Archive for the ‘Privacy’ Category

#33C3 – my “must have”-sessions

December 27, 2016 Leave a comment

Like every year, there’s the annual Chaos Communication Congress taking place to cover the dead week between Christmas and new year. I was taking a look onto the schedule to identify my „must have“-sessions. These are:

As every year, I’ll spend my rare time with my family back home, but i’ll try to catch at least a couple of my „must have“-sessions via livestreams. Once the event is over, i’ll download all my sessions to watch them offline during hotel nights.

The full schedule can be found here:
Live stream will be available here:
Downloads will be available here:

All of you onsite: have a great event. 

[Update: 01.01.2017]
I’ve added the URLs of the recordings to the list of my „must have“-sessions. But i’ll download all of the sessions to watch them bit by bit. I’ll take the one or other talk to dig into it a little deeper, and posting my thoughts about it.


Current Security Nightmares

February 10, 2015 Leave a comment

What’s going on out there in the networks in the last couple of days? We had a strange hack into a US health insurance provider exposing tens of millions of SSNs and addresses, a temporary shutdown of a online tax service due to identity theft fraud, a database security issue that came up just by accident using a search engine and finally today there was high level politician dumping emails containing personal information of residents of a US state.

Diving just in two of those security issues with some more detail:

The database issue I mentioned does affect MongoDB, a popular NoSQL database system. Three students just ran over round about 40.000 open MongoDB databases, containing sensitive information up to credit card information, names and email addresses. Anyone might wonder how that could have happen: by just using default configuration values without checking them.

    Default: true
    Disable authentication. Currently the default. Exists for future compatibility and clarity.
    For consistency use the auth option.

So it’s default to disable authentication? For future compatibility? Seriously? Wait… let’s check the auth option for consistency reasons…

    Default: false
    Set to true to enable database authentication for users connecting from remote hosts. Configure users via the mongo shell. If no users exist, the localhost interface will continue to have access to the database until you create the first user.

Yeah… great… Authentication is disabled by default… Pretty consistent…

Source for both: Configuration File Option – MongoDB Manual 2.2.7

Whoever did that decision, I won’t be in his position right now. We’ll see how long it might take until both options are flipped with their default configuration. The conclusion should be: the more you trust a product, the more you should focus on the default configuration before going into production. Spending too much trust in a vendor / community just because you’re a “fan” of the tool will put you at risk if you loose the insight on the configuration options.

The second issue I’d like to dive into is a US politician and potential presidential candidate just dumping emails containing sensitive data of Florida state residents. He just approached to shed some transparency into his work by posting emails he exchanged with residents of the state of Florida. Unfortunately he and his team did not redact the emails before. So he just dumped emails containing SSNs, clear text names and even emails with the following text add-on:

Confidential communications intended for indicated recipient only

Just keeping in mind that this guy might be a future president of the United States of America, trying to rule the world I’m getting worried and afraid. Guys like him are deciding on rules affecting hundreds of million of people without having the touch of a sense in how to deal with their residents data. Is that the future we’re moving into? I don’t hope so. It should be mandatory for politicians to have a brief understanding of privacy, data security, encryption and the way how to deal with sensitive information. I’m really upset right now…

Categories: Privacy, Security

Biometry is broken

January 28, 2015 Leave a comment

From what we’ve seen during 31C3, biometry is broken. It’s not just broken if we do try to get the fingerprints of a potential victim by extracting them from whatever our victim might have touched before using forensic methods. With what we’ve seen during the talk given by starbug ( – attention: the talk was given in german), the physical barrier is broken. There is no more need to save a glass that was touched by our victim. The fingerprint can be restored using a photograph of the fingertips of our victim that has a certain quality.

During his talk, starbug already gave some insight on what might be next: 4K video. I’m curious about what he might come up for the next congress. Maybe he’s already working on extracting fingerprints from 4K videos.

So you might wanna say fingerprints are broken, what about other biometric factors. Let’s try to run them through:

  • fingerprints – broken
  • retina scans – broken (at least if the quality of the picture is good enough)
  • face scans – broken (as shown in the video)
  • heart beat – not broken yet
    So let’s keep up with what’s left on the list: heart beat. There was a startup showing up with the idea of a wristband using your unique heart beat signature as a identification token. Sounds pretty cool so far. But here it comes: I’ve been talking to different people about two different approaches that might break this as well.
    The first approach (although is much more theoretical and does have a moral and ethical impact) I’ve been discussing with a doctor. In the end she told me, that it would be possible to use a pacemaker to re-program a individuals heart beat. It has not been done before, but it’s possible.

The second approach I was talking to a guy working in device security for quite a while. From his expertise, it shouldn’t be the biggest deal to set up the specific electric signal that will look like a valid heart beat to the device.

So from where we are right now, there are only two conclusions:

  1. Don’t trust in biometrics as a single source of identification. They might be used in combination with other forms of authentication, but never ever alone.
  2. Biometric devices need to get better. The need to be able to determine if they are scanning a print version of the fingerprint, face or retina or if the are scanning a real human being. This will raise prices for devices.
Categories: IAM, Identity, Privacy, Security

Biometric authentication approaches

September 25, 2013 Leave a comment

Apple recently released their iPhone 5s with an fingerprint sensor as an replacement to the typical 4 digit pin code. As it was expected by the majority of people in the security space, it only took a few days until the biometry team at CCC (Chaos Computer Club) were able to fake a fingerprint to unlock an iPhone 5s. The article can be found here (german) and here (english). If you’re not willing to read, here is the initial video, which was re-done based upon request of, which is available here.

So what does that mean for biometric authentication?
Although we’re in total agreement that passwords must die, the security features looking promising at first glance did turn out to be just cheap hardware being able to be compromised by just increasing the scanning resolution. Biometrics might be a way to get away from passwords, but not with simple and easy hardware.As the fingerprint sensor was meant to replace the typical 4 digit pin code, this might just have been the first step. But just imagine the impact if the necessary would have been open so far application developers leveraging this technology? In case, your mobile banking account would be open to an attacker easier than before, your credit card data out of the AppStore and so on. So the CCC hack would be the initial (and not very complicated step) to an complete identity theft.

Another approach was taken by the inventors of nymi. They are trying to capture something unique, your heartbeat. But your heartbeat is just a single component of an 3-factor authentication: you’ll need your heartbeat (pretty hard to loose), your nymi device and your authorized authentication device (nymi does call that AAD) like a smartphone, tablet or whatever.. So even if you’d loose your smartphone and someone gets your nymi device, they’re still missing the 3rd component.

But nymi still offers an attack vector from my understanding: the nymi device is using bluetooth to communicate with your AAD, so there is some potential in hijacking the bluetooth connection and all information that is being exchanged via bluetooth.

Looking at the nymi approach, there’s only one conclusion: biometrics itself will not replace passwords (not as long as the devices like fingerprint readers are that weak that they are not able to do an deep scan to distinguish an faked fingerprint) on their own. Biometrics will be part of the multi-factor authentication as replacement for passwords. A good idea might be a combination of the nymi approach with fingerprints: a fingerprint sensor that is able not only to read the skin-deep fingerprint but also the pulse running through the finger. This combination can not be faked at all. And with all paranoia, it does allow certain scenarios: while your left thumb in combination with your heartbeat just enables you to unlock your device, while your right middle finger in combination with your heartbeat and a security code or external token might authenticate you into your corporate network when using private devices as part of an BYOD strategy. Additionally this combination would remove the bluetooth attack vector that is still open with the nymi approach so it would need a physical device hack to intercept the information.

One question is still circling in my head, maybe someone is able to answer that: what happens to your heartbeat in case of an myocardial infarcation or in case you’re getting shocked due to an medical emergency: will such happening influence your heartbeat and potentially destroy your access token?

Categories: IAM, Mobility, Privacy, Security

eIDClientCore–an open API to the new German electronic ID

September 18, 2012 Leave a comment

The new founded BeID-LAB (Berlin electronic ID laboratory) has published the eIDClientCore, as open API to the new German electronic ID (ePA). The API is acting as middleware between an eID-Provider and the card reader, communicating with the ID.

The API implements parts of the eCARD-API, being an foundation for the eCard strategy of the German government containing projects like eGK (electronic health insurance card), ePA (electronic ID), ePass (electronic passport), ELSTER (electronic tax declaration) and the already buried ELENA (electronic income confirmation).

The eIDClientCore is available as an C/C++ library, currently needing libxpat, libgcrypt and an PCSC driver handling the communication to an card reader.

Use cases for this API might be:

  • two-factor / multi-factor authentication for different web- or cloud services
  • implementation of further eGovernment projects
  • identity-proofing in eGovernment

With the complete source code of the API being available under an open license, this might help to find security issues but also opens up the possibility of exploiting those security issues with code knowledge.

My personal opinion on that: I’m still a bit concerned about the strategy to bring everything into digital abstractions, especially sovereign documents like and ID or an passport. The more I’m concerned about that, the more I’m happy about the chance to have a look inside.

Categories: Identity, Privacy, Security

Germany to ban surveillance software exports to totalitarian regimes

September 18, 2012 Leave a comment

As ZDNet reports today, the German foreign minister Guido Westerwelle made an announcement to ban exports of surveillance software to totalitarian regimes and states.

By using the words “These regimes should not get the technical instruments to spy on their own citizens” he’s telling something more critical: while it’s not ok for an totalitarian regime like Syria to have surveillance software to spy on their own citizens, it seems like he’s pretty ok with the fact that countries like Germany itself are using surveillance software to spy on their citizens. At the moment this software is (officially) only used for special purposes in crime investigation, but there were even inappropriate software in use in Germany itself. For more insight on that just have a look on the hashtag #0zapftis.

Categories: Privacy, Security