Android fingerprint security not so secure

Since the introduction of Apple’s Touch ID, I’ve warned readers and clients about the complacency possible with fingerprint recognition on smartphones.  At Black Hat USA next month, two different presentations demonstrate how to steal fingerprint images from a compromised Samsung Android phones.

In one instance, FireEye researchers Tao Wei and Yulong Zhang demonstrate how to steal fingerprint images from the phone.  No finger stealing required…

At most, fingerprint recognition on smartphones is a convenience for accessing confidential information (in a public, confidential, critical classification scheme).  It should never be used for critical data.

Another Encryption Perspective

Hacking Team solutions aren’t the only ways government has to access encrypted information.  Most large government agencies have their own tools that perform the same tasks: capturing encrypted data when it’s not encrypted.  All data must be decrypted to be used or processes.  That is when it is most vulnerable.  So why the debate?  Ii discuss this in a Toolbox.com blog entry posted today.

Is Encryption a Right?

With governments beginning to make noise again about weakening encryption, several security professionals have come out against any moves to do this.  But does government have the right to take away our right to privacy?

Absolute privacy can be a national security issue.  But so is weakening business and critical infrastructure security in the name of protecting society.  The question I’ve been asking myself is whether strong encryption is a right: a right no government has the “right” to take from us.

In the U.S., our government has repeatedly resisted demands to limit the strength of encryption via things like backdoors and weak algorithms.  In the 1990’s, when these issues were dealt with, many believed the “crypto wars” were over.

“But they may not have realized that we would be on the brink of a similar battle over the right to use strong encryption some 15 years later. That’s why the key takeaway from the conflict is that weakening or undermining encryption is bad for the U.S. economy, Internet security, and civil liberties—and we’d be far better off if we remembered why the Crypto Wars turned out they way they did, rather than repeating the mistakes of the past” (Danielle Kehl, 2015).

It’s time to resolve this.  Congress and the People need to decide whether absolute privacy is a right in view of the internal and external threats we face as individuals, as organizations, and as a nation.  When deciding, we should keep in mind the following:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (4th Amendment of the U.S. Constitution).

Whatever we decide, a balance must be struck between security and our right to manage our lives as we see fit without interference by government.  The only exception is when living as we choose causes harm to others.

Wi-Fi Sense Creates New User-dependent Security Issue

For those who haven’t seen it yet, Windows 10 includes a feature, WiFi Sense, that allows a user’s friends to share WiFi access with others.  For example, Bob might allow Alice to access his access point.  With WiFi access, she never has to log in again to use Bob’s network.

This doesn’t necessarily give Alice access to network resources, just the Internet.  However, access to the access point provides opportunities for using it to commit a crime while putting the blame on Bob.  And then there’s the chance that the barrier between Bob’s guest network and his internal network isn’t as strong as it should be.

WiFi Sense challenges arise when Alice decides to share the access capability with her friends.  According to an article in Extreme Tech,

“WiFi Sense will automatically connect you to detected crowdsourced WiFi networks, acquire network information and provide “additional info” to networks that require it (it’s not clear exactly what constitutes additional info), and can be used to automatically share your WiFi password with your contacts on Facebook, Skype, and Outlook.

That last feature is the potentially controversial one. When you turn on this feature of WiFi Sense (and it’s not clear if the feature comes activated or not), it will request permission to connect to Outlook, Skype, and Facebook on your behalf. Other users on your friends list who also run Windows 10 will have their contact information shared with you as well, assuming they also enable the feature.”

So whether questionable people might have access to Bob’s access point depends on how Alice sets the switches during initial access.

WiFi Sense Selection

Microsoft apparently has two solutions to this, neither of them acceptable to those of us who attempt to help keep systems secure.  First, Bob can change the name of his SSID to include an opt out tag, as shown below,

WiFi Sense SSID Opt Out

Or he can set up the connection for Alice and make sure her sharing settings are properly set.  Both options rely on Bob or Alice making the right choices.  No one in security believes relying on human behavior for security is a good idea.

Microsoft, what were you thinking?

Is email safer than a password?

According to a Register article, Small change to Medium takes large axe to passwords, Medium is providing an option to use email to login instead of passwords.  I registered at Medium to check it out and to see if I agree with the Register article about possible weakness.

Sign up is easy.  On the first screen, you choose whether to use a social network login (e.g., Twitter) or email.  I chose email.  After selecting topics I wanted to read about, Medium sent an email to me.  Using the email, I logged in.  No password, just a user ID.

I logged out and tried to log in again.  Medium asked me for my registration email using TLS 1.2 to encrypt the session.  I entered my email and almost immediately received a message from Medium.  The message provided a button I pushed, which took me to my home page at Medium.  Very fast, very efficient.

So is this safer than a password?  Almost everyone now accepts email as a secondary method of bypassing forgotten passwords.  It isn’t much of a stretch to use email as the primary authentication factor.  Further, users don’t have to write down passwords or remember a new password for every login.  But…

In an email-as-a-password world, email becomes a single-point-of-failure and a big target.  As long as users do better at password selection, this could still work.  What are the odds that we can train users (after trying for years) to use something other than 12345678 or Passw0rd.