iPhone fingerprint hacker on the limits of biometrics for security

Jan "Starbug" Krissler, the Chaos Computer Club researcher who broke the fingerprint reader security on the new iPhone, has given a long interview to Zeit Online explaining his process and his thoughts on biometrics in general. The CCC's Alex Antener was good enough to translate the interview for us; I've included some of the most interesting bits after the jump.

New Cyanogenmod release for Android devices includes secure locate-my-device and remote wipe

The Cyanogenmod project -- a free, open version of Android with lots of great features that Google can't or won't add to the official version -- has a new release out, 10.1.3. The new release includes CM Account, a way of finding lost phones and wiping them that -- unlike similar functions in Android and iOS -- does not allow the company itself to keep track of your device or erase it.

More details, new video showing iPhone fingerprint reader pwned by Chaos Computer Club

Starbug, the Chaos Computer Club hacker who broke the fingerprint biometric security on the iPhone, has given an interview [German] to CT Magazine detailing the hack, and released a new video showing how he did it.

Chaos Computer Club claims it can unlock iPhones with fake fingers/cloned fingerprints

The Chaos Computer Club's biometric hacking team has announced a successful attack on Apple's iPhone biometric fingerprint lock, using a variation on the traditional fingerprint-cloning technique. CCC's Starbug summarizes: "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

Celebrate Software Freedom Day by hacking on STEED, a way to make email crypto easier

Georg sez, "End to end cryptography is one of the few truly effective ways in which privacy and security can be protected. GnuPG is the central tool for this, recommended and used by security icons such as Bruce Schneier. While the software itself is easier to use than most people realize, key exchange is cumbersome. The authors of GnuPG have developed a concept that will solve this issue: STEED. So this is a call to action for tomorrow's Software Freedom Day. Help spread the word so one of the biggest obstacles to pervasive end to end cryptography will be solved for good. Let the STEED run!"

Why fingerprints make lousy authentication tokens

An "expert" quoted in the Independent predicts that thieves will amputate their victims' fingertips in order to bypass the biometric locks on the new iPhones. I'm not particularly worried about this vulnerability (if you're willing to cut off someone's fingertip to unlock his phone, you're probably also willing to torture him into giving up his PIN), though I remember reading stories of carjackers who amputated their victims' fingertips in order to make off with their biometrically protected cars.

More interesting is the prediction that phone thieves will lift their victims' fingerprints and use them to bypass the readers. As German Interior Minister Wolfgang Schäuble discovered, you leak your fingerprints all the time, and once your fingerprint has been compromised, you can't change it. (Schäuble was pushing for biometric identity cards; playful Chaos Computer Club hackers lifted his fingerprints off a water-glass after a debate and published 10,000 copies of them on acetate as a magazine insert.)

This is the paradox of biometric authentication. The biometric characteristics of your retinas, fingerprints, hand geometry, gait, and DNA are actually pretty easy to come by without your knowledge or consent. Unless you never venture into public without a clean-room bunny-suit, mirrorshades, and sharp gravel in your shoes, you're not going to be able to stop dedicated strangers from capturing these measurements. And as with Schäuble's fingerprints, you can't revoke your DNA and replace it with new DNA once a ripoff artist has used it to clean out your bank account or break into your workplace.

This is the crypto standard that the NSA sabotaged

The New York Times has published further details of last week's leaked documents detailing the NSA's program of sabotage of crypto products and standards. The new report confirms that the standard that the NSA sabotaged was the widely-suspected NIST Dual EC DRBG standard. The Times reports that the NSA then pushed its backdoored standard through the International Organization for Standardization and the Canadian Communications Security Establishment.

NIST has re-opened the comments on its standard with the hope of rooting out the NSA sabotage of the random number generator and restoring trust in its work products.

What NSA sabotage does to security

Princeton computer science professor Ed Felten has an excellent explanation of what it means to security to have the NSA actively sabotaging cryptographic standards and tools. As he points out, the least secure situation is to believe that you are secure when you are not -- a car without brakes can be driven slowly and cautiously, if you know the brakes are shot. But if you don't know the brakes are out, you're likely to discover the fact the hard way.

Keylogger service provides peek inside Nigerian 419 scammers' tactics

Security researcher Brian Krebs has had a look at the contents of "BestRecovery" (now called "PrivateRecovery"), a service used by Nigerian 419 scammers to store the keystrokes of victims who have been infected with keyloggers. It appears that many of the scammers -- known locally as "Yahoo Boys" -- also plant keyloggers on each other, and Krebs has been able to get a look at the internal workings of these con artists. He's assembled a slideshow of the scammers' Facebook profiles and other information.

Firsthand account of NSA sabotage of Internet security standards

On the Cryptography mailing list, John Gilmore (co-founder of pioneering ISP The Little Garden and the Electronic Frontier Foundation; early Sun employee; cypherpunk; significant contributor to GNU/Linux and its crypto suite; and all-round Internet superhero) describes his interactions with the NSA and several obvious NSA stooges on the IPSEC standardization working groups at the Internet Engineering Task Force. It's an anatomy of how the NSA worked to undermine and sabotage important security standards. For example, "NSA employees explicitly lied to standards committees, such as that for cellphone encryption, telling them that if they merely debated an actually-secure protocol, they would be violating the export control laws unless they excluded all foreigners from the room (in an international standards committee!)."

90 percent of Tor keys can be broken by NSA: what does it mean?

Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on an old version of the software, 2.3, which uses 1024-bit RSA/DH keys -- and at key lengths of 1024 bits, RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM).

This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic.

However, the new version of Tor, 2.4, uses elliptic-curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach.

Graham faults the Tor Project for the poor uptake of its new version, though as an Ars Technica commenter points out, popular GNU/Linux distributions like Debian and its derivative Ubuntu are also to blame, since they only distribute the older, weaker version. In either event, this is a wake-up call that will likely spur both the Tor Project and the major distros to push the update.

Yesterday's revelations about the NSA's ability to decrypt 'secure' communications were taken by many to mean that the NSA had made fundamental mathematical or computing breakthroughs that allowed it to decrypt securely enciphered messages. But it's pretty clear that's not what's going on.

TSA continues to improve experience of rich people

More evidence that American travel is headed for a two-tier security theater that is reasonable and light for rich people and business travellers, and increasingly awful and invasive for everyone else: as Pre-Check expands, people who fly often enough to make it worth spending $85 will be able to keep shoes, jackets and belts on and avoid pornoscanners (including the new more radioactive versions). Us dirty foreigners, as well as people who save carefully for one trip every couple of years to see their families, will get the ever-expanding Grand Guignol treatment, especially since everyone with any clout or pull will be over there in Pre-Check land, getting smiles and high-fives from the TSA.

25 years of hacker radio online

2600's Emmanuel Goldstein writes, "25 years of hacker radio is now online at full broadcast quality as part of the 2600 website redesign. 'Off The Hook' has aired on WBAI-FM in New York since October 1988 with hacker tales, interviews, and news. The online archives had been stored in mono at 16kbps since their inception. The new 2600 website has far more space, allowing an upgrade to 128kbps and stereo, making this large piece of history a whole lot more listenable."

Anti-robocall robot shows how compromising phone metadata is

Alan sez, "Nomorobo recently won the FTC's contest for best anti-robocall invention. It uses a feature of the phone system that's already mostly in place which lets the Nomorobo device get the call at the same time as you do, checks the calling number against certain spam signatures (e.g. calling blocks of numbers sequentially) and auto-disconnects the robocaller before your phone even can ring. Anyone who claims you can't do interesting things purely with phone call metadata has not thought about the problem long enough."

Stick-figure AES: crypto explanations for the rest of us

Jeff Moser's "A Stick Figure Guide to the Advanced Encryption Standard (AES)" beautifully presents the history, context, and workings of one of the most important pieces of math in the modern world. AES is at the core of virtually every privacy technology you use, and it holds the promise of building an NSA-proof, unsnoopable Internet.

NSA probably hasn't broken strong crypto

You may have heard speculation that the NSA has secretly broken the strong cryptographic systems used to keep data secret -- after all, why collect all that scrambled data if they can't unscramble it? But Bruce Schneier argues (convincingly) that this is so impossible as to be fanciful. So why have they done this? My guess is that they're counting on flaws being revealed in the cryptographic implementations in the field (or maybe they've discovered such flaws and are keeping them secret). Or they're hoping for a big breakthrough in the future (quantum computing, anyone?).


Password-cracking software runs at 8 million guesses per second

oclHashcat-plus is a "password-recovery" tool that chews through 8 million guesses a second. It optimizes its guesses by trying phrases from "the Bible, common literature, and in online discussions," and by formulating characters into websites' required "password-construction protocols."

One security researcher cracked the passphrase “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1,” a phrase from an H.P. Lovecraft horror story. It was less impossible than it was super easy, crackable in minutes, because it was in an easily available hacker word list.

No password is safe from new breed of cracking software
