By Tim Dees
C1 Contributor
Security is always inconvenient, and people — police people in particular — seem to strive constantly to defeat security measures intended to protect themselves, their property, or the assets of their employers.
Locked doors are propped open or the latches taped over; keys are left accessible to anyone who happens by the hook they’re hung on.
Biometric measures like iris scans and fingerprint readers offer what seems like a secure way of maintaining security without having to carry a card or key or remember a password, and these methods are mostly reliable. Recently, though, a flaw in the fingerprint-reader software used on many laptop computers was revealed to expose the passwords it stores in the Windows registry.
One Woodpecker
The Windows registry is a gawd-awful-long index of arcane “keys” that dictate how the Windows operating system works. You can look at it by typing “regedit” (without the quotes) into the search field in Windows. Change or delete the right key, and the whole system crashes.
The Windows registry is a proof of concept that, if computer programmers designed buildings and bridges, one woodpecker could destroy Western civilization.
The vulnerable password manager is a set of applications called the UPEK Protector Suite.
It services the fingerprint reader installed on many laptops and some desktop machines. Instead of typing a password to start Windows or to access files or websites, you slide your fingertip over the reader, which tells the computer that it is really you trying to get in. The reader recognizes an enrolled fingerprint, and the software then queries the list stored in the registry for a password matching the application or website that currently has focus on the screen.
If found, the software retrieves the password, enters it into the blank, and you’re operating.
In late August, a company called Elcomsoft announced they had devised a way to get the passwords stored by the UPEK software out of the registry. Following that, consultants Adam Caudill and Brandon Wilson published open-source software that does the same thing. The objective (Caudill’s and Wilson’s, anyway) wasn’t to steal anyone’s passwords, but to show users that it could be done. The weakness lies with UPEK’s method of storing the passwords in “barely scrambled but not encrypted” form, making them easy prey for password collectors. A new version of the software was released in mid-September, but the experts say it isn’t much of an improvement.
Acquiring even a single password from a user can leave that user’s entire online identity vulnerable, because people tend to use the same password, or a slight variation of it, over and over. Once the hacker has your email address and a password, they start looking at popular websites and merchants like Amazon, Facebook, Hotmail, and Google, entering the details they acquired to see what works.
Software capable of trying thousands of password variations every second is available and executable on garden-variety desktop and laptop computers. If that password is something often used (“12345,” “password,” “qwerty”) or is tied to a detail of your life (the city where you live, your child’s or dog’s name, your nickname), the task is even easier.
If your computer has a fingerprint reader installed on it, you can check to see if it uses the vulnerable software by opening the registry using the method described above, and navigating to HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\. If you don’t find this key folder, you’re using some other software. Alternatively, check your Programs and Features listing in Control Panel to see if “UPEK Protector Suite” is one of them.
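A scripted version of the two checks just described (the registry key and the Programs and Features listing), written as an added example in PowerShell; it is not part of the original column. The Wow6432Node paths and the Uninstall-key lookup are additions of mine: the former is where a 32-bit program registers itself on 64-bit Windows, the latter is where Programs and Features reads its entries from. The function name is made up.

```powershell
# Added example (not from the column): look for the registry key and the
# Programs and Features entry that identify the UPEK Protector Suite.
# Reading these HKLM keys does not require an elevated prompt.

function Test-UpekProtectorSuite {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        RegistryKeyPresent = $false
        RegistryKeyPath    = $null
        ProgramInstalled   = $false
        ProgramDisplayName = $null
    }

    # The key the column names, plus the WOW6432Node view used by 32-bit
    # programs on 64-bit Windows (assumption: the suite may be 32-bit).
    $keyPaths = @(
        'HKLM:\Software\Virtual Token\Passport',
        'HKLM:\Software\Wow6432Node\Virtual Token\Passport'
    )
    foreach ($path in $keyPaths) {
        if (Test-Path -LiteralPath $path) {
            $result.RegistryKeyPresent = $true
            $result.RegistryKeyPath    = $path
            break
        }
    }

    # Programs and Features is built from the Uninstall keys; search their
    # DisplayName values for the product name the column gives.
    $uninstallRoots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $match = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -like '*UPEK Protector Suite*' } |
            Select-Object -First 1
        if ($match) {
            $result.ProgramInstalled   = $true
            $result.ProgramDisplayName = $match.DisplayName
            break
        }
    }

    [pscustomobject]$result
}

$check = Test-UpekProtectorSuite
$check | Format-List

if ($check.RegistryKeyPresent -or $check.ProgramInstalled) {
    Write-Warning 'UPEK Protector Suite (or its registry password store) is present. Treat the passwords it stored as exposed.'
} else {
    Write-Host 'No UPEK Protector Suite registry key or program entry found.'
}
```

Run it in an ordinary PowerShell window on the machine in question. A positive result from either check is enough to act on: the registry key is the password store itself, and the program entry means the software that writes to it is installed.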
One historically reliable method of maintaining security on multiple passwords is to use a password manager. LastPass has a free version, and their premium version is only $12 per year. I personally favor RoboForm, which varies between $9.95 and $39.95 per year, depending on how many computers you use.
Both store your passwords online in heavily encrypted form that, so far, no one has been able to crack without the master password. When you use a password manager, instead of typing in a web address and manually entering your user name and password, you click on a link in the password manager and the software does all that for you.
Obviously, you need to choose a strong master password, but it’s the only one you’ll have to remember. Both packages include password generators that construct strong passwords of random characters of almost any length and combination of character types (upper- and lowercase letters, numbers, punctuation) you can then paste into the new password blank.
The software will then suggest you ask it to remember the password and where you entered it for future use.
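The generator the column describes, as an added PowerShell example that is neither the column's code nor LastPass's or RoboForm's. It draws characters from Windows' cryptographic random number generator without the bias a plain modulo would introduce, and it also checks a candidate against the guessable choices named earlier (the common passwords and personal details). The 12-character minimum, the character sets and the function names are my assumptions.

```powershell
# Added example (not from the column): a CSPRNG-based password generator
# and a checker for the weak choices the column warns against.

function New-StrongPassword {
    param(
        [int]$Length = 20,
        [switch]$NoPunctuation   # some sites reject symbols; drop them on request
    )
    $sets = @('ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz', '0123456789')
    if (-not $NoPunctuation) { $sets += '!@#$%^&*()-_=+[]{};:,.?' }
    $alphabet = ($sets -join '').ToCharArray()

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Rejection sampling: a byte in 0..255 reduced modulo the alphabet size
    # would favour the first characters; discard bytes at or above the
    # largest exact multiple of the alphabet size instead.
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
        }
        $password = -join $chars
        # Require every character class to appear at least once; retry if not.
        $complete = $true
        foreach ($set in $sets) {
            if ($password.IndexOfAny($set.ToCharArray()) -lt 0) { $complete = $false }
        }
    } while (-not $complete)
    $rng.Dispose()
    return $password
}

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$PersonalDetails = @()   # city, child's or pet's name, nickname
    )
    # The column's own examples of guessable choices; a real deny-list is far longer.
    $common  = @('12345', 'password', 'qwerty')
    $reasons = @()
    if ($Password.Length -lt 12) { $reasons += 'shorter than 12 characters (assumed minimum)' }
    if ($common -contains $Password.ToLower()) { $reasons += 'on the common-password list' }
    foreach ($detail in $PersonalDetails) {
        # -match is case-insensitive, so "rover" inside "Rover2012" is caught
        if ($detail -and $Password -match [regex]::Escape($detail)) {
            $reasons += "contains personal detail '$detail'"
        }
    }
    $classes = 0
    if ($Password -cmatch '[A-Z]') { $classes++ }
    if ($Password -cmatch '[a-z]') { $classes++ }
    if ($Password -match '[0-9]') { $classes++ }
    if ($Password -match '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += 'uses fewer than three character types' }
    [pscustomobject]@{ Password = $Password; Weak = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample checks: a generated password and two of the kind the column warns about.
Test-WeakPassword -Password (New-StrongPassword -Length 20) | Format-List
Test-WeakPassword -Password 'qwerty' | Format-List
Test-WeakPassword -Password 'Rover2012' -PersonalDetails 'Rover' | Format-List
```

The generated password should come back with Weak set to False, while the other two are flagged for the reasons the column gives. Paste the generated value into the site's new-password field and let the manager remember it, exactly as described above.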
Cops are especially juicy targets for hackers, because they have sensitive information stored on their computers, and because they like to make us look like fools.
Don’t leave yourself open to a security breach.