[Fwd: Re: Security procedure question]

["Mario A. Spinthiras" <mario () netway com cy>]

> --- Begin Message ---
>
>
> From: "Henry Troup" <HenryT () watchfire com>
>
> Date: Mon, 25 Sep 2006 09:52:28 -0400
>
> Note that I did not suggest that the pre-boot was weak; I suggest that
> the human factors side of it needed to be carefully considered.
> Pre-boot with full-disk encryption is potentially very strong indeed.
>
> As Saqib Ali says in his later email, it can be "too strong" or at least
> pose significant difficulties in recovering legitimate access.
> Corporate key escrow is a necessary requirement, and can be hard to
> fulfill without the potential for compromise.
>
> Probably the major need is to make sure that corporate information
> always has a primary source that's not on a laptop, so that the worst
> case is the need to re-clone the laptop and lose some number of unmerged
> updates.
>
> Henry Troup
> Watchfire Corporation
> Suite 300, 1 Hines Rd.
> Kanata, ON K2K 3C7 Canada
> 613-599-3888 x4048
>
>
> -----Original Message-----
> From: Mario A. Spinthiras [mailto:mario () netway com cy] 
> Sent: Saturday, September 23, 2006 04:25
> To: Saqib Ali
> Cc: Henry Troup; Brown, Sam; security-basics () securityfocus com;
> lists () hwf cc
> Subject: Re: Security procedure question
>
> Saqib Ali wrote:
> > There is a misconception that bio-metric somehow increases the 
> > security of the mobile device. IT DOES NOT!
> >
> > All it is does is make the logon process easier and simpler. The 
> > bio-metric logon process can, in most cases, be circumvented by 
> > escaping out of the logon sequence, and logging in using the regular 
> > username and password. However if the user set a really complex 
> > password, a dictionary attack would be impossible, while a brute-force
>
> > attack would take a very very long time. The user can use a really 
> > complex password like '3mb55y53curity', without actually having to 
> > type in this password upon each logon. So indirectly biometrics 
> > improves the security of the mobile devices when used in conjunction 
> > with a complex strong password.
> >
> > See:
> > http://www.full-disc-encryption.com/biometrics_and_encryption.htm#mozT
> > ocId415582
> >
> >
> > for more info on biometric readers that come with Dell and HP laptops.
> >
> > As for the issue with the  "residual skin oils left on the device 
> > surface", swipe-through biometric  scanners are designed to address 
> > those issues. With swipe through scanner the attacks with shining 
> > light and breathing on the scanner are not possible.
> >
> > On 9/21/06, Henry Troup <HenryT () watchfire com> wrote:
> > > Mario A. Spinthiras describes a three-factor authentication system:
> > >
> > > > - What you know
> > > > - What you have
> > > > - Who you are
> > >
> > > which is excellent, but there are a couple of caveats.
> > >
> > > To maintain the independence of the factors requires end-user best 
> > > practices, specifically not keeping the USB device conveniently at 
> > > hand in the laptop bag.  This requires training and a continual 
> > > awareness campaign.
> > >
> > > In the case where the USB fingerprint reader is stolen with the 
> > > laptop, there is some degradation of security, possibly a lot:
> > >
> > > I haven't found an authoritative update to show that today's 
> > > fingerprint readers are any more secure than the ones that Tsutomu 
> > > Matsumoto spoofed in 2002 - details at http://cryptome.org/gummy.htm 
> > > and http://cryptome.org/fake-prints.htm
> > >
> > > At that time, some fingerprint readers could be spoofed as easily as 
> > > breathing on them, or with a flashlight at just the correct angle.  
> > > Both of these techniques leverage the residual skin oils left on the 
> > > device surface.
> > >
> > > So, a careless user could take it down to single-factor
> authentication.
> > > To manage this, you need to use the principle of "make the right 
> > > thing an easy thing"; somehow make it in the user's interest to keep 
> > > the parts separated.  (As an aside, remember that male and female 
> > > users may have significantly different preferred styles of device; in
>
> > > general males have pockets, females may have no pockets and prefer a 
> > > purse.) Strangely enough, that would push in the direction of 
> > > Bluetooth over USB; even though normally we feel that wireless 
> > > devices don't add security.  BMW has gone this route with some recent
>
> > > automobiles, preferring a proximity card over a physical key.
> > >
> > > Also, you need to ensure that authorized service people can work on 
> > > the laptop without compromise of the confidential information; that 
> > > is, you still need user-level encryption inside the boot-level
> protection.
> > > Henry Troup
> > > Watchfire Corporation
> > > Suite 300, 1 Hines Rd.
> > > Kanata, ON K2K 3C7 Canada
> > > 613-599-3888 x4048
> > >
> > >
> > > ---------------------------------------------------------------------
> > > ------
> > >
> > > This list is sponsored by: Norwich University
> > >
> > > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA 
> > > has designated Norwich University a center of Academic Excellence in 
> > > Information Security. Our program offers unparalleled Infosec 
> > > management education and the case study affords you unmatched 
> > > consulting experience.
> > > Using interactive e-Learning technology, you can earn this esteemed 
> > > degree, without disrupting your career or home life.
> > >
> > > http://www.msia.norwich.edu/secfocus
> > > ---------------------------------------------------------------------
> > > ------
> I would like to begin with stating that an opinion and a misconception
> have two different meanings. Even if a group of people believe in a
> certain opinion , the majority does not make it A FACT or even a
> MISCONCEPTION!
>
> Biometric authentication is can be fooled yes. but it is all based on
> HOW you set it up. This is why i said to boot from the USB STICK and not
> the actual computer. This eliminates a method of brute forcing the
> kernel. If you were to boot from your computer , and enter in a usb
> stick crafter for bruteforcing , then eventually it would give you
> "something" to go step-by-step to proceed with authenticating. But in
> this case you should have looked at the facts before tagging my
> contribution as "misconception".
>
> Facts:
>
> 1. You dont boot from the computer originally for authentication. You 
> boot from the usb stick.
> 2. The key can be 256bit if you like , it can be stored on the usb stick
>
> , not the computer. It simply has to match the required key by the
> computer.
> 3. I didnt mention biometric authentication for making things "easier" 
> or "simpler" - rather than an addition to security.
> 4. A password is required anyway.
>
>
> In conclusion I would like people to research more on technologies 
> before posting since there are methods that have been in implementation 
> for quite a while now. Even the computer Im talking to has the above 
> implemented and has had quite a few try to break it. that gives birth to
>
> another so called "majority" that definately believes the opposing 
> opinion to the misconcepted reply earlier in this post.
>
> Good luck on this,
> Mario A. Spinthiras
> Netway Ltd
> Nicosia , Cyprus
>
>
>
>
>
> --- End Message ---
---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------