Security Bulletin #113 – 25 May 2017
Samsung Galaxy S8 iris scanner can be fooled with a printed photo
Chaos Computer Club (CCC) hacker “Starbug” has proven that the iris recognition system in Samsung’s Galaxy S8 smartphone can be fooled by using a printed photo of the user’s eye(s). Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris. Samsung means for the iris recognition tech to be used by users to make purchases with Samsung Pay in-store, check their bank accounts via Samsung Pass, and log into their favorite sites with the Web sign-in feature. Iris recognition was said to be an airtight security feature but unfortunately for Samsung, this simply isn’t true. If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication.
Microsoft unveils special version of Windows 10 for Chinese government
China banned Microsoft's Windows operating system on government computers in 2014 amid concerns about security and US surveillance. Even in the wake of that, China had been pushing its custom version of Windows XP and its forked version of Ubuntu Linux. To deal with this issue and target the world's largest market, Microsoft's CEO for the Greater China region last year confirmed that the company was working on a Chinese version of Windows 10 that included ``more management and security controls`` and less bloatware. Now, Microsoft has just announced a new version of its Windows 10, which is now ready for Chinese government agencies to use. Windows 10 Enterprise Edition already provides several security, identity, and manageability features governments and enterprises need, but Windows 10 China Government Edition will let the country use the management feature to monitor and deploy updates as needed, manage telemetry, and use its own encrypted algorithms. Microsoft enables the Chinese government to use its own encrypted algorithms in its Windows 10 China Government Edition in order to secure data that they do not want others to see. The Chinese version of Windows 10 does not allow access to features that are not needed by Chinese government employees like Microsoft's OneDrive service that let people store their documents and files on Microsoft-controlled data centers.
DEF CON July: Hackathon against voting machines
Organizers at the DEF CON hacking conference in July are planning a mass cracking of US electronic election machines. The event, which for over 20 years has attracted the best and the brightest in the hacking community, will see a group hackathon against the voting machines that are used in every US election these days. The purpose is to check whether the machinery that underpins the electoral system is up to scratch. America was one of the earliest adopters of electronic voting systems. But there have been doubts raised about the security of electronic systems almost immediately since their introduction. Up until now, the voting machine companies keep telling us everything is totally secure, when everyone in cybersecurity knows there's nothing that's totally secure, it's all just a matter of risk mitigation. Other countries are also troubled by the prospect of voting machine manipulation. India is to hold a hackathon for its election machines to find out if they can be subverted, and the EU has voiced concern about voting security. US regulations on voting machines are lax to say the least, and the DEF CON crews should find lots of interesting holes.
Current Alerts CERTFR-2017-ALE-008 : Multiples vulnérabilités dans Microsoft Windows XP et Windows Server 2003 (15 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf CERTFR-2017-ALE-011 : Campagne de messages électroniques non sollicités de type Jaff (14 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-011.pdf CERTFR-2017-ALE-010 : Propagation d’un rançongiciel exploitant les vulnérabilités MS17-010 (12 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf Patches CERTFR-2017-AVI-165 : Vulnérabilité dans Samba (24 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-165.pdf