[ISN] Ultimate Computer Security Devices

From: InfoSec News (isnat_private)
Date: Wed Jun 05 2002 - 01:17:51 PDT

  • Next message: InfoSec News: "[ISN] U.S. prosecutors sent subpoena to MSNBC reporter in hacking investigation"

    By Jay Lyman
    NewsFactor Network 
    June 4, 2002 
    Biometrics have long been the basis of the ultimate security
    technologies in science fiction -- but can these safeguards, which
    rely on fingerprints, eyeballs and other personal traits to
    authenticate users, really secure the enterprise?
    Recent reports of simple ways to circumvent biometric security systems
    -- such as the "gummy finger" tactic, which involves a homemade
    gelatin mold on which a fingerprint is imprinted -- have been
    embarrassing for the biometrics industry.
    However, analysts said such breaches will force vendors to improve
    their technology, which often is used to restrict access to companies'
    most valuable data.
    Analysts also stressed the need for layers of security, noting that no
    security measure can be effective on its own. Indeed, biometric
    security vendors typically market their products as part of a mix.
    According to experts, when combined with other security measures,
    biometrics can pave the way for adoption of safeguards that often are
    resisted by corporations.
    Best When Mixed
    Yankee Group senior analyst Anil Phull told NewsFactor that the best
    practice for companies using biometric devices is to deploy them with
    other identification factors, such as passwords, PINs (personal
    identification number) or other security "tokens."
    "Any organization that solely relies on a product vulnerable [to] this
    sort of 'gummy finger' attack will be more at risk if they do not have
    a second [means of security]," Phull said.
    However, Phull noted, most vendors sell their biometric security
    products as part of an overall solution with appropriate security
    procedures and guidance.
    Feel and Sound of Security
    In response to a number of fingerprint-spoofing tactics, including the
    "gummy finger," SecuGen recently released an optical fingerprint
    sensor that includes monitoring to detect the sensor's environment.
    SecuGen CEO Bob Kyle told NewsFactor that the device has not yet been
    defeated, describing his company's technology as a sensor of a sensor.
    New technologies that use face or even voice recognition also are
    being developed or released. For example, Israel-based SentryCom
    claims that its MobilVoice product allows secure access to the Web
    from any computer, PDA (personal digital assistant) or other device
    using voice authentication.
    Thumb Tab
    Biometrics also is increasingly showing up in the consumer arena. Once
    signed up with such a system, consumers can purchase goods and
    services with the flash of a fingerprint.
    While such systems are in use for customers at a number of national
    store chains, retailers and other businesses, some of these systems
    reportedly can be breached quite easily -- for example, by breathing
    on a sensor to pick up a latent print or by molding a fake finger to
    place on the sensor.
    Enrollment Aide
    Phull noted that countermeasures that thwart biometrics will continue
    to proliferate, but he said many biometric-based security tools can
    serve as easy ways to enroll workers in a larger security system.
    Despite their weaknesses, Phull added, biometric systems will remain
    widespread, with enterprises using these often-expensive security
    technologies for the most sensitive access and information.
    "The gummy finger is pretty embarrassing, but on the good side, it
    gets everybody to improve their technology and raise the bar," Phull
    SecuGen CEO Kyle told NewsFactor that his company's technology, which
    is used by governments, financial institutions, airports and
    pharmaceutical companies, is a flexible, convenient and accurate type
    of security.
    "It's important in a higher level of security to combine different
    security measures," Kyle said. "The higher the security level, the
    more you want to add to the mix."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 04:02:20 PDT