Loose Leaf Security Weekly, Issue 15

It's finally snowing (at least where we are), and soon there will be enough snow to build a snowman. Be careful with giving your snowman a corncob pipe and a button nose, though. Those distinctive features can be easily identified by facial recognition cameras, and if your snowman plans to run and have some fun past the traffic cop who hollers, "Stop," it will make him much easier to track. Your neighbors' smart doorbells might even be sending video of his face straight to the police department. It's much safer to stick with the classic carrot nose if you want Frosty to be back again someday.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

When you're traveling or otherwise away from your home or office all day, you may find your phone's battery drained before you get back to your normal charging locations. USB charging stations are increasingly common, especially at airports or train stations, but since USB carries data as well as power, a port that looks like it only charges could in fact try to plant malware on your device or pull files off it - an attack known as "juice jacking."

Instead of worrying about unknown USB ports, we prefer carrying our own extra portable charging battery, sometimes known as a "power bank", which has the added benefit of allowing you to top off your devices even when charging stations are full. As we suggest for any new device, buy one off the shelf at a store you trust if you can, rather than preordering. (It's a little paranoid, but we mention it because it's generally pretty easy. Even though it's unlikely someone is trying to target you in particular by shipping you a malicious USB device or pre-hacked cell phone, you might as well avoid this potential attack if the device you want is in stock at a local store.)

If you do find yourself out of charge, without a charging battery, and near a USB charging station, we recommend turning your phone off before connecting it. Recent versions of both Android and iOS keep most of your data encrypted with a key derived from your passcode, and after a reboot that data isn't decrypted until the first time you unlock. If your phone turns on while charging, don't unlock it, and make sure to unplug it before you unlock. If you need to keep your phone on while it's charging - maybe you're expecting a call - the safest thing to do is to reboot it before plugging it in. If you can't do that, it's still worth locking your phone before plugging it in; data connections generally require your phone to be unlocked (iOS goes a step further and, with the default "USB Accessories" setting off, refuses USB data altogether once the phone has been locked for an hour). When the phone rings, make sure to unplug it before answering. Of course, make sure that you've set a (preferably long) passcode, since many of these protections don't work without a passcode, and that your phone is up-to-date with software updates.

You could also get a "data blocker," a small adapter or cable that connects the power pins but not the data pins. If you want to use a data blocker, we recommend you quickly test that it does what it claims to do: plug your phone into your laptop through it, and make sure your laptop and phone don't see each other (on the laptop, the phone shouldn't show up as a USB device; on the phone, no USB connection notification or "trust this computer" prompt should appear). We don't personally carry these because charging batteries have gotten small enough that we always have those in our bags instead, just in case.

In the news

Loggin' with Facebook: The developers at SimpleLogin wrote a post advising their fellow web developers not to add the "Login with Facebook" button to their sites. While SimpleLogin's product is something of a competitor to "Login with Facebook," their argument is nonetheless valid: if a website contains code from Facebook's JavaScript software development kit (SDK), Facebook gets to know exactly what pages are being visited on the website and which Facebook user (or shadow profile) is accessing the website. This is because the SDK adds an "inline frame" or "iframe" that embeds Facebook's own site, so any Facebook cookies or other information known to Facebook can be correlated with your activity on the outer site. (Our first episode on web security talks about how data from separate websites usually stays separate in your browser, but by adding the Facebook SDK, independent websites are intentionally sharing data with Facebook's website.) As a web user, a good defense against this is an extension like Privacy Badger or the recent tracking-prevention features in some browsers - Safari has a particularly proactive one that makes it quite clear what Facebook's SDK is doing.

What's worse than a zero-day? A negative-two-year: Maddie Stone, a security researcher at Google's Project Zero, has a very technical deep dive into a recent security issue on Android. The short version: they received second-hand information about a bug used by Pegasus, the infamous phone spyware from Israeli firm NSO Group, and they were able to identify the bug from information about which phones and which kernel configurations were affected. If you scroll past the technical details, there's a very interesting observation at the end: the bug was fixed in the Linux kernel in version 4.14, released in November 2017, but Android devices with an older kernel only got the fix almost two years later. Right now, just about all Android models keep the kernel version they came with, getting only specific security fixes instead of a whole new version, so any device that shipped with a kernel older than 4.14 wouldn't have gotten the fix until recently. (If you want to check your own device, make sure that either its kernel version is at least 4.14 or its Android security patch level is at least October 6, 2019.)
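The check suggested above, as an added example rather than anything from Project Zero or the Android team: a short script that takes the two values a phone can report (the kernel version from `uname -r` and the `ro.build.version.security_patch` property) and compares them against the thresholds from the text. The sample strings are constructed, and the optional `adb` lookup assumes USB debugging is enabled and the host is authorized on the phone.

```python
"""Does this Android device carry the fix discussed above?

Added example. Thresholds come from the newsletter text: either an upstream
kernel of at least 4.14, or an Android security patch level of at least
2019-10-06. Sample inputs below are constructed, not real device output.
"""
import re
import subprocess
from datetime import date
from typing import Optional, Tuple

MIN_KERNEL = (4, 14)                 # upstream kernel that carries the fix
MIN_PATCH_LEVEL = date(2019, 10, 6)  # patch level that carries the backport


def parse_kernel_version(uname_r: str) -> Tuple[int, ...]:
    """Turn 'uname -r' output such as '4.9.186-perf+' into (4, 9, 186).

    Only the leading numeric components matter; vendor suffixes are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def parse_patch_level(prop: str) -> date:
    """ro.build.version.security_patch is formatted YYYY-MM-DD."""
    return date.fromisoformat(prop.strip())


def has_fix(uname_r: str, patch_level: str) -> bool:
    """True if either threshold from the text is met."""
    kernel_ok = parse_kernel_version(uname_r)[:2] >= MIN_KERNEL
    patch_ok = parse_patch_level(patch_level) >= MIN_PATCH_LEVEL
    return kernel_ok or patch_ok


def query_device() -> Optional[dict]:
    """Ask a USB-connected device via adb. Returns None if adb is unavailable
    or no device is attached. Requires USB debugging and host authorization."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout.strip()
    try:
        kernel = adb("uname", "-r")
        patch = adb("getprop", "ro.build.version.security_patch")
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return {"kernel": kernel, "patch_level": patch, "fixed": has_fix(kernel, patch)}


if __name__ == "__main__":
    # Constructed sample values: an old 4.9 kernel before and after the
    # October 2019 patch level, and a 4.14 kernel with an older patch level.
    samples = [("4.9.186-perf+", "2019-08-05"),
               ("4.9.186-perf+", "2019-10-06"),
               ("4.14.117", "2019-05-05")]
    for kernel, patch in samples:
        print(f"{kernel:16} {patch}  ->", "fixed" if has_fix(kernel, patch) else "NOT fixed")
    info = query_device()
    if info is not None:
        print("connected device:", info)
```

Note that the patch-level check is the one that matters for most phones: as the text says, nearly all devices keep the kernel major version they shipped with, so a phone on 4.4 or 4.9 will only ever pass via a sufficiently recent patch level.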

This is yet another example of why we think security-conscious Android users should make sure to get a phone from a manufacturer with a track record of both issuing prompt security updates and continuing to issue security updates for years after the device launched. New software versions often fix bugs that only turn out to be security bugs in retrospect, and for the most part, the only people going and looking at old versions of code are malware authors. (As it happens, many years ago Geoffrey co-authored a paper making the same point - we found that it regularly took weeks to recognize that a fixed Linux kernel bug was actually a security bug.) The Project Zero blog post suggests, "To prevent issues like this, Android could force all devices to sync to both upstream Linux and the Android common kernel at a regular cadence." The Android team has been investigating ways to separate the kernel from device-specific code, which will hopefully make it much easier for new kernel versions to come to older phones.

The Mystery of the iPhone 11 Location Indicator: Some iPhone 11 users were recently surprised to see the location icon at the top of their screen showing up every so often, indicating that something was tracking their location - even when they weren't running any apps with location permissions. After some public confusion, including a report on Brian Krebs' blog, Apple answered the mystery: the new Ultra Wideband (UWB) communication feature for linking two nearby phones is prohibited by regulation in a few countries, so the iPhone needs to check periodically whether it's in such a country. There's no real explanation for why it needs to check so frequently whether you've moved the phone to a whole different country, and there's also not yet a way to turn the feature off. Apple says that they'll be adding a switch for UWB in a coming OS update and that turning off UWB will avoid the periodic location checks. One positive point is that this mysterious feature did in fact trigger the location indicator, even though there wasn't any documentation about it and it wasn't listed under location settings. It's a sign that the location indicator does in fact accurately report when anything on your iPhone is using your current location, even if it's undocumented - although it's still confusing if it doesn't say what is using your location.

Facial recognition at the US border: US airports have been increasingly using facial recognition to track those departing the country as part of US Homeland Security's efforts to identify visitors who overstay their visas. US citizens and green card holders have been exempt from these checks - though how to opt out is not typically obvious - but Homeland Security recently considered removing the option to opt out. However, that change is not moving forward due to backlash, including over privacy concerns. We're still concerned with how facial recognition and the data gathered from this program are being used to track travelers and residents without permanent status, but it's good to know that public objection can actually put the brakes on automated use of facial recognition, even from a major government.

Der Ring des Dataleaken: Ring, the Amazon subsidiary that produces internet-connected video doorbells, has been in the privacy news for a couple of reasons. First, it came out that Ring had been giving some US police departments a detailed map of Ring doorbells and what areas they covered for over a year. We've covered Ring's relationship with police departments before, but this is clearer information than we've previously known on just how much detailed data these police departments can access. Furthermore, a Gizmodo investigation found that this data wasn't even properly protected: Ring devices published information with their detailed location and what they saw in a manner that anyone could access. The reporters found that they just needed to send a message to Ring's servers pretending to be a device in a certain area (there's no good way for the servers to verify location data that a client sends them) and the servers would send back information about nearby devices (which are generally being truthful about their location). The data includes a latitude and longitude with six decimal places; the sixth decimal place of a degree of latitude is about 11 centimeters (roughly 4 inches), so that's precise enough to place a doorbell within a few inches, though it's not immediately clear whether Ring devices actually measure their location with that much accuracy.

In other Ring news, there's apparently a "podcast" that's going around "hacking" Ring users. "Podcast" seems to mean a forum of internet trolls and griefers, and "hacking" refers to using stolen passwords to log into people's Ring accounts, make two-way calls to their Ring devices, and stream the prank call live. It seems the passwords are mostly harvested from breaches of other sites, and the victims reused passwords between Ring and other sites, though in at least one case, the victim says she was using a unique, long password. Ring claims that there's nothing they can do about reused passwords, which isn't quite true: they can check passwords against known breach corpora and require a change when there's a match, and they can rate-limit and alert on logins from new locations. Still, if indeed the attack is through stolen passwords, there's an easy way to defend yourself: use unique passwords for each site, preferably from a password manager, and consider enabling two-factor authentication on your account, which Ring supports.
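One way a service can do the breached-password check we say Ring could do, shown as an added example (this is not Ring's code): the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API, where the client sends only the first five hex characters of the password's SHA-1 and gets back every suffix in that bucket with its breach count, so neither the password nor its full hash leaves the client. The breach corpus and the "server" below are constructed stand-ins so the example runs offline; the live endpoint is `https://api.pwnedpasswords.com/range/<prefix>` and is only referenced, not called.

```python
"""Breached-password check via SHA-1 prefix k-anonymity.

Added example. `FAKE_CORPUS` and `fake_fetch_range` are constructed stand-ins
for a real breach corpus and the real HIBP range endpoint.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

PREFIX_LEN = 5  # the real API buckets on the first 5 hex chars of SHA-1


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse '<35-char suffix>:<count>' lines into a dict of suffix -> count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times `password` appears in the corpus, or 0. Only the
    5-char prefix is ever handed to `fetch_range`; matching is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def should_force_reset(password: str, fetch_range: Callable[[str], str],
                       threshold: int = 1) -> bool:
    """Policy hook a service would call at login or password change."""
    return breach_count(password, fetch_range) >= threshold


# --- Constructed offline stand-in for the corpus and the range endpoint ----
FAKE_CORPUS = {"password": 3, "123456": 5, "letmein": 1}   # constructed counts

_buckets: Dict[str, List[str]] = defaultdict(list)
for _pw, _n in FAKE_CORPUS.items():
    _d = sha1_hex(_pw)
    _buckets[_d[:PREFIX_LEN]].append(f"{_d[PREFIX_LEN:]}:{_n}")

seen_prefixes: List[str] = []   # records what the "server" actually received


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    seen_prefixes.append(prefix)
    return "\n".join(_buckets.get(prefix.upper(), []))


if __name__ == "__main__":
    for candidate in ["password", "letmein", "unique-and-long-ring-passphrase"]:
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times ->",
              "force reset" if should_force_reset(candidate, fake_fetch_range) else "ok")
    print("server only ever saw prefixes:", seen_prefixes)
```

The same function works unchanged against the real endpoint if `fetch_range` is an HTTP GET of the range URL; the important property to preserve is that the server sees a five-character prefix and the comparison against the full suffix happens on the client.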

Total Protection Racket: Researcher Wladimir Palant takes a look at the WebAdvisor extension in the latest version of McAfee's "Total Protection" product. The extension claims to be able to block malicious websites, but it's got a few flaws. First, it only blocks malicious websites after they've loaded, leaving a brief window of attack. Second, the extension has a few bugs that allow malicious websites that are aware of the extension to bypass it. The most troubling problem, though, is that the extension permits websites to bypass a built-in browser security feature that prevents access to certain special pages like configuration dialogs for other extensions or local files. While you can visit these pages manually, browsers generally prevent other sites from interacting with these pages (linking to them, loading them in an iframe, etc.) because they're usually powerful and not designed with the security model of the public web in mind. McAfee's extension provides a way for any website to interact with these special pages.

Palant previously found a number of issues with the Kaspersky Protection extension. Not only could malicious websites uninstall the extension silently and remove all the "protection," the extension adds unique user identifiers that could facilitate tracking, and it also allows sites to bypass HTTPS error pages without your awareness. We're not sure we've seen a "web protection" product that's actually made your browsing net safer. These vulnerabilities remind us of the issues with Trend Micro's "Secure Browser," part of their antivirus product, that we covered in our episode about password manager security track records. While web protection software is popular with tech gift guides, we'd strongly recommend leaving them out of the stockings this year. (If you're looking for something to give your friends and family to keep them safe, maybe point them to our episode on staying safe on the web without third-party antivirus.)

They're selling Avast amount of personal data: Avast's antivirus product may not cost its over 400 million users money, but as with most free products, it doesn't come for free: Avast has been selling its users' web browsing data since at least 2013. Mozilla Firefox and Opera have both removed some of Avast's extensions from their add-on catalogs due to concerns about this overly broad data collection (Wladimir Palant has a post about what data Avast collects, too). At Loose Leaf Security, we're generally skeptical of antivirus software that relies on intercepting HTTPS connections to scan for malware inside the encrypted connection because it's difficult to get right from a security perspective, even when the company isn't intentionally harvesting your web history for profit like Avast.

One thing that's interesting about the data Avast is selling is that it is aggregated data "insights" like what "percentage of visitors who went from one website to another." If you're going to monetize data, this approach is actually pretty reasonable: there aren't any individual data points - a type of data that is extremely difficult to truly anonymize (aggregates can still leak information about individuals when the groups being counted are small, so aggregation helps but isn't a guarantee). However, Avast's choice to aggregate user data doesn't deserve any praise as they shouldn't be collecting this data through an antivirus product in the first place.

But can the cameras detect drop bears? Australia is rolling out cameras on their highways that can detect when drivers are using handheld mobile phones, and it seems like this plan has broad public support. Just like the many recent stories about large-scale facial recognition, this is a good reminder that technological advancements in computer vision are making it possible to automate efforts like this. It's nothing that was theoretically impossible in years past - a highway patrol with sharp eyes or binoculars could do the same - but it can run 24/7 on all highways for a lot cheaper.

What we're reading

Spy's kids: One US school district now has an annual "Data Deletion Week", where tech companies that collect data on students must delete all the data they've collected. It just so happens that this district, Montgomery County in Maryland, is near the NSA and CIA's headquarters, so many children of federal employees go to school there. The district lends laptops to students and has monitoring software installed on those laptops, and parents are worried about the "student data surveillance industrial complex" collecting as much about schoolchildren as it can. This is an entirely sensible worry: in a recent episode, we looked at a case of a Pennsylvania school district watching children at home in their bedrooms via the webcam on school-issued laptops. So we're glad that parents have been able to push back on this.

More generally, this story reminds us that endless data collection is not an inevitability. Even though we may feel like we have limited power as individuals, a group of parents can push back on what their school district does, and a company or non-profit organization can certainly choose not to use a team chat app that stores unencrypted chats forever (and leaves it at risk of exposure). The model of for-profit data collection (like Avast's "security" software) isn't the only way for the web to run. One particular example we saw recently was that of an anti-racism activism group in North Carolina that had its records subpoenaed as part of a DHS and ICE investigation. The group used email services from Riseup, a volunteer-run collective that provides services for activist organizations with a focus on privacy, and Riseup was able to say that they did not keep enough records to answer the subpoena. Riseup has previously stated that they "will shut down rather than endanger activists," a promise that few commercial providers - even those that sell privacy as a feature - can comfortably make.

Biased Algorithms Are Easier to Fix Than Biased People: We often talk about algorithms encoding and amplifying both the conscious and unconscious biases of their creators, and often the stories surrounding algorithmic bias focus on where those biases come from. University of Chicago professor of behavioral and computational science Sendhil Mullainathan focuses on the other, more actionable side of the issue in The New York Times: where human bias is time-consuming to identify and difficult to correct, algorithmic bias can be identified quickly through statistical methods and corrected through software updates.

That's it for this week - if there's a story you'd like us to cover, send us a note at looseleafsecurity@looseleafsecurity.com. Until next week, enjoy this video of a pig keeping warm during the winter.

-Liz & Geoffrey