Biometrics and You
By: Don Parker
Most of us will remember watching television shows or movies not that long ago that featured a pretty neat technology: people having their identity verified via a facial scan. That looked very high tech, and also like it belonged in science fiction books. Well, what was very novel a few years ago is now very much in the realm of the possible, and one could argue commonplace. There is far more to biometrics than a facial scan, though. Other biometrics exist, such as the now more common thumbprint scanner on some laptops. These two methods of biometric identification are not the only ones either. You may also have seen or heard of retina scans, iris scans, and voice recognition, amongst others. What do all of these methods have in common? Each method generates a unique identifier based on the biometric used. Everyone's voice, retina, iris and thumbprint is unique, and can therefore be used as an identifier. For some high security installations a combination of biometric methods is used to identify individuals seeking access to restricted areas.

This article was first published on our affiliate's site Windows' Security.

Why or how did biometrics come into existence? This technology, in all of its various implementations, was born out of a need for a highly secure means of identifying someone. Whether it be the military, government organizations, banks, or others, there exists a very real need to be 100% sure that a person is who they say they are. This is especially true amidst the increase in targeted computer attacks against individuals, which can result in key-loggers being installed on a person's computer. Quite often it is easiest to target the company or government worker at their home computer rather than the hardened corporate/government network. While the attacker may then have the person's username and password, they will not have their thumbprint or other biometric failsafe.
This is already being seen in what are now called "three factor authentication" schemes, which improve upon the well known "two factor authentication" methods in use today. Having a third authentication factor that is a biometric is a vast improvement in safeguarding access to sometimes extremely sensitive data. It is not only the military and government that hold very sensitive data, but also private sector organizations such as pharmaceutical companies and banks. The time has indeed come for the advent of biometrics as an additional form of authentication.
How does it affect me?
Well, there are vendors now actively marketing their products with onboard biometric technology. One of those vendors is IBM with its Thinkpad laptop series. For many people and companies, laptop theft is very much a concern. As mentioned earlier, the contents of the laptop can be highly classified data, and you would not want an unknown entity to have access to it. Having a laptop with onboard biometric technology is, or can be to some, a very desirable solution. Just remember that, as with any security solution, you would be best to layer your defences.
The thumbprint reader on laptops and desktops is the most visible biometric security solution in production networks today. Is it a failsafe solution though? Hardly - there have already been concerns over the simplicity of lifting someone's thumbprint off a glass, or a piece of gum for that matter. The funny thing is that if you ask many of the vendors of these biometric solutions, they will tell you that they are not security devices in and of themselves. Think about it: all it really takes is for an attacker to crack open the laptop or desktop and extract the hard drive. With this low tech attack the biometric access control has been neatly side stepped. You really must, as mentioned, use this biometric technology alongside other layered security solutions. Encrypting the entire hard drive comes readily to mind, whether through a power-on or power-off solution.
I thought it was foolproof!
Well, we can see from the above paragraph that biometrics are not the all encompassing security control that some may think they are. In actuality they are quite weak on their own; again, take the example of simply extracting the hard drive rather than authenticating via the thumbprint scanner. Where this technology does help is that it is another hurdle an attacker must bypass or compensate for. Attackers will always go for the low hanging fruit, and typically shun hardened targets. Each layer counts! There are of course other biometrics beyond the thumbprint discussed here. The problem with them is that they are not that portable, or cheap for that matter. There is also no mass market for them yet, and so they remain very much what I would call a maturing technology.
What about identity theft?
The use of biometrics also raises other privacy concerns that are, in my mind, rather well founded. If the use of biometrics really took off, and for some proposed technologies it might, does that mean there will be a database of this digital data? By that I mean, will there be a central repository of thumbprints somewhere, held by some company as a means of authenticating customers? Such a database would be very hard for malicious hackers to resist, and, you could say even worse, for the government. Intelligence and police agencies would be salivating to get their hands on such a vast store of unique identification files. This is especially true in light of anti-terror legislation giving the government what would have been unthinkable powers several years ago. Again, we also have that most pernicious and highly skilled threat of black hat hackers. Such a repository of information may not be of use to them right now, but may very well become so in the near future.
Is it worth it?
With all of the security and identity concerns within the field of biometrics, is it worth bothering with at all? For that you really need to quantify what you consider to be manageable risk. What level of risk are you willing to accept, and are you really exercising due diligence? The answer takes a bit of thinking and common sense. Firstly, you would need to see whether it helps you in practicing due diligence in the effort to secure your data or your customers' data. Secondly, it really is not a bad idea to have if you are working with sensitive data. Any step that you can take to help further safeguard your data is a good one. Remember, not every attacker is a high tech wonder boy. Quite often laptops are simply stolen for their resale value, and one of the first things done is to tear out and throw away the hard drive. It is my opinion that biometrics are definitely here to stay, and are not going away any time soon. You would be well advised to see if they do indeed fit into your corporate or personal security plans. After all, as security professionals, we should objectively evaluate any new technology that crosses our path. I sincerely hope that this article was of interest to you and, as always, welcome your feedback. Till next time!
About Don Parker
Don Parker, GCIA, GCIH, specializes in intrusion detection and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writes for various online and print media on matters of computer security. You can contact Don Parker at dparker@bridonsecurity.com