Loose Leaf Security Weekly, Issue 14

We're back from Thanksgiving - and we're still working on eating all the leftovers in our fridges. You know, good security is kind of like leftovers: you do have to spend some time on prep work, but it pays off for a long while afterwards.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

A couple of our stories this week are about employers unexpectedly having access to your accounts or your phone after you've left a job, so our tip this week is about checking whether anyone has unexpected access to your mobile device. The major mobile platforms support a feature generically called "mobile device management," which lets you give an employer abilities ranging from requiring that you set a passcode to possibly remotely wiping your device. Because MDM is so powerful, it's also an appealing target for malware - if you're on family tech support duty for the holidays and you see a device acting strangely, such as having apps or VPNs that can't be uninstalled, you might want to check for unwanted MDM profiles and uninstall them. Apps can't set up MDM on their own - you have to tap a button to install a profile - but it's entirely possible to do that by mistake or without quite understanding that this is more than just a normal app permissions prompt (which you should also read carefully!).

On Android, you can see what management profiles are installed by looking in "Device administrators" in your security settings. On iOS, the corresponding setting is "Profiles" under "General," which will only show up if you have a profile installed. This screen should tell you what sort of configurations your employer is applying to your device, such as restrictions on your passcode, whether they can locate your device if it's lost, and whether they can wipe the device. On some Android models, you can set up a separate work profile, and they may have access to wipe your work profile alone instead of your whole device.

Oftentimes, these profiles are linked to an app on your phone that mediates your employer's access. For instance, if you're using G Suite, there's a Device Policy app for Android and for iOS. If you want to disable your employer's (or former employer's) access, you generally will want to remove both the app and the associated profile or administrator configuration.

If you decide you're okay with your employer being able to wipe your phone, it's particularly important to make sure you have another copy of any important personal data, from personal photos to your two-factor authentication codes. The best way to handle authenticator apps is to have more than one second factor available for your accounts - perhaps you could set up the authenticator app on an old personal phone too. Automated backups often don't cover authenticator apps, and you might lose access to the phone's backup if it's wiped, anyway.

In the news

Google fires an employee and wipes their device: Last week, Google fired four activist employees, including Rebecca Rivers, an engineer in their Boulder office who had started an internal petition against selling contract services to CBP and ICE. Rivers soon found that her personal Android phone had been wiped in its entirety. While initial speculation was that Google had abused its access as the maker of Android, the more mundane explanation is that Rivers previously had set up access to her work account on her phone, and Google's MDM setup gave them the ability to wipe her phone as her employer. While she'd removed the work accounts previously, she apparently didn't remove the Device Policy access, which meant that her G Suite admins still had access to wipe her phone when disabling her work account. This is making other Google employees reconsider whether they really need work email and calendar access on their personal devices.

Some security advice for the National Security Advisor: When John Bolton left his post as US National Security Advisor this September, he used his Twitter account to contradict the President's account of his departure and then went silent until last week. He's now returned, saying that he had to "liberate" his account because the White House refused to return access to it and he needed the help of Twitter support. In a phone call with The New York Times, he claimed, "The White House attached software to the account. They would not give it back." The Times suspects that they changed the password and the recovery email, but if you pay close attention, you can see that they did in fact "attach software" to the account - Bolton's September tweet was sent from a third-party app called "WH Digital," and his more recent tweets are all from "Twitter Web App." If you're going to give your employer's app access to your Twitter account (or any other personal online account), make sure you're being very careful with what permissions they get and know how to disable that access - and definitely don't let them log in as you and change the password or the recovery email address.

Private Investment Access: Popular VPN provider Private Internet Access is being acquired by a company called Kape Technologies for over $95 million, with the deal expected to close in 2020. PIA says they chose Kape because other potential partners "would not sign a binding and actionable pact to refuse to log" user data. However, many of their users don't believe that Kape will take their privacy seriously, largely because Kape was previously an adware company named Crossrider, pivoting only a couple years ago after finding ad-tech unprofitable. The Crossrider software was a framework for cross-browser, ad-supported browser extensions that was frequently found as a component of unwanted adware/malware. A Forbes article from 2015 looks at Crossrider's connection to the adware industry and notes that both Crossrider and many of their customers were run by alumni of Israel's Unit 8200, their analogue to the NSA. We've always been skeptical of the value of VPNs for privacy for most users - they simply shift the point of possible monitoring or interception from your ISP to the VPN provider. It's possible that the new Kape leadership is earnest about their security and privacy goals, but it seems that the previous trust in Private Internet Access (one of the better-respected VPN providers) is starting to erode.

Your password must contain at least five amendments and one upper-court judge: The Fifth Amendment to the US Constitution protects your right not to be compelled to testify against yourself. Courts have generally held that being ordered to unlock your phone with a fingerprint or other biometric authentication does not count as self-incrimination, while being ordered to produce a password is a little more ambiguous. The basic issue is that, even with a warrant to the data on the device, the fact that you know how to unlock the device counts as a form of testimony that might implicate yourself if there's a question about who did something with the device. Even when courts take that view, it's still a pretty limited protection, though: for instance, one court ruled that police can still use a password taken from an illegal interrogation and introduce what's on the device as evidence, even though the jury just can't rely on the fact that the suspect knew the password. However, the Pennsylvania Supreme Court recently ruled 4-3 that a suspect cannot be compelled to disclose his laptop's encryption password and that even though he admitted he knows the password (saying that it's 64 characters long), making him disclose the "contents of one's mind" would still be requiring him to testify against himself. Meanwhile, in another case, a federal court in Illinois said a suspect can be ordered to unlock a phone with a fingerprint and that making the subject unlock the phone with a fingerprint did not count as making them testify against themselves.

Laissez les backups rouler: The state of Louisiana was recently the victim of a ransomware attack, which they fought off by shutting off systems and restoring from backup instead of paying the ransom. Both the Secretary of State and the Office of Motor Vehicles announced that they didn't lose any data, though the OMV was still unable to issue new licenses for several days. Other agencies may not have been so lucky: Ars Technica reports that certain backups were six months old and mentions that they themselves were told that records from a freedom-of-information request were unavailable "due to the recent ransomware attack." There's never any guarantee that paying the ransom will even work, which is why having trustworthy and recent backups is so important.

Plain text data: TrueDialog, a company that provides text-messaging services for businesses and universities, accidentally left a database of tens of millions of messages unprotected on the internet. Apart from marketing messages, the data also included two-factor authentication codes and password reset codes sent via SMS. This isn't quite the usual worry about SMS, but it underscores why we don't like SMS as an authentication mechanism: it goes unencrypted between various parties on the way from the provider to you. If you're using an authenticator app or, better yet, a security key, the app or key itself calculates the needed code, so there's simply no place where the code can be intercepted in transit.

Monetize your data on Route 66: Motherboard reports the California Department of Motor Vehicles makes 50 million dollars selling drivers' personal information. It's frustrating enough when companies aren't upfront about selling our data, but we have even less choice over data we give to government agencies. Unfortunately, there's not much we can do but press our lawmakers to ban the sale of DMV data.

What we're reading

The monitors that monitor: If you've purchased a new TV on Black Friday or Cyber Monday, you may want to pay close attention to the setup prompts because smart TVs pay close attention to what you're watching. The Washington Post details how TVs can track whatever you watch on the screen, whether or not you're watching through its built-in apps. TV manufacturers track this data as often as every second, ostensibly for generating personalized recommendations, but they can also sell information about your watching habits attached to your IP address, effectively linking it to the rest of your data.

Consumer Reports has a guide to turning off smart TV tracking, but we'd also recommend thinking about whether you need to use the smart features of your TV in the first place. Other devices you may have hooked up to your TV, such as gaming consoles or a Chromecast, probably also provide streaming support, and depending on what you watch, it may make more sense to use those devices for streaming instead of your TV. For example, if everything you watch is on Google's YouTube, then watching those videos on a Chromecast doesn't reveal anything more to Google, and you can leave your TV offline. Of course, these devices could also be tracking what you watch, but they could have a less complete picture of your habits than your TV, which can get information about everything you watch on it. If you aren't using your TV's "smart" streaming features, double check that it isn't connected to the internet, so it can't relay tracking information.

One other concern with newer TVs is built-in cameras, purportedly for personalization and providing a built-in webcam. If your TV does have a camera, look for settings to disable both the video and microphone, and we recommend also physically covering the camera in case there's a bug that turns your TV's camera on. If you're in the market for a new TV, we suggest looking for models without built-in cameras, and if you want to video chat over your TV, get a separate webcam you can unplug when it's not in use.

The future of another algorithmic timeline: Annalee Newitz, whose career has spanned EFF analyst, Gizmodo editor-in-chief, and now science fiction author, has a column in The New York Times about the possible next generation of social media - or more precisely, "what will replace social media the way the internet replaced television, transforming our entire culture." The article includes interviews with a variety of interesting figures (including one AI), and it makes the case that our current world of large companies monetizing our data is not inevitable. One theme is the idea of curating connections and information, deliberately moving away from the model where the goal of social media is to be reachable by anyone - from advertisers to trolls to scammers. In the physical world, we've built spaces where people can gather safely and know who participates, where slow and meaningful conversations are more valued than shouting quickly at as many people as possible, and Newitz looks at how an online world can be built on those values.

The algorithm works in binary: Writing in The Advocate, Tre'Andre Valentine, executive director of the Massachusetts Transgender Political Coalition, argues against governmental use of facial-recognition technologies for identifying and classifying people. While the US doesn't yet have pervasive governmental facial recognition, various private companies are already using it in even less accountable ways, causing problems for those who don't fit the mold envisioned by the algorithm's designers. One example in the article is that Uber uses facial recognition on drivers as part of an automated "security feature," which ended up consistently flagging drivers currently undergoing gender transition.

Speaking of algorithmic recognition going in strange directions, Instagram is apparently training machine learning software to detect users' age and gender. They'll soon be asking for your birthdate to provide "age-appropriate experiences" such as "recommended privacy settings for young people," and they're considering comparing the birthdate you provide with what their algorithm detects. While Instagram definitely can run their algorithms on photos that you post, that's not the only thing they're looking at - apparently their techniques for age detection include inferring it from posts that say "Happy Birthday" and looking at what hashtags you use. Also, we find it a little odd that they're proposing to increase the privacy of young people by asking for additional personal information and mining their data.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey