Major Breach Found in Biometrics System Used By Banks, UK Police and Defence Firms (theguardian.com)
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks, The Guardian reported Wednesday. From the report: Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its Biostar 2 platform was integrated into another access control system -- AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police. The Israeli security researchers Noam Rotem and Ran Locar, working with vpnmentor, a service that reviews virtual private network services, have been running a side project that scans ports looking for familiar IP blocks, and then uses these blocks to find holes in companies' systems that could potentially lead to data breaches. In a search last week, the researchers found Biostar 2's database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
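The report says the researchers read the data simply by changing the search parameters in an Elasticsearch URL, which is what an Elasticsearch node with no authentication in front of it allows anyone to do. The following is an added example, not code from the report, from vpnmentor or from Suprema: a small probe that issues the same kind of unauthenticated `GET /_search?size=1` request against a node you are responsible for and classifies the answer. The base URL, the hardcoded sample responses in the comments and the status-code handling are the author's assumptions; real Elasticsearch error bodies vary by version.

```python
import json
import urllib.error
import urllib.request

# Classify a response to an UNAUTHENTICATED GET <base>/_search?size=1.
# "exposed" means an anonymous client can read documents, which is the
# condition described in the Biostar 2 report.
def classify(status: int, body: bytes) -> str:
    if status in (401, 403):
        # Security enabled (or a reverse proxy) rejected the anonymous request.
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # A real _search answer carries a top-level "hits" object; if we get
        # one back with no credentials, documents are readable by anyone.
        if isinstance(doc, dict) and "hits" in doc:
            return "exposed"
    return "unknown"


# Perform the probe over the network. Only run this against hosts you own
# or are authorised to test. base_url is an assumption, e.g. "http://10.0.0.5:9200".
def probe(base_url: str, timeout: float = 5.0) -> str:
    url = base_url.rstrip("/") + "/_search?size=1"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 arrive as HTTPError; classify them rather than treating
        # them as failures.
        return classify(err.code, err.read())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(target, "->", probe(target))
```

A node that comes back "exposed" needs network-level isolation (bind `network.host` to an internal interface, put it behind a firewall or authenticated proxy) and Elasticsearch's own authentication turned on before anything sensitive is indexed; a "auth-required" result only shows that anonymous reads are blocked, not that the credentials in use are strong.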
Dont worry (Score:5, Funny)
Just change your password! :)
Re: (Score:3)
Re: (Score:2)
Corporeal Resets Inducing Systemic Password Recovery?
Time for a New Face (Score:1)
Manipulating the URL???!!! (Score:4, Insightful)
Re:Manipulating the URL???!!! (Score:5, Interesting)
Wow, just wow. Everyone that is even remotely related to security at that firm needs to be fired immediately.
Not necessarily. 20 years ago I worked for a startup writing code for Linux boxes. It was a bunch of windows programmers and me. Everyone ran as root, except me. I pointed out this was not a good thing, and wrote several memos showing how you could use sudo instead of running as root. Got nowhere.
Worse, you had to be root to run their code. I wrote more memos on the SUID bit, and how programs should do their rooty things early, then drop their permission level. Again, got nowhere.
First customer. Their IT department refuses to allow the box on the network because they don't want a bunch of root users running around. So we created a default user, which took about 2 days, and sent the boxes back. Their IT department refuses to allow the box on the network because they don't want a bunch of people knowing how to log in as root. We (actually, everyone but me) had to change their programs to run SUID root. Back to the customer. IT department refuses to allow the box on the network because they don't want a bunch of daemons running as root. You see how this is going.
Best part? Startup ran out of money before they could do a second silicon spin, and that customer bought all the IP from bankruptcy and made it their own product.
That startup was hands down the worst place I've ever worked. Bad management, sleazy management, greedy founders, stupid mistakes. They covered all the bases of "how to ensure your startup fails".
Re: (Score:3)
Everyone that is even remotely related to security at that firm needs to be fired immediately.
On the contrary. Everyone in management should be shot immediately.
Re: (Score:2)
Suprema (Score:1)
Not to worry... (Score:2)
Can somebody who knows crypto answer: (Score:3)
Why don't people who design biometric security systems use salting? Is it just because biometrics are so easy to steal they aren't worth protecting?
Re: (Score:2)
One way hashing is part of the salting methodology.
Re: (Score:1)
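The question above (why biometric systems don't salt-and-hash the way password systems do) has a concrete answer: a hash only matches on byte-exact input, and two scans of the same finger are never byte-exact. The following is an added example by the editor, not code from any poster or from Suprema, using a deliberately simplified template model (a fixed-length bit string, with sensor noise modelled as a few flipped bits; real minutiae templates are richer, but the matching property is the same). The byte values, salt and threshold are constructed for the demonstration.

```python
import hashlib

# Constructed 64-bit "templates" (assumption: a stand-in for a real fingerprint template).
ENROLLED = bytes.fromhex("a3f1c0deadbeef42")      # what was stored at enrolment
NOISY_SCAN = bytes.fromhex("a3f1c0deadbee743")    # same finger, 2 bits flipped by the sensor
OTHER_FINGER = bytes.fromhex("5c0e3f21524110bd")  # a different person (bitwise complement)
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-record salt
THRESHOLD = 8  # accept if at most 8 of 64 bits differ (constructed tolerance)


def salted_hash(template: bytes, salt: bytes) -> bytes:
    """The password-style approach: store only H(salt || template)."""
    return hashlib.sha256(salt + template).digest()


def hash_match(stored: bytes, candidate: bytes, salt: bytes) -> bool:
    """Verifies only if the candidate is byte-for-byte identical to what was enrolled."""
    return salted_hash(stored, salt) == salted_hash(candidate, salt)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def fuzzy_match(stored: bytes, candidate: bytes, threshold: int = THRESHOLD) -> bool:
    """What a biometric matcher actually does: tolerate small measurement differences.
    This requires the stored template to be readable in the clear at match time."""
    return hamming(stored, candidate) <= threshold


def demo() -> dict:
    # Salted hashing rejects the legitimate user as soon as one bit of noise appears,
    # so it cannot be used as the stored form of a biometric reference.
    return {
        "noise_bits": hamming(ENROLLED, NOISY_SCAN),
        "hash_accepts_same_finger": hash_match(ENROLLED, NOISY_SCAN, SALT),
        "fuzzy_accepts_same_finger": fuzzy_match(ENROLLED, NOISY_SCAN),
        "fuzzy_accepts_other_finger": fuzzy_match(ENROLLED, OTHER_FINGER),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the matcher must compare against the enrolled template itself, the controls that apply are encryption at rest, tightly scoped access to the template store and keeping the store off the public network, not the one-way hashing that protects passwords. Schemes that try to get hashing-like properties for fuzzy data (cancelable biometrics, fuzzy extractors) exist but are a different design, not a salt bolted onto a template.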
Ah, those who should have known (Score:2)
...but obviously didn't, like always.
Now that their biometrics have been compromised... (Score:2)
How do those get reset? Use another finger?
Okay, what happens when you run out of fingers? Go to retina? That only kicks the can down the road.
Biometrics are really not as useful as the hardware suppliers would have us believe. Once compromised these cannot be reset.
Re: (Score:2)
My problem with them is actually more the opposite at present, though I agree 100% with your comment: pruny fingers, scuffs on fingertips, minor cuts, blisters, age; all of these things force me to keep resetting my fingerprints, about every month (Galaxy S9+).
Identifiers (Score:3, Insightful)
Fingerprints and Facial Recognition data are identifiers, not authenticators. There should be no problem with divulging identifiers. In fact, it is done routinely. Looked at this thing they call a "phone book" recently? It contains quite a lot of identifiers ... but no authenticators.
If someone wants to use biometric information as an authenticator you should be telling them where to go shove themselves. If you permit your identifiers (such as biometric information) to be used as authenticators, then YOU are the problem.
Re: (Score:2)
Fingerprints and Facial Recognition data are identifiers, not authenticators. [...] If [someone] permit[s] your identifiers (such as biometric information) to be used as authenticators, then [you have a] problem.
Fixed. Sometimes, you have no choice about the matter. Using biometrics as authentication, wrong as it is, is increasingly used and not always avoidable. Even if you don't use it, your biometrics might be leaked and then installed somewhere, and thus usable by an attacker.
Having said that, any system that uses identifiers as authentication mechanism is MUCH less secure than a password protected system: at least with password you can choose a strong password.
Re: (Score:2)
If the various industries understood that, there wouldn't be a problem. However, biometrics are being used for authentication.
Oh! The irony! (Score:2)
Bureaucratards who are so concerned with security that they feel the need to implement invasive biometric ID schemes, yet fail to ensure the security of the biometric data their security schemes rely on. And it's not as though this is a rare phenomenon - we hear similar cautionary tales just about every day. Why does it seem that nobody heeds these stories and gets his own house in order? Are they all stuck in the 'it can't happen here' fallacy?