Loose Leaf Security Weekly, Issue 3

Good evening from Loose Leaf Security! We're enjoying the last week of iced tea weather here, but remember, while there's always time for a tea break, there's never time for a break from your personal security!

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

The "Simjacker" attack: There's a new attack on cell phones in the news - all types of cell phones this time, unfortunately. The security research firm that found it is calling it "Simjacker", but to be clear, it has no relation to the practice of fraudulently acquiring a SIM card for someone else's account known as "SIM-jacking." The "Simjacker" attack uses SMS to send commands to a particular application running on the SIM card itself (SIM cards themselves are in fact very tiny computers), which can then send commands to the phone. Many carriers have filters or firewalls for these sorts of SMS messages, and in particular, the four major US carriers (AT&T, Sprint, T-Mobile, and Verizon) have confirmed that they are immune to the attack. Unfortunately, other carriers do not, and AdaptiveMobile Security, the research firm that found the attack …

Loose Leaf Security Weekly, Issue 2

Hello again! We've been watching Brexit proceedings with a mixture of interest and confusion, but we're sure about one thing - there's never a good time to prorogue your personal security.

-Liz & Geoffrey

In the news

SIM-Jack-ing: Last week, a group calling itself the "Chuckling Squad" got access to the Twitter account of Jack Dorsey, Twitter's own CEO. Sharp-eyed Twitter users quickly found that the tweets they posted were labeled as "via Cloudhopper," which is an app Twitter acquired years ago to facilitate their SMS service. (This 2010 CNET article about the acquisition points out that while Twitter originally had their own functionality to send and receive tweets via text message, they had scaled it back because of costs and relied on Cloudhopper to get it going again.) Apparently, the Chuckling Squad got access to Jack's phone number via "SIM-jacking," a social engineering attack where the attacker impersonates the victim to obtain a "replacement" SIM card from their cell phone provider's customer support. Once the attacker has a replacement SIM card for your phone number, all phone calls and text messages intended for …

Loose Leaf Security Weekly, Issue 1

Welcome to Loose Leaf Security's newsletter! Every week, we'll include short takes on interesting security news and summaries of any new Loose Leaf Security content. We're really glad you're here.

In a few of the stories below, we're linking to past episodes on certain topics - if you're here because your favorite type of podcast is the kind you can read, don't worry, our episodes always have both full transcripts and show notes on the web page.

-Liz & Geoffrey

New from Loose Leaf Security

New episode, "Covering your webcams": Liz and Geoffrey take a look at how attackers compromise webcams and discuss why it's worth physically covering them. Malware and alleged threats of malware are only some of the avenues attackers take to access other people's webcams; vulnerabilities in legitimate software, like the recent Zoom security flaw, can also be exploited. Additionally, sharing ownership of your devices with another party like your school district or workplace may leave you and your webcams exposed. In the news, the FTC fines Facebook, weaknesses in Apple's iMessage and Visual Voicemail, and U2F support added to …

Instagram 'Unusual Login Attempt' verification loop failures

In addition to podcast episodes, we'll also be covering some security- and privacy-related topics in blog-style articles, where we can go into more detail than we could in an episode. This is our first article, a deeper dive into a strange problem with Instagram logins that Liz ran into recently. Stay tuned for both upcoming posts and podcast episodes!

Liz's experiences with "Unusual Login Attempt" verification loop failures

Last week, I got locked out of my personal Instagram account for about an hour. Here's what happened and how I found another way back in.

On August 2, 2019, I logged into my personal Instagram account on my laptop and changed the password as a part of my routine security checkup. As I also post to another Instagram account, namely @looseleafsecure, I logged out after changing my personal account's password to update that account's password as well. After updating @looseleafsecure's password, I logged out and attempted to log back into my personal Instagram account. For whatever reason, I believe the 1Password extension autofilled my old password - my new password was longer than my old password, and I remember the dots representing hidden characters covering less of the text field than I …