[By John Gallagher, Vice President of Viakoo Labs]

Biometric security is often viewed as superior to passwords when it comes to protecting sensitive systems or data. Because biometrics sit at the interface between physical and software security, verified by unique personal identifiers such as iris scans, fingerprint scans, or voice verification, they seemed invulnerable to the types of attacks that each kind of system was susceptible to on its own. Recent news has proven otherwise.

The Widening Gaps in Biometric Security

Earlier this year, an Arizona mother received a late-night ransom call with her 15-year-old daughter pleading in distress on the other end of the line. “The voice sounded just like Brie’s, the inflection, everything,” she told reporters – but it wasn’t her daughter on the line. It was an AI-generated clone of her daughter’s voice, built from snippets of audio and used to create a fake recording with enough fidelity that even the child’s mother could not tell the difference.

We saw a remarkable surge in the frequency and quality of deepfakes last year. The increasing availability of biometric data makes these types of scams relatively easy to execute. Threat actors can mine IoT-connected devices like video databases for iris, fingerprint, and facial recognition data – think of a typical office environment where a person might pass a high-resolution camera multiple times a day for several months. A bit of the iris here, a partial fingerprint there – with enough repetition, compute power, and time, threat actors could “crack” a person’s full biometric profile with relatively little effort (not to mention capturing passwords if the cameras are positioned to read keyboards). As the technology evolves rapidly, attackers can now insert the deepfake right into the video feed, avoiding some of the liveness checks that biometric systems perform. For this reason, securing video surveillance systems and the data they generate will be crucial in the upcoming year. IoT devices are among the largest unsecured attack surfaces for most modern organizations. As cybercriminals become increasingly clever and sophisticated, lax IoT security poses a greater risk than ever before.

Leveraging Emerging Technologies and Processes to Overcome Challenges

These issues, combined with advances in artificial intelligence (AI) and quantum computing, have the potential to break biometrics. The solution? Greater use of AI by defenders at all levels – specifically using AI to drive more rapid expansion of zero trust approaches, threat detection mechanisms, early eradication of bots and malware, and use of digital authentication methods such as certificates.

Organizations must make strong, proactive investments in improving their security posture to stay ahead of the evolving threat landscape. As attackers use AI to find and exploit vulnerabilities, IT and security teams should leverage AI at every level of defense to act as a force multiplier, aggregating and prioritizing data, identifying likely attack paths, revealing lateral access, highlighting back doors, and compiling potential remediation actions.

Despite the size and scale of its potential impact, the “end” of biometrics is also the continuation of an increasingly popular trend: the move to zero trust. The cloud era ushered in the decline of the traditional security perimeter, and the shift to remote work amid the Covid-19 pandemic delivered its last rites. Zero trust should be the default position for all organizations – meaning that each user is continually verified not only based on their credentials, but on the data they’re accessing. A sophisticated zero trust capacity can identify and confront unauthorized access faster than any traditional security protocol. Regardless of the method of attack, zero trust enables organizations to regulate network access to a granular degree in real time, limiting the risk of any unauthorized access.

Preparing for the Future

While the end of biometric security has deep implications for organizations across industry and government, there are concrete actions leaders can take to protect against the threats that will emerge in the gap. By expanding the use of AI in cyber defense, along with investing in tools to achieve a comprehensive zero trust network state, organizations can defend against these threats and evolve with threats in the era of AI and quantum computing.

The post Are We Experiencing the End of Biometrics? appeared first on Cybersecurity Insiders.

In 2000, I wrote: “If McDonald’s offered three free Big Macs for a DNA sample, there would be lines around the block.”

Burger King in Brazil is almost there, offering discounts in exchange for a facial scan. From a marketing video:

“At the end of the year, it’s Friday every day, and the hangover kicks in,” a vaguely robotic voice says as images of cheeseburgers glitch in and out over fake computer code. “BK presents Hangover Whopper, a technology that scans your hangover level and offers a discount on the ideal combo to help combat it.” The stunt runs until January 2nd.

This is an old piece of malware—the Chameleon Android banking Trojan—that now disables biometric authentication in order to steal the PIN:

The second notable new feature is the ability to interrupt biometric operations on the device, like fingerprint and face unlock, by using the Accessibility service to force a fallback to PIN or password authentication.

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

They’re not that good:

Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we’ve reviewed in the last few years. It’s likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Details.

The personal information of more than 815 million people in India has reportedly been leaked online. According to local media reports, hackers have offered for sale the personally identifiable information (PII) - including that found on Aadhaar identity cards - belonging to hundreds of millions of Indian residents. Read more in my article on the Hot for Security blog.

Data Centers play a pivotal role in today’s digital landscape, serving as the backbone of information storage and processing for organizations worldwide. As the volume and sensitivity of data continue to grow, the importance of maintaining robust cybersecurity measures within data centers cannot be overstated. In this article, we will explore the potential of biometric monitoring as a tool to enhance the cybersecurity posture of data centers.

The Data Center Cybersecurity Challenge

Data centers store vast amounts of sensitive and critical information, making them prime targets for cyberattacks. Attack vectors such as ransomware, distributed denial of service (DDoS) attacks, and insider threats constantly threaten the security and integrity of these facilities. Traditional security measures like firewalls, encryption, and access controls have been essential but may no longer be sufficient to thwart evolving cyber threats.

The Role of Biometric Monitoring

Biometric monitoring involves the use of unique physical or behavioral traits for identification and authentication. Common biometric modalities include fingerprint recognition, facial recognition, iris scanning, and voice recognition. When applied within data centers, biometric monitoring can provide several advantages that contribute to a stronger cybersecurity posture:

Enhanced Access Control: Biometric authentication ensures that only authorized personnel gain access to critical data center areas. Traditional methods like keycards and passwords can be lost, stolen, or compromised, while biometric data is much more difficult to replicate.

Real-time Monitoring: Biometric systems can continuously monitor and verify the identity of individuals within the data center. If an unauthorized person gains entry, the system can trigger alarms and immediate security responses.

Mitigation of Insider Threats: Insider threats, where employees misuse their access privileges, can be particularly challenging to detect. Biometric monitoring helps mitigate this risk by ensuring that the person accessing sensitive systems is the authorized user.

Reduced Password Vulnerabilities: Passwords are susceptible to brute-force attacks and phishing attempts. Biometric authentication reduces the reliance on passwords, thereby reducing these vulnerabilities.

Audit Trails: Biometric systems can generate detailed logs of access events, providing a comprehensive audit trail for security analysis and compliance purposes.

Challenges and Considerations

While biometric monitoring offers significant advantages, it is not without challenges and considerations:

Privacy Concerns: Collecting and storing biometric data can raise privacy concerns. Proper data handling and compliance with data protection regulations are essential.
False Positives and Negatives: Biometric systems can produce false positives (accepting an unauthorized user) or false negatives (rejecting a legitimate user). Ensuring the accuracy of the system, and understanding how the two error rates trade off against each other, is crucial.
Cost: Implementing biometric systems can be costly, both in terms of initial investment and ongoing maintenance.
Integration: Integrating biometric systems with existing data center security infrastructure may require significant effort and planning.
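The accuracy trade-off behind the false positives and negatives item above, as an added example that is not part of the original article: a Python threshold sweep over constructed match scores from a hypothetical matcher, computing the false accept rate (FAR), the false reject rate (FRR), the equal-error point, and the threshold a security-first policy (cap FAR first) would select. All scores are constructed sample data, not output from any real sensor.

```python
# Added example (not from the original article): sweeping the decision
# threshold of a biometric matcher to see how false accepts and false
# rejects trade off. The match scores below are constructed sample data
# from a hypothetical matcher, not real sensor output.

# Similarity scores in [0, 1]. A "genuine" score compares an enrolled
# template with a probe from the same person; an "impostor" score compares
# it with a probe from someone else. (Constructed values.)
GENUINE_SCORES = [0.91, 0.88, 0.86, 0.84, 0.83, 0.79,
                  0.77, 0.74, 0.72, 0.69, 0.65, 0.58]
IMPOSTOR_SCORES = [0.62, 0.57, 0.55, 0.52, 0.49, 0.47,
                   0.44, 0.41, 0.38, 0.35, 0.31, 0.27]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False accept rate: share of impostor attempts scoring at or above threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False reject rate: share of genuine attempts scoring below threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) at every distinct observed score, ascending."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def equal_error_point(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest; the rate there is the EER."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES,
                          impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR is at or below max_far, or None.

    A data center door is usually tuned this way: cap the false accept
    rate first, then read off the false reject rate operators must live
    with (and plan a supervised fallback for those rejected entries).
    """
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    return None
```

Raising the threshold above the equal-error point drives FAR to zero at the cost of rejecting some legitimate staff, which is why the fallback path for rejects (a guard, a second factor) needs as much attention as the matcher itself.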

Conclusion

Data center cybersecurity is an ongoing challenge in an increasingly connected world. Biometric monitoring presents a promising solution to enhance security measures, particularly when used in conjunction with existing security protocols. While there are challenges to consider, the potential benefits in terms of access control, insider threat mitigation, and overall security posture make biometric monitoring a compelling option for data center operators looking to fortify their defenses against cyber threats. As technology continues to evolve, biometrics may become an indispensable tool in the arsenal of data center security measures.

The post Can Biometric Monitoring Improve the Cybersecurity Posture of Data Centers appeared first on Cybersecurity Insiders.

Interesting article on technologies that will automatically identify people:

With technology like that on Mr. Leyvand’s head, Facebook could prevent users from ever forgetting a colleague’s name, give a reminder at a cocktail party that an acquaintance had kids to ask about or help find someone at a crowded conference. However, six years later, the company now known as Meta has not released a version of that product and Mr. Leyvand has departed for Apple to work on its Vision Pro augmented reality glasses.

The technology is here. Maybe the implementation is still dorky, but that will change. The social implications will be enormous.

Interesting story:

Napoleon Gonzalez, of Etna, assumed the identity of his brother in 1965, a quarter century after his sibling’s death as an infant, and used the stolen identity to obtain Social Security benefits under both identities, multiple passports and state identification cards, law enforcement officials said.

[…]

A new investigation was launched in 2020 after facial identification software indicated Gonzalez’s face was on two state identification cards.

The facial recognition technology is used by the Maine Bureau of Motor Vehicles to ensure no one obtains multiple credentials or credentials under someone else’s name, said Emily Cook, spokesperson for the secretary of state’s office.

In case you don’t have enough to worry about, someone has built a credible handwriting machine:

This is still a work in progress, but the project seeks to solve one of the biggest problems with other homework machines, such as this one that I covered a few months ago after it blew up on social media. The problem with most homework machines is that they’re too perfect. Not only is their content output too well-written for most students, but they also have perfect grammar and punctuation—something even we professional writers fail to consistently achieve. Most importantly, the machine’s “handwriting” is too consistent. Humans always include small variations in their writing, no matter how honed their penmanship.

Devadath is on a quest to fix the issue with perfect penmanship by making his machine mimic human handwriting. Even better, it will reflect the handwriting of its specific user so that AI-written submissions match those written by the student themselves.

Like other machines, this starts with asking ChatGPT to write an essay based on the assignment prompt. That generates a chunk of text, which would normally be stylized with a script-style font and then output as g-code for a pen plotter. But instead, Devadath created custom software that records examples of the user’s own handwriting. The software then uses that as a font, with small random variations, to create a document image that looks like it was actually handwritten.

Watch the video.

My guess is that this is another detection/detection avoidance arms race.

Who has been warning Italian criminals that their phones are wiretapped? Can you trust your voice to protect your bank account? And why is TikTok being singled out by investigators? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.