resource center
  See your link here
|
IDG News Service - Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how they could steal your fingerprint, by taking advantage of an omission in Microsoft Corp.'s Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004.
Although the Fingerprint Reader can prevent unauthorized people from logging onto your PC, Microsoft has not promoted it as a security device, but rather as convenient tool for home users who want a fast way to log onto Web sites without having to remember usernames and passwords. In fact, the Microsoft.com Web site warns that the Fingerprint Reader should not be used to protect sensitive data.
Hoping to understand why Microsoft had included that caveat, a researcher with the Finnish military, Mikko Kiviharju, took a close look at the product. In a paper presented at the Black Hat Europe conference last week, he reported that because the fingerprint image taken by the scanner is not encrypted, it could be stolen by hackers and used to inappropriately log into a computer. Kiviharju's report can be found online (download PDF).
Because the fingerprint image is transferred unencrypted from the Fingerprint Reader to the PC, it could be stolen using a variety of hardware and software technologies, called sniffers, that monitor such traffic, said Kiviharju, a researcher with the Finnish Defense Forces. "The fingerprint that can be sniffed is pretty good quality," he said.
The fingerprint image could either be used to break into a PC or simply be stolen by attackers.
Once the fingerprint image had been sniffed, it could be used by attackers to make it appear as if the victim were authenticating onto a PC or a Web site using the Fingerprint Reader, Kiviharju said. But this type of attack, which is called a replay attack because the fingerprint scan is simply replayed back to the computer, is complex. It also requires that the attacker physically connect a second PC to the computer that is being attacked.
Although neither of these attacks is easy to pull off, they are both greatly simplified by the fact that Microsoft has chosen not to encrypt the fingerprint image, Kiviharju said.
In fact, this is probably the most interesting question raised by the research, because it appears that Microsoft could enable encryption by making some minor changes to the product's firmware, Kiviharju said. "That has baffled some of the experts that have contacted me as well, " he said "It's quite a decent product, but somehow Microsoft has managed to botch it."
IDG.net
Share our Strength
Download Now
Key Strategies for Managing Data Growth
What are you storage challenges?
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!
Eradicate Spam & Gain 100% Asurance of Clean Mailboxes
Get this paper now!
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Mastering eDiscovery: The IT Manager's Guide to Preservation, Protection & Production
Get this paper now!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Not Just Words: Enforce Your Email and Web Acceptable Usage Policies
Get this paper now!
Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
