Hristo Bojinov and other researchers at Stanford have discovered a new way of digitally fingerprinting mobile devices. The method works off the fact that the accelerometers used in smart phones all have unique measurement errors after rolling off the assembly line. These errors can be found by setting the phone on a flat surface, tapping it, then flipping it over. The researchers have stood up a proof of concept site where users can find the accelerometer fingerprint of their own device.
The technique could be used by advertisers and by surveillance agencies as a method of tracking and identifying mobile devices. The current favored method for this operation, putting tracking cookies on the piece of hardware, is subject to a number of constraints, not the least of which is that users can delete the cookies to give themselves a fresh start in the tracking system.
Dan Gifford – MCySec Media Manager
Security Researcher Brian Krebs has conducted an investigation of a number of identity theft portals active on the internet, where various ne’er-do-wells were able to purchase the personal information (social security numbers and full background check information) of anyone they pleased, including such luminaries as Beyonce, Kanye West and Jay Z and even First Lady Michelle Obama, CIA Director John Brennan, and former FBI Director Robert Mueller.
The service that Krebs homed in on, ssndob.ms, was apparently slurping its data from the primary companies on the “legitimate” side of background checks: LexisNexis, Dun & Bradstreet, and Kroll Security. The ID thieves had penetrated the networks of those companies and added a number of their servers to a botnet. The admins of ssndob then used these computers to grab data from the databases of the companies. They also had control of a number of compromised accounts with conventional access to these databases.
The main impact of the hack is that it proves that so-called “Knowledge-Based Authentication” (KBA), a process where someone’s identity is determined by asking them questions from their history, such as places lived, cars owned, and recent bills paid, is not an effective security measure. Identity thieves have gotten the databases, and will no doubt continue to find access to them, which means that passing a KBA challenge is a trivial task for determined and well-connected attackers. However, many of the alternatives, such as biometric identifiers, come with their own problems. Establishing identity is the hard problem of the information age.
Dan Gifford – MCySec Media Manager
The Chaos Computer Club (CCC) of Germany, founded in 1981 and one of the most visible global hacking collectives, has published the details of their successful hack of the new iPhone 5s biometric security fingerprint scanner (a system called TouchID). A member of the club’s biometric hacking team, nicknamed “Starbug”, documented the successful hack in a video posted to YouTube. The method used to conduct the hack is apparently no different from the method Starbug has used in the past to defeat fingerprint readers, except that cracking the TouchID system requires making a fake latex fingerprint of a higher resolution than that used with other systems (however, at 1200 dpi it is still well within the capabilities of a desktop printer). The ease of the method described by the CCC should put a pin in the claims of revolutionary technological developments made so breathlessly in the press in recent days in regard to Apple’s new TouchID feature.
Frank Rieger, spokesperson for the group, stated that: “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
In 2008, the CCC acquired and then published 4000 copies of German Interior Minister Wolfgang Schäuble’s fingerprint in an issue of their magazine. The fingerprint was included on a piece of film that would allow users to impersonate the Minister when using biometric devices. This was done in protest of the Minister’s public advocacy which led to the inclusion of fingerprint data on German passports.
Dan Gifford – MCySec Media Manager