RE: Hacking USB Thumbdrives, Thumprint authentication

From: Herbold, John W. (JWHERBOLD@arkbluecross.com)
Date: Tue Jan 27 2004 - 13:42:38 EST


It also looks like there are different drives, one that is also password
protected to add another layer of security. I have also heard of some
thumbprint check for biofeedback by passing a small current through the
thumb to help stop the finger print problem but I am not sure if they do
this on any of the USB models.

Thanks,

John W. Herbold Jr.
Security Specialist
501-399-3939

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Tuesday, January 27, 2004 8:57 AM
To: 'm e'; pen-test@securityfocus.com
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication

Vulnerability #1 in this scenario? The thumbprint is still on the drive
from when he last touched it. Dust the print off, scan it, print it and
continue from there. Some of the fingerprint readers can be triggered just
by cupping your hands around them and breathing on them, causing the print
to fog (and be read).

> -----Original Message-----
> From: m e [mailto:mje@list.intersec.com]
> Sent: Tuesday, January 27, 2004 8:58 AM
> To: pen-test@securityfocus.com
> Subject: Re: Hacking USB Thumbdrives, Thumprint authentication
>
>
> In-Reply-To:
> <AE503E4425AA90459FDD5066BCE87E9901DD8B84@smskpexmbx1.mskcc.ro
> ot.mskcc.org>
>
> >When we investigated fingerprinting products, two colleagues cracked
> >the system by using a paper photocopy of a finger. They
> placed it on
> >the =66ingerprinting pad and pressed it with another finger
> to provide
> >the heat that the pad needs to detect. I was incredulous of their
> >account, but after reading the Putte source below, this sounds
> >credible.
> >
>
> very cool. this i'll try and let you know.
>
> please devil's advocate the following argument.
>
> We are not trying to build a cruise missle to kill a fly.
> We want 50% security control that 100% of the people use, not
> 100% security control that 50% of the people use.
>
> I can't see a threat scenario where wife copies sales guys
> thumbprint on gummy bear while sales guy is sleeping to get
> a peek at his USB drive. Yes it may happen once a year, but
> chances are they will lose USB device first.
>
> Real vulnerability is sales guy loses USB drive, and Joe
> Six-Pack picks it up and brings it home to his kid. Or leaves
> USB drive at customer site and customer gets curious and
> tries to look at it.
>
> So what are the vulnerabilities in this scenario?
>
>
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------
>
>
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:47 EDT