Get Your Copy.
The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Why Passwords > Biometrics 👀
In This Issue:
- Biometrics Are *Not* a Replacement for Passwords
- RSA Is Here
- If You’ve Been Pwned And You Know It, (Thunder)clap Your Hands
Biometrics Are *Not* a Replacement for Passwords
Let's start with a basic overview: Android nudges passwords closer to the cliff edge with FIDO2 support, and then dive into the in-depth overview: The passwordless web explained. The TL;DR on both is that some people are making it easier to stop using passwords, and start using biometrics instead.
This is a terrible – terrible – idea.
Biometrics are not passwords. They are usernames. They identify you, just like a username does. The purpose of a password is not to identify you; it’s to ensure that you’re allowed to use that account.
In fact, in almost every way, biometrics are even worse than a standard username for identification. If it becomes necessary, you can change your username with relative ease. Changing your biometric identifiers, however, is rather more complicated, expensive, and life-altering.
There are plenty of use cases in which individuals might not want other people to have access to their accounts, even if those individuals have access to your person. While there is always the $5 wrench argument when dealing with state actors, at least you get to sue them into a crater if they beat your password out of you. You can't legally do a darned thing if they take your finger, swipe it against your phone, and subsequently take your life (or your employer's business) apart.
In the real world, however, biometrics are a lot messier. Passing out drunk at a party has entirely different consequences if your device is unlocked using biometrics. To say nothing of the number of extramarital affairs that could be uncovered by snooping spouses, or the chaos children could cause while mommy or daddy were sleeping.
To re-emphasize: replacing passwords with biometrics is a terrible idea, and under no circumstances should any of us support this for any reason.
Ban anything that promises to replace passwords with biometrics from your organization. Do it now, and do it with extreme prejudice.
RSA Is Here
The RSA conference is taking place March 4 – 8. If you’re not going, you can still sign up to get (free) post-conference access to security content from more than 200 sessions, seminars, and presentations. If you are attending, stop by the Juniper booth and visit Trevor Pott, one of the authors of this newsletter.
Looking for – or want to become – a cybersecurity ninja? This blog post, Looking for Diverse Cybersecurity Talent? These Visionary Companies and Initiatives Grow Their Own, lists infosec training and development programs aimed at increasing diversity in the security space.
Also check out The AppSec ABC’s: Cybersecurity’s First Children’s Book. This really is what it claims to be: an infosec primer for kids, written by parent (and VP of Security Strategy at Cobalt) Caroline Wong. Talking about her 3-year-old daughter, Wong says, "Rose and I love reading this book together. Her favorite is the OWASP Top 10, which we compare to the list that Santa Claus makes and checks twice." The book can be downloaded as a pdf here.
If you aren't attending RSA, take the time to peruse the RSA site, and the security blogs of the major sponsors. There's a lot of good content being put out by vendors and infosec pros for the conference. The next week should have some eye-openers for everyone.
If You’ve Been Pwned And You Know It, (Thunder)clap Your Hands
Thunderbolt is basically an external PCI-E bus slot, and makes you just exactly as vulnerable as if your were wandering around with the side panel off your desktop PC all day.
For details, start at Thunderclap Vulnerabilities Allow Attacks Using Thunderbolt Peripherals. Additional coverage is available at Thunder, thunder, thunder... Thunderclap: Feel the magic, hear the roar, macOS, Windows pwnage tools are loose and at Thunderclap flaws impact how Windows, Mac, Linux handle Thunderbolt peripherals.
You wouldn't (or, at the very least, shouldn’t) plug your device into some random stranger's USB port to charge without protection. So be very choosy about what you let be plugged into your Thunderbolt ports.
Until this gets sorted in a more complete way, some simple USB-C dust covers are probably the cheapest, easiest counter to this available. If nothing else, it makes attackers have to expend a few precious seconds to stick something into your device, which might be long enough to ask "Hey, what are you doing"?
A Worrying Spread of DNS Hijacking
There is no summary to be had here, pithy or otherwise. A Deep Dive on the Recent Widespread DNS Hijacking Attacks may be one of the most important pieces of information security writing that will come out all year.
Do not stop go, do not collect $200: read Brian Krebs's breakdown of the recent DNS hijacking mess immediately. it's time to take a look at Project Furnace, and see whether or not this can bring some of the unruly newtech platforms in use by *Ops teams to heel.
This Week in Social Media Fails
This also should not become a regular segment. Dear $_society, how about we don't make this a regular thing, mmmkay?
- Social Media Platforms Double as Major Malware Distribution Centers
- Facebook apps secretly sending sensitive data back to the mothership
- White hats spread VKontakte worm after social network doesn't pay bug bounty
- Bored bloke takes control of British Army 'psyops' unit's Twitter
- Harassment, hate and bile, suicide instructions for kids... anything else social media's good at? Ah yes, cybercrime
This Week in IoT Schadenfreude
Or, if you aren't into schadenfreude, there's always sobbing into a tall glass of your preferred beverage…
- Your $350 Nike self-lacing sneakers aren’t as smart as you hoped
- Ring Doorbell Flaw Opens Door to Spying
- The Dark Sides of Modern Cars: Hacking and Data Collection
- Researcher: Not Hard for a Hacker to Capsize a Ship at Sea. The Register has an article on the same topic, but with more Hackers movie references. Where's Zero Cool when you need him? Loose chips sink ships: How hackers could wreck container vessels
Tweets of the Week
"Shoutout to this older article on how to modify Dionaea services to hide your honeypots better" – H E X A (@hexadecim8)
"I underestimated how much an Information Security job consists of putting screenshots into Word documents." – SwiftOnSecurity (@SwiftOnSecurity)
"Someone is trying to rebrand steganography as "polyglot images" in the latest emails I've been receiving.
Please stop it..." – Catalin Cimpanu (@campuscodi)
Quotes of the Week
"I'm glad that Hasson was arrested before he killed anyone rather than after, but I worry that these systems are basically creating thoughtcrime." – Bruce Schneier
This quote is related to "Insider Threat" Detection Software,
which in turn references Coast Guard lieutenant used work computers in alleged planning of widespread domestic terrorist attack, prosecutors say, which makes everyone sad.
"It's ridiculous vendors are replying to researchers via general counsel, not bug bounty." - EFF Senior Information Security Counsel Nate Cardozo
This quote is referenced in Plain wrong: Millions of utility customers’ passwords stored in plain text, and also makes everyone sad.
Podcast of the Week
Smashing Security #116: Stalking debtors, Facebook farce, and a cyber insurance snag Hosts: Carol Theriault, Graham Cluley. Guest: Joe Carrigan of the Information Security Institute at Johns Hopkins University
Ep.021 – Leaked calls, a social media virus and passwords exposed [PODCAST] – Anna Brading, Paul Ducklin, Mark Stockley and Matt Boddy - Naked Security blog (Sophos)
PODCAST: US cyber foes take cue from government shutdown; rise in malware deployment under way – Byron Acohido – The Last Watchdog. Podcast guest: Jeremy Samide, CEO of Stealthcare
- Password Facepalm: Millions of utilities customers’ passwords stored in plain text
- Refers to Plain wrong: Millions of utility customers’ passwords stored in plain text
- Password Facepalm 2: Cryptocurrency wallet caught sending user passwords to Google's spellchecker ß I can't even.
- Russian creator of NeverQuest banking trojan pleads guilty in American court
- New Breed of Fuel Pump Skimmer? Not Really
- Gen. Nakasone on US Cyber Command
- Reverse Location Search Warrants
- 139 US bars, restaurants and coffee shops infected by credit-card stealing malware
- Toyota Australia driven offline by cyber attack, as heart hospital hit by ransomware
- Two weeks after hackers tried to steal 13 million euros, Bank of Valletta goes offline again
- Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison
- Payroll Provider Gives Extortionists a Payday
- One of Russia’s Neighbors Has Security Lessons for the Rest of Us
- MY TAKE: Why the next web-delivered ad you encounter could invisibly infect your smartphone
- Researchers break e-signatures in 22 common PDF viewers