Security for Dummies

security tips and tricks

Faking fingerprint (part 3)

Dear all, since the problem of faking fingerprints attracted so much interest, I decided to collect a few available videos here. I am sure you can find more. If you come across something interesting, please drop a link in the comments.

1. Karen Friar has sent a link to the Dialogue Box video. This video describes an easy way to make a fake finger. Moulding plastic, jelly, milk and tea are all the ingredients that Dialogue Box needed to get past one biometric security device.

2. The following one gets the same result with some other tools and materials.

3. I personally love this one.

4. This one is really interesting for those who understand. They trick a Upek swipe-type capacitive sensor with a piece of wet paper.

5. One more crack of Digital Persona with jelly fingers, in German.

I hope you agree with me that there is no fingerprint sensor that cannot be tricked by artificial fingerprints. But I want you to understand me correctly. I am not against using biometrics! I am a stickler for biometrics! I believe that it just should be used in the right place and called by the right name – not security provider, but security assistant.


June 30, 2008 | Biometrics, How-to, Security, Security Threats

Virology Part 1, Introduction to…

Long ago and far away, when I was working as a pathologist, dealing with corpses, viruses were a rather frequent nidus. I left my medical practice, but viruses continue chasing me. Now, dealing with security threats, I have to beware of the same old virus hazard. This makes me believe in reincarnation, karma and fate. But while back in the dissecting room the respiratory mask and gloves were the only possible protection, nowadays there are many more means. This is the first post about computer viruses. More are coming.

Why “virus”?
I never ask this question, but some people do: why are these pieces of code called “viruses”? I do not know who first suggested this term, but he definitely was a smart guy with a medical background. Viruses in the real world cannot replicate by themselves. They need a cell; they integrate themselves into the cell’s DNA, change it and use the resources of the cell for replication until the cell dies. In the same way, computer viruses need some environment to live and duplicate. They spread over the computer and the available files, delete or modify their code and duplicate themselves until “the end of the computer”. Some computer viruses are not deadly, others are very aggressive. Some are very similar to AIDS: HIV attacks lymphocytes, the cells responsible for the immune response of the body, and computer viruses destroy the anti-virus program.

Who needs it?
Actually, I still cannot answer this question. IMHO this is more a psychological than a pathological issue. People who write viruses have programming knowledge and experience. They could earn much more by creating applications than by destroying. Sometimes I feel that the anti-virus monsters are responsible for that. After the attack of the Chernobyl virus in 1996, when thousands of motherboards were destroyed in one day by system overclocking, I suspected hardware manufacturers. These conspiracy ideas are too obvious to be true or too true to be proved. Anyway, virus creation, development or distribution is a crime. So, please, behave yourself and stop doing bad things.

Dear Dummies, I will write much more about viruses, worms, malware, spyware and whatever else in later posts. Please be patient. It will be interesting later.

June 29, 2008 | Security

Why do you need encryption to be portable

In the previous post I told you about 5 reasons to use encryption, but did not mention the main one. It is not reason number 6, it is the MAIN reason.
Before I tell you what this reason is, I want you to imagine that when you encrypt some data you put it in a safe. The stronger the algorithm, the thicker the walls of the safe. Let’s imagine AES 256 as a safe with 10” steel walls, a massive door and a very complicated lock. The next character is a cryptographic key, which can be a password (a dial pad on the safe door) or a key.
I hope you can clearly imagine this safe. Good. Let’s assume that you closed this safe with a password. We all know that passwords are rather weak protection and sooner or later your password will be guessed. You ask why? OK, I will remind you.
1. You have to remember passwords, therefore they cannot be too complicated.
2. You have to type it blind, without seeing the letters, so it cannot be too long. Otherwise you will need to enter it several times.
3. You likely use a dictionary word as a password, or an address, or a family member’s name and date of birth. It can also be your pet’s name. So a brute-force attack will definitely smash your protection.
So, encrypting a file using a password is like placing it in a safe with a dial pad. Sometimes you even write the password down and stick it near the dial pad. Actually, nowadays cryptographic algorithms are extremely strong. The only weak link is the user. Yes, you are! Are you still relying on this kind of protection?
Let us imagine a stronger one. You have a key to lock your safe with. It can be a key file on some removable media. This is a bit stronger. You lock and open your safe with the same key. This is symmetric encryption.
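
A rough way to put numbers on the three password weaknesses listed above, as an added example that is not part of the original post: it estimates how many guesses a password takes when the attacker has a word list and a few personal details, next to a random 256-bit key file. The word list, the personal tokens and the function names are constructed for illustration.

```python
import math
import re

# Constructed sample data (assumptions): a tiny stand-in for an attacker's word list.
COMMON_WORDS = {"password", "dragon", "sunshine", "letmein", "monkey"}
KEY_FILE_BITS = 256  # a random 32-byte key file, e.g. secrets.token_bytes(32)


def guess_space_bits(password, personal_tokens=()):
    """Rough estimate, in bits, of the guesses needed to find this password.

    Uses the word model when it applies (a known word plus a short digit
    suffix, reasons 1 and 3 in the post), otherwise brute force over the
    character classes used, which grows with length (reason 2).
    """
    if not password:
        return 0.0
    known = COMMON_WORDS | {t.lower() for t in personal_tokens}
    match = re.fullmatch(r"([a-z]+)(\d{0,8})", password.lower())
    if match and match.group(1) in known:
        # Every known word is tried with every digit suffix up to this length.
        suffixes = sum(10 ** n for n in range(len(match.group(2)) + 1))
        return math.log2(len(known) * suffixes)
    charset = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10),
                          (r"[^a-zA-Z\d]", 33)):
        if re.search(pattern, password):
            charset += size
    return len(password) * math.log2(charset)


def compare_with_key_file(password, personal_tokens=()):
    """Return (password_bits, how many bits short of a 256-bit key file)."""
    bits = guess_space_bits(password, personal_tokens)
    return round(bits, 1), round(KEY_FILE_BITS - bits, 1)


if __name__ == "__main__":
    # Constructed examples: pet name plus birth year, dictionary word, random-looking.
    for pw, personal in (("rex1975", ["Rex"]), ("sunshine", []), ("Tr0ub4dor&3x", [])):
        print(pw, compare_with_key_file(pw, personal))
```

The estimate is only as good as the word list behind it; a real attacker's list is far larger, but the gap to a random key file stays enormous either way.
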
There is an even stronger solution, where you lock with one key and unlock with another. This technology is called PKI or asymmetric encryption. It can use a hardware key, like an Aladdin e-Token or a smartcard. Is it secure enough? Yes, it is much safer than a password and a key file. But… You need something to enable these keys: a smartcard reader and drivers installed, or drivers for the e-Token, or ActiveX enabled. That means that you can use the encrypted file on your workstation only. What if you want to use this file somewhere else?

Is there a way to make it portable? Yes, there are portable cryptographic tools. They do not need drivers; they work automatically, integrating both crypto-engines and key generation tools.

Summarizing, you need Portable Encryption to make your files really secure. If you encrypt one with a password, you lock it within a safe and invite a brute-force attack. If you encrypt using a preinstalled system, you also provide the tools for this attack. Only using a portable solution will keep your files safe. You carry your keys and your lock with you, while your info is closed within a safe.

June 28, 2008 | Encryption, privacy, Security