Coming up: the fingerprint-grabbing keylogger

A British researcher has developed a biometric keylogger of sorts that can capture fingerprints required to unlock building doors or gain access to computer networks or other restricted systems.

For now, the Biologger is a proof-of-concept aimed at showing the insecurity of many biometric systems, according to Matthew Lewis, who demonstrated the tool at last month's Black Hat Amsterdam conference. But the researcher, who works for Information Risk Management, warns the attack could become commonplace if current practices don't change and could be used to log images of retinas, facial features and any other physical characteristics used by biometric systems.

"Biometric device manufacturers and system integrators cannot rely on security through obscurity alone for the overall security of their devices and systems," he writes in this white paper (PDF). "Without adequate protection of the confidentiality, integrity and availability of biometric access control devices and their data, the threat of 'Biologging' activities within those enterprises employing such access controls is real."

The unspecified access control device used in Lewis's demonstration didn't bother to encrypt data before sending it to back-end servers, making it ripe for interception by a man-in-the-middle laptop that logged all traffic passing between the two devices. The researcher was able to construct an image of a fingerprint by subjecting portions of the captured data to an algorithm designed to graphically identify image data and resolution.

"The result of such a finding to attackers could be significant," Lewis wrote. "If a good quality image can be reconstructed, then it is conceivable that techniques described ... could again be used to generate a 3D spoof finger of users that have obviously been registered with the system at some point."

The research is the latest cautionary reminder that biometrics are by no means a panacea for the difficulty of verifying a person's identity. Last week, a hacker club published what it said was the fingerprint of Wolfgang Schauble, Germany's interior minister and an ardent supporter of storing a digital representation of citizens' fingerprints in their passports. Schauble's print was embossed on a sticky piece of plastic that can leave the print on coffee cups, telephones and biometric readers.

Lewis was also able to issue commands to the access control device that enabled him to unlock doors and add new users with full administrative rights without presenting a fingerprint. That's because the device needed a single 8-byte message that passed over the network in plaintext. Although he was never able to crack a 2-byte checksum used for issuance of each message, he was able to overcome this limitation by taking a brute-force approach, in which every possible combination of checksums was used.

There are other limitations to Lewis's attack. For one, it requires attackers to have privileged access to the network connecting the access point to the server. Another is that the traffic was transmitted using the user datagram protocol, which rendered the brute-force attempts "not 100% reliable."

But his point seems to be that, just as best practices require that passwords are never stored in the clear, fingerprints and other biometric data should likewise be encrypted. Architects designing the next generation of biometric systems,

Posted in | 0 comments

Homeland Security: We're ready to launch spy satellite office

A plan to expand the number of government police and security agencies that can tap into detailed satellite images is proceeding, despite concerns from Congress, the head of the U.S. Department of Homeland Security said Wednesday.

During a roundtable discussion with bloggers and journalists here, Secretary Michael Chertoff said a "charter has been signed" to create a new office, which will serve as a clearinghouse for requests from law enforcement, border security, and other domestic homeland security agencies to view feeds from powerful satellites. It will be called the National Applications Office.

"I think the way is now clear to stand (the office) up and go warm on it," said Chertoff at Homeland Security's headquarters here.

Right now, these spy satellites are more commonly used for things like monitoring volcanic activity, hurricanes, floods, and various environmental and geological shifts. But the agency has said it sees important applications for the images in other areas within its purview, such as terrorism investigations and illegal immigration busts.

Originally, the satellite office was supposed to take shape last October but those plans were delayed after congressional Democrats raised privacy concerns. They said they wouldn't be able to support the program until the agency lays out exactly what legal framework it will be using to fulfill requests by, say, state and local police, and how it will protect Americans' civil liberties.

Chertoff said Wednesday that the department has completed the privacy impact assessments for the new office and should be releasing them within a few days. He said that members of Congress have received briefings and that he thinks there's a "good process in place to make sure there aren't any legal transgressions."

In the past, Homeland Security officials have downplayed the implications of allowing more agencies to access the satellites, arguing that in addition to scientific applications, the technique has already been employed from time to time by the Secret Service and FBI. For instance, when a well-publicized series of sniper attacks swept through the Washington, D.C., area in October 2002, the CIA and FBI were permitted to use images provided by the National Geospatial Intelligence Agency to look for places snipers might hide along highways along the east coast.

"I think we have fully addressed everybody's concerns," Chertoff said Wednesday. "We've made it clear this is not going to be interception of communications, verbal or oral or written. That's still going to be done under the traditional way."

The Homeland Security secretary, however, may not have that easy a time persuading congressional overseers.

Within the next few days, Reps. Jane Harman (D-Calif.) and Christopher Carney (D-Penn.), who lead Homeland Security subcommittees, are planning to send Chertoff a letter that says the new scheme still isn't ready for launch, a Democratic aide to the U.S. House of Representatives Homeland Security Committee, which oversees the department, told CNET News.com on Wednesday.

Committee leaders say the charter for the National Applications Office is "wholly inadequate," said the aide, who spoke on condition of anonymity since the letter is still being drafted. They plan to criticize the department for allegedly failing to outline the legal framework and other "standard operating procedures" governing the program.

Furthermore, the Government Accountability Office has not yet vetted the program's privacy guidelines, which was made a condition for the National Applications Office to receive congressional funding, the aide said.

On cybersecurity
Also at the roundtable discussion, Chertoff attempted to defuse concerns that Homeland Security's cybersecurity arm plans to "sit on the Internet," as he put it, and monitor traffic in a manner reminiscent of the Chinese government.

As part of its efforts to detect network intrusions in real time, Homeland Security has said it plans to expand use of an existing system known as Einstein, which will, among other things, monitor visits from Americans and foreigners visiting .gov Web sites. The set-up is in place at 15 federal agencies, but Chertoff has asked for $293.5 million from Congress in next year's budget to roll it out governmentwide.

In addition to outfitting federal networks with those tools, Chertoff said the government also plans to help companies to fend off cyberattacks by offering some of its "classified" intrusion detection tools--but such aid will be purely optional.

As for the department's broader strategy, "in some ways, it's more and better of what we're doing," Chertoff said. "In some cases, it may involve some additional things I can't talk about."


Mind the hack

Sidestep spammers with dedicated email accounts for online bills. By Andrew Brown.

Somewhere out there some firm that holds my credit-card details has been hacked. I know this because I have started to get spam to an email address I only ever use for buying things. I have no idea which firm it might be: in the past 2½ years, I have had at least 520 messages to that address, from about 75 different companies. I don't think it's likely that any of the big ones has been hacked or else we would hear more of it. (Wouldn't we?) But among the software publishers, the music sites, the wine merchants and second-hand book dealers I have been paying from this address there is one whose customer database has been plundered.

Keeping specialised and unique email addresses for different tasks is one of those tricks that everyone should know and practice: for one thing, it can be combined with spam-filtering rules to make a rock-solid defence against phishing scams. Since I have unique addresses for eBay, PayPal, the various Amazons and my bank, none of which are ever used for other correspondence, I know that an email purporting to come from any of those firms that is not sent to the right private address must be a scam, and it's easy to set up rules to delete it unread. I have not done this with the correspondence for one-off purchases, all of which went to the address that has now become a spam target, because each new address would have to be set up in the spam filter.

The gang that stole my customer details is unlikely to be the same one that is sending me the spam. There are well-established marketplaces for email lists and the number of addresses for sale is hard to grasp: one moderate-sized botnet analysed by SecureWorks last year contained 162 million addresses. Many millions of these will be dead, of course; the spamming software has routines built into it to detect and delete addresses that have been blackholed, but messages that are instead bounced will keep the address alive.

There's nothing I can do, of course, other than keep a beady eye on my credit card and bank statements. But I do that anyway, and it will only detect damage after the event. In any case, I don't know whether my credit-card details are gone. On a well-designed site, they would be stored separately from the customer database; but a well-designed site wouldn't get hacked.

In the meantime, I skim-read the spam that drifts up in what used to be my private inbox, since Thunderbird's built-in spam filter is nothing like as efficient as Gmail's, or the one in Opera's mail module. There is a strange, twisted poetry of longing to discover here. The black economy of the internet has invented another criminal trade: alongside the programmers and the data thieves, there must be copywriters for the penis-enlargement pills. Perhaps someone, somewhere is publishing What Penis? magazine.

You'd have thought that after 10 years or more of pretty much continual spam there would be nothing fresh to say about enlargement pills, patches and creams. How can there be anyone out there who supposes that any of this will work? Yet the inexhaustible stream of spam proves that there must be hundreds of suckers born every minute.

Much of it seems written by people who don't speak English as a first language. But the awful thing is that all the circumlocutions are perfectly clear, because they speak to the universal fear of being a despised outcast. If you take the time to read the spam, it becomes clear that the market is the men's equivalent of anti-ageing creams for women: what is really being offered is the promise of being attractive, or at least not loathsome.

It may seem implausible to anyone over the age of 12 that a man whose tool bangs against his knees will be - whatever his other problems - irresistible to women. But the alternative explanation for a lack of success is that women are giggling behind your back at your pathetic, stunted personality. And that would be even worse.

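The per-vendor alias scheme the column describes, written out as filter logic (an added illustration, not the columnist's own code): each vendor gets one private alias, so mail that carries a vendor's domain but lands in the wrong mailbox is a scam, and unrelated mail arriving at a dedicated alias tells you which vendor's list has leaked. The vendor names, domains, aliases and sample messages are all constructed for the example.

```python
"""Per-vendor e-mail aliases as a phishing and breach detector.

Assumes the reader controls a catch-all domain and has handed each vendor
its own private alias (e.g. paypal-x7q@example.org). Everything below is
constructed sample data, not real vendor infrastructure.
"""
from email import message_from_string
from email.utils import parseaddr

# Alias -> (vendor name, domains that vendor legitimately sends from).
ALIASES = {
    "bank-k3m@example.org":   ("bank",   {"examplebank.co.uk"}),
    "paypal-x7q@example.org": ("paypal", {"paypal.com", "paypal.co.uk"}),
    "ebay-ct2@example.org":   ("ebay",   {"ebay.com", "ebay.co.uk"}),
}
# Reverse index: sender domain -> the one alias that vendor may write to.
EXPECTED_ALIAS = {d: alias for alias, (_, doms) in ALIASES.items() for d in doms}


def classify(raw):
    """Return (verdict, detail) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    to_addr = to_addr.lower()

    # Case 1: sender domain belongs to a vendor we gave a private alias.
    if from_domain in EXPECTED_ALIAS:
        if to_addr == EXPECTED_ALIAS[from_domain]:
            return ("legitimate", ALIASES[to_addr][0])
        # Right brand, wrong mailbox: by construction this cannot be the vendor.
        return ("phishing", f"{from_domain} mail not sent to its private alias")

    # Case 2: display name borrows a vendor's brand but the domain does not match.
    for vendor, _ in ALIASES.values():
        if vendor in display_name.lower():
            return ("phishing", f"display name claims {vendor}, sender is {from_domain}")

    # Case 3: a dedicated alias is being written to by someone who should not know it.
    if to_addr in ALIASES:
        return ("alias-leaked", ALIASES[to_addr][0])
    return ("unclassified", "")


def leaked_vendors(raw_messages):
    """Vendors whose private alias has been seen receiving unrelated mail."""
    return {detail for verdict, detail in map(classify, raw_messages)
            if verdict == "alias-leaked"}


# Constructed sample messages (headers only, body after the blank line).
SAMPLES = {
    "legit": "From: PayPal <service@paypal.com>\nTo: paypal-x7q@example.org\n"
             "Subject: Your receipt\n\nThanks for your purchase.\n",
    "phish": "From: PayPal <service@paypal.com>\nTo: andrew@example.org\n"
             "Subject: Verify your account\n\nClick here now.\n",
    "spoof": "From: Example Bank <alerts@mail-secure.example>\nTo: andrew@example.org\n"
             "Subject: Security notice\n\nLog in to confirm.\n",
    "leak":  "From: Offers <promo@pills.example>\nTo: ebay-ct2@example.org\n"
             "Subject: Special offer\n\nBuy now.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:6} -> {classify(raw)}")
    print("leaked aliases belong to:", leaked_vendors(SAMPLES.values()))
```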

The Difference Between Feeling and Reality in Security

Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it. There are two different concepts mapped onto the same word — the English language isn't working very well for us here — and it can be hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in explaining how the two are different, and understanding when we're referring to one and when the other. There is value as well in recognizing when the two converge, understanding why they diverge, and knowing how they can be made to converge again.

Some fundamentals first. Viewed from the perspective of economics, security is a trade-off. There's no such thing as absolute security, and any security you get has some cost: in money, in convenience, in capabilities, in insecurities somewhere else, whatever. Every time someone makes a decision about security — computer security, community security, national security — he makes a trade-off.

People make these trade-offs as individuals. We all get to decide, individually, if the expense and inconvenience of having a home burglar alarm is worth the security. We all get to decide if wearing a bulletproof vest is worth the cost and tacky appearance. We all get to decide if we're getting our money's worth from the billions of dollars we're spending combating terrorism, and if invading Iraq was the best use of our counterterrorism resources. We might not have the power to implement our opinion, but we get to decide if we think it's worth it.

Now we may or may not have the expertise to make those trade-offs intelligently, but we make them anyway. All of us. People have a natural intuition about security trade-offs, and we make them, large and small, dozens of times throughout the day. We can't help it: It's part of being alive.

Imagine a rabbit, sitting in a field eating grass. And he sees a fox. He's going to make a security trade-off: Should he stay or should he flee? Over time, the rabbits that are good at making that trade-off will tend to reproduce, while the rabbits that are bad at it will tend to get eaten or starve.

So, as a successful species on the planet, you'd expect that human beings would be really good at making security trade-offs. Yet, at the same time, we can be hopelessly bad at it. We spend more money on terrorism than the data warrants. We fear flying and choose to drive instead. Why?

The short answer is that people make most trade-offs based on the feeling of security and not the reality.

I've written a lot about how people get security trade-offs wrong, and the cognitive biases that cause us to make mistakes. Humans have developed these biases because they make evolutionary sense. And most of the time, they work.


Home Office delay on hacking law continues

The government has further delayed the introduction of crucial legislation to criminalise new forms of hacking activities.

Laws to amend the 18-year-old Computer Misuse Act (CMA) were due this month, but have been put back as the Home Office tries to iron out potential conflicts in the legislation.

The updates are important because they target cyber crime techniques that were not envisaged when the act was first written, particularly denial of service attacks and the selling of hacking tools.

Amendments were first approved by parliament in the Police and Justice Act two years ago, but have not been implemented because of potential overlap with the Serious Crime Bill and a fear they might criminalise legitimate security professionals.

The legislation is needed urgently because the CMA has been so ineffective in tackling hacking, said shadow home affairs minister James Brokenshire.

“Further delays send out the message to criminals that the UK is a soft touch on cyber crime,” he said. “We need action.”

Denial of service attacks are becoming increasingly sophisticated. Last month, gambling company Gala Coral experienced a new breed of attack that disabled its network for almost half an hour, despite costly protection systems.

Even when the legislation comes into force there are no guarantees it will work, said MP John Hemming, who used to run an e-commerce site.

“The government often looks for simple solutions to complex situations and very often gets it wrong,” he said.

The Home Office said no date has been set for the commencement order.
“Work on legislation will begin in April; we are still considering when to bring in the legislation,” said a spokeswoman.


UK web users fear privacy invasion

The UK public fears online fraud and privacy invasion but is ill-informed about the rules that protect it, according to research.

The Switched On report conducted by the Ofcom Consumer Panel - an independent body that advises the communications regulator - lists immoral web merchants as a key concern for internet users, along with paedophiles and people who lie on dating sites. Members of the public also told researchers that they felt "under siege" from web and telephone spam.

These worries present a serious issue for the communications technology sector, according to Anna Bradley, chair of the panel.

"Service providers, regulators and other policy makers need to give consumers greater confidence that the risks are well managed," said Bradley.

"In addition, we need to help consumers understand about the existing protections, make the residual risks clear to them and help them to make their own electronic environment safer."


Hackers Assault Epilepsy Patients via Computer

Internet griefers descended on an epilepsy support message board last weekend and used JavaScript code and flashing computer animation to trigger migraine headaches and seizures in some users.

The nonprofit Epilepsy Foundation, which runs the forum, briefly closed the site Sunday to purge the offending messages and to boost security.

"We are seeing people affected," says Ken Lowenberg, senior director of web and print publishing at the Epilepsy Foundation. "It's fortunately only a handful. It's possible that people are just not reporting yet -- people affected by it may not be coming back to the forum so fast."

The incident, possibly the first computer attack to inflict physical harm on the victims, began Saturday, March 22, when attackers used a script to post hundreds of messages embedded with flashing animated gifs.

The attackers turned to a more effective tactic on Sunday, injecting JavaScript into some posts that redirected users' browsers to a page with a more complex image designed to trigger seizures in both photosensitive and pattern-sensitive epileptics.

RyAnne Fultz, a 33-year-old woman who suffers from pattern-sensitive epilepsy, says she clicked on a forum post with a legitimate-sounding title on Sunday. Her browser window resized to fill her screen, which was then taken over by a pattern of squares rapidly flashing in different colors.

Fultz says she "locked up."

"I don't fall over and convulse, but it hurts," says Fultz, an IT worker in Coeur d'Alene, Idaho. "I was on the phone when it happened, and I couldn't move and couldn't speak."

After about 10 seconds, Fultz's 11-year-old son came over and drew her gaze away from the computer, then killed the browser process, she says.

"Everyone who logged on, it affected to some extent, whether by causing headaches or seizures," says Browen Mead, a 24-year-old epilepsy patient in Maine who says she suffered a daylong migraine after examining several of the offending posts. She'd lingered too long on the pages trying to determine who was responsible.

Circumstantial evidence suggests the attack was the work of members of Anonymous, an informal collective of griefers best known for their recent war on the Church of Scientology. The first flurry of posts on the epilepsy forum referenced the site EBaumsWorld, which is much hated by Anonymous. And forum members claim they found a message board thread -- since deleted -- planning the attack at 7chan.org, a group stronghold.

Fultz says the attack spawned an uncommonly bad seizure. "It was a spike of pain in my head," she says. "And the lockup, that only happens with really bad ones. I don't think I've had a seizure like that in about a year."

But she's satisfied with the Epilepsy Foundation's relatively fast response to the attack, about 12 hours after it began on Easter weekend. "We all really appreciate them for giving us this forum and giving us this place to find each other," she says.

Epilepsy affects an estimated 50 million people worldwide, about 3 percent of whom are photosensitive, meaning flashing lights and colors can trigger seizures.


Malware to blame in supermarket data breach

It turns out malware somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.

Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported that the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.

The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.

The company is continuing its investigation into how the malware may have been placed on the servers. The Secret Service, meanwhile, is conducting its own investigation.

The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point of sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).

That mode contrasts with attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in a data breach of customer records at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains.

Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."

I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.


Fujifilm bugs backup tapes with LoJack device

Fujifilm Recording Media has launched in the US a GPS tracking device for tape storage — the backup and archiving medium with a nasty habit of "disappearing" while in transit to remote sites.

Fujifilm Tape Tracker is a wireless device that discreetly fits into a standard half-inch tape cartridge. The company partnered with cargo monitoring firm SC-Integrity (SCI) to develop software to monitor the Fuji-bugged tapes as they move between data centers or disaster recovery locations. Data center admins can use a web-based application to find the device using maps and satellite images.

Tape Tracker is based on LoJack InTransit, a system SCI developed with LoJack in 2006. According to Fujifilm, the software can set boundaries that will send alerts if the cargo strays from its route. The service also provides chain of custody history reports and 24/7 monitoring.

Using Fujifilm's digital snitch costs $150 per month through the company's resellers.

Fujifilm hopes to capitalize on tape archiving data breach scares that pop up on a disturbingly consistent basis. Most recently, US retailer J.C. Penney had a backup tape allegedly stolen that included personal information belonging to more than 650,000 customers.


Flash flaw leads to Vista laptop's fall

It held out as long as possible, but a Windows Vista laptop fell to a determined bunch of hackers Friday evening at the Pwn to Own contest at CanSecWest.

Since it was the third day of the contest, which saw a MacBook Air get hacked on Thursday, the TippingPoint Zero Day Initiative relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall.

But on Friday, hackers could target any "popular" piece of application software that you might find on a system. The Fujitsu laptop, running Vista Ultimate, was compromised by a previously undiscovered flaw in Adobe's Flash software.

Shane Macaulay, Derek Callaway and Alexander Sotirov were able to gain control of the laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.

The contest rules stipulated that any winner sign a nondisclosure agreement immediately after a successful hack, so that the nature of the flaw could be disclosed to the vendor. Once Adobe and Apple patch their flaws, the nature of the flaw will be disclosed.

A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference.
