Friday, February 20, 2009

IHF Roundup: New iPhone App Aids Gamblers, Photoshop Trumps Laptops, and Other Top Stories This Week



News from all corners of the country this week. Let's get started.

Casinos across the country were warned about an iPhone/iPod Touch application that counts cards, and according to the Nevada Gaming Commission, helps players beat the house in blackjack. If caught, I wouldn't be surprised if gamblers use this to fight off security guards. It must be more successful than trying to make a run for it.

At Black Hat DC this week, Vietnamese researchers showed the vulnerabilities of facial recognition software as a secure authentication method for laptops. With digital images and tweaked angles and lighting, they were able to bypass the biometrics on Lenovo, Asus and Toshiba laptops and gain access to the computer. Looks like traditional typed log-ins and passwords will hold the edge, at least for now.

Back in California, last week's DMV controversy has not died down in the least. A key legislative committee blocked the DMV's request to utilize facial recognition software to match up driver's license photographs with the entire DMV database of headshots. Fears that this system could make its way into police hands to monitor people at public gatherings are still rampant. So far, privacy groups: 1 DMV: 0. However, I'm sure this battle is far from over.

Did I mention Einstein was reborn? In a robot's body. The resemblance is uncanny! The researchers are still working on improving the IQ score.



Facial Recognition Authentication Software on Laptops Still Vulnerable to Hackers


At Black Hat DC yesterday, researchers demonstrated the vulnerability of current biometric facial recognition technology as a log-in security measure. Entitled "Your Face is NOT Your Password: Face Authentication Bypassing Lenovo – Asus – Toshiba," the report describes how the software -- a successor to traditional, typed passwords -- is still in its very early stages.

Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32 systems all use webcams and algorithms to match a stored image with the user's face in order to log them into the system. However, as the researchers demonstrated, there remain several fairly simple ways for users to bypass this authentication process.

For example, Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center, a Hanoi-based security organization, described how using an image bearing only a slight resemblance to the one stored by the system can allow a user to bypass the software. With millions of photos made accessible online by Facebook, MySpace and other social networking sites, hackers can easily manipulate images in terms of angle and lighting until one works -- even an intermediate Photoshop user could make the requisite changes.

The team also showed a secondary spoofing technique called "fake face bruteforce," in which hackers generate multiple random faces to eventually gain access to the system. As one reporter recognized, this process parallels the conventional mechanism of trying hundreds, or possibly thousands, of text passwords before the correct combination is found.

Taking into account all of these concerns, it looks like the typed password will remain the preferred authentication method for laptops worldwide -- at least for now.

There are approaches, however, that can address both of these issues. First, the brute force vulnerability is the easier of the two to deal with. Since it's relatively easy for a laptop to know when it is being bombarded with hundreds or thousands of randomly generated and incorrect faces, that kind of activity burst can trigger a response from the facial recognition software itself. It might shut down in response to the attack, or possibly just slow down. By suspending for longer and longer intervals with each failed access attempt beyond the acceptable threshold, the brute force attack is dragged out over such a long time period that it becomes impractical.
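The escalating-suspension idea above, as an added example that is not part of the original post and not any vendor's code: a small Python throttle that lets a few consecutive failures through, then doubles the lockout after each further failure (with a cap so a legitimate user is never locked out indefinitely), plus a simulation that shows how long a burst of random faces now takes to get scored. The class and function names, the threshold of three free failures and the one-second base delay are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class FailureThrottle:
    """Escalating lockout for a face-login endpoint (hypothetical design).

    After `threshold` consecutive failures, each further failure doubles the
    suspension interval, so a burst of random "fake faces" is stretched out in
    time instead of being scored back-to-back.
    """
    threshold: int = 3          # free failures before suspensions start (assumed)
    base_delay: float = 1.0     # seconds for the first suspension (assumed)
    max_delay: float = 3600.0   # cap so a real user is never locked out forever
    failures: int = 0           # consecutive failed matches so far
    suspended_until: float = 0.0  # timestamp before which attempts are refused

    def delay_for(self, failures: int) -> float:
        """Suspension length after `failures` consecutive failed matches."""
        excess = failures - self.threshold
        if excess <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def attempt(self, matched: bool, now: float) -> str:
        """Record one recognition attempt made at time `now` (seconds).

        Returns "suspended" if the attempt was refused without being scored,
        "granted" on a successful match, or "denied" on a failed match.
        """
        if now < self.suspended_until:
            return "suspended"          # do not even run the matcher
        if matched:
            self.failures = 0           # a real login resets the counter
            self.suspended_until = 0.0
            return "granted"
        self.failures += 1
        self.suspended_until = now + self.delay_for(self.failures)
        return "denied"


def time_to_exhaust(n_faces: int, threshold: int = 3,
                    base_delay: float = 1.0, max_delay: float = 3600.0) -> float:
    """Simulated seconds until the n-th random face is actually scored, assuming
    every attempt is submitted the instant the current suspension ends.

    Without the throttle the same n faces would all be scored immediately.
    """
    throttle = FailureThrottle(threshold, base_delay, max_delay)
    now = 0.0
    for _ in range(n_faces):
        now = max(now, throttle.suspended_until)  # wait out the suspension
        throttle.attempt(False, now)              # a random face never matches
    return now


if __name__ == "__main__":
    for n in (3, 10, 20, 50):
        print(f"{n:3d} random faces scored after {time_to_exhaust(n):9.0f} s")
```

With these assumed parameters the first three failures cost nothing, the tenth random face is not scored until 63 seconds in, and once the cap is reached each further attempt costs an hour, so "hundreds or thousands" of generated faces stop being a practical burst. Because the attack runs on the laptop itself, the counter and the suspension timestamp should be kept in the same protected store as the enrolled face template, not in something the attacker can simply reset.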

As for detecting the difference between live faces and pictures, a so-called 'liveness' test can be performed to deter hacking, but this is a much more difficult problem. However, I assure you that this too can be done. As to how? I need to keep that to myself for now, but let's just say that not all facial recognition technology is so easily hacked.
