Stealing Fingerprints

The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we've now learned that the hackers stole fingerprint files for 5.6 million of them.

This is fundamentally different from the data thefts we regularly read about in the news, and should give us pause before we entrust our biometric data to large networked databases.

There are three basic kinds of data that can be stolen. The first, and most common, is authentication credentials. These are passwords and other information that allows someone else access into our accounts and -- usually -- our money. An example would be the 56 million credit card numbers hackers stole from Home Depot in 2014, or the 21.5 million Social Security numbers hackers stole in the OPM breach. The motivation is typically financial. The hackers want to steal money from our bank accounts, process fraudulent credit card charges in our name, or open new lines of credit or apply for tax refunds.

It's a huge illegal business, but we know how to deal with it when it happens. We detect these hacks as quickly as possible, and update our account credentials as soon as we detect an attack. (We also need to stop treating Social Security numbers as if they were secret.)

The second kind of data stolen is personal information. Examples would be the medical data stolen and exposed when Sony was hacked in 2014, or the very personal data from the infidelity website Ashley Madison stolen and published this year. In these instances, there is no real way to recover after a breach. Once the data is public, or in the hands of an adversary, it's impossible to make it private again.

This is the main consequence of the OPM data breach. Whoever stole the data -- we suspect it was the Chinese -- got copies of the security-clearance paperwork of all those government employees. This documentation includes the answers to some very personal and embarrassing questions, and now opens these employees up to blackmail and other types of coercion.

Fingerprints are another type of data entirely. They're used to identify people at crime scenes, but increasingly they're used as an authentication credential. If you have an iPhone, for example, you probably use your fingerprint to unlock your phone. This type of authentication is increasingly common, replacing a password -- something you know -- with a biometric: something you are. The problem with biometrics is that they can't be replaced. So while it's easy to update your password or get a new credit card number, you can't get a new finger.

And now, for the rest of their lives, 5.6 million US government employees need to remember that someone, somewhere, has their fingerprints. And we really don't know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies.

Of course, it's not that simple. Fingerprint readers employ various technologies to prevent being fooled by fake fingers: detecting temperature, pores, a heartbeat, and so on. But this is an arms race between attackers and defenders, and there are many ways to fool fingerprint readers. When Apple introduced its iPhone fingerprint reader, hackers figured out how to fool it within days, and have continued to fool each new generation of phone readers equally quickly.

Not every use of biometrics requires the biometric data to be stored in a central server somewhere. Apple's system, for example, only stores the data locally: on your phone. That way there's no central repository to be hacked. And many systems don't store the biometric data at all, only a mathematical function of the data that can be used for authentication but can't be used to reconstruct the actual biometric. Unfortunately, OPM stored copies of actual fingerprints.

Ashley Madison has taught us all the dangers of entrusting our intimate secrets to a company's computers and networks, because once that data is out there's no getting it back. All biometric data, whether it be fingerprints, retinal scans, voiceprints, or something else, has that same property. We should be skeptical of any attempts to store this data en masse, whether by governments or by corporations. We need our biometrics for authentication, and we can't afford to lose them to hackers.

This essay previously appeared on Motherboard.

Posted on October 2, 2015 at 6:35 AM • 64 Comments

Comments

Wes Reynolds • October 2, 2015 7:14 AM

@Bruce

"got copies the security-clearance paperwork" should be "got copies of the security-clearance paperwork"

No need to publish my comment - just a friendly edit. :-)

Tucker • October 2, 2015 7:38 AM

If you have an iPhone, for example, you probably use your fingerprint to unlock your phone.

OPM victim.

I used to use my fingerprint to unlock, but it works with other body parts, so I changed it to something the Chinese don't have. Haven't had to resort to nipples yet, if only this is a convenience trumping security decision.

I'm more concerned about border crossings that use biometrics.

I also issued a credit freeze to all the clearing houses. Looking forward to the discussion with OPM minions when they need credit access and I have to negotiate which things to unfreeze and for how long because they are run by incompetent cockups.

Bob S. • October 2, 2015 7:58 AM

Absolutely OPPOSED to biometrics:

1. Can be forced to produce biometric via cursory legal process in the USA. Elsewhere, forget about it, they will take it.

2. Criminals and governments can and will use brute physical force including mayhem and murder to get your print...or whatever.

3. Many biometrics can be hacked without any contact with adversary. For example, obtain fingerprint via photo.

4. Fingerprints especially are being pushed by government and corporations. Governments already have vast data banks of prints for ID comparison, or reconstruction if necessary to hack a device.

5. The OPM debacle, et al, proves again data will not be protected despite its value to the criminal element. There is no significant penalty for loss. Typical sanction: govt/corporation says, "We are sorry. Really really sorry". End of sanction.

JeffP • October 2, 2015 8:49 AM

I've had the government FPS and FBI background checks as a government contractor. (Previous job, civilian sector, data produced was publicly available.) What I was told in every case was to reveal arrests, "immoral" habits, etc. so an adversary couldn't use it against you. If the check came back with something you didn't reveal, you risked losing your job.

Is this somehow different than background checks involving higher clearance?

GreenSquirrel • October 2, 2015 8:50 AM

Biometrics (and to a large extent all multifactor systems) are largely pushed by vendors who are trying to create a profitable market.

Sadly they are often supported by otherwise well intentioned security professionals who forget that we really need to focus on threat based security in a cost effective, scalable world.

This means that *most* (but nowhere near all) of the time a single factor authentication solution is suitable if you implement it properly.

Too often Multifactor is pushed to compensate for lazy/cheapskate approaches to passwords rather than simply fixing the password authentication implementation.

One other thing worth considering is that often the authentication is run on the remote device and an "authenticated" string is sent back to the server in a manner which makes it trivial for attackers to replicate the "authenticated" string bypassing things like a "proof of life" check on the remote device. This goes to show that spending money on 2/3FA is pretty much wasted if you don't have the sense to implement things properly. And if you do, you discover that passwords can be pretty effective.
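The design flaw GreenSquirrel describes, modelled as an added example (not code from the original page): a device that reports a bare "authenticated" flag the server trusts, beside a challenge-response variant where the server hands out a single-use nonce and the device must MAC it with a per-device secret. The device id, key and templates are constructed values, and the per-device secret is assumed to be provisioned at enrollment.

```python
"""Constructed model of a server that trusts a device's self-reported
biometric result, next to a challenge-response design that can tell a live
check from a replayed message. All ids, keys and templates are made up."""
import hashlib
import hmac
import secrets


class NaiveServer:
    """Trusts the device's self-reported result: any captured message works again."""

    def login(self, message):
        return message.get("user") is not None and message.get("authenticated") is True


class ChallengeServer:
    """Holds a per-device secret (assumed provisioned at enrollment) and issues
    single-use nonces; a response is only valid for the nonce it was issued for."""

    def __init__(self):
        self.device_keys = {}   # device_id -> shared secret bytes
        self.pending = {}       # outstanding nonce -> device_id

    def enroll(self, device_id, key):
        self.device_keys[device_id] = key

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = device_id
        return nonce

    def login(self, device_id, nonce, tag):
        # Each nonce is consumed on first use, so a replayed (nonce, tag) pair
        # fails here even though the tag itself is still a valid MAC.
        if self.pending.pop(nonce, None) != device_id:
            return False
        key = self.device_keys.get(device_id)
        if key is None or tag is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Device:
    """Does the local biometric match, then proves it by MACing the server's nonce."""

    def __init__(self, device_id, key, enrolled_template):
        self.device_id = device_id
        self.key = key
        self.enrolled_template = enrolled_template

    def local_match(self, presented_template):
        # Stand-in for the sensor's matcher: exact comparison of toy templates.
        return hmac.compare_digest(self.enrolled_template, presented_template)

    def naive_message(self, user, presented_template):
        # The weak design: the result travels as a bare flag the server trusts.
        return {"user": user, "authenticated": self.local_match(presented_template)}

    def respond(self, nonce, presented_template):
        # The stronger design: no match, no response; a match yields a tag
        # bound to this nonce and this device's key.
        if not self.local_match(presented_template):
            return None
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


# Constructed demo values.
DEVICE_KEY = bytes(range(32))
DEVICE = Device("phone-1", DEVICE_KEY, b"template-alice")


def demo_naive_replay():
    """A once-captured 'authenticated' message logs in again with no finger present."""
    server = NaiveServer()
    captured = DEVICE.naive_message("alice", b"template-alice")
    return server.login(captured), server.login(captured)   # (True, True)


def demo_challenge_replay():
    """Same capture against the challenge server: first use accepted, replay refused."""
    server = ChallengeServer()
    server.enroll(DEVICE.device_id, DEVICE_KEY)
    nonce = server.challenge(DEVICE.device_id)
    tag = DEVICE.respond(nonce, b"template-alice")
    first = server.login(DEVICE.device_id, nonce, tag)
    replay = server.login(DEVICE.device_id, nonce, tag)
    return first, replay                                     # (True, False)
```

The server-side check is what makes the difference: in the second design the device never sends a result the server would have to take on faith, only a proof tied to a nonce the server chose and will not accept twice.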

Winter • October 2, 2015 8:51 AM

Other uses of stolen fingerprints:
1) Leave copies of stolen fingerprints on the right places to frame US operatives

2) To identify US agents by the fingerprints they leave behind

Think, fingerprints of an OPM victim on contraband to take him/her out (drugs, child porn, murder scene). Or take fingerprints from objects to identify US traveler as an agent.

Peter Rabbit • October 2, 2015 8:52 AM

When I said that DNA was an interesting form of biometric data, I meant in its sequenced digital form. Seems eminently hackable for nefarious purposes as a supplement to other personal data. This in addition to the issue of planting someone's DNA for incrimination purposes.

CallMeLateForSupper • October 2, 2015 8:52 AM

@Bruce
"...fingerprints, retinal scans, voiceprints..."

Also facial recognition data. The number and variety of entities that are interested in facial recognition are already significant ... and increasing.

TGuerrant • October 2, 2015 9:10 AM

But, hey, everybody gets two years of FREE! credit monitoring. All you have to do is key tons of your most personal data into a site OPM pays a contractor millions to run while letting the contractor immediately shunt incoming fed data to a data broker "partner" company that makes millions more selling your info to anybody at all, including criminals!

Of course, credit monitoring is so, like, uh, useful once a criminal has decided to play with your life because it, uh, keeps you from getting as wrecked if, uh, the service provider actually, uh, does anything for you because it's, uh, not actually required to stop or fix any of the damage being done to you. That's what keeps it FREE!

Especially sweet is that the credit monitoring companies who Take Data Security Seriously lose data all the time. Experian, for example, just blew two years of TMobile customer data out its ass *and* nonetheless is TMobile's choice for providing FREE! credit monitoring service to those customers it victimized.

That we already know Experian got caught selling people's personal information for months to a Vietnamese cyber criminal who claimed to be in the U.S. but paid Experian via wire transfers from Singapore of course raises no questions at all about Experian's Taking Data Security Seriously.

Ellen Tilgner • October 2, 2015 9:18 AM

When flying to the USA five or six years ago, I was shocked to discover that all foreign nationals were lined up at the airport and had their retinas scanned. They obviously couldn't refuse (unless they wanted to be put on a flight back home) and the atmosphere was not particularly conducive to questions about the storage methods and privacy safeguards of the data. Basically, it was a case of: "look here, stay still, move along." I don't know whether they still do that at airports, I guess they probably do. Anyway, there was a distinct waft of Auschwitz about it. (Godwin's Law: got there first!)

Clive Robinson • October 2, 2015 9:24 AM

@ SJ,

Even dna isn't bulletproof anymore

It has not been for a very very long time. If you go back on this blog far enough you will find I outlined how to do it in sufficient detail for an undergrad to do it. One or two readers back then very vehemently told me I did not know what I was talking about.

Quite a while later a scientist in Australia said the same thing and the deniers for some reason chose not to repeat their erroneous accusations....

So remember that quite often you hear it first on this blog, even though others don't want to have their faux golden geese outed.

CallMeVisitor • October 2, 2015 9:32 AM

Indeed Ellen, it is a shocker that all 10 fingerprints and retina of all visitors to the US are scanned by border control. Together with all your passport data. Looks like an ideal target.

It is not a question if these databases will be compromised, but when. And more scary, when will we (visitors) learn about it.

If the US government wants to make biometrics useless for authentication for US citizens, fine. But what makes them think they can do so for the many more non-US citizens?

herman • October 2, 2015 9:43 AM

The way I handle the data/ID theft problem is to use unrelated cards and IDs. For example, if I check into a hotel, I present my Canadian passport and UAE credit card, or the other way around, but I make sure the twain don't match, so that someone fishing in the hotel garbage doesn't get a complete ID theft kit.

keiner • October 2, 2015 9:44 AM

@CallMeVisitor

I would not travel to hell, why should I go to the US (any more)?

But even worse: In Germany you are forced to provide a fingerprint to get your ID card (you HAVE to have an ID card if you are over 16 years). So basically they have your fingerprint. And CSC (or call them NSA-Europe) has your fingerprint. So the US have everything, anyway.

Game is lost already....

Chris • October 2, 2015 9:55 AM

@GreenSquirrel:

I don't think 2factor is for lazy administrators when implemented right - I'd say it's done to safeguard against lazy end users!

You know, the ones that insist on a password that is the year+dogs name.

If using a TOTP, and users are properly instructed to call the second they lose it, password policies can be a bit more lax, and hopefully reduce the likelihood of them writing it down.

Going a step further, you could do something like a company phone with the app installed, and properly setup geofencing... when you log in it looks at login IP and tries to figure out if it is within a specific radius of where the phone is located.

Of course, how do you secure the phone then?! back to the fingerprint? insecure password? I guess a pin or pattern would be fine considering if it was a TOTP, there is no security if you lose it (and again back to the geofencing for added security)

That being said, I'd rather have something an enemy can steal vs something an enemy would have to kill or harm my end users to access (I put the value of a life above the value of whatever they are going to steal - if this isn't the case, why are you not on an air-gapped network!)

Anon • October 2, 2015 10:19 AM

My perception is that you're not fond of Chinese as I've seen you mentioning them a lot in your posts. In most cases you cite CIA outlets as the NYT or in this case the WSJ.

The fingerprint theft is very useful to conduct the perfect murder where both the victim and the suspect/convict can be defined.

Silky Grenade • October 2, 2015 10:37 AM

Here in London they used to have hundreds of posters around the London Underground network advertising holiday trips to Las Vegas. The slogan was "What happens in Vegas, stays in Vegas". Based on the posts above, I presume that goes for your retina scan too!

john • October 2, 2015 10:42 AM

Has OPM said that the data was only copied, but not in any way changed?

Seems to me it would be very bad if the fingerprints on file cannot now be trusted as actually being correct.

Wael • October 2, 2015 11:00 AM

@Clive Robinson,

If you go back on this blog far enough you will find I outlined how to do it in sufficient detai [...] So remember that quite often you hear it first on this blog, even though otherse don't want to have their faux golden geese outed.

You are probably referring to this post, and you talked about it back in 2005. And this is where you couldn't find the original link in 2009 where you were still talking about the golden goose :)

I thought I'd help you find the link after all these years... What will you do without me, huh?

Alonso Vandenbrook • October 2, 2015 11:09 AM

@Silky Grenade:

In the case of your retina scan, it will only remain in Vegas until it gets hacked by China or North Korea. ;-)

Clive Robinson • October 2, 2015 11:20 AM

@ Ryan,

Thus showing that Biometrics make great "UserNames" but poor "Passwords"

Err no they make bad user names/IDs as well because amongst other things they can not be changed.

I've known how to "fake fingerprints" from a very early age using the red wax from Edam cheese, rubber solution glue, and WD40 or similar as a mold release. I got the idea from just playing with the wax and when warm pressing my thumb in it. A little while later when reading a Sherlock Holmes story using wax to make fake fingers was mentioned in there. So bio-metrics have been blown since before the police started using fingerprints in the 1800's.

The same or similar can be said for most passive bio-metrics that a human can interpret. The use of microelectronics might have expanded the variety of bio-metrics via algorithms into the likes of active biometrics --gait etc-- but there is little proof they scale and remain sufficiently reliable (think both false positives and false negatives). Heck there are still questions hanging over the way we dice up and measure DNA, with the result that the billion to one and lower figures trotted out in court are not really anything other than made up numbers that sound impressive to those who don't question it...

The simple fact is bio-metrics like many forensic tests have an unsound footing and a near fatal assumption that what is measured is not faked in some way. When you include that possibility those big numbers tumble down to very small numbers indeed.

Thus bio-metrics are still, and probably will remain for some time, nothing but a curiosity of little real value to security. Thus the "something you are" should not be used as an authentication factor.

65535 • October 2, 2015 11:21 AM

The US government has totally FUBAR’d [F’d Up Beyond Any Recognition] the bio-metrics ID process.

The government knows it will have to eventually disenfranchise all individuals who have had their “bio-metrics” stolen. Bio-metrics should only be used for high level personnel.

In the current situation, the government will certainly want more Bio-metric ID’s from current citizens – let alone all foreigners entering this country. The bio-metric data will be stolen from some weak end-point and sold on the open market.

The loophole will be for prior government employees who are too old to fingerprint [this clause is probably in some corner of the government rules].

Next, the NSA and CIA will catalog every individual entering Disney Land or the like. This will end badly.

Disgusting.

Clive Robinson • October 2, 2015 11:33 AM

@ Wael,

I thought I'd help you find the link after all these years... What will you do without me, huh?

Good question :-)

I tell you what though if I ever need a character witness in your neck of the woods, you'd make it to the short list ;-)

Jacob • October 2, 2015 12:14 PM

Israel is running a pilot for creating a biometric database (high res face pic + fingerprints) of all the country's citizens. There has been much heated debate about the safety of such database and the risk of nefarious usage of the stored data.
It is worth noting that although the government claims that the database would be 100% safe, they exclude all national security personnel from participating in the program.

Prof. Adi Shamir proposed a system that would safely guard such a biometric database, by fuzzing the relationship between a person and his fingerprint - but still provides the stated biometric database ID goals:

1. Randomly divide the population into small groups of e.g. 100 persons each.
2. The fingerprints will also be divided into the same size groups
3. The biometric store will only contain the (encrypted) relationship between a specific person group to the appropriate fingerprint group. So instead of one-to-one relationship, we will have few-to-few relationship.
4. Even if the biometric database will be compromised (by external adversary or by the database custodians), and the encryption of the group relationship cracked, the most information that can be gained is that a specific fingerprint is related to one out of 100 persons.
5. This proposal substantially reduces the harm incurred by a specific person if the database is compromised: for example,
a. If someone plants a person's fingerprint in a crime scene, there is a 99% chance to incriminate someone else. Also, an attempt to plant 10 fingerprints from the same group will indicate a compromise of the database since you must own the database in order to know the full content of a fingerprint group.
b. Using a FP to access a protected system will give you only 1% chance of success, and if you are locked out after a few failed attempts, you are out.
c. Most probably, criminals will not use the database due to the low success rate and the danger of being caught due to failed attempts.

Also, the government is protected from a person trying to falsify his identity:
Let's say that Mike appears before a gov agent and claims that he is John. Mike's fingerprints are taken and matched to a group of 100 persons. The chance that John is also in the same group as Mike is very small (tens of thousands of groups in a large population). Note that other physical attributes such as sex, height, eye color etc can help here. So basically, you can not claim to be someone else.

In the case of the OPM hack, had the custodians used the Shamir proposal, both criminal use of a person's fingerprint and the positive ID of US overseas operatives (since all US Gov employees would be included in this safe database) would be avoided.
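A toy simulation of the grouped store Jacob attributes to Shamir, added here as an example and not part of the original comment or of any published scheme: a constructed population is randomly split into groups of 100, each person group is linked to a shuffled set of the same people's fingerprint templates, and the functions show what a thief of the store learns, how an identity claim is checked, and how a cluster of prints from one group at a scene betrays a compromised store. The encryption of the group link is deliberately omitted so the model represents the post-compromise state in step 4, where that encryption is already cracked; the person ids and templates are made-up strings.

```python
"""Toy model of the grouped biometric store described in the comment above.
Constructed data: person ids and 'fingerprint templates' are synthetic strings.
The encryption of the group link is left out on purpose, so the store is shown
in the state step 4 of the proposal argues about: already in an attacker's hands
with the encryption cracked."""
import random

GROUP_SIZE = 100


def random_groups(items, group_size, rng):
    """Randomly partition items into consecutive groups of group_size (step 1)."""
    items = list(items)
    rng.shuffle(items)
    return [items[i:i + group_size] for i in range(0, len(items), group_size)]


def build_store(enrolled, group_size=GROUP_SIZE, seed=0):
    """enrolled: {person_id: fingerprint_template}. Returns the group store.

    Each record links a *set* of persons to a *set* of fingerprints (steps 2-3);
    the fingerprints are shuffled so their position does not betray their owner.
    """
    rng = random.Random(seed)
    store = []
    for gid, members in enumerate(random_groups(enrolled, group_size, rng)):
        prints = [enrolled[p] for p in members]
        rng.shuffle(prints)
        store.append({"group": gid,
                      "persons": frozenset(members),
                      "prints": frozenset(prints)})
    return store


def group_of_print(store, template):
    """Return the record whose fingerprint set contains this template, else None."""
    for rec in store:
        if template in rec["prints"]:
            return rec
    return None


def candidates_for_print(store, template):
    """What a thief of the store learns (step 4): the print belongs to one of these."""
    rec = group_of_print(store, template)
    return rec["persons"] if rec else frozenset()


def verify_claim(store, claimed_id, presented_template):
    """Agent-side check: does the presented print fall in the group linked to the
    claimed identity? Mike presenting his own print as 'John' is refused unless
    John happens to share Mike's group (about 1 in 100 here)."""
    rec = group_of_print(store, presented_template)
    return rec is not None and claimed_id in rec["persons"]


def suspicious_scene(store, scene_templates, threshold=10):
    """Step 5a: many prints from one group at a single scene imply that whoever
    planted them holds the store, since nothing else reveals a group's contents."""
    counts = {}
    for t in scene_templates:
        rec = group_of_print(store, t)
        if rec:
            counts[rec["group"]] = counts.get(rec["group"], 0) + 1
    return any(n >= threshold for n in counts.values())


# Constructed population: 10,000 people, one synthetic template each.
ENROLLED = {f"person-{i:05d}": f"fp-{i:05d}" for i in range(10_000)}
STORE = build_store(ENROLLED)


def accepting_identities(store, template):
    """How many enrolled identities a stolen print can be passed off as (step 5b)."""
    return sum(verify_claim(store, p, template) for p in ENROLLED)
```

With 10,000 people and groups of 100, a stolen print narrows its owner to exactly 100 candidates, and a claimant using it succeeds for only those 100 of the 10,000 identities, which is the 1% figure in step 5b.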

d33t • October 2, 2015 12:31 PM

How much longer will we have to wait for upgrades to probable cause in the US and the rest of the justice systems out there? If your most personal information, gathered essentially through coercion (so you can get or keep your job, or house, credit cards, utilities, travel etc), is constantly at risk in some db, completely insecure, ready for the grabbing by anyone who takes the time to grab it, why should any of this info be allowed to be used as evidence for or against you in an investigation and especially in court?

Credit bureaus may soon be obsolete. Every time I've checked myself out, the data tends to be pretty off. In fact they seem to not know where or who I am most of the time. I doubt they will get better now. True, reporting is more rapid than ever, but that may not be a good thing. Accuracy and data integrity / security are probably more profitable than speed of access in the long run.

I guess it's only a matter of time before a long series of mammoth medical record thefts? Now with the fast and furious suppression of the US Constitution, I wonder if the metadata associated with medical records is covered as "private" still under the newly enhanced surveillance laws (and their numerous interpretations)? Medical metadata is transmitted by phone, email and text regularly using SSL (if you're lucky). Sometimes to and from outside the US.

I wonder how much medical metadata is stored by NSA indefinitely for future use? I bet by law, it is still considered as "private" and constitutionally protected. I'm sure this kind of data is carefully filtered out of bulk collected surveillance blobs and never stored, which is difficult to do without reading everything prior to searching metadata for "clues". I doubt machines are very good at differentiating medical metadata from good old regular unprotected metadata.

Let alone all of the content.

Gweihir • October 2, 2015 12:56 PM

From my experience, IT security is almost everywhere really pathetic and corporations that did not have their customer base and all associated information stolen just were lucky because nobody competent tried to steal it.

And then there will be the large amount of data that was stolen by a bit more than average competent hackers and the target never noticed.

My (purely intuition-based) numbers are as follows:

5%: Data stolen, target noticed, public informed.
20%: Data stolen, target noticed, kept silent.
75%: Data stolen, target never noticed.

These may admittedly be overly positive numbers.

That, incidentally, means that biometrics is dead or at least as good as. It _will_ get stolen and the only effective way to defeat forgers is to have a competent human make the measurement. That is of course impossible almost everywhere due to cost.

Somebody • October 2, 2015 1:14 PM

This discussion, including Bruce's article, is very disappointing.

Biometrics are not and have never been secret. We walk around shedding fingerprints and DNA, exposing our faces and gaits and retinas to anyone who cares to look. Having them exposed in a database does not make things (much) worse. Any security system that does not assume biometrics are public information, already known by all adversaries, should be rejected on those grounds alone. People who think biometrics are secret in any way should be forced to walk around with bags over their heads.

If biometrics are useful at all they must be hard to reproduce in the context of whatever is verifying the biometric. That is where biometric systems have a slim chance at success.

Daniel • October 2, 2015 1:58 PM

Let me tell everyone a little story...

My state has a law that allows for the centralization of medical records in a database. The purpose of this is so that doctors do not have to transfer records between themselves when a new patient shows up on their doorsteps, they merely query the database. However, there is a provision in the law that allows people to "opt out" of this process.

So I opted out.

LOL.

First, I got a rather remarkable letter from the head of the state agency responsible for the database informing me that I was making a terrible mistake, that my data was safe and secure, and practically begging me to opt back in again.

Second, it has been an absolute nightmare. It turns out that all the administrative assistants at the various medical providers I see know all about this law and they are not happy when someone opts out because it makes their lives more difficult. Essentially, the nurses have decided that the punishment for me opting out is to monkeywrench me. So now the only way for me to get records from one doctors office to another is to go to one office, request the documents, drive them to the next office, and submit them to the new professional. Because the database now exists, the nurses refuse to go back to "bad old days" that actually required them to work.

So the moral of this story is that there are hidden transaction costs to opting out of big data that are imposed by third parties. I may have the right to opt out but the cost of privacy has been a large increase in inconvenience.

albert • October 2, 2015 2:00 PM

@Bruce,
"...should give us pause before we entrust our biometric data to large networked databases..."

And how many femtoseconds would that pause be? Aren't ALL government/corporate systems 'large networked databases'?

The Federal Government should start helping victims of identity theft instead of chasing bogeymen, AND institute security standards for corporations(as a requirement for doing business) and gov't entities. Maybe then it could recover some credibility.

. .. . .. _ _ _

GS • October 2, 2015 2:14 PM

I wonder how many of the people whose fingerprints were stolen are decision-makers on the US-VISIT program. Tragic irony? Or poetic justice?

tyr • October 2, 2015 2:47 PM

Here's a little story from history about benign databases. France had the police keep a neat ledger of privately held firearms in the local police departments. Perfectly sensible; that way they were saved the tedious work of tracking them in investigations.

1940: sitzkrieg turns into Blitzkrieg. As German forces swept into France the first stop was the police department. With those records in hand a squad of soldiers knocked on the door of every address on the list and demanded the weapon. So the benign database turned into instant disarmament of anyone who might object to being invaded. It cost the Allies millions to re-arm the Resistance.

Now let's suppose for a moment that you have a list for some benign purpose that winds up in the hands of people who have decided you are the problem that needs to be solved. Say for example diabetics who clog the healthcare system with expensive treatments for their condition. It is too easy to find them and round them up and exterminate them with the ubiquity of modern benign nosiness about everything. If the so-called enlightened have done it in the recent past, how can you keep the truly horrible regimes that exist right now from exploiting the same tech to massacre their imagined enemies? That's what Tor is all about. It is also why Jake is always banging on about anonymity being important for sheer survival in a hostile world. If you don't want to live in a worldwide repressive superstate with no place to hide from the mad ideology of the week, stop building it.

The only thing that stays in Vegas is your money...: ^ )

tyco bass • October 2, 2015 2:48 PM

@ Jane

"disaster waiting to happen for innocent people"

The presumption behind all this is, There are no innocent people.

Tony H. • October 2, 2015 7:49 PM

@CallMeVisitor

"Indeed Ellen, it is a shocker that all 10 fingerprints and retina of all visitors to the US are scanned by border control. Together with all your passport data. Looks like an ideal target."

Not all visitors: Canadians are still exempt. For now. However to get a Nexus card you have to have a full 10 fingerprint set taken by US border officers, and a retina scan taken by Canadian ones. Of course there's no chance they'd ever share that information with each other...

Coyne Tibbets • October 2, 2015 11:26 PM

I think it would be educational--and amusing--if fingerprints of the various DOJ leaders started turning up at hundreds of crime scenes throughout the country.

chris l • October 2, 2015 11:27 PM

@john: No, OPM hasn't said anything about whether the data they have were altered. Given their apparent level of IT security, they may have no way of knowing short of discovering that a lot of people up for clearance renewal are submitting data that don't match their previous entries.

Ian • October 3, 2015 3:47 AM

This is why I don't allow my medical records to be stored digitally in an online-accessible fashion and refuse to use biometric devices. I run two Golden Rules with data (including and especially executables):

1) LEAST PRIVILEGES - as far as possible, only permit access to data, memory, disk space or CPU resources at the minimum required for the carrying out of a specific task. Of course, that leaves a lot of trust to the operating system, the company you're dealing with, and so on.

2) DO NOT STORE DATA ONLINE WHICH CANNOT BE DEPRECATED (or in a form accessible online) - copies of public information are OK, as are (perhaps) non-sensitive data. Passwords sit in the middle, as they are changeable; but it comes down to whether and how quickly a breach is detectable. But medical data and biometrics are by their nature not changeable. Once stolen, that's it: You cannot make the data useless like you can by changing a password.

Also, though I get the idea, biometrics is still a "what-someone-has" rather than strictly a "who-you-are" as there has to be authentication. I may have my thumbprint, but data about my thumbprint has to exist somewhere in some form to be compared and my thumbprint converted to data at every use. That's still data, and is still as vulnerable as any data may be.

My heart goes out to those whose irreversible data is stolen. That's a potential lifetime of worries.

Justin • October 3, 2015 10:42 AM

"We also need to stop treating Social Security numbers as if they were secret."

Good luck with that. I can't even stop hackers from getting into my account here. You'd think if the government could track who's downloading CP and bomb-making instructions on TOR and ordering drugs from Silk Road, they could figure out who else is logging in to my Social Security account and resetting all my "security" questions and answers, but no it doesn't work that way. My personal data is too low on the priority list.

Same story with my account here. The postal service allows other people with access to my email to misdirect my snail mail.

How do you secure a gmail account? Do you get a domain name at godaddy and set up your own email server? The government doesn't like it when people do that, and besides you need a gmail account to set up your domain name anyways. I don't have a high-assurance computer with a high-assurance operating system and a high-assurance browser to browse to all these sites and manage all these accounts. Consequently I have no choice but to access these services from a spyware-ridden computer.

Where's Nick P's expertise when we need him? Or is this high-assurance stuff all a bunch of hot air?

Hans • October 3, 2015 11:11 AM

And to think, this same government wanted to keep split keys or other backdoor keys to our encryption. I can hear it now "Oops! Someone has hacked our key store. Sorry!"

Nick P • October 3, 2015 11:45 AM

@ Justin

Find a friend with a CD burner. Download a Linux Live CD. Linux Mint or Ubuntu will be fine. Burn it. Run it on your machine. Set all that up with the results written on paper. Use the LiveCD any time you access something critical. Seems to work even without high assurance. If you're on SS, you surely couldn't afford such solutions at current rates. One of the reasons I push it in [F]OSS is that massive labor investment will bring the cost down of any given solution via reusable components.

Far as your computer, I recommend you get it to a clean state. Read online reviews of backup software to find which you think is good and will be easiest to use. Most important feature it needs is a recovery or boot CD that lets you load up the backup program directly without booting your [corrupted] Windows install. Might need to order a physical copy or just download the purchase on same friend's PC onto another CD. You should be able to back up critical files [1] to an external HD *using the LiveCD*. Never plug this into anything but a LiveCD: get another drive if you want one for that convenience. Download your drivers off your manufacturer's website and store them too. Then, reinstall Windows, then your drivers, your backup software, and then your security suite if you have hard copy. Back that system up, preferably w/ recovery CD to test it. Delete a bunch of shit off that system, then do a restore to test the software.

If it works, proceed to do Windows/Microsoft updates until they're done. Open IE, go to DuckDuckGo.com, and type "Chrome/Firefox Web Browser." Watch URLs carefully to make sure they say google or mozilla rather than adware BS. Install one of them. If Firefox, go to Add-ons to get Adblock and NoScript. If you can't handle NS, then try Flashblock instead. For either, use Google to get HTTPS Everywhere from EFF site. Get Foxit Reader with Javascript blocking for PDFs and VLC for media. Install any apps you have local copies for that you think are critical. Now, run updates on absolutely everything. Now do a full backup with your recovery CD, disconnect the drive afterward, optionally test/restore that as before, and you're good to go.

This arduous process is what's needed to *begin* to be ready for malware on Windows. From there, there's whitelisting software like Bit9, HIPS like DefenseWall, sandboxes like SandboxIE, hardening guides, and so on. They can reduce risk but Windows boxes usually get smashed anyway. So, strong backup/recovery procedure that you've tested with files isolated from corrupt host is best strategy. You know it will be hit, so get ready to recover. Use differential or incremental backups from there to periodically backup your system. Those are quicker/smaller.

Alternatively, if you tire of this, you can just install a usable Linux w/ Firefox-NS or Chrome on your system. You lose Windows-only apps and sometimes have to Google how to deal with an issue. Usually step-by-step instructions out there on reputable sites. Those issues are few on one like Mint or Ubuntu. Still good to backup at least the data files. Malware is rarely an issue on these as they target Windows mostly.

Hope one of these routes helps. :)

[1] Note: There is a possibility that one or more of the files on your backup have the initial malware. You'll know when you open it. ;) Anyway, you might get lucky with an AV update finding it later on. If infection comes back, you're ready for that scenario.

Figureitout • October 3, 2015 12:13 PM

Justin
--Addendum to Nick P's advice (which is pretty much what I do too, No Script and Adblock is so nice), also Sandboxie is nice, some funkiness can happen and I freeload but would pay if I could.... I would say if you can afford it or find a windows key, wipe the sh*t outta that drive w/ DBAN then encrypt w/ truecrypt then wipe again and then reinstall and get your drivers not on your home network (may have to reflash your router), actually using the Ultimate Boot CD ( http://www.ultimatebootcd.com/ ), go to "HDD" go to use some of the disk info tools to see how much memory it reads (if you bought a disk that was 200 or 500 GB and it only reads 80, then that's a red flag, you generally lose a few GB), then use something like Disk Spy and look again for obvious signs of malware. Then check if the HDD's been locked w/ an ATA tool (depends on manufacturer), if it's been locked and you didn't do it...that's when I yank that HDD and relegate it to encrypted back up storage I don't really care about.

If same malware symptoms reappear after changing HDD then I would...yeesh, get a cheap RasPi. I don't know, you're owned at that point. Some asshole has it out for you.

On Windows, f*cking so much you have to do since they by default leave you vulnerable as hell, there's some hardening guides out there as what I normally do escapes me right now (I *hate* doing it). I don't like having huge passwords if I have to type it in every day multiple times. But make sure you use a USER account, set auto run off for everything. Require a password for any new install. Set a password for BIOS. Programs like bleachbit, CCleaner, notepad++, and 7zip are nice.

On Gmail, set a password that's 50+ chars and I would say not the max 64, but 63 or 62 in case a PW cracking program expects that. Copy that into USB drive, encrypted or not. Login via liveCD, while not connected to internet, copy the PW (remember your username), close and pull out USB, login then open up text editor and type a bunch of garbage, select all, copy, then paste 5-10 times then select all and copy again. Set up 2FA and check where logins are coming from. That's basically the gist, anything else is probably a worthless waste of time that'll be sidestepped anyway, so encrypt and/or compress anything you care about before putting it in Gmail.

Leo • October 3, 2015 12:30 PM

Considering the impossibility of replacing your biometric data after it has been stolen once, and the impossibility of checking whether any tool, service or authority stores the biometric data itself or a hash, this data should *never* be used as an authorization value.
These are concepts any kid should learn in basic education; it will probably be a preference for leading a life in our digital world, run by CS.
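
The point about not being able to tell whether a service keeps the raw template or "just a hash" has a technical root: a hash can only confirm an exact match, and no two scans of the same finger are exactly alike. The following Python script is an added example (not code from this post or from the blog) that makes this concrete with a constructed toy template of 64 feature values; the noise level, threshold and PBKDF2 parameters are assumptions chosen for illustration, not figures from the page.

```python
import hashlib
import hmac
import os
import random

# Constructed toy data: a "template" is 64 feature values in 0..255. Real
# fingerprint templates are minutiae sets, but the property that matters here,
# that every live scan differs slightly from the enrolled one, is the same.
TEMPLATE_LEN = 64


def make_template(seed: int) -> list[int]:
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(TEMPLATE_LEN)]


def noisy_reading(template: list[int], max_noise: int = 3, seed: int = 1) -> list[int]:
    """Simulate a fresh scan of the same finger: each feature shifts by up to max_noise."""
    rng = random.Random(seed)
    return [min(255, max(0, v + rng.randint(-max_noise, max_noise))) for v in template]


def digest(values: list[int]) -> str:
    return hashlib.sha256(bytes(values)).hexdigest()


def hash_only_verify(stored_digest: str, reading: list[int]) -> bool:
    """What a 'we only store a hash' design would have to do: exact digest equality.
    Any sensor noise at all makes the genuine owner fail this check."""
    return hmac.compare_digest(stored_digest, digest(reading))


def template_verify(stored_template: list[int], reading: list[int], threshold: float = 4.0) -> bool:
    """What real matchers do: a distance score against the stored template (assumed
    mean absolute distance here). This design forces the template itself to be kept."""
    distance = sum(abs(a - b) for a, b in zip(stored_template, reading)) / len(stored_template)
    return distance <= threshold


def password_record(password: str) -> tuple[bytes, bytes]:
    """Passwords are exact secrets, so a salted slow hash is enough to verify them."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_verify(salt: bytes, stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 200_000))


def demo() -> dict[str, bool]:
    enrolled = make_template(seed=42)
    live = noisy_reading(enrolled)
    salt, pw_hash = password_record("correct horse battery")
    return {
        "biometric_hash_only_accepts_owner": hash_only_verify(digest(enrolled), live),
        "biometric_template_accepts_owner": template_verify(enrolled, live),
        "biometric_template_rejects_stranger": template_verify(enrolled, make_template(seed=7)),
        "password_hash_accepts_exact": password_verify(salt, pw_hash, "correct horse battery"),
        "password_hash_rejects_near_miss": password_verify(salt, pw_hash, "correct horse batterz"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hash-only check rejects the legitimate owner on every scan, so a working system has to hold something the matcher can compare against, which is exactly what the breach exposes. Constructions such as fuzzy extractors and cancelable biometrics exist in the research literature to narrow this gap, but from the outside a user has no way to confirm that a given service uses one, which is the commenter's point.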

Justin • October 3, 2015 2:48 PM

@ Nick P

"Find a friend with a CD burner."

I have a CD burner. I just need a friend with a CD reader to verify the hash. Unless you think other stuff (and metadata whatnot that can hold malware outside the ISO image) gets written to the CD.

"Far as your computer, I recommend you get it to a clean state."

That would be nice. First I would need a physically secure place to lock it up when I am not present, though.

"If it works, proceed to do Windows/Microsoft updates until they're done."

I don't do Microsoft.

"Alternatively, if you tire of this, you can just install a usable Linux w/ Firefox-NS or Chrome on your system"

That's what I do. I've long since tired of Windows.

@Figureitout

"If same malware symptoms reappear after changing HDD then I would...yeesh, get a cheap RasPi. I don't know, you're owned at that point. Some asshole has it out for you."

No malware symptoms per se. Just sometimes different windows are open on my desktop or my phone when I get back to it. And lots of people know too much information about me that they have no business knowing, and would not know if they had minded their own business. The computer is just a minor aspect of it. I can't say or write anything online or offline without people on the street pestering me about it.

@Leo

How do these people deal with biometric data that spews itself onto computer systems all over the world and in the hands of the mob?

BoppingAround • October 3, 2015 4:13 PM

[re: Foxit reader] Nick P,
Do consider the alternatives. For example, SumatraPDF.

I recall Foxit engaging in a number of dodgy actions, namely bundling adware/spyware with the installer and sending telemetry data even if you've opted out.

Nick P • October 3, 2015 5:53 PM

@ Justin

"I have a CD burner. I just need a friend with a CD reader to verify the hash. Unless you think other stuff (and metadata whatnot that can hold malware outside the ISO image) gets written to the CD."

That was my concern. I don't know current capabilities of Windows malware when it comes to spreading over CD or whatever. So, I defaulted to someone else's PC that at least didn't have your malware.

"That would be nice. First I would need a physically secure place to lock it up when I am not present, though."

Nah, just a good hiding place. Anything someone won't search or take. A compartment in an old couch and desk is one option. Another is that spot near the kitchen sink/cabinets, between the cabinet and the floor. Usually invisible space there you can tape a bag to or whatever. The Big Book of Hiding Places had that plus other interesting ideas. :)

"I don't do Microsoft."
"Just sometimes different windows are open on my desktop or my phone when I get back to it."

Well, that's different. Odds are a rare malware, targeted attack, or physical access. Cheap, black-and-white, hidden camera and/or tamper-evidence marks on computer is best to detect physical part. Cheapest route is a plastic cover that keeps dust out while putting tamper-evident part in that, where removing the cover the wrong way gives it away. Even garbage bags can help. If you detect something, then it's camera time to ID the perp.

If you think it's just software, then you can use LiveCD or LiveUSB strategy. The main, persistent system should use full disk encryption. Use something like TAILS LiveCD for anything truly private. Avoid wifi & double check router security if possible. Change default password/key at the least. Make sure any new passwords aren't variations on something you did before. Far as password questions, a common attack vector, just give it some gibberish combination of words and write that with the question itself down on paper to hide somewhere. These two help in general but especially if someone's been paying extra attention.

@ BoppingAround

See, that's the problem with being on Linux so long. ;) Yeah, Sumatra is another alternative. However, he just told us he was on Linux so it's less of an issue at this point. Thanks for the tip on Foxit, though.

GreenSquirrel • October 3, 2015 8:01 PM

@Chris

"I don't think 2factor is for lazy administrators when implemented right - I'd say it's done to safeguard against lazy end users!"

While I sort of agree, the issue is "implemented right." If you implement a single factor authentication system correctly it can be just as effective and considerably cheaper than messing about with phones, apps etc. (All of which add to the system admin burden).

The problem is few people implement password systems properly - which is a trivial task - so I have my doubts around how many would implement 2FA properly.

You know, the ones that insist on a password that is the year + dog's name.

This isn't intrinsically bad. The problem is admins who configure a system which either allows a brute force attack or exposes the shadow password file via SQLi (etc) (or both).

The number of "easy to guess" passwords is actually quite large and often requires an element of targeting by the attackers to fine tune.

If a password system blocks an account after five failed log-on attempts, the attacker has to be very, very accurate to have any hope. The problem is balancing this off user-experience, but very few people will remember their password on the 34th try rather than ring the helpdesk.
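
To make the "five failed attempts" trade-off tangible, here is an added Python example (not code from the comment or the blog) of a per-account lockout wrapped around an arbitrary credential check, plus the arithmetic for how little an online guesser gets through it. The 15-minute lockout duration, the `verify(user, password)` interface and the injected clock are assumptions for the demonstration; only the threshold of five comes from the comment.

```python
from dataclasses import dataclass
from typing import Callable, Dict

MAX_FAILURES = 5            # threshold used in the comment above
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration; not specified on the page


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Wraps a credential check with a per-account failed-attempt counter.

    `verify(user, password) -> bool` is the real credential check (assumed
    interface); `clock()` returns the current time in seconds so the lockout
    can be exercised without waiting.
    """

    def __init__(self, verify: Callable[[str, str], bool], clock: Callable[[], float]):
        self._verify = verify
        self._clock = clock
        self._state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            # A locked account rejects everything, including the right password,
            # so a correct guess during lockout leaks nothing to the attacker.
            return "locked"
        if self._verify(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


class FakeClock:
    """Deterministic clock for the demo and tests."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def online_guess_success(list_size: int, lockout_windows: int) -> float:
    """Probability that an online guesser whose candidate list contains the password
    (uniformly) hits it within `lockout_windows` windows of MAX_FAILURES tries each."""
    tried = min(list_size, MAX_FAILURES * lockout_windows)
    return tried / list_size


def demo() -> list[str]:
    clock = FakeClock()
    # Constructed credential store: one user, one password.
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct horse"), clock)
    results = [guard.attempt("alice", f"wrong{i}") for i in range(5)]
    results.append(guard.attempt("alice", "correct horse"))   # right password, but locked
    clock.advance(LOCKOUT_SECONDS)
    results.append(guard.attempt("alice", "correct horse"))   # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
    print(f"5 tries against a 10,000-word list: {online_guess_success(10_000, 1):.4%}")
```

With five tries per window, a guesser working from a 10,000-entry list has a 0.05% chance per lockout period even when the password is on the list, which is the "very, very accurate" the comment refers to. The usual practitioner caveat is that locking by username lets an attacker deliberately lock legitimate users out, so deployments typically pair it with throttling by source address or escalating delays rather than a hard lock alone.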

Figureitout • October 3, 2015 9:09 PM

Justin
No malware symptoms per se. Just sometimes different windows are open on my desktop
--Those are malware symptoms (but still *could* be legitimate hardware issues as well, I suspect one lockup of mine to be due to all the capacitors around the CPU (they're "bleeding" and I need to replace them and get that computer back online but I'm being a lazy f*ck b/c I'm too stressed now) but that's a guess and I can't explain it technically as I didn't investigate much, the screen had red lines and half of it was black, it was just unlike all other lockups).

Latest attacks for me was something closed down all my browsers and all open programs on school PCs thru their network. I was doing homework. I pull the ethernet plug and do a cold shutdown/reboot (b/c I want the school to get alerted and track down the offender, I'd be glad to hear from them if it triggered some kind of alarm) and it stopped. Previous worse attacks in the school lab was some kind of remote shutdown of the PC, multiple times then stopped, as if by human control...Heightened paranoia sure does aid the academic learning process...not.

Other was the other day, my liveCD internet PC (this one) shutdown but had the CDROM still closed (it opens on every shutdown) indicating some serious error (I've left it on for a pretty long time, around 2 weeks or so) or a physical intruder again closing it. Best advice from me is to ignore and rise above their level, and to be prepared to kill them if they physically attack.

I can't say or write anything online or offline without people on the street pestering me about it.
--You'd have to describe more of what you're experiencing to make a judgment call on that. Based off my personal research into national security investigations (I have no further curiosity or interest there...), they do in fact taunt targets (so this is again what you should be watching out for in HDD inspection, sloppiness (sometimes the "sloppiness" can be due to defensive measures (pulling plugs randomly)) due to poor execution/experience and if you got the skills/knowledge, from other dumped ROMs of other chips and quickly check it w/ comparing programs if you manage to get a "clean" copy of file) and there's Snowden documents to put it in writing for those that've never experienced it.

Nick P
If you detect something, then it's camera time to ID the perp.
--Unless the perp already has your house under surveillance and reliable way to extract info then you'll be giving up your traps. Also making sure info isn't tampered is huge concern and how much of it do you keep for how long b/c attacks don't happen when you want them to etc... A lot of personal security should be done out in pseudo random places w/ pencil/paper where there'd be much more work to capture reliable data.

Justin • October 3, 2015 9:25 PM

@ Figureitout

"they do in fact taunt targets"

They do things like spike your coffee and try to goad you into doing or saying something for which they can trump up some kind of criminal charge.

Figureitout • October 3, 2015 9:40 PM

Justin
--Actually it'd be better to simply unscrew the cap around sink faucets and stick a little poison up it in, such an easy place for doing such a thing...

Nick P RE: secret spaces
--Ah forgot one I found in my car lol. The arm handles above your head, in honda accords have a little secret compartment that just covers up a screw, it's weird lol. But few would think that it opens but it's definitely made to be opened...

Justin • October 3, 2015 10:31 PM

@Figureitout

"--Actually it'd be better to simply unscrew the cap around sink faucets and stick a little poison up it in, such an easy place for doing such a thing..."

They actually did that to a young woman on 4chan a few years ago. I forget her name, but they called it "snowballing." They were posting about it in ASCII code. I'm sure the post is long since deleted. They cover up things like that on 4chan.

Clive Robinson • October 4, 2015 1:41 AM

@ Nick P,

The Big Book of Hiding Places had that plus other interesting ideas. :)

Hmm, you usually reference your source material... So what's special about this one ;-)

Nathan • October 4, 2015 3:07 AM

I kinda see where this might be headed...
'we need biometrics which (unlike a finger) can be replaced.'
Some kind of unique chip implant, which, like a fingerprint, is unique, but which could be swapped if that identity was compromised.
I really hope we don't get to that though, because I find that idea quite objectionable!

Cythral • October 4, 2015 3:36 AM

First off, I'd like to say I love how someone's blog on security uses the worst captcha system I've ever seen in my life.

Secondly, we need to invent something that uses something along the lines of automorphism, if that's even possible. That would solve all our problems.

Petsku • October 4, 2015 9:16 AM

Ha! The notion: Biometrics cannot be changed is wrong. Some can be easily changed. All I need to do is to look at my thumb I use constantly to open my iPhone. It is not the thumb I was born with as I managed to cut it when I was 6.

Andrew • October 4, 2015 10:32 AM

Fingerprints will soon be obsolete; they are moving fast to face recognition.
Every secure system must include two types of authentication, physical recognition AND password.
While the first one ensures identification, the second one ensures the user's will to log in to the system and cannot be replaced with anything else.
Maybe password memorization techniques should be taught in school instead of tons of useless stuff...

Nick P • October 4, 2015 12:03 PM

@ Clive Robinson

"Hmm, you usually reference your source material... So what's special about this one ;-)"

A habit for my former, trade secrets. Can't make it too easy on the web crawlers. ;)

Justin • October 4, 2015 1:39 PM

@Figureitout

"--Actually it'd be better to simply unscrew the cap around sink faucets and stick a little poison up it in, such an easy place for doing such a thing..."

On second thought, I'd say it's just crud.

Figureitout • October 4, 2015 5:10 PM

Justin
--Ha, mine was similar, the slime just wiped off. Hard-water drinkers unite (apparently better for your heart except I'm at risk of kidney stones, and that's one of the worst things to happen to a guy lol).

SJ • October 6, 2015 8:08 AM

@tyr

"1940 sitzkrieg turns into Blitzkrieg. As German forces swept into France the first stop was the police department. With those records in hand a squad of soldiers knocked on the door of every address on the list and demanded the weapon. So the benign database turned into instant disarmament of anyone who might object to being invaded. It cost the Allies millions to re-arm the Resistance."

I usually see that story from a gun-nut, with a punch line of "registration enables confiscation!"

You have the better analysis, I think. Though you've ended with a similar conclusion.

Databases/registries can become target lists.

Especially if a sudden change in government attitude, or a sweeping change in social norms, turns ordinary behavior into verboten behavior.

Imagine if smokers, or diabetics, or people who need regular dialysis, suddenly became the target of a sweeping social push.

Or imagine that people who donated to support a political cause became the targets of social blackmail.

Or imagine that people who use encryption regularly become targets of government action, because "they have something to hide."

ianf • October 7, 2015 12:06 PM

@ tyr

I'm not debating biometric databases per se, but need to point out that your examples, though illuminative, are misleading. You wrote (boiled down):

“[…] let's suppose that a benign list winds up in the hands of people who decide you are the problem that needs to be solved… e.g. diabetics that clog the healthcare system with expensive treatments. It is too easy to find them and round them up and exterminate them”

It needs to be pointed out that the Nazis managed that rounding up on a large scale without IT. Just as did the Soviets with wholesale deportations of both specific "classes" of potential "enemies of the proletariat," and of merely everybody of a targeted ethnicity or standing in their native regions (e.g. Crimea Tatars; "thinning out" of the population of just annexed Polish borderlands post USSR's 1939 invasion). So these were the consequences of despotic governments' policies, not of data mining.


[…] “As Germans sweep into France in 1940 they first stop at local police stations. With records of gun owners in hand soldiers visit every address on the list and confiscate the weapons. So the benign database [enables] instant disarmament of anyone who might object to being invaded.”

A sound policing tactic, I'd say, only you're wrong about ascribing that confiscation to thwarting of some spirit of French belligerence to les boches on being defeated[*]. In occupied Poland and Czechoslovakia the Nazis also confiscated all the radios using (afaik) subscriber lists maintained by the state monopoly emitter. Were radios a threat to the mighty IIIrd Reich? You bet, and far bigger ones than hunting rifles. Also the Jewish congregations held member rolls unawares of the horrors to come. But in all these cases it wasn't the necessary civilian keeping of records, but the lack of maintainers' foresight, and indecisiveness in the face of acute threat, that should be blamed.


@ SJ chirps in:

[…] “Databases/registries [esp. of gun ownership] can become target lists.”

So how do you imagine that a complex civilian society could function WITHOUT records [esp. of gun ownership]? Clearly, you're either dreaming of some libertarian Nirvana, or can not see past the sight of your cherished AK47.


[…] “imagine that people who use encryption regularly become targets of government action, because 'they have something to hide.'”

Everybody has something to hide, but those who advertise—if not unwarranted—paranoia, beam out a signal that they require SPECIAL ATTENTION. Which leads to them becoming dense entries in ledgers. Moreover, in today's world, if you piss off some authoritarian figure hard enough, it won't require your encryption keys to retaliate: all that's needed is to remotely plant some CHILD PORNOGRAPHY on your laptop, then stage an arrest "in response to an anonymous tip-off." Maybe you then could use your guns to protest your innocence.


[^*] It was resignation and all but overt cooperation. The resistance came later, and in not altogether clear-cut shapes (“The Free Frenchman's” backstory is all the situation illumination you'll ever need, or could stand).
