Loose Leaf Security Weekly, Issue 23

Happy Sunday! Today we've got tips on how to stay safe on public wifi and how to keep your Twitter account safe from your former employer. We hope you're enjoying your newsletter - if you are, tell your friends to sign up too, because good digital security and privacy is for everyone!

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

While the web as a whole is steadily moving towards HTTPS, the encrypted and authenticated version of HTTP that makes sure data sent to or from a website can't be intercepted or tampered with in transit, there are still a few good reasons to use the HTTPS Everywhere extension from the Electronic Frontier Foundation, available for Chrome, Firefox, and Opera. HTTPS Everywhere was built back when many websites supported HTTPS but didn't use it by default, and while that's much less common nowadays, upgrading you to HTTPS when a site supports it is still somewhat useful. The extension has another useful option, though: the "Encrypt All Sites Eligible (EASE)" mode, or as we like to call it, "HTTP nowhere." With EASE mode enabled, the extension will prevent you from visiting unencrypted HTTP sites at all: if a site doesn't support HTTPS, the extension blocks it entirely instead of quietly falling back to plain HTTP.

So, if you're using EASE mode, how do you visit those sites that do not support HTTPS at all (like one of our links today)? One reasonably safe option is to only view those sites in private browsing / incognito mode. The site content and anything you send to the site still won't be protected - anyone on the network can read or alter that page - but private browsing ensures that your browser won't send any of your existing cookies, including cross-site tracking cookies from advertisers, and that anything the page drops (cookies, cached scripts or other components) is thrown away when you close the window rather than lingering to affect your normal browsing. If you're on an untrusted connection like public wifi, the combination of EASE for most of your work and private browsing for the occasional HTTP site is a good way to significantly reduce your exposure to anyone who might be trying to mess with your network connection. Firefox, Chrome, and Opera all let you control whether an extension runs in private/incognito mode (Chrome keeps extensions out of incognito unless you opt in), so if you make sure HTTPS Everywhere is disabled there, that gives you a simple way to bypass EASE mode for private browsing only.

In the news

Chrome will block insecure downloads: We've previously discussed "mixed content," the problem of secure HTTPS websites including resources like images or even code from unsecured HTTP connections. Chrome and other browsers have been slowly restricting mixed content for years, but Chrome is now tackling a similar problem: secure websites offering downloads from unsecured locations. Since there's no lock icon or address bar for a download, it's not always obvious when an encrypted, authenticated website is sending you a file - possibly even an application - from an unauthenticated and unencrypted source, where anyone on the network path could swap the file for something else. Starting in April, Chrome will start warning on these downloads, and later in the year, it will start blocking them.

Alexa, play Surfin' USA: A team of academic researchers has figured out an innovative way of messing with the voice-based assistant on your mobile phone: sending ultrasonic guided waves through a table's surface to cause your phone to "hear" words and phrases that aren't audible to humans, an attack they call "SurfingAttack". While it's probably unlikely that anyone is going to put a device under a coffee shop table just so they can tell your phone "Hey Siri, call this 900 number," it's certainly an innovative attack, and might be another good reason to turn off your voice assistant if you're not using it.

A wiretap Ring? There are many reasons to be worried about smart doorbell cameras like Amazon's Ring, whether you're a homeowner or just someone passing by a camera. A case in New Hampshire brings up another question: do these cameras violate state wiretapping laws by recording audio without consent? If this argument holds, it's likely to make these cameras a lot less useful for homeowners who wish to record evidence of crimes.

Can you prevent a virus from going viral? The Chinese government's response to the novel coronavirus outbreak has given us a glimpse of the capabilities of its surveillance apparatus, as the government tries to control the spread of both the virus itself and information about it. Reuters reports on the use of surveillance techniques to track people suspected of being infected, leading with a story about a man who had been on a business trip to a city with a number of coronavirus cases and was tracked via license plate and facial recognition. They also spoke with two surveillance camera firms that claim to be able to detect people with fevers with infrared cameras.

Meanwhile, the Chinese government is using its close relationship with popular messaging app WeChat to identify and silence criticism about its handling of the outbreak. VICE News spoke to some US-based users of WeChat, often trying to talk to friends and family in China, who have found that while they haven't quite been banned from the platform, their ability to send messages was silently removed. Some users in China have been suspended from WeChat, and as Hong Kong-based reporter Rachel Cheung points out, this is more than just losing access to messaging - in China, WeChat (Weixin) also powers payments, taxi hails, and many other services, meaning there's a lot of pressure not to do anything that could potentially endanger your WeChat account. For those of us outside China, both of these responses show a preview of how our own countries might use similar tools in a crisis: our own governments' surveillance programs and the centralization of our online data in the hands of a few private companies would allow for similar levels of control.

Don't trust devices with government back doors, says the US: The United States government has been sounding the alarm for years about Huawei, a popular Chinese manufacturer of networking infrastructure equipment. According to a Wall Street Journal report, US officials have evidence that Huawei does have access to the networks built with its equipment, and have been sharing that evidence with close allies, even though they haven't made it public. The US government has previously criticized Huawei because of its ties to the Chinese government and its obligation to comply with Chinese government requests for data, and the FCC recently voted to stop funding projects using Huawei equipment. Meanwhile, the US government continues to pressure US-based communications companies into setting up backdoors for law enforcement.

Playing hardball with Twitter account ownership: Lucas Hann was a volunteer writer for sports media site SB Nation who later became a paid contractor. He created a Twitter account @ClipsNationSBN to promote his posts about the Los Angeles Clippers. When SB Nation notified him they were ending the contract (in the wake of the recent California law reclassifying many contractors as employees), he renamed the account to @213Hoops to promote the new independent site he was setting up. Shortly thereafter, SB Nation executives regained control of the account with the help of Twitter, and even though he tried to reset the account's password and set up two-factor authentication, they regained the account again and changed the email address. At the moment it's been renamed to @SBNClipsNation [sic] and set to private, and Hann made a new @213Hoops account.

Hann argues that the account was his because he set it up independently when he was a volunteer for SB Nation and he wasn't asked to do so on behalf of the company. Twitter, presumably, sees that an account that was called "ClipsNationSBN" belongs to SB Nation - even if it has been renamed. Our takeaway here is to be very careful with the use of trademarked names in accounts and assume that the major social media platforms will generally side with trademark owners, so if you want people to keep following you if you leave your company, make sure your account is clearly a personal account (and perhaps also have a separate account for your work). Furthermore, tools like two-factor authentication are great against unaffiliated hackers, but they are not tools that will help you in account disputes mediated by the platform, legal disputes, or similar scenarios. We're not sure what should have happened in this case, but we aren't surprised that adding a second factor didn't give Hann clear ownership of the account.

Facebook draws the ire of regulators: Facebook was ready to expand its new Facebook Dating product in Europe on the day before Valentine's Day but was forced to delay the launch after failing to give proper notice to the Irish Data Protection Commission, the national regulator that is the company's "lead authority" for data protection under the GDPR. Facebook first contacted the commission ten days before the launch and did not provide a legally required Data Protection Impact Assessment, so regulators showed up at its offices the week of the launch to demand documents - eventually finding a completed assessment. The commission has more questions for Facebook, which released a statement saying, "It's really important that we get the launch of Facebook Dating right so we are taking a bit more time to make sure the product is ready for the European market." While the GDPR has resulted in several fines against people or groups misusing data, ranging from Google to a nosy German police officer, this is a more practical long-term effect of the GDPR: ensuring that services properly consider privacy before they launch.

What we're reading

Using dating apps without letting your privacy get punk'd: MTV has stepped into the security world with a guide to maintaining your privacy while dating online. (We appreciate their interest in privacy and wish they'd have also decided their own visitors' privacy was important by securing their site with HTTPS.) They correctly point out that dating apps can sell information in your profile to third-party advertisers, which we've discussed before in this newsletter, but the bulk of the article discusses tips about how to limit how much personal information you include in your profiles while still representing yourself accurately. For example, online dating coach Julie Spira suggests choosing a birth date within the same year as your birth so you're neither pretending you're a different age nor giving away your date of birth. Other tips include keeping your workplace and education history out of your profile, and "speaking in future tense" about things you want to do instead of talking about things you've already done. Even if you're not going to try online dating any time soon, the article is worth a read: many of the same privacy suggestions are worth thinking about for social media accounts as well, especially pseudonymous ones.

The high cost of free budgeting tools: Yodlee makes personal budgeting tools, which it markets both directly to consumers and indirectly through banks and other financial service companies. It also resells aggregate data about customer behavior, thanks to the access it has to people's accounts through these tools, which has made it the largest financial data broker in the US. While the company claims that the data it resells is anonymized, Motherboard recently obtained a confidential document showing that the data contains unique identifiers that could de-anonymize it. The data appears to be only pseudonymous, according to Professor Yves-Alexandre de Montjoye of Imperial College London, whose research we've linked to before: he designed a model to estimate how re-identifiable individuals are within an anonymized data set. Additionally, Rutgers University professor Vivek Singh points out that having just three to four of the transactions Yodlee provides is likely enough to identify an individual. Unfortunately, Yodlee's claim that it "meet[s] or exceed[s] leading industry standards of de-identification processing" isn't very meaningful when those standards aren't likely to result in actual anonymity.

Yodlee also says it doesn't allow its clients to try to re-identify any consumer from the data, but it has also admitted in an SEC filing that it does not audit those clients to make sure this is true. As we discussed last week regarding the Edison Mail app and the data sold by Edison Trends, a bad actor willing to violate the terms of service could pinpoint individuals. While better regulations on the use of private data (like the GDPR or CCPA) would likely help here, an immediate practical step we can take is to be wary of apps like Yodlee and Edison that offer "free" services linked to highly personal data like financial transactions or email, and to understand why they're offered for free. Yodlee competitor Mint, for instance, mostly makes money by advertising credit cards and other products at you based on what it knows about your accounts - which you might find more (or less) comfortable than having your data resold - but it does also resell aggregate data.

The best intentions...

An internet-connected smart candle with a real flame - what could possibly go wrong?

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey