Penetration Testing mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: sil <jesus () resurrected us>
Date: Tue, 27 Jan 2004 13:44:00 -0500 (EST)
On Tue, 27 Jan 2004, Rob Shein wrote:
> Vulnerability #1 in this scenario? The thumbprint is still on the drive from when he last touched it. Dust the print off, scan it, print it and continue from there. Some of the fingerprint readers can be triggered just by cupping your hands around them and breathing on them, causing the print to fog (and be read).
It would be fair to add that the majority of biometric systems available have software to tweak the thresholds. Sure, some readers can be triggered as so, but the majority of readers have the ability to correct this measure. Typically I would fault the administrator/operator if someone were able to circumvent a biometric system under said circumstances.

There is also the 'television-based' notion that one could recreate a fingerprint via rubber-cement or something similar in nature (didn't bother finding the source, but one can google away on their own). Here's my take on the biometrics hooplah...

Even though a company may choose to use fingerprint scanners, punchcards, retinal scanners, etc., sometimes corporations forget to switch it up sometimes. E.g., with the example of door systems using the ever so popular keycodes (1-9), how many times does a corporation change these numbers, for one? Back in the early 90's I worked at (then called) Chemical Bank and we had ID based entry systems, and I don't know how many times I forgot my card and used a friend's. Same goes with number based systems. "Hey I forgot my number what's your number again..."

Sure it can become cumbersome in a large environment to go around changing access codes, etc., and most administrators, and the staff that 'supervise', tend to get forgetful, lazy, at times. I will always think in my mind that conferences should be held quarterly for employees (mandatory) where basic security is explained to them so the user 1) understands the need for it, 2) keeps it in mind and perhaps even uses this information in their personal lives (would eliminate massive amounts of ID theft perhaps..)

// EOF

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Quis custodiet ipsos custodes? - Juvenal

J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net