Great Circle Associates Firewalls
(April 1998)


Subject: Re: SecurID & a Biometric & a PIN
From: Keith Pachulski <sectech @ pikeonline . net>
Date: Sat, 04 Apr 1998 16:48:08 -0500
To: firewalls @ greatcircle . com
Cc: krenard @ securitydynamics . com


 > We've learned from passwords that "static" can be bad.

Static passwords are a downfall; in fact, we all know this already.

 >etc.).  Therefore, I can easily generate the biometric data necessary to

generate, replicate it..

 >assume your identity.  "Stealing" the data can be done much easier and
 >secretly than an attack on the body.  I, for one, would barely notice a
 >missing coffee mug compared to a missing digit.  Assume the data is

Heh, guess you wouldn't notice then if I borrowed your password file, then
would you? It all comes down to the issue of security and to what degree an
individual is involved in the security process. I, for one, would notice if
anything were moved on my desk, let alone turned up missing.


 >Now the problem is comparing that data
 >to a (remote?) database of data without allowing data to be inserted
 >between the measuring device and the compare operation.  You must

This area can become debatable and depends on the hardware installer and
security company governing the biometric devices. I just finished
installing a biometric reader in a 4000 office, office building in NYC.
The reader is attached via serial port to a PC which stores the photo/info
database. At the desk (24/7) is where a guard sits while the client must
authenticate with both the biometric reader as well as photo
identification. So, unless you can spoof both the facial and fingerprints
of the subject, you are not getting into any of my buildings. And no, you
can't just prance by the guard and hop into one of the 6 elevators.
Accessing the elevators requires a PIN number which is changed daily, and
only the guard has the new PIN number.

Sound complicated? The whole process takes on average 30 seconds.


 > On the other hand (pun intended):  Your fingerprint device is
 > connected via a serial port to your PC.  An attacker could easily unplug
 > the fingerprint device and plug in the coffee mug to give the same
 > response (the stolen biometric data) unless the measuring device itself
 > was authenticated.  This is the type of biometric authentication I've
 > seen demo-ed so far.

I suggest you spend more time studying physical security devices before
condemning them further. Most of the higher quality readers read the entire
print. So your coffee mug scenario is something I can laugh about =) no
The opinions expressed are mine and not that of my company, its agents,
associates or any others I forgot to mention =) Have a nice day

Just a thought, but how and why are we on the subject of biometrics for a
firewalls list?

Keith A. Pachulski PPS, CPI
Guardian Group Agency
sectech @
 pikeonline .
