#securityeverywhere

We already know the issues we face with passwords and other single-factor authentication protocols. They are often ‘weak’, reused and can be easily forgotten given the number of passwords some people have to remember. This is where the idea of biometrics comes in - it aims to alleviate these concerns by mapping the concept of authentication to physical aspects of our bodies. The question is how good are biometrics right now and where are they vulnerable?

I want to go over the main types that are in use today which are:

Iris / retina scanning - uses unique patterns in the iris or vein patterns in the retina

Facial recognition - extract features of the face (i.e. distance between eyes) and match against a database

Fingerprint scanning - identification via the ridges and valleys on your fingers

Finger dimensions & palm veins - not as common as fingerprints but beginning to gain popularity

DNA - copying and splitting of genetic markers in our genes (very accurate)

There are some other interesting emerging ones too:

Voice recognition - can recognise an individual in as few as 100 datapoints in your speech

Ear recognition - shape of human ear is unique to every individual; remains pretty much the same from birth to death

Typing - identification of individuals through habits of using a keyboard (i.e. rhythm & key pressure)

Gait - mainly used in analysing athletes at present, but could be expanded to identify individuals (unique ways in which joints move)

All these methods of identifying individuals via biometrics are ‘good and well’, however we have one main issue with them all. In order for an organisation to use these as authentication, these elements need to be converted into data and stored. If the data was compromised then you have permanently lost your biometric authentication (for that aspect) - there are only so many physical aspects you can use for biometrics, where as you aren’t limited in password choice. There have already been proven methods today to forge facial recognition, fingerprints and iris scans from this data. Honestly, I don’t think biometrics alone can provide great security at this stage - although, I think as part of a multi-factor authentication, they definitely add to the overall security. (it’s just another pain in the ‘butt’ for an attacker)

The other big issue with systems implementing biometrics is the ‘type I / type II error tradeoff’. Being able to recognise the physical features in sufficient detail such that it recognises the individual most of the time, without leading to a significant increase in false positives, is difficult. I’m pretty sure Richard already mentioned in the lectures the example of going through the airport - the systems are tilted towards approving identities, otherwise we would have huge queues and lots of manual intervention required.

TransportNSW - Facial Recognition Replace Opal Cards? (article)

The transport minister, Andrew Constance, basically discussed the idea of using facial recognition in the not-too-distant future instead of Opal Cards. Now I don’t actually see any issues regarding forging authentication in this case - since the costs are so minimal for a single transaction, it wouldn’t be worth the effort for an attacker to try and forge it. My problem revolves around the fact I don’t think our facial recognition technology is good enough to do this yet; we can barely recognise people with lined up passport photos at the airport.

My other major concern relates to privacy - the government will be investing billions of dollars if they were to try and develop this system, so who says that would just limit it to transport? I think they would try and expand the system to law enforcement and every other area of government, if they manage to get the authentication working well. Remember a lot of image recognition systems rely on being able to ‘train against data’; if millions of people are using the systems every day then you can collect a lot of data in a short period of time. They would be able to get so good at recognising your face in every shade of light and every angle; to the point where they could use this on every camera in their control. This is the point we become a ‘surveillance state’.

China - Facial Recognition (article)

Some of the things China has been doing with regards to facial recognition are definitely starting to feel like an Orwellian dystopia. According to the article, here are the main things they’ve been doing in 2018:

Police facial recognition glasses - almost like ‘Google Glass’, they can be used to identify individuals and flag criminals

Drones in class - used to scan student’s faces to track attendance and how closely they followed lectures

“Smart” uniforms - microchipped school uniforms to give location and link up with on-school facial recognition

AI news anchors - used to ‘effectively replace’ an anchor when breaking news needs to be broadcast

Facial recognition near rivers - recognition used to detect children near river to give them warnings and alert parents

Checking up on animals - facial recognition to identify pigs and track well-being

San Francisco Biometric Ban (article)

Yesterday night I was visiting a friend in a hospital, and it’s been a while since I’ve actually been to a hospital (probably a good thing). But when I got there, I was really surprised by the lack of security or even staff in the wards.

I was able to walk right past reception and visit patient wards without having to sign in or be verified anywhere. On the way to actually find the right ward, I accidentally took the lift to a floor which was supposed to be ‘staff only’ access - the mechanism which restricts permissions to visit floor might have been broken. I also noticed some of the elevators didn’t have noticeable security cameras.

After getting to the right ward, I also noticed that  there were probably very important medical records about patients just lying around desks that anyone could have picked up. I also saw one instance of a computer that was left logged in and unattended which is obviously a massive security risk, I could have walked up to the computer and looked up potentially confidential information about patients assuming I had access to the database.

Obviously a lot of people who would visit a hospital are there to visit a patient, but what about the low probability event of a random person coming in to harm a patient/staff member.

Ways hospitals might improve their security measures to prevent the risk of this happening:

Implement a sign in sheet at the front of the reception desk where visitors must sign - and staff to monitor who goes in and out of the ward

Training for staff should be improved - know not to leave important documents lying around, and ALWAYS log out of the computer if not in use

I was watching a video lecture on echo360 to catch up on some work and saw that my lecturer was typing in the pin to the ipad that is used during the lecture. Similarly, a few weeks later the notification of logging into icloud pops up showing the lecturer’s personal email address. Within this email address is the lecturer’s name and six digits which closely resemble the a birth date. 

Risk: So, all this is recorded on echo, if an attacker wanted to access this lecturer’s personal details, the ipad can easily be taken and logged in using the pin in the recording. 

Also learning from the talk last week regarding passwords, we only require a few pieces of information of an individual to determine the possible passwords to an account. So since we already know the name and possible dob the third piece of information can be found somewhere on the ipad. 

Otherwise, it is also possible that some sites are already logged on/ have details saved. i.e. unsw portal. 

Prevention and plan for the future: 

I guess a lesson that can be learn is that we can’t always keep everything a secret, but keep your personal information to yourself. 

If you don’t need to share information don’t

I saved these articles from a couple days ago because I thought they were pretty cool, but didn’t get time to writeup about them.

Catching Vandals with Wi-Fi

The basic idea behind this story was a bunch of teens were busted vandalising a school because their phones automatically connected to the WiFi. While they were painting racist and homophobic imagery throughout the school, their phones connected to the school’s internet with their own personal credentials. Basically their efforts to try and conceal their identities by covering their faces from the school’s security cameras were completely wasted.

This case is somewhat similar (conceptually) to the Harvard bomb threat that happened back in 2013. Some dude thought he was pretty smart in using ‘Tor’ to post the threat to get out of an exam. However, he failed to realise he was connected to the universities’ internet and was the only person using ‘Tor’. As they were able to trace the threat back to one of the ‘Tor’ servers and suspected a student at Harvard had made the threat, they were able to force a confession from him.

Both these stories definitely highlight the need to consider every aspect of your online identity if you don’t want to be traced. You have to understand that the best way for ‘no information’ to be conferred about you is to ‘blend in’ with the crowd - how close data is to random is what determines information!

Google Listening In

Is anyone honestly surprised by this story? I wrote a blog post about this very fact, a couple weeks ago, from personal anecdotes which I had heard. It seems very obvious to me that the device itself isn’t capable of handling complex human speech interactions and would require an external server! Of course they would be using excerpts from this to try and improve their ‘listening devices’.

I found it funny how they essentially claimed all the data was anonymised - you know, like apart from your voice and everything you say to it? Apparently Google has hit back and said only around 0.2% of recordings get sent for review - don’t worry that’s probably only 2 million people.

The other thing you might not consider is the fact that the NSA probably has roots in all major American tech companies, so really if you do have one of these devices, you essentially have ‘another’ wiretap in your house. (on top of all your other devices of course!)

Linux Servers and Android Devices (link)

Since I had just recently written an article about XSS attacks I thought I should give a mention to a recent piece of malware infecting some Linux computers. So basically it is a piece of software written in GoLang which uses the CPU power of infected computers to mine Monero. Researchers described its methods of propagation as involving either server-level programming languages or misconfigured credentials in a SSH or Redis database. 

After gaining access to a machine it would disable any security software and kill any other program using too much of the CPU. It has apparently also been used to hijack a number of mining pools which has reportedly made them thousands. Only around 2 weeks ago it was also reported that botnet malware was using a vulnerability in the Android Debug Bridge (ADB) ports to infiltrate devices to mine the cryptocurrency Monero; it applied a similar process to conceal itself.

What about XSS?

You’re probably wondering what any of this has to do with XSS, so I should probably explain. Basically a similar form of attack (in using CPU to mine Monero) was performed around a year ago which affected thousands of UK government websites. The attackers compromised an accessibility plugin known as Browsealoud which was used on many government websites. This meant that when any user loaded one of these websites, they would also run the script.

According to IATA, in the period of 2012 - 2016, there was an average of 75 accidents per year out of an average of 37 million flghts. Out of these accidents, there was an average of 11 fatal accidents, resulting in an average of 315 fatalities per year.

This officially makes aeroplane travel the safest form of travel there is and dying from your plane crashing is indeed a prime example of a low probability and high impact event.

From our case study, and also from the statistics it is abundantly clear that the majority of the causes for these crashes is due to human error or weakness. In order to manage this risk better we need only focus on how to reduce such errors.

In the stories discussed in our case study I think that we learned there are ways to improve Flight Procedures in a way that would prevent future disasters. Some of this has already been addressed - for instance, since the Germanwings disaster it has become compulsory (across a range of different airlines) to always have two pilots in the cockpit. There are also stricter rules on monitoring of pilot health to ensure that we avoid pilots that have issues with mental health and suicide.

Train barriers and the gate guards are simply a detterent like the guards at retail stores. I saw recently a boy jump over a gate and the guard saw, but did absolutely nothing. A recommendation for Transport NSW would be to invest more in higher gates which would make it much more difficult to jump over, or duck under.

I was at the shops today when I was leaving the shops. I got pulled over by the guard to check my bag. I unzipped it for a second, then he told me to continue on. Thinking back, those bag checks are never more than a deterrent. If you hide the thing you’re trying to steal under enough layers, or in a side pocket, they would never notice. Just remember to take the tags off so the alarms won’t go off when you pass through the door...

Retail shops should consider doing more thorough random checks each time, since it feels very pointless otherwise.