Security Theatre - enter the Biometric authenticated USB memory stick
I was in a meeting earlier today where my machine was connected to the projector and someone wanted me to display their presentation for them. In normal circumstances I'd expect to be passed a USB memory stick ("thumb drive") containing the PPT which I'd copy to my local disk and display as requested. This time though I was passed a weird looking USB token that included an integrated biometric fingerprint scanner. The owner of the token was "into security" and perceived that the biometric bought him some form of authentication - don't get me started on that one except to say that it's actually providing just identity unless accompanied by a form of authentication which this device didn't do.
The "security theatre" came in when I inserted the token: an executable had to be executed on the device to unlock its contents - the owner swiped the biometric and then nothing happened! It turned out that we couldn't unlock the device AS I WASN'T RUNNING WITH ADMIN PRIVILEGES.
In order to use the device (that claimed to improve my security) I'd have had to LOWER my security by using excessive privileges! What's worse is that the token could easily have included additional unknown malicious software that could even have autoexecuted if I'd had the default configuration!!!
I can see that the owner of the device might have gained some security when transferring files from and to their own system as they'd have chosen to install the required software (using administrative credentials) - assuming of course that some form of authentication was used in addition to the biometric identity.
Incidentally my system was running Windows XP Service Pack 2 in a low privilege configuration hence the software failed to install by default.
Comments
Anonymous
January 01, 2003
Steve tends to focus on security, and I focus on Messaging and collaboration. I tend to leave all of
Anonymous
January 01, 2003
PingBack from http://winblogs.security-feed.com/2006/09/29/security-theatre-enter-the-biometric-authenticated-usb-memory-stick/
Anonymous
October 02, 2006
Yep, been there too. Same applies to most of the disk encryption options for removable disks which is a real pain...
Perhaps there's scope for a USB stick friendly EFS or similar?
Nik
Anonymous
October 05, 2006
The comment has been removed
Anonymous
October 05, 2006
The other security theatre of this is that the token's owner placed an apparently public presentation on a secured area of his drive. We have a similar issue where I work - those of us approved to carry USB thumb-drives with us are given password-protected thumb-drives (and the admin-only software is deployed to all machines using Group Policy as a result :)), and they are configured to use 100% of the drive as encrypted. This means, of course, that every time I take this drive to a machine where I need to access its data, I need to present my password to unlock it. All those different places wherein I'm providing an opportunity for someone to shoulder-surf or keylog my password. No, I reformat the drive - half is encrypted, half is not - so the tools that I carry around to other machines, and the public information I work with, are all available without a password. The secret stuff comes out only when I'm on a machine I can trust in a room with people who need to see the secret sauce.
Anonymous
October 09, 2006
Agree. Tell the user to look at the Stealth MXP device. No Admin rights needed.