Loose Leaf Security Weekly, Issue 25

We're a bit sad to admit daylight savings time caught us both by surprise on Sunday, but hopefully, security issues won't catch you by surprise because you read this newsletter.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Strong passwords and two-factor authentication aren't just for the accounts you use every day. If you've got old, inactive accounts that you're keeping around, it's worth making sure you remain in control of them. There's probably still data in them that you want to keep private, and as we cover in one of our stories this week, old accounts with weak passwords are an attractive target for hackers who resell established accounts to get around spam filters. Many sites have added stronger forms of two-factor authentication in the last few years, and for those of you who only started using a password manager recently, you probably have weak passwords for the accounts that you set up a while ago. See if there are accounts you haven't logged into in a while (old email addresses, social media services that you haven't kept up with) and bring them up to your current security standards.

Alternatively, if you no longer want the account, maybe it's best to just delete it. We'd caution against fully deleting old accounts that are associated with either your real name or a commonly used username, though, as you wouldn't want someone else to be able to grab it and impersonate you.

In the news

Clearview AI clearly violating Apple's rules: BuzzFeed News found that Clearview AI, the secretive company that built a massive facial recognition database by aggressively scraping photos on social media, was distributing their app by side-stepping the Apple App Store. BuzzFeed News reported Clearview AI's misuse of the Apple Developer Enterprise Program to Apple, and Apple has since suspended Clearview AI's developer account - a move that effectively renders Clearview AI's iOS app unusable.

The Apple Developer Enterprise Program is designed for distributing internal-use apps within a company, and it's generally incredibly suspicious when companies choose to distribute apps to their customers through this program. (By the way, if you're beta testing an app on iOS, it also would not be distributed through this program, but through a program intended specifically for beta testing, like TestFlight.) As we discuss briefly in our episode "Malware, antivirus, and safe downloads," one of the reasons your phone is generally more secure than your laptop or desktop computer is because it's easy to only use software distributed through your phone's app store, and the Apple App Store and Google Play Store both vet apps as they are submitted and remove apps that are reported to be malicious. If a company only offers their software to you through a program they shouldn't be using with customers, like Clearview AI was doing through the Apple Developer Enterprise Program, or requests you sideload their app like Fortnite tells Android users to do, you probably should seek out a competitor's app that's distributed through your phone's app store or see if you can access their services through your phone's web browser instead. (If using a website works well, creating a bookmark on your homescreen is a great way to get app-like convenience without installing an app.) There aren't particularly compelling reasons for a legitimate company to distribute their apps outside of your phone's app store.

Let us now encrypt famous sites: Let's Encrypt, a service that issues HTTPS certificates for free, recently announced that they've issued their billionth certificate. In years past, HTTPS certificates often cost hundreds of dollars, which discouraged many websites from switching away from unsecured HTTP. Let's Encrypt launched in 2014 as a non-profit certificate authority, with funding from various parts of the tech industry who wanted to see wider adoption of HTTPS. That effort has been successful at changing the norm of the web from HTTP to HTTPS, to the point where sites that ask for login details or credit card information over HTTP are now pretty inherently suspicious, and browsers can now warn about sites missing HTTPS. If your favorite business still has an unsecured HTTP website, even if they hand off payments to someone else, maybe tell them about Let's Encrypt so they can make sure nobody's tampering with their pages when you visit.

Every bread you take: In 2018, Amazon opened the first "Amazon Go" store, a chain of convenience stores in major US cities that replace the usual checkout line with an all-seeing array of cameras and sensors. You enter through subway-style gates by scanning a code on the Amazon smartphone app, and the store watches every item you pick up and put back, charging you automatically as you walk out. Now, Amazon is extending that model beyond just packaged meals and snacks. Two weeks ago, they opened the first Amazon Go Grocery in Seattle, where you can also put fruits and vegetables into your own bag and simply walk out with them because their sensors can watch you pick up loose items, too. Amazon also announced that they're making their "Just Walk Out" technology available to other stores, and they say they've signed several deals already. Amazon will doubtless be using the information from their own stores, including what items you think hard about and put back on the shelf, to adapt its own recommendations to you. For reselling Just Walk Out, they say they'll only use the data for "supporting Just Walk Out retailers," but it remains to be seen what they mean by that.

I got the accounts like Bloomberg: Guardian tech reporter Julia Carrie Wong recently found that whenever she tweeted her not-so-positive opinion about erstwhile presidential candidate Mike Bloomberg, she got a pile of replies from many different Twitter accounts with the same response defending him, word for word, typo for typo. Twitter suspended the associated accounts but couldn't determine who was behind it, and the Bloomberg campaign claimed it wasn't them (and wondered if it was from someone trying to discredit the campaign). In a now-deleted tweet, one Twitter user claims to have recognized the name of one of the astroturfing accounts as a high-school classmate and asked her if she actually sent the reply - she denied it, saying she hadn't been on Twitter for years. One likely possibility is that this account had a weak password and was harvested by a group reselling old accounts for profit. This is one of the reasons we believe it's important to keep track of and maintain your old accounts, as we mentioned in today's tip of the week.

Exterminate extraneous extensions: Security reporter Brian Krebs takes a detailed look into the story behind how malware ended up on Blue Shield of California's website. One employee edited a page on that website with a Chrome extension called "Page Ruler" installed - a gadget that lets you precisely measure things in your browser. A few years back, the original developer of Page Ruler sold the extension, and the new owner added some less-helpful "features" to it. If you're editing a page via a blog or CMS system, the new version of Page Ruler secretly injects malicious HTML code when you save the page.

Unfortunately, the market for reselling or "monetizing" browser extensions seems to be profitable for extension authors precisely because extensions give such a deep level of control over the browser - and extensions like Page Ruler that have a legitimate reason to modify every page fetch high prices. Krebs argues that you should be extremely cautious with browser extensions, even those that seem to have a good reason right now for their permission requests. We agree, and we'd add that you should check whether there's a reason to trust that the author of the extension won't resell it. One reasonably strong assurance would be that it's developed by a trustworthy group and not an individual: for instance, HTTPS Everywhere and Privacy Badger are developed by the EFF, an organization that's unlikely to sell its extensions (and its users) to unknown people for profit.

If it quacks like a third-party tracker: Privacy-focused search engine DuckDuckGo announced the public availability of their dataset of web-based trackers. Since they're a search engine, DuckDuckGo is crawling the whole web anyway and analyzing site content, so they've been able to use that data to try to identify which sites track you across multiple third-party sites. Broadly speaking, there are two approaches to blocking trackers: using heuristics to notice sites that seem to be trying to track you, or building in a curated list of pre-determined trackers. Safari's Intelligent Tracking Prevention takes the heuristic approach, as does EFF's Privacy Badger (although it now ships with an initial list of trackers based on running those heuristics on popular sites, to ensure that it's productive from the moment it's installed). Firefox's Enhanced Tracking Protection, which uses a curated list from Disconnect.me, and the uBlock Origin extension are both examples of the list-based approach. Identifying trackers is a hard problem and neither approach is perfect, so we're happy to see DuckDuckGo's contribution here, generating a list automatically using their web-crawling data. (They've also released their own tracker-blocking extension that uses their list, but we admit that it hasn't cleared our bar for installing yet another extension with full access to our browsing.)
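To make the two approaches concrete, here is an added example (our illustration, not code from DuckDuckGo, Privacy Badger, Disconnect.me, or any other product named above). It runs a curated block list and a Privacy Badger-style cross-site heuristic over a constructed set of page-load records, and shows where each approach misses. The sample domains, the block list contents, the three-site threshold, and the simplified "last two labels" base-domain rule are all assumptions made for the example; a real blocker would use the Public Suffix List and observe real requests.

```python
"""Two ways to decide which third-party domains are trackers: a curated list
and a cross-site heuristic. Added example with constructed data, not the
code of any real tracker blocker."""
from collections import defaultdict

# Constructed sample of page loads: (first-party site the user visited,
# third-party host that was requested, whether the request carried a cookie).
SAMPLE_LOADS = [
    ("news.example", "ads.tracker-one.example", True),
    ("news.example", "cdn.static.example", False),
    ("news.example", "analytics.example", True),
    ("shop.example", "ads.tracker-one.example", True),
    ("shop.example", "cdn.static.example", False),
    ("shop.example", "pixel.newtracker.example", True),
    ("blog.example", "ads.tracker-one.example", True),
    ("blog.example", "widget.social.example", True),
    ("blog.example", "pixel.newtracker.example", True),
    ("forum.example", "widget.social.example", True),
    ("forum.example", "pixel.newtracker.example", True),
]

# Constructed stand-in for a curated list such as Disconnect.me's.
# Note it does not know about newtracker.example yet.
CURATED_LIST = {"analytics.example", "ads.tracker-one.example"}


def base_domain(host):
    """Crude eTLD+1: keep the last two labels. Real blockers consult the
    Public Suffix List so that e.g. 'foo.co.uk' is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(first_party, requested):
    """A request is third-party when its base domain differs from the page's."""
    return base_domain(first_party) != base_domain(requested)


def list_based_trackers(loads, block_list):
    """List approach: a third-party domain is a tracker iff it is on the list."""
    blocked = {base_domain(entry) for entry in block_list}
    found = set()
    for first_party, requested, _cookie in loads:
        domain = base_domain(requested)
        if is_third_party(first_party, requested) and domain in blocked:
            found.add(domain)
    return found


def heuristic_trackers(loads, threshold=3):
    """Heuristic approach (Privacy Badger style): a third-party domain that
    carries cookies on at least `threshold` distinct first-party sites is
    treated as a tracker. Each first-party site counts once, via a set."""
    seen_on = defaultdict(set)
    for first_party, requested, has_cookie in loads:
        if has_cookie and is_third_party(first_party, requested):
            seen_on[base_domain(requested)].add(base_domain(first_party))
    return {domain for domain, sites in seen_on.items() if len(sites) >= threshold}


def compare_approaches(loads, block_list, threshold=3):
    """Show what each approach catches that the other misses."""
    by_list = list_based_trackers(loads, block_list)
    by_heuristic = heuristic_trackers(loads, threshold)
    return {
        "both": by_list & by_heuristic,
        "list_only": by_list - by_heuristic,        # listed, but too few sightings
        "heuristic_only": by_heuristic - by_list,   # unlisted, but seen everywhere
    }


def should_block(first_party, requested, trackers):
    """Per-request decision a blocker would make once a tracker set is known."""
    return is_third_party(first_party, requested) and base_domain(requested) in trackers


if __name__ == "__main__":
    for label, domains in compare_approaches(SAMPLE_LOADS, CURATED_LIST).items():
        print(f"{label:15} {sorted(domains)}")
```

On the constructed data the list alone misses the unlisted newtracker.example, while the heuristic alone misses analytics.example because it was only observed on one site, which is exactly why Privacy Badger now seeds its heuristic with a pre-computed list and why an automatically generated list like DuckDuckGo's is a useful third input.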

Verified to be a fake: CNN has an interview with a high-school student who created a Twitter account for a fake Congressional candidate - and got it verified. The student, who said he was bored over Christmas break, took an image from AI-powered face generator This Person Does Not Exist, added a bio about wanting to "make change in Washington together," and sent the account for verification. He also created a profile on Ballotpedia, which Twitter uses to verify political candidates. Ballotpedia says they frequently see candidates set up an online presence before they even file papers to run, so the behavior didn't strike them as particularly unusual. We tend to trust that big tech platforms will at least mean something when they mark an account verified (even if it's not clear what, exactly, it means to be the verified Thoughts of Dog account), but this experiment shows that even wholly nonexistent people can get the coveted blue checkmark - while real candidates, as CNN points out, might still be overlooked.

Nothing says "deterrent" like a slap on the wrist: We previously covered the FCC's decision regarding cell phone carriers who sold location data, saying that regardless of the size of the fine, it was valuable that they ruled that this was an impermissible use of private customer data. Sadly, it seems like that decision will be the biggest value of the FCC's enforcement action: they issued fines of a fraction of a percent of the major carriers' revenues, an amount that one congressperson criticized as "little more than the cost of doing business."

You can no longer hide behind the mask: Facial recognition algorithms are often thwarted by people who partially cover their faces, including people wearing face masks because of the recent coronavirus, but Chinese company Hanwang Technology Ltd, also known in English as Hanvon, claims they have developed facial recognition technologies that can identify people who are wearing face masks about 95% of the time. Unsurprisingly, one of their big customers is the Chinese Ministry of Public Security, which runs the police.

What we're reading

Panopticovid: China has been employing many strategies to help contain the coronavirus epidemic, and The New York Times reports that the latest is an app made by Alibaba sister company Ant Financial that assigns people a color code of green, yellow, or red that corresponds to their health status. Green means someone can travel freely, while yellow means someone should stay home for seven days and red corresponds to a two-week quarantine. An official web page gives some insight into how colors are determined, but it leaves a lot of questions unanswered. People are confused why they have yellow or red codes despite neither showing symptoms of COVID-19 nor being in direct contact with others who've shown symptoms or tested positive for the virus. These color codes are checked as people move around China, and some housing complexes are even banning those without green statuses from coming back to their own apartments. Additionally, analysis by The Times shows that the app reports its users' locations to the police.

The Times notes that "surveillance creep would have historical precedent" during epidemics, but even if increased surveillance is necessary to contain epidemics, better transparency into the criteria for limiting movement would go a long way to improve public trust. We can think of a lot of criteria, especially in the modern age of social networking, that would be easy to measure but fairly nonsensical. For example, an app could change someone's color status based on their social media connections - even though many connections on social media have nothing to do with who someone has recently interacted with in person. Restricting someone's movement can have a massive impact on their financial, physical, and emotional wellbeing, and while we aren't public health experts by any stretch, we're confused why an app with secretive criteria is being used in place of established criteria built by health professionals that may not even need an app.

Until next time...

If all the security advice in our newsletters fails you, there's always the approach Virgin Media took: repeatedly insist that you can't possibly have been "hacked," you simply left a database unprotected.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey