Loose Leaf Security Weekly, Issue 22

Happy (belated) Valentine's Day! Roses are red, violets are blue, I'm glad we use end-to-end encryption, so no one sees my love note but you.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Automatic, regular backups are great for getting back to work quickly when something happens to your computer, phone, or tablet, but it's also important to back up important files separately, too. If an important file is only in your regular, automatic backups, you could find yourself without information you need if you accidentally delete it and don't notice until after the oldest automatic backup containing it gets replaced. You're also protected from malware deleting an important file, like in one of the stories we're covering later in this newsletter.

You don't necessarily need a separate cloud storage account or separate hard drives for manual backups of important data, though it doesn't hurt to keep them as separated as is practical for your workflow. Even if you aren't using different accounts or hard drives for these manual backups, you do want to make sure you're storing the backups of these files in places you won't accidentally overwrite in the course of your periodic, automatic backups.

To hear more about our backup strategies, check out our episode "Backups."

In the news

Like Norway in 970, be prepared for attacks from Bluetooth: The February 2020 Android patch level includes fixes for two "critical" security bugs in Android's Bluetooth code. A group of researchers have posted a quick description of one of the bugs, which allows anyone in range of your phone to take control of your phone's Bluetooth driver, as long as you're running Android version 8 ("Oreo") or 9 ("Pie"). If you're on Android 10, the attack isn't as powerful and merely crashes the Bluetooth driver, downgrading it to just "high" instead of "critical." While the exact explanation of why the bug can't be fully exploited on Android 10 hasn't yet been published, the Android patch notes say in general, "Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform." The researchers also noted that they weren't the first to find the bug: by the time they discovered it (in the process of looking for a Bluetooth firmware bug), they found that a fix was already in the Android open-source code. The other bug allows an app to share contacts over Bluetooth even if you haven't given the app contacts access. If you have an Android phone, make sure your manufacturer has made these updates available to you.

More software updates: Microsoft and Adobe both released patches for "critical" vulnerabilities last week. While many of Microsoft's patches only affect business products, there are a few in Windows, including one actively exploited vulnerability in Internet Explorer. Adobe Flash and Reader also have important patches for actively exploited vulnerabilities, so if you have them installed, make sure you update them too (or better yet, try to uninstall Flash, which will be desupported later this year anyway).

Don't forget to update your drivers: Every internet-connected device has its own risks to privacy and security, and internet-connected cars are no exception. Security advocate Brian Krebs has a story about a driver who had leased a Ford electric vehicle between 2013 and 2016 and recently learned that his MyFordMobile.com account was still linked to the car when he received an alert about the car's clock by email. Even though he hasn't driven the car for four years, he still has access to maps of where the car has driven and can even remotely unlock it and start the engine. Ford dealers are supposed to "master reset" cars that are returned at the end of a lease, which should unlink any cloud account, but that step was apparently forgotten here. If you're buying or leasing a used car, check if there's anything like this that you should reset to make sure nobody else has access. Conversely, if you're getting rid of your car, you may need to both do a factory reset and clear out other information from the car like logged-in mobile apps and garage door codes.

Emotetris: The Emotet botnet has a new trick up its sleeve for spreading: finding nearby wifi networks with weak passwords, connecting to them, and then trying to attack devices on those networks. Even if you're careful about which devices you let onto your network, you also need to make sure your wifi password can't be easily guessed - especially if you're in a densely-populated apartment building or dorm.

Stalkerware? But I just met her: According to a recent poll from antivirus provider NortonLifeLock, 1 in 10 Americans divulged they've installed stalkerware on their partner's or ex's devices, and men are most likely to use it. It's really disheartening to hear how prevalent this sort of surveillance is, though it's not entirely surprising given how many users stalkerware companies boast. Unfortunately, stalkerware is designed to leave no trace, which is why we keep close watch over our devices. If you've ever had reason to distrust someone who's had access to your phone or computer, you should make sure everything you need is backed up, then start over from a factory reset.

Ransomwhere: Typically, ransomware attacks don't take any of your files; they just encrypt your hard drive so you can't get to them either. That model is starting to change with the targeted Maze and REvil ransomware attacks: to help ensure payment, attackers are now stealing data rather than just encrypting it and forcing you to rely on a backup. After making a copy of your data, the ransomware can remove it from your system and then wait for a period of time it believes will outlast the retention of any automatic backups you have - that is, if an attacker thinks you only keep backups for six months, they could remove part of your data and wait six months to ransom it.

Automated backups are great for getting your system back on track quickly if you know you have a backup that predates infection, but if you can't be sure you have a backup that predates the ransomware, you're better off starting from a fresh reinstall. For this reason, we recommend manually backing up important files somewhere separate from your automatic backups where they won't get overwritten or deleted by accident. (As we mentioned in today's tip of the week, this is also really helpful if you accidentally delete an important file and only notice after your last automated backup got replaced by a newer one.) Unfortunately, even if you have manual backups of everything you need, the attacker can still ask victims to pay a ransom to prevent them from leaking their data, but fortunately, the new attacks are slow and somewhat involved - they require the attacker to keep files from everyone they've infected - so they're unlikely to be deployed in a non-targeted fashion.

You have become the very thing you swore to destroy: The Intelligent Tracking Prevention feature in Apple's Safari browser blocks websites that appear to be engaging in tracking, and it turns out that this feature, itself, requires the browser to keep track of websites. In turn, a sufficiently clever tracker could trick the browser into essentially making unique identifiers for each visitor based on figuring out what ITP blocks and what it doesn't. After Google researchers put together a realistic attack, Safari fixed the bug in December by limiting the ability of websites to figure out what ITP is doing, and the researchers published an academic writeup of the attack last month. As Bruce Schneier comments, the lesson isn't that such features aren't worth trying, it's that they're genuinely difficult problems. One advantage for those trying to solve them is the ability to push frequent browser updates, which make it easy to respond to such issues with prompt fixes.

Electronic voting infrastructure as solid as ketchup: In last week's "What we're reading" section, we discussed the risks of online voting and specifically West Virginia's use of a blockchain-based mobile app called "Voatz" for elections. A group of MIT researchers reverse-engineered the Voatz app and found weaknesses, including the ability for the server to silently change vote counts as well as the risk of someone on your network being able to tell how you're voting. Their paper describes the inner workings of the app, none of which is officially documented or explained - including a strange custom cryptographic protocol involving the client and server both making 100 keys and throwing away all but the 57th.

What we're reading

A light bulb went off and companies decided to spy on your emails for profit: Motherboard takes a look at "How Big Companies Spy on Your Emails," including the Edison email app, Foxintelligence's inbox "clean up" tool Cleanfox, and Rakuten's online shopping assistant app Slice. In general, we are skeptical of anything that needs to read through your email to help you out because we generally expect our emails to be private, but at least these tools do mention that they are in the business of selling insights based on their users' emails. This hasn't always been the case: unroll.me, another tool that helps you see what email lists you're on and helps you unsubscribe from them, wasn't as upfront with its users a couple of years ago, and many users weren't informed about how the company was monetizing data gathered through reading their inboxes until The New York Times published a piece on how Uber was using this data to keep an eye on how their competitor Lyft was doing.

Edison, one of the companies mentioned in the Motherboard feature, very carefully presents an incomplete picture of how they use data gathered from their users' inboxes on their email product's site. There, Edison says they read your email to keep their product free while they also "protect your privacy by rejecting an advertising-based business model," which feels a bit disingenuous as they're directly monetizing information from your inbox instead. Further, that same product page points potential users to an Edison Trends "research page," which shows only aggregate insights such as "Starbucks Took 84% Food Delivery Market Share vs. Dunkin'" and "In Holiday Game Blitz, Call of Duty: Modern Warfare Won 175% More Online Sales Than Star Wars Jedi: Fallen Order." However, Edison also provides substantially more detailed consumer data gathered from their email customers' inboxes through their Trends Direct product. Edison "prohibits all Edison Trends subscribers from attempting to re-identify users or use the information we share for any purpose other than creating aggregate reports and understanding commerce trends," but their Trends Direct product does contain detailed enough information to pinpoint individuals if a bad actor were willing to violate their terms of service.

First, do no harm (some financial restrictions may apply): We talked about how credit reports can have incorrect information in our episode "Credit and debit card security," and while it's frustrating that the burden is on individuals to make sure their reports are accurate, it would be even worse if credit scores were based on completely opaque reports. The Tools We Need, a privacy advocacy blog written by journalist-turned-software-engineer Keith Axline, discusses a new medical credit score, which you can neither see nor audit. We're frustrated that Experian has moved into this newer, less regulated space without providing at least the limited transparency they provide for regular credit scores, and we're also disappointed that hospitals, ostensibly places that should be providing care to those in need, are choosing to use this data. As seems to be a common theme with these newsletters, more technology (and more personal data) doesn't automatically make things better.

Open source and security: While we're both personally advocates of open-source software as a means towards self-determination over your technology, we don't usually advocate it at Loose Leaf Security because it's often the wrong tradeoff in practice for personal security. For instance, in our survey of password managers, we note that the open-source options are generally the least integrated and require you to manage your own mechanism for syncing passwords between your devices. Having the ability to both know and control what's running on your devices is valuable, though, and we hope it becomes the norm. Two stories put this on our mind recently. First, Google announced an open-source software core for security keys, which you can, in theory, install onto your own hardware: it runs on a programmable USB and Bluetooth dongle sold by Nordic Semiconductor which you can buy for as little as $10. Google says that if you do so, you'll get a "fully functional" FIDO security key but they still consider it an "experimental research project" for the time being. Our own security keys are all closed-source and uninspectable, which is mostly fine because we use them as a second factor (although for the same reason, it's probably fine to use the experimental open-source security key if you're so inclined, especially if you have a backup authentication method). Google's own security keys have had a vulnerability in the past, so we're definitely excited to see this project take root.

Second, in late January, a legal settlement revealed that a health-records software maker had cut a secret deal with a pharmaceutical company to encourage doctors to prescribe addictive opioids. When a doctor filled in a patient's chart, they'd be prompted about the patient's pain level and then asked if the patient had received enough care - while also suggesting a prescription of OxyContin. The software company, Practice Fusion, gained popularity by offering free, cloud-based, ad-supported electronic medical records. When we use software written by other people that we have no ability to inspect or change, we're trusting them to treat our data responsibly, and the increasing prevalence of ad-supported cloud services (not to mention inscrutable AI decisions) makes that trust questionable.

Before we go...

Researchers at the University of Chicago have developed a microphone jamming bracelet to prevent voice-activated assistants from understanding the wearer's conversations. It may still be a little too bulky to be considered high fashion, but we're pretty sure cyberpunk never goes out of style.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey