If your approach to password management is to use your "fingerprint as your master password," and your laptop uses UPEK software, then you will not be happy to learn that your Windows password is not secure and is in fact easily recoverable. In fact, "UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts." The UPEK fingerprint reader and software came installed on laptops manufactured by any of these 16 companies: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba.
On the Elcomsoft blog about "advanced password cracking insight," Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry "almost in plain text, barely scrambled but not encrypted." It's not just a few that are susceptible to hacking. "All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk."
"We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable "automatic login", which is discouraged by Microsoft." In fact, Windows warns users that automatic login is a security risk before allowing activation of the setting.
So if you subscribed to the theory "password management at your fingertips," believing that biometrics increased your security via using UPEK Protector Suite, and also encrypted files or folders with Windows Encrypting File System (EFS), then Elcomsoft has even worse news for you.
EFS encryption is extremely strong and impossible to break without knowing the original Windows account password. And here comes UPEK Protector Suite. Conveniently storing your plain-text account password, the suite gives the intruder the ability to access your used-to-be-protected EFS encrypted files. Bummer.
UPEK Protector Suite software shipped with laptops equipped with UPEK fingerprint readers until 2010, when the company was acquired by AuthenTec and switched to TrueSuite software. Elcomsoft warned, however, that most "existing laptop users will simply stay with the old flawed software, not feeling the need to upgrade." Furthermore, "if you care about security of your Windows account, launch UPEK Protector Suite and disable the Windows logon feature. That should clear the stored password for your account. Note that you should clear all stored account passwords to protect all user accounts."
Elcomsoft often writes about "password recovery" and is a member of the Russian Cryptology Association (RCA) and the Computer Security Institute. Yet it is not the only firm that has found flaws in UPEK software. UPEK Protector Suite also came under fire last year when the Vulnerability Laboratory disclosed that the UPEK Protector Suite 2011 was vulnerable to buffer overflow.
Ars Technica's Dan Goodin reported that AuthenTec is allegedly "aware of the weakness" in the UPEK Protector Suite. Yet AuthenTec has neither recalled the software, nor issued a security warning—despite the fact that the digital privacy of millions of people is now at risk.
AuthenTec reported revenue of $20.5 million in the second quarter of 2012. The company's last two news releases pertained to AuthenTec's "first military-grade encryption offering for data stored on Android devices and removable storage media" and AuthenTec's VPN security and FIPS-certified cryptographic security being integrated into Pantech's newest Android smartphones.
According to Sophos Naked Security, "Brent Dietz, the Director of Corporate Communications at Authentec, said that his company can’t find any evidence to support those [Elcomsoft] claims." Dietz added that "ProtectorSuite uses AES encryption to protect stored passwords and that the company would never leave passwords in an unencrypted state in its software – past or present. Should the company find evidence to support Elcomsoft's claims, it will push a patch to customers immediately."
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.