[ISN] Confirmed: Apple-owned fingerprint software exposes Windows passwords

From: InfoSec News <alerts_at_private>
Date: Wed, 10 Oct 2012 00:10:18 -0500 (CDT)
http://arstechnica.com/security/2012/10/confirmed-fingerprint-reader-owned-by-apple-exposes-windows-passwords/

By Dan Goodin
Ars Technica
Oct 9, 2012

Security consultants have independently confirmed a serious security 
weakness that makes it trivial for hackers with physical control of many 
computers sold by Dell, Acer, and at least 14 other manufacturers to 
quickly recover Windows account passwords.

The vulnerability is contained in multiple versions of 
fingerprint-reading software known as UPEK Protector Suite. In July, 
Apple paid $356 million to buy Authentec, the Melbourne, Florida-based 
company that acquired the technology from privately held UPEK in 2010. 
The weakness came to light no later than September, but Apple has yet to 
acknowledge it or warn end users how to work around it. No one has 
accused Apple of being responsible for the underlying design of 
fingerprint-reading software.

The UPEK software has long been marketed as a secure means for logging 
into Windows computers using an owner's unique fingerprint, instead of a 
user-memorized password. Last month, Elcomsoft, a Russia-based developer 
of password-cracking software, warned that the software makes users less 
secure than they otherwise would be because it stores Windows account 
passwords to the registry and encrypts them with a key that is easy for 
hackers to retrieve. It takes only seconds for people with the key to 
extract a password, company officials said. They withheld technical 
details to prevent the vulnerability from being widely exploited.

Now, a pair of security consultants say they have independently verified 
the vulnerability and released open-source software that makes it easy 
to exploit it. Easily decrypted passwords are stored in one of several 
registry keys located under 
HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\, depending on the 
application version. The duo said they released the software and 
additional information so that penetration testers, who are paid to 
penetrate the defenses of their customers, can exploit the weakness.
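The one concrete artifact the article gives a defender is the registry 
location above. The following PowerShell audit script is an added example, 
not code from the article, from Elcomsoft, or from the consultants it 
mentions: it reports whether UPEK Protector Suite is registered as an 
installed product and whether the named Passport key exists, so affected 
hosts can be found across a fleet. It never reads or decrypts stored data. 
The Wow6432Node variants of the paths are an assumption based on ordinary 
WOW64 registry redirection, not something the article states.

```powershell
# Audit for the UPEK Protector Suite password store described in the article.
# Added example; not from the article or from any vendor. Reads only key
# structure (presence, subkey and value counts), never value data.

# Registry path quoted in the article, plus its 32-bit redirected location
# (assumed from normal WOW64 redirection on 64-bit Windows).
$script:PassportPaths = @(
    'HKLM:\SOFTWARE\Virtual Token\Passport',
    'HKLM:\SOFTWARE\Wow6432Node\Virtual Token\Passport'
)

# Uninstall hives searched for the product's display name.
$script:UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-ProtectorSuiteInstall {
    # Returns DisplayName/DisplayVersion for any product whose registered
    # name contains "Protector Suite"; returns nothing when none is found.
    foreach ($root in $script:UninstallPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -like '*Protector Suite*' } |
            Select-Object DisplayName, DisplayVersion, PSPath
    }
}

function Test-PassportStore {
    # One record per candidate path: whether it exists, how many direct
    # subkeys it has, and how many values it and its descendants hold.
    foreach ($path in $script:PassportPaths) {
        $present = Test-Path -LiteralPath $path
        $subKeys = 0
        $values  = 0
        if ($present) {
            $key     = Get-Item -LiteralPath $path
            $subKeys = $key.SubKeyCount
            $values  = $key.ValueCount
            foreach ($child in (Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)) {
                $values += $child.ValueCount
            }
        }
        [pscustomobject]@{
            Path    = $path
            Present = $present
            SubKeys = $subKeys
            Values  = $values
        }
    }
}

# Usage: run from an elevated 64-bit PowerShell session so both HKLM views
# are reachable; pipe the objects to Export-Csv for fleet-wide collection.
$install = @(Get-ProtectorSuiteInstall)
$store   = @(Test-PassportStore)

if ($install.Count -gt 0) {
    "Protector Suite registered in installed programs:"
    $install | Format-Table -AutoSize
} else {
    "No Protector Suite uninstall entry found."
}

$store | Format-Table -AutoSize
if ($store | Where-Object { $_.Present }) {
    "Passport store present: this host matches the affected configuration the article describes."
}
```

A host can show the Passport key without a current uninstall entry (the 
software was removed but the key was left behind) or the reverse (the 
software is installed but no account has been enrolled yet), which is why 
the two checks are reported separately rather than collapsed into one flag.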

[...]


Received on Tue Oct 09 2012 - 22:10:18 PDT