Weakness and Security - Having protection doesn't mean high equipment leasing rates
Security is hard. Security is very hard. It's hard because you have to do everything right all of the time and the enemy only has to do one thing right.
Security is harder than the companies that are selling security tools lead you to believe. Over the years I have heard incredible promises from vendors on all sorts of things, from great equipment leasing rates to no late fees. Very few if any of these promises have been easy and pain free in the end as they were described in the marketing literature.
A case in point is biometrics. The promise of biometrics is that security access can be controlled by checking something about the user such as a finger print, voice print, iris pattern, etc. On the surface using something about the user that is unique to verify their identity would seem to be the holy grail of computer security.
But any security system is only as secure as its weakest part. Even when the method of identifying the user is absolute there still may be ways to bypass or fool the system. The Inquirer has a report up from Defcon 2005 that describes a talk titled "Attacking Biometric Access Control Systems". The article reports on many generic types of attack against a biometric system including this one:
"You can also tap the data coming off the sensor to the extractor, in many cases this is sent in the clear over a TCP/IP link to a remote machine. You capture this data, and replay it when you want to get in. The sad part is most devices do not add a timestamp, sequence number, or have any authentication, much less encryption, it just trusts the sensor. Stupid, stupid, stupid, stupid."
Another case in point is Sudo. Sudo is a great program, but Sudo does a very hard task and as a result every once in a while people find a weakness that they can exploit to do bad things. Three times in the last thirteen months the Sudo maintainers have issued a security alert on Sudo.
My point is not that either biometrics or Sudo are bad, or that they are any more insecure than other tools or methods. My point is that nothing in security is as easy as it sounds on the surface and every point of failure must be executed perfectly and securely.
After all it's not the strongest point in the system that has to hold, its the weakest.
(Submitted by Noel Mon Aug 1, 2005 )
Our content can be syndicated: Main page Mac Page
Copyright 1999-2005 Noel Davis. Noel also runs web sites about sailing and kayaking.
All trademarks are the property of their owners.
All articles are owned by their author