German Hacker Group States They Have Cracked Apple’s iPhone 5S Fingerprint Scanner
Jim Finkle Reuters
BOSTON (Reuters) – A group of German hackers claimed to have cracked the iPhone fingerprint scanner on Sunday, just two days after Apple launched the technology that it promises will better protect devices from criminals and snoopers seeking access.
If the claim is verified, it will be embarrassing for Apple, which is betting on the scanner to set its smartphone apart from new Samsung models and others running the Android operating system of Google.
Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computer Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work.
One of them, Charlie Miller, co-author of the “iOS Hacker’s Handbook,” described the work as “a complete break” of Touch ID security. “It certainly opens up a new possibility for attackers.”
Apple representatives did not respond to requests for comment.
CCC, one of the world’s largest and most respected hacking groups, posted a video (shown below) on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone.
iPhone 5S Touch ID fingerprint scanner tricked?
The group said they targeted Touch ID to knock down reports about its “marvels,” which suggested it would be difficult to crack.
“Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” a hacker named Starbug was quoted as saying on the CCC’s site.
The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a “fake finger.”
CCC said similar processes have been used to crack “the vast majority” of fingerprint sensors on the market.
“I think it’s legit,” said Dino Dai Zovi, another co-author of the “iOS Hacker’s Handbook.” “The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.”
Touch ID, which was only introduced on the top-of-the-line iPhone 5S, lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It uses a sapphire crystal sensor embedded in the button.
Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip.
Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.
“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” said mobile security researcher Nick DePetrillo, who started the contest with another security expert, Robert Graham. “When they deliver that video we will review it.”
The two of them each put up $100 toward a prize for the contest winner, then set up a website inviting others to contribute. While the booty now includes more than $13,000 in cash, it was not clear that the CCC would receive the full payout, even if DePetrillo and Graham declared them winners.
A micro venture capital firm known as I/O Capital, which had offered to pay $10,000 of the prize money, issued a press release late on Sunday saying that it would make its own determination about who won the contest.
Copyright 2013 Thomson Reuters.
Win Bitcoins, booze and cash! Be the first to crack the iPhone’s Touch ID fingerprint sensor…
A posting from Dark Reading about iPhone’s Touch ID fingerprint sensor:
The fingerprint sensor on Apple’s new iPhone 5s could well be the device-within-a-device that brings biometrics into the everyday mainstream.
(There’s good and bad in that. The good news is that if you paid extra for a laptop, years ago, because it had a fingerprint scanner you could never get to work, you’ll no longer be seen as a technology sucker but as an early adopter.
The bad news is that any hope of arguing for the end of fingerprint scanners in US immigration lines will be lost forever. Heck, if you can do it for Apple, you can do it for Uncle Sam!)
For all that I recently wrote – this very morning, in fact – that convenience is “one of security’s mortal enemies,” Apple’s Touch ID might end up as a blessing in disguise entirely on account of its ease of use.
People who are too lazy to bother with proper passwords or even four-digit passcodes on their phones (like Marissa Mayer, CEO of Yahoo!, no less) might be willing to use Touch ID, since it makes it slicker for them to get back into their phone one-handed.
Shylock Malware Resurges, Targets Top U.S. Banks
A posting in Information Week, in their security/attacks section:
Beware the latest version of the banking malware known as Shylock — also called Caphaw — which has been retooled to target customers of 24 different banks.
Security firm Zscaler reported Wednesday that over the last month it’s seen the number of Shylock infections surge. While the malware was first spotted in 2011 and was seen earlier this year targeting European banking customers, the latest version of the Trojan application now targets customers of the four largest U.S. banks — Chase Manhattan Corporation, Bank of America, Citi Private Bank and Wells Fargo — as well as Bank of the West, Capital One, U.S. Bancorp and others.
Shylock is better than most banking malware, which typically siphons up a user’s banking credentials and relays them to attackers for later use. “This is one of the few pieces of malware that can automatically steal money when the user is actively accessing his banking account,” read an analysis of Caphaw published earlier this year by ESET security researcher Aleksandr Matrosov. Other malware with this capability includes Carberp, Gataka, Ranbyus and Tinba.
Snowden disclosures prompt warning on widely used computer security formula
SAN FRANCISCO (Reuters) – In the latest fallout from Edward Snowden’s intelligence disclosures, a major U.S. computer security company warned thousands of customers on Thursday to stop using software that relies on a weak mathematical formula developed by the National Security Agency.
RSA, the security arm of storage company EMC Corp, told current customers in an email that a toolkit for developers had a default random-number generator using the weak formula, and that customers should switch to one of several other formulas in the product.
Last week, the New York Times reported that Snowden’s cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government’s National Institute of Standards and Technology, to push for a formula that it knew it could break.
NIST, which accepted the NSA proposal in 2006 as one of four systems acceptable for government use, this week said it would reconsider that inclusion in the wake of questions about its security.
But RSA’s warning underscores how the slow-moving standards process and industry practices could leave many users exposed to hacking by the NSA or others who could exploit the same flaw for years to come.
RSA had no immediate comment. It was unclear how the company could reach all the former customers of its development tools, let alone how those programmers could in turn reach all of their customers.
Developers who used RSA’s “BSAFE” kit wrote code for Web browsers, other software, and hardware components to increase their security. Random numbers are a core part of much modern cryptography, and the ability to guess what they are renders those formulas vulnerable.
The NSA-promoted formula was odd enough that some experts speculated for years that it was flawed by design. A person familiar with the process told Reuters that NIST accepted it in part because many government agencies were already using it.
But after the Times report, NIST said it was inviting public comments as it re-evaluated the formula.
“If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible,” NIST said on September 10.
Snowden, who is wanted on U.S. espionage charges and is living in temporary asylum in Russia, disclosed secret NSA programs involving the collection of telephone and email data.
(Reporting by Joseph Menn; Editing by Eric Beech)
Windows Phone 8 earns US government security certification that protects sensitive data
An interesting article from HackersNewsBulletin.com: According to Microsoft, they have earned a key government accreditation called FIPS 140-2, which is a U.S. government security standard used to accredit the cryptographic algorithms that protect sensitive data inside products like smartphones.
All of the Windows 8 phones received accreditation for nine cryptographic certificates:
- Kernel Mode Cryptographic Primitives Library (CNG.SYS)
- Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
- Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
- Enhanced Cryptographic Provider (RSAENH.DLL)
- Boot Manager
- BitLocker Windows OS Loader (WINLOAD)
- Code Integrity (CI.DLL)
- BitLocker Windows Resume (WINRESUME)
- BitLocker Dump Filter (DUMPFVE.SYS)
This certificate is said to be ‘to protect sensitive data’, while the Anonymous group of hackers thinks that this could be a step toward spying. One of the famous Anonymous Twitter accounts (@youranonnews) tweeted ‘Each unit comes with a free back door!!’
Microsoft announces Windows Phone 8 gets US government security certification http://t.co/8a3kSKIX3f Each unit comes with a free back door!!
— Anonymous (@YourAnonNews) September 18, 2013
Last year, a few Samsung devices also received the same FIPS 140-2 certificate, and BlackBerry earned it for the BlackBerry 10 platform back in November last year, before it even launched.
Hacker group found in China, linked to big cyberattacks: Symantec
BOSTON (Reuters) – Computer security experts have discovered a group of highly sophisticated computer hackers operating for hire, a U.S. computer security firm said on Tuesday, and it linked the group to some of the best-known cyber-espionage attacks out of China in recent years.
Symantec Corp said the hacker group, which it dubbed “Hidden Lynx,” was among the most technically advanced of several dozen groups believed to be running cyber espionage operations out of China. Unlike a previous report by another company, Symantec did not allege Chinese government involvement in the cyberattacks.
Symantec’s 28-page report said its researchers believe the Hidden Lynx group may have been involved with the 2009 Operation Aurora attacks, the most well-known cyber espionage campaign uncovered to date against U.S. companies.
In Operation Aurora, hackers attacked Google Inc and dozens of other companies including Adobe Systems Inc. Google disclosed the attacks in January 2010, in which hackers tried to read Gmail communications of human rights activists and also attempted to access and change source code at targeted companies.
Symantec researcher Liam O’Murchu said his firm was unable to determine which individuals were behind Hidden Lynx or if it was linked to the Chinese government.
A separate study, released in February from the U.S. computer security firm Mandiant, said a secretive unit of the Chinese military was engaged in cyber espionage on American companies. Beijing vehemently denied the accusations in that document, which contained photos of the building that Mandiant alleged was the unit’s headquarters.
Symantec believes the group is based in China, O’Murchu said, because much of the infrastructure used to run the attacks is based there and because the malicious software was written using Chinese tools and with Chinese code.
The Symantec report also provides new details about who is behind several recent attacks, including a breach at cyber security firm Bit9 and follow-on attacks at three Bit9 clients.
It also connects Hidden Lynx to a major campaign dubbed Voho, which was discovered last year by the security firm RSA, which is owned by EMC Corp. Voho targeted hundreds of organizations including financial firms, technology and healthcare companies, defense contractors and government agencies.
Symantec described the Hidden Lynx group as a “professional organization” staffed by between 50 and 100 people with a variety of skills needed to breach networks and exfiltrate data. The arsenal of tools included Trojan Naid and Trojan Moudoor, which the gang use to siphon data from infected computers.
Symantec, which sells software and services to protect corporate and consumer computer systems from cyber attacks like the ones mentioned in the report, said Naid was also used by hackers in Operation Aurora.
The Hidden Lynx hackers “were either responsible for the Aurora attack or were working in conjunction with the Aurora attackers,” O’Murchu said.
(Reporting by Jim Finkle; Editing by Richard Valdmanis and David Gregorio)
