Loose Leaf Security Weekly, Issue 4

As fall approaches, we at Loose Leaf Security are thinking about security questions that ask you about your favorite drink - and how many new accounts this fall could get their password reset with "pumpkin spice latte." At least as far as our accounts are concerned, our favorite drinks look a lot more like a nice cuppa AQtEgdHAgmnz97zwJ8mDfZsK or 4hrmbT9F3YrDNeAM6PUQChhm with a splash of milk, stored securely in our password manager and unique for each website.

-Liz & Geoffrey

P.S. If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

Hacking the Dalai Lama: The Citizen Lab at the University of Toronto, an interdisciplinary group with both computer science and political science expertise, has an in-depth look at targeted attacks on the Dalai Lama's office and other Tibetan organizations. The attacks took the form of chat messages from accounts pretending to be journalists or other politicians with links to malicious web pages. Most of the malicious web pages attempted to use software vulnerabilities to take control of the device, although a few of them led to malicious third-party login prompts - asking the target to grant access to their Google account to a fake app that would read and edit their Gmail inbox. The attack seems to be from the same group behind the recent iOS and Android attacks on the Uyghur minority in China, which we discussed in last week's newsletter.

Unlike those attacks, these ones weren't zero-days: they were generally exploiting vulnerabilities that had already been fixed. One web page would detect the browser version and pick one of eight exploits to cover almost every version of Chrome between 38 and 73. Citizen Lab writes, "Overall, the ruse was persuasive: in eight of the 15 intrusion attempts, the targeted persons recall clicking the exploit link. Fortunately, all of these individuals were running non-vulnerable versions of iOS or Android, and were not infected."

The lessons here apply to everyone who cares about the data on their smartphones, even if you don't work for a Tibetan human rights group: first and foremost, install software updates promptly. It's also worth being suspicious of people you don't know who send you links - although in many fields of work, you do need to open links and even files from people you don't know well. (This is probably why over half of the targets opened the link: they probably do expect that people they don't know will contact them and ask them to read documents.) Finally, be cautious with any app that asks for special permissions, even if you trust the app. Several of these exploit web pages re-opened themselves in the embedded web browser in Facebook or other apps, instead of using the normal web browser, because if the exploit worked, the malicious code would not only have immediate access to the target's Facebook account but also any camera, microphone, etc. permissions that they had given the Facebook app.

iOS 13 security: iOS 13 came out last week. In our episode "Password managers: how they should work and when they didn't," we shared our excitement for more control over how apps can track our locations. Unfortunately, the new location privacy feature isn't quite working: selecting "Never" share my location appears to actually select "Ask Next Time," which, while an annoying popup, at least seems like it isn't sharing information it shouldn't be. Apple says the fix will be included in iOS 13.1, which is out today.

iOS 13.1 also includes a fix for another lock screen bypass bug that was discovered before iOS 13 shipped but not fixed in time for the update. Jose Rodriguez (who has previously discovered similar bugs) found that after receiving a FaceTime call on a locked device, you can navigate to the contact list without unlocking the device. It seems that Apple wanted to make sure iOS 13 was available the day that the new iPhone models shipped, which is why we're seeing an update less than a week later with two important fixes. If you've already upgraded to iOS 13, make sure to check for updates again (and check again in a bit if your device hasn't seen the update yet). At the time of writing, Apple is still listing the security fixes as "details available soon" - that's probably a sign that there is some other security fix that's very much worth updating for.

Additionally, you might see more apps asking for Bluetooth permissions on your iOS devices. Apps could previously use Bluetooth to collect location information even if users had turned off Location Services for that app, and Apple closed that loophole in iOS 13. If an app asking you for Bluetooth permissions takes you by surprise, this might be why, and it's worth thinking about whether that app actually needs them.

Safari 13: Apple has also released a new version of their Safari web browser, both available as part of iOS 13 and as a separate software update within macOS. Out of the many new features are a few useful security things, including support for WebAuthn security keys, our favorite two-factor authentication method - we tried it this morning, and it works great. There's also a new cross-site tracking alert which asks questions like, "Do you want to allow 'facebook.com' to use cookies and website data while browsing 'buzzfeednews.com'? This will allow 'facebook.com' to track your activity." We saw this alert when clicking on the Facebook comment box, and we're extremely enthusiastic about how it will make people aware of how data is being shared between these sites, which isn't obvious at all. They've also added support for screen sharing directly from web pages (with a permission prompt), which should hopefully allow conferencing services to just be normal web pages instead of standalone applications. In our recent episode "Covering your webcams," we took a close look at some dangerous bugs in the videoconferencing app Zoom, one of which allowed attackers to install their own code pretending to be a Zoom update. If Zoom had been a website instead of an app, the impact of vulnerabilities in it would have been much more limited.

Safari 13 also removes support for "Legacy Safari Extensions" in favor of a newer, more restricted extension API. While this is probably good overall for security, a notable downside is it breaks some ad blockers such as uBlock Origin. A comment on the uBlock-Safari development project explains the current state: there are no plans for uBlock Origin to move to Safari's new content blocker API, but there are some other alternatives listed which are also pretty effective.

By the way, Sign in with Apple is also part of this new Safari release. We talked more about this feature in the news segment of our episode "Password managers: how they should work and when they didn't," - even though we'd prefer it to "Login with Google" and "Login with Facebook" because Apple has more incentive to keep your accounts available to you as a device manufacturer, we'll be sticking with using our password manager to generate unique passwords for every site instead of using this third-party option.

E•MO•TET: Ars Technica reports on the return of the Emotet botnet with a new spam campaign. "Botnets" consist of a large number of computers infected with some malware usually engaged in some illegal but generic activity, like sending spam or conducting DDoS attacks, while botnets usually give their controllers quite a bit of access to infected machines - because the attack isn't targeted, that access is typically not used for much and owners can continue using the machines much like normal. Emotet is starting to change that: it's spreading itself by looking at email accounts on infected machines and sending replies to existing email threads. This makes victims much more likely to open emails and click on attachments than they would be for phishing emails from unknown sources. So if you see strange-looking emails from someone you do regularly correspond with - especially if they suddenly say that you should open some attachment to see replies, when you've been exchanging regular text emails without attachments until now - maybe double-check with them before clicking on the file.

Ars cites more detailed technical reports from Cisco's Talos security research team and from researchers at anti-malware company Malwarebytes. Malwarebytes has also found emails claiming to include attachments with Edward Snowden's new book that are actually infected with Emotet.

ImageNet Roulette: NYU research professor Kate Crawford and artist Trevor Paglen launched ImageNet Roulette, a website which takes a picture of you on your webcam and classifies you using the highly influential ImageNet AI data set. The site quickly became popular and infamous on Twitter for the bizarre and often offensive categories it assigned to people - categorizing a white journalist as a "draftsman, drawer," a black journalist as "Negro, Negroid," and many women as either "smasher, stunner, knockout" or "adulteress, fornicatress." This was the creators' point - that ImageNet's training data lends it to making uncomfortable conclusions. In a companion article to ImageNet roulette, they write that the site's propensity for offensive classifications is "by design: we want to shed light on what happens when technical systems are trained using problematic training data." As facial recognition becomes more popular for everything from advertising to boarding passes, it's important that the AIs don't inherit biases from the human-built systems and datasets they are trying to replace.

ImageNet has announced that they're significantly reworking the "Person" category subtree, and in particular, they've had a research project over the last year to identify fairness and representation problems in the dataset. ImageNet Roulette, meanwhile, now has a statement that they're taking the site down this Friday after it's accomplished what they hoped for, so if you want to see what odd and perhaps inappropriate category it wants to give your face, make sure to try it this week. (And when you're done, make sure to put your camera cover back on.)

Throwback Tuesday

...to the wishful thinking present in the 2000 film Charlie's Angels, because unfortunately, we all do now have phones that the evil corporations could turn into a homing device at any moment, which we keep in our pockets and purses all the time. :(

Happy fall, y'all!

-Liz & Geoffrey