Biometrics | Bach Seat

Tag Archive for Biometrics

RB | April 15, 2017

Comments Off

Open a New Galaxy Crack with a Pix

Followers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws another round of biometric hype is running across the intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope to revive their brand, they are on the verge of releasing the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

However, this awesome will lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 is seen being unlocked using just a photo (at the 1:09 mark). To their credit Samsung has acknowledged that the Face Unlock feature is more for convenience than for security, and it cannot be used for mobile payments. Weak facial recognition software is a convenience for the user, it could also be very convenient for others, too.

The troubles with Face Unlock date back to 2011 when SlashGear reported that Google admitted the security system can be fooled by a picture of you and not the real thing. CNet reports that a Carnegie Mellon University spin-off in Pittsburgh, PittPatt, developed that Face Unlock which was later acquired by Google (GOOG).

Just to make Face Unlock and similar facial recognition systems more dangerous, the Guardian reports during recent testimony before congress the FBI admitted that they store about half of all adult Americans’ photographs in a facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including driver’s licenses pictures from 18 states including Michigan (pdf) and passports.

The FBI first launched its advanced biometric database, Next Generation Identification, in 2010, augmenting the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.

“I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.” So anyone with a photo of you, or maybe even just access to your Facebook photos, could potentially access your phone.

rb-

There are two important reasons why biometrics don’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

People expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to conceal your eyes, face, or fingerprints from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft (MSFT) stepped up their biometrics game. CNet reports that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello also supports fingerprint and iris recognition to secure your PC. For facial recognition though, Microsoft has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects, which Microsoft then uses to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. Founded in 2013, FIDO was set up to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 10, 2017, Biometrics, Facial recognition, FBI, FIDO, Galaxy, GOOG, Google, INTC, Intel, Microsoft, MSFT, Passwords, RealSense, S8, Samsung, Security, Windows

RB | April 2, 2017

Comments Off

300 Billion Passwords

The death of the password has been predicted for years. Bill Gates predicted the death of the password at an RSA Security conference in 2004. In 2011, IBM (IBM) predicted that biometrics would replace passwords by 2016. In case you haven’t noticed in 2017 and passwords are still with us and they suck. “It’s now years after those statements were made, and passwords are still in heavy use,” Joseph Carson, head of global strategic alliances at Thycotic Software told CSO.

A new report (Reg. Req.) from cyber-security research firm Cybersecurity Ventures says that the number of passwords in use will grow from about 75 billion today to around 100 billion in 2020. AND the number of passwords used by machines, such as IoT devices, will grow even faster, from around 15 billion in 2015 to around 200 billion in 2020, the report said. That is 300 billion passwords by 2020.

And these numbers don’t include one-time passwords, SSL encryption keys, and other short-term credentials said Thycotic’s Carson. Thycotic Software sponsored the report.

Mr. Carson told CSO the estimates come from worldwide statistics about the total number of computers, operating systems, servers, routers, and other technologies and applications that come with passwords or need users to create passwords to use them. he added, “Then there are the social media accounts, which have been growing significantly.”

The average user has over 25 passwords, he said. There’s no decline in the number of passwords, in fact, the opposite is the case. “We find that the growth is accelerating at a massive pace,” CSO observed that the use — and reuse — of all these passwords is creating an ever-growing attack surface of both human and machine-to-machine passwords. A record number of credential breaches were disclosed in 2016, Mr. Carson added — 3 billion, with 43% of people having had at least one password or credential stolen.

A report released by the Pew Research Center said that for U.S. adults, the number was even higher. According to a 2016 survey, 64% said that they had personally noticed or been notified of a data breach that affected their accounts or personal data.

According to Mr. Carson, the financial damages of the breaches will continue to increase as well. Thycotic and Cybersecurity Ventures predicts potential damages from cyber-crime to reach $6 trillion by 2021.

rb-

Looks like passwords are here to stay. Followers of the Bach Seat know that passwords suck. I have covered a number of options to replace passwords. None of the biometric options have taken off as IBM had predicted.

Where biometric authentication is deployed, it’s been as an adjunct to passwords, not a replacement. Passwords are used to set up the initial trusted relationship, and as a fallback when the biometrics fail. Mr. Carson concludes, “The biometrics are used for ease of access to systems … Biometrics will never replace passwords.”

Related articles

JetBlue and Delta begin testing biometrics to identify passengers (The Los Angles Times)

Category: Uncategorized | Tags: 2017, Bill Gates, Biometrics, Cybersecurity Ventures, Data breach, IOT, Passwords, Security, Social media, SSL, Thycotic

RB | September 24, 2016

Comments Off

FIDO

Since 2013 there have been nearly 5 billion data records lost or stolen according to the Breach Level Index. The UN says there are 6.8 billion mobile phone accounts which mean globally 96% of humans have a cell phone. It would seem that these factoids could interact to cut the pace of lost or stolen data records. An effort is underway to use mobile devices to better secure data called FIDO.

FIDO (Fast ID Online) is an open standard for a secure and easy-to-use universal authentication interface. FIDO plans to address the lack of interoperability among strong authentication devices. TargetTech says FIDO is developed by the FIDO Alliance, a non-profit organization formed in 2012. FIDO members include Agnitio, Alibaba, ARM (ARMH), Blackberry (BBRY), Google (GOOG), Infineon Technologies, Lenovo (LNVGY), Master Card, Microsoft (MSFT), Netflix, Nok Nok Labs, PayPal, RSA, Samsung, Synaptics, Validity Sensors and Visa.

The FIDO specifications define a common interface for user authentication on the client. The article explains the goal of FIDO authentication is to promote data privacy and stronger authentication for online services without hard-to-adopt measures. FIDO’s standard supports multifactor authentication and strong features like biometrics. It stores supporting data in a smartphone to eliminate the need for multiple passwords.

The author writes that FIDO is much like an encrypted virtual container of strong authentication elements. The elements include: biometrics, USB security tokens, Near Field Communication (NFC), Trusted Platform Modules (TPM), embedded secure elements, smart cards, and Bluetooth. Data from authentication sources are used for the local key, while the requesting service gets a separate login to keep user data private.

FIDO is based on public-key cryptography that works through two different protocols for two different user experiences. According to TargetTech the Universal Authentication Framework (UAF) protocol allows the user to register an enabled device with a FIDO-ready server or website. Users authenticate on their devices with fingerprints or PINs, for example, and log in to the server using a secure public key.

The Universal Second Factor (U2F), originally developed by Google, is an effort to get the Web ecosystem (browsers, online service providers, operating systems) to authenticate users with a strong second factor, such as a USB touchscreen key or NFC on a mobile device.

FIDO’s local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server or in the cloud. By abstracting the protocol implementation, FIDO also reduces the work required for developers to create secure logins.

Samsung and PayPal have announced a FIDO authentication partnership. Beginning with the Samsung Galaxy S5 users can authorize transactions to their PayPal accounts using their fingerprints, which authenticates users by sending unique encrypted keys to their online PayPal wallets without storing biometric information on the company’s servers.

FIDO promises to clean up the strong authentication marketplace, making it easier for one-fob-fits-all products. The open standards shift some of the burdens for protecting personally identifiable information to software on devices or biometric features, and away from stored credentials and passwords. ComputerWeekly described FIDO’s potential this way:

The FIDO method is more secure than current methods because no password of identifying information is sent out; instead, it is processed by software on the end user’s device that calculates cryptographic strings to be sent to a login server.

In the past, multiple-factor authentication methods were based on either a hardware fob or a tokenless product. These products use custom software, proprietary programming interfaces, and much work to integrate the method into your existing on-premises and Web-based applications.

ComputerWeekly says FIDO will divorce second-factor methods from the actual applications that will depend on them. That means the same authentication device can be used in multiple ways for signing into a variety of providers, without one being aware of the others or the need for extensive programming for stronger authentication.

Integrating FIDO-compliant built-in technology with digital wallets and e-commerce can not only help protect consumers but reduce the risk, liability, and fraud for financial institutions and digital marketplaces.

The big leap that FIDO is taking is to use biometric data – voiceprint, fingerprint, facial recognition, etc. and digitize and protect that information with solid cryptographic techniques. But unlike the traditional second-factor authentication key fobs or even the tokenless phone call-back scenarios, this information remains on your smartphone or laptop and isn’t shared with any application provider. FIDO can even use a simple four-digit PIN code, and everything will stay on the originating device. With this approach, ComputerWeekly says FIDO avoids the potential for a Target-like point-of-sale exploit that could release millions of logins to the world, a big selling point for many IT shops and providers.

It can eliminate having to carry a separate dongle as just about everyone has a mobile phone these days this is a mobile world we live in, and we need mobile-compatible solutions; otherwise, you’re behind the curve right out of the gate.

Breaches showing patterns of both desirable, questionable characteristics (ZDNet)

Category: Uncategorized | Tags: 2016, Access control, Authentication, Biometrics, BIOS, FIDO, FIDO Alliance, GOOG, Google, Microsoft, MSFT, Passwords, PayPal, PII, Samsung, Security, TPM, Trusted Platform Module, Universal 2nd Factor

RB | September 17, 2016

Comments Off

Mind Readers Can Steal Your Biometric Info

By now, most people have come to the position that passwords suck. The momentum for alternate means of authentication is growing. Researchers are working on how to use biometric technology for mainstream login activities. As I have pointed out there is a number of emerging biometric techniques like; iris scans, facial recognition, or behavioral characteristics. All of these methods have flaws, which pose a problem for authentication non-repudiation.

passwords suck In a post at IEEE Spectrum, Megan Scudellari writes that fingerprints can be stolen, iris scans spoofed, and facial recognition software fooled. In the wake of these flaws, researchers have turned to brain waves as the next step in biometric identification. Biometric identification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. Unique identifiers include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures.

The researchers are racing to prove how accurately and accessibly they can verify a person’s identity using electroencephalograph (EEG) data. An EEG is a test that detects electrical activity in the brain using electrodes attached to the scalp. The IEEE article explains that as your eyes skim over these pixels you are reading and turn them into meaningful words, your brain cells are flickering with a pattern of electrical activity that is unique to you. These unique patterns can be used like a password or biometric identification. In fact, researchers have taken to calling them “passthoughts”.

Using brainwaves to authenticate people goes back a while. Back in 2012, I wrote about the Muse headband sensor which promised to “create a specific brainwave signature or a password they would never have to say out loud or type into a computer.” More recently, psychologists and engineers at Binghamton University in New York achieved 100 percent accuracy at identifying individuals using brain waves captured with a skullcap with 30 electrodes. Scientists at the University of California at Berkeley have adopted a set of earbud sensors that worked with 80 percent accuracy.

The problem is our brains don’t produce a single, clear signal that can be checked like a fingerprint. The article says our brains emit a messy, vibrant symphony of personal information, including one’s emotional state, learning ability, and personality traits. The author contends that as EEG technology becomes cheaper, portable, and more ubiquitous—not only for identity authentication, but in apps, games, and more— there’s a high likelihood that someone will tap into that concerto of information for malicious purposes. Abdul Serwadda, a cybersecurity researcher at Texas Tech University told Spectrum;

If you have these apps, you don’t know what the app is reading from your brain or what [the app’s creators are] going to use that information for, but you do know they’re going to have a lot of information

The Texas Tech team performed experiments to see if they could glean sensitive personal information from brain data captured by two popular EEG-based authentication systems. Surprise, surprise: they were able to capture sensitive personal information from brain data.

Mr. Serwadda presented his results at the IEEE International Conference on Biometrics. The Texas Tech researchers examined EEG-based authentication systems that claimed high levels of authentication accuracy. One system examined was the Berkley model, and the second was based on the Binghamton model. The article explains that these EEG-based authentication systems utilize specific features, or markers, of brain activity to identify a person, like isolating the melody of a specific orchestra instrument to identify a song.

The researchers wanted to see if those markers also contained sensitive personal information—in this case, a tendency for alcoholism. They ran old EEG scans which included alcoholics and non-alcoholics through the systems. Using the brain wave data, they were able to accurately identify 25% of the alcoholics in the sample. That’s 25% of people who just lost their privacy. Mr. Serwadda said;

We weren’t surprised, because we know the brain signal is so rich in information … But it is scary. [Wearable brain measurement] is an application that’s just about to go mainstream, and you can infer a lot of information about users.

The researcher said that malicious third parties could mine brain data to make inferences about learning disabilities, mental illnesses, and more. He told Spectrum, “Imagine if you made these things public, and insurance companies became aware of them … It would be terrible.”

IOActive senior consultant Alejandro Hernández told The Register that dangerous vulnerabilities exist in EEG kits. EEG’s security problems are depressingly familiar results of bad software design, Hernández said. EEG devices are vulnerable to man-in-the-middle attacks, as well as less-severe application vulnerabilities and ordinary crashes. Mr. Hernández says.

… some applications send the raw brain waves to another remote endpoint using the TCP/IP protocol, that by design doesn’t include security, and therefore this kind of traffic is prone to common network attacks such as man-in-the-middle where an attacker would be able to intercept and modify the EEG data sent.

The IOActive consultant found that components like the acquisition device, middleware, and endpoints lack authentication meaning an attacker can connect to a remote TCP port and steal raw EEG data. That same flaw lets attacks pull off the more dangerous reply attacks.

Unfortunately, the researchers do not have a solution for how to secure such information—though in the study, compromising a little on authentication accuracy did reduce the ability to detect who was an alcoholic. Mr. Serwadda hopes other research teams will now take privacy, and not just accuracy, into account when optimizing such systems. Professor Serwadda concludes, “We have to prepare for the movement of brain wave [assessment] into our daily lives.”

Rb-

Given the willingness of apps developers to sell share any info to any third party and the unwillingness of the public to take even basic steps to secure their info online, everyone’s deepest personal information can be hacked in the future.

Another problem with passthoughts UC Berkeley’s John Chuang identifies that stress, mood, alcohol, caffeine, medicine, and mental fatigue could change the electrical signals that are generated.

Despite advances in logging in with your mind, there might always be a need for an old-fashioned eight-plus character phrase with no spaces. “Passwords will never go away,” says Berkeley’s Chuang. He reasons that for a computer, a typed password may be the easiest way to verify identity, while a finger swipe may be best for a touch screen.

But we need to think beyond those to future devices—wearables, for instance—for which there will be neither a keyboard nor a touch screen. “For each device, we must figure out what are the most natural, intuitive ways to tell the device that we are who we are,” Professor Chuang says. Going directly to the brain seems like an obvious choice.

Cyberattack on biometric data poses security risks at border, documents warn (thestar.com)

Category: Uncategorized | Tags: 2016, Biometrics, Brain, EEG, Electroencephalograph, Identity Theft, IEEE, Passthoughts, Passwords, PII, Security, Wearable

RB | July 30, 2016

Comments Off

More IRS Tech Troubles

The U.S. gooberment agency in charge of ~~extorting~~ collecting taxes from citizens, but not businesses, has more IT troubles. In the past, the IRS has had problems with hackers attacking its online systems which exposed more than 720,000 taxpayer accounts. It has had data breaches that released 101,000 taxpayer SSNs, Its internal processes are so weak that the IRS could not find 1,300 PC’s to complete the upgrade from Windows XP.

The latest report says that the IRS off-boarding processes are so porous that former employees have “unauthorized entry.” Former employees have access to workplaces, IRS computers, taxpayer information, and could allow them to misrepresent themselves to taxpayers, according to an article at Nextgov.

The article cites a new watchdog report. In the report, there was a random sampling in 2014 that said the IRS couldn’t verify it had recovered all security items from more than 66 percent of roughly 4,100 “separated” employees. The employees had left due to retirement, resignation, death, etc.

If the IRS had just checked with me, this would not have been a surprise. In 2014 wrote about this issue. Lieberman Software released the results of a survey of IT security professionals. 13% of IT Pros at the RSA Conference 2014 admitted to being able to access previous employers’ systems using their old credentials. Perhaps even more alarming is that of those able to access previous employers’ systems nearly 23% can get into their previous two employers’ systems using old credentials.

rb-

This is just another example of why passwords suck. If the tax collectors used a two-factor authentication (2FA) process, chances are must greater that ex-employees would not be able to access taxpayer’s records. Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials.

An authentication factor is an independent category of credentials used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor), and something you are (the inheritance factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

One rising authentication measure is biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique and an individual can be identified by his or her intrinsic physical or behavioral traits. An individual’s biometric uniqueness can fulfill the inheritance factor of identify verification (“something you are”). Using biometrics in its various forms (I have written about different forms of biometrics on the Bach Seat; voice, brain waves, retina scan, behavioral biometrics, etc.) when combined with a strong password can form a 2FA.

There are drawbacks to using biometrics for authentication too.

Global Two-factor Biometrics Industry to Grow at a CAGR of 22.87% to 2020 (newsmaker.com.au)

Category: Uncategorized | Tags: 2016, 2FA, Biometrics, Hack, IRS, Passwords, Security, Two-factor authentication, US Government

« Older Entries Recent Entries »

Bach Seat

Tag Archive for Biometrics

Open a New Galaxy Crack with a Pix

300 Billion Passwords

FIDO

Related articles

Mind Readers Can Steal Your Biometric Info

Related articles

More IRS Tech Troubles

Related articles

Meta