Signal SMS: A Quick Plug

I just want to take another opportunity to hawk the Signal SMS app. It’s a good client, it’s run by one of the smartest and seemingly nicest people in security today, and it’s funded as a nonprofit.

Why do I mention it? This is a little political, but it’s related to everyone’s privacy and security, so I’m going to chime in about this tidbit that came out this week:

According to a transparency report (PDF) released by the Office of the Director of National Intelligence, the agency got its hands on 534 million call and text records from telecommunications companies like AT&T and Verizon in 2017. That’s over three times the number (151 million) it collected in 2016, which was the first full year since new surveillance rules under the USA Freedom Act took effect.

Google Advanced Protection

Google has introduced the Advanced Protection Program. As far as I can tell, these are the big takeaways:

To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.

The physical key in this case looks like it's a YubiKey.

When you sign up for new apps or services, you are sometimes asked for access to your data, like your emails or documents. By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.

To protect you from this threat, Advanced Protection will automatically limit third-party apps from accessing your most sensitive data – your emails and your Drive files.

I suspect this is going to be implemented more broadly over time to non-Advanced Protection accounts, but we’ll see.

A common way that hackers try to gain access to your account is by impersonating you and pretending they have been locked out of your account.

To provide you with the strongest safeguards against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.

Another feature that will probably trickle, at least in part, into mainstream account protection, but yeah.

Looks like it’s intended to target high-risk Google users as customers, but it’s free, so I’m imagining a number of tech folks will hop on board too. Looking into signing up for it myself this morning.

I’d like to write up something about the WPA2 flaw ongoing but I’m waiting for a bit more to develop.

Paper problems

A timely reminder that good information security practices don’t necessarily have anything to do with computers:

The health insurer Aetna is facing criticism for revealing the HIV status of potentially thousands of customers after it sent out a mailer in which information about ordering prescription HIV drugs was clearly visible through the envelope’s clear window.

For example, in a letter sent to a customer in Brooklyn, the window revealed considerably more than the address. It also showed the beginning of a letter advising the customer about options “when filing prescriptions for HIV Medic … .”

It’s funny; usually those envelope letter windows are considered best practice because they lower the risk of address/letter mix-ups. In this case, though...