Steve Layman wrote:
> To something more topical... many years ago I played around with a
> voice recognition S/W tool but never really understood how it worked
> internally. I had issues with reliability and it was cumbersome to use
> so I just uninstalled it and never played with it since. Does anyone
> know how effective Magic Lantern (or any key-logging trojan) would be
> against a voice recognition key stroke generator tool instead of
> physically touching the keys to create and send emails and does this
> possibility even exist with any email tools out there?

Such an attack is very effective, and even worse than you imagine.
Biometric authentication doesn't just record the utterance (or
fingerprint scan, or retina scan, or whatever) and store it; it records
a "characteristic" hash of a scan. This is because each scan has lots of
noise in it, so you can't just compare two scans and call it good the
way you would with a password. So an attacker who infects your PC with a
virus can not only steal your characteristic hash, they can modify it
and replace it such that some other pattern of their choice will also be
accepted.

Biometrics are being loudly touted across the country lately as the
greatest thing since sliced bread, and IMHO they are utter crap. Dr.
Crispie's recommended recipes for proper authentication:

  * Never use plain old passwords sent in the clear. Common examples
    include:
      * telnet
      * non-SSL web forms
      * e-mail access via POP or IMAP
      * Why: these methods can be broken through both Magic Lantern
        and Carnivore (sniffing) methods, and very often are broken
        and used by attackers.
  * For casual authentication, i.e. most of your uses that don't
    involve highly sensitive access, plain old passwords sent through
    crypto tunnels are ok. Common examples include:
      * SSH (used in place of telnet)
      * SSL-crypted web forms
      * e-mail access via POP or IMAP tunneled through crypto such
        as SSH or SSL (stunnel)
      * Why: these methods cannot be broken through casual sniffing
        (Carnivore & the like). But they can be broken through
        shoulder surfing, or if the user carelessly enters their
        password in the clear somewhere, allowing the attacker to
        obtain the password, and then break in via the otherwise
        perfectly good crypto tunnel.
      * Personally, I do all of my remote access through SSH
        tunnels. My personal password is NEVER transmitted in the clear.
  * For serious authentication, i.e. it REALLY matters that this
    access not be broken, use 2-factor tokens SecureID
    http://www.icon-sys.com/preise/rsa/rsa-token.html
      * Why: these are crypto devices that fit in your wallet.
        "2-factor" means that the user must first authenticate to
        the card by typing in a PIN or password, and then the card
        is used in a crypto challenge-response exchange with the
        remote server to be accessed. This resists shoulder surfing,
        sniffing, and Magic Lantern virii.
      * Caveat: this keeps the virus from sniffing the crypto
        authentication key, but it does NOT prevent the virus from
        keylogging all the activities you do after you authenticate.
  * For very serious authentication (nuclear weapons, billions of $,
    etc.) use 2-party authentication, where two separate humans have
    to use 2-factor authentication as above to authorize an operation.
      * Why: because kidnapping a user (or their daughter, whatever)
        works to get people to authenticate anything you want.
        Kidnapping 2 people is much harder.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
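
The challenge-response exchange described in the 2-factor item above, as an added example that is not part of the original post. It is a generic HMAC challenge-response, not the SecurID algorithm; the `Token` and `Server` classes, the key and the PIN are hypothetical and constructed for illustration, and the PIN is assumed to be entered on the token itself.

```python
import hashlib
import hmac
import secrets


class Token:
    """Hypothetical wallet token: factor 1 is the PIN, factor 2 is the key inside the device."""
    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: bytes) -> bytes:
        # The PIN is checked on the token; neither PIN nor key is sent to the server.
        supplied = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(supplied, self._pin_hash):
            raise PermissionError("wrong PIN")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical server sharing the token's key; every challenge is single-use."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge: replay rejected
        self._pending.remove(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared secret
    token, server = Token(key, "4821"), Server(key)  # constructed PIN
    c1 = server.new_challenge()
    r1 = token.respond("4821", c1)  # (c1, r1) is all a sniffer on the wire sees
    return {"legit": server.verify(c1, r1),
            "replay_same_challenge": server.verify(c1, r1),
            "replay_fresh_challenge": server.verify(server.new_challenge(), r1)}


if __name__ == "__main__":
    print(demo())
```

A captured pair fails on both replay paths because the response is bound to one single-use challenge. Nothing here protects the session after login, which is the caveat the post raises.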
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:51 PDT