Loose Leaf Security Weekly, Issue 10

Hello again! As the sun rises later and later each day, we're finding ourselves really appreciating the value of a cup of hot tea in the morning - nothing fancy or elaborate, just plain, good tea before we head out the door. In the same way, as the internet gets more dangerous and new threats are discovered each day, we're appreciating the value of security basics, like strong passwords in a password manager. Two of today's stories cover new reports of attacks where giving each site a unique, strong password would have kept you safe.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

We've talked before about how useful computer backups can be, and we've also talked about the risk of social media companies disabling your account without warning. In addition to backups of your computer, it's useful to have backups of your social media data. If you ever lose access to your account for any reason, you won't lose access to any photos or posts you only posted to social media.

Many social media sites make it easy to download your data, including Facebook, Instagram, and Twitter. There's often a delay between requesting and receiving your data, so we recommend downloading your data periodically in case you need something urgently or suddenly get the urge to delete older posts, maybe because the information you're interested in sharing on social media has changed since you started posting. (For example, we both have different approaches to sharing photos now than we did before facial recognition technologies became as advanced.)

In the news

Bypass two-factor auth on your bank with this one weird trick: Security journalist Brian Krebs reports that NCR, a major provider of banking infrastructure, blocked Mint and QuickBooks Online from accessing their systems while fending off a concerted attack last month. These are popular online budgeting services that aggregate your financial data from your various accounts by logging into those banks on your behalf, and they often store your password to do so. We talked about some of the tradeoffs with these aggregators in our episode "Checks, mobile banking, cash transfer apps, and a bit more on credit cards," but Krebs reports on an interesting twist: many banks are configured to allow these services to bypass two-factor authentication when connecting to customers' accounts. While the logic sort of makes sense - the budgeting service needs to fetch your banking records automatically, and the entire point of two-factor authentication is to require more than a single unchanging password - it introduces the risk that these services could be unwittingly used by an attacker to try to break into accounts without having to get past two-factor authentication.

Krebs recommends that you ensure you're using a strong, unique password for your bank, even if you have two-factor authentication, to protect against this risk. Frustratingly, many banks have upper limits on password complexity, so we encourage using your password manager's generator to make a complex password that still fits within the limits.

Virtually public passwords: Ars Technica is reporting that the credentials of many NordVPN users have been exposed through what they term a "credential stuffing" attack - or what we'd just call password reuse. Unlike last week's story, this isn't the result of anything going wrong at NordVPN: the passwords seem to be either weak/common passwords or passwords that an individual user used on multiple sites, where some other site was breached and had its passwords dumped. We've argued before that the biggest risk to passwords is automated attacks in search of breached or weak passwords, and this is a textbook example of that.

LASERS: This week's baffling security news is that MEMS microphones somehow pick up light in addition to sound, so devices that use them - including smartphones, Amazon Echo, and Google Home devices - will respond to "Hey Siri" or "OK Google" modulated in a focused laser beam just as well as they'll respond when it's actually spoken out loud. A team of researchers from the University of Electro-Communications (what a name!) in Tokyo and the University of Michigan announced their research on Light Commands in which they use about $600 of equipment to trigger voice command responses in devices in an adjacent building.

There's not a lot of information on how, physically, the attack works - the researchers discovered the effect in this paper, and there's no additional research on it yet. They say that standard techniques for blocking light, like building devices where the microphones face inwards, should help resist this attack in the future. Since the attack involves a visible bright spot on your phone or smart assistant, you probably don't need to worry about your neighbor pointing lasers into your house, but you might still want to place them so they don't directly face windows - and definitely make sure you've set up your voice assistants so they can't directly make purchases or cause other serious annoyances. (As a bonus, that protects you from both laser-wielding neighbors and poorly-behaved houseguests!)

KeePassXC update: We took a look at KeePassXC in our survey of password managers. They've recently released version 2.5, which includes the ability to import passwords from a 1Password export, among other improvements. If you specifically want an open-source password manager, it's one of the best options, though the tradeoff is that you have to figure out how to securely synchronize your password store between devices on your own. For now, both of us are personally sticking with a commercial password manager and its cloud service, but if you want to switch from 1Password to KeePassXC, it's now quite a bit easier.

Sideloading goes the way of sidetalking: Firefox is removing support for sideloaded extensions in version 74, which will be released next March. Typically, to add an extension to Firefox, one would go to Mozilla's official site for distributing Firefox extensions, but it's currently also possible to add an extension by dropping an extension file into the correct folder on your computer. Unfortunately, it's possible for malware to drop an extension file into that folder, too. Sideloaded extensions don't show up in the Add-ons Manager, so you have to know where to look if you want to remove them - and you might not even know they're there in the first place. (By the way, if you're intentionally sideloading any extensions, those will be copied into your user profile and managed like regular extensions this December with the release of Firefox 73.) We're happy to hear Firefox is removing this attack vector, and they've confirmed that they're not removing the ability to install custom extensions that aren't on their official site - they're only preventing extensions from being silently sideloaded.

This is the pop-up that never ends: Some unscrupulous tech support websites are exploiting an unpatched Firefox bug to repeatedly spam users with pop-up messages directing them to enter their computer passwords or call a provided number for support. In general, you should be skeptical of pop-ups asking for your passwords or, honestly, any other information, and you should never trust phone numbers from them - always double check that you're getting the right phone number by looking it up on the canonical website over a secure HTTPS connection. (If this sounds familiar, you might be thinking of our tip of the week from a couple weeks ago regarding unsolicited calls offering support for your accounts.) As for getting out of the pop-up loop, we suggest force quitting your browser and not restoring tabs when you open it back up.

DNAvailable: A Florida judge granted a warrant that allowed police full access to GEDmatch's genetic databases, including genetic profiles that weren't marked as available for law enforcement uses. This is the first time a judge has overridden a company's policy regarding law enforcement access to their users' genetic information, and it could set a precedent for accessing other private databases of genetic information. We're alarmed by this decision, especially since one person's genetic information can be used to track and reveal information about extended family members as well.

Leaks et veritas: A different DNA testing company, Veritas Genetics, also exposed customer information. In this case, the company says the breached customer-facing site did not contain any DNA- or health-related data, but government access to genetic data isn't the only thing to be concerned about if you're thinking of taking a DNA test.

Facial recognition in the United States: In January, the ACLU filed a Freedom of Information Act request to the US Department of Justice, FBI, and Drug Enforcement Agency for their policies towards facial recognition programs and other biometric tracking technologies. The US government has yet to respond, and the ACLU is now suing these agencies in hopes of learning more about how the US federal government is using or plans on using biometric tracking programs. We're looking forward to seeing how this case unfolds.

In which Facebook are the privacy good guys: Facebook has sued Israeli cybersecurity firm NSO Group after discovering their exploits broke into the phones of 1,400 WhatsApp users. We recently covered NSO's flagship product, Pegasus, being found on the phones of activists and lawyers in Morocco. NSO insists that, while they may be the computer security equivalent of an arms dealer, their software is for law enforcement purposes and they only work with authorized governments. However, according to a Reuters report, a WhatsApp investigation found that NSO had attacked the phones of senior government and military officials at various (unnamed) US allies, indicating that it's not just being used for domestic law enforcement.

Josephine Wolff, a cybersecurity policy professor at Tufts, has an opinion piece in the New York Times about why this lawsuit marks an important change in how the world sees NSO Group. While she's not positive the lawsuit itself will prevail in court (it's not clear that Facebook themselves were victims) and she sees it as more of a PR move to portray Facebook as the pro-privacy side, she still finds it a sign that the world is starting to hold NSO themselves responsible for how their malware is used and for how they choose their customers.

Twitter employees spying for Saudi Arabia: In the security news section of our episode "Backups," we covered a Twitter engineer who was recruited by the Saudi government to look at the accounts of dissidents and privacy researchers. The Justice Department has now charged two former Twitter employees involved in this with spying for Saudi Arabia. As a reminder, even if you trust a company as a whole, that company is still made up of lots of employees with a lot of different personal motivations.

Facebook exposes your data - again: Facebook disclosed a bug in one of their developer APIs that gave companies building Facebook apps more access to information about group members than intended. Even if you have your privacy settings locked down, it's worth thinking twice about what information you share on Facebook at all. This is hardly the first time Facebook has accidentally allowed third parties to access overly-detailed information about users, and given how resistant Facebook has been to replying to the California Attorney General's requests for documents, we have a hard time believing they'll always be forthcoming when their users are exposed.

The mailman who reads your mail: Security researcher Vahagn Vardanian posted on Twitter a demonstration that when you send a PDF over Facebook Messenger, Facebook's servers open all the links. There's speculation that they do this to check for malware, and in any case, Messenger isn't end-to-end encrypted by default. Still, we're now feeling particularly cautious about sharing things on social media apps that we're not comfortable with the world seeing, thanks to this discovery, the other social media breaches above, and also the particularly egregious incident earlier this year where Facebook accidentally stored passwords in internally-accessible records.

What we're reading

We leave fingerprints on everything we touch: We've talked about some of the ways websites track you before, most notably in our episode "Web security continued: cookies, plugins, and extensions." The Washington Post has a detailed look at how websites are no longer just using cookies and localStorage to track you, but also another technique known as "fingerprinting" - and unlike with third-party cookies and localStorage, you can't easily disable this type of tracking in your browser's settings.

"Browser fingerprinting" is a tracking method that looks at your browser's configuration and settings, things like what browser you're using, whether you have third-party cookies enabled, your operating system, the resolution of your screen, and which fonts your device has installed. On its own, your browser fingerprint may or may not be particularly unique. If you're using a relatively common device without a lot of customization, your fingerprint is less likely to be unique (Apple's iPhones and iPads are less likely to have unique fingerprints because there aren't that many different models on the market relative to the number of people using them). But when browser fingerprints are combined with other signals like your IP address or supercookies, websites may still be able to pinpoint even users with common fingerprints relatively accurately. If you're curious how unique your browser fingerprint is, you can check out the EFF's Panopticlick, which can analyze your browser fingerprint and give you an idea of how unique it and its various individual components are.

Another type of fingerprint used for tracking is the AudioContext Fingerprint, and if a website has ever surprised you by asking for access to your microphone, it could have been searching for your audio setup to pinpoint your computer more precisely than with the browser fingerprint alone. If you want to know what your AudioContext Fingerprint looks like, Princeton CITP's Web Transparency and Accountability Project has an AudioContext Fingerprint visualization tool, but it doesn't analyze the fingerprint to give you an idea of how unique it makes you. By the way, apps can also use a form of fingerprinting to target you, and because apps run outside the browser sandbox, they can often learn even more about you, e.g., which other apps you have installed or even how you hold your phone. App fingerprinting may also have additional signals from how you use the app itself.

While it is often difficult for individuals to change their specific browser fingerprint - you can't easily adjust the resolution of your device and you might not be able to uninstall more identifying fonts if you need them for your job - browsers can limit the information they share when a website requests your fingerprint. Apple's Safari browser already returns a set list of built-in fonts instead of including additional custom ones you have, and asks before giving a website your device's orientation and motion information. Firefox has some protection against browser fingerprinting that users can turn on in settings, and Chrome is still in the process of adding defenses to reduce the effectiveness of browser fingerprinting. Browsers have recently been taking a more proactive approach to tracking prevention and treating it as the security problem it is. The Safari team has explicitly started treating fingerprinting as unwanted tracking that they're taking technical measures to stop, and we're optimistic that as more browsers take measures to prevent websites from learning user-specific settings, fingerprinting will become a much less effective method of tracking.

That's it for today's Loose Leaf Security newsletter! Now it's time for us to confront the other type of loose leaf that comes with fall and rake the yard. If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey