Loose Leaf Security Weekly, Issue 22

Happy (belated) Valentine's Day! Roses are red, violets are blue, I'm glad we use end-to-end encryption, so no one sees my love note but you.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Automatic, regular backups are great for getting back to work quickly when something happens to your computer, phone, or tablet, but it's also important to back up important files separately. If an important file exists only in your regular, automatic backups, you could find yourself without information you need if you accidentally delete it and don't notice until after the oldest automatic backup containing it gets replaced. A separate backup also protects you from malware deleting an important file, as in one of the stories we're covering later in this newsletter.

You don't necessarily need a separate cloud storage account or separate hard drives for manual backups of important data, though it doesn't hurt to keep them as separated as is practical for your workflow. Even if you aren't using different accounts or hard drives for these manual backups, you do want to make sure you're storing the backups of these files in places you won't accidentally overwrite …

Loose Leaf Security Weekly, Issue 21

Happy Monday! One of our stories this week discusses the use of "cell-site simulators" or "IMSI-catchers," small devices that can trick cell phones into connecting to them instead of to actual cell towers. They're an increasingly popular law-enforcement tool, but they're also entirely too easy for casual attackers to build. In addition to detecting your location, cell-site simulators can intercept and spoof SMS messages.

Tip of the week

It's a good idea to use "end-to-end encrypted" messaging platforms whenever you can. Most chat systems other than SMS encrypt messages on the way to their servers, but end-to-end encrypted systems also ensure that even their own servers can't read your conversations; only the two ends can. This means your messages can't be read by anyone else, whether they've got a cell-site simulator or some sort of access to your chat system's servers. Options include Apple's iMessage (which unfortunately only works on Apple phones), Open Whisper Systems' Signal, and Facebook's WhatsApp, which uses the same cryptography as Signal. Even the US military has suggested that its users use Signal or Wickr, another end-to-end encrypted messenger, in place of SMS …

Loose Leaf Security Weekly, Issue 20

"Skimmed" may be what you're looking for when selecting milk for your tea, but it probably isn't something you want to hear happened to your credit card. We talk about skimming attacks in our episode "Credit and debit card security," but since a similar attack has been making the rounds lately, we figured today's newsletter would be a good time to highlight one of our favorite tips for minimizing the damage if your card number gets stolen.

Tip of the week

Most credit and debit cards have a way to notify you of each transaction. If your card has a mobile app, it almost certainly has this feature, and if not, you can usually sign up for email or text message notifications on your card's website. (If you opt into text message notifications, don't trust phone numbers or links in those messages - SMS messages are easily spoofed. If you can, look up your bank's phone number yourself and call them instead of replying.) The faster you know about your card being misused, the more likely it is that you can get the charge reversed and stop further misuse …

Loose Leaf Security Weekly, Issue 19

The weather's getting just a bit warmer where we are, which means we usually don't need to wear gloves anymore. "Touchscreen gloves" with capacitive fingertips are handy, but not totally accurate, and it's annoying when you mistype your passcode enough times for your phone to say, "Try again in one minute." This feature is intended to frustrate automated cell-phone-cracking devices like Cellebrite's UFED, a favorite tool of the NYPD and perhaps the Hong Kong police, but it's occasionally frustrating to the actual phone user, too. (This happened to Geoffrey recently on a subway platform - by the time the minute passed, the train came and it was warm enough that he could take his gloves off.)

Tip of the week

A long passcode is your best bet for keeping the contents of your phone private. Fingerprint-based and face-based unlocking mechanisms are regularly compelled by law enforcement agencies, but biometric unlocking methods aren't just vulnerable to law enforcement. A physical attacker can place your finger on your phone or hold the phone in front of your face relatively easily, and they probably don't even have to be forceful: there …

Loose Leaf Security Weekly, Issue 18

It's been a busy week in security news, with another reason to avoid SMS-based two-factor authentication and another reason to apply software updates as soon as you can - even on your cable modem. There's good news too, though: ad tracking has gotten significantly less effective, and Google has introduced a new way to secure your account. Also, waiting for software updates is the perfect excuse to make a pot of tea.

Tip of the week

One of our stories this week is new research about ways that attackers can trick your cell phone company into moving your account over to the attacker's device, an attack often called "SIM-swapping" or "SIM-jacking." Even apart from this risk, there are good reasons to prefer non-SMS-based two-factor authentication methods. The SMS protocol itself is insecure, and it's not outside the realm of possibility that an attacker could eavesdrop on a text message being sent to you. (We haven't seen any websites offer to send two-factor codes via end-to-end encrypted protocols like iMessage or Signal.) For methods other than SMS, you're usually able to set up multiple two-factor authentication mechanisms …
