Loose Leaf Security Weekly, Issue 2

Hello again! We've been watching Brexit proceedings with a mixture of interest and confusion, but we're sure about one thing - there's never a good time to prorogue your personal security.

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

SIM-Jack-ing: Last week, a group calling itself the "Chuckling Squad" got access to the Twitter account of Jack Dorsey, Twitter's own CEO. Sharp-eyed Twitter users quickly found that the tweets they posted were labeled as "via Cloudhopper," which is an app Twitter acquired years ago to facilitate their SMS service. (This 2010 CNET article about the acquisition points out that while Twitter originally had their own functionality to send and receive tweets via text message, they had scaled it back because of costs and relied on Cloudhopper to get it going again.) Apparently, the Chuckling Squad got access to Jack's phone number via "SIM-jacking," a social engineering attack where the attacker impersonates the victim to obtain a "replacement" SIM card from their cell phone provider's customer support. Once the attacker has a replacement SIM card for your phone number, all phone calls and text messages intended for you get routed to them instead. We've discussed SIM-jacking attacks before on the podcast, most notably in the news section of our episode "Comparing Android and iOS security."

Usually, SIM-jacking is a concern for SMS-based two-factor authentication, and in fact, it's one of the major reasons we say SMS is the least secure two-factor auth mechanism. However, this attack was unusual in that having access to Jack's cell phone number gave the attackers access to post to his account directly - not merely one of two factors to get to his account. Moreover, users have found that you can't have two-factor auth enabled on Twitter without an associated phone number - even if you're using other auth mechanisms besides SMS, removing your phone number will disable 2FA.

The Chuckling Squad had previously gotten into the accounts of various celebrities and online personalities, many of whom blamed AT&T for letting unauthorized people get to their accounts. Also, a few days after Jack got his attack back, Chuckling Squad similarly got access to the Twitter account of actress Chloë Grace Moretz. Later that same afternoon, Twitter announced they were temporarily disabling the ability to send tweets via text message while carriers shored up their security. They also called out their "reliance on having a linked phone number for two-factor authentication (we're working on improving this)." Hopefully, they'll remove that dependency soon.

More on the iPhone attack from last week's newsletter: Apple confirmed that the attack we discussed last week targeted the Uyghur minority in China, although they did not point a finger at the Chinese government by name, and they also took strong issue with Google Project Zero's characterization of the attack, saying that the attack was "narrowly focused" on "fewer than a dozen websites." Several commentators aren't pleased with Apple's phrasing, saying that a website that automatically attacks any visitor is hardly "narrowly focused," and in any case, Apple's responsibility is the security of their own products, not who attackers chose to attack. In a Motherboard article about Apple's response, a former Apple security employee points out that who pointed out that the attackers could have just as easily bought ads on a popular website. Former Facebook chief security officer Alex Stamos criticized Apple for downplaying the attack because it targeted a minority and - from experience - complained about PR spin undermining the efforts of security engineers trying to do good work.

Zerodium, a reseller of "zero-day" vulnerabilities to corporations and governments, has now increased payouts for fully weaponized exploits against Android and reduced payouts for similar exploits against iOS. In an interview with BleepingComputer, Zerodium's CEO said the market is "flooded by iOS exploits", while "Android security is improving with each new release". And Motherboard has, with justification, written an article entitled "This Has Been the Worst Year for iPhone Security Yet." So should you throw away your iPhone? Not necessarily - zero-day attacks against Android still happen, too, and you're still better off with an iPhone than with one of the cheaper Android devices that doesn't get updates promptly. Even so, Google has been making great strides in security, and Apple has a lot of work to do to regain their lost reputation.

The many possibilities of an iMessage vulnerability: One practical thing to consider, if you're using an iPhone, is whether it's worth having iMessage enabled. In the interview above, Zerodium called iMessage one of the "weakest parts" of iOS security, and Google's Project Zero recently posted a detailed and deeply technical look into CVE-2019-8646, a major iMessage security flaw they found earlier this year. One of the broader takeaways, which isn't stated explicitly, is that a lot of the iMessage handling code is part of the base OS - which doesn't run inside a sandbox, so no additional steps are required to get your phone to load URLs, copy files off your phone, etc. While this particular bug was fixed, it seems likely there are more to be found.

If you're using iMessage to talk to friends and family who will always use text messages, the net benefit of having end-to-end encryption via iMessage is probably worthwhile, but if they can be convinced to switch to a standalone secure messaging app like Signal or WhatsApp, the impact of vulnerabilities will be significantly reduced, because those apps run inside a fairly restrictive sandbox. If you don't actively use iMessage, it's probably worth turning it off from the Settings menu to reduce your attack surface.

Don't pay the cyber-Danegeld: This June, some of the computers belonging to the city government of New Bedford, Massachusetts were infected with the Ryuk ransomware. The attacker held their encrypted files ransom for $5.3 million, to which the city made a counteroffer of $400K. Meanwhile, their IT staff was cleaning up systems, improving their security, and restoring the affected machines from backup, to the point where the city paid nothing. Security vendor SecAlerts has a writeup of the announcement made by New Bedford's mayor at a press conference last week. The moral: make sure you have working backups so you can tell hostage-takers to get lost.

Credit card data privacy: The Washington Post did a deep dive into which companies get access to data about your credit card purchases, in part to see how meaningful the new Apple Card's privacy benefits were. If you'd like to opt out of data sharing from your credit card, most credit card companies let you make the change online, though a few will require you to call. Search their help pages for something like "privacy preferences" or "data sharing opt out."

First comes "Like," then comes marriage: Facebook Dating has launched in the US, and WIRED has a good overview of how it works. One thing that's notable to us is that you create a separate Facebook Dating profile that's connected on the back-end to your regular Facebook and Instagram profiles. In addition to hooking you up with friends-of-friends, there are some interesting potential privacy advantages to this approach - for instance, if you wish to have a very different dating persona from the persona you present to family and friends, Facebook offers a feature where they can prevent your extended network from seeing your profile. Since so many people use Facebook, they likely do have the social graph data to make this reasonably effective.

On the other hand, Facebook already has a bad track record with collecting data for one purpose and then using it for another - notably with collecting phone numbers for two-factor authentication and then using them for advertising targeting or for marketing. We're concerned that this well-intentioned feature might imply a false sense of security: if your advertising profile is linked between your Facebook Dating profile and your regular Facebook and Instagram profiles, you might start seeing ads on regular Facebook based on the stated interests and activity on your Dating profile. As a potential worst-case scenario, we're reminded of the 2012 case where Target apparently had enough data from purchasing analytics to determine that a teen girl was pregnant and mail her parents ads for childcare products. Anyway, Facebook Dating is pretty new, and we're sure we'll hear more about whether it works out for or against privacy, in time.

On the lighter side...

Twitter account "Best of Nextdoor" chronicles "quality neighborhood drama" from the popular neighbor-chat app. Recently, they posted a concern from a homeowner worried about their neighbor's "spy flowers". Let's just say that, as hidden cameras go, this seems like one of the less realistic routes....

That wraps it up for this week - thanks so much for subscribing to our new newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey