Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Crispin Cowan (crispin@private)
Date: Tue Sep 03 2002 - 15:08:17 PDT


    Andrew Plato wrote:
    
    >I'll have a cool BIOMETRIC mouse on display and if our wireless router is working I can demo its use on the Internet. 
    >
    At the risk of further aggravating Andrew ... IMHO, biometric 
    authentication for computer systems is bogus snake oil. It's a theorem 
    that your fingerprints are all over your desk (coffee cups, soda cans, 
    pens, even the big greasy fingerprints on the screen :) so it is 
    actually much *easier* for a bad guy to snarf your fingerprint than your 
    password. See here for how easy it is to spoof a fingerprint scanner 
    http://www.counterpane.com/crypto-gram-0205.html#5
    
    Biometrics' other huge vulnerability is sniffing: a biometric scan is an 
    identifier, not an authenticator. If you send it in clear text, it can 
    be sniffed and spoofed. To prevent that, you would have to put a full 
    crypto engine in the biometric scanning device. This is possible, but 
    few do it. Once you go to the trouble, then the primary value of the 
    device is the crypto authentication storage, and the biometric part 
    becomes pretty redundant.
    
    Summary:
    
        * For cheap & cost-effective: use a strong password policy enforcer,
          and ensure that passwords are not sent in the clear (i.e. use SSL
          or SSH everywhere, especially for e-mail).
        * For high security, strong authentication for computer systems is
          2-factor tokens: a smart card with a PIN keyboard on it, so that
          to break in you have to both steal the smart card and know the
          user's PIN code.  Here's some resources on 2-factor tokens
              o http://www.itsecurity.com/asktecs/may901.htm
              o http://www.rsasecurity.com/products/securid/securid_softwaretoken_for_windows.html
        * Biometrics are ok for securing physical access (big steel door
          locks) but basically useless for computers. This is because the
          reference repository for the door can be right behind the door,
          and thus not subject to sniffing, and the door can be subject to
          physical security (video cameras, armed guard) and other forms of
          2-factor authentication (need a metal key to go with that finger
          print). None of this is true for computer authentication.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
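The sniffing point above, as an added simulation that is not part of Crispin's post: a scanner that puts the raw template on the wire accepts a replayed capture of that template, while a scanner holding a provisioned device key and answering a fresh server nonce with a keyed MAC (an assumed design, not any specific product) rejects the same capture on the next login. The template bytes and key are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the bytes a scanner emits for one finger.
# A template is an identifier: the same finger yields the same bytes every time.
TEMPLATE = hashlib.sha256(b"constructed fingerprint template").digest()


def plaintext_verify(enrolled: bytes, wire_bytes: bytes) -> bool:
    """Server side of a scanner that sends the template in the clear. It can only
    compare bytes, so a sniffed copy is indistinguishable from a live scan."""
    return hmac.compare_digest(enrolled, wire_bytes)


class KeyedScanner:
    """Scanner with a crypto engine: a per-device secret key provisioned at
    enrolment (assumed design). The key, not the finger, is what gets verified."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        # Bind this scan to the server's nonce; the MAC is useless for any other nonce.
        return hmac.new(self.key, nonce + TEMPLATE, hashlib.sha256).digest()


class Server:
    def __init__(self, device_key: bytes, enrolled: bytes):
        self.device_key, self.enrolled = device_key, enrolled

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh per login attempt

    def verify(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.device_key, nonce + self.enrolled, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def plaintext_replay() -> bool:
    """Eavesdropper captured the template once and replays it later: accepted."""
    captured = TEMPLATE  # exactly what was seen on the wire
    return plaintext_verify(TEMPLATE, captured)


def keyed_replay() -> tuple:
    """Returns (live scan accepted, replayed response accepted)."""
    key = os.urandom(32)
    scanner, server = KeyedScanner(key), Server(key, TEMPLATE)
    n1 = server.challenge()
    r1 = scanner.respond(n1)  # captured by the same eavesdropper
    live = server.verify(n1, r1)
    n2 = server.challenge()  # next login: different nonce, old MAC no longer matches
    return live, server.verify(n2, r1)
```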
    


