Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Security procedure question

from [Saqib Ali] Network Security [Permanent Link]
Subject: Re: Security procedure question
Date: Thu, 21 Sep 2006 14:19:59 -0700 
There is a misconception that bio-metric somehow increases the
security of the mobile device. IT DOES NOT!

All it is does is make the logon process easier and simpler. The
bio-metric logon process can, in most cases, be circumvented by
escaping out of the logon sequence, and logging in using the regular
username and password. However if the user set a really complex
password, a dictionary attack would be impossible, while a brute-force
attack would take a very very long time. The user can use a really
complex password like '3mb55y53curity', without actually having to
type in this password upon each logon. So indirectly biometrics
improves the security of the mobile devices when used in conjunction
with a complex strong password.

See:
http://www.full-disc-encryption.com/biometrics_and_encryption.htm#mozTocId415582

for more info on biometric readers that come with Dell and HP laptops.

As for the issue with the  "residual skin oils left on the device
surface", swipe-through biometric  scanners are designed to address
those issues. With swipe through scanner the attacks with shining
light and breathing on the scanner are not possible.

On 9/21/06, Henry Troup <HenryT@watchfire.com> wrote: 
Mario A. Spinthiras describes a three-factor authentication system:

> - What you know
> - What you have
> - Who you are

which is excellent, but there are a couple of caveats.

To maintain the independence of the factors requires end-user best
practices, specifically not keeping the USB device conveniently at hand
in the laptop bag.  This requires training and a continual awareness
campaign.

In the case where the USB fingerprint reader is stolen with the laptop,
there is some degradation of security, possibly a lot:

I haven't found an authoritative update to show that today's fingerprint
readers are any more secure than the ones that Tsutomu Matsumoto spoofed
in 2002 - details at http://cryptome.org/gummy.htm and
http://cryptome.org/fake-prints.htm

At that time, some fingerprint readers could be spoofed as easily as
breathing on them, or with a flashlight at just the correct angle.  Both
of these techniques leverage the residual skin oils left on the device
surface.

So, a careless user could take it down to single-factor authentication.
To manage this, you need to use the principle of "make the right thing
an easy thing"; somehow make it in the user's interest to keep the parts
separated.  (As an aside, remember that male and female users may have
significantly different preferred styles of device; in general males
have pockets, females may have no pockets and prefer a purse.)
Strangely enough, that would push in the direction of Bluetooth over
USB; even though normally we feel that wireless devices don't add
security.  BMW has gone this route with some recent automobiles,
preferring a proximity card over a physical key.

Also, you need to ensure that authorized service people can work on the
laptop without compromise of the confidential information; that is, you
still need user-level encryption inside the boot-level protection.


Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: PHP Sessions, Hagen, Eric
Next by Date:  RE: Hackers in the House, Don Parker
Previous by Thread:  RE: Security procedure question, Henry Troup
Next by Thread:  Re: Security procedure question, Mario A. Spinthiras
Indexes:  [Date] [Thread] [Top] [All Lists]