November 6, 2018

Is the US about to get a nationwide, privately owned, biometrics system?

By Danny Bradbury

Two US biometric companies, SureID and Robbie.AI, have partnered to research a private, nationwide biometrics system that could combine fingerprint and facial recognition data.

SureID runs a nationwide fingerprint collection system designed to make identity and background checks less painful. Users go to one of around 800 fingerprint collection stations around the US and scan their digits. A few hours later, SureID will deliver the user’s background check to their employer, landlord or whichever other authority they choose. Robbie.AI sells an AI-powered facial recognition technology.

By combining the two technologies, SureID hopes to create “the United States’ first nationwide biometrics gathering system for broad consumer-focused initiatives”. The idea is to use facial recognition to confirm that the person providing the fingerprints is legitimate.

Is it secure?

The worry with biometric authentication has always been that someone might crack it by replicating a person’s features. In the past, when companies have claimed high levels of security for their biometric systems, hackers have figured out a way past them.

For example, researchers pilfered publicly available photos online, created 3D-animated renditions that could be displayed on a smart phone, and then used them to fool facial recognition systems.

Read more at https://nakedsecurity.sophos.com/2018/11/06/is-the-us-about-to-get-a-nationwide-privately-owned-biometrics-system/

Children’s apps contain an average of 7 third-party trackers, study finds

By John E Dunn

When it comes to tracking mobile app users, internet advertising companies like to start them young, according to a new University of Oxford study.

Researchers analysed nearly one million Android apps downloaded from the US and UK Google Play Stores and found that those used by children now embed some of the highest numbers of third-party trackers of any app category.

Most of these fall under the ‘family’ category (8,930 apps), which had a median of seven trackers each, just ahead of the vast games and entertainment category (291,952 apps) on six.

Some family apps had even more trackers, with 28.3% exceeding 10. The only category that could match this was ‘news’ (26,281 apps), 29.9% of which had more than 10, or a median of seven trackers per app.

So, if you’re someone who gets their news from an app, chances are that what you’re doing is being watched very closely – something that’s at least as likely if you’re a child using a family app.

It’s no big reveal that advertisers are out to track people for commercial purposes, although the extent to which apps have become the front line in this endeavor is still quite surprising.

The extent to which children are being tracked through apps is even more unexpected given the wave of regulations that are supposed to limit how this is done, especially for anyone under the age of 13.

Read more at https://nakedsecurity.sophos.com/2018/11/06/childrens-apps-contain-an-average-of-7-third-party-trackers-study-finds/

CIA’s secret online network unraveled with a Google search

By Lisa Vaas

According to reports, the US government is still reeling from a catastrophic, years-long intelligence failure that compromised its internet-based covert communications system and left CIA informants vulnerable to exposure and execution worldwide.

In 2013, following the compromise, CIA experts worked feverishly to reconfigure their secret websites and try to move their informants to safety, but intelligence sources say that damage this severe probably can’t be wholly undone.

Yahoo published a report last week about the previously unreported intelligence disaster.

According to Yahoo, which relied on 11 former intelligence and national security officials for the report, the problem started in Iran and “spiderwebbed” out to countries that were friendly to Iran.

It wasn’t just one point of failure: it was a string of them. One of the worst intelligence failures of the past decade was in 2009, when the Obama administration discovered a secret Iranian underground enrichment facility. The Iranians, furious about the breach, went on a mole hunt, Yahoo reports, looking to dig out foreign spies.

Unfortunately for the US and its agents, it didn’t take long to find the moles. That’s due in large part to what one former official called an “elementary system” of internet-based communications – one that was never meant to stand up to sophisticated counterintelligence efforts such as those of China or Iran, let alone one that should have been entrusted with the extremely sensitive communications between the CIA and its sources.

Read more at https://nakedsecurity.sophos.com/2018/11/06/cias-secret-online-network-unravelled-with-a-google-search/

Private Facebook data from 81,000 accounts discovered on crime forum

By John E Dunn

Malicious browser extensions have been blamed for the theft of private messages and data from 81,000 Facebook users recently discovered for sale on a cybercrime forum.

According to the BBC Russian Service investigation, samples of the data were discovered in September being hawked for 10 cents per account on an English-language forum with Russian connections.

Most of the breached accounts were from Russia and Ukraine, but Facebook users in the UK, Brazil and other countries are also among the victims, the BBC said after verifying the find with UK cybersecurity company Digital Shadows.

Criminals offered another 176,000 accounts although it’s possible that some of the email address and phone number data in this cache could simply have been scraped from public profiles.

Stolen data from the 81,000 accounts that appeared to be genuine included intimate exchanges between Facebook users. One example, according to the BBC, included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.

When the BBC posed as a buyer, the seller claimed he could supply access to a further 120 million accounts, which Digital Shadows believes is probably untrue because it implies a huge data breach Facebook would have noticed.

This is a big problem for investigators: working out what’s been stolen or breached can be difficult when cybercriminals make exaggerated or false claims about what they have in their possession.

Read more at https://nakedsecurity.sophos.com/2018/11/05/private-facebook-data-from-81000-accounts-discovered-on-crime-forum/

FIFA, hacked again, is leaking like a sieve

By Lisa Vaas

The Fédération Internationale de Football Association (FIFA), world soccer’s governing body, acknowledged last week that it’s been hacked – again.

The first cyberattack, in 2017 – which led to the publishing of footballers’ failed drug tests – was attributed to the Russian hacking group Fancy Bear, also known as APT28.

FIFA President Gianni Infantino admitted to the new hack while talking to the press after a FIFA Council meeting last week in Kigali, Rwanda, telling press that he was braced for a release of private information after FIFA discovered that its network had suffered another intrusion.

The New York Times reported on Tuesday that there was “no clarity” at that point about the details of the second attack, but it did report that officials at UEFA (the Union of European Football Associations) had been targeted in a phishing attack. As of Tuesday, the organization reportedly hadn’t found traces of a hack.

The first to get the newly leaked FIFA documents was Football Leaks – a whistleblowing platform that’s been called the football version of WikiLeaks.

Football Leaks fed the leaked documents to a consortium of European media organizations called the European Investigative Collaborations (EIC), and EIC members started to publish a series of stories based in part on the internal documents on Friday. Der Spiegel was the first to do so, but other media outlets soon started to publish articles based on analyzing the leaked, confidential, highly sensitive documents.

Read more at https://nakedsecurity.sophos.com/2018/11/05/fifa-hacked-again-is-leaking-like-a-sieve/
