The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Why Passwords > Biometrics?
In This Issue:
- Biometrics Are *Not* a Replacement for Passwords
- RSA Is Here
- If You’ve Been Pwned And You Know It, (Thunder)clap Your Hands
Biometrics Are *Not* a Replacement for Passwords
Let's start with a basic overview, Android nudges passwords closer to the cliff edge with FIDO2 support, and then dive into the in-depth one, The passwordless web explained. The TL;DR on both is that some people are making it easier to stop using passwords and start using biometrics instead. (To be precise about the mechanism: a FIDO2 authenticator keeps the biometric on the device and answers the site with a signed challenge from a device-bound key; what the biometric replaces is the check on who is allowed to use that key.)
This is a terrible – terrible – idea.
Biometrics are not passwords. They are usernames: they identify you, just as a username does. The purpose of a password is not to identify you; it is to prove that you are allowed to use that account.
In fact, in almost every way, biometrics are even worse than a standard username for identification. If it becomes necessary, you can change your username with relative ease. Changing your biometric identifiers, however, is rather more complicated, expensive, and life-altering.
There are plenty of cases in which you would not want other people to get into your accounts, even when those people have physical access to you. There is always the $5 wrench argument when dealing with state actors, but at least you get to sue them into a crater if they beat your password out of you. You can't legally do a darned thing if they take your finger, press it against your phone, and subsequently take your life (or your employer's business) apart.
Outside the state-actor scenario, biometrics get messier still. Passing out drunk at a party has entirely different consequences if your device unlocks with a fingerprint or a face. To say nothing of the number of extramarital affairs that could be uncovered by snooping spouses, or the chaos children could cause while mommy or daddy was sleeping.
To re-emphasize: replacing passwords with biometrics is a terrible idea, and under no circumstances should any of us support this for any reason.
Countermeasure:
Ban anything that promises to replace passwords with biometrics from your organization. Do it now, and do it with extreme prejudice.
RSA Is Here
The RSA conference is taking place March 4 – 8. If you’re not going, you can still sign up to get (free) post-conference access to security content from more than 200 sessions, seminars, and presentations. If you are attending, stop by the Juniper booth and visit Trevor Pott, one of the authors of this newsletter.
Looking for – or want to become – a cybersecurity ninja? This blog post, Looking for Diverse Cybersecurity Talent? These Visionary Companies and Initiatives Grow Their Own, lists infosec training and development programs aimed at increasing diversity in the security space.
Also check out The AppSec ABC's: Cybersecurity's First Children's Book. This really is what it claims to be: an infosec primer for kids, written by parent (and VP of Security Strategy at Cobalt) Caroline Wong. Talking about her 3-year-old daughter, Wong says, "Rose and I love reading this book together. Her favorite is the OWASP Top 10, which we compare to the list that Santa Claus makes and checks twice." The book can be downloaded as a PDF here.
Countermeasure:
If you aren't attending RSA, take the time to peruse the RSA site, and the security blogs of the major sponsors. There's a lot of good content being put out by vendors and infosec pros for the conference. The next week should have some eye-openers for everyone.
If You’ve Been Pwned And You Know It, (Thunder)clap Your Hands
Thunderbolt is essentially an external PCIe slot: a device plugged into it can be given a PCIe tunnel, and with it DMA access to system memory. That leaves you about as exposed as if you walked around all day with the side panel off your desktop PC. The Thunderclap research shows that the IOMMU protections the major operating systems put in front of those peripherals are not enough on their own.
For details, start at Thunderclap Vulnerabilities Allow Attacks Using Thunderbolt Peripherals. Additional coverage is available at Thunder, thunder, thunder... Thunderclap: Feel the magic, hear the roar, macOS, Windows pwnage tools are loose and at Thunderclap flaws impact how Windows, Mac, Linux handle Thunderbolt peripherals.
Countermeasure:
You wouldn't (or, at the very least, shouldn't) plug your device into some random stranger's USB port to charge without protection. So be very choosy about what you let be plugged into your Thunderbolt ports. The controls that already exist are worth checking too: most firmware lets you set the Thunderbolt security level to require user authorization for new devices (or disable PCIe tunnelling entirely), Windows 10 has Kernel DMA Protection on supported hardware, and the Linux thunderbolt driver exposes per-device authorization under /sys/bus/thunderbolt/devices.
Until this gets sorted in a more complete way, some simple USB-C dust covers are probably the cheapest, easiest counter available. If nothing else, they force an attacker to spend a few precious seconds getting something into your device, which might be long enough for someone to ask, "Hey, what are you doing?"
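A small audit script for the Linux side of that advice, added here as an example (it is not from the newsletter or from the Thunderclap researchers). It assumes the kernel thunderbolt driver, which exposes the host security level at /sys/bus/thunderbolt/devices/domain*/security and, for each attached device, an `authorized` file (0 = no PCIe tunnel, 1 = authorized, 2 = authorized with a stored key). The TB_SYSFS override and the sample device tree in the usage note are the example's own conventions, so the functions can be exercised against a constructed directory without Thunderbolt hardware.

```shell
#!/bin/sh
# Added example: audit Thunderbolt authorization state on Linux (sysfs "thunderbolt" bus).
# TB_SYSFS may be pointed at a constructed tree for testing; the default is the live sysfs path.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Print the host's Thunderbolt security level ("none", "user", "secure", "dponly",
# "usbonly", "nopcie"), or "unknown" when no domain is present (no port, or driver not loaded).
# Always exits 0 so callers can use it in command substitution under set -e.
tb_security_level() {
  root="${1:-$TB_SYSFS}"
  for f in "$root"/domain*/security; do
    if [ -f "$f" ]; then
      cat "$f"
      return 0
    fi
  done
  echo unknown
  return 0
}

# One tab-separated line per attached device: id, vendor, name, authorized value.
# Directories without an "authorized" file (the domain itself) are skipped.
tb_list() {
  root="${1:-$TB_SYSFS}"
  for d in "$root"/*/; do
    [ -f "$d/authorized" ] || continue
    id=$(basename "$d")
    vendor=$(cat "$d/vendor_name" 2>/dev/null || echo unknown)
    name=$(cat "$d/device_name" 2>/dev/null || echo unknown)
    auth=$(cat "$d/authorized")
    printf '%s\t%s\t%s\t%s\n' "$id" "$vendor" "$name" "$auth"
  done
}

# Number of devices that currently hold a PCIe tunnel (authorized != 0).
# Each of these can issue DMA; if you did not approve one of them, find out why it is there.
tb_count_authorized() {
  tb_list "$1" | awk -F'\t' '$4 != "0" { n++ } END { print n+0 }'
}

# Overall check. Returns 1 when the security level is "none", i.e. every device that is
# plugged in is tunnelled automatically, which is exactly the exposure the countermeasure is about.
tb_check() {
  root="${1:-$TB_SYSFS}"
  level=$(tb_security_level "$root")
  case "$level" in
    none)
      echo "WARNING: Thunderbolt security level is 'none': any device plugged in gets a PCIe/DMA tunnel without asking" >&2
      return 1 ;;
    unknown)
      echo "No Thunderbolt domain found (no port, or thunderbolt driver not loaded)" ;;
    *)
      echo "Thunderbolt security level: $level" ;;
  esac
  echo "Devices with an open PCIe tunnel: $(tb_count_authorized "$root")"
  tb_list "$root"
  return 0
}

# Audit the live system when run as a script. (The check is also usable after sourcing the file.)
tb_check
```

To try it without hardware, build a tree such as `$TB_SYSFS/domain0/security` containing `none` and `$TB_SYSFS/0-1/authorized` containing `1`, then run `tb_check "$TB_SYSFS"`; with `user` in the security file the same tree passes, and the device list shows which peripherals have already been granted a tunnel.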
A Worrying Spread of DNS Hijacking
There is no summary to be had here, pithy or otherwise. A Deep Dive on the Recent Widespread DNS Hijacking Attacks may be one of the most important pieces of information security writing that will come out all year.
Countermeasure:
Do not pass Go, do not collect $200: read Brian Krebs's breakdown of the recent DNS hijacking mess immediately. Then it's time to take a look at Project Furnace and see whether it can bring some of the unruly newtech platforms in use by *Ops teams to heel.
This Week in Social Media Fails
This also should not become a regular segment. Dear $_society, how about we don't make this a regular thing, mmmkay?
- Social Media Platforms Double as Major Malware Distribution Centers
- Facebook apps secretly sending sensitive data back to the mothership
- White hats spread VKontakte worm after social network doesn't pay bug bounty
- Bored bloke takes control of British Army 'psyops' unit's Twitter
- Harassment, hate and bile, suicide instructions for kids... anything else social media's good at? Ah yes, cybercrime
This Week in IoT Schadenfreude
Or, if you aren't into schadenfreude, there's always sobbing into a tall glass of your preferred beverage…
- Your $350 Nike self-lacing sneakers aren’t as smart as you hoped
- Ring Doorbell Flaw Opens Door to Spying
- The Dark Sides of Modern Cars: Hacking and Data Collection
- Researcher: Not Hard for a Hacker to Capsize a Ship at Sea. The Register covers the same topic with more Hackers movie references (where's Zero Cool when you need him?): Loose chips sink ships: How hackers could wreck container vessels
Tweets of the Week
"Shoutout to this older article on how to modify Dionaea services to hide your honeypots better" – H E X A (@hexadecim8)
"I underestimated how much an Information Security job consists of putting screenshots into Word documents." – SwiftOnSecurity (@SwiftOnSecurity)
"Someone is trying to rebrand steganography as "polyglot images" in the latest emails I've been receiving. Please stop it..." – Catalin Cimpanu (@campuscodi)
Quotes of the Week
"I'm glad that Hasson was arrested before he killed anyone rather than after, but I worry that these systems are basically creating thoughtcrime." – Bruce Schneier
This quote comes from "Insider Threat" Detection Software, which in turn references Coast Guard lieutenant used work computers in alleged planning of widespread domestic terrorist attack, prosecutors say, which makes everyone sad.
"It's ridiculous vendors are replying to researchers via general counsel, not bug bounty." - EFF Senior Information Security Counsel Nate Cardozo
This quote is referenced in Plain wrong: Millions of utility customers’ passwords stored in plain text, and also makes everyone sad.
Podcast of the Week
Smashing Security #116: Stalking debtors, Facebook farce, and a cyber insurance snag. Hosts: Carole Theriault, Graham Cluley. Guest: Joe Carrigan of the Information Security Institute at Johns Hopkins University
Ep.021 – Leaked calls, a social media virus and passwords exposed [PODCAST] – Anna Brading, Paul Ducklin, Mark Stockley and Matt Boddy - Naked Security blog (Sophos)
PODCAST: US cyber foes take cue from government shutdown; rise in malware deployment under way – Byron Acohido – The Last Watchdog. Podcast guest: Jeremy Samide, CEO of Stealthcare
Quick Links
- Password Facepalm: Millions of utilities customers’ passwords stored in plain text
- Refers to Plain wrong: Millions of utility customers’ passwords stored in plain text
- Password Facepalm 2: Cryptocurrency wallet caught sending user passwords to Google's spellchecker (I can't even.)
- Russian creator of NeverQuest banking trojan pleads guilty in American court
- New Breed of Fuel Pump Skimmer? Not Really
- Gen. Nakasone on US Cyber Command
- Reverse Location Search Warrants
- 139 US bars, restaurants and coffee shops infected by credit-card stealing malware
- Toyota Australia driven offline by cyber attack, as heart hospital hit by ransomware
- Two weeks after hackers tried to steal 13 million euros, Bank of Valletta goes offline again
- Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison
- Payroll Provider Gives Extortionists a Payday
- One of Russia’s Neighbors Has Security Lessons for the Rest of Us
- MY TAKE: Why the next web-delivered ad you encounter could invisibly infect your smartphone
- Researchers break e-signatures in 22 common PDF viewers