Penetration Testing mailing list archives

Re: Hacking USB Thumbdrives, Thumprint authentication
From: m e <mje () list intersec com>
Date: 28 Jan 2004 00:09:05 -0000

In-Reply-To: <000701c3e503$9d4e41c0$6701010a () JASEVO>

EXACTLY! My claim is that as security people our jobs are
to reduce incidents and costs on significant information
assets. So the deployment plan is to get 100% of the people to use
50% "good" security, and next year get them to use 60% "good"
security, etc.

Most attempts at 100% security wind up in additional costs,
losing end user commitment, software/hardware deployment
nightmares, etc.

That's why we feel that Thumbprint USB tokens are 50% good security
that 100% will use vs laptops with encryption are probably 80% good
security, except only 25% will use it, help desk calls and costs will
skyrocket, etc. In the end incidents and costs will rise with poorly
adopted security measures.


This is a valid line of questioning.  You're basically doing a threat
assessment - how big is the vulnerability and how large is the threat.
Having a security mechanism that 3 people in the world can "easily
compromise" is only a big deal if you've got some pretty serious stuff
on those laptops.  In that case, having it on the laptop may be the
biggest mistake.

I have this argument (lower security that everybody uses vs. higher
security that nobody uses) all the time in regard to passwords.  I have
one client that has auditors that insist on locking accounts after 3
failures.  This same client locks about 30-40 accounts a day due to
password failure.  By making things too tight, they've completely lost
the Intrusion Detection benefit of password lockouts.  I'd agree with
you...if it's too complicated for the target audience (sales people and
other non-techies), then you've got to make things simpler and perhaps
come up with a way to watch it better.  Maybe a process that e-mails the
thumbprint logs (hopefully such a thing exists) off the box in the
background every day.

It's certainly valuable to know how secure something really is as
opposed to what the sales people would like you to believe or may even
think themselves.  Then you need to determine how likely any of that is
to happen and how big a deal it is if it does.  Do your guys sell
fortune cookie sayings or plans for the Tomahawk Cruise Missile?

This relates quite a bit to the recent thread about pen-testing's value.
It's very good to know what effort is required to circumvent a security
mechanism and also what detection mechanisms are in place.  In the case
of the USB Thumbprint authentication....detection probably isn't gonna
happen...it's on some sales guy's laptop and if he loses it, he's not
gonna tell anybody for awhile thinking he might find it and never get

-----Original Message-----
From: m e [mailto:mje () list intersec com] 
Sent: Tuesday, January 27, 2004 8:58 AM
To: pen-test () securityfocus com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

When we investigated fingerprinting products, two colleagues cracked
system by using a paper photocopy of a finger.  They placed it on the
fingerprinting pad and pressed it with another finger to provide the
heat that the pad needs to detect.  I was incredulous of their account,
but after reading the Putte source below, this sounds credible.

very cool. this i'll try and let you know.

please devil's advocate the following argument.

We are not trying to build a cruise missile to kill a fly.
We want 50% security control that 100% of the people use, not
100% security control that 50% of the people use.

I can't see a threat scenario where wife copies sales guy's
thumbprint on gummy bear while sales guy is sleeping to get
a peek at his USB drive. Yes it may happen once a year, but
chances are they will lose USB device first.

Real vulnerability is sales guy loses USB drive, and Joe
Six-Pack picks it up and brings it home to his kid. Or leaves
USB drive at customer site and customer gets curious and tries
to look at it.

So what are the vulnerabilities in this scenario?