CAT | Physical Security
The Chaos Computer Club (CCC) in Germany recently announced its successful bypassing of the new iPhone 5S fingerprint scanner.
Despite many media claims that the new scanner worked on deep layers in the skin, and was not vulnerable to simple fingerprint duplication, that is exactly what succeeded.
The CCC used a high resolution photo of a fingerprint on glass to create a latex duplicate, which unlocked the phone. It strikes me as particularly problematic that the glass surface of an iPhone is the perfect place to find really clear fingerprints of the owner.
It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used.
SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.
The article also suggest that these watermarks can be used to aid reconstruction of shredded documents.
The FBI in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center have produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.
A big red flag for me were the fliers for cyber cafes and electronics stores. These suggest that the use of privacy protecting services, like Anonymizer, should be deemed suspicious. They also call out Encryption, VoIP, and communicating through video games.
In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.
Thanks to Public Intelligence for pulling together PDFs of the documents.
This makes a good case for why it concerns me that we seem to be willing to automate all kinds of things that can really impact us without including real security.
Last week I did an interview on a San Diego news program about issues with many cameras and smart phones in particular embedding very accurate location information in your pictures. If your camera (smart phone or whatever) has GPS, then the EXIF meta data in the picture will contain your location to within about 20 feet. This can be disabled, but is typically on by default.
While this can be useful when you are trying to sort and organize the pictures on your computer, the risk shows up when you start to share the pictures. By combining date and time information in the pictures I can tell if they are recent. If you are on vacation and posting on the road, an attacker can tell that you are away from home and your home probably unguarded. Pictures of your home and family can provide the exact location of your house as well.
The good news is that major sites for sharing pictures like Facebook and Flickr seem to strip out that information from the photos. It is unclear if that is intentional or just a byproduct of how they are processing and displaying the images. In any case, the data is certainly available to the sites themselves.
I strongly encourage everyone to download an EXIF editor to be able to strip this information from pictures before uploading, and to turn off location tracking in their cameras and mobile phone photo applications to prevent the capture of that information in the first place.
It looks like there is a process for dealing with inaccurate No-Fly List information after all. You just need to become a billionaire and develop some very high level political connections.
This is just too good. It is a great example of where giving others power over your security, which they then centralize in a single place, leads to compromise with nasty failure modes.
In this case, a disgruntled former employee uses a system to disable over 1000 vehicles.
In this article “I don’t bleepin’ believe it” ComputerWorld reports on a UK insurer raising rates on social network users. The reason points back to something I have been talking about for some time. People post travel information to their social network sites. They say when they will be away from home, and for how long. This is perfect fodder for thieves, who can typically also collect enough information about the posters to identify them and find where they live.
This is why I don’t blog, Twitter, or otherwise post about conferences I am going to, even though it would be great to use social networks to connect with folks at the conference or in the conference city.
Security guide to customs-proofing your laptop | The Iconoclast – politics, law, and technology – CNET News.comDeclan writes a witty and informative piece on securing a laptop against legals searches without cause at border crossings.
Tool Physically Hacks Windows – Desktop Security News Analysis – Dark ReadingI am not sure how this has been true for years, yet has received so little attention. This article discusses the fact that Firewire connections enable direct read and write to a computer’s RAM. In many ways, this is even better than the RAM persistence I blogged about a while back. It appears to be easy to write a script that would run on an iPod or other Firewire device which will allow you to grab passwords from memory, bypass login screens, and gain access to the local drive. The amazing thing about the memory access is that it actually bypasses the CPU entirely. Normal security software will not pick this up at all. PCMCIA and Firewire are designed to work this way. It is a “feature” not a “bug”. Never the less, it is a huge security issue. If your computer is under the physical control of another person, you are in trouble. Hard drive encryption is the solution, but only if the computer is OFF. If it is on, then the password can be grabbed from memory. There is really no solution to that problem.There are two actions one can take. First, you can physically disable your Firewire capability if you need to leave your computer running unattended. Second, you can make sure you never leave your computer running unattended in an insecure location, and that the hard drive is encrypted securely. This second suggestion is the same solution as for the RAM persistence attack.