9th December, 2019 – Purple Post
- CWE Top 25 Dangerous Software Errors
- FBI Echo/Google Home Advisory
- Bouncer App
- Disney+ & Nord VPN
- Android Woes
- Insider Threats – Still King
- CyrusOne Ransomware Attack
- NAS Ransomware – new!
- Mobile Jump shares data with China
- Outlook Home Page Hack
- Order Pizza – lose 95k!
- CallerSpy Malware pretends it is a Chat App
- Apple Admits it tracks location even if you revoked permission
- FBI: Russians Indicted for malware
- Windows Hello Advisory
- Thales DIS SafeNet Sentinel LDK License Manager Runtime Bug
- Weidmueller Industrial Ethernet Switches
- AA19-339A: Dridex Malware
This week’s insight from Purple Team on
Why Aadhar is Flawed
Now that I have got your attention, I really want to talk about Bio-metric Authentication and its, often unconsidered, problems. From Aadhar to airports, from bank accounts to office entrances, from phones to safes, bio-metric information like fingerprints and, more rarely, iris prints have become the authentication mechanism of choice. And it is quite understandable why: It is very convenient. It is correct. It is fast. It is quite difficult to lose a finger or an eye. And, barring Mission Impossible like scenarios, it makes sure that it is indubitably you, the indented user.
There are two main problems with bio-metric authentication: legal & technical.
Consider: when an organization uses bio-metric information, it collects uniquely identifiable information about the person (that is, in fact, the point). However, the privacy implications of this information are rarely considered. Since this is not user information and it is authentication information, it is not accorded the ‘sanctity’ of a Personally Identifiable Information (PII) and therefore not safeguarded as well. A breach of this information would (and should) attract the same penalties as any privacy related data breach.
The technical consideration is more important: There is no way to change bio-metric information! If the various organizations which store the information are not as careful as it should be with this information or if they get hacked, it would enable a bad actor to impersonate as the user or deny them access to services. There are any number of other scenarios, all bad, that you can imagine as well I can, I am sure. When your password gets leaked, you can go in and change the password. If you lose your multi-factor authentication device, you can buy another one. What do you do when your fingerprints are leaked?!
(In case those issues do not bother you, consider the accuracy fingerprint data that Aadhar maintains – estimates on false positives vary between 3% to 5%. While that might look accurate enough, consider the implication: India’s population today is 1,366,417,754; forget about 5%, an error rate of even of 0.5% means that 7 million people can be confused for each other!)
There are various solutions currently being attempted to solve the problem. However, none afford the same comfort & speed as the current methods while adequately addressing the problem. At least as yet.
Technically, the solutions tend to be in one of two categories: (a) a more fool proof authentication method like Behavioural Biometrics based authentication; or (b) substituting biometrics with mutable biometrics. Neither approach is complete and I am sorry to say, neither actually solves the problem. We will perhaps have to wait for another Purple Post to understand the eventual solution when it materializes.
The current state of art reminds me of Douglas Adam’s Ident-i-eeze in Mostly Harmless! To refresh your memory, this is what he says “Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology’s greatest triumph to date over both itself and plain common sense.“
What a prescient take!
– Sridhar Parthasarathy, CEO, Purple Team (www.purpleteam.in)
Learning News this Week
ZDNet has, very conveniently, collected the information and links on all the major hacks, cyber-attacks and breaches so far in 2019. It makes for very scary reading particularly when you realize that this is just a selection of the newsworthy incidents of the year.
Apart from the variety of in the incidents, the key learning from my perspective is that organizational cyber-security needs to be pro-active – be it patching your systems on schedule and as per your risk profile or ensuring that your IDS/IPS are up to scratch. From what I can see, there is no real pattern regarding the breaches. Perhaps there is a slight increase in ransomware attacks & insider threats. However, these are seasonal and I would not draw any lasting strategies based on it.
I am going to stay with the breaches of 2019 and see what lessons we can draw from that repot.
The other learning is a bit inferential, in my opinion: get cyber insurance, without fail. It is a no brainer.
- It is a certainty that you will be breached. It is better to be prepared.
- 50% of organizations do not think they are ready to handle a breach. Even if you are ready, your suppliers may not be.
- The average total cost of a breach, has risen 12% to $3.92 million when you take into account notification costs, expenses associated with investigation, damage control, and repairs, as well as regulatory fines and lawsuits.
- And your stock price drops by 7% if you notify a breach.
At least cover the financial impact so that you can handle the reputational impact.
FBI has some very specific advise about using consumer IoT devices. Please read the article if you use any of these devices. TL;DR: change the default passwords. Watch out what permissions that the attendant mobile app.
In the matter of application permissions on Android, I discovered this app: Bouncer. It revokes permissions from apps after you are done using them. That way you do not give up any functionality while ensuring that the apps do not snoop on you. Too much.
Mitre has released the Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25). The big news is that SQL Injection has slipped to #6.
Disney+ is available only in a few geographies and they have ensured that they block VPNs. However, Nord VPN users have been able to access Disney+ using something called “residential proxies”. The article provides a theory how. I personally think they just purchased a block of residential proxy addresses from a willing service provider.
Android had a fairly rotten week last week – 4 major vulnerabilities reported. Google themselves have categorized them “Critical”. Ensure that you apply the Dec 1 security update, without fail.