resource center
  See your link here
|
Subscribe to Computerworld IDG News Service - Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how they could steal your fingerprint, by taking advantage of an omission in Microsoft Corp.'s Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004.
Although the Fingerprint Reader can prevent unauthorized people from logging onto your PC, Microsoft has not promoted it as a security device, but rather as convenient tool for home users who want a fast way to log onto Web sites without having to remember usernames and passwords. In fact, the Microsoft.com Web site warns that the Fingerprint Reader should not be used to protect sensitive data.
Hoping to understand why Microsoft had included that caveat, a researcher with the Finnish military, Mikko Kiviharju, took a close look at the product. In a paper presented at the Black Hat Europe conference last week, he reported that because the fingerprint image taken by the scanner is not encrypted, it could be stolen by hackers and used to inappropriately log into a computer. Kiviharju's report can be found online (download PDF).
Because the fingerprint image is transferred unencrypted from the Fingerprint Reader to the PC, it could be stolen using a variety of hardware and software technologies, called sniffers, that monitor such traffic, said Kiviharju, a researcher with the Finnish Defense Forces. "The fingerprint that can be sniffed is pretty good quality," he said.
The fingerprint image could either be used to break into a PC or simply be stolen by attackers.
Once the fingerprint image had been sniffed, it could be used by attackers to make it appear as if the victim were authenticating onto a PC or a Web site using the Fingerprint Reader, Kiviharju said. But this type of attack, which is called a replay attack because the fingerprint scan is simply replayed back to the computer, is complex. It also requires that the attacker physically connect a second PC to the computer that is being attacked.
Although neither of these attacks is easy to pull off, they are both greatly simplified by the fact that Microsoft has chosen not to encrypt the fingerprint image, Kiviharju said.
In fact, this is probably the most interesting question raised by the research, because it appears that Microsoft could enable encryption by making some minor changes to the product's firmware, Kiviharju said. "That has baffled some of the experts that have contacted me as well, " he said "It's quite a decent product, but somehow Microsoft has managed to botch it."
IDG.net
An All-in-One Approach to Web Security
Granting web access to employees poses challenges to IT administrators and introduces unique security risks. Even as companies have perfected their security techniques...
Usability Is Everything
Learn what sets Workday's HR and Payroll solutions apart from the competition....
The Hidden Dangers of Spam
Beyond the well-understood productivity drain that spam inflicts on businesses, threats posed by illicit email circulating through a network are causing many security...
The Value of Real SaaS at Workday
Cost savings, speed to value, and innovation brought to the enterprise by Workday's software-as-a-service solutions for HR and Payroll....
Case Study: The Ritz London
Discover how the superior capabilities of Webroot E-mail Security SaaS allows user to focus on their principal tasks instead of wasting their time...
SaaS at Flextronics, Inc.
Dave Smoley, CIO of Flextronics, discusses the real value of software-as-a-service and why he chose Workday for his HR solution....
Case Study: Richmond Ambulance Authority (RAA)
In this case study, find out how Webroot Web Security SaaS delivers the proactive web security RAA needs....
Why Compliance Pays
This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data...
Can Heuristic Technology Help Your Company Fight Viruses?
(Source: MessageLabs - now part of Symantec) In the face of today's increasingly sophisticated malware, using multiple layers of email and web protection...
Agile Enterprise Content Management (ECM) for Rapid ROI
Find out how combining ECM and BPM will help adress issues about content rich business processes....
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
