Loose Leaf Security Weekly, Issue 23

Happy Sunday! Today we've got tips on how to stay safe on public wifi and how to keep your Twitter account safe from your former employer. We hope you're enjoying your newsletter - if you are, tell your friends to sign up too, because good digital security and privacy is for everyone!

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

While the web as a whole is steadily moving towards HTTPS, the encrypted and authenticated version of HTTP that makes sure that data sent from or to websites can't be intercepted or tampered with, there are still a few good reasons to use the HTTPS Everywhere extension from the Electronic Frontier Foundation, available for Chrome, Firefox, and Opera. HTTPS Everywhere was built back when many websites supported HTTPS but didn't use it by default, and while that's much less common nowadays, upgrading you to HTTPS when available is still somewhat useful. The extension has another useful option, though: the "Encrypt All Sites Eligible (EASE)" mode, or as we like to call it, "HTTP nowhere." With EASE mode enabled, the extension will prevent you from visiting unencrypted HTTP sites. If the site …


Loose Leaf Security Weekly, Issue 22

Happy (belated) Valentine's Day! Roses are red, violets are blue, I'm glad we use end-to-end encryption, so no one sees my love note but you.


Tip of the week

Automatic, regular backups are great for getting back to work quickly when something happens to your computer, phone, or tablet, but it's also important to back up important files separately. If an important file is only in your regular, automatic backups, you could find yourself without information you need if you accidentally delete it and don't notice until after the oldest automatic backup containing it gets replaced. Separate backups also protect you from malware deleting an important file, like in one of the stories we're covering later in this newsletter.

You don't necessarily need a separate cloud storage account or separate hard drives for manual backups of important data, though it doesn't hurt to keep them as separated as is practical for your workflow. Even if you aren't using different accounts or hard drives for these manual backups, you do want to make sure you're storing the backups of these files in places you won't accidentally overwrite …


Loose Leaf Security Weekly, Issue 21

Happy Monday! One of our stories this week discusses the use of "cell-site simulators" or "IMSI-catchers," small devices that can trick cell phones into connecting to them instead of to actual cell towers. They're an increasingly popular law-enforcement tool, but they're also entirely too easy for casual attackers to build. In addition to detecting your location, cell-site simulators can intercept and spoof SMS messages.


Tip of the week

It's a good idea to use "end-to-end encrypted" messaging platforms whenever you can. Most chat systems besides SMS encrypt messages on the way to their servers, but end-to-end encrypted systems also make sure that even their servers can't see your conversations; only the ends can. This makes sure your messages can't be seen by anyone else, whether they've got a cell-site simulator or some sort of access to your chat system's servers. Options include Apple's iMessage (which unfortunately only works on Apple phones), Open Whisper Systems' Signal, and Facebook's WhatsApp, which uses the same cryptography as Signal. Even the US military suggested their users use Signal or Wickr, another end-to-end encrypted messenger, in place of SMS …


Loose Leaf Security Weekly, Issue 20

"Skimmed" may be what you're looking for when selecting milk for your tea, but it probably isn't something you want to hear happened to your credit card. We talk about skimming attacks in our episode "Credit and debit card security," but since a similar attack has been making the rounds lately, we figured today's newsletter would be a good time to highlight one of our favorite tips for minimizing the damage if your card number gets stolen.


Tip of the week

Most credit and debit cards have a way to notify you for each transaction. If your card has a mobile app, it almost certainly has this feature, and if not, you can usually sign up for email or text message notifications on your card's website. (If you opt into text message notifications, don't trust phone numbers or links in those messages - SMS messages are easily spoofed. If you can, look up your bank's phone number yourself and call them instead of replying, too.) The faster you know about your card being misused, the more likely you can get the charge reversed and stop further misuse …


Loose Leaf Security Weekly, Issue 19

The weather's getting just a bit warmer where we are, which means we usually don't need to wear gloves anymore. "Touchscreen gloves" with capacitive fingertips are handy, but not totally accurate, and it's annoying when you mistype your passcode enough times for your phone to say, "Try again in one minute." This feature is intended to frustrate automated cell-phone-cracking devices like Cellebrite's UFED, a favorite tool of the NYPD and perhaps the Hong Kong police, but it's occasionally frustrating to the actual phone user, too. (This happened to Geoffrey recently on a subway platform - by the time the minute passed, the train came and it was warm enough that he could take his gloves off.)


Tip of the week

A long passcode is your best bet for keeping the contents of your phone private. Fingerprint-based and face-based unlocking mechanisms are regularly compelled by law enforcement agencies, but biometric unlocking methods aren't just vulnerable to law enforcement. A physical attacker can place your finger on your phone or hold it in front of your face relatively easily, and they probably don't even have to be forceful: there …
