Tag Archive for PII

Worst Passwords – 2017

Today is “Safer Internet Day,” and it is needed. Despite the spate of well-publicized hacks, attacks, ransoms, and even extortion attempts, millions of people continue to use weak, easily guessable passwords to protect their online information. SplashData, a provider of password management applications, has released its annual Worst Passwords of the Year (NSFW) list. The seventh annual report was compiled from more than five million passwords leaked during 2017.

For the fourth consecutive year, “123456” and “password” held on to the #1 and #2 spots on the SplashData list. Variations of each, either with extra digits on the numerical string or with the “o” replaced by a “0” in “password,” make up six of the top 10 most-used passwords. Morgan Slain, CEO of SplashData, warns, “Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure.”

Star Wars is popular

Star Wars fans were so excited by the recent premiere of “Star Wars: The Last Jedi” that they moved “starwars” up to #16 on the most frequently used bad passwords list. SplashData’s Slain observed that it is not a good password.

Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use … Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.

Another problem with many of these bad passwords is that they are simply a straight run of characters across the keyboard, which makes them easy for attackers to guess. Pattern passwords in the bad list include:

  • Password12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • qwerty
  • qazwsx
  • 1qaz2wsx

SplashData’s 25 worst passwords of 2017:

1 – 123456
2 – password
3 – 12345678
4 – qwerty
5 – 12345
6 – 123456789
7 – letmein
8 – 1234567
9 – football
10 – iloveyou
11 – admin
12 – welcome
13 – monkey
14 – login
15 – abc123
16 – starwars
17 – 123123
18 – dragon
19 – passw0rd
20 – master
21 – hello
22 – freedom
23 – whatever
24 – qazwsx
25 – trustno1

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password, 123456.

SplashData offers these tips to be safer from hackers online:

1. Use passphrases of twelve characters or more with mixed types of characters including upper and lower cases.
2. Use a different password for each of your website logins. If a hacker gets your password, they will try it on other sites.
3. Protect your assets and personal identity by using a password manager to organize passwords, generate secure random passwords, and automatically log into websites.

rb-

Sighs – I covered this again and again ……

One older report I’ve seen says that attackers were able to crack open 254,776 of 499,556 (51%) hashed passwords within 24 hours and 439,610 (88%) within two weeks. The same report says that it can only take one day to crack an eight-character password, while it takes an average of 591 days to crack a 10-character password.

Another report on password hacks points out the value of each additional character in a password.

  • A 6-character password with only letters has 308,915,776 possible combinations.
  • An 8-character password with only letters has 208,827,064,576 possible combinations.
  • An 8-character password with letters (upper & lower case) and includes numbers and symbols has 6,095,689,385,410,816 possible combinations.
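As an added illustration (not SplashData’s code or anything from the original post), the following Go program turns the guidance above into a check: it rejects anything on the 2017 list or a trivially tweaked variant of it, rejects straight keyboard runs like the ones listed earlier, enforces the 12-character minimum, and computes the keyspace figures quoted above. The deny-list, the keyboard rows and the leet map are constructed from this page and are the only inputs.

```go
package main

import (
	"math/big"
	"strings"
	"unicode"
)

// SplashData's 25 worst passwords of 2017, exactly as listed above, as a deny-list.
var worst2017 = map[string]bool{
	"123456": true, "password": true, "12345678": true, "qwerty": true,
	"12345": true, "123456789": true, "letmein": true, "1234567": true,
	"football": true, "iloveyou": true, "admin": true, "welcome": true,
	"monkey": true, "login": true, "abc123": true, "starwars": true,
	"123123": true, "dragon": true, "passw0rd": true, "master": true,
	"hello": true, "freedom": true, "whatever": true, "qazwsx": true,
	"trustno1": true,
}

// Rows and columns of a US keyboard: a password made only of runs of three or
// more adjacent keys is a "walk" such as qwerty, qazwsx or 1qaz2wsx.
var keySequences = []string{
	"1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
	"1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol",
}

// leet undoes the usual substitutions so "passw0rd" and "p@ssword" read as "password".
var leet = strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "@", "a", "$", "s")

// normalize lowercases, drops a trailing digit run ("Password12345" -> "password")
// and reverses leet substitutions, so trivial tweaks of a banned password still match.
func normalize(pw string) string {
	s := strings.ToLower(pw)
	if t := strings.TrimRightFunc(s, unicode.IsDigit); t != "" {
		s = t
	}
	return leet.Replace(s)
}

func isKeyRun(s string) bool {
	for _, seq := range keySequences {
		if strings.Contains(seq, s) {
			return true
		}
	}
	return false
}

// isKeyboardWalk reports whether pw splits entirely into key runs of length >= 3.
func isKeyboardWalk(pw string) bool {
	s := strings.ToLower(pw)
	for i := 0; i < len(s); {
		l := len(s) - i
		for ; l >= 3 && !isKeyRun(s[i:i+l]); l-- {
		}
		if l < 3 {
			return false
		}
		i += l
	}
	return len(s) >= 3
}

// Assess applies the page's guidance in order: deny-list, keyboard walks, then the
// 12+ character passphrase SplashData recommends.
func Assess(pw string) string {
	switch {
	case worst2017[strings.ToLower(pw)] || worst2017[normalize(pw)]:
		return "on the 2017 worst-passwords list (or a trivial variant)"
	case isKeyboardWalk(pw):
		return "keyboard walk"
	case len([]rune(pw)) < 12:
		return "shorter than 12 characters"
	}
	return "ok"
}

// Keyspace is alphabetSize^length, the candidates an exhaustive guesser must cover;
// the page's figures are 26^6, 26^8 and 94^8 (26+26 letters, 10 digits, 32 symbols).
func Keyspace(alphabetSize, length int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabetSize)), big.NewInt(int64(length)), nil)
}
```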


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Biometrics Hype

Followers of the Bach Seat know biometrics have limited value in replacing passwords. Despite the technical flaws, another round of biometric hype is rolling across the Intertubes. The latest round of biometric hype is coming from Samsung (005930). Hoping to revive its brand, Samsung has released the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

However, this awesome idea appears to lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 being unlocked using just a photo (at the 1:09 mark). To their credit, Samsung has acknowledged that the Face Unlock feature is more for convenience than for security. The biometric feature cannot be used for mobile payments. While weak facial recognition software may be a convenience for the user, it could also be very convenient for others.

The troubles with Face Unlock date back to 2011, when SlashGear reported that Google (GOOG) admitted the security system could be fooled by a picture of you rather than the real thing. CNet reports that the technology was developed by PittPatt, a startup originating from Carnegie Mellon University, which was later acquired by Google.

FBI’s facial recognition database

The Guardian reports that during testimony before Congress the FBI admitted that about half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports from 18 states including Michigan.

The FBI first launched its advanced biometric database, Next Generation Identification (NGI), in 2010. NGI augmented the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the gathering of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.

 

“I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.”

rb-

So anyone with a photo of you, or maybe even just access to your Facebook (FB) photos, could potentially access your phone. There are two important reasons why biometrics won’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

 

People expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to hide this data from the world. As far back as 2002, Japanese cryptographer Tsutomu Matsumoto and his team used gummy bears to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft stepped up its biometrics game. CNet reports that the recent improvements to Windows 10 biometric security include facial recognition software. Besides facial recognition, Windows Hello also supports other biometric factors to secure your PC, such as fingerprints and iris recognition. For facial recognition, though, Microsoft (MSFT) has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects. Microsoft uses RealSense to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. FIDO was founded in 2013 to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.


State of Michigan Data Breach

Data breaches are no surprise these days. I have covered a number of data breaches here on the Bach Seat here, here, and here. Now the State of Michigan (SOM) has joined the ranks of data leakers like Yahoo, Home Depot, Target, BCBS, and the US government. MLive is reporting that the State of Michigan has spilled the personal data of millions of Michigan citizens. On February 03, 2017, the Michigan Department of Technology, Management and Budget (DTMB) announced the Michigan data breach. The breach left the personal information of nearly 20% of Michigan residents vulnerable to unauthorized access for four months.

Unemployment Insurance Agency

The article reports that in October 2016, a software update was applied to the Michigan Data Automated System (MiDAS), which is used by the state’s Unemployment Insurance Agency (UIA). MiDAS was created by Fast Enterprises of Centennial, CO, and went live in 2012 as part of a modernization of the unemployment benefits and tax system. A flaw allowed employers and human resources firms to access the names and Social Security numbers of nearly 1.9 million Michigan residents they were not authorized to view.

The state identified the Michigan data breach on Jan. 30 and fixed it on Jan. 31, 2017. Contracted payroll service providers had unauthorized access to the MiDAS system, according to UIA spokesperson Dave Murray. Anybody working for a company that uses one of those payroll service providers may have had their personal information compromised. DTMB official Caleb Buhs warned, “If you are an employee in Michigan and your company uses a payroll vendor to process payroll, then you can potentially be included.”

Impacted by the Michigan data breach

According to a report on MLive, the 31 vendors with unauthorized access to Michigan citizens’ PII included:

  • 7-Eleven
  • Aatrix
  • Accountants World
  • Acrisure
  • ADP
  • Benepay
  • Casper Willson Wilson
  • Computing Resources
  • Connectpay LLC
  • CoStaff National Services Inc
  • Craft Accounting
  • CSS Payroll Inc
  • DTMB
  • DM Payroll
  • Dominion Systems
  • GT Independence
  • Heins Acctg
  • Hewitt Assoc
  • Highpoint Business Services LLC
  • Infiniti HR LLC
  • Julie Lepper Acctg
  • Mercantile Bank
  • My Pay Solutions
  • Nieland & Kosanke PC
  • One Source Virtual
  • Paychex
  • Paycomm Payroll LLC
  • Paycor
  • Paylocity Corp
  • Payroll 1
  • Payroll Tax Mgt
  • Professional Systems
  • Ultimate Software
  • VenSure HR Inc
  • Wayne County Regional
  • Zen Payroll

DTMB Director and State CIO David Behen stated, “Data security is a top priority for the state of Michigan … We will work with our third-party vendors and our state team to check our processes and procedures to avoid incidents like this in the future.”

Recommendations

Here’s what the SOM is recommending those who may have had their PII exposed do:

  1. Call the state hotline at 855-707-8387 between 8 a.m. and 4 p.m. on weekdays to make inquiries about this issue.
  2. Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  3. Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax, Experian, and TransUnion – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission’s website.
  4. Take steps to monitor their personally identifiable information and report any suspected instances of identity theft to their local law enforcement.

MiDAS has been in the news before. MiDAS’ “robo-adjudication” feature wrongly flagged at least 20,000 people for unemployment fraud between October 2013 and August 2015. MiDAS would automatically flag a discrepancy and send a message to a seldom-used internal unemployment system. When the victims didn’t respond, the system would automatically find they had committed fraud and issue a 400% fine.

rb-

The way data breach reporting works is that the originating firm under-estimates the number of records lost by half. So it is possible that the SOM has released nearly 4 million, or 38% of all Michiganders’ personal records.

Despite the Michigan State Police Cyber Command being on the job, it is likely that nothing will happen to the perpetrators – nothing ever does. DTMB spokesman Buhs said, “We are learning from this.” I hope so.


FIDO

Since 2013 there have been nearly 5 billion data records lost or stolen, according to the Breach Level Index. The UN says there are 6.8 billion mobile phone accounts, which means that globally 96% of humans have a cell phone. It would seem that these factoids could interact to cut the pace of lost or stolen data records. An effort is underway to use mobile devices to better secure data, called FIDO.

FIDO (Fast ID Online, https://fidoalliance.org/) is an open standard for a secure and easy-to-use universal authentication interface. FIDO plans to address the lack of interoperability among strong authentication devices. TargetTech says FIDO is developed by the FIDO Alliance, a non-profit organization formed in 2012. FIDO members include Agnitio, Alibaba, ARM (ARMH), Blackberry (BBRY), Google (GOOG), Infineon Technologies, Lenovo (LNVGY), Master Card, Microsoft (MSFT), Netflix, Nok Nok Labs, PayPal, RSA, Samsung, Synaptics, Validity Sensors and Visa.

The FIDO specifications define a common interface for user authentication on the client. The article explains the goal of FIDO authentication is to promote data privacy and stronger authentication for online services without hard-to-adopt measures. FIDO’s standard supports multifactor authentication and strong features like biometrics. It stores supporting data in a smartphone to eliminate the need for multiple passwords.

The author writes that FIDO is much like an encrypted virtual container of strong authentication elements. The elements include: biometrics, USB security tokens, Near Field Communication (NFC), Trusted Platform Modules (TPM), embedded secure elements, smart cards, and Bluetooth. Data from authentication sources are used for the local key, while the requesting service gets a separate login to keep user data private.

FIDO is based on public-key cryptography that works through two different protocols for two different user experiences. According to TargetTech the Universal Authentication Framework (UAF) protocol allows the user to register an enabled device with a FIDO-ready server or website. Users authenticate on their devices with fingerprints or PINs, for example, and log in to the server using a secure public key.

The Universal Second Factor (U2F), originally developed by Google, is an effort to get the Web ecosystem (browsers, online service providers, operating systems) to authenticate users with a strong second factor, such as a USB touchscreen key or NFC on a mobile device.

FIDO’s local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server or in the cloud. By abstracting the protocol implementation, FIDO also reduces the work required for developers to create secure logins.
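The registration and challenge-response flow described above, as an added example that is not FIDO Alliance code and not the exact UAF or U2F wire format: one Ed25519 key pair is minted on the device, only the public key goes to the server, and every signature covers a per-use counter and the origin the client observed. The user, the bank.example origin and the look-alike origin are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// signedData: the origin the client observed, the device's use counter, the challenge.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	msg := append([]byte(origin), 0, 0, 0, 0, 0) // NUL separator, then 4 counter bytes
	binary.BigEndian.PutUint32(msg[len(origin)+1:], counter)
	return append(msg, challenge...)
}

// Authenticator stands in for the phone or USB key. Real FIDO devices keep a
// distinct key pair per relying party; this constructed one is enrolled with one site.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// Register mints the key pair (after a local fingerprint or PIN check, assumed
// here) and hands back only the public half; the private key never leaves the device.
func (a *Authenticator) Register() ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.priv = priv
	return pub
}

// Sign answers a challenge; origin is what the client (browser) actually saw.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte) {
	a.counter++
	return a.counter, ed25519.Sign(a.priv, signedData(origin, a.counter, challenge))
}

// RelyingParty is the server: it stores a public key and a counter, never a secret.
type RelyingParty struct {
	Origin  string
	pub     ed25519.PublicKey
	counter uint32
	pending []byte // outstanding single-use challenge
}

func (rp *RelyingParty) Challenge() []byte {
	rp.pending = make([]byte, 32)
	if _, err := rand.Read(rp.pending); err != nil {
		panic(err)
	}
	return rp.pending
}

// Verify consumes the challenge, requires the client-reported origin to be its own,
// requires the counter to advance (a resubmitted assertion or a cloned device fails
// here) and checks the signature with the enrolled public key.
func (rp *RelyingParty) Verify(clientOrigin string, counter uint32, sig []byte) error {
	ch := rp.pending
	rp.pending = nil
	switch {
	case ch == nil:
		return errors.New("no outstanding challenge")
	case clientOrigin != rp.Origin:
		return errors.New("origin mismatch")
	case counter <= rp.counter:
		return errors.New("counter did not advance")
	case !ed25519.Verify(rp.pub, signedData(clientOrigin, counter, ch), sig):
		return errors.New("bad signature")
	}
	rp.counter = counter
	return nil
}

// Demo: enrolment, a genuine login, the same assertion resubmitted, and an assertion
// the device produced while the user was on a look-alike origin but relayed as genuine.
func Demo() (genuine, replayed, relayed error) {
	auth, rp := &Authenticator{}, &RelyingParty{Origin: "https://bank.example"}
	rp.pub = auth.Register()
	n, sig := auth.Sign(rp.Origin, rp.Challenge())
	genuine = rp.Verify(rp.Origin, n, sig)
	rp.Challenge()
	replayed = rp.Verify(rp.Origin, n, sig)
	n, sig = auth.Sign("https://bank-example.test", rp.Challenge()) // signed for the wrong origin
	relayed = rp.Verify(rp.Origin, n, sig)                           // presented as if from the real one
	return
}
```

The third case is why the scheme resists credential phishing: the device signed the look-alike origin, so the server cannot be convinced the login came from its own site.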

Samsung and PayPal have announced a FIDO authentication partnership. Beginning with the Samsung Galaxy S5 users can authorize transactions to their PayPal accounts using their fingerprints, which authenticates users by sending unique encrypted keys to their online PayPal wallets without storing biometric information on the company’s servers.

FIDO promises to clean up the strong authentication marketplace, making it easier for one-fob-fits-all products. The open standards shift some of the burdens for protecting personally identifiable information to software on devices or biometric features, and away from stored credentials and passwords. ComputerWeekly described FIDO’s potential this way:

The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user’s device that calculates cryptographic strings to be sent to a login server.

In the past, multiple-factor authentication methods were based on either a hardware fob or a tokenless product. These products use custom software, proprietary programming interfaces, and much work to integrate the method into your existing on-premises and Web-based applications.

ComputerWeekly says FIDO will divorce second-factor methods from the actual applications that will depend on them. That means the same authentication device can be used in multiple ways for signing into a variety of providers, without one being aware of the others or the need for extensive programming for stronger authentication.

Integrating FIDO-compliant built-in technology with digital wallets and e-commerce can not only help protect consumers but reduce the risk, liability, and fraud for financial institutions and digital marketplaces.

The big leap that FIDO is taking is to use biometric data – voiceprint, fingerprint, facial recognition, etc. and digitize and protect that information with solid cryptographic techniques. But unlike the traditional second-factor authentication key fobs or even the tokenless phone call-back scenarios, this information remains on your smartphone or laptop and isn’t shared with any application provider. FIDO can even use a simple four-digit PIN code, and everything will stay on the originating device. With this approach, ComputerWeekly says FIDO avoids the potential for a Target-like point-of-sale exploit that could release millions of logins to the world, a big selling point for many IT shops and providers.

It can eliminate having to carry a separate dongle, as just about everyone has a mobile phone these days. This is a mobile world we live in, and we need mobile-compatible solutions; otherwise, you’re behind the curve right out of the gate.


Mind Readers Can Steal Your Biometric Info

By now, most people have come to the position that passwords suck. The momentum for alternate means of authentication is growing. Researchers are working on how to use biometric technology for mainstream login activities. As I have pointed out, there are a number of emerging biometric techniques, like iris scans, facial recognition, or behavioral characteristics. All of these methods have flaws, which pose a problem for authentication and non-repudiation.

In a post at IEEE Spectrum, Megan Scudellari writes that fingerprints can be stolen, iris scans spoofed, and facial recognition software fooled. In the wake of these flaws, researchers have turned to brain waves as the next step in biometric identification. Biometric identification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. Unique identifiers include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures.

The researchers are racing to prove how accurately and accessibly they can verify a person’s identity using electroencephalograph (EEG) data. An EEG is a test that detects electrical activity in the brain using electrodes attached to the scalp. The IEEE article explains that as your eyes skim over the pixels you are reading and turn them into meaningful words, your brain cells are flickering with a pattern of electrical activity that is unique to you. These unique patterns can be used like a password or biometric identifier. In fact, researchers have taken to calling them “passthoughts”.

Using brainwaves to authenticate people goes back a while. Back in 2012, I wrote about the Muse headband sensor which promised to “create a specific brainwave signature or a password they would never have to say out loud or type into a computer.” More recently, psychologists and engineers at Binghamton University in New York achieved 100 percent accuracy at identifying individuals using brain waves captured with a skullcap with 30 electrodes. Scientists at the University of California at Berkeley have adopted a set of earbud sensors that worked with 80 percent accuracy.

The problem is our brains don’t produce a single, clear signal that can be checked like a fingerprint. The article says our brains emit a messy, vibrant symphony of personal information, including one’s emotional state, learning ability, and personality traits. The author contends that as EEG technology becomes cheaper, portable, and more ubiquitous—not only for identity authentication, but in apps, games, and more—there is a high likelihood that someone will tap into that concerto of information for malicious purposes. Abdul Serwadda, a cybersecurity researcher at Texas Tech University, told Spectrum:

If you have these apps, you don’t know what the app is reading from your brain or what [the app’s creators are] going to use that information for, but you do know they’re going to have a lot of information

The Texas Tech team performed experiments to see if they could glean sensitive personal information from brain data captured by two popular EEG-based authentication systems. Surprise, surprise: they were able to capture sensitive personal information from brain data.


Mr. Serwadda presented his results at the IEEE International Conference on Biometrics. The Texas Tech researchers examined EEG-based authentication systems that claimed high levels of authentication accuracy. One system examined was the Berkeley model, and the second was based on the Binghamton model. The article explains that these EEG-based authentication systems utilize specific features, or markers, of brain activity to identify a person, like isolating the melody of a specific orchestra instrument to identify a song.

The researchers wanted to see if those markers also contained sensitive personal information—in this case, a tendency for alcoholism. They ran old EEG scans which included alcoholics and non-alcoholics through the systems. Using the brain wave data, they were able to accurately identify 25% of the alcoholics in the sample. That’s 25% of people who just lost their privacy. Mr. Serwadda said:

We weren’t surprised, because we know the brain signal is so rich in information … But it is scary. [Wearable brain measurement] is an application that’s just about to go mainstream, and you can infer a lot of information about users.

The researcher said that malicious third parties could mine brain data to make inferences about learning disabilities, mental illnesses, and more. He told Spectrum, “Imagine if you made these things public, and insurance companies became aware of them … It would be terrible.”

IOActive senior consultant Alejandro Hernández told The Register that dangerous vulnerabilities exist in EEG kits. EEG’s security problems are depressingly familiar results of bad software design, Hernández said. EEG devices are vulnerable to man-in-the-middle attacks, as well as less-severe application vulnerabilities and ordinary crashes. Mr. Hernández says:

… some applications send the raw brain waves to another remote endpoint using the TCP/IP protocol, that by design doesn’t include security, and therefore this kind of traffic is prone to common network attacks such as man-in-the-middle where an attacker would be able to intercept and modify the EEG data sent.

The IOActive consultant found that components like the acquisition device, middleware, and endpoints lack authentication, meaning an attacker can connect to a remote TCP port and steal raw EEG data. That same flaw lets attackers pull off the more dangerous replay attacks.
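An added example (not IOActive’s code or anything from the original post) of the authentication that such a stream lacks: each frame carries a sequence number and an HMAC-SHA256 tag under a per-session key, so the receiving endpoint can reject a frame that was modified in transit and one that was captured and resubmitted. The sample readings and the key are constructed; the key is assumed to come from pairing or from the TLS session that should also encrypt the link, since a tag alone does not hide the data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Frame is one EEG sample frame as it would cross the wire: a sequence number,
// the raw channel readings, and an HMAC-SHA256 tag over both.
type Frame struct {
	Seq      uint32
	Channels []int16
	Tag      []byte
}

// encode serialises the authenticated part of a frame (sequence number + samples).
func encode(seq uint32, ch []int16) []byte {
	buf := make([]byte, 4+2*len(ch))
	binary.BigEndian.PutUint32(buf, seq)
	for i, v := range ch {
		binary.BigEndian.PutUint16(buf[4+2*i:], uint16(v))
	}
	return buf
}

func tag(key []byte, seq uint32, ch []int16) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(encode(seq, ch))
	return m.Sum(nil)
}

// Sender is the acquisition device; key is the per-session secret it shares with
// the receiver (assumed to be provisioned at pairing or derived from the TLS session).
type Sender struct {
	key []byte
	seq uint32
}

func (s *Sender) Send(ch []int16) Frame {
	s.seq++
	return Frame{Seq: s.seq, Channels: append([]int16(nil), ch...), Tag: tag(s.key, s.seq, ch)}
}

// Receiver is the middleware or endpoint. Accept checks the tag in constant time,
// so a forged or modified frame fails, and requires the sequence number to advance,
// so a frame captured from the stream cannot be replayed.
type Receiver struct {
	key     []byte
	lastSeq uint32
}

func (r *Receiver) Accept(f Frame) error {
	if !hmac.Equal(tag(r.key, f.Seq, f.Channels), f.Tag) {
		return errors.New("bad tag: frame forged or modified")
	}
	if f.Seq <= r.lastSeq {
		return errors.New("stale sequence: replayed frame")
	}
	r.lastSeq = f.Seq
	return nil
}

// Demo feeds the receiver a genuine frame, the same frame again, and a frame whose
// samples were altered in transit; the readings are constructed, not real EEG data.
func Demo() (genuine, replayed, tampered error) {
	key := []byte("constructed-32-byte-session-key!")
	tx, rx := &Sender{key: key}, &Receiver{key: key}
	f := tx.Send([]int16{-120, 45, 310, -8})
	genuine = rx.Accept(f)
	replayed = rx.Accept(f)
	g := tx.Send([]int16{-118, 47, 305, -6})
	g.Channels[2] = 9000 // modified in transit
	tampered = rx.Accept(g)
	return
}
```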

Unfortunately, the researchers do not have a solution for how to secure such information—though in the study, compromising a little on authentication accuracy did reduce the ability to detect who was an alcoholic. Mr. Serwadda hopes other research teams will now take privacy, and not just accuracy, into account when optimizing such systems. Professor Serwadda concludes, “We have to prepare for the movement of brain wave [assessment] into our daily lives.”

Rb-

Given the willingness of app developers to sell or share any info to any third party, and the unwillingness of the public to take even basic steps to secure their info online, everyone’s deepest personal information can be hacked in the future.

Another problem with passthoughts, which UC Berkeley’s John Chuang identifies, is that stress, mood, alcohol, caffeine, medicine, and mental fatigue could change the electrical signals that are generated.

Despite advances in logging in with your mind, there might always be a need for an old-fashioned eight-plus character phrase with no spaces. “Passwords will never go away,” says Berkeley’s Chuang. He reasons that for a computer, a typed password may be the easiest way to verify identity, while a finger swipe may be best for a touch screen.

But we need to think beyond those to future devices—wearables, for instance—for which there will be neither a keyboard nor a touch screen. “For each device, we must figure out what are the most natural, intuitive ways to tell the device that we are who we are,” Professor Chuang says. Going directly to the brain seems like an obvious choice.
