Daily Archives: February 6, 2023

News

The ethics of biometric data use in security

Read Time:4 Minute, 38 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In a world where you can scan the veins in your hand to unlock a smartphone, how do you maintain control over personal data? Biometric authentication, the use of distinctive human features like iris patterns, fingerprints and even gait in lieu of a password, is gaining ground in the tech world.

Proponents tout its inherent, hard-to-replicate qualities as a security benefit, while detractors see the same features as an invasion of privacy. Both sides may be right.

The problems with biometrics

Unlike a password, you can’t forget your face at home. But also, unlike a password, you can’t reset your face — meaning you’re out of luck if someone steals a photo of it.

In 2016, a biometrics researcher helped investigators hack into a murder victim’s phone with only a photo of the man’s fingerprint. While security systems are getting more advanced all the time, current technology also allows cybercriminals to run wild with a single piece of biometric data, accessing everything from laptop logins to bank accounts.

By its very nature, biometric authentication requires third parties to store biometric data. What happens if the information is exposed?

In addition to potential hacking, breaching people’s personal data might reveal something they’d rather keep private. Vein patterns could reveal that a person has a vascular disorder, raising their insurance premiums. Fingerprints could expose a chromosomal disease.

True, people give this same information to their doctors, and a medical data breach could have the same repercussions. But handing off biometric data to a commercial company — which isn’t bound by HIPAA or sworn to do no harm — is a much grayer area.

Another issue that occasionally plagues biometric authentication is injuries and natural bodily changes. A single paper cut can derail a fingerprint scanner, and an aging eye throws iris scanners for a loop. People will have to update their photos every few years to remind the system what they look like.

Some facial recognition programs can even predict how long a person will live. Insurance companies have expressed interest in getting hold of this data, since the way a person ages says a lot about their health. If stolen biometric data fed into an algorithm predicts a person won’t make it past 50, will their employer pass them up for a promotion?

In the event of an accident, your family won’t easily be able to access your accounts if you use biometric authentication, since it’s not as simple as writing down a list of passwords. Maybe that’s a good thing — but maybe not.

Another ethical dilemma with biometric data use is identifying people without their consent. Most people are used to being on camera at the grocery store, but if that same camera snaps a photo without permission and stores it for later retrieval, they probably won’t be too happy.

Some people point out that you have no right to privacy in a public space, and that’s true — to an extent. But where do you draw the line between publicity and paparazzi? Is it OK to snap a stranger’s photo while you’re talking to them, or is that considered rude and intrusive?

The benefits of biometric data

Of course, no one would be handing off a photo of their face if the technology was good for nothing.

It’s quick, easy, and convenient to log into your phone by putting your thumb on the home button. Though it’s possible for a hacker to find a picture of your thumbprint, they’d also have to snag your phone along with it to log in, essentially having to bypass a two-factor authentication system. Who has time for that just to steal a reel of cat photos?

Hackers also can’t brute-force their way into guessing what your face looks like. Letter and number combinations are finite, but the subtle variations of the human body are limitless. Nobody can create a program to replicate your biometric data by chance. Consequently, biometric authentication is an extremely strong security measure.

Police can also use biometric analysis to get criminals off the streets. Unlike a human with questionable accuracy, a camera is a reliable witness. It’s not perfect, of course, but it’s much better than asking shaken crime victims for a description of who mugged them. Smart cameras equipped with facial recognition can prevent wrongful detainments and even acquit people who would otherwise languish in jail.

The flip side is that facial recognition does occasionally get it wrong — people have been arrested for crimes they didn’t commit thanks to camera footage of a lookalike. As camera technology improves, hopefully the incidence of people being wrongfully accused will lessen. But for the few outliers who still get misidentified, the consequences can be grave.

Facing the facts

Ultimately, people will have to decide for themselves if they’re comfortable using biometric technology. You probably won’t encounter any problems using biometric authentication to access your phone or laptop, and it can vastly improve your security. The bigger ethical debate is in how third parties can use publicly available data — whether legal or leaked — to further their own gains. In the meantime, just know that your face is probably already in a database, so keep an eye out for doppelgangers.

Read More

Advisories

USN-5842-1: EditorConfig Core C vulnerability

Read Time:14 Second

Mark Esler and David Fernandez Gonzalez discovered that
EditorConfig Core C incorrectly handled memory when handling
certain inputs. An attacker could possibly use this issue to cause
applications using EditorConfig Core C to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Read More

News

Will your incident response team fight or freeze when a cyberattack hits?

Read Time:46 Second

If there’s an intrusion or a ransomware attack on your company, will your security team come out swinging, ready for a real fight? CISOs may feel their staff is always primed with the technical expertise and training they need, but there’s still a chance they might freeze up when the pressure is on, says Bec McKeown, director of human science at cybersecurity training platform Immersive Labs.

“You may have a crisis playbook and crisis policies and you may assume those are the first things you’ll reach for during an incident. But that’s not always the case, because the way your brain works isn’t just fight or flight. It’s fight, flight, or freeze,” she says. “I’ve heard people say, ‘We knew how to respond to a crisis, but we didn’t know what to do when it actually happened.’”

To read this article in full, please click here

Read More

Advisories

CVE-2017-20176

Read Time:21 Second

A vulnerability classified as problematic was found in ciubotaru share-on-diaspora 0.7.9. This vulnerability affects unknown code of the file new_window.php. The manipulation of the argument title/url leads to cross site scripting. The attack can be initiated remotely. The name of the patch is fb6fae2f8a9b146471450b5b0281046a17d1ac8d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220204.

Read More

Advisories

CVE-2014-125086

Read Time:23 Second

A vulnerability has been found in Gimmie Plugin 1.2.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file trigger_login.php. The manipulation of the argument userid leads to sql injection. Upgrading to version 1.3.0 is able to address this issue. The name of the patch is fe851002d20a8d6196a5abb68bafec4102964d5b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220207.

Read More

Advisories

USN-5824-1: Thunderbird vulnerabilities

Read Time:2 Minute, 54 Second

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2022-45403, CVE-2022-45404,
CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409,
CVE-2022-45410, CVE-2022-45411, CVE-2022-45418, CVE-2022-45420,
CVE-2022-45421, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881,
CVE-2022-46882, CVE-2023-23605)

Armin Ebert discovered that Thunderbird did not properly manage memory
while resolving file symlink. If a user were tricked into opening a
specially crafted weblink, an attacker could potentially exploit these to
cause a denial of service. (CVE-2022-45412)

Sarah Jamie Lewis discovered that Thunderbird did not properly manage
network request while handling HTML emails with certain tags. If a user
were tricked into opening a specially HTML email, an attacker could
potentially exploit these issue and load remote content regardless of a
configuration to block remote content. (CVE-2022-45414)

Erik Kraft, Martin Schwarzl, and Andrew McCreight discovered that
Thunderbird incorrectly handled keyboard events. An attacker could possibly
use this issue to perform a timing side-channel attack and possibly figure
out which keys are being pressed. (CVE-2022-45416)

It was discovered that Thunderbird was using an out-of-date libusrsctp
library. An attacker could possibly use this library to perform a
reentrancy issue on Thunderbird. (CVE-2022-46871)

Nika Layzell discovered that Thunderbird was not performing a check on
paste received from cross-processes. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2022-46872)

Matthias Zoellner discovered that Thunderbird was not keeping the filename
ending intact when using the drag-and-drop event. An attacker could
possibly use this issue to add a file with a malicious extension, leading
to execute arbitrary code. (CVE-2022-46874)

Hafiizh discovered that Thunderbird was not properly handling fullscreen
notifications when the window goes into fullscreen mode. An attacker could
possibly use this issue to spoof the user and obtain sensitive information.
(CVE-2022-46877)

Tom Schuster discovered that Thunderbird was not performing a validation
check on GTK drag data. An attacker could potentially exploits this to
obtain sensitive information. (CVE-2023-23598)

Vadim discovered that Thunderbird was not properly sanitizing a curl
command output when copying a network request from the developer tools
panel. An attacker could potentially exploits this to hide and execute
arbitrary commands. (CVE-2023-23599)

Luan Herrera discovered that Thunderbird was not stopping navigation when
dragging a URL from a cross-origin iframe into the same tab. An attacker
potentially exploits this to spoof the user. (CVE-2023-23601)

Dave Vandyke discovered that Thunderbird did not properly implement CSP
policy when creating a WebSocket in a WebWorker. An attacker who was able
to inject markup into a page otherwise protected by a Content Security
Policy may have been able to inject an executable script. (CVE-2023-23602)

Dan Veditz discovered that Thunderbird did not properly implement CSP
policy on regular expression when using console.log. An attacker
potentially exploits this to exfiltrate data. (CVE-2023-23603)

It was discovered that Thunderbird did not properly check the Certificate
OCSP revocation status when verifying S/Mime signatures. An attacker could
possibly use this issue to bypass signature validation check by sending
email signed with a revoked certificate. (CVE-2023-0430)

Read More