From owner-freebsd-security Wed Jun 19 10:08:12 2002
Delivered-To: freebsd-security@freebsd.org
From: graham
To: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Date: Wed, 19 Jun 2002 14:20:30 -0230
Message-Id: <02061914352901.22345@hercules.avint.net>
In-Reply-To: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
References: <20020619164844.42032.qmail@web10103.mail.yahoo.com>

It's a lot easier to fool biometrics than you think. I saw an episode of @discovery on The Discovery Channel's Canadian channel explaining how a mathematician and some grad students could fool all the current commercial biometric systems with common household items available from any supermarket. But I don't fully remember the details of that particular episode.

On Wed, 19 Jun 2002, twig les wrote:
> Dag, you have some very good points regarding biometrics, but one thing that scares me about them that hasn't been mentioned (that I've seen) is that once your fingerprint is stolen it can never be trusted again. Same with a palm print, etc. If someone gets into the company database and nabs these things then replay attacks can follow you for years. Not likely, but possible. When you quit a job that uses a handscanner for data center access, what do they do with your print? I doubt they delete it and write over it 12+ times.
>
> Eric has a good point also though. The point of security (in my view) isn't to stop all attacks. It's to stop almost all of them, while increasing the time and effort it takes the really good attacks to succeed. If you're running a NIDS and/or tripwire type thingies, then increasing the penetration time should allow you to react.
>
> As for the initial problem... I would take the lazy admin way out and upgrade the windoze SSH client to one that uses keys AND passwds (like ssh.com). You can give your users their key on a floppy with a notepad file on how to install this client on their home machine and where to put the key. Then have them chmod 700 C:\Windo...hmmm. Sorry.
>
> This solution kind of sucks, but it's simple and users won't go out of their way to subvert it. With all the other precautions you're taking it should work fine though. Also, maybe enforce 15 minute, passwd-protected screensavers on their boxes with a script they don't know exists.
>
> --- Dag-Erling Smorgrav wrote:
> > "Eric F Crist" writes:
> > > Of course the technology is not perfect. Things such as cuts on your finger and blood-shot eyes can still fool these systems, but password technology has its faults too.
> >
> > These are false negatives, which are annoying but tolerable. I'm more worried about false positives, and from what I can see they're far too easy to provoke.
> >
> > > Biometrics, on the other hand, requires a little more work. If you couple basic username/password token systems, a hardware or address token, such as I-button/smart card and IP address, with either a retinal scanner or palm print, or finger print, or voice recognition, there becomes a greater amount of homework to be done to break into the system.
> >
> > Not when the biometric device is so easy to fool that it becomes practically irrelevant. Then the "passwords & fingerprints" scheme is reduced to just "passwords & warm fuzzy feelings".
> >
> > It has been shown empirically that "state of the art" biometric devices can be fooled by any amateur with a little ingenuity and less than $50 in supplies. Some fingerprint scanners are so bad they can be tricked into scanning and accepting the latent print left on their surface from the previous time they were used. Others will accept an image of a fingerprint lifted from, say, your coffee mug. Yet others are vulnerable to trivial replay attacks. All of them are vulnerable to fake fingers (made of silicone or agar-agar) whose "fingerprint" can be reconstructed from a mold, or from a latent fingerprint (coffee mug again) made three-dimensional with a hobby PCB etching kit. Facial recognition systems have been tricked by photographs (or video clips for those with "live subject" safeguards) of the subject. Iris recognition systems have been tricked with printouts of an image of the subject's iris, with a hole cut in the middle for the attacker to see through.
> >
> > The fact that vendors have reacted by either denying the results or just refusing to discuss them does not increase my faith in the biometrics industry.
> >
> > I will not trust any biometric device until vendors start openly acknowledging and discussing possible attacks, and publishing the methods they use to resist them.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> =====
> -----------------------------------------------------------
> Only fools have all the answers.
> -----------------------------------------------------------
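twig les's suggestion above is to require a key AND a password rather than either one alone. As an added illustration that is not part of the thread (and not the ssh.com client setup he had in mind), here is the server side of that policy for OpenSSH: the first fragment is the common weak setting, where any single successful method is enough, and the second requires a valid key followed by the password. The AuthenticationMethods directive appeared in OpenSSH 6.2, long after this 2002 discussion, so this is the modern equivalent of what he describes, not something available to the original poster.

```conf
# Added example, not from the original thread. Assumes OpenSSH 6.2 or later.

# --- Weak: either a key OR a password on its own opens the account ---
PubkeyAuthentication yes
PasswordAuthentication yes
# No AuthenticationMethods line: the first method that succeeds is sufficient,
# so a stolen password alone is enough to log in.

# --- Corrected: a valid key must be presented first, then the password too ---
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
# Methods in one comma-separated list must ALL succeed, in this order.
# (Space-separated lists would be alternatives; there is only one list here.)
AuthenticationMethods publickey,password
```

After editing, run `sshd -t` to syntax-check the file and `sshd -T` to dump the effective configuration and confirm the AuthenticationMethods line took effect before restarting the daemon; keep an existing session open while you test a fresh login, so a mistake does not lock you out. Note that this only raises the bar for remote logins; it does nothing about the stolen-fingerprint problem twig les raises, which is exactly why a revocable credential (a key file that can be replaced) belongs in the scheme.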