Security Basics mailing list archives
RE: Security procedure question
From: "Henry Troup" <HenryT () watchfire com>
Date: Thu, 21 Sep 2006 11:49:50 -0400
Mario A. Spinthiras describes a three-factor authentication system:
- What you know
- What you have
- Who you are

which is excellent, but there are a couple of caveats.

To maintain the independence of the factors requires end-user best practices, specifically not keeping the USB device conveniently at hand in the laptop bag. This requires training and a continual awareness campaign.

In the case where the USB fingerprint reader is stolen with the laptop, there is some degradation of security, possibly a lot: I haven't found an authoritative update to show that today's fingerprint readers are any more secure than the ones that Tsutomu Matsumoto spoofed in 2002 - details at http://cryptome.org/gummy.htm and http://cryptome.org/fake-prints.htm. At that time, some fingerprint readers could be spoofed as easily as breathing on them, or with a flashlight at just the correct angle. Both of these techniques leverage the residual skin oils left on the device surface. So, a careless user could take it down to single-factor authentication.

To manage this, you need to use the principle of "make the right thing an easy thing"; somehow make it in the user's interest to keep the parts separated. (As an aside, remember that male and female users may have significantly different preferred styles of device; in general males have pockets, females may have no pockets and prefer a purse.) Strangely enough, that would push in the direction of Bluetooth over USB, even though normally we feel that wireless devices don't add security. BMW has gone this route with some recent automobiles, preferring a proximity card over a physical key.

Also, you need to ensure that authorized service people can work on the laptop without compromise of the confidential information; that is, you still need user-level encryption inside the boot-level protection.

Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048