Loose Leaf Security Weekly, Issue 1

Welcome to Loose Leaf Security's newsletter! Every week, we'll include short takes on interesting security news and summaries of any new Loose Leaf Security content. We're really glad you're here.

In a few of the stories below, we're linking to past episodes on certain topics - if you're here because your favorite type of podcast is the kind you can read, don't worry, our episodes always have both full transcripts and show notes on the web page.

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

New from Loose Leaf Security

New episode, "Covering your webcams": Liz and Geoffrey take a look at how attackers compromise webcams and discuss why it's worth physically covering them. Malware and alleged threats of malware are only some of the avenues attackers take to access other people's webcams; vulnerabilities in legitimate software, like the recent Zoom security flaw, can also be exploited. Additionally, sharing ownership of your devices with another party like your school district or workplace may leave you and your webcams exposed. In the news, the FTC fines Facebook, weaknesses in Apple's iMessage and Visual Voicemail, and U2F support added to Firefox for Android. (August 22, 2019)

New article, Instagram 'Unusual Login Attempt' verification loop failures: A couple of weeks ago, Liz was temporarily locked out of Instagram because its "Unusual Login Attempt" verification loop was failing. We report on the incident and cover security-related takeaways for social media users. (August 9, 2019)

In the news

Android 10 security improvements: The next version of Android, named simply "Android 10", is out today. It was codenamed Android Q during development, but Google has dropped the cute dessert/sweet names like "Nougat," "Oreo," and "Pie." (They probably had trouble coming up with a good "Q" name... we think they probably just never had a really good quince jam with their scones.) Android 10 comes with a handful of neat security improvements, including:

  • Scoped storage, so that apps can keep their files isolated. Handy for keeping photos you take for dating apps away from text messages with your parents.
  • A new permission for cameras that allows you to restrict which apps get your camera metadata. We talk about how much camera metadata leaks by default in our episode "Digital photos and privacy," and this new feature will make keeping that information private even easier.
  • Foreground-only location permission so that you don't have to let apps have access to your location all the time to use your location in the app. iOS already had a setting for using location only while using the app, and it's great that Android users will get this soon, too.

As always, when you get Android updates depends on your carrier and manufacturer, and Google's phones will probably get them first. Conveniently, there's finally a more affordable phone from Google, the Pixel 3a, so you no longer have to shell out substantially more money to get one of Google's phones compared to other brands' Android phones. However, getting a new phone - no matter how relatively affordable - is still a big investment. Fortunately, Project Treble, which allows the Android core operating system to stay separate from manufacturer customization, is actually helping updates to happen faster as everyone hoped it would, so we're optimistic that more Android users will get the update soon after it's released. OnePlus customer support says they're expecting to release the update on launch day, which would be a first for a third-party manufacturer.

Other notable security improvements in Android 10 include the new "Adiantum" disk encryption mode for devices without special CPU support for encryption (which we previously covered in the news section of our episode "Checks, mobile banking, cash transfer apps, and a bit more on credit cards.") WIRED has good coverage of this and other architectural changes in Android 10 that will help your security.

iPhone rolls back a security patch: iOS 12.4 came with a handful of security fixes, and one un-fix. In the June update, Apple accidentally reintroduced a security bug that they had previously fixed in iOS 12.3 - which incidentally led to the first working public jailbreak for an up-to-date iPhone in many years. Remember that if you can jailbreak your phone by visiting a website, a malicious attacker who gets you to visit their website can jailbreak you too, and make themselves the admin of your device! After almost two weeks of the vulnerability being open again, Apple re-fixed it in iOS 12.4.1 this past Thursday - head to General > Software Updates in the Settings app to make sure you've taken this update.

A long-running attack on iPhones: Google's security research division Project Zero published a very technically detailed look at a campaign of iOS attacks in the wild. Google found that certain websites were attempting to hack any iOS user who visited them and install malicious monitoring software, with a collection of five different "exploit chains," each relying on a separate series of security bugs to make its way out of the web browser. Together, the exploit chains were able to exploit iOS 10 through iOS 12. These were "zero-day" vulnerabilities - the bugs were not known to Apple in advance of them being exploited, so even fully-patched iPhones weren't protected. In some cases, the vulnerabilities were later discovered by independent researchers and fixed, but the last of them were fixed in iOS 12.1.4 this February, which was prompted by Project Zero analyzing the exploits and giving Apple a one-week deadline to fix them.

Project Zero didn't identify the malicious websites or who was targeted, beyond saying that the websites received "thousands of visitors per week" and that being targeted "might mean simply being born in a certain geographic region or being part of a certain ethnic group." TechCrunch reported over the weekend that, according to "sources," it was a state-sponsored attack against the Uyghur minority in China, which has long been a target of invasive surveillance by the Chinese government. A Project Zero researcher says they only found exploits against iOS on these websites, but security firm Volexity found a similar campaign against Android users, also targeting Uyghurs, with some apparent overlap with the sites Project Zero found - some of the attack infrastructure they found went offline just after the Project Zero blog post. These attacks involved compromising websites whose audience is the Uyghur diaspora (outside the Great Firewall), including websites supporting the "East Turkistan" independence movement.

Apple sues an iPhone research environment: In our latest episode's news section, we mentioned how Apple announced a new program to give trusted researchers iPhones with some security measures disabled (hopefully to make it easier for them to find exploits like the one Project Zero found before they're used against actual targets) and how the previous state of the art was internal "dev-fused" iPhones that made their way from Apple engineering to the grey market. Another popular research tool is Corellium, which provides virtual iPhones in the cloud for use by researchers. Last month Apple sued Corellium for copyright infringement, claiming that Corellium encourages its users to sell vulnerabilities on the black market instead of reporting them to Apple. While we are sympathetic to Apple's concerns here, we think that keeping iOS closed is ultimately a losing game. Attackers already are finding and exploiting severe, longstanding vulnerabilities in iOS despite its closed nature, like the attack above, and Apple needs to ensure that white hats can find and report these vulnerabilities before well-funded, state-sponsored black hats do.

Security key with a Lightning connector: The YubiKey, the original security key supporting the FIDO and now WebAuthn standards, now comes in a version with a Lightning connector for iPhones and iPads (and a USB-C connector on the other end). For now, support only works in certain iOS apps, including four popular password managers as well as the Brave web browser for WebAuthn support. Other web browsers like Safari don't currently support WebAuthn, although support is apparently in progress - we're hopeful it will show up in the next iOS release.

What not to do when your app gets removed for malware: Popular document-scanning app "CamScanner" was removed from Android devices and the Google Play Store for containing advertising-related malware. CamScanner decided it would be a good idea to tell users that they verified their own app for security so you should simply download it from their own website. Needless to say, don't do this. As we've mentioned before, enabling Android to "sideload" apps from outside the Play Store is a risk - one which might make sense in some limited circumstances, but getting an app that Google specifically removed for malware is not one of them. There are plenty of other Android document scanners, including one built into the Google Drive app, which most Android users probably have already.

NYC considering a ban on selling cell phone location data: We talked about how readily available your location is through data brokers in our episode "Securing your phone," and as New Yorkers, we're really hopeful an NYC bill to ban the sale of cell phone location data will pass! Fingers crossed that other legislators introduce similar bans, too.

Malicious Lightning cables: Security researcher MG brought prototypes of malicious Lightning cables to DEF CON last month - and they look just like the Lightning cables you'd get at an Apple Store. As we discuss in our episode "Built-in dangers: physical ports, OS defaults, and remote access," you shouldn't plug your devices into cables or power adapters from people you don't trust; it's a lot safer to carry your own cable that you bought in a sealed package at a reputable store.

Emergency SOS works: One bright spot in Hong Kong's surveillance dystopia is that Apple's Emergency SOS did successfully disable biometric unlocking mechanisms! Our episode "Securing your phone" discusses Emergency SOS as well as how to choose secure methods to lock your phone. By the way, if you're traveling and need to access something like a boarding pass or a museum ticket on your phone, you might want to configure your phone to let you access that without having to unlock it so you can get to immediately relevant information to show any security guards without giving them access to your unlocked phone.

Free one-day delivery on police surveillance: Amazon has been working with police departments to create a surveillance network through subsidies for their Ring doorbells. Ring has finally responded and disclosed that they already have partnerships with over 400 police departments. It's not clear that people realize that they're adding to this police network when they're buying these doorbells with cameras for their homes. We're glad we're not Ring's social media manager.

Defeating HTTPS by asking nicely: ISPs in Kazakhstan recently told all their users to install an HTTPS certificate authority issued by the government. As we discuss in our episode "Keeping your web browsing private," web browsers ship with a set of generally-trusted HTTPS certificate authorities (CAs), which have the ability to attest that an HTTPS website is actually who they claim to be. You can install your own, which is helpful for people using HTTPS internally on a corporate network or similar. However, a CA can attest to any website, and if it wants, it can attest that a "man-in-the-middle" inspecting, modifying, or blocking your traffic is the website you're looking for. Kazakhstan's government was doing exactly this, bypassing the browsers' review process (which would certainly have rejected it) by asking users to install their CA directly. As the EFF reports, Chrome, Firefox, and Safari have all specifically blocked the ability to install and trust the Kazakhstan certificate. The government had stopped the interception program a bit earlier, so the practical effect of the block is to prevent them from turning it back on.
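
To make the trust decision concrete, here is a toy model of how a browser decides whether to accept an HTTPS certificate. This is an added illustration, not code from Loose Leaf Security or from any browser: an HMAC under a CA's secret key stands in for a real CA signature, the CA names, keys and hostname are all constructed, and the "fingerprint" is a simplified stand-in for the certificate hash browsers put on their block lists. It shows why a user-installed root can vouch for any site and what a browser-side block of that one root changes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model of a browser's certificate trust decision (added illustration).
# An HMAC under the issuing CA's secret stands in for a real signature; every
# CA name, key and hostname below is constructed.


@dataclass(frozen=True)
class Cert:
    subject: str      # hostname the certificate vouches for
    issuer: str       # name of the CA that signed it
    signature: bytes  # toy signature: HMAC-SHA256 under the issuer's key


def _to_be_signed(subject: str, issuer: str) -> bytes:
    return f"{subject}|{issuer}".encode()


def issue(ca_name: str, ca_key: bytes, subject: str) -> Cert:
    """Any CA can issue a certificate for any hostname; nothing in the format stops it."""
    sig = hmac.new(ca_key, _to_be_signed(subject, ca_name), hashlib.sha256).digest()
    return Cert(subject, ca_name, sig)


def root_fingerprint(ca_name: str, ca_key: bytes) -> str:
    """Stand-in for the certificate hash a browser uses to block one specific root."""
    return hashlib.sha256(ca_name.encode() + ca_key).hexdigest()


def validate(cert: Cert, hostname: str, trust_store: dict, distrusted=frozenset()):
    """Return (ok, reason). The name must match, the issuer must be a trusted root
    that is not on the distrust list, and the signature must verify."""
    if cert.subject != hostname:
        return False, "name mismatch"
    root_key = trust_store.get(cert.issuer)
    if root_key is None:
        return False, f"issuer {cert.issuer!r} is not in the trust store"
    if root_fingerprint(cert.issuer, root_key) in distrusted:
        return False, f"issuer {cert.issuer!r} is explicitly distrusted"
    expected = hmac.new(root_key, _to_be_signed(cert.subject, cert.issuer), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        return False, "bad signature"
    return True, "ok"


def scenario() -> dict:
    """Walk through the four states of the Kazakhstan story with constructed keys."""
    shipped_key = b"\x01" * 32   # a root the browser ships with (constructed)
    gov_key = b"\x02" * 32       # a root users were told to install by hand (constructed)
    shipped_store = {"Shipped Root CA": shipped_key}
    user_store = {**shipped_store, "Government Root CA": gov_key}

    real_cert = issue("Shipped Root CA", shipped_key, "example.com")
    # The interceptor's certificate for the same hostname, signed by the installed root.
    mitm_cert = issue("Government Root CA", gov_key, "example.com")

    # The browser-side block of that one root, the step Chrome, Firefox and Safari took.
    blocklist = frozenset({root_fingerprint("Government Root CA", gov_key)})

    return {
        "real_cert_default_store": validate(real_cert, "example.com", shipped_store)[0],
        "mitm_cert_default_store": validate(mitm_cert, "example.com", shipped_store)[0],
        "mitm_cert_after_user_installs_root": validate(mitm_cert, "example.com", user_store)[0],
        "mitm_cert_with_browser_blocklist": validate(mitm_cert, "example.com", user_store, blocklist)[0],
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The interesting line is the third result: once the extra root is in the store, the interceptor's certificate for example.com is indistinguishable from a real one to the validation logic, which is exactly why the browsers had to block that root by hand rather than rely on their normal checks.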

Adobe's ad platform implicated in malvertising: Google removed Adobe's advertising platform from Google Ads, which serves as a reminder that even ads from what seem like legitimate sources could distribute malware. We suggest using unwanted content blockers and disabling third-party cookies and trackers; to learn more, check out our episode "Web security continued: cookies, plugins, and extensions."

Throwback Tuesday

...to an ad we saw on the London Underground 5 years ago that suggests:

Single word passwords are weak. ... Strong passwords are made of 3 or more random words. Make them even stronger with numbers and symbols.

This ad's advice is on the right track, but you can do even better than DIY passwords. We'd recommend leaving password generation to a trustworthy digital password manager - they're an easy way to make unique, strong passwords for every site. If you're not currently using a password manager, we'd recommend starting with "Securing your online account passwords" and "Using a password manager effectively." When you're ready to pick a password manager, check out "Password managers: how they should work and when they didn't" to hear about the security records of specific password managers and their extensions.
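
As an added example (not from the ad or from Loose Leaf Security), here is how a password manager's generator differs from the ad's advice in numbers: both draw uniformly from a pool using the operating system's CSPRNG, and entropy is simply the number of picks times log2 of the pool size. The word list is a constructed miniature; the entropy figures assume a 7776-word list of the kind diceware-style generators use, which is an assumption of this example.

```python
import math
import secrets
import string

# Added example: generate passphrases and random passwords with the OS CSPRNG
# and compare their entropy. The word list is a constructed miniature; the
# comparison assumes a 7776-word list like a real diceware list.

WORDLIST = ["quince", "scone", "teapot", "ledger", "harbor", "velvet", "copper", "meadow"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform draws from `pool_size` options."""
    return picks * math.log2(pool_size)


def generate_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """The ad's scheme done properly: words picked with secrets.choice,
    never random.choice, which is not a cryptographic generator."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """What a password manager generates: uniform draws from a large alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength(words_in_list: int = 7776) -> dict:
    """Entropy of one word, three words, and a 16-character manager password."""
    return {
        "single_word": entropy_bits(words_in_list, 1),
        "three_words": entropy_bits(words_in_list, 3),
        "manager_16_chars": entropy_bits(len(PRINTABLE), 16),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDLIST, 4))
    print("manager-style password:", generate_password(16))
    for label, bits in compare_strength().items():
        print(f"{label}: {bits:.1f} bits")
```

Three words from a 7776-word list come to about 39 bits, which is why the ad's advice is a real improvement over a single word (about 13 bits); a 16-character generated password is over 100 bits, and a manager also removes the temptation to reuse the memorable one.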

Thanks so much for subscribing to our new newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey