Information Security News
This weekend's decisive defeat of Touch ID is the most poignant reminder yet of the significant limitations of using fingerprints, iris scans, and other physical characteristics to prove our identities to computing devices. As previously reported, a team of German hackers who have long criticized biometrics-based authentication bypassed the new iPhone feature less than 48 hours after its debut.
Many security researchers and writers, yours truly included, predicted that the high-definition scanner included in the iPhone 5S wouldn't be fooled by attacks using scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It's now clear we were wrong. Hacker Starbug overcame the purported ability of Touch ID to read prints at a sub-epidermal level by using a slightly higher resolution camera to generate a cloned fingerprint. The availability of a 3D printer also seemed to help.
Some critics have castigated the technique as too difficult for the average hacker. Others have argued that the hack has little significance in the real world. They cite Apple talking points that the protection of Touch ID represents a significant improvement over what many people have now, since a large percentage of iPhone users currently use no PIN at all to lock their phones. There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all. But as Rob Graham, CEO of penetration testing firm Errata Security, makes clear, Starbug's technique is easy for many people to carry out.
iPhone 5S TouchID Fingerprint System Hacked – That Was Quick
It's also pretty clear that anytime such a new popular device hits the market, the infosec and hacker communities are going to try to verify just how secure that technology is. Count on this: the next thing the community is coming for is ...
Charlatan hijacks iPhone 5S fingerprint hack contest, fools press
I came across an article today that demonstrates a compromise of the new Apple 5S fingerprint reader:
In other words, a copy of your fingerprint is your fingerprint. And as Johannes discussed in the first article on this (https://isc.sans.edu/forums/diary/In+Defense+of+Biometrics/16553/), the screen on your phone is one of the better fingerprint collectors out there!
For me, this brings up both sides of "the fingerprint discussion"
On the other hand:
There's lots of discussion about this online; I think we're still waiting on Apple to respond definitively on any of these points.
Anyway, none of these arguments are new; we've been round and round on them repeatedly over the last 10 years, since they started putting readers on laptops for login. What's changed is that there are way more phones than there are laptops, and in most cases the 4 digit unlock code on your phone is all that protects your chequing account, your Facebook, PayPal, Twitter and email accounts.
So, am I using my fingerprints yet? Not on any of my laptops, but once I upgrade my 4S to the new model, it'll be awfully tempting to take the plunge - I guess I'm still thinking about it. If Apple would implement a "fingerprint + PIN" two factor authentication solution, it'd be an easier decision.
In my line of work, there is a lot of uses for a random sting of text. Things like:
You get the picture. Strings that you need to key once, or once per instance. In most cases, these are strings that after creation, you don't necessarily need to know what they are, you just need to know how to change them.
With this list of parameters, you'd think that folks would use random characters for these functions, right? At least do the random keyboard walk for it? In my experience, this is almost NEVER the case. People try to spell things: "l3tm31n", "D0ntg0th3r3" and the like. They'll use their company name, or the street address of their organization, or some other "meaningful" string. And after using "leet-speak" passwords, they then carefully record the password and save it to a text file, usually on the server that's using the password. As a pentester, this is a win for me: I don't even need to crack the password, you just gave it away! As a system administrator, this horrifies me!
So, what to do? In the past, I've used an Excel spreadsheet to generate a random string of "n" characters, selected from a set of characters that do not include the "confusing" ones (Oo01lIiL and so on). The "randomness" was defined by how long I felt like leaning on the F9 key that day. After creating the string, I would then try to get my client to NOT write down the string - this almost never works, but it's worth a try.
For today's story, I decided to improve on this a bit, and re-coded it in python. This was a 5 minute script (as most of mine are), so if you see a way to improve or neaten this up in any way, please - don't be shy - use our comment form.
========================================= psk.py =========================================
import sys
from random import randint  # note: Python's random module is a Mersenne Twister, not a cryptographic RNG

if not (len(sys.argv) == 2):  # verify syntax
    print("Syntax: psk.py LENGTH_OF_PSK")
    sys.exit(1)  # stop here instead of carrying on with a missing argument

rndstrlen = int(sys.argv[1])  # how long is the output string? (argv[1] is the argument, argv[0] the script name)
chars = "abcedfghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"  # define the list of valid characters (confusable Oo01lIiL left out)
charlist = list(chars)  # change it to a list for lookups
numchars = len(charlist) - 1  # index of the last character; randint is inclusive at both ends
outstring = ""  # start with an empty output string
for i in range(0, rndstrlen):
    c = charlist[randint(0, numchars)]  # pick a random char from the list
    outstring += c  # append it to outstring
print(outstring)  # emit the finished string
Running this as "python psk 15" will create a 15 character pseudo-random string:
C:\> python psk.py 15
You can change the values that are permitted to be in the string (to exclude lower case values, or to add special characters) by adding or removing characters in the "chars" string. Changing the length of the string is as simple as changing the value in the command line option:
C:\> python psk.py 32
C:\> python psk.py 64
And please, in most cases there is NO reason to write down this password. Your "windows service password for whichever service" for instance should be changed periodically, but in most cases there is no reason that you should know what it is, you just need to be able to change it.
Also, if you use this to create a random pre-shared key for your site-to-site VPN, emailing it in cleartext is what we call "a bad idea". Not only is it open for theft as it transits the internet (and both internal networks), it's also stored (likely forever) in your sent mail and in the recipient's inbox, and likely in the Exchange Server message store - the whole cleartext data at rest / cleartext data in transit concept should ring a bell, especially if you've been audited for PCI lately.
As always, in these days when brute-forcing is simple, quick and cheap, bigger is in fact better. For pre-shared keys or "write only" passwords, I generally start at 32 characters and go up from there. Since you never need to re-key the thing, after it's generated you can cut/paste it and forget it.
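As an added example (not the diary's own psk.py, and not code from SANS ISC), here is the same idea done the way a practitioner would want it today: the same confusable-free alphabet, but characters drawn with the `secrets` module (backed by the operating system's CSPRNG via os.urandom) rather than `random.randint`, whose Mersenne Twister output is predictable once an attacker sees enough of it. It also carries the "bigger is better" point through: `entropy_bits` gives the strength of a string of a given length over this alphabet, and `min_length_for_bits` answers "how long does the PSK have to be to reach N bits?". It assumes Python 3.6 or newer; the function names are my own.

```python
import math
import secrets
import sys

# Same confusable-free alphabet as the diary's psk.py: no O/0, I/l/1/i, or L.
ALPHABET = "abcedfghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
CONFUSABLE = set("Oo01lIiL")  # characters the alphabet deliberately leaves out


def generate_psk(length, alphabet=ALPHABET):
    """Return `length` characters chosen uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG, so the result is fit for keys and
    write-only passwords; random.randint (Mersenne Twister) is not.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if any(ch in CONFUSABLE for ch in alphabet):
        raise ValueError("alphabet still contains confusable characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest string over this alphabet that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def is_valid_psk(candidate, alphabet=ALPHABET):
    """True if every character of `candidate` comes from the allowed alphabet."""
    return bool(candidate) and all(ch in alphabet for ch in candidate)


if __name__ == "__main__":
    # Usage: python psk_secure.py [LENGTH]   (defaults to 32, the diary's starting point)
    n = int(sys.argv[1]) if len(sys.argv) == 2 else 32
    key = generate_psk(n)
    print(key)
    print("entropy: %.1f bits" % entropy_bits(n))
```

With the 54-character alphabet each character is worth about 5.75 bits, so the diary's 32-character starting point is roughly 184 bits, and 23 characters already clear 128 bits; pass the whole alphabet you actually intend to allow to `generate_psk` if you add or drop symbols, since the entropy figures change with it.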
I hope that you find this simple bit of code useful. If you've got a simpler way of getting to the same results, or if you can improve on my quick-and-dirty python, please post to the comment field below!
Special Training for Students to Overcome India's Cyber Security Experts' Shortage
Business Wire India (press release)
Powered by expert consultants from the industry, who pool their intellect & resources to formulate a comprehensive security study material, this new-age entity provides great opportunity for students who are looking to fashion a career in the InfoSec ...
Posted by InfoSec News on Sep 23: http://medcitynews.com/2013/09/mobile-health-meets-shark-tank-gets-totally-annihilated/
Posted by InfoSec News on Sep 23: http://www.govinfosecurity.com/dhss-huge-cybersecurity-skills-shortage-a-6080
Posted by InfoSec News on Sep 23: http://www.bloomberg.com/news/2013-09-19/zte-device-called-american-spurned-after-china-spy-angst.html
Posted by InfoSec News on Sep 23: http://ca.news.yahoo.com/german-group-claims-hacked-apple-025253471.html
Posted by InfoSec News on Sep 23: http://www.informationdissemination.net/2013/09/signs-of-massive-cyber-security-incident.html
Posted by InfoSec News on Sep 23: http://www.washingtonpost.com/business/economy/security-clearance-contractor-usiss-workers-felt-pressure-to-do-more-and-faster/2013/09/20/c62c7498-2208-11e3-b73c-aab60bf735d0_story.html
Posted by InfoSec News on Sep 23: http://www.nytimes.com/2013/09/21/world/asia/hacking-us-secrets-china-pushes-for-drones.html