lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 10 Feb 2004 08:49:50 -0500
From: "Eric 'MightyE' Stevens" <mightye-removethis-@...htye.org>
To: Navaneetharangan <navaneeth@...solutions.com>
Cc: markus-1977@....net, bugtraq@...urityfocus.com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication


Navaneetharangan wrote:

>2) With the arrival of optic based fingerprint scanners, the probability
>of getting authenticated on latent fingerprints (or by using a lifted
>fingerprint) is very minimal.
>  
>
This is not true, there has been a fair amount of research done on 
creating false finger print pads from latent fingerprints, which mostly 
consist of defining the oils left behind with, eg, black printer toner, 
capturing a high resolution image of the finger print with a digital 
camera or scanner, touching up the image as necessary in a photo editing 
suite, printing a negative of the finger print on to transparency, and 
burning a "circuit" with ultraviolet light (common in the home 
electronics scene).  This makes a reusable mold in to which gelatin can 
be poured to make a false finger pad which regularly fools fingerprint 
scanners since it is of similar consistency to human finger print pads. 

The largest covert advantage of the gelatin approach is that the false 
pads can be applied almost invisibly over a person's existing finger 
pads, and in the event of a panic of the operative, destruction of the 
evidence is easy, simply tear off the false pads with your teeth and 
consume the gelatin; within seconds there is no more trace as the false 
pads completely dissolve.

For more information on this, check out Google: 
http://www.google.com/search?q=defeat+fingerprint+scanner+gelatin

>3) And you can use all the ten fingers of yours for authentication; it
>need not always be your thumbprint alone.
>
>  
>
This is true, and this increases the effort required on the part of the 
covert operative in order to capture a successful identification, 
however the underlying problem still exists: once a user's prints are 
successfully compromised, they have no opportunity to alter their key 
(finger prints).  If my password is guessed, I can change it.  If my SSH 
key is broken, I can change it.  If my fingerprints are captured, I have 
no such opportunity.

-Eric "MightyE" Stevens
To reply to me, please remove "-removethis-" from my email address.
http://lotgd.net -- Slay a dragon... over lunch!



Powered by blists - more mailing lists