Why fingerprints should not be used for access control

A presentation at the Chaos Communication Congress (a large hacker convention in Hamburg, Germany, that attracted about 10,000 visitors this year – sort of, kind of, like Defcon here) demonstrated the ability to reproduce a target subject's fingerprints from nothing more than photographs.  Reports in PC Magazine say that the researcher, Jan Krissler, took photographs of Ursula von der Leyen, Germany's Federal Minister of Defense, while she was speaking in public.  From those photographs he was able to create fingerprints.

Of course, having the fingerprints is not very useful unless you have a use for them – like a stolen iPhone or perhaps a door system that is controlled by a fingerprint reader.

It has been known for a long time that you could lift fingerprints off a smooth surface like a glass that the target used, but this is the first time that I am aware of fingerprints being recreated from a photograph.

Let's assume that, unlike Apple Pay, you have to use your fingerprint plus a PIN.  If so, having the fingerprint doesn't totally compromise the system, but it reduces the security of the system to that of a PIN alone, which is not very good.

Unlike a password which can be different for different purposes, using your fingerprint would be the same for different purposes, increasing the damage from the crime of a stolen fingerprint.  In theory, you could use all 10 fingers, but do you really think people are going to remember which finger they used for each web site?  Didn’t think so.

Therefore, the big problem is this: how do you go about requesting a new fingerprint after your old one is compromised?  Not quite sure about that one.

Apple, to their credit, wanted something that was easy to use.  Unfortunately, most of the time, easy to use means easy to compromise.  And sometimes it also means hard to recover from that compromise.


Is your encryption secure? – Sure, just like flying pigs (keep reading)

Der Spiegel wrote an article on efforts by the NSA and GCHQ (their British equivalent) to crack encryption of various sorts.

Take the article for what it is worth; it is based on documents that Snowden released, so it is a little bit old.

I apologize that this post is pretty long, but there is a lot of information in the article and I think it is useful to understand what the state of the art is.  If you think the NSA is, in any way, trying to accomplish different goals than say the Russian FSB, then you are wrong. They are likely ahead of the hacker community only because they have a $10 billion annual budget.

For most people, keeping the NSA out is not your goal, but if the NSA figures out a sneaky way to break something, it is likely that, at some point, a hacker may figure it out too.  If the NSA has to spend a million dollars to crack something, that is probably out of the realm of possibility for hackers – until next year, when it costs a quarter of that.  Unless, of course, that hacker works for an unfriendly government.

The Cliff Notes version goes like this.  If you want a longer version, read the article :).  When I refer to the NSA below, I really mean all the NSA-like agencies in every country, friendly or not.

  • Sustained (meaning, I assume, ongoing) Skype data collection began in February 2011, according to an NSA training document.  In the fall of 2011, the code crackers declared their mission accomplished.
  • Since that same time (February 2011), Skype has been under order from the secret U.S. FISA court to not only supply information to the NSA, but also to make itself accessible as a source of data for the agency.  Whatever that exactly means is unclear, but it is likely not good for your privacy.
  • The NSA considers all use of encryption (except by them, I assume) a threat to their mission and it likely is.  If they cannot snoop, what use are they?  If people start using high quality encryption, they will make the snoop’s jobs that much harder.  But not impossible.
  • If you look in the dictionary for the word “packrat”, it will say, “see U.S. NSA”.  They hoard data like you would not believe.  In fact, the rules that govern how long the NSA can keep data exclude encrypted data.  That they can keep forever.  So, if they ever figure out how to decrypt something, they can go back and look at the stuff that they have in inventory and figure out how much of that they can now decrypt and analyze.
  • In the leaked Snowden documents was a presentation from 2012 talking about NSA successes and failures regarding crypto.  Apparently, they categorize crypto into 5 levels from trivial to catastrophic.
  • Monitoring a document’s path through the Internet is considered trivial.
  • Recording Facebook chats is considered minor.
  • Decrypting mail sent via the Russian mail service Mail.ru is considered moderate.
  • The mail service Zoho and TOR are considered major problems (level 4).
  • TrueCrypt also causes them major problems, as does OTR, the encrypted IM protocol.  The TrueCrypt project mysteriously shut down last year with no explanation.  Was it because the NSA was pressuring them?  No one knows, or if they do, they are not talking.
  • It seems clear that open source software, while it probably contains as many weaknesses and bugs as closed source software, is much harder for organizations like the NSA to compromise because people CAN look at the source code.  Most people don’t have the skills, but there are enough geeks out there that obvious back doors in the code will likely be outed.  With Microsoft or Apple, that check and balance does not exist.
  • Things become catastrophic for the NSA at level 5.  The IM system CSpace and the VoIP protocol ZRTP (the Z stands for Phil Zimmermann, for those of you who know of him) are or were level 5.  ZRTP is used by Redphone, an open source, encrypted VoIP solution.
  • Apparently PGP, although it is 20 years old, also lands in the NSA’s category 5.
  • Cracking VPNs is also high on the NSA’s list. The Der Spiegel article doesn’t go into a lot of detail here other than to say that the NSA has a lot of people working on it.  They were processing 1,000 VPN decrypt requests an hour in 2009 and expected to process 100,000 per hour by the end of 2011.  Their plan, according to Der Spiegel, was to be able to decrypt 20% of these – i.e. 20,000 VPN connections per hour.  That was in 2011.  This is almost 2015.  You do the math.
  • The older VPN protocol PPTP is reported to be easy for them to crack, while IPSEC seems to be harder.
  • SSL, or its web nickname HTTPS, is apparently no problem for them at all.  According to an NSA document, they planned to crack 10 million SSL connections a day by 2012.
  • Britain’s GCHQ has a database called FLYING PIG that catalogs SSL and TLS activity and produces weekly trend reports.  The number of cataloged SSL connections in FLYING PIG for just one week for the top 40 sites was in the billions.  This is a big database, apparently.
  • The NSA claims that it can sometimes decrypt SSH sessions (I assume this is due to the user’s choice of bad cryptographic keys).  SSH is often used by admins to remotely access servers.
  • NSA participates in the standards processes to actively weaken cryptographic standards – even though this ultimately hurts U.S. businesses; it also furthers the NSA’s mission.
  • The NSA steals cryptographic keys whenever possible.  Why do things the hard way when the simple way is an option?

While most hackers are not as smart or well funded as the NSA or the British GCHQ, sometimes luck is on their side.  Other, less friendly governments (think Iran, for example) might be willing to spend hundreds of millions of dollars to mess with the U.S., and since they don’t have to pay their scientists very much (the alternative to working for those governments might be being dead), their money likely goes further.

Would Iran or someone like them enjoy taking down the northeast power grid and darkening the U.S. from Boston to Virginia?  To quote a former vice presidential candidate – You betcha.  If they could damage the grid so that it took longer to get the lights back on (see the item from the other day on the attack on the German steel plant), would that be an extra benefit?  You betcha.

So while I am using the NSA as an example, you could just as easily replace that with Iran, or Russia or China.

Being prepared is probably a good plan.



Hackers break in to German steel mill and cause “serious damage”

BBC and others are reporting that a German steel mill was hacked.  The report came not from the news media or the mill, but rather the German Federal Office for Information Security (BSI).

As a result, not a lot of details are known, but the reports are new, so perhaps more information will come out in time.

Apparently, the hackers started out the usual way – spear phishing attacks on the business network.  Once in, they used that access to get access to the factory floor network.

Using that access, they were apparently able to take over a blast furnace used for melting steel and stop the plant from shutting the furnace down in a normal fashion, causing “massive” damage.  Exactly what that means is unclear, but it was apparently significant enough for the BSI to report on it.

What are the takeaways from this little bit of information that we have?

1. There apparently was not enough separation between the factory floor network and the business network.

2. There apparently were not enough safeguards in the factory control system to retake control of the physical factory after hackers got into the network.

3. Possibly, there was not an adequate incident response plan to deal with a situation like this.

4. Cyber attacks can cause “massive” physical damage.

2015 looks to be an interesting year.



Major breaches of 2014

This is the time of year that people make lists, so I will also.  These are not in any particular order, but the total is pretty amazing.  I had already forgotten some of these —

  • Michaels and its subsidiary Aaron Bros Art Framing (January) – 3.4 million records, credit and debit card information from their POS system
  • LivingSocial (April) – more than 50 million records; names, emails, birthdays and encrypted passwords stolen.
  • eBay (May) – an unknown number, but eBay asked all 145 million customers to change their passwords, so we might assume it was all of them.  Usernames, encrypted email addresses and passwords were stolen
  • American Express (June) – almost 76,000 California residents.  Names, account numbers, expiration dates and CVV numbers were stolen.  While the number of cards stolen is relatively low, since Amex doesn’t have the traditional card credit limit, the rewards might be priceless
  • P.F. Chang’s (August) – exact number unknown.  Credit card numbers, expiration dates and customer names were reportedly stolen
  • Staples – 1.16 million cards.  Staples said the hackers got customer names, card numbers, expiration dates and CVV numbers.
  • Snapchat (October) – almost 98,000 files were stolen and posted on The Pirate Bay.  Again, not a large number, but an unfortunate number of the pictures were child porn – selfies from kids under the age of understanding, err, 18.
  • The Home Depot (September) – 56 million credit cards and an additional 53 million email addresses.
  • JP Morgan Chase (October) – 76 million households and 8 million small businesses.  Chase said that the hackers only got names, addresses and phone numbers.
  • Sony (December) – hackers broke into Sony’s network, erased hundreds if not thousands of machines, stole tens of millions of files and almost got the movie The Interview cancelled.  Sony is still doing damage control and trying to recover.

All in all, that is a lot of compromised information.

Sources: Las Vegas Review Journal, Krebs On Security, Business Wire, Risk Based Security

How to shut down an entire factory with one text message

Seems far-fetched, but it is not.

Of course, it is expensive.  It took Stephen Hilt almost two weeks and $400.  Of course that is the “quantity one” price.  With a little work and volume, the price would go down.

Dark Reading is reporting that Stephen, who works for the industrial control security firm Digital Bond, took a normal factory automation controller case, added a few off-the-shelf components like a Raspberry Pi CPU and a DroneCell cellular modem, added a dash of Metasploit-like software and VOILA!, the factory is toast.

The DroneCell card allowed Stephen to bypass the air gap; the software allowed him to issue a stop command to every controller on the network, and the factory or power plant comes to a complete halt.  Now all he has to do is send a text message to his cell card to start things off.

All in the case of an Allen Bradley PLC controller.

Next he would need to pay off some disgruntled maintenance person at the plant to install it.  That might cost him another hundred bucks.  Or, if that person is really disgruntled, he might do it for free.  He could get a job with a contractor that maintains the plant and get PAID to install his attack tool.

Given the state of (lack of) controls at most factories or utilities, if the very normal looking box was stuck in an out of the way place, it might take a while to find it.  IF they even think to look for a rogue controller.  Shut down the plant every week or two at random times and watch them scratch their heads.

Stephen does give credit where credit is due. The idea came from a similar but different effort by DARPA and the Department of Energy’s Idaho National Laboratory who built a hacking tool inside a power strip.


SS7 flaws enable listening to cell phone calls and reading texts

SC Magazine is reporting that a flaw in Signaling System 7, the telephone industry standard for setting up, managing and tearing down phone calls, allows anyone to listen in on cell phone calls, read texts and locate a user.

Two separate researchers have identified the flaw and are going to demonstrate it at a hackers conference in Hamburg.

SS7, a protocol built in the 1970s by the major phone companies and now an international standard, was built long before security was a concern.

The Washington Post reported that countries were buying systems to exploit these weaknesses and use it to locate cell phone users.

One should assume that every major spy organization knows about this and has been using it forever.

This “hack” was tested on 20 carriers’ networks around the globe with 100 percent success.

The logical conclusion would be that you should assume that cell phone conversations, absent an extra layer of security, are guaranteed compromised.

An additional fun fact is that the conversations can be recorded and decrypted later.