Tom Olzak

Posts Tagged ‘access control’

Android fingerprint security not so secure

In Access Controls, Android Security, Biometrics on July 10, 2015 at 13:40

Since the introduction of Apple’s Touch ID, I’ve warned readers and clients about the complacency possible with fingerprint recognition on smartphones.  At Black Hat USA next month, two different presentations demonstrate how to steal fingerprint images from a compromised Samsung Android phones.

In one instance, FireEye researchers Tao Wei and Yulong Zhang demonstrate how to steal fingerprint images from the phone.  No finger stealing required…

At most, fingerprint recognition on smartphones is a convenience for accessing confidential information (in a public, confidential, critical classification scheme).  It should never be used for critical data.

Another Encryption Perspective

In Access Controls, Application Security, Cyber-warfare, Cybercrime, Data Security on July 9, 2015 at 14:36

Hacking Team solutions aren’t the only ways government has to access encrypted information.  Most large government agencies have their own tools that perform the same tasks: capturing encrypted data when it’s not encrypted.  All data must be decrypted to be used or processes.  That is when it is most vulnerable.  So why the debate?  Ii discuss this in a Toolbox.com blog entry posted today.

Is Encryption a Right?

In Access Controls, Application Security, Encryption, Government on July 8, 2015 at 04:00

With governments beginning to make noise again about weakening encryption, several security professionals have come out against any moves to do this.  But does government have the right to take away our right to privacy?

Absolute privacy can be a national security issue.  But so is weakening business and critical infrastructure security in the name of protecting society.  The question I’ve been asking myself is whether strong encryption is a right: a right no government has the “right” to take from us.

In the U.S., our government has repeatedly resisted demands to limit the strength of encryption via things like backdoors and weak algorithms.  In the 1990’s, when these issues were dealt with, many believed the “crypto wars” were over.

“But they may not have realized that we would be on the brink of a similar battle over the right to use strong encryption some 15 years later. That’s why the key takeaway from the conflict is that weakening or undermining encryption is bad for the U.S. economy, Internet security, and civil liberties—and we’d be far better off if we remembered why the Crypto Wars turned out they way they did, rather than repeating the mistakes of the past” (Danielle Kehl, 2015).

It’s time to resolve this.  Congress and the People need to decide whether absolute privacy is a right in view of the internal and external threats we face as individuals, as organizations, and as a nation.  When deciding, we should keep in mind the following:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (4th Amendment of the U.S. Constitution).

Whatever we decide, a balance must be struck between security and our right to manage our lives as we see fit without interference by government.  The only exception is when living as we choose causes harm to others.

Wi-Fi Sense Creates New User-dependent Security Issue

In Access Controls, Computers and Internet, Wireless Security on July 3, 2015 at 04:00

For those who haven’t seen it yet, Windows 10 includes a feature, WiFi Sense, that allows a user’s friends to share WiFi access with others.  For example, Bob might allow Alice to access his access point.  With WiFi access, she never has to log in again to use Bob’s network.

This doesn’t necessarily give Alice access to network resources, just the Internet.  However, access to the access point provides opportunities for using it to commit a crime while putting the blame on Bob.  And then there’s the chance that the barrier between Bob’s guest network and his internal network isn’t as strong as it should be.

WiFi Sense challenges arise when Alice decides to share the access capability with her friends.  According to an article in Extreme Tech,

“WiFi Sense will automatically connect you to detected crowdsourced WiFi networks, acquire network information and provide “additional info” to networks that require it (it’s not clear exactly what constitutes additional info), and can be used to automatically share your WiFi password with your contacts on Facebook, Skype, and Outlook.

That last feature is the potentially controversial one. When you turn on this feature of WiFi Sense (and it’s not clear if the feature comes activated or not), it will request permission to connect to Outlook, Skype, and Facebook on your behalf. Other users on your friends list who also run Windows 10 will have their contact information shared with you as well, assuming they also enable the feature.”

So whether questionable people might have access to Bob’s access point depends on how Alice sets the switches during initial access.

WiFi Sense Selection

WiFi Sense Selection

Microsoft apparently has two solutions to this, neither of them acceptable to those of us who attempt to help keep systems secure.  First, Bob can change the name of his SSID to include an opt out tag, as shown below,

WiFi Sense SSID Opt Out

WiFi Sense SSID Opt Out

Or he can set up the connection for Alice and make sure her sharing settings are properly set.  Both options rely on Bob or Alice making the right choices.  No one in security believes relying on human behavior for security is a good idea.

Microsoft, what were you thinking?

It isn’t the algorithm, it’s the admin…

In Access Controls, Password Management, SHA on February 18, 2013 at 19:04

In a recent Threat Post article, Dennis Fisher writes about a competition to find a new password hashing algorithm.  Actually, I thought we had enough.  Let’s see… we have SHA-2 and SHA-3 (just approved by NIST), so what is the rush for a new one?  It seems the supporters of this competition believe their efforts will help stop use of unencrypted password stores.  Really?

The problem is not with hashing algorithms.  Rather, it is with the questionable reasoning of administrators or business managers that can’t seem to understand the need to scramble passwords in storage or in transit.  It also exists in the mental voids where managers seem to justify weak passwords and weak prevention, detection, and response controls.  We have the hash algorithms we need; we just need to use them. But even if a better algorithm is found, who is going to make people use it?  SHA-1 might be weak, but it’s betting than nothing.  SHA-2 is still effective, and SHA-3 is waiting in the wings for deployment (http://valerieaurora.org/hash.html).

Yes, faster is better.  Stronger is better.  But getting people to do the right thing requires more than a better, faster algorithm.

%d bloggers like this: