[Fwd: Re: Security procedure question]
- From: "Mario A. Spinthiras" <mario@xxxxxxxxxxxxx>
- Date: Mon, 25 Sep 2006 17:10:00 +0300
--- Begin Message ------------------------------------------------------------------------------Note that I did not suggest that the pre-boot was weak; I suggest that
- From: "Henry Troup" <HenryT@xxxxxxxxxxxxx>
- Date: Mon, 25 Sep 2006 09:52:28 -0400
the human factors side of it needed to be carefully considered.
Pre-boot with full-disk encryption is potentially very strong indeed.
As Saqib Ali says in his later email, it can be "too strong" or at least
pose significant difficulties in recovering legitimate access.
Corporate key escrow is a necessary requirement, and can be hard to
fulfill without the potential for compromise.
Probably the major need is to make sure that corporate information
always has a primary source that's not on a laptop, so that the worst
case is the need to re-clone the laptop and lose some number of unmerged
updates.
Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048
-----Original Message-----
From: Mario A. Spinthiras [mailto:mario@xxxxxxxxxxxxx]
Sent: Saturday, September 23, 2006 04:25
To: Saqib Ali
Cc: Henry Troup; Brown, Sam; security-basics@xxxxxxxxxxxxxxxxx;
lists@xxxxxx
Subject: Re: Security procedure question
Saqib Ali wrote:
There is a misconception that bio-metric somehow increases the
security of the mobile device. IT DOES NOT!
All it is does is make the logon process easier and simpler. The
bio-metric logon process can, in most cases, be circumvented by
escaping out of the logon sequence, and logging in using the regular
username and password. However if the user set a really complex
password, a dictionary attack would be impossible, while a brute-force
attack would take a very very long time. The user can use a reallyauthentication.
complex password like '3mb55y53curity', without actually having to
type in this password upon each logon. So indirectly biometrics
improves the security of the mobile devices when used in conjunction
with a complex strong password.
See:
http://www.full-disc-encryption.com/biometrics_and_encryption.htm#mozT
ocId415582
for more info on biometric readers that come with Dell and HP laptops.
As for the issue with the "residual skin oils left on the device
surface", swipe-through biometric scanners are designed to address
those issues. With swipe through scanner the attacks with shining
light and breathing on the scanner are not possible.
On 9/21/06, Henry Troup <HenryT@xxxxxxxxxxxxx> wrote:
Mario A. Spinthiras describes a three-factor authentication system:
- What you know
- What you have
- Who you are
which is excellent, but there are a couple of caveats.
To maintain the independence of the factors requires end-user best
practices, specifically not keeping the USB device conveniently at
hand in the laptop bag. This requires training and a continual
awareness campaign.
In the case where the USB fingerprint reader is stolen with the
laptop, there is some degradation of security, possibly a lot:
I haven't found an authoritative update to show that today's
fingerprint readers are any more secure than the ones that Tsutomu
Matsumoto spoofed in 2002 - details at http://cryptome.org/gummy.htm
and http://cryptome.org/fake-prints.htm
At that time, some fingerprint readers could be spoofed as easily as
breathing on them, or with a flashlight at just the correct angle.
Both of these techniques leverage the residual skin oils left on the
device surface.
So, a careless user could take it down to single-factor
To manage this, you need to use the principle of "make the right
thing an easy thing"; somehow make it in the user's interest to keep
the parts separated. (As an aside, remember that male and female
users may have significantly different preferred styles of device; in
general males have pockets, females may have no pockets and prefer a
purse.) Strangely enough, that would push in the direction of
Bluetooth over USB; even though normally we feel that wireless
devices don't add security. BMW has gone this route with some recent
protection.automobiles, preferring a proximity card over a physical key.
Also, you need to ensure that authorized service people can work on
the laptop without compromise of the confidential information; that
is, you still need user-level encryption inside the boot-level
I would like to begin with stating that an opinion and a misconception
Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048
---------------------------------------------------------------------
------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA
has designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec
management education and the case study affords you unmatched
consulting experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------
------
have two different meanings. Even if a group of people believe in a
certain opinion , the majority does not make it A FACT or even a
MISCONCEPTION!
Biometric authentication is can be fooled yes. but it is all based on
HOW you set it up. This is why i said to boot from the USB STICK and not
the actual computer. This eliminates a method of brute forcing the
kernel. If you were to boot from your computer , and enter in a usb
stick crafter for bruteforcing , then eventually it would give you
"something" to go step-by-step to proceed with authenticating. But in
this case you should have looked at the facts before tagging my
contribution as "misconception".
Facts:
1. You dont boot from the computer originally for authentication. You
boot from the usb stick.
2. The key can be 256bit if you like , it can be stored on the usb stick
, not the computer. It simply has to match the required key by the
computer.
3. I didnt mention biometric authentication for making things "easier"
or "simpler" - rather than an addition to security.
4. A password is required anyway.
In conclusion I would like people to research more on technologies
before posting since there are methods that have been in implementation
for quite a while now. Even the computer Im talking to has the above
implemented and has had quite a few try to break it. that gives birth to
another so called "majority" that definately believes the opposing
opinion to the misconcepted reply earlier in this post.
Good luck on this,
Mario A. Spinthiras
Netway Ltd
Nicosia , Cyprus
--- End Message ---
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
- Prev by Date: Re: Security procedure question
- Next by Date: RE: Network Resource Mapping Reporting
- Previous by thread: Looking for the softwares to monitor our file server
- Next by thread: Ruxcon 2006
- Index(es):
Relevant Pages
|
