From: twig les
Subject: Re: Password security
To: Dag-Erling Smorgrav, Eric F Crist
Cc: 'Michael Sierchio', 'Ryan Thompson', freebsd-security@FreeBSD.ORG
Date: Wed, 19 Jun 2002 09:48:44 -0700 (PDT)
Message-ID: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
List: freebsd-security@freebsd.org

Dag, you have some very good points regarding biometrics, but one thing that scares me about them that hasn't been mentioned (that I've seen) is that once your fingerprint is stolen it can never be trusted again. Same with a palm print, etc. If someone gets into the company database and nabs these things, then replay attacks can follow you for years. Not likely, but possible. When you quit a job that uses a handscanner for data center access, what do they do with your print? I doubt they delete it and write over it 12+ times.

Eric has a good point also, though. The point of security (in my view) isn't to stop all attacks. It's to stop almost all of them, while increasing the time and effort it takes the really good attacks to succeed. If you're running a NIDS and/or tripwire type thingies, then increasing the penetration time should allow you to react.

As for the initial problem... I would take the lazy admin way out and upgrade the windoze SSH client to one that uses keys AND passwds (like ssh.com). You can give your users their key on a floppy with a notepad file on how to install this client on their home machine and where to put the key. Then have them chmod 700 C:\Windo... hmmm. Sorry. This solution kind of sucks, but it's simple and users won't go out of their way to subvert it. With all the other precautions you're taking it should work fine, though. Also, maybe enforce 15 minute, passwd-protected screensavers on their boxes with a script they don't know exists.

--- Dag-Erling Smorgrav wrote:
> "Eric F Crist" writes:
> > Of course the technology is not perfect. Things such as cuts on your
> > finger and blood-shot eyes can still fool these systems, but password
> > technology has its faults too.
>
> These are false negatives, which are annoying but tolerable. I'm more
> worried about false positives, and from what I can see they're far too
> easy to provoke.
>
> > Biometrics, on the other hand, requires a little more work. If you
> > couple basic username/password token systems, a hardware or address
> > token, such as I-button/smart card and IP address, with either a retinal
> > scanner or palm print, or finger print, or voice recognition, there
> > becomes a greater amount of homework to be done to break into the
> > system.
>
> Not when the biometric device is so easy to fool that it becomes
> practically irrelevant. Then the "passwords & fingerprints" scheme is
> reduced to just "passwords & warm fuzzy feelings".
>
> It has been shown empirically that "state of the art" biometric
> devices can be fooled by any amateur with a little ingenuity and less
> than $50 in supplies. Some fingerprint scanners are so bad they can
> be tricked into scanning and accepting the latent print left on their
> surface from the previous time they were used. Others will accept an
> image of a fingerprint lifted from, say, your coffee mug. Yet others
> are vulnerable to trivial replay attacks. All of them are vulnerable
> to fake fingers (made of silicone or agar-agar) whose "fingerprint"
> can be reconstructed from a mold, or from a latent fingerprint (coffee
> mug again) made three-dimensional with a hobby PCB etching kit.
> Facial recognition systems have been tricked by photographs (or video
> clips for those with "live subject" safeguards) of the subject. Iris
> recognition systems have been tricked with printouts of an image of
> the subject's iris, with a hole cut in the middle for the attacker to
> see through.
>
> The fact that vendors have reacted by either denying the results or
> just refusing to discuss them does not increase my faith in the
> biometrics industry.
>
> I will not trust any biometric device until vendors start openly
> acknowledging and discussing possible attacks, and publishing the
> methods they use to resist them.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------
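The "keys AND passwds" arrangement suggested above, expressed on the server side as an added example that is not from the original thread: on a modern OpenSSH sshd (6.2 or later, which postdates this 2002 message) the `AuthenticationMethods` directive makes the daemon demand a valid public key and then the account password before it grants a session, so neither a leaked key file nor a guessed password is enough on its own. The file path and comments are the editor's; nothing here is configuration from the thread.

```text
# /etc/ssh/sshd_config (added example; assumes OpenSSH >= 6.2)

# Both mechanisms must be enabled for the combined policy to work.
PubkeyAuthentication yes
PasswordAuthentication yes

# Require every listed method to succeed, in this order: the client
# must first prove possession of a key in the user's authorized_keys,
# and only then is it prompted for the password.
AuthenticationMethods publickey,password

# Weak setting this replaces: with AuthenticationMethods left unset,
# sshd accepts whichever single method the client manages to pass.
```

Confirm the effective policy with `sshd -T | grep -i authenticationmethods` after reloading; if the output does not list `publickey,password`, the directive is being overridden by a later `Match` block or a drop-in under `Include`. Keep in mind the caveat from the message itself: this raises the cost of an attack, it does not make the host immune, so the detection side (the NIDS and file-integrity checks mentioned above) still matters.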