Outbreak Magazine Issue #9 - Article 11 of 13
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

######################################################################
############    Biometric Security Basics -by dropcode    ############
######################################################################

Intro.
----------------------------------------------------------------------

Biometrics is the study of physiological traits by which a human being
can be recognized. Examples include voice pattern detection, retina
and iris scanning, fingerprints, palmprints and hand geometry, etc.
There are various companies and organizations dedicated to this area
of study, and as of late quite a few biometric security devices have
been developed for laptop and desktop PCs.

In this article I will cover some of the basic vulnerabilities present
in various biometric security products.

Abstract.
----------------------------------------------------------------------

Ever forget a password or private PIN number? Lose a key or an access
card? Then you can probably see the advantages of widespread biometric
security systems. But the same advantages present a few more subtle,
but very critical, vulnerabilities.

For instance, if you forget your password or PIN, there's generally a
hotline to call or someone to see to get it changed. If you lose your
key? Make a new one or change your locks. But what if someone found a
way to copy your palm print? Or mimic your voice? There's no replacing
biometric traits.

Everywhere we go, whenever we do anything, we're leaving traces of our
biometric signatures. Fingerprints and palmprints can be lifted from
flat surfaces and recreated efficiently and inexpensively.

Hurray :) ....?!
----------------------------------------------------------------------

You're standing outside an office building waiting for the smokers to
come out for their lunch break. You straighten your tie and put on
your best smile. The door opens and out comes the first wave of
people. You light up and pretend you came out with them. 10 minutes
later Judy from accounting pulls out her access card, opens up the
door and you follow the group back inside.

First things first, you pull out your notebook and look for Jim's
office number and floor. If everything's going according to plan,
Jim's downstairs at a board meeting. You know this from the memo you
found in the trash bin out back.

Jim's the administrator for the company webpage; you pulled his name,
address and phone number. It wasn't too difficult: you whois'd the
company page at Network Solutions (that's the whois server that
InterNIC gave you) and you looked up his NIC handle... that showed you
his homepage, and you got his infr0 from his homepage's whois record.

Anyway, for the last 3 months you've been getting copies of his phone
bill and going through his trash. He seems like an easy mark: heavy
smoker, problems with the ex-wife... You know how it is to be
stressed, so just out of courtesy you sent him a gift. Stress putty.
You know, the stuff you squeeze when you can't keep a train of
thought? Signed, 'your secret admirer' *smirk*

You step out of the elevator and into his office. There we go, right
on the desk is your putty. You pocket it, along with some extravagant
office supplies, and make your way down to the staff lunch room.

Once there you pull out the gelatin solution you mixed earlier that
day and place it on the thumb print in the stress putty :). Put it in
the lunch room freezer (carefully concealed somewhere in the back) and
wait about 5 minutes. Tada, perfect replica of Jim's thumb. (The
gelatin mixture needs to be really strong; a 1:1 gelatin to water
ratio should do it.)
Now find a computer somewhere out of the way and use it on the
Fingerprint TouchPad (trademark of Synaptics Inc).

Access. :)
----------------------------------------------------------------------

While most of the pioneering biometric fingerprinting devices are
optical (meaning they only care about what a fingerprint looks like),
some of the newer devices (i.e. capacitive sensors) will make sure
that the finger has some electrical conductance. The optical sensors
could be fooled with silicone fingers, but because silicone doesn't
conduct electricity, the capacitive sensors couldn't. The beauty of
the attack described above is that gelatin DOES conduct. :D

A common attack against fingerprint scanners that use a method called
capacitive resistance is to blow lightly on the unit shortly after it
has been legitimately used. Often, there is enough natural oil left
over to recreate the original print. The same effect can occur when a
small plastic bag of water is pressed against the unit.

Closing.
----------------------------------------------------------------------

I intend to add to this file as I learn more about biometric tech, but
for now, this will have to do.

----------------------------------------------------------------------
greets: savvyD, ramb0x, gr3p, kleptic, dirv, jenny, lexi, lenny, turb,
joja. I love you guys :D
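
Added example (not part of the original article): a sensor-side check
for the latent-print reactivation described under "Access." above,
which refuses a capture that overlays the last accepted one almost
exactly. It assumes the sensor firmware keeps the minutiae of the last
accepted capture; the tolerances, function names and sample
coordinates are constructed for illustration.

```python
import math

# Assumed tolerances, constructed for this sketch (not vendor values).
POS_TOL_PX = 2.0       # max offset for two minutiae to share a spot
ANGLE_TOL_DEG = 3.0    # max ridge-angle difference
REPLAY_FRACTION = 0.9  # share of coinciding minutiae that means replay

def angle_diff(a, b):
    """Smallest absolute difference between two angles, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def coincidence(capture, previous):
    """Fraction of minutiae in `capture` lying on a minutia of `previous`
    in raw sensor coordinates (deliberately no alignment step)."""
    if not capture or not previous:
        return 0.0
    unused, hits = list(previous), 0
    for x, y, ang in capture:
        for i, (px, py, pang) in enumerate(unused):
            if (math.hypot(x - px, y - py) <= POS_TOL_PX
                    and angle_diff(ang, pang) <= ANGLE_TOL_DEG):
                hits += 1
                del unused[i]  # a previous minutia can be claimed once
                break
    return hits / len(capture)

def is_latent_replay(capture, previous):
    """True if the capture overlays the last accepted one too exactly
    to be a fresh placement of a finger."""
    return coincidence(capture, previous) >= REPLAY_FRACTION

def place(template, dx, dy, rot_deg, centre=(100.0, 120.0)):
    """Simulate a new placement: rotate about `centre`, then shift."""
    c, s = math.cos(math.radians(rot_deg)), math.sin(math.radians(rot_deg))
    cx, cy = centre
    return [(cx + c * (x - cx) - s * (y - cy) + dx,
             cy + s * (x - cx) + c * (y - cy) + dy,
             (ang + rot_deg) % 360.0) for x, y, ang in template]

# Constructed sample data: (x_px, y_px, ridge_angle_deg) per minutia.
LAST_ACCEPTED = [(40, 52, 10), (88, 61, 95), (120, 130, 200),
                 (65, 150, 310), (150, 75, 45), (100, 200, 170)]
# Residue made visible again: same spot, sub-pixel sensor noise only.
REACTIVATED = place(LAST_ACCEPTED, 0.4, -0.3, 0.5)
# Same finger put down again: shifted and slightly rotated.
FRESH = place(LAST_ACCEPTED, 14, -9, 8)
```

A fresh placement still goes on to the normal matcher, which aligns
the print before comparing; only the near-perfect unaligned overlay is
refused.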