Re: Security procedure question

["Mario A. Spinthiras" <mario () netway com cy>]

Saqib Ali wrote:
> There is a misconception that bio-metric somehow increases the
> security of the mobile device. IT DOES NOT!
>
> All it is does is make the logon process easier and simpler. The
> bio-metric logon process can, in most cases, be circumvented by
> escaping out of the logon sequence, and logging in using the regular
> username and password. However if the user set a really complex
> password, a dictionary attack would be impossible, while a brute-force
> attack would take a very very long time. The user can use a really
> complex password like '3mb55y53curity', without actually having to
> type in this password upon each logon. So indirectly biometrics
> improves the security of the mobile devices when used in conjunction
> with a complex strong password.
>
> See:
> http://www.full-disc-encryption.com/biometrics_and_encryption.htm#mozTocId415582 
>
>
> for more info on biometric readers that come with Dell and HP laptops.
>
> As for the issue with the  "residual skin oils left on the device
> surface", swipe-through biometric  scanners are designed to address
> those issues. With swipe through scanner the attacks with shining
> light and breathing on the scanner are not possible.
>
> On 9/21/06, Henry Troup <HenryT () watchfire com> wrote:
> > Mario A. Spinthiras describes a three-factor authentication system:
> >
> > > - What you know
> > > - What you have
> > > - Who you are
> >
> > which is excellent, but there are a couple of caveats.
> >
> > To maintain the independence of the factors requires end-user best
> > practices, specifically not keeping the USB device conveniently at hand
> > in the laptop bag.  This requires training and a continual awareness
> > campaign.
> >
> > In the case where the USB fingerprint reader is stolen with the laptop,
> > there is some degradation of security, possibly a lot:
> >
> > I haven't found an authoritative update to show that today's fingerprint
> > readers are any more secure than the ones that Tsutomu Matsumoto spoofed
> > in 2002 - details at http://cryptome.org/gummy.htm and
> > http://cryptome.org/fake-prints.htm
> >
> > At that time, some fingerprint readers could be spoofed as easily as
> > breathing on them, or with a flashlight at just the correct angle.  Both
> > of these techniques leverage the residual skin oils left on the device
> > surface.
> >
> > So, a careless user could take it down to single-factor authentication.
> > To manage this, you need to use the principle of "make the right thing
> > an easy thing"; somehow make it in the user's interest to keep the parts
> > separated.  (As an aside, remember that male and female users may have
> > significantly different preferred styles of device; in general males
> > have pockets, females may have no pockets and prefer a purse.)
> > Strangely enough, that would push in the direction of Bluetooth over
> > USB; even though normally we feel that wireless devices don't add
> > security.  BMW has gone this route with some recent automobiles,
> > preferring a proximity card over a physical key.
> >
> > Also, you need to ensure that authorized service people can work on the
> > laptop without compromise of the confidential information; that is, you
> > still need user-level encryption inside the boot-level protection.
> >
> >
> > Henry Troup
> > Watchfire Corporation
> > Suite 300, 1 Hines Rd.
> > Kanata, ON K2K 3C7 Canada
> > 613-599-3888 x4048
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > This list is sponsored by: Norwich University
> >
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The NSA has designated Norwich University a center of Academic 
> > Excellence
> > in Information Security. Our program offers unparalleled Infosec 
> > management
> > education and the case study affords you unmatched consulting 
> > experience.
> > Using interactive e-Learning technology, you can earn this esteemed 
> > degree,
> > without disrupting your career or home life.
> >
> > http://www.msia.norwich.edu/secfocus
> > --------------------------------------------------------------------------- 
I would like to begin with stating that an opinion and a misconception 
have two different meanings. Even if a group of people believe in a 
certain opinion , the majority does not make it A FACT or even a 
MISCONCEPTION!

Biometric authentication is can be fooled yes. but it is all based on 
HOW you set it up. This is why i said to boot from the USB STICK and not 
the actual computer. This eliminates a method of brute forcing the 
kernel. If you were to boot from your computer , and enter in a usb 
stick crafter for bruteforcing , then eventually it would give you 
"something" to go step-by-step to proceed with authenticating. But in 
this case you should have looked at the facts before tagging my 
contribution as "misconception".

Facts:

1. You dont boot from the computer originally for authentication. You 
boot from the usb stick.
2. The key can be 256bit if you like , it can be stored on the usb stick 
, not the computer. It simply has to match the required key by the computer.
3. I didnt mention biometric authentication for making things "easier" 
or "simpler" - rather than an addition to security.
4. A password is required anyway.


In conclusion I would like people to research more on technologies 
before posting since there are methods that have been in implementation 
for quite a while now. Even the computer Im talking to has the above 
implemented and has had quite a few try to break it. that gives birth to 
another so called "majority" that definately believes the opposing 
opinion to the misconcepted reply earlier in this post.

Good luck on this,
Mario A. Spinthiras
Netway Ltd
Nicosia , Cyprus


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------