Tech Friday

August 16, 2019

  • Millions of biometric records exposed in new data breach:
    • A biometric database has been breached, exposing facial recognition records, fingerprints, log data and personal information on millions of users
    • The breach was discovered on August 5th, 2019 and comprises nearly 28 million records, amounting to 23 gigabytes of data
    • Unlike usernames and passwords, biometric data can't be changed. You can't really get a new fingerprint, iris or face
    • A research team from vpnMentor, led by Noam Rotem and Ran Locar, recently discovered the breach in a "security" application known as BioStar 2
    • BioStar 2 is a web-based biometric "smart" lock platform that allows administrators to control facility access and record activity logs
    • It uses facial recognition and fingerprinting technology to identify and authenticate users
    • A company named Suprema, one of the world's top 50 security manufacturers, makes the system
    • That biometric data, together with the associated account data, was stored in an insecure format in an insecure database
    • Suprema bills itself as a "global Powerhouse in biometrics, security and identity solutions". They say they have a product range that "includes biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules"
    • Suprema recently partnered with Nedap to integrate BioStar 2 into their AEOS access control system. AEOS is used by nearly 6,000 organizations in 83 countries
    • The data leaked is highly sensitive, including detailed personal information of employees and unencrypted usernames and passwords. This could give hackers access to user accounts and permissions at facilities using BioStar 2
    • With those credentials, attackers could gain complete access to administrative accounts on BioStar 2
    • You can read the full report from vpnMentor here: https://www.vpnmentor.com/blog/report-biostar2-leak/
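The point about the leaked usernames and passwords is worth making concrete. Below is an added example (not code from Suprema, BioStar 2 or the vpnMentor report) that contrasts a record stored the way the leak exposed it, with the password in the clear, against one that stores only a salted, slow hash. The record shapes, the hypothetical password and the four-word guess list are all constructed for the example; PBKDF2-HMAC-SHA256 is used because it is in the Python standard library, while Argon2id or scrypt are the better choice where a library is available.

```python
import hashlib
import hmac
import os

# Constructed record in the shape the leak exposed: username and password
# side by side in the clear. Whoever reads the row can log in immediately.
LEAKED_ROW = {"username": "admin", "password": "Summer2019!"}  # hypothetical values

PBKDF2_ITERATIONS = 200_000


def store_credential(username: str, password: str) -> dict:
    """Return a record that holds a per-user salt and a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "username": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_credential(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_with_wordlist(record: dict, wordlist) -> int:
    """Simulate what an attacker holding only the hashed record must do.

    Returns the number of guesses spent before the password was found, or 0 if
    the list is exhausted. Every guess costs a full PBKDF2 run, which is the
    whole point of the slow hash; with the plaintext row there is nothing to guess.
    """
    for attempts, guess in enumerate(wordlist, start=1):
        if verify_credential(record, guess):
            return attempts
    return 0


if __name__ == "__main__":
    hashed = store_credential(LEAKED_ROW["username"], LEAKED_ROW["password"])
    print("stored fields:", sorted(hashed))            # no 'password' key
    print("login with right password:", verify_credential(hashed, "Summer2019!"))
    print("login with wrong password:", verify_credential(hashed, "summer2019!"))
    # Constructed four-entry guess list standing in for a real wordlist.
    print("guesses needed:", crack_with_wordlist(hashed, ["password", "admin", "Summer2019!", "letmein"]))
```

Two details matter in practice: the salt is generated per record, so two users with the same password produce different hashes and a precomputed table is useless, and the comparison goes through hmac.compare_digest so the verifier does not leak how many leading bytes matched. Biometric templates need different handling again, since a fuzzy match cannot be done against a one-way hash; they belong encrypted at rest under a key that does not live in the same database.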
  • The Federal Trade Commission warns about fake Equifax settlement sites:
    • The Federal Trade Commission (FTC) warned that people impacted by the 2017 Equifax breach may fall prey to fake settlement sites
    • An estimated 147 million claimants may be eligible for up to $425 million in compensation as a result of the settlement
    • The FTC indicated that you should start at their official website to file a claim. You can find it at: ftc.gov/Equifax
    • A link on the FTC site will take you to the official Equifax Data Breach Settlement site. This is the ONLY official site: https://www.equifaxbreachsettlement.com/file-a-claim
    • They also indicated that you do not need to pay to file a claim. If you're asked to pay a filing fee, you're being scammed
    • You can also mail in your claim; the postal address is on the official site listed above
    • Beware of phishing emails that attempt to lure you to this site or any other site related to a data breach
    • Read more about the settlement at the FTC site here: https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-settlement-what-you-should-know
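Because "this is the ONLY official site" is the whole defense here, the check a mail filter or a careful reader actually needs is an exact hostname comparison, not a glance at whether the familiar name appears somewhere in the link. The following added example (written for this post, not FTC or Equifax code) allow-lists the settlement host and rejects the common lures: the real name used as a subdomain of an attacker's domain, the real name placed before an @ so the browser goes elsewhere, plain http, an odd port, hyphenated lookalikes and non-ASCII homograph hostnames. The sample links other than the genuine one are constructed for the example.

```python
from urllib.parse import urlsplit

# The only official claim site named in this post, with and without the www label.
OFFICIAL_HOSTS = {"www.equifaxbreachsettlement.com", "equifaxbreachsettlement.com"}


def is_official_settlement_link(url: str) -> bool:
    """Return True only for an https link whose host is exactly one of OFFICIAL_HOSTS.

    urlsplit().hostname is lower-cased and has any user@ prefix and :port
    stripped, so the comparison sees the host the browser will really contact.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    if not host.isascii():  # rejects homograph names such as a Cyrillic 'a'
        return False
    if port not in (None, 443):
        return False
    return host in OFFICIAL_HOSTS


def triage(links):
    """Classify a batch of links; returns [(url, is_official), ...] in input order."""
    return [(link, is_official_settlement_link(link)) for link in links]


# Constructed sample: the genuine link from this post plus typical phishing lures.
SAMPLE_LINKS = [
    "https://www.equifaxbreachsettlement.com/file-a-claim",            # genuine
    "http://www.equifaxbreachsettlement.com/file-a-claim",             # plain http
    "https://www.equifaxbreachsettlement.com@evil.example/file-a-claim",  # userinfo trick
    "https://equifaxbreachsettlement.com.claims-portal.example/",      # attacker subdomain
    "https://www.equifax-breach-settlement.com/",                      # lookalike spelling
    "https://www.equifaxbreachsettlement.com:8443/",                   # unexpected port
    "https://www.equif\u0430xbreachsettlement.com/",                   # Cyrillic 'а' homograph
]

if __name__ == "__main__":
    for link, official in triage(SAMPLE_LINKS):
        print("OFFICIAL" if official else "SUSPECT ", link)
```

The check deliberately refuses anything it cannot parse rather than falling back to a substring search, and it treats the hostname as the only thing that matters: path, query and display text are all under the sender's control in a phishing mail.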
  • Hackers at DEFCON 27 continue to have success breaking into voting systems:
    • There have been many reports in recent years regarding election security issues
    • Alex Rice, CTO and co-founder of HackerOne, pointed out that slot machines currently undergo more security assurance and regulation than voting machines
    • "A sufficiently motivated adversary would have no shortage of feasible strategies for the compromise of voting computers," Rice said
    • Many electronic voting systems run obsolete software such as Windows XP and Microsoft Access and don't get security updates
    • University of Michigan professor J. Alex Halderman participated in a project where the public was invited to attack a proposed Internet voting system. Halderman's team took less than 48 hours to gain access and change every vote
    • Halderman made a video showing how his team even accessed the security cameras to watch the people running the election system. Halderman said "We don't have the technology to vote online safely," and "It will be decades more before Internet voting can be secure"
    • In the past, many flaws have been found with voting machines. Auditors discovered they could connect to the machines' wireless network and change votes remotely without detection. Flaws included:
      • Easily crackable passwords including “abcde”, “admin” and “shoup” to secure the admin account, Wi-Fi network and voter results database respectively
      • Wi-Fi that uses easily crackable Wired Equivalent Privacy (WEP), which the FBI demonstrated could be broken in 3 minutes back in 2005
      • Ports that could be easily tampered with
      • Lack of logging
      • An unencrypted Microsoft Access database for voter results
    • Jeremy Epstein, a security expert specializing in e-voting from SRI International, has said: “The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place - within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know"
    • Hackers made big headlines at DEFCON 25 by exposing several vulnerabilities in voting technology. Disturbingly, they were eventually successful in hacking into every voting machine they tried
    • Several machines were broken into within two hours and, sadly, all were compromised within two and a half days
    • Many of the most typical voting machines are more than 15 years old. They run obsolete operating systems such as Windows 95. "The biggest barrier to hacking them was finding the right pieces of old software" Hall said
    • The Voting Machine Hacking Village (VMHV) at DEFCON offered a set of voting machines
    • An 11-year-old boy, Emmett Brewer, accessed a replica of the Florida secretary of state's website and was able to change the results of the "election" in less than 10 minutes
    • Sadly, election systems were not designated "critical infrastructure" until January 2017
    • The National Academies of Sciences and Engineering released a report (Securing the Vote: Protecting American Democracy) that says "Every effort should be made to use human-readable paper ballots in the 2018 federal election. All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election." Get a copy here: https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
    • At this year's recently concluded DEFCON 27, the Voting Village was once again eye-opening and disturbing
    • Voting Village involved hacking voting equipment, panels with election officials and security experts, and a demonstration of a $10 million experimental voting system from DARPA
    • The call for paper ballots was common. There are still several states whose voting machines have no auditable paper trail
    • US Senator Ron Wyden, a well-known privacy and security advocate, attended the Voting Village this year. He said "White hat hackers do an invaluable public service in this technologic age by identifying security holes and, if necessary, shaming the government or the companies responsible into fixing them"
    • Some of the devices' weaknesses were exposed in interesting ways; for example, one electronic poll book had Doom installed on it
    • This year's findings included:
      • ES&S's ExpressPoll pollbook uses the vendor's name as the password and stores maintenance credentials in plain text
      • The ES&S Automark 300 administrator password was discovered via an Internet search
      • The AccuVote optical scanner could allow an attacker to add votes, after polls close, that appear to have been cast during the election timeframe
      • Dominion's ImageCast Precinct system contains an exposed flash card that could allow vote tampering
    • You should contact your representatives and urge them to read these reports and work to ensure that our elections are secure