4.5.17

Fingerprint security: Three myths busted


Fingerprints have long been viewed as the ultimate identifier, unique only to you and impossible to steal, which is why fingerprint readers have become integral to smartphone and mobile device security.
So, it seems, these gadgets must now be at their most secure. Well, not quite. We debunk three myths in this short feature to bring some clarity to the subject of fingerprint security.
Myth 1: Fingerprint security more secure than passwords
Contrary to what many people assume, biometric readers are not foolproof. They have their own set of vulnerabilities: the technology can be exploited, and fingerprints can be stolen (even from photographs).
For example, in America, it is Homeland Security policy to collect fingerprints from non-US citizens between the ages of 14 and 79 as they enter the country. Meanwhile, the FBI keeps a file of an estimated 100 million prints, of which more than 30 million are “civil prints”, i.e. not linked to criminal activity.
These two examples amount to repositories of sensitive information, which will appeal to cybercriminals. If this information can be accessed then, just like credit card and PIN numbers, it is entirely possible for it to be stolen and used maliciously.
Myth 2: You can’t copy a fingerprint
In 2013, Apple ushered in the era of the biometrical mainstream by announcing the addition of a fingerprint scanner to its iPhone 5s. It promised to keep your phone super protected while providing a Touch ID method of purchasing things from iTunes and the App Store – effectively removing the need for passwords (not totally, mind you).
But within two days of the new handset launching, a German security researcher known as Starbug used publicly available software called VeriFinger to recreate the fingerprints of Germany’s Minister of Defence from high-resolution photos, claiming the copy was good enough to trick fingerprint systems used for biometric authentication.
More recently, in 2016, biometrics firm Vkansee demonstrated that the “technology can be spoofed”: all you need is clay and some Play-Doh to capture enough fingerprint detail to dupe a sensor into thinking it is the real thing. However, the firm did state that the process is rather convoluted and unlikely to result in breaches of this ilk. Nevertheless, it does show that fingerprints can be copied.
Myth 3: Fingerprints will replace passwords in the future
Given that fingerprints can be stolen, copied and used to bypass today’s readers, it’s clear we have a long way to go before passwords are made obsolete. And even then, the likelihood is that passwords are going to be around for a long time.
What this highlights is that there is no single solution to security; many experts advise an approach that combines multiple measures, so that an attacker has to get past more than one check to reach whatever it is you seek to protect.
In practice, this means a mix of fingerprints, passwords and additional security in the shape of two-factor authentication may be required, especially in instances where the information or assets, digital or physical, are of a particularly sensitive nature.

A short history of the computer password



The password is nothing new. In fact, it has been around for centuries. Way before Hotmail, Skype and Netflix were prompting you to create a secure code with a funky username, the Romans reportedly used passwords as a way to convey important military messages between troops.
Essentially, it was a simple way to protect information. Fast forward a few thousand years and enter Fernando Corbató.
Widely regarded as the godfather of the modern computer password, he introduced the idea to computer science while working at the Massachusetts Institute of Technology (MIT) in 1960.
The university had developed a huge Compatible Time-Sharing System (CTSS) that all researchers had access to. However, they shared a common mainframe as well as a single disk file.
To help keep individual files private, the concept of a password was developed so that users could only access their own specific files for their allotted four hours a week – hey, computer time was limited back in the 60s.
Although the password was less than perfect, something Corbató is the first to admit, it went on to become the go-to method for computer security, both in the personal and corporate spheres, due to its simplicity (although this would later be seen as one of its faults).
Hashing, salt and cryptology
In those early days of computing, the use of passwords in this sense was fairly limited, mainly to guys like Corbató and his team who were among the first to really explore the power of computers.
However, as the world wide web exploded in the 90s, more and more people began using the internet on a regular basis, creating reams of sensitive data and information in the process.
But even before the web went into overdrive, early computer scientists were working on a way to make passwords more secure. And, to do that, computer science took a leaf from cryptology.
Working for Bell Labs in the 70s, cryptographer Robert Morris devised “hashing”: the process by which a string of characters is transformed into a numerical code that represents the original phrase.
Hashing was adopted in early Unix-like operating systems, which are widely used today across the world in mobile devices and workstations. Apple’s macOS, for example, uses Unix, while the PlayStation 4 uses Orbis OS, a Unix-like operating system.
Adding yet another level of security, modern password databases can also employ “salting” to further protect a password: random data is inserted before the password, and then the resulting string is hashed.
This, however, doesn’t stop a simple password from being guessed: the main aim is to stop a leaked password or multiple passwords (for example, in the event a database has been breached) from being cracked and used.
But back when Corbató devised the password, security wasn’t such a huge issue: hacking, as we understand it today, didn’t really appear until the 80s.
Now, it’s a different story: almost everything is online.
From banking and shopping, to TV and music, we keep our data safe with a string of digits and letters. But how safe is it? Even huge companies eBay and LinkedIn have been attacked in recent years, compromising the passwords of their users.
The pros and cons of the password
There are a couple of seemingly intrinsic problems with passwords. One: short ones are easy to remember but also easy to guess. Two: longer ones are harder to crack but also harder to remember.
Keeping so many different passwords can be difficult too. Just think about how many online accounts the average person has: online banking, personal email, iTunes, Skype, Amazon … the list goes on and on.
This has led many people to just use one or two passwords across the board. This, of course, poses a major problem: if attackers work it out, they then have access to everything.
Another issue is the choice of the password itself. Shockingly, SplashData found that a great many people still used “password” or “123456” as the key to their sensitive data – it’s not going to take a cybercriminal much effort or time to crack that code now, is it?
The password is dead … long live the password
Passwords do, of course, provide a level of security, and despite the likes of Bill Gates saying it was dead way back in 2004, most companies with online portals still use them.
So how can you make your passwords more secure? Well, there are a few options.
The people behind World Password Day, an initiative focused on improving password strength, suggest that each account should have its own unique password to avoid this very issue.
Creating strong passwords in the first place is also crucial. Codes that combine words and numbers, avoid obvious personal information and are eight or more characters in length generally work best.
Users can also adopt a “passcode” strategy for increased security, or adopt two-factor authentication, where a password is only one step in gaining access to sensitive data.
Further, moving beyond passwords is recommended: passphrases, for example, offer users better security courtesy of longer, more complex sentences, while still being easy to remember.
If all this password malarkey seems a bit much, you could take a leaf from the late cryptographer Robert Morris (father of Robert Morris Jr, author of the Morris Worm). Besides his contributions to password hashing and the tips above, he had a slightly more unusual suggestion for computer security:
“The three golden rules to ensure computer security are: do not own a computer; do not power it on, and do not use it.”
A little too extreme perhaps …

3.5.17

No more pointless password requirements


You know the struggle – you’re staring at yet another sign-up form, on yet another website, after being asked to create an account in order to proceed.
You give it your best to come up with a password you aren’t already using across your most crucial online accounts and hit submit. Not so fast! “Password must contain at least one uppercase letter.” Okay then, there you go, submit. “Password must contain at least one special character.” Now the password can’t contain the very character you’ve chosen. Sorry, now the “password is too long”.
Well, all this may be about to change.
As of May 1, the new Digital Identity Guidelines drafted by NIST (the US National Institute of Standards and Technology) are closed for public comment and ready to be finalized.
The guidelines will bring new and improved password requirements, changing most of what we’ve known as a “necessary evil” needed to secure our accounts.
As many of the previously utilized rules have proven ineffective or even counterproductive, NIST now recommends administrators leave out any measures that put a burden on users but don’t significantly improve their security.
Doing so is expected to lead to increasingly secure authentication, as users won’t be compelled to find easy (and insecure) ways around overly complicated requirements.
Although the guidelines are only binding for federal agencies, they tend to have great influence on organizations in general, which in turn affects internet users worldwide.
So what are some of the major changes ahead?
No more enforced composition rules
Complex composition rules (such as requiring users to include both uppercase and lowercase characters, at least one number and a special character) are to be eliminated. The reason is that such rules rarely encourage users to set stronger passwords and instead result in passwords that are both weak and difficult to remember.
No more periodic password expiration
The new guidelines also advise against requiring routine password changes unless the subscriber requests a change or there is evidence of a compromise. The argument here is that users only have so much patience for having to constantly think of new reasonably strong passwords, thus forcing them to do it repeatedly can do more harm than good.
No more hints and knowledge-based authentication
Another thing to leave behind, according to NIST, are password hints and knowledge-based verification questions. While these might in fact help users on their search for forgotten passwords, they can also be of great value to attackers, even more so if reused on multiple sites.
Blacklist of unacceptable passwords
Instead of the previously used composition rules, NIST recommends checking new passwords against a “blacklist” of the most commonly used and/or previously compromised passwords and evaluating matching attempts as unacceptable.
Broader variety of characters
When setting a password, users should be able to choose freely from all printable ASCII characters, as well as Unicode characters including emojis. Users should also have the option of using spaces, which are a natural part of passphrases, an often-recommended alternative to traditional passwords.
Minimum length of eight characters
The new guidelines acknowledge length as the key factor in password strength and introduce a minimum required length of eight characters reaching up to a maximum of 64 characters.
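The password-acceptance rules described above, collected into one check as an added example (not code from the article or from NIST): no composition rules, a blocklist lookup, spaces and Unicode allowed, and a length of 8 to 64 counted in Unicode code points rather than bytes. The NFKC normalization step and the tiny blocklist are assumptions made for this example.

```python
import unicodedata
from typing import Optional, Set

# Constructed stand-in for a real list of common and previously breached
# passwords; a production list would be far larger.
BLOCKLIST: Set[str] = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 8
MAX_LENGTH = 64


def normalize(password: str) -> str:
    # Assumption for this example: apply Unicode compatibility normalization so
    # that visually identical input (composed vs. decomposed accents, different
    # keyboards) is treated as the same secret at enrolment and at login.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it is not.

    Deliberately absent: uppercase/digit/symbol requirements and any ban on
    spaces or non-ASCII characters. Only length, control characters and the
    blocklist are checked.
    """
    pw = normalize(candidate)
    length = len(pw)  # code points, so an emoji or an accented letter counts once
    if length < MIN_LENGTH:
        return f"too short: {length} < {MIN_LENGTH}"
    if length > MAX_LENGTH:
        return f"too long: {length} > {MAX_LENGTH}"
    # Reject only true control characters (tab, newline, escape, ...); joiners and
    # variation selectors used inside emoji sequences are left alone.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return "control characters are not allowed"
    # Blocklist comparison is case-insensitive here, an assumption of this example.
    if pw.casefold() in blocklist:
        return "password appears on the blocklist of common or breached passwords"
    return None


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "my 🔑 is safe", "Secret1", "PASSWORD"]:
        print(repr(sample), "->", check_password(sample) or "accepted")
```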
One factor is not enough (but leave SMS out of it)
No matter how much effort you put into improving your passwords, they remain just a single barrier standing between potential attackers and your valuable data. When aiming for secure accounts, an additional layer of authentication should be considered as an absolute must. NIST knows this and recommends utilizing two-factor or multi-factor authentication whenever possible.
The point of 2FA/MFA is to verify that the person trying to gain access to an account is really the person authorized to do so. In practice, this can be done using something you know (like a memorized password or a PIN), something you have (such as a security token or a mobile phone) or something you are (biometric methods like fingerprint readers, face or retina scanners).
What’s new in the latest recommendations in terms of 2FA? SMS is no longer advised as a second factor due to it being susceptible to numerous threats. A more secure alternative to SMS includes hardware devices, as well as software-based one-time password (OTP) generators – such as secure apps installed on mobile devices.
The new guidelines introduce a more straightforward approach to digital authentication, which has the potential to improve the current situation not only in terms of user-friendliness, but also in terms of security. And because passwords don’t seem to be going anywhere just yet, we might as well try and make the best out of them.
NIST is not alone in its recommendation either. The people behind World Password Day, an initiative focused on improving password strength, suggest that each account should have its own unique password, and that users can also adopt a “passcode” strategy for increased security or two-factor authentication, where a password provides only one of the steps needed to gain access to sensitive data. The takeaway here thus echoes one of our most central pieces of advice: use a reliable multi-layered security solution.

AEB and DHBW Stuttgart launch online study: What role does agile project management play in logistics and international supply chains?


Hype or current trend? Leaders in the fields of logistics, supply chain management, customs and export are invited to complete an online questionnaire on agile project management between now and 12 June 2017 at www.aeb.com/gtm-study.
Who is already using the agile methodology? What are the benefits and success factors? What are the drawbacks and risks?

Many supply chain and logistics projects today are so complex, and their environments so dynamic, that traditional project management methods are no longer sufficient. One alternative is agile project management. Users hope it will bring more efficiency, more flexibility and lower costs. It is a promising approach, but does it also work in logistics and international supply chains? This question is at the heart of a joint study by software vendor AEB and the Baden-Württemberg Cooperative State University (DHBW) in Stuttgart. Both partners invite you to take part in the study between now and 12 June 2017 at www.aeb.com/gtm-study.

Agility: hype with substance?
“Software developers have been using agile methods and techniques for some time. We are now seeing more and more examples of agile project management in other sectors. Agility is the talk of the day and a real hype,” observes Dr. Dirk Hartel of DHBW Stuttgart. “With our study we want to find out whether logistics and supply chain professionals are also applying agile methods and techniques, and what their experiences with them are,” explains Dr. Ulrich Lison, AEB’s expert in international trade. That is why the study focuses on questions such as: What is companies’ view on applying agile project management in logistics and supply chains? How do project managers apply these methods and techniques? And how successful is this approach really?

Logistics managers, supply chain professionals and customs and export experts at companies of all sectors and sizes are invited to share their views and complete the online questionnaire before 12 June 2017. Everyone who takes part in the study will receive the research report free of charge as soon as it is published (planned for autumn 2017). In addition, various prizes will be raffled among all participants, including a handsome, sturdy laptop backpack, flexible tablet keyboards and power banks.

Global Trade Management Agenda series
The ‘Agile Project Management in Global Trade and Logistics’ study is part of the ‘Global Trade Management Agenda’ series, a joint project of software house AEB and Dr. Dirk Hartel of DHBW Stuttgart. The studies in this series cover current issues in logistics and supply chain management. The latest study, published at the end of 2016, covered apps in logistics and international supply chains. Download a free copy today by going to www.aeb.com and clicking on Media.

About AEB (www.aeb.com – www.aeb.com/nl)

With over 30 years of experience, AEB is one of the leading providers of global IT solutions and services for supply chain management, with a focus on the logistics of procurement, warehousing and distribution, foreign trade and risk management. With its ASSIST4 logistics suite, AEB offers an application with end-to-end process support and full transparency for the planning and control of global delivery networks. AEB is an international company with over 5,000 customers in Europe, Asia and the Americas. AEB’s headquarters are in Stuttgart, with offices in Hamburg, Soest, Düsseldorf and Munich as well as international offices in the United Kingdom, Singapore, Switzerland, Austria, Sweden, the Netherlands, the Czech Republic, France and the USA.