Security Basics mailing list archives
Re: Security procedure question
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Thu, 21 Sep 2006 14:19:59 -0700
There is a misconception that bio-metric somehow increases the security of the mobile device. IT DOES NOT! All it is does is make the logon process easier and simpler. The bio-metric logon process can, in most cases, be circumvented by escaping out of the logon sequence, and logging in using the regular username and password. However if the user set a really complex password, a dictionary attack would be impossible, while a brute-force attack would take a very very long time. The user can use a really complex password like '3mb55y53curity', without actually having to type in this password upon each logon. So indirectly biometrics improves the security of the mobile devices when used in conjunction with a complex strong password. See: http://www.full-disc-encryption.com/biometrics_and_encryption.htm#mozTocId415582 for more info on biometric readers that come with Dell and HP laptops. As for the issue with the "residual skin oils left on the device surface", swipe-through biometric scanners are designed to address those issues. With swipe through scanner the attacks with shining light and breathing on the scanner are not possible. On 9/21/06, Henry Troup <HenryT () watchfire com> wrote:
Mario A. Spinthiras describes a three-factor authentication system: > - What you know > - What you have > - Who you are which is excellent, but there are a couple of caveats. To maintain the independence of the factors requires end-user best practices, specifically not keeping the USB device conveniently at hand in the laptop bag. This requires training and a continual awareness campaign. In the case where the USB fingerprint reader is stolen with the laptop, there is some degradation of security, possibly a lot: I haven't found an authoritative update to show that today's fingerprint readers are any more secure than the ones that Tsutomu Matsumoto spoofed in 2002 - details at http://cryptome.org/gummy.htm and http://cryptome.org/fake-prints.htm At that time, some fingerprint readers could be spoofed as easily as breathing on them, or with a flashlight at just the correct angle. Both of these techniques leverage the residual skin oils left on the device surface. So, a careless user could take it down to single-factor authentication. To manage this, you need to use the principle of "make the right thing an easy thing"; somehow make it in the user's interest to keep the parts separated. (As an aside, remember that male and female users may have significantly different preferred styles of device; in general males have pockets, females may have no pockets and prefer a purse.) Strangely enough, that would push in the direction of Bluetooth over USB; even though normally we feel that wireless devices don't add security. BMW has gone this route with some recent automobiles, preferring a proximity card over a physical key. Also, you need to ensure that authorized service people can work on the laptop without compromise of the confidential information; that is, you still need user-level encryption inside the boot-level protection. Henry Troup Watchfire Corporation Suite 300, 1 Hines Rd. Kanata, ON K2K 3C7 Canada 613-599-3888 x4048 --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
-- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 ----------- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Security procedure question Brown, Sam (Sep 20)
- Re: Security procedure question Mario A. Spinthiras (Sep 21)
- RE: Security procedure question Henry Troup (Sep 21)
- Re: Security procedure question Saqib Ali (Sep 22)
- Re: Security procedure question Mario A. Spinthiras (Sep 25)
- Re: Security procedure question Saqib Ali (Sep 25)
- RE: Security procedure question Henry Troup (Sep 21)
- Re: Security procedure question Mario A. Spinthiras (Sep 21)
- Re: Security procedure question MandommGmail (Sep 25)
- Re: Security procedure question Mario A. Spinthiras (Sep 25)
- RE: Security procedure question Ken Kousky (Sep 26)
- Re: Security procedure question Daniel DeLeo (Sep 27)
- Re: Security procedure question Saqib Ali (Sep 27)
- Re: Security procedure question Mario A. Spinthiras (Sep 27)