Loose Leaf Security Weekly, Issue 8

Did you know that October is National Cybersecurity Awareness Month? We just found out, though we try to be aware of cybersecurity all the time. It feels a lot like having a tea month when you could be drinking delicious tea all year. (Did you know that January is National Hot Tea Month?)

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

If you ever get a pick up a call and the caller asks you for personal information like a password, two-factor code, social security number, or even your address, you should hang up. If they say they're from a bank you have accounts with, an online shopping service you use, or something else that sounds important, look up their main number yourself and call there to ask if there's anything on your account that requires attention. If you don't know the right phone number, look it up on their website over a secure HTTPS connection - don't just trust numbers aggregated into search results - and if there's another canonical place to find it, like the back of credit or debit cards, you can verify that's a reasonable number to call by looking there.

Often, people phishing over the telephone try to pressure you into staying on the line with you, such as by telling you there's a major issue with your account or that you won't be directed to the right department, but reputable businesses will not mind your calling back - and the couple extra minutes can help prevent phishers from tricking you into giving them enough information to do things like nearly remove your second factor from your account.

In the news

Resting unlock face: Google's new Pixel 4 phone is shipping with an unfortunate flaw in its face unlock - your eyes don't need to be open to unlock your phone, so someone can hold the phone up to you while you're sleeping and unlock it. Since face unlocks don't require physical contact like a fingerprint unlock, it's possible for someone to unlock your phone without your noticing. Other facial biometric systems typically check that your eyes are open, and Android's previous face unlock required blinking as a way to help ensure phone owners know their phones are being unlocked. Google says they won't be ready with the fix for a while, but we recommend using a long passcode to unlock your phone instead of biometric methods anyway.

OK Google, what's the latest from Emily Post?: Google devices chief Rick Osterloh said it's proper etiquette to tell guests that connected home devices like Google Homes and Nest security cameras could be listening in on them. We agree informing your guests that other (corporate computer) guests might be listening in on your dinner parties is the polite thing to do and are curious to see if Google and other smart home device manufacturers follow up on Osterloh's idea for the products themselves to indicate their presence to guests.

Goodbye, but not yet: Researchers at German group Security Research Labs found that they could create apps for the Alexa and Google Home voice assistants that kept listening even after they pretended they were done. For both platforms, they found a way to trick the devices into periodically "speaking" a phrase that didn't generate any sound, which would keep their app active and listening. For Alexa in particular, they were able to customize their reply to "Stop," the usual command word to end an interaction, to keep speaking this silent phrase indefinitely. Both Google and Amazon have introduced additional vetting to prevent this particular attack from happening again, but it's a good reminder to be careful about what "skills" or "actions" you install. It's fun to play with apps on these devices, but untrusted apps can magnify the problem of having an always-on listening device in your home by sending audio not just to your device's manufacturer but also to some random app developer.

Unfortunately, it can be hard to determine which Alexa Skills and Google Assistant Actions are trustworthy. Many popular and featured Skills and Actions are developed by individual developers - sometimes because they're relatively niche, sometimes just because, as far as software projects go, these are fairly easy to spin up. The ability for anyone to innovate on these platforms is really neat and brings a lot of range to these voice assistants, but it also gives just anyone the ability to potentially listen in on you while you don't even notice, like Security Research Labs demonstrated.

No more green lock in Firefox: Firefox currently shows a green lock in the address bar for secure HTTPS sites and a grey info symbol for plaintext HTTP sites. Mozilla announced that they're changing that to a grey lock for secure HTTPS sites and a red slash symbol for HTTP sites, to emphasize that "normal" sites are now HTTPS and plaintext HTTP is insecure. Chrome has also been making similar changes to their address bar, so Firefox following suit is a good sign that secure connections really are the new normal for the web.

Both Firefox and Chrome are also no longer showing "Extended Validation" information for websites by default anymore. We talked a bit about EV (and HTTPS in general) in our episode "Keeping your web browsing private": the short version is that they're an attempt to display the actual business name behind a site to enhance trust, but they never worked reliably enough to be useful for security.

Virtually public network: Virtual private networks (VPNs) are marketed to two groups of users: people who want to get to an internal network when they're traveling (usually business users) and people hoping to enhance their privacy by trying to anonymize their web traffic. NordVPN is a popular commercial VPN service that targets the latter crowd, letting you securely tunnel your web browsing away from your ISP to their servers... which only helps you if their servers are secure. Unfortunately, they just confirmed that one of their servers had been accessed without authorization back in March 2018 as a result of an insecure configuration at a Finnish datacenter they were using. The company states that no account or billing data was available to this server because this server was just used for routing data - but also insists that a "personalized and complicated man-in-the-middle attack" on its users' web traffic is unlikely. We find this claim a bit puzzling, given that the whole point of VPNs for security is to protect against these attacks.

More broadly, we're generally not a fan of using VPNs for security because they don't actually reduce your risk to these attacks - they just move the point of attack from your ISP to your VPN provider. If you want to reduce your risk to people trying to inspect and modify your browsing traffic, you're better off using tools like HTTPS Everywhere, which will keep your connection private regardless of who you send it through. Cryptographer Scott Arciszewski has a brief Twitter thread about these options and agrees with the conclusion that VPN services aren't worth using. (Of course, if you just want to pretend to be in Finland so you can stream Eurovision live, then a VPN will still accomplish that goal - but that's not a security or privacy goal.)

The FTC and stalkerware: The US Federal Trade Commission has issued a ruling against the company behind three "stalkerware" apps, mobile software which monitors activity and sends it to someone else. This software is marketed to questionably legitimate uses, from parents monitoring a child's phone to jilted lovers snooping on their ex, and it often requires disabling device security so it can gather data from other apps. As it happens, though, Retina-X, the company behind these apps, had already effectively shut down last year after an anonymous hacker took out their customer databases and leaked some of the monitored activity to the media. So in practice, this ruling mostly serves as a warning to future commercial stalkerware apps in the US.

When you were counting on your rosary: Smart devices have become so ubiquitous that even the Vatican is getting in on them. The Roman Catholic Church recently announced a "smart rosary," basically a wrist bracelet with a cross-shaped device that works like a smartwatch with prayer features. Unfortunately, just after the launch, Fidus InfoSecurity and Security researcher Elliot Alderson both discovered a flaw in the Vatican's Click to Pray eRosary's authentication method: login PINs sent to your email were also viewable in plaintext over network traffic. It's probably a good idea to make sure you only put sensitive data on devices from reputable, experienced manufacturers. After all, the pope only claims to be infallible in matters of faith and morals - not in matters of digital security.

Want car black box data? A warrant is ... inevitable: The Supreme Court of Georgia confirmed in Mobley v. State that a warrant is required to access data in the airbag control modules (ACM) of cars involved in a crash. The ACMs record data much like the "black box" recorders of aircraft: in this case, it recorded that the defendant was going one hundred miles an hour in his Dodge Charger when he collided with a Chevy Corvette pulling out of a driveway and killed both occupants. Police at the scene collected data from the ACMs in both devices and only later got a warrant, which the defendant challenged. A judge on the appellate court had argued that there is no expectation of privacy in this data, since any observer could have seen how fast the Charger was going, but the Supreme Court ruled that, whether or not there's an expectation of privacy, entering your car to get data is a search of "effects" protected by the Fourth Amendment. Journalist Kim Zetter points out that this is the first state supreme court to confirm that this access needs a warrant.

US courts have an "exclusionary rule" to prevent using information improperly gained without a warrant - as the decision points out, this is not so much for justice in the one case as to ensure that police have a strong incentive to get a warrant in the future. The prosecutors attempted to argue that they made a practice of getting warrants for ACM data (which would have saved them under the "inevitable discovery" exception to the exclusionary rule), but the Supreme Court found that they didn't: in fact, in a footnote to the decision, they note that the police department "sincerely believed that they did not need a warrant to download ACM data at the scene of a serious crash, a belief that was based on advice that they received in the course of their law enforcement training, as well as legal advice that the Henry County Police Department apparently received at some point from an assistant district attorney. It appears that they were not well advised."

What we're reading

Niantic is becoming enlightened about your location data - where's the resistance?: Kotaku takes a close look at how Niantic, the company behind Pokémon Go, Wizards Unite, and Ingress, has been aggressively gathering detailed location data from their players. Niantic records the location of Wizards Unite players up to 13 times a minute, enough to create a fairly complete picture of their lives. Kotaku also details how Niantic created their map of the world and discusses how the data they've collected and the augmented reality technologies they've created could shape our lives in the future.

Me and cameras down by the schoolyard: In our episode "Covering your webcams," we talked about how the school district of Lower Merion, Pennsylvania was spying on their students through webcams on school-issued computers equipped with theft tracking software. While the abuse of those students' webcams was exceptionally egregious, student surveillance is increasingly becoming the norm. The Guardian's "Under digital surveillance: how American schools spy on millions of kids" examines how increased surveillance, primarily through tracking students online activities like web searches and emails, has become more "politically palatable" and how this increased monitoring is putting marginalized students at risk.

Nothing says "your privacy is important to us" quite like...

...getting a 10% off code to Zappos because they were irresponsible with user data. Incentivizing additional business doesn't quite feel like compensation.

That's all for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey