Politician’s fingerprint reproduced using photos of her hands

Last week at a Chaos Computer Club (CCC) convention in Hamburg, Germany, German hacker Starbug claimed he reproduced a fingerprint belonging to German defense minister Ursula von der Leyen using nothing but some commercially-available software and a number of high-resolution photos of her hand.

Starbug, whose real name is Jan Krissler, said that he used a close-up photo of von der Leyen's thumb that was taken with a “standard photo camera” at a press conference from a distance of three meters (about 10 feet). He also used several other pictures of her thumb which had been taken from different angles at different times. Then, according to VentureBeat, Starbug used a program called Verifinger to recreate the print.

Fingerprint readers like those that are commonly found on more recent iPhone models have been hacked in the past. Starbug himself is famous for circumventing Apple's Touch ID in just 48 hours—and he spoke to Ars about the feat at length in an interview. But recreating a fingerprint with just a photo takes a well-known hack a step further. On CCC's website, the group described the conclusions of Starbug's most recent hack: "In the past years, it was successfully demonstrated a number of times how easily fingerprints can be stolen from [their] owner if a person touched any object with a polished surface (like glass or a smartphone)... With this knowledge [of recreating fingerprints from photos] there will be no need to steal objects carrying the fingerprints anymore."


Fake “The Interview” App Delivers Mobile Malware in South Korea

McAfee Mobile Security, in a joint investigation with the Secure Software Engineering Group at the Technische Universität Darmstadt and Fraunhofer SIT, has identified a new threat campaign underway in South Korea that attempts to exploit the huge media frenzy surrounding the release of the film The Interview.

Shortly after the news broke that The Interview, originally scheduled to be released on Christmas Day, would appear online from Sony Pictures, numerous sites claimed to offer a pirated copy–fueled by the rumors that the movie might be distributed free online due to the circumstances surrounding the film’s change in distribution. One claim making the rounds in South Korea turned out to be an Android Trojan we have designated Android/BadAccents (named after the main component in the first stage of the Trojan).

Android/BadAccents claims to download a copy of The Interview but instead is the first-stage downloader of a two-stage banking Trojan. The second-stage component, which was distributed using Amazon Web Services, targets account holders of prominent local banks in South Korea as well as one international bank.

One element of the threat’s code caught our attention: the presence of a detection routine that checked the device manufacturer before infecting the device. We had at first overlooked this because we had not heard of the manufacturers Samjiyon or Arirang; we later found they are not located in South Korea. If the device manufacturer was set to either 삼지연 (Samjiyon) or 아리랑 (Arirang), then the threat would not infect the device and instead prompt the user with a message that an attempt to connect to the server had failed, as we see in the following image.


When installing on any other brand of device, the infection is completed immediately following the download and execution of the second-stage payload.

Currently we don’t believe that this is a politically motivated threat–limiting the infection to devices sold only in South Korea–but purely a business strategy. Because the malicious payload targets account holders in South Korea, why waste bandwidth on an audience outside of the country?

Using the new specialized tool CodeInspector developed by the Secure Software Engineering Group at CASED, the joint IT-security research center between Technische Universität Darmstadt and Fraunhofer SIT, we were able to decrypt the account information that was used by the malware’s authors to relay information to a mail account hosted outside of South Korea.

Although this campaign appeared to be relatively new when we discovered it, the number of infected devices that relayed data was about 20,000. Because accounts related to this threat are hosted outside of South Korea, authorities cannot easily dismantle the campaign and prevent further infections. This tactic has become very popular with threats targeting mobile devices in Korea.

Our investigation of the second-stage component indicates that the malware’s components as well as the Amazon Web Security services may have been used in previous campaigns targeting banks in South Korea as early as October. McAfee has notified Amazon Web Security and the Korea Internet & Security Agency of our findings. We are working with them to stop the distribution and prevent further infections of this campaign.

In a second post on this topic, we will take a deep technical dive into the code and tactics used in this campaign.

We would like to thank Siegfried Rasthofer with the Secure Software Engineering Group at the Technische Universität Darmstadt and Fraunhofer SIT for his contributions to our research.

The post Fake “The Interview” App Delivers Mobile Malware in South Korea appeared first on McAfee.

FBI claimed to be investigating Xbox Live, PlayStation Network DDoS perps

The FBI is reported to be investigating the people responsible for the denial of service attacks that rendered Microsoft's Xbox Live and Sony's PlayStation Network inaccessible for much of Christmas Day, according to sources speaking to the Daily Dot.

A group calling itself Lizard Squad has claimed responsibility for the Christmas attacks. The group has raised its profile over the Christmas period by speaking with a variety of media outlets, including BBC Radio 5 Live and Sky News. Talking to WinBeta, group members said that the denial of service attacks were being done to demonstrate poor security on the part of Microsoft and Sony.

The Lizard Squad members call themselves "Ryan Cleary" (after Ryan "ViraL" Cleary, the LulzSec collaborator imprisoned for hacking and possession of child pornography) and "Vinnie Omari." They claim that their denial of service attacks used undersea routers and that a total of 1.2 terabits per second of data flooded the gaming networks.
