Re: Hacking USB Thumbdrives, Thumbprint authentication

From: Walter Williams (wbjw_at_mindspring.com)
Date: 01/27/04

  • Next message: Fyodor: "Re: Reverse Engineering"
    Date: Mon, 26 Jan 2004 21:42:04 -0500
    To: m e <mje@list.intersec.com>
    
    

    You will want to verify that the thumbprint is not only hashed, but
    morphed either before or after the hash. This way there is the ability
    to periodically change the recording of the thumbprint such as you would
    change your password, and for many of the same reasons: if the morph
    changes every 30 days, the person who has stolen the hash for cracking
    has some random subset of that in which that hash is good.

    Most commercial grade biometric devices can't do this, and hacking a
    thumb print is rather easy, if you have physical access to the person
    (and therefore the laptop). Requires social engineering skills, that's all.

    Walter

    m e wrote:
    >
    > I'm interested in research regarding hacking USB drives
    > unlocked with a thumbprint
    >
    > http://www.thumbdrive.com/prd_info.htm
    >
    > Or any thumbprint biometric hacking.
    >
    > Client is considering USB drives to offload laptop data
    > and at first glance seems like a better solution
    > than keeping sensitive data on laptops. Encryption software
    > on laptops requires more password management and software
    > hassles. The above device has no software drivers to install
    > so deployment headaches are minimized with (what seems) like
    > better security (obviously not maximum security) at low
    > deployment cost.
    >
    > I'm guessing one can take the flash chip off the device
    > and plug into regular USB drive. Or rewrite the thumbprint hash.
    > Or hacks to fool the drivers. Or reverse engineer the
    > login program to always return "Yes".
    >
    > Thanks,
    > dreez
    > mje@secev.com
    >

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
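
One way to read the "morph" described in the message above, as an added example that is not part of the original thread or any vendor's code: a keyed random projection applied to the fingerprint feature vector before storage, re-keyed per rotation epoch so that a template stolen in one epoch fails in the next. The feature vectors, device key, bit length and threshold are constructed, and feature extraction from a real sensor is assumed to exist elsewhere.

```python
import hashlib
import hmac
import random

N_BITS = 256          # template length in bits (constructed parameter)
MATCH_THRESHOLD = 40  # max Hamming distance accepted as a match (constructed)


def morph_seed(device_key: bytes, epoch: int) -> int:
    """Per-epoch seed; bumping `epoch` (e.g. every 30 days) changes the morph."""
    mac = hmac.new(device_key, b"morph-epoch:%d" % epoch, hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def morph_template(features, device_key: bytes, epoch: int):
    """Project features onto N_BITS keyed pseudorandom directions, keep the signs."""
    rng = random.Random(morph_seed(device_key, epoch))
    return [
        1 if sum(f * rng.gauss(0.0, 1.0) for f in features) >= 0 else 0
        for _ in range(N_BITS)
    ]


def hamming(a, b) -> int:
    return sum(x != y for x, y in zip(a, b))


def verify(sample, stored, device_key: bytes, epoch: int) -> bool:
    """Fuzzy match: a fresh scan never reproduces the enrolled bits exactly."""
    return hamming(morph_template(sample, device_key, epoch), stored) <= MATCH_THRESHOLD


def constructed_scan(seed: int, base=None, sigma: float = 0.05, dim: int = 64):
    """Constructed stand-in for a feature vector; with `base`, a noisy re-scan."""
    r = random.Random(seed)
    if base is None:
        return [r.gauss(0.0, 1.0) for _ in range(dim)]
    return [f + r.gauss(0.0, sigma) for f in base]


if __name__ == "__main__":
    key = b"constructed-device-key"
    finger = constructed_scan(1)
    rescan = constructed_scan(2, base=finger)
    old = morph_template(finger, key, epoch=1)   # enrolled, later stolen
    new = morph_template(finger, key, epoch=2)   # re-enrolled after rotation
    print("rescan vs current template:", verify(rescan, new, key, 2))
    print("stolen epoch-1 template under epoch 2:", verify(rescan, old, key, 2))
    print("old/new templates differ in", hamming(old, new), "bits")
```

Because the stored bits depend on the epoch key as well as the finger, rotation only helps if the device actually re-enrolls and discards the previous epoch's template.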

