Loose Leaf Security Weekly, Issue 24

Happy March, or as at least one Excel spreadsheet put it, "Maruary."

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Location data can be used for a lot more than just helping you get where you need to go or find a nearby tea shop: apps can sell your location data to both advertisers and the government. A few weeks ago, we mentioned that we've both tried turning location data off for every app we use to see if we actually felt like we benefited from those apps having access to our real-time locations. We recommend everyone try this - it's the best way to truly see if you need to give an app location data.

You may find that some apps work better for you with location data on, and for those apps, we'd recommend limiting their access as much as possible. (You likely don't need an app to have access to your location all the time.) If you're on iOS, you can even have an app ask for permission to get your location every time it needs it if you choose "Ask next time." We've had pretty good luck with this ourselves, as we noted - Geoffrey still has location data on for a couple of apps like maps (mostly for precise location tracking when biking), but Liz was pleasantly surprised to find that removing all location access and typing the occasional address hasn't been too annoying.

In the news

Firefox turns on DNS over HTTPS for US users: Even when you connect to an encrypted HTTPS website, a little bit of information travels over the network unprotected. One important part is your request to the Domain Name System (DNS), the service that turns human-friendly names like "looseleafsecurity.com" into routable numeric addresses. DNS is a federated system, and typically you'll connect to a DNS server run by your own ISP, which forwards the request on to other servers if it hasn't seen the answer recently. While this system works very well, it's also an opportunity for your ISP to see which sites you're visiting, use that data for advertising, or even lie about the results.

As a result, Mozilla and many others have been working on a system called "DNS over HTTPS," where your DNS request goes over an HTTPS connection to a central server, bypassing your ISP. Firefox is now enabling DNS over HTTPS by default, in a partnership with Cloudflare and NextDNS, who run the DNS over HTTPS servers. (You can check or change this in Firefox's network settings, where it appears as "Enable DNS over HTTPS"; the underlying preference in about:config is network.trr.mode.) While this change ensures that your ISP doesn't see your DNS traffic, it's not without controversy. The most vocal group of opponents are people who operate networks and for whatever reason do want to inspect or modify DNS traffic, often at companies and schools with content filters installed. While DNS over HTTPS might be bad for them, it's arguably good for the actual Firefox users who want to visit pages without being monitored. (IT departments have a variety of other ways to monitor activity on computers they actually run, and they're also able to disable the Firefox feature and use their own DNS servers, so this primarily affects people who provide wifi for employees' personal devices and want to watch how it's being used.) There's also a valid but rare concern about the specific choice of providers - Cloudflare and NextDNS are both subject to US jurisdiction (though Firefox is only enabling this for US users, for now), and Cloudflare has made privacy missteps in the past. Still, the question isn't so much whether you trust Cloudflare and NextDNS as whether you trust them less than you trust your ISP - keep in mind that these companies don't trivially know your real identity, but your ISP, who is probably sending you bills, does. One caveat worth knowing: DNS over HTTPS only protects the lookup. When your browser then connects to the site, the server name is still sent unencrypted at the start of the TLS handshake, so an ISP that wants to know which sites you visit can still usually find out from that. We think this is a good move and the right default; you can turn it off, but it's the extremely rare user who'd want to do so.

A new permission prompt in uBlock Origin in Firefox: If you're using Firefox and you have the uBlock Origin unwanted content blocker installed, note that the latest version of the extension requires you to approve a new permission, which Firefox calls "Access IP address and hostname information." The permission is a bit confusingly named: uBlock Origin isn't asking for your IP address or hostname information. It just needs the ability to make DNS requests about sites you're visiting to fight back against a way that advertisers/trackers are trying to sneak past its filter to correlate your identity across multiple sites. To prevent blockers from detecting third-party trackers, some sites have started creating names under their own domain that are just aliases (DNS "CNAME" records) for a third-party site. (For example, if we were running third-party trackers - which we don't - we might be asked to make something like "analytics.looseleafsecurity.com" and point it at the third party.) With the ability to make DNS requests, uBlock Origin can resolve the first-party-looking name, see that it's really an alias for a known multi-site tracker's domain, and block that request too. Note that Firefox won't enable an updated extension that asks for a new permission until you approve it, so if you rely on uBlock Origin, make sure to go to the extensions screen and grant the new permission.
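Both of the stories above come down to what a DNS lookup actually looks like and what a client can learn from the answer. The following Python is an added example, not code from this newsletter, Mozilla, Cloudflare or uBlock Origin: it builds the DNS query a browser would send for a name, encodes it as an RFC 8484 DNS over HTTPS GET URL (the endpoint is assumed to be Mozilla's Cloudflare one; any DoH resolver takes the same form), then parses a constructed response in which analytics.looseleafsecurity.com is a CNAME for a made-up tracker.example.net and applies the CNAME-uncloaking check that uBlock Origin's new permission enables. The blocklist, the response, and tracker.example.net are all constructed for this example; looseleafsecurity.com runs no such name.

```python
import base64
import struct

# Assumed for illustration: Mozilla's Cloudflare DoH endpoint. Any RFC 8484 resolver works the same way.
DOH_ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"
# Constructed blocklist standing in for uBlock Origin's real filter lists.
TRACKER_DOMAINS = {"tracker.example.net"}


def encode_name(name):
    """DNS wire format for a name: length-prefixed labels ended by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1):
    """A minimal DNS query: RD set, one question, ID 0 as RFC 8484 suggests for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: the raw query, base64url-encoded with '=' padding stripped.
    The browser sends this over HTTPS with Accept: application/dns-message."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_answers(msg):
    """Return the answer section as (owner, type, value) tuples for A and CNAME records."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                  # skip qtype and qclass
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                            # CNAME: rdata is itself a (compressible) name
            records.append((owner, "CNAME", read_name(msg, off)[0]))
        elif rtype == 1:                          # A: four raw octets
            records.append((owner, "A", ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return records


def canonical_name(records, name):
    """Follow the CNAME chain from name to the name that actually carries address records."""
    aliases = {owner: target for owner, rtype, target in records if rtype == "CNAME"}
    seen = set()
    while name in aliases and name not in seen:   # guard against CNAME loops
        seen.add(name)
        name = aliases[name]
    return name


def is_cloaked_tracker(records, name, blocklist=TRACKER_DOMAINS):
    """CNAME uncloaking: block a first-party-looking name when it is an alias for a
    blocklisted domain, even though the name itself appears on no list."""
    canon = canonical_name(records, name)
    hit = any(canon == d or canon.endswith("." + d) for d in blocklist)
    return canon != name and hit, canon


def constructed_response(query):
    """The response a resolver would return in the constructed scenario:
    analytics.looseleafsecurity.com is a CNAME for tracker.example.net, which has an A record."""
    question = query[12:]
    ptr_qname = b"\xc0\x0c"                                   # pointer to the question name at offset 12
    cname_rdata = encode_name("tracker.example.net")
    cname_off = 12 + len(question) + len(ptr_qname) + 10      # where cname_rdata lands in the message
    ptr_cname = struct.pack("!H", 0xC000 | cname_off)         # second owner name points back at it
    answers = [(ptr_qname, 5, cname_rdata), (ptr_cname, 1, bytes([192, 0, 2, 10]))]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA set
    body = b"".join(owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
                    for owner, rtype, rdata in answers)
    return header + question + body


if __name__ == "__main__":
    q = build_query("analytics.looseleafsecurity.com")
    print(doh_get_url(q))
    recs = parse_answers(constructed_response(q))
    print(recs)
    print(is_cloaked_tracker(recs, "analytics.looseleafsecurity.com"))
```

A real DoH response arrives as the HTTPS body with the same wire format, so parse_answers applies unchanged; with an ordinary UDP resolver it's the same bytes without the HTTPS wrapper, which is exactly what your ISP gets to read. uBlock Origin itself asks Firefox's built-in resolver through the extension DNS API rather than sending raw queries, but the record-level logic is the one shown here: the name the page requested is harmless on its own, and only the canonical name reveals the tracker.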

Throw away the key, then lock the door? Researchers at security company ESET found a bad flaw, which they've called "Kr00k," in the firmware of a popular brand of wifi chip. They've written a white paper with the full details about the bug, but it's pretty straightforward (and serious). When these chips disconnect from a wifi network, they'll clear out the encryption key they're using for sending packets. However, the affected chips will then send any data they hadn't finished sending - encrypted using the zeroed-out key, which anyone listening can trivially decrypt. Since an attacker can make your device disconnect (as we discussed in January, wifi "deauthentication" messages aren't secured in any way), they can use this bug to inspect traffic you send. The attacker does have to be within wifi range, and this only strips the wifi network's own encryption: anything you send over HTTPS or another encrypted connection is still protected by that layer, which is one more reason to care that sites use HTTPS. The vulnerable chips are sold under the Broadcom and Cypress brand names and can be found in many phones, including some Apple iPhone, Google Nexus, and Samsung Galaxy models, as well as other devices like some MacBooks and Amazon Kindles. The chips can also be found in wifi routers from Asus and Huawei. For phones and similar devices, software updates may already have patched the bug (Apple released updates in October), but if you're not in the habit of updating your router, now is a good time to check.

PayPal hasn't been a good pal lately: PayPal hasn't been doing too well in security news of late. First, a group of researchers wrote about their miserable experience trying to disclose security bugs to PayPal, including a way an attacker can bypass two-factor authentication and a way to get around an anti-fraud mechanism if an attacker who's broken into your account is trying to steal your money. The researchers reported that PayPal didn't see the two-factor bypass as a security problem, since the attacker had to also have your password, but that doesn't really make sense since the entire point of two-factor authentication is protection in addition to your password.

A separate group of researchers found a weakness in how the PayPal app links to Google Pay for contactless payments on Android phones. This link will generate a virtual credit card number and card verification code, but the range PayPal uses for these numbers is very small: the researchers found that one in every 170 random guesses will lead to a valid, registered card number and CVV. Users in Germany have been reporting fraudulent transactions involving linking PayPal and Google Pay, and while there's no official confirmation of the cause, it sounds very likely to be related to this discovery.

For both of these vulnerabilities, we'd give the same advice that we gave in our episode about credit and debit card security: make sure you have notifications of all activity in your PayPal, either via push notifications on your phone or via email or some other mechanism, as well as all activity in any bank account you've linked to PayPal. The faster you can report fraudulent transactions to both PayPal and to your bank, the better. Also, make particularly sure you have a strong, random password on your PayPal account since you may not be able to count on their two-factor authentication system to work, and disable the Google Pay link if you're not using it.

Area man opts out of smart apartment: We enjoyed this brief Twitter thread from Dave Cochran, who came home one day to find that his apartment building was getting "smart" locks and lights connected to an app. He reached out to Lesley Carhart, a security researcher who had her own experience of getting a "smart" apartment and has written about threat modeling and the risks of smart locks, and then followed up with questions to his leasing office about the security of these systems. In the end, he got the option to opt out and keep his regular key.

A clearer view into Clearview's clients: Clearview AI, the secretive company that is building a massive facial-recognition database from public photos, suffered a data breach that exposed its list of customers. Among the clients are the US Department of Justice, the FBI, and several local police departments, as well as companies like Macy's and a number of schools and universities. The breach appears to be of a marketing list, including potential customers who had just run demo searches. BuzzFeed News pushed several companies on the list for explanations and got a few of them to admit that they'd tried out the software, but many more denied that they were a customer. Clearview's lawyer disputes the accuracy of the list and also wrote in a statement, "Unfortunately, data breaches are part of life in the 21st century." True, but perhaps that says something about whether it's a good idea to build a giant database of everyone's faces.

TODAY is a great time to switch to end-to-end encryption: The TODAY Show talks to the EFF about the security of apps like WhatsApp and Signal. They point out, correctly, that the biggest risk to end-to-end encrypted apps is that they can't keep your conversations secure if your end, your phone, isn't secure. They demonstrate this on air by having their reporter visit a demonstration phishing page set up by the EFF staffer, who is then able to log into iCloud and see private photos that were backed up. So it's important to make sure both that your phone has a strong passcode and that you keep your phone's associated account (e.g. iCloud or Google) secure, preferably with a password stored in a password manager and with two-factor authentication. There's nothing really new in this video, but we're happy to see good mainstream coverage of security and of the value of end-to-end encryption.

Android cracks down on location data used in the background: Google has announced that Android apps requesting the ability to access your location information in the background will need to justify that access. People evaluating apps for the Play Store will consider whether background location access is necessary, useful, and something users would expect the app to use. We think this is a good step for Google to take, as it should help cut down on obviously malicious apps asking for more than they need.

However, an app that gets past this vetting still doesn't necessarily deserve access to your location at all times - having a legitimate use doesn't necessarily mean it's right for you. Plus, location data collected for a legitimate reason could still also be used for ad tracking or even government tracking. As we mentioned in our tip of the week, it's worth trying all apps with location data turned off to see if you really benefit from their having that access. It's important to decide for yourself whether an app deserves sensitive information like location data.

The best security advice for most people isn't a product recommendation: Wirecutter, the product review website, recently tweeted a link to their 2018 article, "The Best Internet Security." While the article's overall approach is reasonable - they say you need to keep your devices updated and get into good security habits - they also suggested a paid antivirus product, saying, "The security experts we interviewed recommended that most people install Malwarebytes Premium on Windows and macOS," despite none of the security experts actually suggesting people install antivirus software. Kevin Purdy, the author of the article that contains the questionable antivirus product recommendation, states his original draft made it clear that antivirus wasn't recommended by the experts in the article and suggests the anti-recommendation got muddied after the article was out of his hands and in editing. The experts they talked to generally had similar advice to our own episode about antivirus software: you'll be a lot more secure by being thoughtful about what you download and where you get apps, and while it depends a bit on how you use your computer, you probably don't need anything more than what your OS has built in.

While we often find product recommendation sites like Wirecutter useful for things like deciding on the right electric tea kettle, we're more skeptical of their business model when it's applied to digital security because different people should have different threat models. This is a big part of why Loose Leaf Security tries to avoid specific product recommendations - it's almost always more important to understand the right approaches than to find what happens to currently be the "best" product. Also, it's a lot more important that you find a password manager or a two-factor token that you'll actually use reliably than to make sure you have the shiniest or coolest one.

What we're reading

Latacora on the false promise of encrypted email: The folks at security consultancy Latacora have a blog post called "Stop Using Encrypted Email." Their argument, in short, is that encrypted messaging apps like Signal (or WhatsApp or many others) are built to be secure in a way email isn't, and retrofitting good security on email is a lost cause. For example, people regularly quote emails they're replying to, so one failure to have encryption work properly will reveal the entire conversation. Messaging apps don't do this, and apps like Signal don't even have the option to send unencrypted messages in the first place (an ever-present risk with email). Even though the post focuses on the specific applications of email and secure messaging, the lessons are applicable to reliably secure systems in general: the real-world problems are less about the mathematics of encrypting and decrypting messages (essentially a solved problem) than about the larger questions of app design, keeping encryption keys secure, and so forth.

"The Spooky, Loosely Regulated World of Online Therapy": Jezebel takes a look at how online therapy companies BetterHelp and Talkspace aren't just in the business of matching patients to therapists - they're also in the business of selling your personal data. BetterHelp uses a short survey as a part of their "intake" process, which asks for basic personal information as well as questions about the patient's mental health, and this information, along with metadata from patient sessions, is shared with companies like Facebook, Google, Snapchat, and Pinterest. (BetterHelp's FAQ states that the content of therapy sessions is encrypted, even if metadata such as when and for how long users are having therapy sessions is leaked.)

BetterHelp also sends more detailed anonymized information to the business analytics firm Mixpanel, and so does its competitor Talkspace. Mixpanel analyzes user behavior across sites and apps for companies like Uber, Expedia, Airbnb, and BMW. Jezebel states that while the information from BetterHelp is anonymized in accordance with HIPAA protections, it's "often quite easy to match it back to an individual patient." Unfortunately, this isn't particularly surprising - we've talked about the limited protection basic anonymization provides before in this newsletter. One ex-employee of Mixpanel told another former employee, Anna Wiener (author of the recent Silicon Valley tell-all Uncanny Valley), "We worked at a surveillance company," and while app activity surveillance isn't all that surprising these days, it's particularly disappointing coming from a healthcare service.

The other kind of anti-virus...

There's a lot of talk and fear surrounding the coronavirus, but just like with digital security, it's worthwhile to think carefully about which threat models make sense and which don't. We really like UNC professor of information science and sociology Zeynep Tufekci's practical guide to preparing for the coronavirus.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey