Apple Proved Wrong by German Computer Club?

“Apple said during its unveiling of the technology (fingerprint recognition) last week that the system scans the sub-epidermal layers of the finger to take the reading.

It’s hard to square Apple’s statement with the German researcher’s demonstration, which showed that a mere photo of a latent print from the skin’s top layer was sufficient to trick the technology.”1

Kim Zetter wrote an interesting article for wired.com explaining how a German computer club was able to defeat the new fingerprint recognition technology built into the iPhone 5S.

The members, known as the “Chaos Computer Club” were able to obtain a fingerprint, copy it, and create a rubber print capable of unlocking the iPhone that was secured by that particular print.

The strategy they used was not new; it had also been used in 2002 by researchers in Japan.  The real point of the article does not surface until the very end, when we are reminded that Apple claimed the system scans the “sub-epidermal” layers of the finger.  Well, according to our German friends, they were able to do it with just the top layer of skin.

Apple should still continue to develop the “sub-epidermal” technology, as it could be a secure way to protect your personal effects… as long as a fake copy of your “identity” is impossible to create.  Nothing seems impossible these days, or at least at some point in the future, so we’ll have to wait and see what happens.

You can find the complete article here:

http://www.wired.com/threatlevel/2013/09/iphone-fingerprint-cracked/

Making Money as a Zero-day Vendor

“Last year, Vupen researchers successfully cracked Google’s Chrome browser, but declined to show developers how they did so even for an impressive cash bounty.  “We wouldn’t share this with Google for even $1 million,” Vupen CEO Chaouki Bekrar told at that time.” 1

Our US government, the National Security Agency in particular, has been paying the same vendor (Vupen) on a 12-month subscription for “Zero-day” exploits they uncover.

Considering that Vupen will take money from the US government for what they find, I wonder why they would hold out on making more money by not cooperating with Google.  What is the point in taking the time to find an exploit in Google’s browser only to keep it for yourself?

Further research on the topic led me to an article from March 2012 in Forbes magazine.  As it turns out, it is just a business decision on the part of Mr. Bekrar.  The second half of the $1 Million quote reads like this:  “We don’t want to give them (Google) any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”2

Vupen was named the 2011 Entrepreneurial Company of the Year in vulnerability research.  The prices they are demanding, and getting, for their work are very impressive and somewhat mind-boggling.  Vupen won’t sell its exploits exclusively, though, and often entices bidding wars amongst its clients to push the final payday as high as possible.

On a positive note, Vupen claims that they do carefully screen their clients, and are only interested in selling to NATO governments and their partners.  “Bekrar claims that it carefully screens its clients, selling only to NATO governments and “NATO partners.” He says Vupen has further “internal processes” to filter out nondemocratic nations and requires buyers to sign contracts that they won’t reveal or resell their exploits. But even so, he admits that the company’s digital attack methods could still fall into the wrong hands. “We do the best we can to ensure it won’t go outside that agency,” Bekrar says. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.” 2

Do you think Bekrar is doing good for the world, or just for himself and his customers?

References:

  1. http://thehackernews.com/2013/09/nsa-bought-hacking-tools-from-vupen.html
  2. http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/

Emergency Fix for Internet Explorer “Zero-day” Exploit

On Tuesday 9/17/2013, Microsoft released an emergency software fix to combat the recently revealed “zero-day” vulnerability.

From Wikipedia:

“A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on “day zero” of awareness of the vulnerability.  This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (the software and/or strategies that use a security hole to carry out a successful attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.”

What this means for you:

“Security experts said Internet Explorer users should either immediately install the Microsoft fix or stop using the browser until Microsoft can put out an update, which will be automatically installed through its Windows Update program.” 1

Resources:

  1. http://www.nbcnews.com/technology/microsoft-rushes-out-fix-prevent-internet-explorer-attacks-4B11188131

What about these Toad Portals?

You read it correctly – I want to discuss portals that toads use to go from their dimension to ours.  Hold on, give me a minute to explain; I am not off my rocker.

FACT 1: We were having a lively time at the campfire roasting marshmallows by the lake, telling spirited stories and enjoying the warmth of the fire.  Around midnight, out of what appeared to be nowhere, a toad was seen urgently hopping directly for the red hot coals at the base of the fire.  The youngest of our small group rushed into action and, disregarding her own safety, reached within three inches of the fire and tried to redirect the toad away from certain doom.  To our dismay, the little guy turned around and headed back for the scorching bed of the fire (I’m not making this up).  Not to be thwarted, our heroine took a more aggressive approach this time and made sure the ill-fated amphibian landed at the base of the rock wall we were perched on and had no chance of getting back to the fire.  It would be out by the time Mr. Toad found his way back later that night.

FACT 2: What we witnessed sent all 4 of us into a frenzied discussion on what we had just seen and why.  One suggestion was that the toad had come through some sort of transportation portal, which would explain why it appeared to come out of nowhere.  Since it made a second attempt to get to the fire after the first attempted redirection, it was also conjectured that the portal back to his dimension was through the fire.  We had noticed that the fire actually had unusual blue and green hues just about the time our visitor arrived, giving more credibility to the notion of a “Toad Portal” through our campfire.

FICTION:

So now we have a theory that this toad came to visit our dimension through a “Toad Portal” and didn’t make it back because we thought we were saving the poor guy from an extremely warm death.  Little did we know we had stranded him in our space until he can find another fire with a portal he can use to get back to his world.

Always looking for new and innovative discussions to keep the blog page interesting and lively, it didn’t take me long to realize that if there really were such a thing as a “Toad Portal”, the Toads should have some kind of security on their portal to prevent unwanted visitors from traveling back to their domain.

Always trying to match the correct authentication method to the resource and users, I thought I would open a discussion on what would be the best way for the Toads to secure their campfire based portal from intruders.

Here are my thoughts:

Password protected: not likely for a Toad – I don’t think they can speak and we didn’t see a keyboard or any input device for them to use.

Two Factor Authentication: the “something they know” part of 2FA would present the same trouble that the password gives them.

SSO: Single Sign On implies they have a way to authenticate the one time and then are able to bounce back and forth between the two worlds with little care (unless an overprotective teenager disrupts your travel pattern).  So far, I have not come up with a way for the Toads to verify their identity.

External Token: Even if they had the technology, where would they carry it?

Biometrics: now this one has merit.  If the Toads have the technology to build and use a portal, they are probably able to protect access to it with some kind of body-part scanner for an eyeball, tongue or even claws.  Using the claws and tongues would definitely help keep us humans out, but then there is always that threat – even in our human world – of obtaining the Toad body parts by any means possible and using them to gain entry into the other dimension.

This is only one man’s imaginative opinion and I would love to read your thoughts on the subject.

Entrusting Human Policy Instead of Fixing Software

While perusing security articles on the internet, I came across this story that made me say, “Huh?”  According to Roy Lundgren (the United States Army’s Deputy of Cybersecurity), there exists a “major computer security flaw” that allows users to gain access to resources they are not supposed to see.

The article claims the following:

“The hack allows users with access to shared Army computers to assume the identities of other personnel, gaining their securities clearances in the process, and having their activity logged as that user.

In order to log into a shared Army computer you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier’s permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out. But the hack overrides that system during the shut down period.

“There are instances where the log-off process does not immediately complete upon removal of the CAC. This occurs when the system is running logoff scripts and shutting down applications,” Lundgren told BuzzFeed. “The period of time that a system can be accessed following CAC removal before system logoff completes is normally not sufficient to gain unauthorized access.””

This is the part that made me scratch my head:

“The Army contends that instead of improving the security flaw itself, individual soldiers should make sure they are properly logged off. “The government and industry must manage numerous risks each day,” says Lundgren. “Often software and/or hardware solutions are not available, supportable, or necessary. In the case of many risks, they are managed via other mitigations such as modifying policy, procedures, or training.”

In response to the problem they are planning an “Information Assurance/Cybersecurity Awareness week” in October as a follow-up measure to their new handbook, released last February, which stresses the importance of individual responsibilities to protect information. According to Lundgren, the handbook “augments current policy, training, and inspection processes and aims to raise awareness and change culture.””

Sure, I don’t know the extent of the hack and what might be required to eliminate it, but having seen my fair share of bugs/weaknesses in software, my experience tells me that this type of flaw can and should be fixed.  One cited reason could be the cost of the repair… but what is the cost of the “Cybersecurity Awareness week”?  All the documentation that must be created… the organization of potential meetings to get the word out… taking time from many individuals to attend the meetings, and then the added stress of not making a “human” error when a person does log out.
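As an added illustration (my own script, not from the article or the Army), here is how an administrator can check what a shared Windows workstation is configured to do when the smart card is pulled.  It assumes the standard Winlogon ScRemoveOption setting and the Smart Card Removal Policy service (SCPolicySvc); the point is that “lock workstation” takes effect at once, whereas “force logoff” leaves the desktop reachable until the logoff scripts finish, which is the window the quote describes.

```powershell
# Added example: audit the smart-card removal behaviour on a shared workstation.
# Assumptions: ScRemoveOption is a REG_SZ under the Winlogon key with the usual
# meanings (0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect
# remote session), and SCPolicySvc must be running for any of them to be enforced.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$option = (Get-ItemProperty -Path $key -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
$svc    = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

$meaning = switch ("$option") {
    '1'     { 'Lock workstation: screen locks immediately, no logoff-script window' }
    '2'     { 'Force logoff: session stays usable until logoff scripts finish' }
    '3'     { 'Disconnect remote session' }
    default { 'No action: the session stays open after card removal' }
}
Write-Output "ScRemoveOption = '$option' -> $meaning"

if ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Output 'WARNING: SCPolicySvc is not running; the removal policy is not enforced.'
}

# Hardening for shared machines (needs admin rights): lock on removal, so the
# desktop is never reachable while logoff scripts run, and keep the service on.
# Set-ItemProperty -Path $key -Name ScRemoveOption -Value '1' -Type String
# Set-Service -Name SCPolicySvc -StartupType Automatic; Start-Service SCPolicySvc
```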

This is just one blogger’s opinion, but if there is the potential for a security breach and the company/organization knows about it, shouldn’t it be fixed?  One of the greatest attributes of software is that it is run on a computer and computers do not make “human” mistakes.  I plan to do more research on this, but would be very interested to know… What is your take on this topic?

Password Choice Hitting Close to Home

In a previous post, this blogger shared a family story of our daughter having her Facebook account compromised by another local student.  Well, the family has experienced this phenomenon again and I will share it with you today.

I would hope by now that we have all heard about Netflix and how popular it has become.  Even my own Mother is fond of Netflix and shares her account with the family so we can all watch movies instantly, especially the Grandchildren.  For those of you not familiar with Netflix’s watch instantly program, let me explain… users are able to log in to the Netflix website with their credentials (all the grandkids use Gramma’s credentials) and choose from a large variety of older movies that aren’t in today’s mainstream of movie interest.  Choose a movie and instantly start watching it on your computer.

Yesterday I received a phone call on my cell phone while at work.  Gramma usually doesn’t bother me during work hours, so I expected it to be important.  She had been reviewing the “watched instantly” movies and saw quite a bit of increased activity.  Not only had the activity bumped up a notch, but the titles of the features were not movies that she would approve of her Grandkids watching.  You can imagine the concern coming from the other end of the conversation.

Now, Grandmother is not hip to all of the security protocols these days for choosing a password, etc. and in fact had set her password to be the name of a family member!  I was able to easily convince her that her Grandkids were not watching these “age-inappropriate” movies and it appears that someone had figured out her password.  I explained how bad seeds in the world have been devising ways to obtain/guess other users’ passwords and take liberties with other people’s accounts.  My recommendation was to change her password and this time make it difficult for a non-family member to guess.  Of course her response was, “Yah, but then I won’t be able to remember it”.  Keep in mind that I am still on the clock at this point and didn’t have the luxury of trying to take the time to convince her otherwise.

Well, the password has been changed (she actually figured out how to do it without my help.  Go Gramma!).  It is not nearly as secure as I would have hoped, but definitely more obscure than the first one.

Putting this story down on paper just made me realize that I have to make a mental note to ask my Mother if she does any banking or more important stuff online, and then show her how to create a password that is difficult to guess but easy for her to remember.

That’s it for this post.  I hope you were educated a little more and if not, at least entertained.  I know that phone call entertained me.

The ‘Cryptopocalypse’

To follow up on a topic broached last week, this week an article by Patrick Lambert on TechRepublic.com investigates whether cryptography could soon be made obsolete by our own advancing computing power.  Cryptography is used to secure data in the virtual world, be it stored locally or on the internet, by taking advantage of some simple yet unintuitive properties of mathematics and wrapping said data within them.  For a detailed look, you may also refer to our post earlier this month, which describes various aspects of the topic.  The surface-level summary, however, is this: it is cryptography that allows us to protect our sensitive files, our personal data and our messages to others from prying eyes on the Internet, and without it, any data, anywhere on the net, is fair game to anyone.

That is why the moment when our computing power advances enough to easily crack the standard cryptographic practices in use today is being called the ‘cryptopocalypse’.  If it happens, all computer security would be rendered meaningless in an instant, and the reasons this would be such a terrible and chaotic event need not be expounded upon.  Is there really a chance of this happening?  The topic has long been debated by experts.

The basic threat to a cryptographic algorithm is the ability to reverse it: someone with malicious intent could analyze the encrypted data and strip the encryption by running the mathematics used to create it backwards.  The whole cryptographic system is built on the idea that this is nearly impossible to do, and that it would take more guesses than any person has time for in a lifetime.  So why have a person make guess after guess for years on end, when a modern computer can do the same in a fraction of the time?  Computers are getting fast enough to ‘brute force’ the problem, that is, to make tremendous numbers of guesses per second as to what the sensitive data is.  The latest version of the ‘Hashcat’ password cracker, for example, now supports attacking passwords of up to 55 characters, is capable of making about eight billion guesses per second as to what that password is, and has previously been known to do well in cracking passwords of 15 characters.  What will the next update be capable of?
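Gramma’s family-name password from the earlier post and the eight billion guesses per second quoted here come together in this added example (my own code, not from the articles cited).  It models how many guesses an engine needs for a family name plus a year, for a run of dictionary words, and for truly random characters, and turns each into time at the quoted rate; the name list, the dictionary size and the 8e9 guesses/s constant are constructed assumptions, and the “name + digits” model is a deliberately simple stand-in for the rule-based guessing a real cracker does.

```python
import math
import string

GUESSES_PER_SECOND = 8e9  # rate quoted for Hashcat in the post (assumed constant here)

# Constructed sample data: a tiny "family name" list standing in for the kind of
# list a guessing engine tries first, and a generic dictionary size for passphrases.
FAMILY_NAMES = ["emily", "jacob", "olivia", "gramma", "max"]
DICTIONARY_SIZE = 10_000


def charset_size(password):
    """Alphabet a brute-forcer must cover: sum of the character classes present."""
    size = 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += len(string.punctuation) if any(c in string.punctuation for c in password) else 0
    return size


def keyspace_random(length, alphabet_size):
    """Guesses needed to exhaust truly random passwords of this length."""
    return alphabet_size ** length


def keyspace_passphrase(words, dictionary_size=DICTIONARY_SIZE):
    """Guesses needed for `words` dictionary words run together."""
    return dictionary_size ** words


def keyspace_name_pattern(password, names=FAMILY_NAMES):
    """Guess space for 'name + optional digits' (a family member plus a year):
    names tried x two capitalisations x digit suffixes.  None if not that shape."""
    letters = password.rstrip(string.digits)
    digits = password[len(letters):]
    if not letters or letters.lower() not in names:
        return None
    return len(names) * 2 * 10 ** len(digits)


def estimate_seconds(password):
    """Seconds to exhaust the smallest model above that contains the password."""
    space = keyspace_name_pattern(password)
    if space is None:
        space = keyspace_random(len(password), charset_size(password))
    return space / GUESSES_PER_SECOND


def entropy_bits(keyspace):
    return math.log2(keyspace)


if __name__ == "__main__":
    examples = [
        ("family name + year, 'Emily1989'", keyspace_name_pattern("Emily1989")),
        ("three 5-letter dictionary words (15 chars)", keyspace_passphrase(3)),
        ("15 random printable characters", keyspace_random(15, 95)),
    ]
    for label, space in examples:
        print(f"{label}: {entropy_bits(space):.1f} bits, {space / GUESSES_PER_SECOND:.3g} s")
```

Run it and the three 15-character cases land minutes apart from the name-plus-year case but trillions of years apart from each other, which is the gap between “15 characters” and “15 random characters”.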

Read more

Password breaker successfully tackles 55 character sequences

Are we heading for a ‘cryptopocalypse’?