The gummi bear attack – now I’ve officially heard it all

One of the great things about working in the network and security arena is that it is constantly evolving. There’s always a new story to either educate or amuse, and today it’s a story about a brilliant use of gummi bears.

Now, I thought I was fully versed in the uses of gummi bears. Was I not the instigator of the infamous Bronx Science last-school-day gummi bear stick-a-thon, where we managed to cause $15,000 of damage to one of the science labs using nothing but a jumbo bag full of those candies?
Of course not! That was simply a joke. I have no idea how that incident happened! I certainly didn’t discover that a gummi bear would get sticky enough to adhere to ceiling tiles when thrown, I certainly didn’t demonstrate these capabilities to my classmates, and I most certainly didn’t spend the next 30 minutes in wanton gummi-bear destruction, sticking them to every surface we could. Like I said, I have no idea how that happened; we had all left when our teacher hadn’t shown up.

Anyway, let’s just say I know about gummi bears and how they can be used to disrupt schools, but this story is a new one on me. It appears that some Australians are using them to aid truancy by spoofing the fingerprint systems in charge of taking attendance. These enterprising young people have discovered that the gelatine has the same capacitance as human skin and have made replica fingerprints. They have their friends go to school and log them in using these replicas, fooling the system into thinking that they are present.

Now, besides this story being hilarious, there are some security implications:
– This shows how easy it is to fool a fingerprint scanner. It’s been known for some time that fingerprint scanners can be spoofed; however, the sophistication of the attack had been much higher. This shows that a teenager with some gelatine, time, and a hatred of history class can easily fool the system.
Note that this attack requires a willing participant. You couldn’t use this type of attack to grab someone’s fingerprints without their knowledge. I mean, who wouldn’t be suspicious of someone saying “hey there, would you mind sticking your right index finger into this pot of jello for me?”
– There’s no substitute for human inspection. Have as many automated systems as you want, but if someone wants to, they can trick the system. Technology is not always the solution to the problem, or at least it’s not a complete solution.
– Two-factor authentication is not a solution when there is collusion. Having a PIN as well as a fingerprint would be useless in this system, as the student swiping the fake finger would have the PIN as well. Two-factor authentication is only useful when the user has a vested interest in keeping the second factor secret.

Intel Hardware Hacking

I’ve been reading about a potentially serious vulnerability in Intel processors. To summarize, security researchers have discovered a way to access Intel CPUs’ System Management Mode (SMM) and run rootkits. A rootkit is a tool that allows an attacker to completely take over a computer system and do whatever they want with it, and usually the only way to get rid of it is a complete rebuild of the system. SMM is a diagnostic tool designed to help chip designers and runs at a higher privilege level than the operating system, so once in SMM an attacker can run programs whether you like it or not. Worse, SMM can be made completely invisible to the target PC, so something could be running there and you’d never know it. This attacks your computer’s hardware instead of its software, and once a malicious program is there it’s free to do what it wants, and can possibly even save itself in your hardware so it loads on startup.

In short, if successful, an attacker could take complete control of your system and bypass every security measure you have, and you’d never even know it, much less be able to do anything about it.

It’s not that clear how widespread this vulnerability is, but it’s fair to say it affects a large proportion of Intel-based computers produced in the last few years. That means not just PCs and laptops but servers, network devices, and security devices as well.

An undetectable rootkit is definitely a very, very bad thing, so serious efforts are under way to fix this. The good news is that it looks like traditional methods will have to be used to load it on, so installing security updates and having good anti-virus software is still your best defence. It’s not as if anyone can take over your computer no matter what your precautions; it’s just that if they do penetrate your computer’s defences, the potential for damage has gone up substantially.

What is most concerning about this for me is not the fact that it bypasses security so thoroughly, although that is a major worry. In truth there are already many other, much easier ways to gain control of systems for fun or profit, as many people do not install security updates or have antivirus software installed. This type of attack, while powerful, isn’t suddenly going to bust things open. The sophistication of this attack will prevent widespread exploitation by anyone but the most clever and knowledgeable of crackers, at least for now. The very sophistication, however, is the problem, in that anyone who has the skills to use this method will have the skill to exploit it to its fullest potential. The danger is more in its stealth than its power: as a rootkit installed using this method is completely undetectable, a sophisticated attacker could exploit it so subtly that the victims may never have a clue that they’ve been attacked.

For now there’s nothing you can do about this except what you hopefully do already: install security updates and buy good antivirus software. Meanwhile, the race is on to see if Intel and the security industry can come up with a fix before this is widely exploited.

For the curious, more information can be found here:
http://invisiblethingslab.com
http://blogs.techrepublic.com.com/security/?p=1130