Biometrics for identification
By Jake Edge
April 2, 2008
Using a fingerprint or other physical characteristic, called biometric data, for
identity verification seems, at first glance, like a perfect solution to
the problem. Unfortunately, there are some basic problems with using biometric
information that way. If the biometric data can be gathered by others, it no
longer makes such a good identifier.
As part of a political protest against including fingerprints in passports,
the Chaos Computer Club (CCC)
published a
fingerprint of German Home Secretary Wolfgang Schäuble. Schäuble
is a supporter of collecting fingerprint data to combat terrorism. The club not
only published the picture, but also a film that can be placed over a
finger to deceive fingerprint scanners. A club spokesman offered usage
recommendations, as reported by heise online:
We recommend that you use the film whenever your fingerprint is taken,
such as when you enter the US, stop over at Heathrow, or even when you
touch bottles at your local supermarket -- just to be on the safe side.
It seems unlikely that CCC's distributed finger film will
actually leave the Secretary's print on a glass surface, but more
sophisticated versions of the same basic idea should be able to.
Various folks have shown that using an image of someone's fingerprint can
fool most scanners. Even sophisticated scanners can be spoofed when that
image is placed over a live finger—with body temperature and pulse.
The problem is that while a fingerprint is unique, it isn't secret. CCC
got theirs from a sympathizer who picked it up from a glass used by the Secretary
during a speech.
Bruce Schneier is, as usual, ahead of the curve on this. In an article
from nearly ten years ago, he drives home the point:
The moral is that biometrics work great only if the verifier can verify two
things: one, that the biometric came from the person at the time of
verification, and two, that the biometric matches the master biometric on
file. If the system can't do that, it can't work. Biometrics are unique
identifiers, but they are not secrets. (Repeat that sentence until it sinks
in.)
Other forms of biometric identification exist, but are susceptible to the
same kinds of problems. A voiceprint or facial identification scanner
could be fairly easily subverted by secretly recording or photographing the
subject. Retinal scans are trickier, perhaps, but technology to remotely
(and surreptitiously) read them will probably come along. In many cases,
an attacker may not even need to go to that amount of trouble because they
can just extract—or pay to have someone else extract—that
information from some database.
More and more of this kind of information is being gathered and
centralized. The US has started fingerprinting all ten fingers of non-citizens
who enter the country—other countries have started doing it in
retaliation. One could hope the data retention policy for that information
is similar to that of White House emails, but it is probably longer.
Worse yet, it is probably stored with photographs, passport information,
and signature of the subject.
The key to using biometrics correctly is to repeat the Schneier mantra:
Biometrics are powerful and useful, but they are not keys. They are useful
in situations where there is a trusted path from the reader to the
verifier; in those cases all you need is a unique identifier. They are not
useful when you need the characteristics of a key: secrecy, randomness, the
ability to update or destroy. Biometrics are unique identifiers, but they
are not secrets.
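An added example (not from the article, nor Schneier's) of what a "trusted path from the reader to the verifier" buys: the reader authenticates each capture with a key the verifier knows, and the verifier checks the reader's identity, freshness and replay before comparing the template against the one on file, so a copied print alone never produces an accepted message. Reader keys, user names and templates are constructed placeholders, and templates are compared as exact hashes rather than by a real fuzzy matcher.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders: keys shared between each enrolled reader and the
# verifier, and the master template on file per user. A real system would use
# a fuzzy matcher on minutiae; here a template is just a hash compared exactly.
READER_KEYS = {"lobby-reader-1": b"constructed-reader-1-key"}
TEMPLATES_ON_FILE = {
    "alice": hashlib.sha256(b"constructed-alice-minutiae").digest(),
}
MAX_AGE_SECONDS = 30


def reader_tag(reader_id, key, user, template, timestamp, nonce):
    """Reader side: bind the captured template to this reader, this moment
    and a fresh nonce. Without the reader key, a copied print is worthless."""
    msg = b"|".join([reader_id.encode(), user.encode(), template,
                     str(timestamp).encode(), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


def reader_capture(reader_id, user, template, now):
    """Produce the message a trusted reader sends after scanning a finger."""
    nonce = secrets.token_bytes(16)
    tag = reader_tag(reader_id, READER_KEYS[reader_id], user, template, now, nonce)
    return (reader_id, user, template, now, nonce, tag)


class Verifier:
    def __init__(self, clock):
        self.clock = clock        # injectable clock, so checks are deterministic
        self.seen_nonces = set()  # replay cache; bounded by MAX_AGE in practice

    def verify(self, reader_id, user, template, timestamp, nonce, tag):
        key = READER_KEYS.get(reader_id)
        if key is None:
            return "untrusted reader"
        expected = reader_tag(reader_id, key, user, template, timestamp, nonce)
        if not hmac.compare_digest(expected, tag):
            return "bad reader tag"
        if abs(self.clock() - timestamp) > MAX_AGE_SECONDS:
            return "stale capture"
        if nonce in self.seen_nonces:
            return "replayed capture"
        self.seen_nonces.add(nonce)
        on_file = TEMPLATES_ON_FILE.get(user)
        if on_file is None or not hmac.compare_digest(on_file, template):
            return "no match"
        return "ok"
```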
Revocation of a biometric identifier is difficult or impossible—if it
is even known to be compromised. One could potentially switch fingers for
fingerprint identification, or even switch eyes—once. Switching
voiceprint, face, or DNA if and when that gets used, will be essentially
impossible. Biometrics suffer from the same failure mode as using the same
password everywhere, unless you can somehow use a different characteristic
for each biometrically "protected" dataset—hard to do with limited
body parts.
Biometric data does have its uses, but it has limitations as well. It
seems seductively simple that your fingerprint is the same as you, but it
isn't necessarily true. Now we just need to teach the politicians, which
might be something that Schäuble is starting to learn.
New vulnerabilities
capp-lspp-config: privilege escalation
| Package(s): | lspp-eal4-config-ibm, capp-lspp-eal4-config-hp |
| CVE #(s): | CVE-2008-0884 |
| Created: | April 1, 2008 |
| Updated: | April 2, 2008 |
| Description: | The lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages contain utilities and documentation for configuring a machine for the Controlled Access Protection Profile, or the Labeled Security Protection Profile. It was discovered that use of the "capp-lspp-config" script results in the "/etc/pam.d/system-auth" file being set to world-writable. Authorized local users who have limited privileges could then exploit this to gain additional access, or to escalate their privileges. |
| Alerts: | |
centerim: command injection
| Package(s): | centerim |
| CVE #(s): | CVE-2008-1467 |
| Created: | April 2, 2008 |
| Updated: | April 2, 2008 |
| Description: | The centerim instant messaging interface passes unescaped URLs to the shell, allowing the injection of arbitrary commands. |
| Alerts: | |
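As an added illustration of the bug class in this entry (not centerim's own code): the fix is to hand the URL to the browser as a single argv element after checking its scheme, never by joining it into a shell command line. The `xdg-open` browser command and the http/https allowlist are assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Assumed browser command; a real client would take this from configuration.
BROWSER_ARGV = ["xdg-open"]
ALLOWED_SCHEMES = {"http", "https"}


def browser_argv(url):
    """Return the argv used to launch the browser. The URL is passed as one
    element and is never interpolated into a shell string, so shell
    metacharacters inside it are inert; unexpected schemes are refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing to open URL with scheme %r" % parts.scheme)
    return BROWSER_ARGV + [url]


def open_url(url):
    """Launch the browser without a shell (shell=False is the default,
    stated here to make the contrast with the vulnerable pattern explicit)."""
    return subprocess.run(browser_argv(url), shell=False, check=False)
```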
cups: buffer overflows
| Package(s): | cups |
| CVE #(s): | CVE-2008-0053, CVE-2008-1373 |
| Created: | April 1, 2008 |
| Updated: | October 16, 2008 |
| Description: | Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed. |
| Alerts: | |
cups: multiple vulnerabilities
| Package(s): | cups |
| CVE #(s): | CVE-2008-1374, CVE-2004-0888, CVE-2005-0206 |
| Created: | April 1, 2008 |
| Updated: | August 6, 2008 |
| Description: | Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. An attacker could create a malicious PDF file that could possibly execute arbitrary code as the "lp" user if the file was printed. The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities. |
| Alerts: | |
gnome-screensaver: information disclosure
| Package(s): | gnome-screensaver |
| CVE #(s): | CVE-2007-6389 |
| Created: | April 2, 2008 |
| Updated: | August 29, 2008 |
| Description: | The gnome-screensaver "leave message" feature can be used to read the contents of the user's clipboard, potentially disclosing useful information. |
| Alerts: | |
gnome-screensaver: lock bypass
| Package(s): | gnome-screensaver |
| CVE #(s): | CVE-2008-0887 |
| Created: | April 2, 2008 |
| Updated: | July 7, 2008 |
| Description: | From the Red Hat advisory: A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen. |
| Alerts: | |
lighttpd: denial of service
| Package(s): | lighttpd |
| CVE #(s): | CVE-2008-1531 |
| Created: | April 1, 2008 |
| Updated: | May 19, 2008 |
| Description: | lighttpd 1.4.19 and earlier allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. |
| Alerts: | |
mod_suphp: symlink vulnerabilities
| Package(s): | mod_suphp |
| CVE #(s): | |
| Created: | April 2, 2008 |
| Updated: | April 2, 2008 |
| Description: | mod_suphp 0.6.2 contains two symbolic link vulnerabilities which can be exploited to create a privilege escalation attack. |
| Alerts: | |
phpMyAdmin: information disclosure
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2008-1567 |
| Created: | April 2, 2008 |
| Updated: | July 7, 2008 |
| Description: | phpMyAdmin saves MySQL username and password information in (potentially unprotected) session data. |
| Alerts: | |
policyd-weight: insecure temp file
| Package(s): | policyd-weight |
| CVE #(s): | CVE-2008-1569 |
| Created: | March 27, 2008 |
| Updated: | April 11, 2008 |
| Description: | From the Debian alert: Chris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system. |
| Alerts: | |
tomcat: insecure ciphers
| Package(s): | tomcat |
| CVE #(s): | CVE-2007-1858 |
| Created: | March 28, 2008 |
| Updated: | April 2, 2008 |
| Description: | The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts. |
| Alerts: | |
xine-lib: multiple integer overflows
| Package(s): | xine |
| CVE #(s): | CVE-2008-1482 |
| Created: | April 1, 2008 |
| Updated: | September 10, 2008 |
| Description: | Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote attackers to trigger heap-based buffer overflows and possibly execute arbitrary code via (1) a crafted .FLV file, which triggers an overflow in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which triggers an overflow in demuxers/demux_film.c. |
| Alerts: | |
Page editor: Jake Edge