Built-in dangers: physical ports, OS defaults, and remote access

From the fancy new USB-C or Thunderbolt ports on your laptop to the software and settings that came with your operating system, there are a lot of potential security concerns with recent computers. Liz and Geoffrey finish up their series on desktop and laptop security by looking at some of the latest threats - and why computers with old-style USB ports aren't much safer. Plus, some new scams to avoid and the scoop on some juicy internal Facebook documents.

Built-in dangers: physical ports, OS defaults, and remote access episode art

Timeline

  • 1:21 - Security news: Scammers changing bank phone numbers in Google Maps
  • 2:47 - Security news: An iOS app that scams users into holding the home button to use Touch ID to make a large in-app purchase
  • 4:41 - Security news: UK Parliament releases Facebook documents, including how Facebook stealthily used the Android "read call log" feature to get call and SMS history from users
  • 8:51 - Security news: Logitech customization application sets up a WebSocket server without doing any authentication
  • 11:18 - USB-C and Thunderbolt connections
  • 15:18 - Direct memory access attacks
  • 19:35 - Regular USB attacks and the Rubber Ducky
  • 22:46 - How should I access the contents of an untrusted USB device?
  • 24:30 - OS preinstalled software and bloatware
  • 28:27 - Crash reporting and telemetry tools
  • 31:10 - Remote access

Show notes & further reading

Thunderbolt and USB-C

The Wikipedia articles about Thunderbolt and USB-C are not bad starting points. While some websites will claim that longer USB-C cables don't work properly for Thunderbolt, or Thunderbolt cables don't work properly for USB 3, note that this is solely about maximum speeds. Long USB-C cables work fine as passive Thunderbolt 3 cables, except potentially only at 20 Gbps instead of 40 Gbps - still a very high speed. And long Thunderbolt 3 cables will support USB 2, even if not USB 3.1 speeds. So while you want to get the right cable for performance reasons, note that Thunderbolt 3 cables can still conduct USB attacks, and USB-C cables can still conduct Thunderbolt attacks when connected to a Thunderbolt-enabled port.

Malicious USB devices

We mentioned the USB Rubber Ducky in the show, which is a shaped like a generic unbranded flash drive, acts like a USB keyboard, and can be pre-programmed to type in key sequences as soon as it's plugged in. The makers have a wiki containing various sample payloads, some of which will copy passwords and send them remotely, and some of which will just open Notepad and leave a message. For more advanced attacks, they also have an upgraded version that has an entire miniature computer, which can pretend to be a network device, in what looks like a slightly oversized USB drive. It's a little less stealthy but still effective if someone has access to your computer when you're not looking.

You can also build your own device for much cheaper - one blogger built a version for $7 using an Adafruit Trinket, then moved to an Arduino Pro Micro ($10) for performance. The post describes how to make it look like a thumbdrive. Another blogger found that a $3 Digispark would do the same job.

Another worrisome option is reprogramming the firmware on actual USB thumbdrives - an attack often referred to as "BadUSB." The original research from 2014 found that a variety of devices, including many popular thumbdrives as well as USB hubs and other peripherals, were vulnerable to this attack - and a particularly clever virus could infect other USB devices on the system. HackMag has a writeup of how to convert a USB thumbdrive to a Rubber Ducky clone.

Refreshing Windows 10

If you're getting a new Windows 10 laptop with preinstalled software, you might want to download Microsoft's "start fresh" tool to do a clean install, removing whatever your PC maker shipped with your computer. On an existing computer it's probably a good idea too, although you'll have to reinstall any applications you want. The tool claims to preserve your files, but it's of course safer to take a backup first - see our previous episode about backups for suggestions about how!

Downloading alternative web browsers

Also if you're getting a new laptop, and you prefer Chrome or Firefox to what's built in, you can get them from https://www.google.com/chrome and https://www.mozilla.org/firefox, respectively, which should be pretty easy to remember. (Both Safari and Edge are also good choices and have solid sandboxing technology, but we know many of our listeners prefer Chrome or Firefox.)

In the news

The Touch ID attack is a lot easier to understand if you watch the video: you can immediately see how the fake screen for scanning your fingerprint turns into a real, expensive in-app purchase. As we discussed in our episode on Android and iOS security, the fingerprint reader connects to the separate Secure Enclave, and fingerprints aren't accessible to apps at all - so this is an obvious scam. Another mechanism for protecting yourself is disabling in-app purchases in Restrictions. A few episodes back we touched on using the same screen to disable Siri.

Security researcher and former FTC Chief Technologist Ashkan Soltani published a Twitter thread of interesting bits from the Facebook email archives released by Parliament, including negotiations about access to data that call Facebook's stance of "We've never sold people's data" into question. Several news outlets, including Gizmodo and The Guardian, have published analyses of the revelations in the emails, focusing on the call tracking we discussed.

Transcript

Liz Denys (LD): Today's episode is the last in our series on securing your laptop and desktop computers.

Geoffrey Thomas (GT): Over the last three episodes, we've talked about "physical attacks to your computers and disk encryption," "backups," and "malware, antivirus, and safe downloads." Our current episode ties up the odds and ends of desktop computing. We have some hardware concerns, like USB attacks, the newer USB-C's eccentricities, and direct memory attacks through Thunderbolt connections, and also software concerns like bloatware and crash reports.

LD: While this wraps up our specific series on laptop and desktop security, we'll certainly find ourselves diving deeper into particular topics in later episodes.

GT: Right, there's no shortage of security topics related to keeping your computers secure. But hopefully by the end of this series, you'll have what you need if you're the type of person who might make a New Year's resolution to better secure your laptop.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

GT: As the holiday season approaches, many of us are going to find ourselves calling up companies more often - telling your credit card company about travel plans or rebooking flights after a winter storm or so forth. But there's a scam on the rise about how you find those customer service numbers.

LD: A blogger in India reported that scammers have been changing the phone numbers in Google Maps for banks near where he lives. When you call them up and give them your account info, they'll steal your data. His local police put out a warning about this, but there's nothing stopping the same thing happening elsewhere in the world, too.

GT: Google Maps has supported user-edited data for a while - it helps them stay current with changes to things like business hours. It's similar to how sites like Yelp and Foursquare work. But that does mean this info isn't quite trustworthy.

LD: And there have been other versions of this attack, too - for instance, scammers will try to get fake customer service numbers to show up before real ones in search results. If you're just calling a restaurant to see how busy they are right now, you might not need to be too concerned if you're actually getting that restaurant, but you probably want to be more skeptical when you might need to share more sensitive information like your finances or the last four digits of your social security number or something.

GT: It's pretty much the same sort of awareness we talked about last episode, about how to download software securely. Make sure you're on the actual business's website over a secure HTTPS connection, and don't be fooled by ads.

LD: Or if you have to call up your debit or credit card, the phone number printed on the back is also a lot better than some user entered data, and it's also quick to find.

GT: A Redditor uploaded a video of an iOS app that scams its users into activating and holding Touch ID, so it can charge the user an in-app purchase of just under $150. This type of scam tells the user to scan their fingerprint to view something and requests they hold it down for some number of seconds. During that time, the app will initiate an in-app purchase that has a high chance of going through before the user notices - because their finger is already in the right position on the home button, Touch ID activates and confirms the transaction very quickly.

LD: This isn't the first app that does this. While Apple tries to keep these sorts of scam apps out of the App Store, you shouldn't rely on Apple alone to protect you from this type of attack - it's always suspicious when something wants you scan your fingerprint, and you should avoid doing so unless you have a good reason.

GT: Touch ID is primarily used for payments and for bypassing having to type a password in, so anything outside of that should automatically raise a red flag. And you should think carefully whether or not you want to use it to bypass logins - both if you trust the app enough and if you think the ease is worth avoiding the password.

LD: I sometimes use this to bypass logins for apps that I believe come from trustworthy sources for the convenience, but I also feel pretty secure in doing so because you can't unlock my phone with Touch ID in the first place. So it actually is a separate form of authentication, and everything is behind my long, strong passcode. If you have Touch ID for unlocking your phone and for unlocking apps, there's not actually an additional layer of security for those apps - if someone can find a way to bypass Touch ID to get into your phone, like while you're taking a nap at an airport or by cloning your fingerprint, they can also get into those apps.

GT: The other way you can protect yourself from these types of attacks is requiring your account password for in-app purchases. iPhones let you select whether or not Touch ID is enough to make in-app purchases or whether you need your Apple account password. Android has a similar feature in its settings menu, so if you don't use in-app purchases frequently on your phone, it's worth briefly checking that this setting is on the least convenient option possible so you don't accidentally get billed.

LD: A UK House of Commons Subcommittee released a bunch of previously sealed documents about Facebook, including a bunch of interesting internal communications. One of the internal memos discusses using the Android "read call log" permissions to influence things like People You May Know and feed ranking.

GT: Android users actually noticed their call and SMS history's inclusion in their Facebook archives earlier this year. Back in March, Ars Technica followed up with Facebook to ask how this data was used, and Facebook said that it was used to "help you make connections to make it easy to find the people you want to connect with". Ars even touched on how Facebook subtly exploited how Android asks and grants permissions as part of their scheme to get this data.

LD: Right, the new information here isn't that Facebook got phone history or even how they got it, but now, these internal memos detail that Facebook knew Android permissions screens often cause people not to grant them those permissions and thus intentionally used a sneaky way around Android permissions dialogs to get this data. A project manager at Facebook even said this permissions subversion was a "pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it".

GT: This speaks directly to a fear I have that companies, especially those who make their money off your data, are going to do everything they can to get that data from you without your realizing it, which is why I'm pretty paranoid about using Facebook in the first place.

LD: I know Geoffrey and I are pretty paranoid people who are often happy to make our lives a little harder to avoid giving out this kind of data, but I actually think this isn't into the tin foil hat realm of paranoia yet. This is actually part of why I have an iPhone - as we discussed in our episode "Comparing Android and iOS security," Apple generally has a security and privacy focused approach to operating system design, and one of the things that Apple has been vocal about over the years is not allowing apps access to your call and text history. I don't think this is a super practical reason to decide that this is a reason you're going to switch phone platforms and go buy a new phone, but I did want to mention that as of now, iPhone users have no known reasons to be concerned about unknowingly giving over call and SMS data to apps like Facebook.

GT: Yeah, it's not really practical to just give up and get a new phone, but a practical step Android users can take is to just uninstall the Facebook app from their phone and just use Facebook in their phone's web browser. This doesn't completely isolate Facebook from all other data on your phone - it can still use cookies and tracking to get information on the other websites you're looking at in your phone's web browser - but it does put Facebook into your web browser's sandbox or snow boot as we called them in our episode "The history of the Web and an introduction to browser security."

LD: You might wonder why we'd recommend this instead of continuing to use the Facebook app on Android, after, say, a reinstall to force it to re-prompt for those permissions and then to deny that app those permissions. There's a couple big reasons for this: first, you're probably already using Facebook in your laptop's web browser, so you're probably already putting yourself at risk of Facebook seeing your other browsing data and hopefully taking steps to mitigate that.

GT: If you want to understand that better, we talk about one of the biggest tools companies like Facebook use to track you in our episode "Web security continued: cookies, plugins, and extensions."

LD: The other main reason we'd recommend Android users isolate Facebook into their phone's web browsers is because where iOS has emphasized security and privacy in its design, Android has valued backwards compatibility. In the March Ars Technica article, they reported that the likely way Facebook got this access without a clear prompt requesting it was through using an earlier Android SDK version to request permissions.

GT: While newer versions of Android have better permissions models than older ones, Android's prioritization of backwards compatibility potentially opens its users up to this kind of exploitation to get more access than users are explicitly granting. Especially given how Facebook went ahead and subtly exploited Android permissions despite how their internal discussions knew this wouldn't sit well with users, we'd recommend you don't give Facebook this opportunity again and avoid using it as an app on Android.

LD: This isn't the only thing Facebook has been using to surreptitiously get more data on its users, and there's a lot of other things detailed in these documents, but as far as personal security goes, this was the biggest thing to be concerned about.

GT: If you're interested in getting a little more insight into how Facebook thinks about your data and its role in general, there have been a couple of analyses of other interesting parts from the documents released by Parliament. We'll link to some of these in the show notes.

LD: There's one final bit of news we wanted to mention, especially because it fits in well with our series on laptop and desktop security. Google security researcher Tavis Ormandy wanted to change what the middle button on his Logitech mouse did and found that this required downloading a 150 megabyte application from Logitech.

GT: The UI seems to be a web page in a miniature web browser - which isn't too surprising, it's a popular option for making desktop applications these days. But more surprisingly, it sets up a WebSocket server so the UI can access the driver, and it does no authentication of requests to that server. Back in our series on web security, we talked about how web browsers place restrictions on websites accessing other websites, as a security design that grew up organically as the web got more powerful. But since WebSockets are a much more recent feature, browsers expect WebSocket servers to enforce authentication and don't restrict access. So any website can connect to the Logitech application running on your computer, and a browser won't stop it.

LD: The researcher found that the messages to Logitech's WebSocket server are pretty simple in format, and can be used to reprogram your keyboard and mouse very easily. Logitech also sells a customizable keyboard that uses this software for configuration.

GT: We'll talk about these sorts of attacks more in a bit, but basically, an attacker could reprogram your keyboard to send keystrokes that copy files back to them or give remote access to your machine.

LD: And this is particularly bad because Logitech exposed this to the web. It would be bad enough if it let any user on your computer, without admin access, to reprogram what your mouse does, but it's particularly bad that any website can do so silently.

GT: Logitech hasn't fixed the issues yet, so for now the best option is to uninstall their configuration tool entirely.

LD: It's also a good reminder to be wary of fancy hardware that needs fancy software and drivers to use all of its features - as we discussed last episode, most devices, including keyboards and mice, don't need custom drivers. If you can get a comparable product that doesn't require installing software or getting new drivers, it's going to be a lot better for your security.

GT: Sometimes, you'll also find pre-installed applications for hardware that came with your computer, and we'll talk a little bit more in the main segment about how to protect yourself. But first, let's dive into Thunderbolt, USB-C, and other ways attackers might try to plug things into your computer.

Interlude music plays.

LD: We talked briefly last episode about the dangers of unknown USB drives - how the OS can't track whether software on the drive should be trusted or not.

GT: But there's a bigger danger with USB devices: you don't know if a USB device is actually a USB drive at all. It could actually be acting like a keyboard or a wifi adapter or something.

LD: Right. A device doesn't actually have to have physical keys to show up as a USB keyboard; it just needs to send messages over the USB protocol and say "Hi, I'm a keyboard, and I'd like to type these letters."

GT: One thing I'm really worried about is all-USB-C laptops, where they even charge over USB-C. Every single connection is potentially a USB connection.

LD: There are also specific dangers with Thunderbolt, which is a high-performance protocol that runs over USB-C nowadays. Thunderbolt extends the internal PCI Express connection to external devices, which lets you do neat things like have external graphics cards or very high speed connections to external hard drives, but this carries a host of security risks.

GT: I don't actually have any USB-C or Thunderbolt devices, so I did a bunch of reading to make sense of all of this before this episode... it's all incredibly complicated. I respect the idea of using one connector for everything, but it quickly gets weird and complex.

LD: Thunderbolt started out as an Intel project called "Light Peak" that used optical connectors, but the they found that the regular copper wires were cheaper and more reliable. They decided to just reuse existing connectors instead of making a new one - Thunderbolt 1 and 2 used DisplayPort, and Thunderbolt 3 uses USB-C.

GT: There's a variety of cables. We won't get into the details here because this isn't a consumer hardware podcast, but basically USB-C has a couple of pins for regular old USB 1 or 2, plus a set of pins for negotiating what each side of the connection supports, some pins for high power transfer, and some pins for a high-speed protocol. The high-speed protocol is usually USB 3, but there's a system of "Alternate Modes," where you can run other protocols like DisplayPort and Thunderbolt over those wires.

LD: For longer Thunderbolt connections you can get an "active cable", which only supports Thunderbolt over the high-speed wires and uses some power to amplify the signal. But even regular USB 3 cables will let you make a Thunderbolt connection, just at slower speeds.

GT: It actually gets really confusing because Thunderbolt itself lets you establish a DisplayPort connection, so apparently if you connect your laptop over Thunderbolt 3 to a monitor, it could either use DisplayPort over USB-C or DisplayPort over Thunderbolt over USB-C.

LD: I actually use a Thunderbolt port a lot to connect to a monitor, but it's my monitor. I got it in a relatively secure way - from a store without any sort of advance notice - so I don't have a strong reason to fear that it's risky to use that Thunderbolt connection, even if it's using one of the Thunderbolt-specific modes.

GT: But that's because it's your monitor, in your physical control, right?

LD: Yeah, I wouldn't connect to someone else's monitor directly with Thunderbolt. I'd use an adapter to DVI or HDMI instead, which doesn't offer the same access to my computer.

GT: Right, so if you're giving a presentation at a hotel or a conference center or something, you should try to avoid connecting to a projector or a big TV over Thunderbolt and use an adapter like Liz mentioned.

LD: USB-C cables usually need a tiny chip inside the cable so they can say what speeds and how much power they support, which, I just feel like cables shouldn't really contain chips. But that's how USB-C works.

GT: On the security side, the important part is that if your computer supports Thunderbolt 3, your USB-C ports are probably all full-featured Thunderbolt ports. And Thunderbolt works by being an extension of PCI Express, a standard originally developed for internal cards like a graphics card or a network card.

LD: This probably includes the port you're using for charging your laptop - the new trend is to use one port for everything. So if you're plugging your computer in just to charge, you now need to be careful that the power adapter isn't secretly a Thunderbolt device.

GT: That said, one thing that isn't enough to support a Thunderbolt connection is a USB-C cable that only supports USB 2 or even just charging. For instance, the charging cables for recent MacBooks are USB-C cables with only the USB 2 and power delivery ports wired up, according to reports from the web. But, generally, USB-C cables tend to be poorly labeled in terms of what they support.

LD: You might wonder why PCI Express is a security concern. So, because PCI Express was originally built for internal use, it has a feature called direct memory access, or DMA for short. An expansion card connected over PCI Express can read and write directly from system memory, without the CPU being involved at all.

GT: This is super important for performance: it's a natural feature for things like your graphics card. If you're playing a video game or watching a movie, it would slow down processing a lot if your CPU were sending a message to the graphics card for every frame. Instead, it puts the data into memory, and the graphics card reads things from memory as it needs them.

LD: Support for DMA is why Thunderbolt is such an effective interface for high-bandwidth storage and network connections. But since a device you plug into can just start reading and writing from the system memory, it's also a serious security risk.

GT: Thunderbolt isn't the first external interface with support for DMA. FireWire has support for it, too, and ExpressCard, a popular expansion interface about 10 years ago for business laptops, was also a way of using PCI Express for new devices without needing to open up your computer.

LD: There were a number of highly visible demos of FireWire attacks: back in 2002, a hack called FireStarter would overwrite the video memory of another Mac with an animation of flames. So one common practice was to avoid plugging FireWire into untrusted devices. But that's less practical now that it affects USB-C, the port you have to use for everything.

GT: On the bright side, there is one technology that's starting to be commonplace that wasn't around in 2002 - a recent CPU feature called the IOMMU. A memory management unit or MMU is the part of the CPU that lets different programs see different views of memory - for instance, your OS kernel can see your current disk decryption key, but your word processor can't. If it tries to access the same memory address, it will find that it's inaccessible.

LD: MMUs have been commonplace since early PCs. IOMMUs refer to input/output MMUs and are much more recent, and they do the same thing to hardware that supports DMA. So your network card can complete a high-speed download by copying into memory it's allowed to see, but if it tries to use DMA to copy into the place in memory where your Christmas shopping cart is stored, the OS will just say, that memory doesn't exist.

GT: Windows 10 systems shipping with version 1803 or newer - as in March 2018 - have "Kernel DMA Protection" on by default, if your hardware supports it. If you plug in a new device and the driver doesn't support IOMMU, it will disable the device if the screen is locked.

LD: Another great reason to lock your screen when you're at a cafe and you need to get more sugar for your tea!

GT: The kernel DMA Protection feature only works on Intel chips - while AMD also has an IOMMU feature, Microsoft doesn't support it yet. Also, they claim that older systems generally will not support the features they want.

LD: On the Apple side, Macs have had IOMMU protections against Thunderbolt by default. There was an attack in late 2016 where the IOMMU was only enabled once macOS started, so an attacker who was willing to reboot your Mac could read old data from memory before it was cleared and before the IOMMU was re-enabled - including your disk encryption password. But that's been fixed now.

GT: There's a similar concern on Macs about locking your machine: in particular, one thing you can connect over Thunderbolt is a FireWire adapter, and as of a few years ago, macOS would still give unrestricted DMA permissions to those FireWire ports, even if your laptop doesn't have FireWire built in. But if you lock your Mac, it will disable DMA for FireWire.

LD: One thing to keep in mind about both the Mac and Windows lock-screen protections is that it protects you from someone trying to plug something in and walking away, but not someone leaving a malicious device attached to your computer and waiting for you to unlock your computer.

GT: Although that's a harder thing to protect against in general - they can install a hardware keylogger or just swap out your keyboard with one that logs what you type.

LD: Yeah, that brings us back to the physical types of attacks we talked about when we started this series. Along those lines, a memory attack is even easier if an attacker has a little more time to just add additional RAM - certain laptops make it easy to upgrade RAM without completely disassembling the machine - and it's true that that would also have a nasty, lasting effect on your system, but the point here is that you don't need that kind of uninterrupted time and unnoticed physical access to execute this kind of attack.

GT: Right, so you should make sure that if you have Thunderbolt ports, you're using an IOMMU, you're locking your screen when you step away, and there's no opportunity for someone to leave something permanently plugged into your computer. But there's another risk, which is regular USB devices. They're not accessing memory directly, but they can still do things you don't want.

LD: Last episode, we mentioned that security keys are a USB device shaped pretty similarly to a "regular" USB thumb drive and can act like a keyboard. This is a feature you might want in a security key, but that same keyboard mode is also a feature that could be exploited.

GT: One particularly good example that's well known among the grey hat crowd is the USB Rubber Ducky, which drives the point home by being shaped exactly like a generic USB drive. But it shows up as a keyboard, and it types some pre-programmed keystrokes.

LD: So someone picks up a Rubber Ducky thinking it's an ordinary thumbdrive and plugs it in, and it starts typing Windows key, then run, then whatever commands it wants. Or it starts up a browser, downloads a file, pauses a bit, and hits enter to get past a warning prompt.

GT: There are also much cheaper options than the Rubber Ducky. Some enterprising folks have found that the firmware on many actual USB thumbdrives can be reflashed, and you can get it to present itself as something other than a thumbdrive - such a keyboard using Rubber Ducky scripts.

LD: If you don't mind assembling things yourself, you can also buy a tiny microcontroller with USB support for under $10, and put it inside a USB drive along with any other electronics you want. Maybe a very small radio.

GT: The point is, it does not cost very much money to build something that looks like a thumbdrive - or any other USB device - and actually shows up as a keyboard or a network card or whatever else.

LD: One of the more worrisome threats is that this circuitry is small enough to fit directly inside a USB cable, regardless of the device on the other end. Researchers have built a USB cable that has a programmed keyboard built in - and it still works as a normal cable, so it doesn't immediately raise suspicion.

GT: There's actually a lot of things to worry about with malicious cables - even if they don't connect to your computer over USB, it's definitely possible to use the power supplied over USB to run a listening device connected to a radio and even a GPS tracker. You should definitely avoid using USB cables or power adapters from people you don't trust - it's safer to carry your own that you got from a sealed package from a reputable store.

LD: In our episode about securing your phone, we talked a little bit about data blockers, which are USB cables or adapters that only permit power through and not data connections, generally by connecting the power pins and not the data pins on each end of the cable. These are great when charging your phone from an untrusted device or one of those USB ports at an airport or one of those LinkNYCs all over town.

GT: If you're charging your laptop over USB-C, though, it seems you're out of luck. In order to send more than a small amount of power safely, there's a USB protocol called the power delivery specification, which seems to need full USB communication. I couldn't find any data-only USB-C cable or adapter that supports the power delivery spec, although I did find someone who used the 100 watts of power to convert their wall-powered Easy-Bake oven to a USB-C-powered Easy-Bake oven.

LD: You know, that means you could build a malicious USB Easy-Bake oven - while it bakes your cookies, it also steals your cookies.

GT: [Groan] Anyway, I guess the point here is that if you're using USB-C to charge your laptop, you really should not charge off of other people's power adapters if you can avoid it. Even the Apple default USB 2-only cable will still let a malicious power adapter show up as a keyboard.

LD: So I've been wondering one thing: if you do end up in a situation where you need to plug in an untrusted USB device, how do you do it safely?

GT: You mean like the thing you mentioned last episode, where an insurer will send you a USB drive containing the policy? Really, I still think the best answer is to call them up and just be like, "I don't have a computer. I can't read this, please send me a paper copy." Or "I have a computer but all the USB ports are broken, please email it to me." Email isn't the world's most secure thing but for an insurance policy it seems fine.

LD: One option is to plug it into a public computer, like one at a library or the local print shop. That way if it starts typing weird things once you plug it in, it can't get to any of your files. Of course, now you have to be concerned about the security of that computer, including a way to get the file off - you probably don't want to log into your email or cloud storage account from that computer. Maybe bring your own USB drive and copy it over?

GT: Another similar approach is to log into a guest account on your computer and then plug it in. You should still be wary in case it tries to switch accounts or bring up an administrator prompt, but if it just tries to download files or run some commands, it will be confined to the guest session.

LD: It's still a case you should avoid if possible. If you run a small business where you get files from customers on USB drives, it's definitely worth switching to getting them over email or some cloud storage option. It would take very little money and effort for an unhappy customer to hand you a USB stick that actually just lets them plant themselves inside your OS.

GT: Speaking of your OS, these days you usually don't get just the base OS when you buy a computer. We'll talk about this more after a quick break.

Interlude music plays.

GT: When you buy a new laptop, it often comes with a bunch of preinstalled software that you might not want. Usually people call it "bloatware," but in a couple of cases, it crosses the line into actual malware. But even regular bloatware might cause problems with your laptop's performance and stability.

LD: For instance, many laptops come with a 30-day trial of some antivirus software. It stops downloading new virus definitions after 30 days, so it's no longer useful, but it keeps starting up automatically and bugging you to pay more.

GT: Like we mentioned last episode, if you want to run antivirus, you should do some research about what products are effective and don't slow down your computer. Whatever vendor managed to get a 30-day trial bundled with your laptop isn't necessarily the best vendor.

LD: There have also been active security problems caused by preinstalled software. A few years ago, Lenovo started shipping its computers with Superfish, an advertising-supported product search app. Where by "advertising-supported," they mean that it would replace ads on web pages with ads that made money for Superfish.

GT: They needed to replace ads on secure HTTPS web pages too, so the way that they did this is that they configured your web browser to trust Superfish as a certificate authority, and intercepted all HTTPS requests. You'd see that the page was secure - but it was secured by Superfish, not by any actual trusted authority.

LD: And they included the same key for certificate signing on every laptop. So this suddenly made the whole HTTPS certificate system useless for Lenovo users: anyone on the web could get a copy of the Superfish certificate and put up fake websites, and browsers on Lenovo computers would claim they're trusted.

GT: This whole market for dodgy preinstalled software seems to be primarily a Windows problem - not because of anything fundamentally different about Windows as an operating system, but because of the way OSes are sold. Manufacturers can customize Windows to preinstall things like drivers, and one of the ways they can keep their prices low is by accepting payments from companies who want their software preinstalled.

LD: Meanwhile, Macs come only from Apple, and Google puts strict requirements on Chromebook vendors: all the driver support needs to be built into Google's version of Chrome OS. While Apple and Google both guide you to using their online services, they're not going to preinstall malware.

GT: To Microsoft's credit, they are working on this problem. A few manufacturers sell Windows Signature Edition, which isn't actually a different edition of Windows at all, just a certification program that the computer comes reasonably clean out-of-the-box. All the computers resold on Microsoft's own online store are Signature Edition, although sometimes they cost up to a hundred dollars more than the regular editions. And a few manufacturers have said that all their machines are going to be Signature Edition.

LD: Microsoft also has a tool that lets you "refresh" Windows 10, basically reinstalling the entire machine and getting rid of any apps or drivers that aren't part of Windows. It does say that it will keep your personal files, but it's safest to take a backup first, or better yet run it right after getting a new PC.

GT: It will keep a bunch of bundled apps that come with Windows, like Skype and the new Solitaire version. Microsoft is adding the ability to uninstall those, and since they come with Windows, they're unlikely to slow down your PC or cause security problems.

LD: I really dislike how a lot of Windows machines ship with things like Candy Crush preinstalled. I know it's a Windows Store app so it's isolated and doesn't start automatically, but still, it's very weird and unnecessary - especially on a so-called Professional edition.

GT: By the way, for those of you whose Windows laptop setup involves downloading a new browser, there's been a handful of problems lately with malware authors buying Bing ads for search terms like "download Chrome." These sites look visually like Google download pages, but they have URLs like "GoogleOnline2018.com", and they'll send you a download that isn't actually from Google.

LD: If you want Chrome, the canonical place to get it is https://www.google.com/chrome. This isn't super different from any other situation where you're downloading software or even checking phone numbers like we mentioned earlier. But if Microsoft Edge and Bing aren't your everyday web browser and search engine, you might not subconsciously recognize ads quite as easily. So just remember to pay a little more attention than usual until you're on your normal setup.

GT: Another thing you might want to set up, especially when getting a new laptop, is crash reporting and telemetry. This is useful for software developers to find and fix bugs, but you might not like the privacy tradeoff.

LD: Software engineers and QA professionals think about what kinds of bugs might happen but computers are incredibly complex and no two people use them exactly the same way and unexpected issues come up. They're inconvenient for you, because maybe the program you're using crashes, and software devs don't want you to experience that! But despite extensive quality assurance work, bugs still might happen that we never expect.

GT: That's why your OS and often individual pieces of software prompt you to send crash reports. If a piece of software crashes or hits an unexpected case, it will log some information about how it got to that point - like what internal functions were called and what versions of code were loaded.

LD: But there's a privacy risk, because some of that information is likely to be personal data. If your word processor's spell checker crashes on a word, the crash report would probably need to know what that word is, so the software developer can replicate the problem. Generally crash reporting tools try to avoid sending too much private data, but sending some personal data is often unavoidable.

GT: There are also telemetry tools - basically remote measurements of what parts of software are used and how often. If Microsoft finds that way more people are using joysticks than they expect and way fewer people are using CD drives than they expect, they might decide to have more engineers work on the joystick code in the next version of Windows.

LD: Different OSes have different policies about what they collect. Of course, they all are generally going to keep private data within the company, but having data stored remotely at all is a bit of a risk.

GT: The license agreement for the Windows Home edition basically doesn't promise any anonymity: you're essentially granting Microsoft permission to look through and send your entire computer's contents if needed. It's unlikely they'll look through it for fun, but they're probably going to lean towards collecting as much data as they find useful to improve the OS.

LD: We've talked in the past about how this isn't much more than the access that basically all desktop software has. But it's very rare for desktop software to intentionally go looking through files - other than malware, of course.

GT: For Windows users, you can configure what sorts of telemetry is sent to Microsoft under the Privacy screen in Settings, but it's a little buried and there are a lot of checkboxes.

LD: I'm antisocial and almost never send those bug reports in, even though when I've worked as a software developer, I've treasured them for debugging. I generally don't encounter a lot of crashes, and if a piece of software I used regularly started crashing often, I'd probably consider turning crash reports on for it.

GT: macOS and Chrome OS also have similar settings for telemetry data and sending crash reports. You can disable these too if you need to, but Apple in particular says they take special care to avoid having data that can compromise your privacy, so if you trust them and think it will be helpful to you to keep reporting your crashes, you might want to leave it on.

LD: One last thing we said we'd talk about is remote access. There are a number of forms of this, ranging from remote desktop control software to streaming files to your TV.

GT: If you're on tech support duty when you're visiting your family for the holidays, you might decide it would be easier if you had remote access to keep things working the rest of the year. Now I'm not saying you should sign up for that - but if you decide that's what you want to do, make sure you aren't letting attackers get to your family's computers too.

LD: Or if you've got a collection of photos or videos you're sharing with your friends from your home computer, there are some precautions to take when setting up that sharing software.

GT: Windows has a built-in Remote Desktop server, as long as you're not using the home edition. But it requires you to open up a port on your home router or firewall, so you can connect remotely to your home network from anywhere on the internet. And the Remote Desktop Protocol hasn't had a great security track record - it's been getting better in recent years but it's still worth avoiding.

LD: One of the problems with it is that it's hard to authenticate that a remote computer is the remote computer you think it is. You might be typing your password to an unknown computer. Most of the mechanisms Windows has to secure Remote Desktop rely on having a corporate network with some infrastructure that most people just don't have at home.

GT: A better option is some desktop-sharing app where you don't need to open a port on either side, but you connect through an encrypted tunnel run by some central service. This does give you a little more risk from the central service's login mechanism, but that's probably a worthwhile tradeoff, since they can protect you from things like floods of login attempts.

LD: For instance, Chrome has a built-in remote desktop feature, where access is tied to your Google account. If you're comfortable with the security of your Google account, it's a pretty good option.

GT: Or if you're helping family on occasion, some chat apps like Skype let you share your desktop temporarily with another user. Because it's part of a Skype conversation, you can make sure you're connected to who you think you're connected to.

LD: There are also some commercial options. Make sure you understand their security - they'll usually quote some fancy security terms that make sense for companies with infrastructure but less so for an individual trying to get it to work on their home network.

GT: And of course all of these options give people full control over your PC, as if they were sitting right at your desktop. Most of them let you set up remote access to not require any confirmation - which is what you want if it's your own computer and nobody's at home to accept the connection, but it is a risk if you're sharing the access to someone else. Even if you don't type an administrator password, they can easily get to all of your files and personal data.

LD: So avoid it if you can. If you just want to be able to edit documents both on your desktop and on your laptop, a better approach is to use some cloud storage service to keep a directory in sync between the two computers. That's a lot less exposure than full remote access.

GT: If you decide you need to keep the files on your own computer - for instance, because they're very large or you're just not comfortable with cloud storage - it's still a lot better to use something built for just file sharing instead of setting up remote access.

LD: And in general, avoid the file sharing option built into the OS: they're usually built for trusted networks, not for access from the public internet. If you trust everyone who's on your home wifi, you can use the built-in file sharing, but don't open up that port on your router.

GT: Even better still: use a separate device. If you can avoid doing your taxes, for example, on the same computer that your friends are logging into, you might as well do that. If you have an old laptop with a broken screen or something, it might still make a good file sharing host, and if something goes wrong, you have fewer files and active browsing sessions open on your older laptop.

LD: If you have a NAS, like we discussed a couple episodes back, they often have file-sharing software that you can install. It's still software you're downloading on a device you need to trust, so take some precautions about what you install and from where, and it will likely require opening a port up for remote access. But giving people access to an app on your NAS is probably better than giving people access to all of your desktop.

GT Make sure to keep the software up to date, either way. There are a few nifty build-your-own-cloud-storage projects - but they tend to be complex web apps, which are the sort of things that have vulnerabilities discovered pretty frequently. As important as it is to keep software patched in general, it's even more important to keep these applications patched, because they're intentionally exposed to the web.

LD: Again, using cloud storage if possible is still a better tradeoff for most people. That's not to say there are no risks - cloud storage providers do have bugs, too, and something could go wrong and expose all the files in that storage service. But for most people that's a lot safer than risking your entire computer.

GT: That wraps it up for our series on physical computer security.

LD: As we mentioned at the start of this episode, we'll still be touching on these issues from time to time, even if we don't make another series on the subject.

GT: Since we're both traveling again for the holidays, we're not going to be doing a recent security news segment next time.

LD: But we will have a few more personal security stories and at least one fun old bit of security news from earlier this year headed your way on the 25th.

GT: If you're celebrating any upcoming holidays, we hope you have a great time and a happy New Year.

LD: P.S. Password manager subscriptions and security keys make great gifts!

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.