Loose Leaf Security Weekly, Issue 19

The weather's getting just a bit warmer where we are, which means we usually don't need to wear gloves anymore. "Touchscreen gloves" with capacitive fingertips are handy, but not totally accurate, and it's annoying when you mistype your passcode enough times for your phone to say, "Try again in one minute." This feature is intended to frustrate automated cell-phone-cracking devices like Cellebrite's UFED, a favorite tool of the NYPD and perhaps the Hong Kong police, but it's occasionally frustrating to the actual phone user, too. (This happened to Geoffrey recently on a subway platform - by the time the minute passed, the train came and it was warm enough that he could take his gloves off.)

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

A long passcode is your best bet for keeping the contents of your phone private. Fingerprint-based and face-based unlocking is regularly compelled by law enforcement agencies, but biometric unlocking methods aren't just vulnerable to law enforcement. A physical attacker can place your finger on your phone or hold it in front of your face relatively easily, and they probably don't even have to be forceful: there are multiple stories of children unlocking their sleeping parents' phones, including one where the victim was a cryptography professor! If you're worried about any sort of "physical attacker," a long passcode is safer.

With the ubiquity of automated "brute-force" unlocking technologies like Cellebrite, it's more important than ever to have random, long passcodes, despite their relative inconvenience compared to biometric unlocking methods. We've personally found that switching away from biometric unlocking methods takes a little getting used to but eventually becomes second nature. Longer, entirely numeric passcodes are a lot easier to type on a phone than slightly shorter alphanumeric passcodes and can still provide a high level of security: ten random digits have more possible combinations than six random lowercase letters and digits. Brute-force attacks must wait to see if each passcode works, and many phone models, including every iPhone since the 5s and recent Google Pixels, have specialized chips that enforce a timeout after a series of wrong tries. Since there are only ten thousand possible four-digit passcodes, even throttled to one try every ten seconds (six per minute) as on Apple phones (which the article above about the NYPD mentions as Cellebrite's limiting factor), it takes merely 28 hours to try all of them. On devices without this sort of hardware protection, phone OSes generally tune their encryption key derivation to take a small fraction of a second per guess (short enough that you don't notice when unlocking), and that cost, unlike a hardware limit, can be cut further by copying the encrypted data off the phone and guessing on faster hardware. At, say, a tenth of a second per guess, a four-digit passcode falls in under twenty minutes. With a six-digit passcode, though, trying all of the one million possible six-digit passcodes on an Apple device would take 115 days; on a device without hardware to slow down guesses, every six-digit passcode could be tried in a bit over a day, and every eight-digit numeric passcode in nearly four months. Those figures are for trying every possibility: an attacker expects to hit a random passcode about halfway through, and a passcode built from a birthday or a repeated digit falls far sooner, because those get tried first. Eight-digit passcodes are still pretty easy to remember. We'd recommend making your passcode as long as you can manage - we've found that even 10-12 digit passcodes are quite manageable once you get used to typing them. Since humans are bad at generating truly random passcodes, we'd suggest either adding a few digits to get yourself an extra safety margin or using a tool (like your password manager or 10-sided dice) to pick a passcode.
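The arithmetic behind these estimates, as an added example that is not from the newsletter or from any phone vendor: a small Python calculator that sizes the passcode search space, converts it into worst-case and expected cracking time for a given per-guess cost, compares numeric and alphanumeric passcodes in bits, shows why a "common" passcode falls in a handful of guesses, and picks a passcode with the OS random number generator. The per-guess costs (ten seconds for a hardware-limited device, a tenth of a second for an on-device key-derivation function, a millisecond off-device) and the list of common passcodes are assumptions constructed for the example, not figures from Apple, Google or Cellebrite.

```python
"""Added example: how passcode length and per-guess cost set the brute-force budget.

The per-guess costs below are assumptions chosen to match the newsletter's
arithmetic, not measurements of any particular phone or cracking tool.
"""
import math
import secrets

SECONDS_PER_MINUTE = 60.0
SECONDS_PER_HOUR = 3600.0
SECONDS_PER_DAY = 86400.0
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Assumed per-guess costs, in seconds (not vendor figures):
HARDWARE_LIMITED = 10.0  # secure-element rate limit: one try every ten seconds
SOFTWARE_KDF = 0.1       # on-device key derivation tuned to a tenth of a second
OFFLINE_FAST = 0.001     # the same derivation run off-device on faster hardware

DIGITS = "0123456789"
LOWER_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed list of weak passcodes an attacker would try before brute-forcing.
COMMON_PASSCODES = ["1234", "0000", "1111", "1212", "123456", "111111", "123123", "000000"]


def search_space(length, alphabet_size=len(DIGITS)):
    """Number of distinct passcodes of `length` symbols over an alphabet."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two symbols")
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(DIGITS)):
    """Strength of a uniformly random passcode, in bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length, seconds_per_guess, alphabet_size=len(DIGITS)):
    """Time to try every passcode at a fixed cost per guess."""
    return search_space(length, alphabet_size) * seconds_per_guess


def expected_seconds(length, seconds_per_guess, alphabet_size=len(DIGITS)):
    """Average time to hit a uniformly random passcode: half the search space."""
    return worst_case_seconds(length, seconds_per_guess, alphabet_size) / 2


def describe(seconds):
    """Render a duration at the scale a reader would naturally use."""
    if seconds < 2 * SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_MINUTE:.1f} minutes"
    if seconds < 2 * SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < 2 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def guesses_until_found(passcode, ordered_guesses):
    """1-based position of `passcode` in an attacker's guess order, or None."""
    for position, guess in enumerate(ordered_guesses, start=1):
        if guess == passcode:
            return position
    return None


def random_numeric_passcode(length):
    """Pick a passcode with the OS CSPRNG instead of a human's 'random' digits."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def brute_force_table(seconds_per_guess):
    """Worst-case exhaustion time for several passcode shapes at one guess cost."""
    shapes = [(4, DIGITS), (6, DIGITS), (8, DIGITS), (10, DIGITS), (6, LOWER_ALNUM)]
    return {
        f"{n} {'digits' if a == DIGITS else 'lowercase/digits'}":
            describe(worst_case_seconds(n, seconds_per_guess, len(a)))
        for n, a in shapes
    }


if __name__ == "__main__":
    for label, cost in [("hardware-limited", HARDWARE_LIMITED),
                        ("software KDF", SOFTWARE_KDF),
                        ("off-device", OFFLINE_FAST)]:
        print(f"== {label} ({cost} s/guess)")
        for shape, duration in brute_force_table(cost).items():
            print(f"  {shape:18} {duration}")
    print("1234 found after", guesses_until_found("1234", COMMON_PASSCODES), "guess(es)")
    print("10 digits =", round(entropy_bits(10), 1), "bits;",
          "6 lowercase/digits =", round(entropy_bits(6, len(LOWER_ALNUM)), 1), "bits")
    print("suggested passcode:", random_numeric_passcode(10))
```

Running it reproduces the 28 hours and 115 days above for the hardware-limited case and shows how quickly the same search collapses once the guessing moves off-device, which is the argument for length: the rate limit helps, but it is the number of digits that keeps the off-device column large.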

For more information on various unlocking methods, including our thoughts on advanced options to erase your phone after several incorrect passcode attempts, check out our episode "Securing your phone."

In the news

The end-to-end justifies the means: If you read Apple's iCloud security overview, you'll notice that it says, "For certain sensitive information, Apple uses end-to-end encryption." The list of what they consider "sensitive" is later on the page and includes health data and keychain information but not your iPhone or iPad backups as a whole, which contain your contacts, messages, and other app data. "End-to-end encryption" means using encryption keys that are only in the possession of the "ends" of the conversation, so that the cloud platform is only an intermediary and cannot decrypt the data itself. For an end-to-end-encrypted device backup, that key would be derived from the passcode or password you use to lock the device. Skipping end-to-end encryption for backups means there's a way to recover your backups even without your passcode, because another key, held by Apple, can also decrypt them. That's good if you're worried about losing your passcode, but bad if you're worried about Apple (or someone who obtains Apple's key) getting into your data.

Reuters reports that the reason Apple doesn't encrypt everything with end-to-end encryption is pressure from the FBI. Since Apple has a decryption key, the FBI can get a warrant to ask Apple to decrypt backups if they think the information would help in an investigation. Apple has historically refused requests from law enforcement agencies including the FBI to build a "back door" key to unlock encrypted iOS devices directly, so this is a little surprising. (Perhaps it's Apple's way of compromising with the FBI, allowing them to get to some data that's already stored on Apple's servers but not weakening the security of devices themselves.)

If you want to back up your phone without worrying about the risk of Apple decrypting your backups, you can always back up your phone to your own computer instead of to iCloud. Turn on the encrypted-backup option when you do (it's off by default, and an unencrypted local backup is readable by anyone who can read your computer's disk): an encrypted local backup is protected by a password you choose and can't be decrypted with any other key. Just make sure not to forget it.

iPhone 11 has a UWB switch: About a month ago we discussed the mystery of the iPhone 11's location-tracking indicator showing up periodically - it turned out to be part of regulatory compliance for the new Ultra Wideband (UWB) feature for communicating with a nearby phone. Some countries don't permit use of UWB, so the phone has to check periodically what country it's in, but Apple's delay in explaining it made iPhone users wonder what was asking for their location so often. The latest iOS beta now has a checkbox to disable Ultra Wideband. Doing so should prevent the iPhone from needing to check your location every so often and make the location indicator a little more useful.

Slidin' malware into the DMs of the richest person in the world: The Guardian has a report that Amazon CEO Jeff Bezos's phone was hacked by Mohammed bin Salman, the Saudi crown prince who's been making friends with business and tech leaders around the world (and is also believed to have ordered the killing of journalist Jamal Khashoggi). According to the report, Bezos received a WhatsApp message from the crown prince that included a malicious video file that exploited some kind of bug and installed malware on his phone. Motherboard looked at the full report, which has more details, including that the two of them had apparently had a friendly-enough texting relationship for "MBS" to have previously sent Bezos a meme about arguing with women. Several information security professionals have raised questions about the quality of the forensic report: in particular, the investigators claimed to not have the right encryption keys to decrypt the video and figure out exactly what the exploit was, but since they were working on behalf of Bezos, they should have had access to Bezos's keys. WhatsApp does use end-to-end encryption, but since the "end" was Bezos's phone itself, video attachments stored in WhatsApp history should be accessible to a team with access to Bezos' phone. There's also been little evidence of malware actually being installed on Bezos's phone.

The BBC interviewed Nick Clegg, VP for communications at Facebook (and former UK deputy prime minister), about the role of WhatsApp, which is owned by Facebook. He, too, seemed a little confused about end-to-end encryption, stating, "We're as sure as you can be that the technology of end-to-end encryption cannot be hacked into," and using that to argue that it's unlikely Bezos was hacked through WhatsApp. While it's true that WhatsApp's end-to-end encryption is strong and well-reviewed, the alleged attack here didn't involve breaking the encryption at all - it involved one end sending a malicious file to the other end, through an encrypted, untampered channel. The malicious file would need to take advantage of a bug in WhatsApp's own code to break into the device, which is a difficult task, but as we've discussed before, technology from Israeli spy firm NSO Group was used in a fairly high-profile attack along these lines recently, in which various government and military officials around the world had NSO's Pegasus malware installed on their phones via a WhatsApp exploit. It's been previously reported that Saudi Arabia, and MBS in particular, bought Pegasus, so while the evidence that this particular attack happened might be shaky, it's certainly plausible that it could have happened.

We hope most of our readers aren't text buddies with MBS, so perhaps that specific risk is a little lower. The New York Times has an opinion piece arguing that we commoners probably have a better shot of securing our digital lives than the rich and famous do, partly because we're less likely to be targeted by a crown prince with access to world-class malware. As it turns out, the rich and famous aren't even very good at using generally-accessible security improvements like two-factor authentication and password managers - so if you do, you're already better off than they are.

We can't get to your money because it ransomware: Currency-exchange company Travelex suffered a ransomware attack at the beginning of the year and is still mostly inoperative after having taken most of their computer systems offline. Over a week after the attack, customers were left without access to their money. One customer, who had ordered foreign currency via a service at her local supermarket, was told that not only did they not have a timeline for her, they also couldn't even file a complaint for her because doing that required access to Travelex's computer systems. While Travelex has been claiming no personal information was taken, the attackers are threatening to release credit card and social security numbers. On January 17, Travelex's systems slowly started coming online: according to their website's FAQ, they brought back some systems in the UK and are still working on the "phased restoration of our systems globally."

We think there are a few lessons worth noting here. First, as always, backups are a key component of being prepared for ransomware and other disasters, which can affect individuals just as much as companies. It seems Travelex did not have a tested backup program: they've been asking for laptops back and categorizing them in a red/yellow/green system for cleanup instead of just reinstalling everyone's laptop and restoring from backup. Second, software updates are important, and unpatched software does put you at risk of attack: the ransomware apparently entered Travelex's network through a bug in Pulse Secure, a popular corporate VPN, which had been patched and widely publicized months earlier. An internet-facing VPN gateway is exactly the kind of system to patch first, since attackers scan the whole internet for known-vulnerable ones. Finally, as a customer, it's worth thinking about your own personal exposure to companies that might not have the best security practices. Travelex isn't a fly-by-night company or a fragile startup, but even so, customers who went on vacation in early January with just a Travelex ATM card would have had a difficult time getting money. If you're traveling, make sure you have a backup option if your usual bank or credit card somehow becomes useless, because, unfortunately, we do live in a world where large companies that should know better don't have the best security practices. (Even when you're at home, keeping an emergency fund in an unrelated bank is a good plan - the local bank or credit union you love might not be so good at their security infrastructure.)

I'm a Mac, but I'll still install malware: Russian cybersecurity company Kaspersky reports on a new wave of malware attacks targeting macOS users. The malware uses a lot of clever tricks to gain access once it's installed, including popping up an innocent-looking dialog box that covers most of a System Preferences permission dialog box but leaves a cutout for the real "OK" button, so that you grant the permission without seeing what you're agreeing to. The easiest way to stay safe, though, is to avoid letting the malware run in the first place. Apparently, it disguises itself as an installer for the Adobe Flash plugin, and it's delivered as a disk image containing an application, the standard way to install Mac software outside of the App Store. Macs have a historic reputation of being less susceptible to viruses and other malware than Windows computers, but they still won't prevent an application you've installed from running malicious code - they have the same model as Windows and other desktop OSes, where applications outside of the App Store have full access to your account. Our episode "Malware, antivirus, and safe downloads" has more about how to keep yourself safe - if you truly need to download an app, make sure it's from the official website. You probably don't need Flash at all in 2020 (and you potentially don't need to download it even if you do - Chrome, for instance, has it built in, but you need to specifically allow Chrome to run Flash), but if you do need to download it, the safest way is to go to https://www.adobe.com and get it from there, not from some website that's telling you to download Flash. (The link is at the very bottom and tiny; even Adobe doesn't think you need Flash anymore.)

Firefox for Android now blocks many ads by default: Firefox for Android has a "brand new browsing experience," currently available in the Nightly release and soon available in the standard Firefox for Android app. The post is a bit rambly, but essentially they're adopting the changes previously seen in the most recent Firefox Preview Beta for Android, including a redesigned UI and more aggressive protection against trackers - usually advertising trackers. Mozilla previously explained the difference between the Enhanced Tracking Protection on desktop and the behavior in the mobile browser: Firefox for desktop "prevents third-party trackers from (re)using cookies to identify a user while still allowing the trackers to run on the site," which is similar to how other browsers and the Privacy Badger extension work, whereas the "strict" mode, which is now the default in Firefox for Android, "actually blocks the trackers, which makes the browser up to 20 percent faster." This behavior is closer to that of an ad blocker like uBlock Origin, which also means there's a slight risk of misclassifying a component the page needs as a tracker and breaking the site. As with ad blockers, there's an easy way to turn it off for that site if that does happen. While "strict mode" isn't billed as an ad blocker, that's likely to be the effect in practice, since most ads do attempt to track viewers across the web, and not loading animated ads and their tracking scripts seems particularly likely to be useful on slow mobile connections.

What we're reading

I gave up my privacy and all I got was a measly discount: A couple issues ago, we talked about the California Consumer Privacy Act and how it applies not only to websites but also to in-person establishments - sometimes, in rather surprising ways. The Los Angeles Times took a look at the new CCPA privacy disclosure for the rewards program at Ralphs, a supermarket chain owned by Kroger, in "Is a supermarket discount coupon worth giving away your privacy?" Customers who opt to join the Ralphs Rewards loyalty program are told the supermarket chain will potentially collect a lot of data about their lives outside of their grocery habits, including job, education, health, and insurance coverage information, and the company discloses that it may collect "geolocation data" as well, which could potentially include both where you spend time browsing inside their stores and how you spend your time outside their stores. Joel Reidenberg, an information technology law professor at Fordham University, notes, "this is one of the most intrusive data-gathering programs I've ever seen from a supermarket," and while we are certainly used to assuming we are the product when we get discounts or products for free, we are also concerned by how far this data gathering goes beyond tracking customer purchases and selling aggregate customer grocery habits.

On the one hand, we're glad the CCPA sheds light on how companies like Ralphs are collecting data on us in unexpected ways. On the other, this story highlights a key limitation of this unusual privacy law: the burden and costs of maintaining privacy are ultimately still pushed onto consumers. We don't think people should need to pay more for their groceries to protect their privacy.

(If you're not protected by the CCPA and pay for groceries with a credit or debit card or another payment method that tells the store who you are, a grocery store could correlate your purchases and collect vast amounts of personal information to add to its profile of you - whether or not you choose to opt into a rewards program. Ironically, this effectively removes the privacy cost of joining a rewards program, as grocery stores can aggressively track you whether or not you get the discounts.)

Financial data privacy and control in India: India's central bank now requires financial data to be reported in a standardized format, and the country is close to passing new data privacy laws which would give individuals significant control over that data, including the ability to share their own information with others or to request that the data be erased. Bloomberg's "India's About to Hand People Data Americans Can Only Dream Of" discusses the possibilities of sharing your financial data with lenders, arguing that this new "open banking" system could help India's "predominantly poor" population obtain access to loans instead of continuing to be "excluded from the formal banking system." For individuals that India's relatively new credit rating system doesn't cover, lenders can ask to see detailed transaction histories to determine cashflow and creditworthiness on their own, and borrowers can control how long the lenders have access to the information.

Limited access to credit and small loans isn't an issue unique to India. The US model, where a small number of agencies determine your credit score, has the downside of making it difficult for people without much credit history to get a loan from anywhere - plus, it magnifies the security risks of incorrect credit history (such as through identity theft) and the privacy risk of the agencies mishandling your data, and you have little choice in whether the credit agencies see your data. India's system promises to address those challenges, but it may not be much of a win for privacy if the practical implication is that you have to voluntarily give others access to your data. We're frustrated that those who have the fewest financial options and the least privilege within India's banking system will be the ones forced to hand over the most in-depth financial information to get the same access to loans as those with more money and privilege - in practice, India's new data privacy laws could end up protecting only those who already have access.

Too cute for Twitter, I am

The internet is enthralled with "Baby Yoda," the officially-unnamed small creature from the Star Wars TV series The Mandalorian who is of the same (also still unnamed) species as Yoda. Screen captures and memes of "Baby Yoda" have become popular, with one fan-run Twitter account accumulating hundreds of thousands of followers - before being abruptly suspended by Twitter for "platform manipulation and spam," whatever that means. Liz's personal blog has an in-depth look at the account's suspension and more generally at Twitter's spam policies and its future directions. We're hoping Baby Yoda finds their way back to Twitter soon, but we didn't just mention this because we're fans of cute gifs - keeping your social media account online is closely related to personal privacy and security.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey