RE: Hacking USB Thumbdrives, Thumprint authentication

From: Jerry Shenk (jshenk@decommunications.com)
Date: Tue Jan 27 2004 - 13:30:16 EST


This is a valid line of questioning. You're basically doing a threat
assessment - how big is the vulnerability and how large is the threat.
Having a security mechanism that 3 people in the world can "easily
compromise" is only a big deal if you've got some pretty serious stuff
on those laptops. In that case, having it on the laptop may be the
biggest mistake.

I have this argument (lower security that everybody uses vs. higher
security that nobody uses) all the time in regard to passwords. I have
one client that has auditors that insist on locking accounts after 3
failures. This same client locks about 30-40 accounts a day due to
password failure. By making things too tight, they've completely lost
the Intrusion Detection benefit of password lockouts. I'd agree with
you...if it's too complicated for the target audience (sales people and
other non-techies), then you've got to make things simpler and perhaps
come up with a way to watch it better. Maybe a process that e-mails the
thumbprint logs (hopefully such a thing exists) off the box in the
background every day.

It's certainly valuable to know how secure something really is as
opposed to what the sales people would like you to believe or may even
think themselves. Then you need to determine how likely any of that is
to happen and how big a deal it is if it does. Do your guys sell
fortune cookie sayings or plans for the Tomahawk Cruise Missile?

This relates quite a bit to the recent thread about pen-testing's value.
It's very good to know what effort is required to circumvent a security
mechanism and also what detection mechanisms are in place. In the case
of the USB Thumbprint authentication....detection probably isn't gonna
happen...it's on some sales guy's laptop and if he looses it, he's not
gonna tell anybody for awhile thinking he might find it and never get
caught.

-----Original Message-----
From: m e [mailto:mje@list.intersec.com]
Sent: Tuesday, January 27, 2004 8:58 AM
To: pen-test@securityfocus.com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

In-Reply-To:
<AE503E4425AA90459FDD5066BCE87E9901DD8B84@smskpexmbx1.mskcc.root.mskcc.o
rg>

>When we investigated fingerprinting products, two colleagues cracked
the

>system by using a paper photocopy of a finger. They placed it on the

>=66ingerprinting pad and pressed it with another finger to provide the

>heat that the pad needs to detect. I was incredulous of their account,

>but after reading the Putte source below, this sounds credible.

>

very cool. this i'll try and let you know.

please devil's advocate the following argument.

We are not trying to build a cruise missle to kill a fly.

We want 50% security control that 100% of the people use, not

100% security control that 50% of the people use.

I can't see a threat scenario where wife copies sales guys

thumbprint on gummy bear while sales guy is sleeping to get

a peek at his USB drive. Yes it may happen once a year, but

chances are they will lose USB device first.

Real vulnerability is sales guy loses USB drive, and Joe

Six-Pack picks it up and brings it home to his kid. Or leaves

USB drive at customer site and customer gets curious and tries

to look at it.

So what are the vulnerabilities in this scenario?

------------------------------------------------------------------------

---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT