Penetration Testing mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Tue, 27 Jan 2004 13:30:16 -0500
This is a valid line of questioning. You're basically doing a threat assessment - how big is the vulnerability and how large is the threat. Having a security mechanism that 3 people in the world can "easily compromise" is only a big deal if you've got some pretty serious stuff on those laptops. In that case, having it on the laptop may be the biggest mistake.

I have this argument (lower security that everybody uses vs. higher security that nobody uses) all the time in regard to passwords. I have one client that has auditors that insist on locking accounts after 3 failures. This same client locks about 30-40 accounts a day due to password failure. By making things too tight, they've completely lost the Intrusion Detection benefit of password lockouts.

I'd agree with you...if it's too complicated for the target audience (sales people and other non-techies), then you've got to make things simpler and perhaps come up with a way to watch it better. Maybe a process that e-mails the thumbprint logs (hopefully such a thing exists) off the box in the background every day.

It's certainly valuable to know how secure something really is as opposed to what the sales people would like you to believe or may even think themselves. Then you need to determine how likely any of that is to happen and how big a deal it is if it does. Do your guys sell fortune cookie sayings or plans for the Tomahawk Cruise Missile?

This relates quite a bit to the recent thread about pen-testing's value. It's very good to know what effort is required to circumvent a security mechanism and also what detection mechanisms are in place. In the case of the USB Thumbprint authentication....detection probably isn't gonna happen...it's on some sales guy's laptop and if he loses it, he's not gonna tell anybody for a while thinking he might find it and never get caught.
-----Original Message-----
From: m e [mailto:mje () list intersec com]
Sent: Tuesday, January 27, 2004 8:58 AM
To: pen-test () securityfocus com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication
In-Reply-To: <AE503E4425AA90459FDD5066BCE87E9901DD8B84 () smskpexmbx1 mskcc root.mskcc.org>
When we investigated fingerprinting products, two colleagues cracked the system by using a paper photocopy of a finger. They placed it on the fingerprinting pad and pressed it with another finger to provide the heat that the pad needs to detect. I was incredulous of their account, but after reading the Putte source below, this sounds credible.

Very cool. This I'll try and let you know. Please devil's advocate the following argument. We are not trying to build a cruise missile to kill a fly. We want 50% security control that 100% of the people use, not 100% security control that 50% of the people use. I can't see a threat scenario where wife copies sales guy's thumbprint on gummy bear while sales guy is sleeping to get a peek at his USB drive. Yes it may happen once a year, but chances are they will lose USB device first. Real vulnerability is sales guy loses USB drive, and Joe Six-Pack picks it up and brings it home to his kid. Or leaves USB drive at customer site and customer gets curious and tries to look at it. So what are the vulnerabilities in this scenario?
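Jerry's point about the 3-failure lockout policy is that 30-40 self-inflicted lockouts a day bury the signal a lockout was supposed to carry. One way to get the intrusion-detection value back without loosening the threshold is to triage the lockout log for the pattern an attacker produces and the pattern a fat-fingered user produces. The script below is an added example written for this archive page, not code from the thread or from any product; the log lines are constructed, and the line layout (timestamp, event, account=, source=) is an assumed format, not any particular system's event schema.

```python
"""Triage account-lockout events so lockouts keep their intrusion-detection value.

Added example, not from the original thread. The log format (timestamp, the word
LOCKOUT, account=..., source=...) is an assumption made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one day of lockouts. Most are single users locking
# themselves out from their own workstation (the daily noise the thread
# describes). The 13:30 cluster is what a password-spraying attacker looks
# like: many distinct accounts locked from one source within a few minutes.
SAMPLE_LOG = """\
2004-01-27T08:02:11 LOCKOUT account=jsmith source=WS-JSMITH
2004-01-27T08:15:40 LOCKOUT account=mjones source=WS-MJONES
2004-01-27T09:01:05 LOCKOUT account=jsmith source=WS-JSMITH
2004-01-27T10:22:19 LOCKOUT account=rlee source=WS-RLEE
2004-01-27T13:30:00 LOCKOUT account=akhan source=VPN-GW1
2004-01-27T13:30:12 LOCKOUT account=bortiz source=VPN-GW1
2004-01-27T13:30:25 LOCKOUT account=cwu source=VPN-GW1
2004-01-27T13:30:41 LOCKOUT account=dpatel source=VPN-GW1
2004-01-27T13:31:03 LOCKOUT account=efox source=VPN-GW1
2004-01-27T16:45:52 LOCKOUT account=mjones source=WS-MJONES
"""


def parse(log_text):
    """Parse the assumed log format into dicts; skip anything that is not a LOCKOUT line."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOCKOUT":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": datetime.fromisoformat(parts[0]),
                       "account": fields["account"],
                       "source": fields["source"]})
    return events


def spray_clusters(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag any source that locks out >= min_accounts distinct accounts inside `window`.

    A user mistyping their own password locks one account; a spray from one
    host locks many. Returns one alert per offending source.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            accounts = {ev["account"] for ev in evs[i:]
                        if ev["ts"] - start["ts"] <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"source": source, "start": start["ts"],
                               "accounts": sorted(accounts)})
                break  # one alert per source is enough for triage
    return alerts


def repeat_self_lockouts(events, min_count=2):
    """Accounts locked repeatedly, always from the same single source.

    These are the help-desk/training cases, not intrusions; reporting them
    separately keeps them out of the alert queue. Returns {account: count}.
    """
    sources = defaultdict(list)
    for e in events:
        sources[e["account"]].append(e["source"])
    return {acct: len(s) for acct, s in sources.items()
            if len(s) >= min_count and len(set(s)) == 1}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(f"{len(evts)} lockouts today")
    for a in spray_clusters(evts):
        print(f"ALERT spray from {a['source']} at {a['start']}: {a['accounts']}")
    print("repeat self-lockouts (help desk, not IDS):", repeat_self_lockouts(evts))
```

The thresholds (five-minute window, four accounts) are starting points to tune against a site's own baseline; the point of the split is that the noisy self-lockouts go to a daily report while the spray pattern still pages someone.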
Current thread:
- Re: Hacking USB Thumbdrives, Thumprint authentication, (continued)
- Re: Hacking USB Thumbdrives, Thumprint authentication Craig Pringle (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Job de Haas (Jan 26)
- RE: Hacking USB Thumbdrives, Thumprint authentication John Deatherage (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Walter Williams (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Rob Shein (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Deras, Angel R./Information Systems (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Volker Tanger (Jan 27)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Rob Shein (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Jerry Shenk (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Atul Porwal (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Herbold, John W. (Jan 27)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 28)
- Re: Hacking USB Thumbdrives, Thumprint authentication Meritt James (Jan 29)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 28)