Dailydave mailing list archives

Biometrics at infragard *the only thing missing is u!*


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 20 Jan 2005 15:10:25 -0500

Infragard NYC Jan 18, 2005 Meeting Summary

The Infragard meetings are free and open to the public. They come with a free lunch. The lunch is usually of better quality than most purchased lunches. The meetings are a lot of sales-people in a large room listening to presentations from other sales people. Typically it's more Sales Engineers than sales people, and the presentations are quite interesting. You'll meet the occasional district attorney, FBI agent, or NYPD Cyber Crimes person.

This meeting was on biometrics. I went to see how the industry was doing and what the new flashy presentations were going to say. Huge Surprise: They said glowing things about the industry!

The first presentation was on Iris biometrics, and had an interesting story that the Iris biometrics person next to me had never heard, which is that Iris biometrics can sometimes "detect" pregnancy, due to a change in the chemistry of a pregnant woman's eye. Locking her out also informs everyone that she's pregnant, which raises all sorts of HR issues.

Identix noted that 80% of their sales were to law enforcement. I read this as saying that private industry has not bought into biometrics.

There was a funny story about someone going to Egypt and talking to them about fingerprint databases. It turns out a lot of the law enforcement fingerprint databases are mostly the same people. The Egyptians laughed at this, since they pretty much kill everyone who gets arrested more than three times. (I'm paraphrasing here).

One of the issues with biometrics is the storage problem. If you have a huge database, it becomes a big target. So instead people are storing the biometrics data on smartcards. Smartcards are never as impenetrable as they think they are, and I imagine the smarter of the designers are hashing this data and storing that hash in a database.

One new biometric that I'd never heard of was "skin recognition". This seemed completely counterintuitive to me. They claimed it required no special cameras. I could see it if it was a measurement of the blood vessels under the skin by way of infrared camera, but it turns out to be "texture" recognition. I don't buy that at all. Lots of the population wears make-up. Lots of the population has rapidly changing skin conditions. And the rest of us just recycle the entire surface of our skin every couple of weeks or whatever. A lot of it seemed a way for Facial Recognition vendors, hurting from poor acceptance rates, to buffer their technology with another technology using the same equipment.

One neat statistic was that facial recognition needs 120 pixels between the eyes.

A lot of people seemed to be worried about people recreating fingerprints from stored biometrics values. They claim that you can't do it. Lots of the time you don't need to do it, because to transfer your biometrics between vendors, or give them to the feds, you need to store an image of the fingerprint anyways. I personally think you could do a decent job of recreating a fingerprint from the stored biometric values as well. (I think they store a FFT of the fingerprint with the high order noise cut off). Be neat to find out if you could.

There was a lot of "Since 9/11 everything has changed" wishful thinking. Other vendors sadly noticed that there was a LOT of user resistance to biometrics. The USG is apparently worried about a hit to commerce from more stringent fingerprint systems. I know it always annoys everyone I've ever met.

IBM had a presentation that started off with a scare story about 80% of all PCs being infected with spyware. He quoted Dr. Osmond from Microsoft as saying that most hackers are now professional thieves and nation states.

He says that "mass customization" means you are now forced to care about your vendors' and customers' data security.

Someone mentioned the problem of revoking a biometric, and the IBM guy did say there was an option to do so by running biometrics through different kinds of filters. Not sure I can figure out what he really meant by that though.

He quoted John Boyd with a "the hackers are turning within our decision cycle".

Claims that business identity theft is a growing problem.

People are getting worried about biometrics storage being outsourced to China.

And lots of other stuff I didn't write down. :>

One thing I noticed is a lack of "adversarial testing". This is pronounced in a lot of industries, including ours, but you rarely see public reports on how poorly face recognition works at a baseball game where people are free to paint their face. Even the highly vaunted fingerprint recognition teams are still reeling from the "gummy bear" attack where a Japanese scientist bypassed a fingerprint biometric with a piece of 10 dollar gelatin.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
