Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

Re: Incredible

>And this is only what they've found...

More will doubtless turn up - a large scale fingertip search is underway.

Re: Incredible

According to their website there are >1,000,000,000 people using Suprema technologies in 1.5 million installations.

I'll also assume that we're only seeing the iceberg tip.

https://www.supremainc.com/en/about/suprema.asp

Re: Incredible

Hey, man, cool down. It's just a million fingerprints. And I'm sure they'll pay for those million people to have their fingerprints surgically replaced. And credit status monitoring for 12 months. No big deal.

Re: I guess they're off the Christmas list now

Efookinxactly! Nail on the head. If this was oil leaking into the ocean, or toxic gas into the air, there would be monumental fines, cleanup charges and possibly criminal charges (think Deepwater Horizon or Exon Valdez). It wouldn't prevent all incidents, but it would change corporate culture enough to reduce the worst excesses. But as it's "just" our identities at stake, nobody gives a toss. It'll be interesting to see whether a South Korean company can be prosecuted under GDPR given the have a large European client base. That would at least show that the law is moving in the right direction.

Re: I guess they're off the Christmas list now

Well, it's hard to tell, because we don't know how many data stores quietly get their security improved after a breach elsewhere is published, and consequently are never breached. While we continue to see examples of massive breaches due to gross incompetence, we don't know how large the pool of insecure but not-publicly-reported sources is, and whether a significant number of sources have been taken out of the pool.

It's entirely possible that for every Suprema or First American there are a dozen firms which see the public disclosure, realize they're in a similar boat, and silently fix the problem before it becomes public. There's no way for us to know. Have they already been quietly breached by non-publishing attackers (criminals, intelligence organizations¹, etc) before remediating the problem? No way to know that either.

The rate of massive breaches isn't getting better. The population of still-vulnerable targets might be getting smaller. Or it might be growing, as more firms move data to public clouds or otherwise increase their attack surfaces without due diligence. But I can't think of any way to measure that, directly or indirectly. The breach rate isn't a well-correlated proxy because there are too many variables.

¹Arguably a redundant formulation.

It is normal now.

A question to those in the security industry - is this normal?

It's a perverse question. There isn't any "normal" in this area for IT security firms (or security BUs within IT firms, etc). There's too much variation for there to be a meaningful single cluster of "normal" practice.

In my experience, IT security vendors mostly fall into one of two categories. There are those which make an effort to have adequate broad IT-security knowledge, so they devote some resources to hiring and training employees in IT security in general. These are the ones you see sending developers and other technical staff - not just sales and marketing - to security conferences. You see their employees writing and presenting for IT security organizations like ISSA. There's some external sign that they have people doing security research.

The other category are vendors that are only concerned with selling products in some narrow category. They may have some genuine expertise in that area (or they may be selling snake oil), but they often show a bewildering lack of basic security knowledge elsewhere. That generally means their products are rubbish, of course, because they either don't have people who understand security engineering, or they don't listen to those people if they do. And it generally means that they have poor security practices elsewhere, as in this case.

And the others...

And also for the companies that use them. You don't get a pass from GDPR because you outsource your security...

Re: Why no whistle blower’s?

Lol! I doubt that even ten people knew how the data was stored - it was quite possibly a couple of people, and neither one was actually a decently trained and experienced DB designer AND aware enough of what cloud best practices are. It probably ended up online because the business started screaming CLOUD a lot.

Re: Why no whistle blower’s?

Have you tried blowing the whistle on something like this?

I attempted to report my employer to the ICO for ignoring GDPR and a DPO who thinks we can keep data indefinitely if she says so but they are not interested. They have links to report organisations that are misusing your personal data, that Google refused to remove links relating to you, cookie use issues, issues with data transferred to the USA or for reporting an actual breach but nothing for reporting systematic and willfull ignorance of the law.

Re: Why no whistle blower’s?

Because blowing the whistle can be difficult. You don't want the risk of being sued. You're well aware if you are exposed as the blower, you'll Potentially, wrongly, be black listed from working again. Especially if you are exposed in the press. You worry that if you provide email evidence by abusing your position to view mailboxes, would that be crossing the whistle blower line?

A list of the process' for blowing the whistle would be good for people. Like what email systems are good to use to email the press anonymously? Do files like word docs etc have any hidden fingerprint info in them that would say what the last PC they were on was called? Etc

...and to change their faces to a more secure one.

Re: Those customers affected...

I've just sandpapered mine off. It seemed safest. I might draw some on with a marker pen if I have time.

Re: Design Strategy: What if the data becomes public?

What if the data becomes public?

Who's to say it hasn't already?

Re: Design Strategy: What if the data becomes public?

to me, the most unforgivable thing is storing people's passwords and biometric data as non-hashed.

I'm just curious, how easy is it to work with data where there won't be an exact match stored as a hash?

Passwords are easy, your not trying to match "well that's nearly your password I'll say that's good enough" you take the password entered, you apply the hashing algorithm and you match the hashes.

I'm probably being thick here but I assume that finger print matches aren't likely to be precise. Even without things like scratching ones finger tips the scans are noisy. So the entered data won't exactly match the stored data. The hashing algorithm is going to result in any difference in the data producing completely different hashes.

Re: This is becoming a bit mundane which is the really scary bit

"Perhaps GDPR will help but ..."

While GDPR is an improvement, it's unfortunately rather too late when it comes to bolting the stable door. Even if it all works amazingly and a few years from now everyone has perfect security, that doesn't help if your name, address, DoB, email, favourite passwords, face and fingerprints are already all out in the wild. It certainly can't hurt to try to stop things getting any worse, but so far we're not really doing anything to figure out how to cope with the fact that everything has already been hacked and leaked.

@keithpeter - Re: Employment rights?

Your employer has every right to use biometric, RFID chipping/tagging etc on you. It should have the obligation to not misuse your personal information but they're busy making money and can not be bothered with that.

Re: Storing admin credentials in plaintext

The company's share price has increased slightly today. I don't understand why. Who in their right mind would want to invest in a company responsible for this travesty? Surely they're soon to have their balls stamped on?

Re: Storing fingerprints in clear-text?

they can murder someone and leave fingerprints that look like yours

That is most unlikely. What is stored is a data representation of a fingerprint obtained from a biometric scanner. It is not reproducible as an actual fingerprint, as far as I know.

However, that said, if stored without encryption, it means that the data, if stolen, can be used to fool a biometric security system by simply bypassing the scanner and sending the data to the computer doing the comparison with the dataset.

Re: Storing fingerprints in clear-text?

Normally you would store the minutia, which can't be reversed to a fingerprint image.

El'Reg knows it's you. When you look at your AC posts they report your thumbs up and down in the same way they do for your non AC posts.

Re: Hash

Hash everything even their shoe size

Well, they've certainly made a hash of their security policies...

Re: Equifax, Amazon cloud, Suprema......

Secrecy only serves capital. It is anti human...AC, because, those are the rules you all want just now.

We are used to secrecy, but it makes zero difference when it doesn't affect the bottom line. Which is the only reason that it's there in the first place.

And what's a human to do if they have to use a system and the system gets breached? Are they supposed to just change their finger-prints? The point is, it's all just a race for no reason at all. What's "secure" today is wide open tomorrow.

So, suck it up...I don't care...my bank covers my losses ( it's money they created out of thin air anyway ) and no harm comes of anything.

So, ask yourself, why do you care?