Biometric Security

26 April 2018

A lot of projects I am seeing are starting to use biometric elements to secure the system. Biometric credentials are fundamentally different to other credentials because they are not absolute. Many of these try to use the biometric in the same way as a password, this is the wrong approach. Hence the refrain “A biometric is your username not your password.”

A sensor will make a reading and this is then compared with a template, and result in a measurement of the degree of match. Usernames, passwords, keys (not physical) are all binary in that they either match exactly or not.

But most biometric systems do not directly store the recording of the physical measurement, but a template. That is a set of characteristics of the biometric. So a fingerprint reader analyses the image of the print and finds a number of unique points or minutiae features. where ridges divide, stop, or have small islands. The template that is stored will be a list of these minutiae and their location rather than an image.

This means that for a biometric credential there is a level of confidence that the reading is from the same person. When the system is set up we must set the minimum confidence level that we will accept. This is driven by a number of factors.

  1. How often the attempt is detected as false when it is the same person. This is called the False Negative Rate, or False Non-Match Rate (FNMR).
  2. How often the system accepts an attempt by a different person. This is the False Positive Rate, or False Match Rate (FMR).
  3. How many fail attempts we allow before locking the system.

The higher we set the threshold the lower the FMR, but this increases the FNMR, and if we have a low number of attempts we may lock out legitimate users. But if the threshold is low, then we will be letting in attackers more easily, especially if the number of fail attempts allowed is high.

The Birthday Problem

There is a parlour game where you ask everyone in the room the call out the date (day/month) of their birthday, and if you have about 25 people the odds are better than even that you will find 2 people with the same day. Because there are 365 days in a year we think that the probability of a match would need ~150 people. But what we are really doing is saying what is the probability of everyone having a different birthday.

How is this relevant? If we are using a biometric credential, how many templates are we comparing it against for a match. if you are using a fingerprint to unlock a phone or a laptop, you will only have a at most a couple of your fingers registered. If we are using the biometric to identify and individual from hundreds or thousands, then we quickly get into a Birthday Problem situation. If we are designing a security system it should first identify the individual, and then compare the biometric with that individual’s template.

Identification and Authorisation

These terms are often confused, so lets start with a definition.

Identification, The presentation of a unique data that selects a specific account on the system.
Authorisation, The presentation or verification a credential that permits actions on the system under a specific account.

So in the old world your username is the Identification, and the password provides Authorisation to log on. A biometric credential can provide Identification. But sometimes all we need is identification. A contactless card transaction you present your card for identification, and for small transactions that is enough.

Many applications of biometric systems assume that because we have identified the account, that a separate authorisation step is not necessary. This may be true for low value (or low risk) applications, but not for many other applications.

What is different about Biometrics

Because a biometric credential is based on reading a physical characteristic of the body we cannot change or invalidate that reading. We can choose a different component to present, ie a different finger to a scanner. This is why we cannot treat a biometric as a password.

Secondly this data is not secret, we leave fingerprints everywhere, they can be copied from high resolution photographs, and facial recognition systems have been foiled with pictures, or masks.

Lastly the process of reading a biometric depends on a set of hardware and software that is open to attack. Because hardware must perform the reading, many systems also contain the templates, and the processing to compare the reading to the template. An attack could replace the biometric reader with a simple device to say there was a match, so the integrity of the this subsystem needs to be assured.

This is why Apple have been clamping down on repairs that replace the fingerprint sensor on their phones. A hacked sensor could tell the phone that every finger matches.

Data Protection

Biometric data is clearly personal and so needs to be processed and stored according to Data Protection requirements (Like GDPR & HIPPA).

For example from hand geometry the level of testosterone exposure during pregnancy can be determined by the relative lengths of the first and third fingers. https://en.wikipedia.org/wiki/Digit_ratio this has been correlated with a number of health and lifestyle factors like Sexual orientation.

Further Reading
https://pages.nist.gov/800-63-3/sp800-63b.html
https://privacyinternational.org/node/1454

Advertisements

How to use a computer

25 April 2018


I am often asked for advice on doing various things on a computer and I assume that they are doing everything else securely, and then I find that they don’t have the basics right. So here is my guide to doing the basics right.

Don’t use Windows

OK so some people still haven’t upgraded to a Linux distribution, and I have hit brick walls in trying to convince some of my friends to do this. But this is one of the best things you can do to improve your security. OK keep a separate partition with windows for playing games, everything else is better on Linux.

Update, Update, Update

Make sure that you keep all your software up-to-date, not just the operating system, all those other bits and pieces of software need updating.

When you install software always do this by adding a repository to your package manager, that way when you do your apt full-update everything is updated in one go. (this is one of the main reasons why Linux is better)

Backup, Backup, Backup

All computers can fail, taking your data with them, so you need to make sure the rule of 3 is followed. All data should have 3 copies, the live version, a backup version, and a remote backup.

Use a password Manager

We are just frail humans and we can not remember a different, complex password for every site we need or want a password on. The only way to remember all these passwords is to use a password manager. There are better and worse managers out there but you are much safer using a bad password manager than not using one at all.


Password Managers

7 February 2017

Lastpass Screenshot

I am constantly surprised that ordinary people don’t use password managers. I would expect most security professionals to use them, but even there I find many do not use a password manager.

So what is a Password manager? Basically a database that stores usernames and passwords for you. The data is encrypted with a master password so you do have to remember that one password. When you visit a site or start an application that needs a password the password manager fills in the credentials for you.

Why is this better than what I do at the moment? If you don’t use a password manager then you must be doing one of the following:

1. Use the same password, or a small set of passwords on many sites.

This is a bad idea, mostly because if one of those sites is compromised then you will need to change your password on all the sites you have used that password on. Can you remember all of those sites? How long will it take you to do that?

2. Write passwords down.

Actually this is not too bad, as long as you look after the password book. You can do some things to make sure that if the book is stolen then it doesn’t immediately compromise all your passwords. But if you lose that book how do you go about changing your passwords?

3. Use an algorithm to generate the password for each site.

It could be paper based or something you can remember and do in your head or a combination. Usually you use the domain name of the site to work out your password. The problem here is if that site is compromised then you have to change your password, lots of these and you have a long list of exceptions, or alternative methods for passwords. It will soon become unmanageable.

Software to the rescue.

So the answer is to use a password safe software. There are a number of systems available. I recommend both lastpass and keepass. Lastpass is internet based, and implemented through a browser plugin whereas keepass is an application you run locally on your machine.

Both allow you to store usernames, passwords and the URL of the login page. Both have a master password to encrypt the password store, and only decrypt the password in memory on the local machine.

Keepass has a local database, but this can be synced with other machines with a Dropbox, GDrive, OneDrive, or even sftp. Because the database is only decrypted in memory this is safe. Keepass is open source and there are clients for all desktop operating systems, and some mobile as well. There is a huge range of extensions to extend the basic functionality.

I personally use lastpass, but I also regularly export my keystore and import it into keepass so I have a backup.

So why is this good.

1. you have a different password on every site. OK if you don’t have this when you start you can progress towards this. Because you only have to remember one password, there is no effort in having a different password for every site.

2. You use long, randomly generated passwords. These systems will generate a new password for you, so you may as well make it long and complex as you don’t have to remember it. And that makes you much more secure. So when you set up a new account or change an existing password, generate it randomly and a make it 16 characters long (if the site accepts this).

3. Your password manager checks the domain you are visiting and will only enter the amazon password into the page at amazon.com not amason.com amaz0n.com amazom.com arnazon.com

4. Use your password manager as your bookmarks, if you need to visit your bank, select it in the password manager and it will go there and log you on.

5. Use you password manager to store password recovery information. Because you are using a password manager you don’t need to be able to recover a forgotten password, but some sites insist on this. Never answer the security questions with the correct information, if they want your mothers maiden name put something random in there, otherwise it may be possible to have your account taken over using the password recovery process.

6. You can use this to store and auto fill other sensitive information like Name, address, credit card numbers etc. This avoids storing cards on a website, from where it may be compromised. And because it is automated just as fast as having the website store the data.

So if you have read this far you should be totally convinced and ready to start using a password manager now. Well done.


Cracking the Hacking Team

6 July 2015

The somewhat notorious Hacking Team seem to have been subject to an attack of using their own tools. This points to the use of poor passwords, and reusing password on multiple systems.

The other lesson here is to have tools looking for ex-filtration of data, at least to detect when something has gone wrong.

We should be able to learn something here…

http://www.net-security.org/secworld.php?id=18592

“Hacking Team appears to have committed two of the classic mistakes in security: Never use simple passwords and never reuse passwords. For a security company that’s this high profile, there’s no excuse for these sins. We don’t know yet how the attackers got into HT’s systems, but given the poor passwords that have been revealed in the documents, it could have been as simple as brute-forcing the passwords on a few system,” Martin McKeay, Akamai senior security advocate, commented for Help Net Security.

“The other major mistake made by HT was not noticing that 400Gb of data was leaving their systems. Extrusion detection for an organization that specializes in malware and monitoring should be one of the defenses they concentrate on, because it’s what other people would use to detect their tools. Expect your tools to be used against you is a basic warfare tenet.”

And I have now fallen into the trap of the miss use of the word “Hacking” in a negative context.


Article on IMSI Catchers and Stingrays

24 April 2015

I have been helping a proper journalist, Brady Dale, write a article on the use and abuse of Stingrays and other IMSI catchers. It turned out quite well. It is up on Motherboard.


Internet Survey

27 March 2013

You may have heard of this elsewhere. This is a Grey Hat report from a anonymous individual, that has used a botnet to survey the entire IPV4 address space and perform a port scan on every one of those IP addresses.

In summary he delivered his scanning software to 30 thousand machines that provided a telnet port (23) that accepted a logon of either root/root root/(blank) admin/admin admin/(blank) or even (blank)/(blank). There were many more of these devices, but this was sufficient to his requirement to scan the entire IPv4 range in about 3 hours.

The main implication from this is the availability of these hosts could be used for DDoS and other botnet activities. One would speculate that they may be an increase in this type of activity going forward.

http://internetcensus2012.bitbucket.org/paper.html


iPM Interview

10 July 2008

I’ve just had an interesting conversation with Chris Vallance of the BBC iPM program. We were talking about my blog post on the changes to the interception of communications. He was very thorough in going through all the aspects of the proposals. I had to make lots of “no comment” on his questions, but hopefully there is enough that he can use to make an item for the show. I’ll keep you posted.