
HAKIN9 06/2012: BIOMETRICS

Download
File
Hakin9_06_2012.pdf

Biometrics: Secure? Hackable? You Decide…
By Gary S. Miliefsky

A biometric system used for security is similar to a door lock and a mechanical key. With the right key, you can unlock and open the door. By providing your unique ID, known as your “biometric” or, if multi-faceted (your fingerprint and your retina print), your “biometrics”, you are providing the proper key to open the lock, which is also known as a Biometric Security System.
As these biometric security systems have evolved, they continue to be based on seven basic criteria – uniqueness, universality, permanence, collectability, performance, acceptability and circumvention. If you really want to get into the history of biometrics, just google “Schuckers biometric security systems” and you could spend all day reading and learning about it.

Life with Biometrics
By Randy Naramore

Biometric authentication has been heralded as the future of security systems: a verification system that not only drastically reduces the risk of a system's security being compromised but also eliminates the need for much of the traditional security overhead. In recent years biometric authentication systems have become more prolific as numerous manufacturers of biometric sensing devices and middleware providers have entered the market. Having met with particular success in restricting physical access in high-security environments, it is curious to note that this success has not been echoed where network authentication is concerned. It is with this in mind that we look at the pros and cons of biometric authentication for networks and investigate whether this slowness of uptake is an indication of things to come, or whether biometric authentication is the next big thing, worthy of all the claims of its biggest proponents.

Biometric Authentication In IT Security: An Introduction
By AYO Tayo-Balogun

Enrolment is the process through which the raw biometric data is captured. This is the first contact of the user with the biometric system. The user’s biometric sample is obtained using an input device. The quality of the first biometric sample is crucial for further authentications of this user. It may happen that even multiple acquisitions do not generate biometric samples of sufficient quality; such a user cannot be registered with the system. There are also mute people, people without fingers, or people with injured eyes. Both of these categories create a ‘fail to enrol’ (FTE) group of users. Users very often do not have any previous experience with the kind of biometric system they are being registered with, so the first measurement should be guided by a professional who explains the use of the biometric reader. Depending on the technology being implemented, the data captured could be a facial image, a fingerprint, voice data, etc.

The Day That Fingerprints Were Ruled Out From Being Evidence

By Amitay Dan

One of the main targets at the crime scene, the leader of the biggest drug cartel, is being arrested for killing two people; he made a mistake and didn’t hide the gun well. Two years before, the cartel had got an idea from hackers who helped them. The idea was simple: instead of hiding fingerprints with gloves, they could steal the fingerprints of 100,000 people from workers’ clock-in/out systems and then add this stolen database to the cartel’s own fingerprint database. The next act was to share the database on the Internet so that anyone would be able to fake their fingerprints with it. The idea spread to many other cartels and criminals, and together with privacy freedom fighters they started to share their own biometric information, fingerprints included. Back in court, the judge heard a new breakthrough claim from the suspect’s lawyer: “the fingerprint has been in a public database for two years, and anyone can use it.” For the first time in history, the judge rejected the fingerprint as proof of the crime, since public data cannot be evidence of one person.

A thin database access abstraction layer for ADO.NET on .NET / Mono
By Moreno Airoldi

Later, Microsoft released a successor to ODBC: OLE DB. This new technology was object oriented, based on COM (the Component Object Model), and aimed to improve on its predecessor in terms of performance, providing a way to write drivers which were less abstracted and closer to the database server’s APIs, and more open to non-relational database systems. Although it was widely used, mainly because Microsoft made it the standard way to access their database system SQL Server, it never became as popular as ODBC. One of the main factors that prevented OLE DB from being adopted was the fact that it is available on Windows only. Being based on COM, a Windows-only technology, it would be hard, if not impossible, to port it to other operating systems. The doom of OLE DB was sealed at the end of the 90s, when Microsoft decided to switch its focus away from COM, a technology which, although highly successful, was very complex to maintain and to develop for, and not ideal for fighting the emerging Java platform on its own ground. With its new technology for software development, the .NET Framework, specifically designed to compete with Java, from which it took almost all of its features, Microsoft presented yet another database access technology: ADO.NET.

Security issue in SMS Banking
By Amar

You might now wonder what insecurities could really be there in such a seemingly foolproof design. True, cross-site scripting, SQL injection and buffer overflow attacks may not be possible from a cell phone, but there are vulnerable points in the architecture which can be attacked: the mobile banking application and the bulk service provider’s server. If an attacker reconstructs either of the two HTTPS requests (sent from the bulk service provider to the mobile banking application, or vice versa), he will be able to flood the valid user with SMS messages. This may lead the user to believe that someone else is requesting the account details on his behalf. Worse, if the application displays the information contained in the second request message (from the mobile banking application to the bulk service provider) in the browser itself after the attacker has successfully created the first request message (from the bulk service provider to the mobile banking application), he will get to see critical information such as the account balance of a valid user.

Directory Traversal Vulnerability
By Bojan Alikavazović

Directory traversal attacks are usually very easy to perform, especially when it comes to services like FTP and TFTP. They become more complex for web applications. In short, the idea is to traverse to any file on the system and be able to read or download files containing useful information (hashes, passwords, etc.). This article describes directory traversal vulnerabilities in a variety of services such as FTP, TFTP, HTTP and web apps. During the tests a very interesting program, DotDotPwn, has been used to perform various types of attacks.

Using REMnux to analyze PE files
By Glenn P. Edwards Jr.

The first step is to identify what the file you are analyzing actually is, so we know which analysis tools to use. Since simply going off the file extension can be misleading, we can try to identify the file type in a few different ways: file, TrID [3], hachoir-metadata, a hex editor (xxd) and 7zip (7z).
Most of you may be familiar with the file command since it has been around for a while, so for the sake of brevity just remember that it uses ‘magic numbers’ to identify file types.
TrID identifies files based on their binary signatures, has no fixed rules and can be continuously updated/trained on new file types. If you run TrID against a single file it will display which type of file it matches and the percentage of that match, as shown in Figure 1.

Why HR Matters – How Organisations Create Their Own Insider Threat
By Drake

So, nearing the end of his probationary period, he decided it was time to move on and part company with his current employers. Just as he was contemplating his options, he received a letter from the company’s HR function, happily telling him that his notice period was now extended to one month. This was news to him, as his contract said three months. In any case, he shrugged his shoulders, found another job, and in due course came to resign. What happened next was really quite upsetting for him: in the HR function there was another person with a similar name to his, who happened to be involved with sorting out his affairs (he had by this stage produced the previously mentioned letter, to “help things along”). Soon, he found himself being accidentally copied in on the e-mail trail, where some quite unsatisfactory things were being said about him. The dénouement of the story was that he threatened his (now ex) employer with legal action.



August 28, 2014
