Tag Archives: Biometrics

Security News for the Week Ending August 16, 2019

Unencrypted Biometric Data Database Found

A database called Biostar2,  of the fingerprints and face Scans of over a million people that are used by police, defense contractors and banks was found unencrypted and exposed on the Internet.  That was bad enough.

Then the article said that the database included user names, passwords and other personal information.  Can this get worse?

Yes.  The database was writable, so a hacker could add names to it.  How could that possibly be used for bad purposes?

The story goes downhill from there.  Source: UK Computing.

 

Is Your MacBook Allowed to Fly?

15 inch MacBook Pros purchased between September 2015 and February 2 017 are now banned from airliners by the FAA, even in the cabin due to the risk of catching fire.  I am not sure how the airlines plan to deal with this ban as it is basically serial number related.  In any case, if you own one, Apple will repair it for free, so you probably should do that.  Source: PCMag.

 

Capital One Hacker Breached Many Companies

Paige Thompson, the hacker being charged in the Capital One breach, may have hacked as many as 30 companies, although the Justice Department is not saying who.  Media reports say the companies include Vodafone, Ford, Michigan State University and the Ohio Department of Transportation, among others.  I am guessing that at some point these organizations will be forced to disclose that they were breached.  Source: Techcrunch.

 

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update:  The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper.  All computers and servers were turned off and the city disconnected from the Internet.  While writing a receipt by hand for your library fines is quaint and works, I am not what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000,   We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks.  Source: City of del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion.  Retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent.  China is a very important growth market for China since most of the western world is i-saturated.  If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales.   Given that an iPhone XS max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead.  Apple’s stock has taken a tumble from $230 on October 3 to to $153 on January 10.  While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue).  Not to worry though, Apple still has over $100 billion in cash in the bank.  (source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm.  In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China).  This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above.  (Source: Bleeping Computer).

 

Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hoster’s systems – holes that would allow for an account takeover.  The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage.   It is reasonable to assume if we found these holes, there are more to be discovered.  In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management.  Just because a vendor is big does not mean that it is secure.  Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now.  Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors.  Of them, 5 did not always use multi-factor authentication when accessing missile information.  They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.

 

Peace Sign Could Mean Trouble – For Your Identity

Japanese researchers released a paper talking about the (hypothetical) risk of flashing the peace sign.

As we saw a couple of years ago with a German politician, a high definition photo from close enough (a few meters away according to the researchers) , with the right lighting, allowed the researchers to replicate the fingerprint.

Apparently, in Japan, taking selfies with the peace sign is popular, so people are posting many pictures with their fingers in them with their prints facing the camera.

While Snopes went all crazy on it and said the article was no longer there, it is there tonite, at least for me.

Since we know that this has already been done, there is really not much new here.

What is important to understand is that this is technically feasible and will only become more practical for an actual attack as digital cameras get better or people take better photographs.

In fairness to Snopes, they didn’t deny this was possible, they suggested that we should not panic.  I agree with Snopes on that, there is always time to panic later.

However, this is a good opportunity to point out that people are using biometrics in the place of passwords and I suggest (and many people agree) that this is a terrible idea.

One more time, we are trading security for convenience.

If you lock your iPhone with your fingerprint and someone compromises your fingerprint, how do you change your fingerprint?  I guess, the good news is that most people have ten fingers so you can keep rotating fingers until you run out.  If your fingerprints are compromised several at a time (say by lifting the prints of all of your fingers of one hand off a glass, then you might only be able to change it one time.

For most people, protecting their iPhone (and I am only using Apple as an example) is a pretty low priority and a low risk.

For other people biometrics protect a higher value asset, such as a safe.

For those of us who have seen Mission Impossible and other movies, they use biometrics incorrectly.

There is a distinction to security folks, between identifying someone and authenticating them.

Using biometrics to identify a person is fine.  Think of using your fingerprint (or iris or retina or other biometric) as a replacement for your user NAME, not your password.

Using it in that way is fine because it is not required to remain secret.

In data centers it is common to use biometrics to control access.  You look into a retina scanner or use a fingerprint to identify yourself.  Then you enter an 8 digit, for example, PIN to authenticate that it is really you.

This is a form of two factor authentication, there are two things that are required to gain access – something you have – like a fingerprint or hand geometry and something you know – a PIN.

So while I agree with Snopes that we should not panic over this Japanese report, I also think it is a reminder about the appropriate way to use biometrics and that is NOT to use it for authentication.

We have seen a few cases where law enforcement has forced people to press their finger on their phone to unlock it.  This is because your fingerprint is something your have.  There have been way fewer courts that have said that you can be compelled to unlock a device protected by a password.  That subtle distinction – something you have vs. something you know, makes all the difference when it comes to the Fifth Amendment.

And, on a more practical plane, whether it is the Japanese or the Germans or anyone else, you just make life much harder for the bad guys if you use two factor authentication.

So, it all boils down to security or convenience.  Your choice.  And all risks are not created equal, so sometimes convenience is fine.  Just not always.  Just make an informed decision.

Information for this post came from Japan Times and Snopes.

Why Biometrics Are Good For Identification, Bad For Authorization

I have never been much of a fan of using your fingerprint or eyeball print as a way of gaining access to something – whether it be your phone or a data center.  There are a number of reasons why, but now we can add a new one to it.

The Chaos Computer Club demonstrated (see article in Tech Crunch) a way to capture a fingerprint and fake the iPhone’s fingerprint reader out.  Some fingerprint readers are even easier to fake – you can fool them with a fingerprint on a gummy bear.

Now mind you, their attack some some serious work and for most people, who don’t even put a PIN on their phone, the fingerprint is a serious upgrade.

For those people who are paranoid, the courts have held that you can be forced to stick out your finger to unlock your phone while you cannot be forced – without being given immunity – to give up your password.  Also, you can, conveniently, forget your password.  It is hard to forget your finger.

Suffice it to say, biometic information can be captured, with different levels of difficulty and if that information is used for authorization (i.e. unlock your phone), it is possible to unlock your phone without your approval.

One way to get around this is to use biometics to identify the user and a password to authorize that user, but that is inconvenient, so, except for high security environments – such as data centers – that is not often done.

Now today’s new problem.  Agic (see their web site) has created a technology that allows you to print a computer circuit board on your ink jet printer.  Swap out the ink cartridges with their ink and use their paper and you can print a circuit board.  Put some components on it and you have a real circuit.

How does this relate to biometrics.  Well, apparently, it turns out that the capacitance of this ink and paper combination is such that you can print a fingerprint on their paper, using their ink, and that fingerprint has the right capacitance to fool many fingerprint readers.

This means that you can take a picture of someone’s finger, invert the ridges and grooves and print it.  They claim to have unlocked a Samsung Galaxy S6 using this technique.

It also means that if you forget your finger and you took a picture of it and put it in your wallet, you can still unlock your phone.

The point is that there should be a distinction between IDENTIFYING who you are and AUTHORIZING your access – and vendors are collapsing the two.

That being said, given that many people don’t even put a PIN on their phones (Marissa Mayer, CEO of Yahoo famously said that it was too much work to do that (see article), so  using a fingerprint is a huge step up.  But for those people for whom security is important, I do not recommend using a fingerprint at this time.  An Alphanumeric password of at least 10 characters is a pretty safe bet.  Experts are recommending 16 characters.  It could be a phrase like “I Like Ice Cream!”, since those are a lot easier to remember.

Information for this post came from the Security Now podcast, episode 550.