Green Line Solutions News

Give Em The Finger

Thomas Topp - Tuesday, March 07, 2017

Give ‘Em the Finger

The Use of Biometrics in Court Cases

Biometrics -- distinctive and quantifiable traits utilized for identifying an individual -- have been used in the form of fingerprint locks on smartphones since 2011. However, it wasn’t until 2013, when the iPhone’s Touch ID was released on the 5S, that the technology gained popular momentum.

Using one’s fingerprints to lock smartphones or sensitive content is appealing because everyone’s fingerprints are unique and therefore believed to be a personalized passcode that cannot be hacked. It also saves the user from forgetting the password or having to type anything on the screen. However, in May of 2016, Russell Brandom, contributor to The Verge, posted an article describing many of the pitfalls of this technology.

One of the biggest problems with using fingerprint biometrics is that vast databases store fingerprint information for government and law enforcement agencies, and not just on criminals. As Brandom writes:

Homeland Security policy is to collect fingerprints from non-US citizens between the age of 14 and 79 as they enter the country, along with a growing number of fingerprints taken from undocumented immigrants apprehended by Customs and Border Patrol. The FBI maintains a separate IAFIS database with over 100 million fingerprint records, including 34 million "civil prints" that are not tied to a criminal file.

By using information from these databases a mold of an individual’s fingerprints can be created with ease. However, using a left behind print, dental cast and mold the same thing can be accomplished in an unofficial manner. Perhaps the most condemning aspect of using biometrics is that they are permanent. Unlike a password that can be changed if it’s hacked, once a theft of biometric data has happened there is no option for such a recourse.

Recently, in the case of The State of Minnesota v. Matthew Vaughn Diamond, a legal precedent was set by the Court of Appeals. The case originally began with a burglary in October of 2014, after which Diamond’s phone was seized but not able to be unlocked. He was eventually ordered to provide his fingerprint to unlock his phone and the evidence gathered resulted in a 51-month sentence.

In the appeal case, which was decided on in January of this year, the court ruled that such an order was not a violation of the defendant’s constitutional rights, citing that police have the authority to gather blood, hair, urine, handwriting and fingerprint samples even against that person’s wishes.

The Judge, Tracy Smith, wrote that the order to provide a fingerprint for the purposes of unlocking a personal device does not violate a person’s privilege against self-incrimination, nor is doing so comparable to being made to testify against oneself in court. The differentiation can be seen clearly when the former is thought of as a confirmation of who you are, and the latter as a confirmation of what you know.

Surprisingly, U.S. Magistrate Judge David Weisman, a federal judge in Chicago, denied the FBI’s request for a warrant mandating the use of suspect’s fingerprints to unlock their smart devices. While the case is actually concerning charges related to child pornography, evidence suspected of being on the cell phones could help convict.

In an article from The Chicago Tribune, the ruling was described as “narrow in scope” but did provide an important blow to “ federal agencies looking for sweeping powers to search individuals' cellphones without probable cause,” as stated by Jennifer Lynch, a senior staff attorney at the nonprofit digital rights group Electronic Frontier Foundation.

As biometric technologies become more and more ubiquitous the issue spreads from those involved with illicit activities to law-abiding citizens by increasing the amount and types of data samples that can be collected by law enforcement without express permission from a judge.


The Rise of DDoS Attacks

Thomas Topp - Friday, November 04, 2016

On October 21st, millions of people on the on the East Coast were denied access to dozens of major websites such as Netflix, Twitter, Spotify, Reddit, Pinterest, and Paypal; as well as to news sites like CNN, Fox News, The New York Times and the Guardian. Later in the day, a wave of similar outages affected the Atlantic coasts of the United States and Europe.  

The attack was focused on Dyn, which is one the companies that runs the internet’s Domain Name System, (DNS). The first attack came around 7am EST, although a second followed at noon and a third just after 4pm. The Department of Homeland Security began an investigation the same day.

The outages were the result of a cyber attack known as a DDoS, or Distributed Denial-of-Service, a threat that is becoming increasingly more common, according to  Brian Krebs, an independent security researcher, noted earlier in October on his blog Simply put, a DDoS attack is designed by hackers to flood a network with useless traffic until it crashes.

Amazon’s web services division, the world’s largest cloud computing company, was also affected, although Doug Madory, director of internet analysis at Dyn, could not confirm if the outages at Dyn and Amazon were linked. Flashpoint, a cybersecurity firm,  attributed the attack to malware based on the Mirai source code, infecting an entire network of devices with the self-propagating code and thereby overloading it.

The Mirai source code powers the “Internet of Things” botnet, which allows objects to be sensed and/or controlled remotely across existing network infrastructure and thereby allows more direct integration of the physical world into computer-based systems. Ideally, the IoT improves efficiency, accuracy and economic benefits, although its scope, including smart devices, security systems and integrated networks, means that attacks can be devastating.

The IoT was born in 2008, when the world first had more smart devices than human being, at which point cybersecurity experts warned such devices were incredibly insecure. “Among the numerous vulnerabilities are that most of them have open and discoverable administrative controls, default passwords and no capability to be patched or updated,” writes Taylor Armerding of CSO Online.

Unfortunately, due to the fact that there are now estimated to be roughly 16 billion smart devices in the world, securing all of them would be a Herculean feat. And what may be surprising is that the attack is not expected to have originated from a national enemy or cyber criminal mastermind, but rather by “script kiddies” who used the Mirai malware source code after finding it posted publicly on hacker websites.

Another major problem is that many users do not know how to, or the importance of, securing their devices. However, the onus is not necessarily on the user, Chester Wisniewski, principle research scientist at Sophos, explains: “Today almost all of the responsibility is on the consumer, who more often than not is not aware of the risks and doesn't know what to do to mitigate them… Consumers have some responsibility, but shouldn't have to become security specialists.” He maintains that “The burden should be almost entirely on the manufacturer to make it as simple as possible.”

Mike Lynch, chief strategy officer at inAuth, adds a second point which is that product designers and manufacturers are not necessarily security experts. “In the eyes of many organizations, building in security protocols is an unnecessary expense that eats into margins, both factors combine to create conditions where security is relegated to afterthought status,” he said.

While this attack will almost certainly not be the last of its kind, because it affected an entire DNS, as opposed to being relegated to individual owners, we may begin to see a movement toward better encryption and security protocols taken more seriously and on a wider scale.


Gone In A Flash

Thomas Topp - Thursday, September 22, 2016

The End of an Animation Era More...