SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, or other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 200: TikTok, TV, and Time for a Checklist

Posted on September 28, 2020

On this week’s Checklist, we discuss a rapidly changing App Store story, we talk about streaming services and privacy, and we show you how to keep your wits in a cybersecurity emergency.

This week’s Checklist covers:

TikTok and WeChat: the story so far…

The Trump administration’s plans to ban TikTok and WeChat from U.S. app marketplaces are on hold for now — but that could change very soon.

For those who haven’t been following the story, U.S. politicians have expressed concern over the two apps due to their Chinese parent companies: TikTok is owned by ByteDance, and WeChat by Tencent. They say that China’s national security laws could one day be used to force the companies to hand over private user data to the Beijing government, including data on U.S. users.

There’s not much concrete evidence that the apps are actually doing anything wrong at the moment; however, there has been a great deal of speculation about their privacy practices in the United States and in other countries. Both TikTok and WeChat say that they respect their users’ privacy; and TikTok has said that they don’t even store U.S. user data on servers in mainland China, and would oppose any request by the government to surrender said data. 

It may be somewhat surprising that the United States government can actually ban apps from Google Play or the App Store, but there is legal precedent for this to happen: The International Emergency Economic Powers Act (IEEPA) gives the executive broad discretion to regulate international commerce in times of national emergency, and this could include forbidding U.S. companies from doing business with foreign entities, which is what the Commerce Department is attempting to do vis-à-vis Apple and Google. 

While it’s still unclear exactly what “national emergency” the administration is using to justify the proposed app bans, it may not matter in the end anyway: both apps got a temporary reprieve this week.

TikTok announced a deal with Oracle and Walmart to take over some of the app’s U.S. operations, a proposal that seemed to satisfy the White House; meanwhile, a judge blocked the WeChat ban in response to a lawsuit filed by the app’s users.

If the TikTok–Oracle–Walmart deal falls through, then the TikTok ban may be back on: we should know more by next week (the deadline to finalize the deal is September 27). The legal wrangling over WeChat will likely be a more protracted process.

If either of the app bans goes through, and Google and Apple aren’t allowed to offer an app in the U.S., then users should probably remove the banned app from their devices. That may be a bitter pill for some folks to swallow, but it’s likely the wisest course of action from a security standpoint. Because security patches are delivered through the App Store and Google Play, users with existing installations of a banned app won’t be able to get important updates, which could leave a vulnerability unpatched and, in the worst case, lead to a compromised device.

In addition, everyone should be aware that high-profile tech stories like this often result in social engineering and phishing scams. Hackers know that people are aware of the issues with TikTok and WeChat, and the possible impending bans. There has already been one case of a fake Android app (which turned out to be spyware) being offered as “TikTok Pro”; in the event of an actual app ban, we can expect to see more of these fake apps, as well as phishing links to fake updates. If you receive any email, message, or pop-up related to TikTok or WeChat, be extremely cautious — and follow best practices for spotting a phishing email. 

In America, TV watches you!

It’s election season in the United States, and if you use a video streaming service, you’ve probably noticed an, ahem, “considerable uptick” in political ads. According to research by the Mozilla Foundation, these ads may be micro-targeted at you specifically, and may not be checked for accuracy.

Mozilla says that streaming platforms are alarmingly opaque, with few tools available to help viewers get better insights into political ads or the organizations behind them. While many platforms have policies in place designed to prevent misleading or manipulative content, it’s less clear what — if anything — they’re actually doing to enforce these policies. 

In addition, Mozilla’s research found that streaming platforms are set up to provide incredibly detailed ad targeting to advertisers, at a level of granularity that they liken to Facebook (not exactly a heartening comparison for privacy-conscious viewers).  

We know that websites and apps track us, and that even podcasts (though not this one, thankfully!) engage in tracking. Now it seems that we need to add entertainment platforms to our list of privacy threats as well — a concern which will no doubt be relevant even after the upcoming elections. 

Checklist for a security crisis

Last week, a friend of the Checklist fell for a phishing email on their phone, and the bad guys made off with their Apple ID. Luckily, they weren’t using their Apple ID for much (just for Apple Music).

When our friend reached out to us for advice, they’d already taken some excellent first steps to contain the damage, and our team was able to come up with a few more suggestions to help them mitigate their risk. 

But what struck all of us (after the dust had settled) was just how hard it is to think clearly, and to remember everything that you need to do, in the immediate aftermath of a security incident.

Instead of relying on your memory when you’re, well, kind of freaking out, it would be better to have a checklist of steps you should take: something concrete that you can refer to, and that will help you keep calm and take quick action. 

That’s why we put together this emergency account compromise checklist. Bookmark it; download it; or print it out and stick it on your refrigerator — whatever you like — but keep it around in case of emergency.

Security Crisis Checklist

  • Change your account password immediately (ideally from another device, if you think there’s a chance you may also have been infected with malware)
  • Cancel any credit cards associated with the affected account
  • If you were using the same or a similar password on other accounts, change the passwords for those accounts too (again from a separate device if malware is a possibility)
  • If you were using the same or a similar password on physical devices, for example IoT devices or Wi-Fi routers, then change those passwords too
  • If you clicked on a suspicious link or went to a sketchy website, use a good malware detection and removal tool to scan your system for malware
  • If the hackers claimed to be from a large organization (such as the IRS or Apple), see if there’s a way to report the phishing email to them, so that you help keep others safe
  • In the coming weeks and months, monitor your credit report and all financial accounts for signs of suspicious activity or identity theft
  • In the coming weeks and months, be on the lookout for follow-up social engineering or phishing attacks, or suspicious account reset attempts, as the bad guys may use stolen personal information to attack you again
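The hardest step on that list to do by memory is the third one: figuring out which other accounts used the "same or a similar password" as the one that was just stolen. The script below is an added example (it is not part of the Checklist show notes or SecureMac's own tooling) that shows one way to do that triage against a locally exported password list. It assumes a dictionary of account name to password (the `SAMPLE_VAULT` values are constructed for illustration), treats passwords as "similar" when they match after case-folding and stripping a trailing run of digits or symbols, or when they are within a small edit distance of each other, and reports every other account that should get a new password.

```python
import re
from typing import Dict, List

# Constructed sample export: account -> password. These are made-up values
# for the example, not real credentials.
SAMPLE_VAULT: Dict[str, str] = {
    "apple-id": "Summer2020!",          # the compromised account
    "bank": "Summer2020!",              # exact reuse
    "router": "summer2019",             # same word, different year
    "iot-camera": "Summer20!",          # same word, shorter suffix
    "shopping": "Sumer2020",            # one-character typo variant
    "email": "correct-horse-battery",   # unrelated
}

# Trailing digits / punctuation are what people most often change when
# they "rotate" a password, so they are ignored when comparing.
_TRAILING_VARIANT = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(password: str) -> str:
    """Case-fold and drop a trailing run of digits/symbols.

    If stripping would leave nothing (e.g. an all-digit PIN), keep the
    case-folded original so two different PINs are not treated as equal.
    """
    folded = password.casefold()
    stripped = _TRAILING_VARIANT.sub("", folded)
    return stripped or folded


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute) with O(min(len)) memory."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,                 # deletion
                current[j - 1] + 1,              # insertion
                previous[j - 1] + (ca != cb),    # substitution
            ))
        previous = current
    return previous[-1]


def is_similar(p1: str, p2: str, max_distance: int = 2) -> bool:
    """True if two passwords are the same or near-identical after normalization."""
    n1, n2 = normalize(p1), normalize(p2)
    if n1 == n2:
        return True
    # Very short stems make edit distance meaningless; require an exact match.
    if min(len(n1), len(n2)) < 4:
        return False
    return levenshtein(n1, n2) <= max_distance


def find_related_accounts(compromised: str, vault: Dict[str, str]) -> List[str]:
    """Return the other accounts whose password is the same as or similar to
    the compromised account's password, sorted by account name."""
    stolen = vault[compromised]
    return sorted(
        name for name, pw in vault.items()
        if name != compromised and is_similar(stolen, pw)
    )


if __name__ == "__main__":
    for account in find_related_accounts("apple-id", SAMPLE_VAULT):
        print(f"change password for: {account}")
```

Run it against your own export and every account it prints gets a fresh, unique password (from a separate device if malware is a possibility, per the step above). The edit-distance threshold of 2 is a judgment call: raise it and you get more false positives to review, lower it and a "Summer2020" versus "Sumer2020" variant slips through.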

That brings us to the end of another Checklist.

We’re looking forward to many more episodes in the future, and we’d love your help with that: If you want to propose a topic for discussion, suggest an interesting interview guest, or just want to ask a security question that we can answer on the podcast, please reach out and let us know.
