Loose Leaf Security Weekly, Issue 30

It's been a bit since our last newsletter, sorry - we're both doing well, but just about everything's been disrupted. If you've been applying software updates regularly, you've got about half of what we were going to talk about, but read on for the other half of all the security news from the last few weeks.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

If you have any automatic payments or saved payment methods for any of your accounts, it's worth keeping track of which payment methods are connected to which accounts. That way, when one of those accounts is breached, you can both contact the issuers for any associated payment methods and also quickly switch payment methods on any other accounts that used that one so you don't accidentally forget to pay a bill or renew a service you rely on. Since breaches are unfortunately a matter of "when," not "if," it's a lot easier to not have to track down all accounts that rely on a payment method that's involved in a breach. This is also helpful if one of your credit or debit card numbers is stolen offline or you find out someone has counterfeited your checks.

Liz keeps track of automatic payments and saved payment methods as a part of household budgeting, but you can also use your password manager's tags or other searchable notes to keep track of which accounts have which payment methods saved. In addition to keeping track of saved payment methods as you add or update them, you can set aside a little time to go through your bank or card statements or sign up for transaction notifications and add recurring payments as they re-up. (Transaction notifications are also a really good way to make sure that you and only you are using your accounts!)

As we'd recommend for every account, it's also worth checking if you can secure these accounts as you go with strong, unique passwords and two-factor authentication, but it's definitely still worthwhile to keep track of linked payment information because there are other risks - a couple of our stories today cover attacks on these sorts of accounts where the usual approaches for keeping your account secure wouldn't quite have applied.

We are once again asking you to take software updates

Mozilla released Firefox 76 with a number of security fixes, as well as a corresponding update to their slower "Extended Support Release" (ESR) that lists mostly the same set of bugs. Firefox ESR syncs with regular Firefox only about once a year but also includes important bug fixes, which is useful if you want to stay safe but you worry about the risks of new features (e.g. you're an IT department at a large company or, apparently, actor Robert Pattinson or his recent GQ interviewer.)

For those of you using the regular Firefox release, version 76 includes some improvements to its built-in password manager, Lockwise, including asking you for your login password periodically (not a foolproof security measure against someone who already has access to your logged-in account, but useful in dissuading mostly-trustworthy housemates), notifications about breached sites and passwords, and more prompts for automatic password generation. For the reasons we discussed in our episode "Using a password manager effectively," we'd still prefer a standalone service, but if you're on Firefox everywhere, it might be worth a shot - especially given that it has iOS and Android companion apps that support systemwide password autofill.

Chrome has been releasing security updates just about weekly, with a couple of bugs rated "high" or "critical" fixed in releases on April 15, April 21, April 27, and May 5. Bad news for those of us with a habit of keeping a bunch of tabs open, but we're happy that despite Chrome's previous announcement that they're slowing down feature work, security fixes are still happening on a regular schedule.

Windows also had quite a few bugs fixed in May's "Patch Tuesday" release last week. Underscoring the importance of these updates, Google's Project Zero research team published a technical post describing a bug in Windows that effectively undermined the security of the Chrome and Firefox browser sandboxes, and this bug was fixed in April's Patch Tuesday under the name of a "security feature bypass vulnerability."

Adobe issued updates for Acrobat and Reader last week addressing "critical and important vulnerabilities." Among the "critical" ones were flaws discovered by Tencent researcher Yuebin Sun in the updater process: since the updater runs with administrator privileges so it can install updates systemwide, it makes an appealing target for attack. The researcher found a way to trick it into running a program of an attacker's choice in administrator mode.

In the news

BlueFrag: February's Android security release included a fix for a bug which "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process." The bug was marked as a "moderate" denial of service on Android 10 and a "critical" remote code execution bug on Android 8 and 9. The researchers who found the bug have now written up the attack, which they call "BlueFrag." Briefly, it's a combination of two bugs, one in the Bluetooth driver and one in a core Android component called Bionic, and the clinical description in the February bulletin underplays the severity: if you have Bluetooth enabled and you're on Android 8 or 9, anyone in range of your phone could silently start running code on it. The Bluetooth bug was still there in Android 10 until February, but changes in Bionic mean that the worst they can do is cause the Bluetooth service to crash. Apart from (of course) once again asking you to take software updates, we think this is a good example of why it's worth staying on the newest versions of software whenever possible: while security releases for older versions of software tend to only address known, identified security bugs, newer versions often have bug fixes in general that improve the sturdiness of the code and make it harder for newly-discovered bugs to be exploitable.

Into the Breach, now on Nintendo Switch: In late April, a large number of Nintendo Account holders started getting notices of logins to their accounts from unknown places. Nintendo eventually confirmed (in a notice in Japanese) that over 160,000 accounts were affected in the breach. The goal of these attacks seems to have been to use linked payment balances to buy things that can be resold for real-world money, either codes for downloading games or in-game currency.

The attack seems to have been related to the ability to link a Nintendo Network ID, the online account for their older 3DS and Wii U systems, to a Nintendo Account, which is used for Switch and smartphone games. Since you have to use the on-screen keyboard on your 3DS or Wii U to sign up for your Nintendo Network ID and enter its password, it's likely that lots of people used weak passwords and then forgot about them when making the newer Nintendo Account. As part of mitigating the attack, Nintendo discontinued the ability to use your Nintendo Network ID to sign into the linked Nintendo Account (you can still link the accounts, but you have to use the Nintendo Account's credentials to sign in).

In a statement to the media in response to early reports, Nintendo suggested that you enable two-factor authentication ("2-Step Verification") for your Nintendo Account, which is a good idea in general to keep your account safe. When you link your account to a mobile authenticator app, any standard authenticator app will work, even though the site points you to Google Authenticator. You'll then have to type in a six-digit code when you log in, which is much easier on a gaming console (where you can't install a password manager) than entering a super-long password with symbols - though you should still pick a reasonably long password here too.

Nintendo is also automatically resetting passwords for any affected accounts. If you have an old Nintendo account (or any other similar gaming service) that you're not actively using, it may be worth unlinking any payment information to prevent potential future headaches.

Google report on phishing: Speaking of two-factor authentication, about a month ago, Google's threat analysis group released a brief update on their account security work. The post notes the continuing interest of government-backed attackers in both phishing attacks and technical exploits, but they call out one defense in particular: "We've yet to see people successfully phished if they participate in Google's Advanced Protection Program (APP), even if they are repeatedly targeted." The Advanced Protection Program is Google's branding for a special switch on your account that requires that you use (at least) two physical security keys as your second-factor options, no code generators or anything else, and also turns off various weaker forms of authentication (like app-specific passwords), customer service resets, and so forth. You can get more-or-less the same level of protection on any site that supports security keys, even if they don't have a specific name for it. We've previously discussed how security keys keep you safe from phishing, and it's neat to see some data from Google about how effective that is in practice, even against high-value targets.

If you can't beat 'em, bribe 'em: Motherboard reports on a social engineering attack against the online video game Roblox: an attacker bribed a customer service employee to get access to the internal site for managing accounts, which gave them the ability to change two-factor authentication settings, reset passwords, and even sell items for in-game currency. Apparently, the attacker attempted to report this "problem" to get a bug bounty, was denied, and started stealing items in response. This sort of attack is a good example of why we find it particularly valuable for companies with two-factor authentication options to give you an option to prevent customer service from disabling it (as Google's APP does) and also why it's worth being aware of accounts linked to payment methods, even if you do have strong authentication enabled.

A vulnerability in iOS Mail: Security research firm ZecOps investigated evidence of attacks on iOS's Mail application and found evidence of fairly serious bugs which have not yet been patched. The story is a bit confusing - ZecOps states that an additional vulnerability is required to exploit the phone, but their description makes it sound like a malicious email can still take over the Mail app itself even if it can't break out of the sandbox and attack other apps. Meanwhile, Apple is also downplaying the importance of the vulnerability, stating that the issues are "insufficient to bypass iPhone and iPad security protections" and disputing ZecOps' finding that they were used against customers. The latest iOS beta fixes the bugs, but it hasn't yet made it to a final release. ZecOps suggests that you switch to the Gmail or Outlook app instead in the meantime, but we're not sure we follow the reasoning: they argue that this particular bug isn't present in those apps, but the built-in Mail app gets much more research attention than those apps given its ties to the core OS, and it's not clear that the Mail app is systemically less secure than those other apps.

More COVID-19 scams: We've mentioned coronavirus-related scams and confidence tricks before (as have many others, like this roundup from EFF). Most of these have been scammers pretending to be government health agencies, but we wanted to briefly mention a new type of scam as contact tracing is rolling out: people texting you to say someone you know has been infected. This scam is a little more convincing because it's close to what real contact tracers actually do as they cold-call people to find who's been in contact with someone with a confirmed case. Still, the usual advice applies - you can call people back or visit trusted websites - but avoid clicking links, giving personal information to people who call you, and so forth.

Saudi Arabia wants to know your location: The Guardian reports that an anonymous whistleblower has evidence that Saudi Arabia's mobile providers are sending an unusual number of location requests for phones that are currently roaming in the US via SS7, the protocol used for intercommunication between cellular services. SS7 was designed many decades ago in an age when all carriers trusted each other, and in many ways it doesn't hold up to modern security and privacy realities: for instance, it's enabled attackers to reroute two-factor authentication text messages before. (It reminds us of the internet's BGP, which enables interoperability between ISPs and was also designed with the assumption of trust between ISPs. We previously discussed a case where a Nigerian ISP directed a large amount of Google traffic to Russia and China: they claimed it was a misconfiguration, but the incident demonstrates how easy it would be to maliciously divert this traffic.) While it's legitimate for a carrier to send occasional SS7 "Provide Subscriber Information" messages to bill roaming users appropriately, the responses include the phone's current cell tower location, so frequent requests would allow the carrier to know exactly where the subscriber is traveling - leading the whistleblower to claim, "Saudi Arabia is weaponising mobile technologies."

Eyes on unlock: We noted last fall that Google's Pixel 4 phones didn't require your eyes to be open to unlock your phone with its face unlock, and Google has finally fixed the issue half a year later by adding an alertness check. While we're glad someone can't simply hold your phone up to your face while you're asleep to unlock it, we believe it's still more secure and not too much of a hassle to require a long passcode to unlock your phone.

Fortnite finally in the Google Play Store: After nearly two years of asking Android users to sideload their app, Fortnite is finally available through the Google Play Store. Fortnite's maker Epic Games chose to offer the game in the Play Store because "Google puts software downloadable outside of Google Play at a disadvantage," but we'd classify the "scary, repetitive security pop-ups for [sideloaded] downloaded and updated software" and "new efforts such as Google Play Protect to outright block software obtained outside the Google Play store" as good steps to take to help keep Android users safe from accidentally downloading malware.

Psychic Paper: The latest beta of iOS 13.5 closed off a long-standing security bug in the "entitlements" subsystem, which determines what restrictions are part of each app's sandbox. iOS researcher Siguza wrote up the bug and gave it the name "Psychic Paper," after an object from the TV series Doctor Who that can trick security guards. If you're familiar with HTML, you should be able to follow how the bug works: entitlements are stored in XML, a similar format which uses the same syntax for comments as HTML (<!-- ... -->). A specific input (<!---><!-->) will trick one of the places where iOS checks an entitlements file and make it think the next part of the file is a comment and ignore it, but another place will not read it the same way and actually apply the entitlements in that part of the file. The "security.no-container" entitlement disables the sandbox completely.

The bug was useful for researchers (like Siguza) who wanted to get unrestricted access to iOS so they could investigate the system in more detail, but it also carried a direct risk for people installing sideloaded apps. While Apple doesn't have a general sideloading option like Android does, there are a few limited means of getting apps directly from developers, including test distribution (often used for beta or unlaunched software) or enterprise distribution (for companies making private apps for their employees). Apple writes entitlements files for the App Store, but if developers are distributing apps themselves, they're writing the entitlements file, and it's the buggy XML interpreter that's responsible for making sure they don't ask for any entitlements they shouldn't. Especially now that the bug is public, it would be easy for those developers to use the Psychic Paper trick to get unrestricted access to all the private data on your phone.

Explosive Runes: In yet another iOS bug that's currently unpatched, it turns out that a certain meaningless sequence of Arabic letters (mostly a pile of diacritics) causes iOS to crash whatever app is trying to display the text. This is a minor annoyance if you receive it in a chat app or see it in a comment on Twitter, since it will make the app freeze up for a few seconds and then crash, but it could be much more annoying if it shows up in a notification, since it will make the whole phone UI lock up and appear to almost reboot. Fortunately, it's otherwise harmless and isn't a sign of an attack on your data or anything (although there are a few very isolated reports about phones needing to be restored from backup if the weird characters somehow put it in a state of constantly crashing), but if you have the misfortune of having "friends" (or enemies) who might like to see your phone crash, you may want to turn off message previews in notifications for now. Some reports on the web say the strange characters are in Sindhi, a regional language in Pakistan and India that's generally written with Arabic letters, but as far as we can tell the message isn't meaningful in any language.

It's not the first time iOS has had trouble with strange sequences of letters: there were similar crashes with invalid sequences of Arabic (and other) letters in 2013 and in 2015, where a version of the message starting with the English words "effective power" went viral for some reason, as well as a case from 2018 that was most popular using a character from the Telugu language of south India, but had equivalent versions in Devanagari (the script used to write Hindi and many other languages) and Bengali, too.

Firefox Preview has more extensions: In January, we covered Firefox Preview, the redesigned version of Firefox for Android with increased privacy protections. At the time it didn't have any extension support, but they've worked with extension developers to add support for six extensions: uBlock Origin, HTTPS Everywhere, Privacy Badger, NoScript, Dark Reader, and Search by Image. We've recommended the first four of those before for various purposes.

Google Authenticator added transfer support: It's genuinely frustrating and time consuming to move all the accounts in your two-factor authenticator app to a new phone (this literally took Liz upwards of four straight hours last time), so we understand the motivations behind Google Authenticator adding transfer support to make this a lot easier. Instead of having to reconfigure two-factor over and over again for every account, you can easily scan QR codes in your old phone with your new phone. Unfortunately, the ease of transfer also extends to anyone you let browse the web or play a game you installed on your phone - they could copy your second factors onto their phone if you look away - so this feature does fundamentally weaken your security. However, if you keep your phone on a very tight leash and have a long, strong passcode as the only method to unlock it, this may be a tradeoff you're willing to make.

What we're reading

Contact tracing, continued: The Guardian's UK Technology Editor wrote that "France urges Apple and Google to ease privacy rules on contact tracing" because the French government wants to use something closer to the ROBERT protocol they co-developed with Germany. Unlike Google and Apple's approach to technology-assisted contact tracing (TACT), which has individual devices check for known infections by keeping track of random daily codes sent by other nearby devices, ROBERT uses a centralized server that keeps track of everyone's identifiers and checks everyone's interactions with known infections server-side. Using a centralized server is more analogous to traditional contact tracing methods: contact tracers call people who've tested positive and ask who they've seen in person recently and where they've been, and the contact tracers then reach out to potentially infected people to tell them they might have been exposed - without revealing who exposed them or when and where they were exposed. We think it's a misnomer to say that this fundamentally weakens privacy, because it's more akin to having a different threat model with different tradeoffs: with ROBERT, you do need to trust that the government's centralized server is secure (and that the data collected isn't being used for other purposes), but if you do, there's less potential to leak individuals' location information, as we discussed in the last newsletter. By the way, the UK's National Health Service has also rejected Google and Apple's decentralized TACT system for a more centralized model.

In other contact tracing news, Apple and Google have banned apps that use their contact tracing API from using location data, which is a good measure to both help prevent a malicious app from revealing when and where possible infections occurred and to maintain the privacy of those who use those apps. Also, lots of people are using phones that are too old to have Bluetooth Low Energy chips or sufficiently modern operating systems to participate in Google and Apple's TACT, half of Americans with phones that are capable of TACT won't use it, and those with the biggest incentive to use TACT - and risk abuse of the increased surveillance - are already marginalized members of society. Additionally, given the significant political challenge involved in getting people to both use TACT and take known contact notifications seriously, pro-social minded individuals may not even be able to start going out more whether or not they use TACT, which begs the question as to why people would agree to the additional surveillance intrinsic to TACT if they're residing in countries that haven't taken strong enough actions to protect their residents. P.S. India is requiring all workers both in the public and private sector to use a government-backed TACT app, and Vietnam's TACT app isn't anonymous.

Krebs on scams: One of our earliest newsletter tips talked about what you should do when you get a phone call requesting passwords, two-factor codes, or other sensitive information - hang up and call the usual number you'd call to contact that company - and Krebs on Security has two detailed write-ups of recent phone phishing incidents: "When in Doubt: Hang Up, Look Up, & Call Back" and "Would You Have Fallen for This Phone Scam?"

On the lighter side...

The built-in password generator in password managers is great for handling sites with complex password requirements, and now, apparently, for naming babies.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey