Give biometrics the FINGER: Horror tales from the ENCRYPT
Le FREAK? C’est chic!
Something for the Weekend, Sir? This week’s sorry tale of security-lapse-by-design might reveal plenty about political interference but it tells us even more about human nature in general. Due to some poorly thought-out US government policy some 20 years ago, yet another security lapse has raised its ugly head, drawn back its lips and threatened to sink its teeth into our collective backsides.
No wonder hackers are so angry and swear most the time. All that chewing of bottoms must get to you after a while.
The FREAK (Factoring RSA Export Keys) flaw allows bad men to exploit those secret intimate moments shared between certain web browsers and HTTPS websites. Just when your copy of Safari begins rubbing the website’s knee and mumbling "you know you want it" in its ear, FREAK allows the hooligan element of the online world to tip-toe unnoticed into the room. By the time Safari has finished sweet-talking the website and is fumbling with its zip before establishing a "safe connection", the rascals have stolen its johnnies.
The weakness in the connection security at this stage was the result of a governmental directive some 20 years ago that good encryption should not be exported to that dark and dangerous place outside the US known as "the rest of the world" (AKA "terrorists").
In many cases, security flaws are loopholes left behind due to the complexity of the digital antagonism between trying to enable a thing while preventing that thing. FREAK, on the other hand, was created as a deliberate act of self-sabotage, determined by the Powers That Be in full knowledge of the potential consequences.
Blame politicians for their lack of long-term vision if you like, but this is hardly the point. Politicians come and go and fill their pockets and die: this is what we expect politicians to do and we vote them into office so that they can do it. If there’s any lack of forward-thinking involved, it starts at the ballot box.
But in this instance, lots of people at the time said that relaxing encryption was A Stupid Idea. So the politicians and their advisers knew it was daft and still went ahead.
Consider the Y2K bug or the 2038 bug or whatever. The very fact that these things have names suggests that someone somewhere had the foresight to think about them in advance. They began as oversights and go on to be exploited, and then go on to be fixed.
It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it.
Despite what we already know, not least what we have learnt this FREAK week, someone somewhere is probably still advising the British prime minister that message encryption was invented by Osama bin Laden and should be zero-dark-thirtied at the first opportunity. National security, he is being advised, can only be achieved by criminalising er… security. Duh.
I blame these same advisors for the reckless re-emergence of biometric checks as a form of authentication. Surely it’s obvious to everyone that the fingerprint login on iPhones 6 and iPad Air devices is just a bit of fun, not a serious stab at effective security. Yet RBS and NatWest banks are introducing fingerprint access for accounts via mobile devices, and the scary bit is that they’re not laughing.
Biometrics are bollocks. Some El Reg readers may recollect Steve Jobs years ago demonstrating VoicePrint verification in Mac OS 9: "My name is my password". It was just a little joke, though: a laugh, a trick to delight the kids. It certainly wasn't secure.
By the way, if you do remember this short-lived feature, well done: most long-time Mac users have already forgotten this turd of biometric nonsense.
In sci-fi action films, when a retina scan or a fingerprint is required to gain access to the high-security lab of an evil genius, the hero plucks out or hacks off that item from an unsuspecting minion in a lab coat and simply waves the relevant bloodied body part in front of the clichéd scanner thingy. For voice-activation, I wouldn't be surprised to see a cinematic hero trying to blow though the vocal cords he’d ripped out of the chief scientist’s neck.
Of course, for voice activation, all you’d need to do is to hire a voice actor for your crack team, or invite that bloke down the pub who can do impersonations. Just imagine if James Earl Jones had voice activation on his bank account: you could break into it using a Darth Vader voice-changer from a toy shop.
No Luke... it's me: your FAAAATH... Oh never mind. Pic via official Star Wars Instagram
Facial recognition is even worse. At least with a fingerprint, I have a more than reasonable chance of keeping it secret from naughty people. Keep your whisky glass clean, Mr Bond; wipe the smears off your iPad, refuse offers of Gummi Bears and don’t let an action hero slice off your fingertips – easy, really. But with facial recognition, the scammers only have to look at me to know my password.
Unless I’m wearing a burka or "mekkin’ me face all blurreh", I would be a walking security nightmare. A half-decent life-size photograph of my face, waved in front of a biometric-testing camera lens, would probably be good enough to break into my bank accounts. Gun nuts could don a novelty Obama mask and stride into the Oval Office. In the UK, they sell Tony Blair masks every Halloween – I kid you not – with which you gain access into the UN building, top-level meetings in Palestine or even Harrod’s, which incidentally is London’s only major department store not to be threatened by Islamic State.
Sponsored: Becoming a Pragmatic Security Leader