
                                                     
                                                       
               Outbreak Magazine Issue #9 - Article 11 of 13
           '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

######################################################################
############    Biometric Security Basics -by dropcode    ############
######################################################################

Intro.
----------------------------------------------------------------------
Biometrics is the study of physiological traits by which a human being
can  be recognized. Examples include voice  pattern  detection, retina  
and  iris  scanning,  fingerprints, palmprints and hand geometry, etc. 
There  are  various companies and organizations dedicated to this area 
of  study  and  as of late quite a few biometric security devices have 
been developed for laptop and desktop PCs.

In this article I will cover some of the basic vulnerabilities present
in various biometric security products.


Abstract.
----------------------------------------------------------------------
Ever forget a password or private PIN? Lose a key or an access card?
Then you can probably see the advantages of widespread biometric
security systems. But the same advantages present a few more subtle,
but very critical, vulnerabilities. For instance, if you forget your
password or PIN, there's generally a hotline to call or someone to see
to get it changed. If you lose your key? Make a new one or change your
locks. But what if someone found a way to copy your palm print? Or
mimic your voice? There's no replacing biometric traits.

Everywhere  we go, whenever we do anything we're leaving traces of our 
biometric  signatures.  Fingerprints and palmprints can be lifted from 
flat surfaces and recreated efficiently and inexpensively. Hurray :)


....?!
----------------------------------------------------------------------
You're  standing  outside  an  office building waiting for the smokers 
to  come out for their lunch break. You straighten your tie and put on 
your best smile.

The  door  opens  and out comes the first wave of people. You light up 
and  pretend  you  came  out  with  them.  10  minutes later Judy from 
accounting pulls out her access card, opens up the door and you follow
the group back inside.

First things first, you pull out your notebook and look for Jim's
office number and floor. If everything's going according to plan,
Jim's downstairs at a board meeting. You know this from the memo you
found in the trash bin out back. Jim's the administrator for the
company webpage; you pulled his name, address and phone number. It
wasn't too difficult: you whois'd the company page at network
solutions (that's the whois server that internic gave you) and you
looked up his NIC handle... that showed you his homepage and you got
his infr0 from his homepage's whois record. Anyway, for the last 3
months you've been getting copies of his phone bill and going through
his trash. He seems like an easy mark: heavy smoker, problems with the
ex-wife...

You know how it is to be stressed, so just out of courtesy you sent
him a gift: stress putty. You know, the stuff you squeeze when you
can't keep a train of thought? Signed, 'your secret admirer' *smirk*

You step out of the elevator and into his office. There we go, right
on the desk is your putty. You pocket it, along with some extravagant
office supplies, and make your way down to the staff lunch room. Once
there you pull out the gelatine solution you mixed earlier that day
and place it on the thumb print in the stress putty :). Put it in the
lunch room freezer (carefully concealed somewhere in the back) and
wait about 5 minutes. Tada, perfect replica of Jim's thumb.

(The gelatine mixture needs to be really strong; a 1:1 gelatine to
 water ratio should do it.)

Now find a computer somewhere out of the way and use it on the
Fingerprint TouchPad (trademark of Synaptics Inc). Access. :)
----------------------------------------------------------------------

While most of the pioneering biometric fingerprinting devices are
optical (meaning they only care about what a fingerprint looks like),
some of the newer devices (i.e. capacitive sensors) will make sure
that the finger has some electrical conductance. The optical sensors
could be fooled with silicone fingers, but because silicone doesn't
conduct electricity, the capacitive sensors couldn't. The beauty of
the attack described above is that gelatine DOES conduct. :D

A common attack against biometric fingerprint scanners utilizing a
method called capacitive resistance is blowing lightly on the unit
shortly after it has been legitimately used. Often, there is enough
natural oil left over to recreate the original print.

The same effect can occur when a small plastic bag of water is pressed
against the unit.
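
One countermeasure to the residue trick above, as an added example
that is not part of the original article: a live finger never lands on
the sensor at exactly the same position and angle twice, so a capture
that coincides with the last accepted one without any alignment is
treated as reactivated residue. The minutiae format, thresholds and
sample points are assumptions made up for the illustration.

```python
import math

# Hypothetical thresholds, in sensor pixels and degrees; tune per device.
MATCH_RADIUS_PX = 3.0    # minutiae closer than this count as the same point
MATCH_ANGLE_DEG = 4.0    # ...if their ridge angles also agree this closely
REPLAY_FRACTION = 0.9    # share of coinciding minutiae that signals residue

def angle_diff(a, b):
    """Smallest absolute difference between two angles, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def coinciding_fraction(current, previous):
    """Share of current minutiae lying on a previous one, with NO alignment step."""
    if not current or not previous:
        return 0.0
    hits = sum(
        any(math.hypot(x - px, y - py) <= MATCH_RADIUS_PX
            and angle_diff(a, pa) <= MATCH_ANGLE_DEG
            for (px, py, pa) in previous)
        for (x, y, a) in current)
    return hits / len(current)

def is_residual_replay(current, previous):
    """True when the capture sits where the last accepted finger sat."""
    return coinciding_fraction(current, previous) >= REPLAY_FRACTION

def place(minutiae, dx, dy, rot_deg, cx=100.0, cy=100.0):
    """Simulate putting the same finger down again: rotate about (cx, cy), then shift."""
    r = math.radians(rot_deg)
    return [(cx + (x - cx) * math.cos(r) - (y - cy) * math.sin(r) + dx,
             cy + (x - cx) * math.sin(r) + (y - cy) * math.cos(r) + dy,
             (a + rot_deg) % 360.0) for (x, y, a) in minutiae]

# Constructed sample data: (x, y, ridge angle) of the last accepted capture.
LAST_ACCEPTED = [(40, 52, 10), (75, 60, 95), (110, 48, 180), (62, 120, 270),
                 (130, 135, 45), (95, 150, 300), (150, 80, 200), (48, 160, 130)]
# Reactivated residue: same spot, sub-pixel noise, one minutia lost.
LATENT = place(LAST_ACCEPTED[:7], 0.5, -0.5, 0.0)
# The real user touching the sensor again: shifted and slightly rotated.
FRESH = place(LAST_ACCEPTED, 12, -7, 6.0)

if __name__ == "__main__":
    print("latent residue flagged:", is_residual_replay(LATENT, LAST_ACCEPTED))
    print("fresh placement flagged:", is_residual_replay(FRESH, LAST_ACCEPTED))
```

This check only addresses residue left on the sensor surface; it does
nothing against a moulded replica, which is placed fresh each time.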


Closing.
----------------------------------------------------------------------
I intend to add to this file as I learn more about biometric tech, but
for now, this will have to do.


----------------------------------------------------------------------
greets: savvyD,  ramb0x,  gr3p,  kleptic,  dirv,  jenny,  lexi, lenny, 
	turb, joja. I love you guys :D
