Information Risk and Incident Management
Debian developers released an advisory on 25 June stating they found a serious coding bug in the Intel 5th generation Skylake and the 7th generatlion Kaby Lake processors. This bug can cause multithreaded processes to cause unpredictable system failure.
The resolution? Go into your BIOS or UEFI settings and disable hyper-threading immediately. Then download and install the coming firmware updates as soon as they are available.
Theft of biometrics data is becoming more frequent. A recent example is the breach of Avanti point of sale systems. Although this is a problem, it isn’t likely as high risk as many believe. Using stored biometrics data is harder to use than is practical, making too high (in most cases) the effort given the attacker’s financial returns. So possible theft of biometrics data shouldn’t be a reason to stop using biometrics as an authentication factor.
When a user registers a physical attribute with a biometrics solution, the attribute’s characteristics are converted to a numeric value. This value is encrypted and stored. According to Larry Greenemeier, in an article written for Scientific American, “Misuse of stolen digital fingerprint files is hardly that straightforward and would involve cracking encryption codes, reverse-engineering data files and several other complicated procedures that are probably not worth the effort.”
The biggest problem is not in the actual risk. It is in the public’s perception of the risk. We have enough challenges trying to get many people to accept biometrics without spreading misinformation about the risk. Yes, we need to protect biometrics data. Yes, theft of this data elevates risk. However, biometrics alone should never be used to protect highly sensitive information, and the effort needed to use stolen customer biometrics data is likely too high for common use.
There is an exception, however, that might elevate the risk above acceptable levels. What if the attacker steals the imprint information passing between the sensor and the biometrics verification algorithm? Any solution selected to protect our customers or our highly sensitive information must be protected and designed in ways to make this kind of attack highly improbable.
This has been an interesting week. First, my old website provider (initial Y) decided to break my email. When I called to have it fixed, I was told it would take 48 hours. When I informed them this was their fault, they continued providing me with formulaic responses that meant nothing. So I decided to move to another provider.
Well… I did some research and decided to go to a highly rated site (initial i). Everything was fine until I entered an online chat to get help with an issue. The first thing the support person asked me for (as part of identity verification) was my answer to my secret question. Those security professionals out there know this is just plain wrong. I immediately cancelled my subscription.
My new provider, HostGator, seems to get it. I had to create a PIN instead of answering a secret question. In addition, chat sessions require me to authenticate using my HostGator credentials. This provides immediate verification without asking for information the support tech should not have.
Granted, these are small providers… unlike Amazon, Microsoft, Google, etc. However, how many people use these services to post information? How many of these sites have questionable business continuity assurance or security? For example, ‘i’ likely has other security issues if they believe asking for a customer’s secret question response is a good idea.
Oh, well. I am settling into my new website home. ‘Y’ and ‘i’ will just have to get along without me…