Re: Security procedure question

["Saqib Ali" <docbook.xml () gmail com>]

Mario,

I apologize. I didn't carefully read your earlier post. I think you
were referring to "Pre-Boot" authentication using a biometric device,
which is usually performed using a bsd-like or linux kernel. Secude
offers one such solution using linux kernel and GRUB boot loader.

Yes this is one of the better authentication solution, and very
secure. Infact I am currently trying to trroubleshoot a computer that
has hardware encryption ASIC for the HDD, and uses a pre-boot
authentication system. But the authentication piece is corrupted and
it is now "impossible" to get into the computer.


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------



On 9/23/06, Mario A. Spinthiras <mario () netway com cy> wrote:
> Saqib Ali wrote:
> > There is a misconception that bio-metric somehow increases the
> > security of the mobile device. IT DOES NOT!
> >
> > All it is does is make the logon process easier and simpler. The
> > bio-metric logon process can, in most cases, be circumvented by
> > escaping out of the logon sequence, and logging in using the regular
> > username and password. However if the user set a really complex
> > password, a dictionary attack would be impossible, while a brute-force
> > attack would take a very very long time. The user can use a really
> > complex password like '3mb55y53curity', without actually having to
> > type in this password upon each logon. So indirectly biometrics
> > improves the security of the mobile devices when used in conjunction
> > with a complex strong password.
> >
> > See:
> > http://www.full-disc-encryption.com/biometrics_and_encryption.htm#mozTocId415582
> >
> >
> > for more info on biometric readers that come with Dell and HP laptops.
> >
> > As for the issue with the  "residual skin oils left on the device
> > surface", swipe-through biometric  scanners are designed to address
> > those issues. With swipe through scanner the attacks with shining
> > light and breathing on the scanner are not possible.
> >
> > On 9/21/06, Henry Troup <HenryT () watchfire com> wrote:
> >> Mario A. Spinthiras describes a three-factor authentication system:
> >>
> >> > - What you know
> >> > - What you have
> >> > - Who you are
> >>
> >> which is excellent, but there are a couple of caveats.
> >>
> >> To maintain the independence of the factors requires end-user best
> >> practices, specifically not keeping the USB device conveniently at hand
> >> in the laptop bag.  This requires training and a continual awareness
> >> campaign.
> >>
> >> In the case where the USB fingerprint reader is stolen with the laptop,
> >> there is some degradation of security, possibly a lot:
> >>
> >> I haven't found an authoritative update to show that today's fingerprint
> >> readers are any more secure than the ones that Tsutomu Matsumoto spoofed
> >> in 2002 - details at http://cryptome.org/gummy.htm and
> >> http://cryptome.org/fake-prints.htm
> >>
> >> At that time, some fingerprint readers could be spoofed as easily as
> >> breathing on them, or with a flashlight at just the correct angle.  Both
> >> of these techniques leverage the residual skin oils left on the device
> >> surface.
> >>
> >> So, a careless user could take it down to single-factor authentication.
> >> To manage this, you need to use the principle of "make the right thing
> >> an easy thing"; somehow make it in the user's interest to keep the parts
> >> separated.  (As an aside, remember that male and female users may have
> >> significantly different preferred styles of device; in general males
> >> have pockets, females may have no pockets and prefer a purse.)
> >> Strangely enough, that would push in the direction of Bluetooth over
> >> USB; even though normally we feel that wireless devices don't add
> >> security.  BMW has gone this route with some recent automobiles,
> >> preferring a proximity card over a physical key.
> >>
> >> Also, you need to ensure that authorized service people can work on the
> >> laptop without compromise of the confidential information; that is, you
> >> still need user-level encryption inside the boot-level protection.
> >>
> >>
> >> Henry Troup
> >> Watchfire Corporation
> >> Suite 300, 1 Hines Rd.
> >> Kanata, ON K2K 3C7 Canada
> >> 613-599-3888 x4048
> >>
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> This list is sponsored by: Norwich University
> >>
> >> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> >> The NSA has designated Norwich University a center of Academic
> >> Excellence
> >> in Information Security. Our program offers unparalleled Infosec
> >> management
> >> education and the case study affords you unmatched consulting
> >> experience.
> >> Using interactive e-Learning technology, you can earn this esteemed
> >> degree,
> >> without disrupting your career or home life.
> >>
> >> http://www.msia.norwich.edu/secfocus
> >> ---------------------------------------------------------------------------
> >>
> >>
> >>
> >
> >
> I would like to begin with stating that an opinion and a misconception
> have two different meanings. Even if a group of people believe in a
> certain opinion , the majority does not make it A FACT or even a
> MISCONCEPTION!
>
> Biometric authentication is can be fooled yes. but it is all based on
> HOW you set it up. This is why i said to boot from the USB STICK and not
> the actual computer. This eliminates a method of brute forcing the
> kernel. If you were to boot from your computer , and enter in a usb
> stick crafter for bruteforcing , then eventually it would give you
> "something" to go step-by-step to proceed with authenticating. But in
> this case you should have looked at the facts before tagging my
> contribution as "misconception".
>
> Facts:
>
> 1. You dont boot from the computer originally for authentication. You
> boot from the usb stick.
> 2. The key can be 256bit if you like , it can be stored on the usb stick
> , not the computer. It simply has to match the required key by the computer.
> 3. I didnt mention biometric authentication for making things "easier"
> or "simpler" - rather than an addition to security.
> 4. A password is required anyway.
>
>
> In conclusion I would like people to research more on technologies
> before posting since there are methods that have been in implementation
> for quite a while now. Even the computer Im talking to has the above
> implemented and has had quite a few try to break it. that gives birth to
> another so called "majority" that definately believes the opposing
> opinion to the misconcepted reply earlier in this post.
>
> Good luck on this,
> Mario A. Spinthiras
> Netway Ltd
> Nicosia , Cyprus


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------