Archive

Posts Tagged ‘Security’

Hacker schedule 2014

Jan 6th, 2014 No comments

7. – 9. March 2014 eth-0
17. – 21. March 2014 Troopers
18. – 21. April 2014 Easterhegg
29. – 30 May 2014 HITBSecConf
13. – 15. June 2014 Chaos Singularity in Bienne
19. – 22. June 2014 Gulasch Programmier Nacht
July 2014 SIGINT
August 2014 ICMP7
September 2014 Datenspuren
24. – 26. October 2014 Hackover
27. – 30. December 2014 31C3

“ZEIT Online” Interview with Starbug

Sep 26th, 2013 No comments

Starbug-TouchID“The matter for Apple was comfort, not Security”

For Jan Krissler (aka Starbug) it wasn’t a struggle to bypass the fingerprint scanner of the iPhone 5s. In an interview he explains why passwords mostly are more secure than biometry.

ZEIT ONLINE: You did hack the fingerprint scanner of the iPhone 5s, why?

Jan Krissler: Since 10 years I deal with security of biometric systems, especially how to override them. From time to time, when a new product emerges, I look at it and check if the old techniques of bypassing still work, or if there are new challenges. With the TouchID sensor I assumed challenges but unfortunately was disappointed.

ZEIT ONLINE: Are fingerprints qualified at all to secure a telephone, a door or other things?

Jan Krissler: As with all biometric systems one must ask, what data or things you want to protect with it. If their value exceeds the effort to crack a system, the choice of an easily bypassable biometric system might not be the best choice.

ZEIT ONLINE: Which means that biometry is easier to overcome than a password for example?

Krissler: That depends on the password and how the user deals with it and, of course, also the biometric system. At least I assume my passwords to be more secure than my fingerprint. The problem is that one leaves fingerprints everywhere, that faces can be photographed unnoticed. My password is in my head and if I’m careful typing, I will remain the only one who knows it.

ZEIT ONLINE: Which biometric data would be appropriate to establish access control?

Krissler: There are certain characteristics that are better and characteristics which are less suitable. The better ones include those which you do not leave anywhere, or the ones that cannot be taken off easily and unnoticed. Which means, characteristics that you can actually only be read with an appropriate sensor. The vein pattern is a good example. I had assumed that Apple would apply something of the kind. After all at the launch of the iPhone it was announced that the scanner will have a sub-epidermal finger recognition, i.e. one that not only relies on finger ridges on the surface. Frankly spoken, I was shocked by how easy it was to bypass it.

But also in other processes such as vein patterns it must be clear: if someone gets access to such a characteristic, he will find a way to replicate it and thereafter to overcome the system.

ZEIT ONLINE: So why is biometry presently so highly touted as a security mechanism?

Krissler: As there is a big industry behind it and because biometry also is capable of identifying people.

ZEIT ONLINE: But isn’t it that biometry works fine to clearly identify someone, but not as good to have something secured?

Krissler: One can customize systems quite well, as long as they only need to distinguish people from each other. In this case the error rate is quite low. But once you have the whole of humanity, or in this case all iPhone users as a target group, things get quite impossible. Simply because its characteristics vary greatly. Biometry just also has its weaknesses. Unlike passwords that are either right or wrong, there is always a certain probability of match. Therefore the TouchID scanner isn’t really a security method, but a comfortable method. Had Apple made the mechanism more secure, too many people would have struggled turning on their iPhone and too many people would have been rejected too often.

Many don’t use any passcode on their smartphone at all, whereas using a fingerprint is still better than nothing – as Apple said at the launch. But it’s obviously about convenience and ease of use, not about security. Therefore I would not even want to rate TouchID associated with security practices.

ZEIT ONLINE: The iPhone has a fairly high status, many find it great. Is it a problem if such a popular device relies on biometry, and thus spread a, shall we say, problematic security method to be used?

Krissler: This has already begun with the fingerprints in the German identification card and the passport. Thus, methods that were actually intended to identify criminals, carried out to the general public. This of course is problematic. On one hand, because data is gathered that would not have to be captured and could be abused for other things. On the other hand because this way everyone is getting used to biometry and then use it for all sorts of applications. The best example for this is Hamburg, where at one school all students had to submit their fingerprints to get their lunch.

The interview was conducted in written via Jabber.

Original Interview (in German) by Kai Biermann (with kind permission for publication of my english translation).

Links:
ZEIT Online Article
Chaos Computer Club
Raumfahrtagentur
Neusprech

[Update 1st of October 2013]
Dustin Kirkland, a GNU/Linux Ubuntu Developer writes:

But biometrics cannot, and absolutely must not, be used to authenticate an identity. For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated. I will continue to advocate this within the Ubuntu development community, as I have since 2009.

read Fingerprints are Usernames, not Passwords

moar Cryptoparties!1!!

Jul 2nd, 2013 No comments

cp-logo-200x67
Worried about surveillance and control? Still living in 1984? Get your copy of the Cryptoparty handbook and organise your Cryptoparty today!

EUGEN5 LSZH (cops at Zurich airport)

Jun 5th, 2012 No comments

On Planefinder one can see police and fire brigade objects like EUGEN11, EUGEN5, URSULA4 and GALA18 taxying along the run- and taxiways in LSZH at night.

Tower, EUGEN5 speaking, good morning. Can we access runway 28?

This is quite handy, as any attacker with a Smartphone can see, where the cops are located, which would ease access to the airport facility and the aircrafts … 😎
*sigh* – What a misconception!

… they can even be tracked with the live and fully movable webcams of the airport. – And they actually should be audible on frequency as well!?

[Update]
Ambu = Ambulance
Apron = Apron Control
Argus = Sight seeings
Diana = Gamekeeper
Eugen = Electro
Fabian = Workshop
Florian = Fire Brigade
Flupo = Airport Authority
Gala = Maintainance
Guido = Skyguide
Gusti = Airport Authority
Kondor = Snow Truck
Meteo = Weather
Orion = Ramp Safety
Parking = Parking
Riva = Airport Police
Simon = Safety Office
Turm = Approach / Runways
Ursula = Construction supervisor
Viktor = Cleaning
Zebra = Apron Service (Marshaller)

Privacy issues in Preview.app (OS X)

Sep 6th, 2011 No comments

Christian Kienle just found a disturbing privacy issue affecting Preview.app. If you wanna see a demonstration simply watch his video. He’s making this issue public so that every user can find out about it and is able to prevent bad things from happening with their (private) data.

Categories: Free Software, Technology Tags: ,

Security through obviousness

Apr 29th, 2011 No comments

Encryption bug in Apple Mail (… or feature?)

Nov 15th, 2010 1 comment

Hi Steve

When using s/mime encryption, which is nicely integrated in the users keychain, with IMAP configured accounts in mail.app, the app does not encrypt the mail and stores it (e.g. as draft) unencrypted on the server before it has been sent.

An attacker can either read the unencrypted mail, if he has access to the server (sysadmin), or in case the IMAP connection is unencrypted, read the unencrypted message on the nodes/routers.

Please fix this.

Take care & best, lx