Top infosec trends in the social media spotlight this week
The biometric authentication debate was reignited once again this week, as reports surfaced of an alleged breach at a security firm that handles highly sensitive data on behalf of UK law enforcement, among other organizations.
According to The Guardian, the fingerprints of more than one million people, as well as facial recognition information, unencrypted usernames and passwords, and other personal data was discovered on a publicly accessible database managed by Suprema.
The leak was discovered by security researchers Noam Rotem and Ran Locar, who were said to have accessed more than 27 million records and 23 GB-worth of sensitive data.
The advice to those concerned about having their biometric data compromised was clear:
Joking aside, biometric authentication remains a contentious subject within the security community.
Earlier this year, the European Parliament voted to create a massive biometrics database that would amalgamate individual national records.
Although an EU spokesperson said the Common Identity Repository would be designed with security at the forefront, Webroot security analyst Tyler Moffitt warned that there were still significant risks associated with the storage of so much personal information.
“Shared databases mean more access, which equates to more exposure and more risk that everyone’s data could be exposed or compromised. It becomes a numbers game,” Moffitt told The Daily Swig.
In other data (in)security news, British Airways came under scrutiny after security researchers at Wandera disclosed a flaw in the airline’s e-ticketing system.
According to security firm, the unencrypted check-in URL vulnerability could enable miscreants to snoop on passengers’ booking reference numbers, email addresses, and more.
Over in the US, authorities said the alleged Capital One hacker may have breached more than 30 other organizations.
According to reports, the US Attorney’s Office in Seattle said servers found in the suspect’s home contained data stolen from dozens of unnamed companies, educational institutions, and other organizations.
The investigation into the Capital One data breach remains ongoing.
Elsewhere, Israeli security firm Check Point caught news headlines in the wake of DEF CON 27, as the company demonstrated how a Canon DSLR camera had been susceptible to a ransomware exploit that could encrypt all images it held and render the device unusable.
In a technical blog post published on Sunday, Check Point researcher Eyal Itkin explained how the (now-patched) vulnerabilities in the WiFi-enabled camera were due, in part, to shortcomings in Canon’s implementation of the Picture Transfer Protocol (PTP).
While Canon has addressed the flaws in the its EOS 80D model, Itkin said the PTP vulnerabilities might well impact WiFi-connected DSLR cameras from other suppliers.
“The protocol itself is quite complex,” he said. “We do believe that similar vulnerabilities could be found in cameras by other vendors.
“We want to raise awareness for this specific protocol,” he added. “It should contain some encryption or authentication. Today, you just connect to the camera and that’s it.”
Check out our coverage of this innovative exploit for more details.