Re: Hacking USB Thumbdrives, Thumprint authentication

["Rev. Kronovohr" <kronovohr () finalaeon net>]

Thumbprint scanners are only a small part of a larger security strategy.
While being ineffectual in and of themselves, combined with retina
scanning, physical verification, PIN codes, and ID cards, they're fine
for perimeter security, but workstation security should maintain more
than one simple biometric device to assure that the user calling is the
user who's supposed to be there.

Like you said, great for one household system, but if it's not part of a
greater security scheme, it might as well be unpassworded for all
intents and purposes to a determined attacker who can gain physical
access to a system.

On Mon, 2004-01-26 at 10:40, Harlan Carvey wrote:
> There were some articles on SF a bit ago, referring to
> the use of household kitchen items (gummy bears) to
> "fool" the thumbprint biometric devices.  
>
> My own research about 2 yrs ago showed that while the
> thumbprint scanners worked well for local
> authentication, they did nothing to protect a system
> from being contacted remotely.  If a weak admin (or
> any user, for that matter) password is in place, then
> the biometric does no good whatsoever. 
>
> Also, there are ways to cause the biometric device to
> "malfunction", to the point that the user is
> frustrated.  For instance, unseat the connection to
> the back of the machine, or break off a pin, or put a
> smug on the reader...these will cause enough problems
> with the device that the user will grow tired of
> dealing with it.
>
> Remember, the thumbprint biometric scanners are not so
> much for security, but more for convenience...users
> don't often forget their thumbs, whereas they may
> forget a password.
>
> > I'm interested in research regarding hacking USB
> > drives
> > unlocked with a thumbprint
> >
> > http://www.thumbdrive.com/prd_info.htm
> >
> > Or any thumbprint biometric hacking.
> >
> > Client is considering USB drives to offload laptop
> > data 
> > and at first glance seems like a better solution
> > than keeping sensitive data on laptops. Encryption
> > software
> > on laptops requires more password management and
> > software
> > hassles. The above device has no software drivers to
> > install
> > so deployment headaches are minimized with (what
> > seems) like
> > better security (obviously not maximum security) at
> > low
> > deployment cost.
> >
> > I'm guessing one can take the flash chip off the
> > device
> > and plug into regular USB drive. Or rewrite the
> > thumbprint hash.
> > Or hacks to fool the drivers. Or reverse engineer
> > the
> > login program to always return "Yes".
> >
> > Thanks,
> > dreez
> > mje () secev com
-- 
Rev. Kronovohr <kronovohr () finalaeon net> The Brotherhood of the Final Aeon
finger kronovohr () finalaeon net   or
http://www.finalaeon.net/finger.php?user=kronovohr&host=finalaeon.net
fingerprint: 37C4 B78A 770E 9D85 79E3  532F BB29 03FE 0759 CF8B

Attachment: signature.asc
Description: This is a digitally signed message part