
The Shared Security Podcast Episode 48 – Password Manager Compromise, Fingerprint Insecurity, Quitting Social Media



This is the 48th episode of the Shared Security Podcast, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded on November 23, 2015. Below are the show notes, commentary, and links to the articles and news mentioned in the podcast:

Hacking tool swipes encrypted credentials from password manager

This article, and the associated incident, is an excellent reminder that there is no easy solution to securing EVERYTHING. Using an infected computer presents so many catastrophic scenarios, it’s not really wise to view this problem as a problem with password managers.

If a computer is infected with malware, the attacker can capture passwords as you enter them into any site. You could add a 2-factor authentication mechanism (like Google Authenticator), or force a user to enter a master password to access anything in a password manager’s database, but you then still have the problem of malware capturing what you enter into a site’s password field (even without a password manager), and the 2-factor MAN-IN-THE-MIDDLE attack we talked about in the last episode of the Shared Security Podcast.

This is one of many reasons I often emphasize the need to try to avoid malware risks by having good surfing habits, like:

– Not visiting questionable sites
– Not clicking on links or attachments in emails you weren’t expecting, or that look suspicious
– If you must do the above, do it on a different computer or a Virtual Machine environment, where an infection will probably not compromise your existing data

I still use a password manager, because it helps defend against many more risks than it is vulnerable to.

– Scott

Your Unhashable Fingerprints Secure Nothing

Wow! I’ve actually had my concerns about any biometric authentication schemes (like fingerprints, iris scanners, facial recognition, etc.) since watching the movie MINORITY REPORT. Now, I’m CERTAIN they are not the way to go.

This is an amazingly well-written story that explains in elegant detail why fingerprints (and, I suspect, most biometric authentication factors) are actually a dangerous way of authenticating people. If you’re not technically inclined, it could be a difficult article to read, but here are my important take-aways:

1) THEY AREN’T REALLY SECRET – Your fingerprints are probably not as secret as any of your well-chosen passwords, because they can be either photographed from a fair distance with a high resolution camera, or lifted using standard forensic techniques from almost anything you’ve touched (e.g. a mug, a door knob, a keyboard, a steering wheel, a water tap, a seat back, etc.);

2) THEY ARE EASY TO REPRODUCE AND USE TO IMPERSONATE YOU – Fingerprints, once known (by lifting or by high resolution photos), can be easily reproduced pretty quickly, and without much effort, on a LATEX SKIN, and used at will;

3) THEY CAN’T BE REVOKED OR CHANGED – If your fingerprint is lifted from something and used to compromise your identity, there is literally no way to revoke – or reset – your fingerprint authenticator. So, it should never be used again, just like when you are asked to change your password after a data breach;

4) THEY AREN’T USUALLY SECURED WELL (or HASHED) – For fingerprint authentication to work properly, an authentication system has to verify that an impression of your print at the time of an authentication request is a CLOSE MATCH to one you gave at the time you registered to
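As an added illustration of point 4 (this is not part of the show notes or the article), the following Python models why a fingerprint, unlike a password, cannot be protected with a one-way hash: every fresh scan differs slightly from the enrolled template, so a hash comparison always fails and only a similarity match against the stored template succeeds, which forces the system to keep the template itself rather than a hash. The 64-bit template, the salt value and the 6-bit match tolerance are constructed assumptions for the demo.

```python
import hashlib
import hmac
import random

TEMPLATE_BITS = 64
MATCH_THRESHOLD = 6   # assumed tolerance: scans differing in <= 6 bits count as the same finger


def hash_secret(secret: bytes, salt: bytes) -> bytes:
    """Salted, stretched hash of the kind used for password storage."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def verify_hashed(candidate: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Succeeds only when the candidate is bit-for-bit identical to what was enrolled."""
    return hmac.compare_digest(hash_secret(candidate, salt), stored_hash)


def noisy_scan(template: int, flipped_bits: int, seed: int) -> int:
    """Simulate a later scan of the same finger: a few feature bits differ from enrolment."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        template ^= 1 << pos
    return template


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def verify_similar(candidate: int, enrolled_template: int) -> bool:
    """What a biometric matcher must do: compare against the stored template in the clear."""
    return hamming(candidate, enrolled_template) <= MATCH_THRESHOLD


def demo() -> dict:
    salt = b"constructed-salt"
    # Password: the user retypes exactly the same bytes, so storing a hash is enough.
    pw_hash = hash_secret(b"correct horse battery", salt)
    password_ok = verify_hashed(b"correct horse battery", salt, pw_hash)

    # Fingerprint: enrolment and later scans are never identical, so the hash never matches.
    enrolled = 0x5EEDF00DCAFEBABE  # constructed sample template
    fp_hash = hash_secret(enrolled.to_bytes(8, "big"), salt)
    later = noisy_scan(enrolled, 3, seed=1)
    hashed_fp_ok = verify_hashed(later.to_bytes(8, "big"), salt, fp_hash)
    similar_fp_ok = verify_similar(later, enrolled)
    return {"password_hash_ok": password_ok, "fingerprint_hash_ok": hashed_fp_ok,
            "fingerprint_similarity_ok": similar_fp_ok, "bits_changed": hamming(later, enrolled)}
```

Because the matcher needs the enrolled template in a comparable form, a breach of the biometric database exposes the template itself, and point 3 above means it cannot be rotated afterwards.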


Published on 10 years, 1 month ago