Open Source and information security mailing list archives
 
Date: Wed, 7 Feb 2018 12:22:14 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Banknotes Misproduction security & biometric weakness

On 31.01.2018 at 17:21, Vulnerability Lab wrote:
> Hello Ben Tasker,
> sorry if the title of the issue did lead you to misunderstand the
> article. The currency is still secure.
> The title refers to the information used for the issue. In case it was
> misleading we will update it but you were the first who misunderstood
> the article by comments.
>
> "The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them
> access whilst also meaning you didn't at least have a hash of their
> real fingerprint for forensics to find."
> This is correct. Also the problem that others can access with the same
> hologram into for example the highly protected area (mil & gov).
>
>
> "Another theory is that users might opt to use a banknote instead of
> their own fingerprint. I'm not quite sure what the likelihood of that
> is, in that it's not exactly convenient, and if you're concerned about
> privacy implications from a fingerprint scanner the best option is not
> to use it."
>
> What about, if the fingerprint of Lenovo (bug disclosed parallel to
> us) is our European currency. Means the hardcoded fingerprints that
> published parallel is exactly what we refer to when we talk about a
> universal fingerprint. In the real life it is pretty easy to use it in
> large companies due to the registration and as well on entrance. Maybe
> you feel like the practical interaction can not happen, we can confirm
> you from Germany we were successful. The government disallowed us to
> register the fingerprint to the real system otherwise a compromise
> could not be excluded.

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
