Loose Leaf Security Weekly, Issue 28

Happy April! Though the world around us seems to be on hold in many ways, security and privacy news isn't slowing down - we're pretty happy to see lots of media attention on Zoom, which we discuss in detail in this newsletter. Also, attackers and miscreants can do their work just as well from home, so there's been no shortage of security updates.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

Among the many types of corporate misbehavior in response to the pandemic is a sudden popularity of software that spies on your personal computer to "ensure" that you're still working. We discussed this sort of thing in our episode "Covering your webcams," in which we also covered the case of a school district that had installed camera-monitoring software on the laptops they sent home with students. Another common case of remote-monitoring spyware is for so-called "online proctored" exams: schools and colleges are often requiring students to install software that both watches their activity on the computer and watches them by webcam. In the episode, we suggested that - if possible - we'd try to get a work-owned or school-owned laptop, and failing that, see if we can use an Android or iOS device instead of a traditional desktop or laptop. While desktop computers generally give any app you download unrestricted access to your files and other apps, mobile OSes support a system called "mobile device management," which lets you restrict what your employer can do (although be sure to check what exact permissions you're giving it).

HR consultant Alison Green recently addressed this issue on her advice blog Ask A Manager, and if this is happening to you, we'd recommend her response for the actual question you're likely to have - how to respond if your company insists that you install spyware on your computer. Green points out that your company is required to pay you nonetheless and suggests either banding with your coworkers to push back or simply pleading ignorance - saying that the software won't install and you don't know why. (One option, if you can make it convincing, is to say you have a Chromebook or a laptop with Windows 10 S Mode, since both platforms simply can't install unrestricted software.)

In the news

OK Zoomer: There's been a lot of security news going around about popular videoconferencing app Zoom, spanning from legitimate bugs and misrepresentations by Zoom to just general fear. Most notably, online trespassers took to "Zoombombing," joining other people's meetings and trolling or harassing them, with attacks ranging from mere spam to crashing Alcoholics Anonymous meetings and extolling the virtues of drinking. Part of the trouble here is the sudden popularity of Zoom, which was designed for use by businesses, in so many other contexts. Meetings like Alcoholics Anonymous or religious services are generally intentionally public or semi-public, and keeping trolls and spammers from clicking a button to join places where they're not welcome is a problem as old as the internet itself. Several of the other Zoom issues raised in the last few weeks also seem to come out of Zoom being built as a business-internal platform, notably an attack that is claimed to let people steal your Windows credentials - the bug (which is really a Windows design problem, not a Zoom one) essentially only affects misconfigured corporate networks, but in an age where everyone is suddenly using corporate laptops at home, misconfigured "corporate" networks are fairly likely. The bug was that Zoom would automatically create links out of "UNC paths," a way of referencing Windows file servers, and Windows would automatically try to log in if it believed the file server was part of the same network. Sharing links to files on a Windows file server is essentially useless across the general public but convenient within a company. Still, as of last week, Zoom no longer creates those links. (Another sign of Zoom's workplace focus is the concept of personal meeting rooms, which comes with warnings about who you share it with. In a company, you can generally expect that people won't walk into your physical office without permission, and you can probably map that expectation onto a virtual office, but if you make your personal meeting ID publicly available, anyone can join that meeting at any time.)
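To make the UNC-path issue concrete, here is an added example (our own illustration, not Zoom's code) of what a chat linkifier should and shouldn't do: the hardened version only turns http(s) URLs into links and leaves a \\server\share path as inert text, while the "unsafe" version shows the pattern the fix removed. The sample messages and host names are constructed for the demo.

```python
import html
import re

# Constructed sample chat messages for this demo (not from the newsletter).
SAMPLE_MESSAGES = [
    "Slides: https://example.com/deck.pdf",
    r"Notes on the share: \\fileserver\team\notes.txt",
    r"See www.example.org and \\untrusted-host\c$\x",
]

# Only absolute http(s) URLs are made clickable.
_HTTP_URL = re.compile(r"https?://[^\s<>\"']+")
# A UNC path: two backslashes, a host name, a backslash, then the rest of the path.
_UNC_PATH = re.compile(r"\\\\[^\s\\/]+\\[^\s]*")


def find_unc_paths(text):
    """Return every UNC path in a message; a chat service can log or block these."""
    return _UNC_PATH.findall(text)


def linkify(text):
    """Hardened linkifier: http(s) URLs become anchors, everything else is escaped text.

    A UNC path is left inert, so a Windows client never sees a clickable
    file-server link that it might follow with automatic authentication.
    """
    out, pos = [], 0
    for m in _HTTP_URL.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def unsafe_linkify(text):
    """The pattern to avoid: also turns UNC paths into file: links."""
    def unc_to_link(m):
        path = m.group(0)
        url = "file:" + path.replace("\\", "/")  # \\host\share -> file://host/share
        return f'<a href="{url}">{path}</a>'
    return _UNC_PATH.sub(unc_to_link, linkify(text))


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("unsafe:", unsafe_linkify(msg))
        print("safe:  ", linkify(msg))
        print("UNC paths found:", find_unc_paths(msg))
```

The point of the hardened version is that the browser or client only ever sees an http(s) target; whether Windows would try to authenticate to the named host is then never in question.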

There have been a few questionable security and privacy decisions at Zoom, though. For instance, Zoom's mobile app would send information about your usage to Facebook via the Graph API whether or not you were logging in through Facebook. That, too, has been fixed as of last week. There's also the weird situation of Zoom setting an HTTP option to restrict which sites can load JavaScript, yet including a large number of sites including all of Amazon's CloudFront, a web host that anyone can use. To us, this sounds like some customer performed a security audit and insisted they use that option, but Zoom wasn't in a place to restrict their site enough to make the option meaningful - which along with last summer's major Zoom issue doesn't paint the best picture of their security culture. To Zoom's credit, after the significant bad press, their CEO announced a number of concrete steps, including fixing several of these vulnerabilities (as well as removing the maligned "attention tracker" feature, which could tell a meeting organizer whether you had switched apps away from Zoom), but more importantly, the company will be freezing all feature work on Zoom and shifting focus to privacy and security. They've also enabled passwords by default on all meetings - which means people joining semi-public events have to go through at least one more step to get the password. While that extra step can potentially be burdensome, it should prevent "Zoombombing" of both support groups and the British cabinet.
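The "HTTP option to restrict which sites can load JavaScript" is the kind of thing a Content-Security-Policy header does, and the problem described above is an allowlist so broad it doesn't allow-list anything. As an added example (ours, not Zoom's actual policy or any real header), here's a small checker that parses such a header and flags script sources that don't meaningfully restrict where scripts come from. The two policies and the list of "shared" hosts are constructed for the example; "dEXAMPLE.cloudfront.net" is a placeholder for a specific distribution host name.

```python
# Hosts that any third party can publish content to; an allowlist entry
# covering all of them grants script execution to strangers.
# Constructed list for this example, not an authoritative catalogue.
SHARED_HOSTS = {"cloudfront.net", "amazonaws.com", "githubusercontent.com"}

# Keyword sources that make script-src meaningless as a restriction.
OPEN_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}

# Placeholder policies: the weak shape described above, and a tightened one.
WEAK_CSP = "default-src 'self'; script-src 'self' https://*.cloudfront.net 'unsafe-inline'"
FIXED_CSP = "default-src 'self'; script-src 'self' https://dEXAMPLE.cloudfront.net"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_of(source):
    """Strip scheme, path and port from a host-source expression."""
    host = source.split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0]


def risky_script_sources(header):
    """Return (source, reason) pairs for script-src entries that do not really restrict anything.

    script-src falls back to default-src when absent, as browsers do.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = []
    for src in sources:
        s = src.lower()
        if s in OPEN_SOURCES:
            findings.append((src, "allows scripts from effectively anywhere"))
            continue
        host = _host_of(s)
        if host.startswith("*.") and host[2:] in SHARED_HOSTS:
            findings.append((src, "wildcard over a host any third party can publish to"))
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(label, risky_script_sources(csp) or "no findings")
```

The fixed policy names the one distribution the site actually uses; a wildcard over a multi-tenant host is the allowlist equivalent of leaving the door open.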

So, what should you do? As before, we continue to be fans of systems that have been focused on security and privacy - if you can use something like Signal or FaceTime, we'd suggest it. For one, both are end-to-end encrypted systems - though Zoom previously claimed to be one too, and it's a subtle question as to whether they do in fact count. The practical difference is that Signal and FaceTime both use encryption keys generated by your devices (the "ends"), whereas Zoom generates the encryption key on their servers and simply says that they "do not decrypt" audio or video - as opposed to "cannot". (Still, Zoom's approach is far better than apps like Google Hangouts, Slack's video calls, or Skype, where video is only encrypted en route to the provider's servers and is decrypted there as a matter of course. There's also a legitimate argument to be made about whether, say, Apple truly "cannot" decrypt FaceTime data, given that they control not only the FaceTime app and the OS but also the database of which phones are authorized to log into a FaceTime account.) We'd say, however, that a bigger factor should be track records at delivering secure software. Signal is a well-acknowledged leader in secure communications, and Apple has a reputation for privacy, especially with iOS and FaceTime, which Zoom simply does not have today. Still, Zoom's response is promising, and there are many features Zoom has that the more secure platforms don't (a commonly cited one is "breakout rooms," which let you seamlessly split a large meeting into smaller groups). If those features are valuable to you, it may not make sense to avoid Zoom categorically - especially given their new focus on righting their security wrongs. While we understand why, for instance, NYC schools have a new mandate to avoid Zoom, it seems like a hugely disruptive overcorrection just as teachers have started figuring out how to use it effectively, especially when the company is responsive about issues and there are measures (like meeting passwords) to improve your security and privacy. In particular, we continue to think it makes sense to use Zoom via a mobile app (despite the Facebook mis-step) or a browser when possible, as we discussed last issue.

By the way, we'd also avoid using Zoom for chats or sending links, mostly to reduce the risk of someone joining the meeting and seeing old conversations and not just current video. Most of the time, you have another channel for sending text information that you're already keeping secure, and it's safest to just keep using it.

Alexa, pretend you didn't hear that: We've talked a bit in the past about the risks of voice assistants like those on your phone or on dedicated devices like Amazon's Alexa: they're definitely useful, but sending background audio to internet services for processing has its dangers, and you should think about where they land in your personal threat model. Bloomberg has an article pointing out that many people's threat models are changing these days with regards to the sensitivity of audio at home: lawyers who are now making confidential calls to their clients at home may want to think about unplugging any smart home devices with microphones, at least during their working hours. On that subject, if you're working from home in a shared household, you might want to think a bit about low-tech ways of keeping your conversations private, both from other people and from their devices. Therapists have long used white-noise machines to mask sounds: if you have one (Liz keeps one in the bedroom to drown out noises from outside during sleep), or even if you have a portable fan, you could try putting one by your home office door or apartment door to keep things a bit more private.

Face-to-face with Clearview's data: Now that the California Consumer Privacy Act has taken effect, businesses that operate in California must give members of the public access to data collected about them. On Medium's OneZero, Thomas Smith has an account of his own CCPA request to Clearview, including the photos Clearview found. They weren't able to look him up by name, since their database is keyed on faces, so they requested a photo with a "clear view" of his face and found many more social media profile pictures - almost all belonging to him and one belonging to a doppelganger.

I am once again asking for you to take software updates: Mozilla just announced security updates for Firefox that fix two bugs being used by "targeted attacks in the wild." The fixes are in version 74.0.1 of the regular release and 68.6.1 of their extended-support release, a slower-moving release channel for people (especially companies) that don't like frequent feature updates but still want prompt security fixes. Both vulnerabilities are "use-after-free" bugs, which means that Firefox's code cleans up some data in memory before it's actually done using it. A clever web page can attempt to put its own data in the same spot in memory, now that it's been marked free, and trick Firefox's core code into misbehaving. Both attacks are also "zero-day" attacks, meaning you have zero days of advance notice before attackers start exploiting them - unfortunately the bad guys found these bugs first.

Blue team has the flag: Microsoft announced that a security bug that they haven't yet issued a patch for is being used by "limited targeted" attacks, making it a particularly bad kind of zero-day exploit - more like a negative-couple-of-weeks exploit. The bug is in a Windows driver for handling fonts, a responsibility that historically was part of the Windows kernel, the most privileged part of the OS. Fortunately, recent versions of Windows have started moving the font-handling code out of the kernel and sandboxing it to limit the impact of bugs, especially zero-days. While Microsoft has some listed workarounds if you're particularly concerned, they're all for Windows 7, where the bug is particularly serious. On Windows 10, this code has started being sandboxed, and in Windows 10 versions 1703 and up (that is, in major updates since 2017), all the affected code is fully sandboxed. This is yet again a reason to stay with the newest versions of software - even if you find Cortana even more annoying in the Start Menu than she was in Halo, it's still worth upgrading your Windows 7 machines to Windows 10 to get font sandboxing and various other architectural improvements Microsoft has made over the years.

Delays in security release schedules: One of the many disruptions from the COVID-19 pandemic is that many software companies have decided to push back the release of new features, including security features, as both their teams and the software industry as a whole adjust to working from home under new priorities. For instance, we mentioned two issues ago that Apple was mandating Sign in with Apple for apps that offered other third-party login features: the deadline for implementing that change, as well as some other App Store policy requirements, has been extended to June 30. Chrome is adjusting their release schedule, delaying the release of version 81 and skipping version 82 to get back on track. They're continuing to ship security fixes as part of the current version, Chrome 80, but some systemic security improvements have been delayed. Notably, they aren't yet removing support for older and less robust versions of TLS, the security protocol behind HTTPS, which prompted Firefox to also defer their own removal of old TLS versions.

Furthermore, Chrome rolled back the change to cookie behavior they'd already shipped as part of version 80 in February, "to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time." We covered the change back in January: the new cookie behavior protects against a common class of attacks but has a risk of breaking existing websites that relied on weak cookie handling, which most often would mean that you couldn't log into these websites. Chrome now plans to flip the switch back during the summer.
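The "weak cookie handling" in question is cookies that never say how they may be sent across sites. As an added example (ours, not Chrome's code), this snippet models the Chrome 80 default: a cookie with no SameSite attribute is treated as SameSite=Lax, and a cookie that explicitly says SameSite=None must also be Secure or it is dropped. The `cookie_sent` function shows why Lax blocks the classic cross-site POST while still letting you follow a link into the site, and `audit_set_cookie` is the check a site operator can run over their own Set-Cookie headers to see what the rollout would break. The sample headers are constructed.

```python
# Constructed Set-Cookie headers for this example (not taken from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",      # no SameSite attribute at all
    "sso_token=xyz; Path=/; SameSite=None",            # meant for cross-site use, but not Secure
    "sso_token=xyz; Path=/; SameSite=None; Secure",    # the corrected form
    "csrf_guard=1; Path=/; SameSite=Strict; Secure",
]


def parse_set_cookie(header):
    """Return (name, value, {attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def effective_samesite(attrs, lax_by_default=True):
    """SameSite mode the browser applies to this cookie.

    Chrome 80 started treating a missing SameSite attribute as Lax; the older
    behaviour (lax_by_default=False) treated a missing attribute as None.
    """
    value = attrs.get("samesite", "").lower()
    if value in ("strict", "lax", "none"):
        return value
    return "lax" if lax_by_default else "none"


def cookie_sent(attrs, cross_site, top_level_get, new_rules=True):
    """Would this cookie accompany a request?

    cross_site: the request originates from a different site.
    top_level_get: a top-level navigation such as clicking a link.
    """
    mode = effective_samesite(attrs, new_rules)
    if mode == "none":
        # Under the new rules an explicit SameSite=None must also be Secure or it is dropped.
        if new_rules and "secure" not in attrs:
            return False
        return True
    if not cross_site:
        return True
    # Strict: never cross-site. Lax: only on top-level GET navigations, which is
    # what stops a cross-site POST (CSRF) while keeping ordinary links working.
    return mode == "lax" and top_level_get


def audit_set_cookie(header):
    """Explain how the Chrome 80 default changes this cookie."""
    name, _, attrs = parse_set_cookie(header)
    mode = effective_samesite(attrs)
    if mode == "none" and "secure" not in attrs:
        return name, "rejected: SameSite=None requires Secure"
    if "samesite" not in attrs:
        return name, "now Lax by default: no longer sent on cross-site POSTs or embeds"
    return name, f"explicit SameSite={mode}"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_set_cookie(header))
```

Sites that legitimately need a cookie on cross-site requests (single sign-on redirects, embedded widgets) have to opt in with SameSite=None; Secure, which is the change the rollback gave them more time to make.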

In short, you may no longer see the version number of certain software go up, and if there were specific features you had your eye on, they might slip, but software companies are generally continuing to respond to security issues and ship fixes, so as always, make sure you're restarting your browser and other software when prompted. It's unfortunate that systemic security improvements (akin to Windows 10 sandboxing its font-handling code) aren't being shipped as quickly, but overall, it's a sensible tradeoff.

Update like everything: Tesla recently released a software update for a security bug in the embedded web browser that can crash the entire display, including the speedometer. The researcher who found the bug recorded a somewhat stressful video of trying out the bug while driving on the highway, showing that the Autopilot feature cuts out without indication and the screen gets stuck at 60 mph even as he takes an exit. The attack relies on a somewhat old bug in Chromium, which powers the Tesla UI. It's a good reminder that as everything around us gets "smart" or gets a web browser built in, all of it will need software updates, too.

What we're reading

Who called it an "air gap" and not "software distancing": While many companies have been shifting to remote work (or shutting down), some essential infrastructure businesses have continued to operate with employees coming into their workplaces for security reasons. WIRED takes a look at some of these high-security workplaces and the security model that led them to continue to need employees to come in even during the pandemic. Some companies with particularly sensitive data or critical operations like power grids use an "air gap," a physical barrier between computers with critical information, as one of their security measures, and by design, anything behind these air gaps isn't accessible over the internet.

Air gap security relies entirely on physical security, which means it's both a single point of failure if someone is able to get past any physical security measures and a risk in terms of reliability if it's no longer feasible for someone to get to the secure site. Additionally, many workplaces and sites started relying on air gap security before newer technologies were available to help keep sensitive information out of the wrong hands. While we certainly wouldn't say that air gaps are no longer necessary, we're big fans of some other methods that would potentially allow remote work, too. Some other ways to increase security are to segment off permissions as granularly as possible, require hardware security keys as a strong second factor, and require more than one person to log in to unlock particularly sensitive data or operations.

Big Brother would love to help out: Facial recognition has been on the rise to monitor movement during the COVID-19 pandemic through the efforts of both governments, such as China and Iran, and private companies, including Israel-based NSO Group and now, Austin, Texas's Athena Security. In response, EFF policy analyst Matthew Guariglia has written "Face Surveillance Is Not the Solution to the COVID-19 Crisis." It's a good summary of why the drawbacks of increased facial recognition outweigh the benefits, even during a pandemic, and includes a serious risk we briefly mentioned in the discussion of China's plan: "It is all too likely that any new use of face surveillance to contain COVID-19 would long outlive the public health emergency." There are alternatives to increased surveillance based in facial recognition that allow us to monitor how effective various policies are at reducing contact between households while preserving more privacy, such as Google's COVID-19 Community Mobility Reports, though we are also concerned by companies like Google having this much information on our movements.

By the way...

If you're looking to get a new security key, Wirecutter has a roundup of which ones will and will not get destroyed if a car accidentally runs over them. We talked before about how product recommendation sites aren't always the right way to figure out what your security needs should be, but if you already believe a security product is valuable, like how security keys provide both a strong second factor and phishing protection, those sites can help you understand the pros and cons of different models.

That wraps it up for this week! We're going to be taking a break next week while we adjust our own schedules around the new normal, but we'll be back the week afterwards. We'll keep an eye on security news, but if there's anything in particular you'd like us to cover, as always, send us an email at looseleafsecurity@looseleafsecurity.com. Stay well and see you all soon!

-Liz & Geoffrey