RE: Hacking USB Thumbdrives, Thumprint authentication

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 01/27/04

  • Next message: Robert E. Lee: "RE: How to pick the right company for penetration testing?" 
    To: <pen-test@securityfocus.com>
Date: Tue, 27 Jan 2004 13:30:16 -0500

    This is a valid line of questioning. You're basically doing a threat
    assessment - how big is the vulnerability and how large is the threat.
    Having a security mechanism that 3 people in the world can "easily
    compromise" is only a big deal if you've got some pretty serious stuff
    on those laptops. In that case, having it on the laptop may be the
    biggest mistake.

    I have this argument (lower security that everybody uses vs. higher
    security that nobody uses) all the time in regard to passwords. I have
    one client that has auditors that insist on locking accounts after 3
    failures. This same client locks about 30-40 accounts a day due to
    password failure. By making things too tight, they've completely lost
    the Intrusion Detection benefit of password lockouts. I'd agree with
    you...if it's too complicated for the target audience (sales people and
    other non-techies), then you've got to make things simpler and perhaps
    come up with a way to watch it better. Maybe a process that e-mails the
    thumbprint logs (hopefully such a thing exists) off the box in the
    background every day.

    It's certainly valuable to know how secure something really is as
    opposed to what the sales people would like you to believe or may even
    think themselves. Then you need to determine how likely any of that is
    to happen and how big a deal it is if it does. Do your guys sell
    fortune cookie sayings or plans for the Tomahawk Cruise Missile?

    This relates quite a bit to the recent thread about pen-testing's value.
    It's very good to know what effort is required to circumvent a security
    mechanism and also what detection mechanisms are in place. In the case
    of the USB Thumbprint authentication....detection probably isn't gonna
    happen...it's on some sales guy's laptop and if he looses it, he's not
    gonna tell anybody for awhile thinking he might find it and never get
    caught.

    -----Original Message-----
    From: m e [mailto:mje@list.intersec.com]
    Sent: Tuesday, January 27, 2004 8:58 AM
    To: pen-test@securityfocus.com
    Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

    In-Reply-To:
    <AE503E4425AA90459FDD5066BCE87E9901DD8B84@smskpexmbx1.mskcc.root.mskcc.o
    rg>

    >When we investigated fingerprinting products, two colleagues cracked
    the

    >system by using a paper photocopy of a finger. They placed it on the

    >=66ingerprinting pad and pressed it with another finger to provide the

    >heat that the pad needs to detect. I was incredulous of their account,

    >but after reading the Putte source below, this sounds credible.

    >

    very cool. this i'll try and let you know.

    please devil's advocate the following argument.

    We are not trying to build a cruise missle to kill a fly.

    We want 50% security control that 100% of the people use, not

    100% security control that 50% of the people use.

    I can't see a threat scenario where wife copies sales guys

    thumbprint on gummy bear while sales guy is sleeping to get

    a peek at his USB drive. Yes it may happen once a year, but

    chances are they will lose USB device first.

    Real vulnerability is sales guy loses USB drive, and Joe

    Six-Pack picks it up and brings it home to his kid. Or leaves

    USB drive at customer site and customer gets curious and tries

    to look at it.

    So what are the vulnerabilities in this scenario?

    ------------------------------------------------------------------------ 

    ---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: Robert E. Lee: "RE: How to pick the right company for penetration testing?"

    Relevant Pages

    • MI5 Boss hints kiss goodbye to civil rights...
      ... "THE INTERNATIONAL TERRORIST THREAT AND THE DILEMMAS IN COUNTERING IT" ... I am delighted to be here to celebrate the 60th Birthday of the AIVD. ... The friendship between the AIVD and my Service, the British Security ... fascism then, by the time I met him, on countering terrorism. ...
      (soc.culture.scottish)
    • [Fwd: Re: Security procedure question]
      ... case is the need to re-clone the laptop and lose some number of unmerged ... Subject: Security procedure question ... So indirectly biometrics ... In the case where the USB fingerprint reader is stolen with the ...
      (Security-Basics)
    • Re: Basic Windows Security Question
      ... I see more and more firms that disable USB due to the large security risks ... Subject: Basic Windows Security Question ... Suppose you have a small company of less than 100 employees. ... to prevent the use of thumb drives and other specific devices through ...
      (Security-Basics)
    • Re: Needed Advice - Olap client tool
      ... I got the security working which is BIG plus but I notice something. ... If one sales person logs and get his/her data is great and the total ... Excel was unable to get necessary information about this cube. ...
      (microsoft.public.sqlserver.olap)
    • Re: Needed Advice - Olap client tool
      ... I got the security working which is BIG plus but I notice something. ... If one sales person logs and get his/her data is great and the total ... Excel was unable to get necessary information about this cube. ... the visual totals option. ...
      (microsoft.public.sqlserver.olap)