Security security security

September 8th, 2012 by Stephen Jones

Hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) apparently by hacking an FBI laptop.

 Why does an FBI agent have user identification information about 12 million iPhone users on his laptop? How did the FBI get their hands on this data in the first place?

The FBI said, “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

Apple also denies giving the database to the FBI.

So where did the database come from? And are there really 12 million, or only one million? There is lots of honeypot and conspiracy speculation on the blogs about this.

Another recent report is that fingerprint-reading software preinstalled on laptops sold by Dell, Sony, and at least 14 other PC makers contains a serious weakness that makes it trivial for hackers with physical control of the machine to quickly recover account passwords, security researchers said.

The UPEK Protector Suite, which was acquired by Melbourne, Florida-based Authentec two years ago, is marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint, rather than a user-memorized password. In reality, using the software seems to make users less secure than they otherwise would be. When activated, the software writes Windows account passwords to the registry and encrypts those with a key that is easy for hackers to retrieve. Once the key is acquired, it takes seconds to decrypt the password.

Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted, said an advisory issued by Elcomsoft, a Russia-based developer of password-cracking software. When Protector Suite isn’t activated, Windows doesn’t store account passwords in the registry unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic login.
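A defender's check for the automatic-login case described above, added here as an example and not taken from the original post or the Elcomsoft advisory: it reads a `reg export` of the Winlogon key and flags a logon password stored there. The sample export and its values are constructed, and the check does not cover the Protector Suite location, which the post says is not yet known.

```python
import re

# Winlogon key that holds the classic Windows automatic-logon settings.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample in the text format written by `reg export` (not real data).
# A real export file is normally UTF-16; decode it before passing the text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="frontdesk"
"DefaultPassword"="constructed-example-value"
"Shell"="explorer.exe"
'''

def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def audit_autologon(text):
    """List findings about automatic logon; the stored password is never returned."""
    values = parse_reg_export(text).get(WINLOGON.lower(), {})
    findings = []
    if values.get("autoadminlogon") == "1":
        findings.append("automatic logon enabled for %r" % values.get("defaultusername", "?"))
    if values.get("defaultpassword"):
        findings.append("DefaultPassword present: account password readable from the registry")
    return findings

if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_EXPORT):
        print("FINDING:", finding)
```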

The most obvious disadvantage is for those computers that have a Windows feature known as Encrypting File System enabled to prevent third parties from accessing sensitive files or folders. The key that unlocks that encrypted data is controlled by a Windows account password. Once the password is retrieved, the EFS-encrypted data stored on the computer can quickly be decrypted.

The account password could unlock other data that might otherwise be harder to obtain. The Windows Data Protection application programming interface, for example, is also closely tied to account passwords and controls access to credentials used by Outlook, Internet Explorer, and possibly other applications.

Any time a PC is physically controlled by a hacker, its passwords are vulnerable to cracking attacks. But without the use of the UPEK Protector Suite, hackers have access only to one-way password hashes, which, depending on the complexity of the underlying passcode, can take years or centuries to recover using brute-force methods. Use of the fingerprint software almost guarantees the success of the cracking operation, and it can also significantly reduce the time it takes.

The easily cracked passwords are stored in the Windows registry even after the Protector Suite software has been deactivated, and it is only removed when a user manually deletes it. The precise registry location of the encrypted password is not yet known.

Authentec no longer actively markets Protector Suite, but according to archived data from the UPEK website, the app ships—or used to ship—on laptops manufactured by 16 different companies. In addition to Dell and Acer, other PC makers include Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba.

Biometric readers are only as secure as the software that works with those readers. That is why we sell hand punch readers with 13 bit encryption.

