iPhone 5S fingerprint scanner tricked by Chaos Computer Club

The Chaos Computer Club (CCC) in Germany recently announced its successful bypassing of the new iPhone 5S fingerprint scanner.

Despite many media claims that the new scanner worked on deep layers in the skin, and was not vulnerable to simple fingerprint duplication, that is exactly what succeeded. 

The CCC used a high resolution photo of a fingerprint on glass to create a latex duplicate, which unlocked the phone. It strikes me as particularly problematic that the glass surface of an iPhone is the perfect place to find really clear fingerprints of the owner.

Printers watermark your documents

It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used. SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.

The article also suggest that these watermarks can be used to aid reconstruction of shredded documents.

FBI: Anonymity implies terrorist

The FBI in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center have produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.

A big red flag for me were the fliers for cyber cafes and electronics stores. These suggest that the use of privacy protecting services, like Anonymizer, should be deemed suspicious. They also call out Encryption, VoIP, and communicating through video games.

In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.

Thanks to Public Intelligence for pulling together PDFs of the documents.

Internet Cafe flier.

Electronics Store flier.

Schneier on Security: Disabling Cars by Remote Control

Schneier on Security: Disabling Cars by Remote Control This is just too good. It is a great example of where giving others power over your security, which they then centralize in a single place, leads to compromise with nasty failure modes.

In this case, a disgruntled former employee uses a system to disable over 1000 vehicles.

UK insurer raises rates on social network users.

In this article "I don't bleepin' believe it" ComputerWorld reports on a UK insurer raising rates on social network users. The reason points back to something I have been talking about for some time. People post travel information to their social network sites. They say when they will be away from home, and for how long. This is perfect fodder for thieves, who can typically also collect enough information about the posters to identify them and find where they live. This is why I don't blog, Twitter, or otherwise post about conferences I am going to, even though it would be great to use social networks to connect with folks at the conference or in the conference city.

Firewire enables direct hack against any OS

Tool Physically Hacks Windows - Desktop Security News Analysis - Dark ReadingI am not sure how this has been true for years, yet has received so little attention. This article discusses the fact that Firewire connections enable direct read and write to a computer's RAM. In many ways, this is even better than the RAM persistence I blogged about a while back. It appears to be easy to write a script that would run on an iPod or other Firewire device which will allow you to grab passwords from memory, bypass login screens, and gain access to the local drive. The amazing thing about the memory access is that it actually bypasses the CPU entirely. Normal security software will not pick this up at all. PCMCIA and Firewire are designed to work this way. It is a "feature" not a "bug". Never the less, it is a huge security issue. If your computer is under the physical control of another person, you are in trouble. Hard drive encryption is the solution, but only if the computer is OFF. If it is on, then the password can be grabbed from memory. There is really no solution to that problem.There are two actions one can take. First, you can physically disable your Firewire capability if you need to leave your computer running unattended. Second, you can make sure you never leave your computer running unattended in an insecure location, and that the hard drive is encrypted securely. This second suggestion is the same solution as for the RAM persistence attack.

How to physically take a computer without interrupting the power.

One of my folks at Anonymizer pointed me towards this site WiebeTech HotPlug as a follow up to my blog post yesterday about recovering data from RAM after it has been removed from power. The HotPlug tool is sold to law enforcement to enable seizure of a computer without ever turning it off. The system has several methods that allow a running computer to be transitioned to a portable UPS system without causing the computer to shut down or react in any way. It can then be transported to a lab with the OS still running.As an additional clever trick, they have a USB dongle called the "Mouse Jiggler" which simulates a mouse making constant small motions, thus preventing a screen saver from ever activating. This allows the attacker to take all the time he needs without worrying about a password protected screen saver, or any other inactivity based security trigger, activating.All this enables the attacker to get the computer back to controlled laboratory conditions before trying to access the machine or pulling the power to capture the RAM image. Yet another argument for not walking away from a running computer with sensitive information. 

An example of the power of social engineering

Here is another article I picked up on the Qui Custodes blog of David Kaufman: Washington City Paper: Cover Story: Desk Job.This article describes a woman, without any special training, who was able to gain access to "secure" government buildings and steal money right from the desks and purses of the employees. Obviously this could have been documents and information if she had been involved with foreign intelligence. Her methods were simple. She was spotted frequently, but very few people were willing to confront her about her actions, choosing to avoid conflict. The moral here is: security is about everyone following up on everything that seems out of place or unusual. Better metal detectors, or bigger guns at the front door won't do it. Security comes from the alert minds of everyone on the inside of the building being willing to ask direct questions.