker who picks up a locked phone can't simply plug in a cracking device and let it start talking to the phone; they need you to unlock it first. (Your phone can still charge, and audio connections over Lightning still work.)

Forbes recently found a search warrant where police were able to use a GrayKey to get data from an "iPhone 12.5" - apparently a reference to the internal model number of …

Loose Leaf Security Weekly, Issue 16

Last night was the solstice, the longest night of the year. Over the next six months, the days will get longer - unless, of course, you're in the southern hemisphere, where it was the summer solstice, the shortest night of the year. Still, day or night, there's never a bad time for security.

Tip of the week

With lots of people traveling over the winter holidays, it's a good idea to think about what information is available on your phone's lock screen versus what can only be accessed behind your passcode. In particular, if you use mobile boarding passes, it's worth putting them in Apple Wallet or the passes section of Google Pay so that you don't have to unlock your phone and expose the rest of its contents for an agent to scan your ticket.

Notifications can also expose sensitive information, and it's worth thinking about whether the convenience of email and message previews is worth having them readable by anyone who glances at your lock screen. On iOS, Settings > Notifications > Show Previews lets you choose the default setting for when apps show more than just the …

Loose Leaf Security Weekly, Issue 15

It's finally snowing (at least where we are), and soon there will be enough snow to build a snowman. Be careful with giving your snowman a corncob pipe and a button nose, though. Those distinctive features can be easily identified by facial recognition cameras, and if your snowman plans to run and have some fun past the traffic cop who hollers, "Stop," it will make him much easier to track. Your neighbors' smart doorbells might even be sending video of his face straight to the police department. It's much safer to stick with the classic carrot nose if you want Frosty to be back again someday.

Tip of the week

When you're traveling or otherwise away from your home or office all day, you may find your phone's battery drained before you get back to your normal charging locations. USB charging stations are increasingly common, especially at airports or train stations, but since USB connections were designed to carry both power and data, it's possible that a "charging-only" USB port will try to plant malware on your device or access your files - an attack known as …