Checklist 159: What That and Tencent Will Get You

This week on the Checklist, we’ll look at a troubling connection between Apple and the Chinese government. We’ll revisit the issue of IoT security (spoiler: It’s not getting any safer out there). And we’ll round out the list with a reminder that when it comes to cybersecurity, sharing is caring!

This week’s Checklist is: 

• What Website Warnings and Tencent will get you
• Security and an Internet of Things thing
• And would you please join our street team? We offer benefits! 

Apple’s silent partner

Last week MacRumors reported on a connection between Apple and Chinese tech giant Tencent.

It turns out that Safari’s Fraudulent Website Warning feature—both in iOS and macOS—was relying on Tencent’s servers to handle some of the workload required to keep the service running.

For those who aren’t familiar with what the Fraudulent Website Warning feature does, it’s basically just a way of keeping Safari users safe by letting them know when they’re about to visit a website that has security issues or seems suspicious in some way. 

The Safari feature works in partnership with Google, which maintains a database of these problematic websites. Google’s servers send Safari a truncated and encoded list of malicious URLs. If you try to visit a site that Safari matches to one of these truncated, encoded URLs, it will send the full URL to Google, which will then send Safari the full version of the URL in its database. If the two full URLs match, Safari will show you an alert.

That’s a lot of traffic going back and forth between Google’s servers and your device—and with each “ping”, Google is able to see your IP address and other system information…along with the sites you’re trying to visit. IP addresses are significant in terms of privacy, because they are very closely tied to geographic location. In other words, Google knows what you’re looking for, and where you’re searching from.

In and of itself, that might not be cause for too much concern. But what came out last week—and what Apple was not as forthcoming about as they probably should have been—was that they were relying on Tencent to play the part of Google for users in mainland China. While Tencent is a vast conglomerate which provides many services to the Chinese market, they are also very closely tied to the Chinese government, which raises obvious privacy and even human rights concerns for Safari users in China. This is because it’s possible that the government—via Tencent—could access the IP addresses of people who were trying to perform searchers or visit sites that the government doesn’t like.

There are, however, two ways to opt out of sharing your IP address and web activity with Google and Tencent.

First of all, you can use a VPN if you want to make sure that no one is looking at your IP address—and this is the option that we recommend. For iOS, Guardian Firewall + VPN is an excellent choice. There are various desktop VPNs which are both reputable and effective as well.

Unfortunately, users in China or other countries which restrict access to VPNs may have trouble using these—especially since Apple acceded to China’s demands to remove VPNs from the App Store there. And of course, some folks simply don’t want to use VPNs for their own reasons. For this group, there is a second option: Turn the Fraudulent Website Warning feature off. To do this, go to Settings > Safari. Once there, simply toggle the Fraudulent Website Warning option to off.

Staying safe in a world of Things

A recent article from Computerworld did a deep dive into all the reasons why we need HomeKit enabled routers ASAP.

HomeKit routers will allow you to restrict access for every smart device on your network—meaning no one outside your network will have access. The routers will also allow for less restrictive settings, if that’s what you prefer. 

The problem is, these routers haven’t hit the market yet, and it’s anyone’s guess when they will. So why the urgency?

Because IoT devices are notoriously insecure—and can be used as a toehold for a malicious actor looking to find a way onto your network. And if attackers do manage to get onto the network, they can go on to steal your data or infect your devices with malware. The attacks are already coming—and they’re getting worse. Kaspersky Labs conducted a study which detected over 100 million attacks on IoT devices in the first half of 2019. That’s a huge increase over the previous year, likely driven by a combination of automated attacks and the increasing proliferation of IoT devices (devices which are often rushed to market and not built with security in mind).

It seems that once again, the first line of defense in cybersecurity turns out to be…you.

So what can you do to keep your smart home safe? Luckily, there are some extremely basic precautions you can take to lock down the IoT devices on your network while you’re waiting for HomeKit routers to come out:

Create strong, unique passwords for your smart devices (and change the usernames if possible). Many IoT things ship with default credentials—and homeowners simply never get around to changing them. As you can imagine, a refrigerator with the login/password combo of “admin/admin” or “default/default” is extremely vulnerable! 

Always update everything—not only the OSes and security software on your main computers and mobile devices, but also the software and firmware on your IoT things as well. When companies become aware of a vulnerability (often after a bad actor tries to exploit it), they’ll almost always rush out a patch—but this only helps you if you’re regularly updating your devices. 

Use a VPN on your computer and mobile devices whenever possible, and make sure you’re running strong, reputable antivirus software on your desktop system.

Consider placing a sort of “homemade firewall” between your smart devices and the rest of your digital world. Set up a separate, non-public WiFi network just for running IoT devices. Create a dedicated email address which you only use to register new devices.

If a device seems to be acting strangely, or performing sluggishly, reboot it immediately. Odd behavior or degraded performance can be a sign of a malware infection, since bad actors will often hijack IoT devices for their computing power, which can then be used alongside other infected devices to launch cyberattacks or mine cryptocurrency.

Start spreadin’ the news

A recent Pew study revealed that a shocking number of Americans are still confused about basic cybersecurity topics like 2FA, encryption, private browsing, and other things which our Checklist listeners have heard about multiple times.

There were a few rays of hope: The study seemed to indicate that people were more aware of phishing threats and the privacy issues posed by tracking cookies—perhaps due to high-profile stories about successful phishing attacks and the efforts of security-themed blogs and podcasts like SecureMac and the Checklist.  

Still, only a small minority of folks could identify examples of two-factor authentication, and the majority seemed unaware that private browsing doesn’t actually hide your web activity from websites, ISPs, or network admins. 

There is, it seems, still much work to be done in order to get the word out about cybersecurity and help create safer communities—which is the real mission of the Checklist and the SecureMac blog.  

If you listen to the podcast, or read our show notes and our blog regularly, you’re probably one of that small group of people who are genuinely savvy when it comes to  cybersecurity. And yet if we had to guess, we’d say that you (like us!) are probably still discovering new things about digital security and privacy all the time—and the more you listen and read, the more you learn. There’s a lot to know, and being exposed to a regular conversation about these issues is one of the best ways to learn.
That’s why we’d like to ask your help: Please tell your friends, coworkers, and family about this show, and this blog. And if you happen to know someone who really seems “out of the loop” when it comes to security—maybe someone who uses “password” as a password, or doesn’t see the point of 2FA—we’d like to invite you to send them our way. Tell them to drop us a line at checklist@SecureMac.com! We’d be happy to answer their questions or clear up any points of confusion (we promise we won’t scare them too much).