This approach sidesteps user authentication, therefore providing unauthorized access and complete control over the device that is the focus of the attack.Researchers from China were able to undertake brute-force attacks and acquire unauthorized access to accounts, systems, and networks by effectively circumventing the current security mechanisms on smartphones, such as attempt limitations and liveness detection, by exploiting two zero-day vulnerabilities. This enabled the researchers to gain unauthorized access to accounts, systems, and networks.The following zero-day vulnerabilities have been exploited, and we have listed them below:

Cancel-After-Match-Fail (CAMF)
Match-After-Lock (MAL)

In addition, researchers found a potential vulnerability in the protection of biometric data that was being communicated by fingerprint sensors via the Serial Peripheral Interface (SPI).In order to analyze the efficacy of BrutePrint and SPI MITM attacks, a thorough test was run on 10 different types of smartphones that are quite popular.

The findings showed that these attacks were effective in allowing an infinite number of tries on any Huawei device running Android or HarmonyOS; however, iOS devices indicated a restricted vulnerability, allowing for just an extra 10 attempts to be made.
The primary idea of BrutePrint is to send an unconstrained series of fingerprint image submissions to the device that is being targeted. This process is repeated until a match is discovered with the user-defined fingerprint, and there are no restrictions placed on the number of times the process may be carried out.

An attacker can launch a BrutePrint attack on a target device by first gaining physical access to the device, then gaining access to a fingerprint database, and finally using equipment that costs around $15. This allows the attacker to manipulate the False Acceptance Rate (FAR) in order to increase the acceptance threshold for fingerprint matches and achieve easier unauthorized access.

By exploiting the CAMF issue, BrutePrint injects a checksum mistake into the fingerprint data. This enables it to circumvent security mechanisms and gives attackers the ability to try an endless number of fingerprint matches on smartphones without being discovered.By exploiting the MAL vulnerability, attackers get the ability to determine the authentication results of the fingerprint photographs they test on the target device, even while the device is in a “lockout mode” state of operation.The BrutePrint attack sidesteps the lockout mode by exploiting a process known as MAL. It also makes use of a method known as “neural style transfer” to change fingerprint pictures in the database so that they more closely match sensor scans taken by the target device. This increases the probability that the authentication will be successful.

The researchers found that every Android and iOS device they tested had a vulnerability to at least one known vulnerability after running a series of tests on those devices. The tests were carried out on a selection of 10 different mobile devices.

The researchers found that certain iPhone models are susceptible to CAMF, but due to the limited number of fingerprint attempts (up to 15), it is impractical to brute-force the owner’s fingerprint. Additionally, the researchers found that all tested Android devices are susceptible to the SPI MITM attack, with the exception of iPhones, which encrypt fingerprint data on the SPI, rendering any interception ineffective.

BrutePrint may appear to have limitations due to the requirement that it must have prolonged access to the device it is targeting; however, its potential for enabling thieves to unlock stolen devices and extract private data, as well as the ethical concerns and privacy rights implications for law enforcement during investigations, raise significant issues regarding rights violations and the safety of individuals in countries with a dominant political or economic position.

The post Unlock any Android Smartphone with this fingerprint hack appeared first on Information Security Newspaper | Hacking News.

According to the experts at Resecurity, this is one of the most popular cybercriminal trends today, as it allows hackers to perform account takeover attacks and easily access compromised online accounts without attracting the attention of affected users or security systems on these platforms.

Before continuing, it is necessary to clarify that the term fingerprints refers to a set of data related to the user’s devices, including IP addresses, screen resolution, browser data, time zone, language, navigation cookies and browser plugins installed. Many of the current anti-fraud solutions are based on fingerprint verification and are usually regarded as a reliable method.

Using MASQ in conjunction with the credentials for an attacked account, threat actors can reuse victim cookies to spoof the digital record of an authentic device. Anti-fraud mechanisms will not be able to identify this malicious activity, so transactions will be carried out without raising suspicions.

With the active growth of consumers using mobile devices, cybercriminals use such tactics more often to compromise all kinds of online accounts, including email platforms, social media accounts and online banking accounts.

“These tools represent one of the biggest risks for online transactions, as they enable all kinds of frauds. It is extremely important to track the emergence of such tools on the dark web and use this knowledge to develop more advanced fraud prevention and digital identity authentication controls,” Resecurity experts mention.

The latest version of MASQ was released on June 13, indicating that the tool receives constant updates and maintenance. Experts mention that this tool has already displaced Linken Sphere as the most popular evasion tool today, so it will continue to be in the news for months to come.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post MASQ: The new hacking tool able to copy the identity of any smart device appeared first on Information Security Newspaper | Hacking News.

Hackers can clone your fingerprints if you show ur hands in photos | President of USA and FBI call social media companies to develop tools so they can detect criminals before they strike

Below the links to the cybersecurity news.

1. Hackers can clone your fingerprints if you show ur hands in your photos.

2. President of USA and FBI call social media companies to develop tools so they can detect criminals before they strike

The post POPULAR NEWS VIDEO 8 AUG appeared first on Information Security Newspaper | Hacking News.

Carlos Gutierrez, an FBI consultant expert, claims that a hacker could copy the fingerprints of anyone using a high-resolution camera.

“Smartphone cameras are increasingly equipped with better resolution; by just zooming in a photo you could see a person’s fingerprints. There have already been reports of cloning fingerprints from photographs,” says the cybersecurity expert. “With access to this information hackers could break into bank accounts, request credits, and unlock mobile devices, among other malicious activities”.

In addition, he notes that the use of fingerprints as a means of authentication could further compromise the user than the traditional username and password method: “Anyone can reset the password of their email or other platforms, but fingerprints are for life,” the expert adds.

It should be noted that this attack variant requires various conditions to be met; to begin with, the camera with which the photograph was taken must have a very high resolution, in addition the fingertips of the person appearing in the photo must be in the appropriate position for the fingerprints to be sufficiently visible.

The good news is that not everything is lost. Teams of experts are developing a protective layer for our hands that would cover our fingerprint, preventing hackers from getting it with just one photo.

Faced with the potential risk of becoming victims of identity fraud, cybersecurity specialists from the International Institute of Cyber Security (IICS) recommend users who like to post their photos constantly applying some modifications, such as cropping the image so that the fingerprint doesn’t appear full sized or applying filters that make it difficult to see the image.

Some hackers have successfully attempted fingerprint cloning before; a few years ago, Jan Krissler forged Apple‘s TouchID sensors when the iPhone 5S was released using only the stain of a fingerprint on the sensor screen. The hacker managed to create a fake finger with that fingerprint and unlocked the device. A year later, the same hacker used some photos posted on Internet pages to falsify the fingerprint of Germany’s defense minister.

The post How hackers are stealing people’s fingerprints with their photos appeared first on Information Security Newspaper | Hacking News.

The fingerprints recognition software used by the Federal Bureau of Investigation and around 18,000 US law enforcement agencies include a piece of code made by a Russia-based firm called Papillon AO.

The fingerprint analysis software was purchased from the French company called Morpho (earlier known as Sagem Sécurité) which “deliberately concealed” the existence of the secretly sourced Russian code, the report claims.

However, the reason why it was kept a secret is due to a non-disclosure agreement between Morpho and Papillion that happened almost 10 years ago when the code was sold for $6 million. Morpho is now owned by a US firm and its name has been changed to Idemia.

Maybe, a backdoor in the fingerprint recognition software is just a possibility. Becuase none of the sources and cybersecurity experts the website contacted have claimed the existence of the same in the code.

But what could raise eyebrows is that Papillion, in the past, has openly talked about their collaborations with Kremlin-fueled bodies including the Ministry of Defence and Federal Security Service, also known as FSB.

Papillion has denied the allegations of any backdoor in the code. The FBI didn’t address the website’s request for a comment on the matter but said that the all the software are well-checked and reviewed before they’re deployed.

Source:https://fossbytes.com/russia-hacking-fbi-stealing-fingerprints/

The post Russia Might Be Hacking FBI And Stealing Fingerprints Of Millions, Says Report appeared first on Information Security Newspaper | Hacking News.

A researcher has found digital fingerprints that tie the WCry ransomware worm that menaced the world on Friday to a prolific hacking operation that previously generated headlines by attacking Sony Pictures, the Bangladesh Central Bank, and South Korean banks.

The link came in a cryptic Twitter message from Neel Mehta, a security researcher at Google. The tweet referenced identical code found in a WCry sample from February and an early 2015 version of Cantopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped almost a terabyte’s worth of data from Sony Pictures in 2014, and siphoned almost $1 billion from the Bangladesh Central Bank last year by compromising the SWIFT network used to transfer funds.

The post Virulent WCry ransomware worm may have North Korea’s fingerprints on it appeared first on Information Security Newspaper | Hacking News.

The US federal authorities asked a 3D printing lab to recreate a dead man’s fingers to unlock his smartphone … will it work?

Do you remember the battle Apple vs FBI conducted to force the IT giant on unlocking the San Bernardino Shooter’s iPhone, well it has become a story of the past.

According to Rose Eveleth, the Police asked a 3D printing lab at the University of Michigan to recreate a dead man’s fingers to unlock his phone.

In this specific case, the man was killed and investigators believed that his mobile device contains useful information to solve the case.

Contrary to what you think, it isn’t so easy to reproduce such kind of  fingers because modern biometric sensors rely on electrical currents that most 3D-printed objects are not able to conduct.

For this reason, the federal authorities requested the help of the professor Anil Jain at the University of Michigan. The professor “coated the 3D printed fingers in a thin layer of metallic particles” in order to overwhelm the limitation related to the electric conduction of that most 3D-printed objects.

“The police already have a scan of the victim’s fingerprints taken while he was alive (apparently he had been arrested previously). They gave those scans to the lab, and using them Arora has created 3D printed replicas of all ten digits.” stated the report published by Eveleth. “A 3D printed finger alone often can’t unlock a phone these days. Most fingerprint readers used on phones are capacitive, which means they rely on the closing of tiny electrical circuits to work. The ridges of your fingers cause some of these circuits to come in contact with each other, generating an image of the fingerprint. Skin is conductive enough to close these circuits, but the normal 3D printing plastic isn’t, so Arora coated the 3D printed fingers in a thin layer of metallic particles so that the fingerprint scanner can read them.”

Arora and his team haven’t yet tested the fingers on the mobile device of the dead man, but the professor is confident that in a few weeks he will be able to unlock the device .

On the other hand, this technique potentially represents a threat to the users’ privacy, there is the concrete risk that someone could abuse it, for example by stealing a fingerprint using a high-resolution photo and recreating it with a 3D-printing process.

The post 3D printing of a dead man’s fingers allows unlocking his phone appeared first on Information Security Newspaper | Hacking News.

While initial reports placed the OPM hack at around 1.1 million affected people, as time went by, the number grew to 4 million, then 18 million, before finally ballooning at 21 million in the most recent official statement.

Now, as the OPM internal security team is investigating the incident alongside the DoD, new information has come to light, according to which, some of the servers on which the hackers found their way into also contained biometrics data, fingerprints, to be more exact.

FBI officials say that, while this data is quite harmless at the moment, it could still be used in upcoming years, as fingerprints will slowly start to replace passwords.

One of the companies pioneering this trend is Apple, which included its Touch ID system in its latest iOS 9 release.

Besides phones and tablets, the technology is also expected to be used with online banking services, providing a much safer and quicker way to authenticate, eliminating many of the current entry points for hackers, which most of the times are targeting the user’s alpha-numeric passwords.

This is just an update on the OPM hack, and we’ll be following it to bring you more details as the investigators churn through the data.

Source:https://news.softpedia.com/

The post Fingerprints of over 5.6 Million Americans Stolen During the OPM Hack appeared first on Information Security Newspaper | Hacking News.