Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Hacking USB Thumbdrives, Thumprint authentication
From: sil <jesus () resurrected us>
Date: Tue, 27 Jan 2004 13:44:00 -0500 (EST)

On Tue, 27 Jan 2004, Rob Shein wrote:

Vulnerability #1 in this scenario?  The thumbprint is still on the drive
from when he last touched it.  Dust the print off, scan it, print it and
continue from there.  Some of the fingerprint readers can be triggered just
by cupping your hands around them and breathing on them, causing the print
to fog (and be read).

It would be fair to add that the majority of biometric systems available
have software to tweak the thresholds. Sure some readers can be triggered
as so, but the majority of readers have the ability to correct this
measure. Typically I would fault the administrator/operator if someone
were able to circumvent a biometric system under said circumstances. There
is also the 'television-based' notion that one could recreate a
fingerprint via rubber-cement or something similar in nature (didn't
bother finding the source, but one can google away on their own), here's
my take on the biometrics hooplah...

Even though a company may choose to use fingerprint scanners, punchcards,
retinal scanners, etc., sometimes corporations forget to switch it up
sometimes. E.g., with the example of door systems using the ever so
popular keycodes (1-9), how many times does a corporation change these
numbers for one. Back in the early 90's I worked at (then called) Chemical
Bank and we had ID based entry systems, and I don't know how many times I
forgot my card and used a friends. Same goes with number based systems.
"Hey I forgot my number what's your number again..."

Sure it can become cumbersome in a large environment to go around changing
access codes, etc., and most administrators, and the staff that
'supervise', tend to get forgetful, lazy, at times. I will always think in
my mind that conferences should be held quarterly for employees
(mandatory) where basic security is explained to them so the user 1)
understands the need for it, 2) keeps it in mind and perhaps even uses
this information in the personal lives (would eliminate massive amounts of
ID theft perhaps..)

// EOF

Quis custodiet ipsos custodes? - Juvenal

J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]