Archive | IT security

Fingerprints are not passwords

Biometrics were never authentication tokens. They were identity tokens. Authentication tokens are secret and replaceable, and your fingerprints (your retina, your iris, and so on) are neither.

When you authenticate something even slightly sensitive with biometrics, you’re doing it wrong.

The right way to do it is to identify with biometrics, and then authenticate with a proper security token, which is secret.

Falkvinge: Once more, with passion: Fingerprints suck as passwords »
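As an added illustration of the identify-then-authenticate split argued above (this is our own toy code, not from the Falkvinge post; all names such as `Directory` and `demo` are assumptions): the fingerprint template only selects an account, while an HMAC challenge-response with a per-user secret does the authenticating, and only that secret can be rotated when copied.

```python
import hashlib
import hmac
import secrets

# Constructed toy model (all names are ours): the fingerprint template is an
# identity token that only selects an account; the per-user HMAC secret is the
# authentication token, the one element here that is secret and replaceable.

def template_id(fingerprint_template: bytes) -> str:
    """Stand-in for a biometric matcher: template -> lookup key."""
    return hashlib.sha256(fingerprint_template).hexdigest()

def token_response(secret_key: bytes, nonce: bytes) -> bytes:
    """Computed inside the user's token; the secret never leaves it."""
    return hmac.new(secret_key, nonce, hashlib.sha256).digest()

class Directory:
    def __init__(self) -> None:
        self.by_biometric: dict = {}   # identification layer: template -> user
        self.token_secret: dict = {}   # authentication layer: user -> secret

    def enroll(self, username: str, fingerprint_template: bytes) -> bytes:
        self.by_biometric[template_id(fingerprint_template)] = username
        return self.issue_token(username)

    def issue_token(self, username: str) -> bytes:
        # Replaceable: a fresh secret invalidates any copied old one.
        self.token_secret[username] = secrets.token_bytes(32)
        return self.token_secret[username]

    def identify(self, fingerprint_template: bytes):
        return self.by_biometric.get(template_id(fingerprint_template))

    def authenticate(self, fingerprint_template: bytes, nonce: bytes,
                     response: bytes) -> bool:
        username = self.identify(fingerprint_template)
        if username is None:
            return False
        expected = token_response(self.token_secret[username], nonce)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    """A copied fingerprint alone fails; a lost token is simply reissued."""
    d, fp = Directory(), b"constructed fingerprint template for alice"
    old_token, nonce = d.enroll("alice", fp), secrets.token_bytes(16)
    results = {"print_only": d.authenticate(fp, nonce, b"\x00" * 32),
               "print_and_token": d.authenticate(fp, nonce, token_response(old_token, nonce))}
    new_token = d.issue_token("alice")  # token lost: rotate it (try that with a finger)
    results["old_token_after_rotation"] = d.authenticate(fp, nonce, token_response(old_token, nonce))
    results["new_token_after_rotation"] = d.authenticate(fp, nonce, token_response(new_token, nonce))
    return results
```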


IoT: When toasters attack

While people have been discussing the possible threat of Artificial Intelligence (AI), a totally different and very real threat has emerged: IT attacks exploiting the Internet of Things (IoT).

Simply put, a multitude of connected devices can be used in unexpected, unwanted and destructive ways. IT security expert Bruce Schneier explains in reference to a recent attack…

Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things.

For example, this can mean DDoS attacks or setting up a botnet to distribute malware.

Many devices in use today are more or less unprotected. At Krebs on Security, Brian Krebs, himself the victim of such an attack, writes…

One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products. (…)

“The issue with these particular devices is that a user cannot feasibly change this password,” said Flashpoint’s Zach Wikholm. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”

This also raises the question of state-sponsored attacks. What if a country orders its electronics industry to include specific vulnerabilities, backdoors, malware etc. in its products?

For now, I guess awareness and an open discussion are the best protection. Also, there might be initiatives on a political level in the EU:

According to a report at Euractive.com, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,” wrote Catherine Stupp. “The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”

Links:
• We Need to Save the Internet from the Internet of Things »
• Who Makes the IoT Things Under Attack? »
• Europe to Push New Security Rules Amid IoT Mess »
• Commission plans cybersecurity rules for internet-connected machines »

/ HAX


Apple vs. FBI – here we go again…

When the FBI asked a court to force Apple to help crack the encrypted iPhone 5c of San Bernardino shooter Rizwan Farook in February, Bureau director James Comey assured the public that his agency’s intrusive demand was about one terrorist’s phone, not repeated access to iPhone owners’ secrets. But now eight months have passed, and the FBI has in its hands another locked iPhone that once belonged to another dead terrorist. Which means they may have laid the groundwork for another legal showdown with Apple.

Wired: The FBI wants to get into the locked iPhone of another dead terrorist »


France, Germany and crypto backdoors

In a world where terrorists deliberately encrypt their connections, how big is the chance that a terrorist would (continue to) use a service that is known to be insecure? Our guess: as soon as the European Commission introduces legislation forcing services such as Telegram to decrypt secure communications, terrorists will turn to alternative tools. (…)

The idea that the way to gain access to terrorists’ communications is by backdooring services such as Telegram, is preposterous. Let’s be clear, the French and German proposal will undermine the security of every single person, under the populist guise of improving security. Or, in the words of cryptographer Phil Zimmermann: When crypto is outlawed, only outlaws will have crypto.

EDRi: When crypto is outlawed, only outlaws will have crypto »


With leaked NSA tools, now everybody can hack like a spy

The findings highlight one of the potential risks that come with hoarding undisclosed vulnerabilities for intelligence-gathering and surveillance. By holding on to bugs instead of disclosing them so they can be patched, spy agencies like the NSA create a potentially dangerous free-for-all if their exploits are exposed.

Wired: Of Course Everyone’s Already Using the Leaked NSA Exploits »
