Loose Leaf Security Weekly, Issue 7

Good afternoon! Today, we're taking a look at some security news from around the world. China and India, which are ramping up facial recognition, also happen to be two of the world's major tea producers. Meanwhile, activists in Morocco were targeted by advanced phone malware. Morocco doesn't have a climate to grow the tea plant, but they import green tea and brew it with native spearmint to make a mint tea. Delicious!

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Have I Been Pwned is a volunteer-run service from security professional Troy Hunt that tracks breaches and compromises ("pwning" in hacker-speak) of websites that leak personal information. You can see known breaches that have involved your email address there. In some cases, these breaches only include email addresses, which you may be less concerned about - especially if your email address is already public like ours are. However, if you see "Compromised data: Passwords," you should definitely make sure you've changed your password for that account since the breach. (If you aren't sure, update it again just in case.)

You can also sign up for future breach alerts: whenever your email address is seen in another known breach, you'll get an email. We highly recommend signing up for this service so you can change your compromised passwords promptly.

P.S. Using a digital password manager helps make password changes easier!

In the news

One weird trick to unlock Samsung smartphones: Samsung confirmed a report that adding a cheap screen protector to a Galaxy S10 causes the fingerprint sensor to misbehave, allowing anyone's fingerprint to unlock the phone. There aren't many details yet, but it seems that the sensor is picking up on small air gaps under the screen protector. The flaw was discovered by Lisa Neilson, a British customer who noticed that her left thumb would unlock her phone even though only her right thumbprint was registered, demonstrating the old saying that the most exciting phrase in science - and in computer security - isn't "Eureka" but "That's funny." Neilson confirmed that her husband could also unlock the phone and that she could unlock her sister's phone after applying the screen protector, so it seems this is a problem even if you're not currently using a screen protector. Samsung has promised to fix this in an upcoming software update, but in the meantime, if you have a Galaxy S10, you might want to switch from fingerprint authentication to another mechanism temporarily.

Why is Apple sending your URLs to China? Cryptography professor Matthew Green noticed something odd in Safari's privacy help page - a statement that Safari now sends "information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if your website is fraudulent." Tencent is a Chinese conglomerate whose size rivals Google and Facebook - among other things they own Riot Games, maker of popular video game League of Legends, and they made the WeChat messaging app and the QQ instant messenger. Dr. Green wrote up an explanation of the safe browsing feature and whether it's trustworthy: basically, it computes and sends only a cryptographic fingerprint to the safe browsing service to check against the fingerprints of known malicious sites, which limits the ability of the service to track which actual websites you're visiting. However, he says that the limiting isn't foolproof and relies on some amount of trust in the company not to dedicate serious computing power to identifying their users - which he says might be justifiable for Google but not necessarily Tencent. The Verge also has a good explainer of the situation, including a response from Apple in which they confirm both that actual URLs aren't sent and that the Tencent Safe Browsing service is only chosen if the device's region is set to mainland China. Their article also connects this news with other recent security and privacy news about Apple devices in China - for example, Apple's recent removal of an app that was helping protestors in Hong Kong.
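To make the fingerprint argument concrete, here is a small model of the lookup, added for this issue and not code from Apple, Google, Tencent, or Dr. Green's post. It assumes a simplified design: the client hashes the hostname with SHA-256, sends only a short prefix of that hash, and compares the full hashes the service returns locally. The host lists are constructed for the example. The last function shows the limit Dr. Green describes: a service that precomputes hashes of the sites it cares about can map a fingerprint back to a candidate site.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample data: a tiny "known malicious" list held by the service
# and a tiny dictionary of hostnames the service might want to recognize.
# Real deployments hold millions of entries.
KNOWN_BAD_HOSTS = ["malicious.example", "phish.example.net"]
POPULAR_HOSTS = ["yahoo.fr", "wikipedia.org", "example.com", "malicious.example"]

PREFIX_LEN = 4  # bytes of the hash the client sends (simplified assumption)


def canonical_host(url: str) -> str:
    """Reduce a URL (or bare hostname) to its lowercase hostname, the unit we fingerprint here."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def fingerprint(host: str) -> bytes:
    """The 'information calculated from the website address': a SHA-256 digest of the host."""
    return hashlib.sha256(host.encode("utf-8")).digest()


def client_prefix(url: str) -> bytes:
    """What the client actually transmits: only the first PREFIX_LEN bytes of the digest."""
    return fingerprint(canonical_host(url))[:PREFIX_LEN]


def server_lookup(prefix: bytes, bad_hosts=KNOWN_BAD_HOSTS) -> list:
    """Service side: return every full bad-host digest that shares the submitted prefix.
    The service never sees the URL, only the prefix."""
    return [fingerprint(h) for h in bad_hosts if fingerprint(h)[:PREFIX_LEN] == prefix]


def is_flagged(url: str) -> bool:
    """Client side: send the prefix, then do the final full-hash comparison locally."""
    full = fingerprint(canonical_host(url))
    return full in server_lookup(client_prefix(url))


def guess_from_prefix(prefix: bytes, dictionary=POPULAR_HOSTS) -> list:
    """The privacy caveat: a service with a precomputed table of hashes for the sites
    it cares about can check which of them match a received prefix. With a large
    enough dictionary and enough computing power, the fingerprint stops being much
    of a secret, which is why the design still depends on trusting the operator."""
    return [h for h in dictionary if fingerprint(h)[:PREFIX_LEN] == prefix]


if __name__ == "__main__":
    for url in ("http://malicious.example/login", "https://yahoo.fr"):
        print(url, "flagged:", is_flagged(url))
    print("service's guess for the yahoo.fr prefix:", guess_from_prefix(client_prefix("yahoo.fr")))
```

Run it and the service correctly flags the malicious host without ever receiving a URL, yet it also recovers "yahoo.fr" from the prefix as soon as that hostname is in its dictionary; the protection is real but statistical, not cryptographic.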

Facial recognition in China: The People's Republic now requires that consumers signing up for mobile phone or data service get their face scanned and checked against a database, nominally in an attempt to combat fraud. China has been growing their facial recognition system recently: in our December 2018 security stories episode, we talked about their use of facial recognition to identify people at concerts with outstanding warrants.

Facial recognition in India: The government of India is soliciting bids to create a central facial recognition system under the National Crime Records Bureau. BuzzFeed News has a look at the plan and at existing facial recognition databases in India. They talked to lawyers at groups opposing the system as well as to leaders of companies running existing facial recognition services for local governments, one of whom said, "America had Palantir. China had SenseTime. India didn't have a single brand like that in this space."

No facial recognition in Berkeley: Berkeley, California has become the fourth U.S. city to ban facial recognition, joining Oakland, CA, San Francisco, CA, and Somerville, MA. Berkeley Councilmembers cited concerns that the facial recognition was not "sufficiently narrow" surveillance. As we've discussed in an earlier newsletter, facial recognition software isn't just broad-reaching but also shows significant gender and racial bias.

Pegasus in Morocco: Researchers from Amnesty International reported that an activist and a human rights lawyer in Morocco had their phones targeted with attempts to install Pegasus, an advanced spyware kit developed by Israeli company NSO Group. In one of the cases, the activist noticed that his attempts to visit "yahoo.fr" were being redirected to a malicious site, possibly because simply typing "yahoo.fr" makes an insecure non-HTTPS request. An attacker could therefore easily modify the request - as long as they had either access to the cellular network infrastructure itself or a fake cell tower intercepting network requests. The activist noticed the problem and ended up searching for "yahoo.fr" in a search engine and clicking on the first link, which brought him to the HTTPS version of the site. Ars Technica has some additional reporting on the attack, including discussions of previous uses of Pegasus.

May contain microphones, cameras, or tree nuts: A U.S. Senator introduced the Protecting Privacy in Our Homes Act, which would create regulations that require packaging to inform consumers of any cameras or microphones in products. The Ars Technica article points out that most products with cameras and microphones do disclose this information, but "most" isn't "all" - in the news segment of our episode "Using a password manager effectively," we talked about how the Google Nest Guard had a surprise always-on microphone that they only announced when a software update enabled it.

A vulnerability in iTunes for Windows: Security firm Morphisec discovered an active attack taking advantage of a bug in the Windows version of iTunes - or more specifically in the Apple Software Update component. The bug has now been fixed, but there are two things we'd like to note. First, as their blog post calls out, if you had previously installed iTunes and then uninstalled it, that wouldn't by itself remove the Apple Software Update component. So, when you're uninstalling software, make sure to check for other related components to reduce your attack surface for future vulnerabilities. (This reminds us of the vulnerability in the Zoom videoconferencing app that became more exploitable if you had previously uninstalled Zoom, because that process left behind a vulnerable component to reinstall it.) Second, iTunes for Windows itself had clearly not been a priority product for Apple for quite some time, even before Apple sunsetted iTunes for Mac in the most recent macOS version, and it's a bit of a risk to run native desktop applications that aren't well-maintained, even if they're from big companies. For ourselves, we try to install desktop apps only for the few things we run regularly and really need a desktop app for, and we prefer finding a web app when there isn't actually a need to install software locally, because web apps don't have this sort of risk.

What we're reading

G Suite and confidential reporting: Google Docs, Sheets, Drive, etc. might be convenient for collaboration, but it's worth knowing that anything you put there is readable by Google. The Freedom of the Press Foundation's recent article "Newsrooms, let's talk about G Suite" discusses the downsides of storing confidential data in G Suite. This is the flip side of preferring web apps to desktop apps: while they're more convenient and there's less risk to your computer itself, there's more risk to the data you store in the app because everything is accessible in some way to the people running the website. While you might not care about Google Play Music knowing your secret favorite bands, you might care about Google Docs knowing about your secret sources.

Instagram removes the activity feed: Slate and New Statesman both discuss Instagram's removal of the "Following" tab, which let you see the activity of people you followed on Instagram - including what posts they liked and who they themselves started following. As non-public figures who don't lead double lives, we prefer our like and following data not to be dumped into a feed for everyone who follows us to see. "Liking" a friend's photo in front of that friend and anyone who sees that particular photo is quite different from announcing that you like that photo to everyone who follows you, and we've heard anecdotally that seeing friends like other people's posts but not your own can create a sense of loneliness. Plus, apparently lots of people didn't even know this feature existed - and thus, they never knew their data was being displayed in this way. Both because you could use Instagram without ever seeing this tab and because this is such a big departure from how other social media sites use this data, we're happy Instagram removed the "Following" tab since it violated the principle of least surprise - users deserve to understand how their data is being used.

All that said, Instagram's "Following" tab did provide an interesting insight into how public figures have spent their time. If you never noticed the feature while it existed (only one of us did, and by accident), the Slate and New Statesman articles give a good overview of how it used to work.

That wraps it up for this week - thanks for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey