This is the 48th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded November 23, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:
Hacking tool swipes encrypted credentials from password manager
This article, and the associated incident, is an excellent reminder that there is no easy solution to securing EVERYTHING. Using an infected computer presents so many catastrophic scenarios, it’s not really wise to view this problem as a problem with password managers.
If a computer is infected with malware, the attacker can capture passwords as you enter them into any site. You could add a 2-factor authentication mechanism (like Google Authenticator), or force a user to enter a master password to access anything in a password manager’s database, but you then still have the problem of malware capturing what you enter into a site’s password field (even without a password manager), and the 2-factor MAN-IN-THE-MIDDLE attack we talked about in the last episode of the Shared Security Podcast.
This is one of many reasons I often emphasize the need to try to avoid malware risks by having good surfing habits, like:
– Not visiting questionable sites
– Not clicking on links or attachments in emails you weren’t expecting, or that look suspicious
– If you must do the above, do it on a different computer or a Virtual Machine environment, where an infection will probably not compromise your existing data
I still use a password manager, because it helps defend against many more risks than it is vulnerable to.
Your Unhashable Fingerprints Secure Nothing
Wow! I’ve actually had my concerns about any biometric authentication schemes (like fingerprints, iris scanners, facial recognition, etc.) since watching the movie MINORITY REPORT. Now, I’m CERTAIN they are not the way to go.
This is an amazingly well-written story that explains in elegant detail why fingerprints (and, I suspect, most biometric authentication factors) are actually a dangerous way of authenticating people. If you’re not technically inclined, it could be a difficult article to read, but here are my important take-aways:
1) THEY AREN’T REALLY SECRET – Your fingerprints are probably not as secret as any of your well-chosen passwords, because they can be either photographed from a fair distance with a high resolution camera, or lifted using standard forensic techniques from almost anything you’ve touched (e.g. a mug, a door knob, a keyboard, a steering wheel, a water tap, a seat back, etc.);
2) THEY ARE EASY TO REPRODUCE AND USE TO IMPERSONATE YOU – Fingerprints, once known (by lifting or by high resolution photos), can be easily reproduced pretty quickly, and without much effort, on a LATEX SKIN, and used at will;
3) THEY CAN’T BE REVOKED OR CHANGED – If your fingerprint is lifted from something and used to compromise your identity, there is literally no way to revoke – or reset – your fingerprint authenticator. So, it should never be used again, just like when you are asked to change your password after a data breach;
4) THEY AREN’T USUALLY SECURED WELL (or HASHED) – For fingerprint authentication to work properly, an authentication system has to verify that an impression of your print at the time of an authentication request is a CLOSE MATCH to one you gave at the time you registered to the system. To do this, it has to be easy for the system to retrieve your exact original print(s), so they can be compared and scored for SIMILARITY. This requirement means that the database must be MUCH MORE VULNERABLE to brute force attack than a good password hash database. In a well-constructed password hashing scheme, if an attacker manages to guess a correct password (very unlikely), they must start over to get any others. For a fingerprint (or most biometric) databases, it’s likely that the entire database is encrypted in a way that makes it easy to retrieve ALL of the prints.
If these points don’t make sense to you, then I’m afraid you’re going to have to read the article – which you really should do anyway – before you use something like Touch-ID on an iPhone.
CCTV Botnet In Our Own Back Yard
With the convergence of physical security devices (like CCTV cameras) and networking technologies there was always a risk that something like this could happen. Again, this goes back to the device manufacture and ensuring that IoT devices such as CCTV cameras are built with security in mind from the beginning. It also means that when people and organizations buy CCTV camera’s they need to harden and secure them before deployment. Default credentials is the number one attack vector we see abused with most IoT devices.
NOTE: Scott recommended a novel called INVASION OF PRIVACY by Ian Sutherland during this discussion. It’s a murder mystery with some good illustrations of plausible social engineering attacks, scenarios of interesting webcam risks and hacking tools used in interesting contexts. Here’s a link to the author’s webpage: http://ianhsutherland.com/. There’s also a free prequel to the novel at: http://ianhsutherland.com/social-engineer-sign-up/.
Predicting the future of technology
This is a good article for covering the range of technologies that could be affected by the next wave of SMART TECH. It also made me think of a book I recently read by Daniel Burris, called Flash Foresight. Burris is a great thinker and problem solver, who has a methodology for predicting technology evolution based on what he calls HARD TRENDS vs. SOFT TRENDS. If you’re interested in trying to predict or come up with the next successful technology in any of the areas mentioned in this article, or even if you just like to understand how technology is evolving, you should read Flash Foresight. It’s very interesting.
A Teen Instagram Star Is Quitting Social Media And Revealing The Truth Behind Her “Perfect Photos”
Can you really “quit” social media? This was an interesting article and sheds light on how people can be consumed with social media and the negative impact it can have on our lives. However, I find it ironic that she still uses social media (like Youtube and Vimeo videos) to start an entire new campaign against social media. Love it or hate it social media is part of our lives whether you like it or not. It comes down to responsible use and knowing when its consumed your life and has become an addiction (just like anything else in our life). Too much of anything can be a bad thing.
What is Tor?
With all the talk about encryption and Edward Snowden in the news I thought it would be helpful to give our listeners a quick overview of what the Tor Proxy (aka: The Onion Router) is and how it’s used. Tor is used by people with good intentions to protect their privacy but is also used by criminals (such as the case of the infamous ‘Silk Road’). Tor should also not be relied upon to be 100% anonymous on the Internet as it does have a few risks you should be aware of (especially if you’re running a Tor ‘exit node’). For further reading check out this great article on Lifehacker about Tor. If you’re feeling technically adventurous and want to play with Tor you can also build yourself a Tor enabled wifi network which I thought was a pretty cool project if you have a Raspberry Pi.
Free eBook: Securing Your Network and Application Infrastructure
Shared Security Podcast co-host Tom Eston was recently featured with several other security professionals in a free eBook titled “Securing Your Network and Application Infrastructure”. Check it out for lots of great advice and tips to secure your business.
Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!