Trendy Security
1/20/99

Most of the people who are going to read this are aware of the popularity that security issues have enjoyed recently. For the most part, this is good. This means that (given a flashy enough exploit) security problems will get popular press, vendors will be publicly embarrassed, and all of us get high paying jobs.

Of course, as with anything getting press, there are opportunities for scams. These scams include bad "security" software, articles offering bad security advice, consultants preying on clueless customers, ISPs claiming to have more secure networks, etc.

I won't comment (at this time) about everything mentioned in the previous two paragraphs. In fact, those two paragraphs cover nearly our entire job as hackers. Our job as hackers is to expose the scams via the popular press.

End plug for hacker work. I'm writing this today because of two things I keep reading about, which as far as I'm concerned, are scams. These are biometrics and public access terminals.

From a security point-of-view, if these two technologies gain popularity, we're going to be in a lot of trouble.

First, Biometrics:

For those who aren't familiar with the concept of biometrics, it's the practice of using a measurement of one's body part(s) as an authentication mechanism. For example, a fingerprint reader or retina scanner. This measurement becomes your password.

The idea is that at your installation, all the workstations have a finger reader or eyeball scanner. You walk up to a workstation, door, or whatever, scan your part, and in you go.

Spot the problem yet? When you scan your body part, those measurements are converted into some sort of digital representation. That string of bits that is the digital representation is a STATIC PASSWORD. Worse, it's a static password that you can't change, or perhaps can only change a limited number of times. With a biometric string, there is no concept of a "bad" or "good" static password. All you have is the string of bits that represents your body measurement.

Keep in mind that this measurement is NOT necessarily secret, either. I'm not even talking about the James Bond scenarios where they lift your prints from a discarded soda can, or chloroform you, measure every orifice, and replace everything in your house with an exact duplicate.

Think about what happens when this starts to become REALLY popular. The bank wants to scan your eyeball to get cash out of the ATM. The DMV wants your prints to get a driver's license. The grocery store wants to scan your face to accept your check. Various government agencies already fingerprint and photograph you and keep a permanent record if you get picked up, conviction or not.

Exactly how bad would this be? Imagine using your social security number as your only password, on every system you have access to.

Why am I so worried about this? Because I'm seeing many, many people just assume that biometrics are the ultimate authentication mechanism. I'm not just talking about the clueless people either. I subscribe to a number of security mailing lists, and I'm shocked at the number of people who I think should know better making statements like: "Well, OTP cards are OK for now.. until we can widely deploy biometrics."

NO, NO, NO! An OTP card with a halfway decent implementation is BETTER!

There is a general fallacy in the information security world. People, even experts, tend to believe that something less familiar is more secure. I don't know the psychology behind it, but I've seen it many times. That's why people used to insist that NT was more secure than unix. Now NT is familiar, and we know better.

So, I'm screaming about this biometrics mess because I don't want to see us go down that path. I don't want us to spend 10 years proving that it wasn't such a great idea.

Now, having said all that, let me take care of some of the pro-biometric arguments right up front.

Do I think biometrics are completely useless? No. Biometrics are useless across a network, or on a system out of my personal control. Where WOULD they work? I would use biometrics as a PIN replacement on some sort of sealed security device that I own and control. For example, an OTP card. I would be happy using my fingerprint on my OTP card instead of punching in a PIN code.

Why? Because the biometric info itself (or a hash, or any product of it) doesn't pass to another system. No one else has to have a record of my print.

I would NOT use it as a PIN replacement at my bank, because I would have no choice about my biometric "PIN" matching at the bank and anywhere else.
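The difference between the two designs, as an added example that is not part of the original essay: a biometric bit string checked by a remote system behaves like a static password that works at every verifier, while an OTP card unlocked locally by the same fingerprint only ever emits a single-use code. Assumptions: HOTP (RFC 4226) stands in for the unspecified "OTP card", the fingerprint is modeled as an exact byte string (real matchers are fuzzy), and all class and function names are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def template_verifier(enrolled):
    """Remote system that stores the biometric bit string and compares it."""
    return lambda submitted: hmac.compare_digest(enrolled, submitted)

class OtpVerifier:
    """Remote system that accepts each counter value at most once."""
    def __init__(self, key):
        self.key, self.counter = key, 0
    def verify(self, code):
        ok = hmac.compare_digest(hotp(self.key, self.counter), code)
        if ok:
            self.counter += 1  # a used code is never accepted again
        return ok

class OtpCard:
    """Sealed token: the fingerprint unlocks it locally and is never transmitted."""
    def __init__(self, key, owner_template):
        self._key, self._owner, self._counter = key, owner_template, 0
    def code(self, finger):
        if not hmac.compare_digest(self._owner, finger):
            return None  # wrong finger: no code is released
        self._counter += 1
        return hotp(self._key, self._counter - 1)

def demo():
    template = hashlib.sha256(b"constructed fingerprint scan").digest()
    key = b"12345678901234567890"  # constructed shared secret (RFC 4226 test key)
    bank, dmv = template_verifier(template), template_verifier(template)
    server, card = OtpVerifier(key), OtpCard(key, template)
    observed_code = card.code(template)  # the only value that crosses the wire
    return {
        "template_login": bank(template),
        "template_replay_elsewhere": dmv(template),  # same bits work everywhere
        "otp_login": server.verify(observed_code),
        "otp_replay": server.verify(observed_code),  # already burned
        "otp_next_login": server.verify(card.code(template)),
        "card_wrong_finger": card.code(b"someone else"),
    }
```

This simplified verifier has no look-ahead window, so the card and server counters must stay in step; real deployments allow a small resynchronization window.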

Second, Public-Access Terminals:

I've also been reading a number of articles about "some day in the future" when public kiosks with Internet access are available everywhere, and you don't even need to take your laptop with you anymore. You simply plug in your smartcard, and read your e-mail, in the middle of the mall, at your hotel room, etc.

This is so wrong, it's not funny.

These things are called web kiosks, public access terminals, e-mail stations or something else. I'll call them PATs.

You're using a terminal without any idea how secure it is, who owns it, or what's been done to it.

1: Payment issues. Today, in the United States, there is really no such thing as a smart card, at least not as a mass-market payment device. For this purpose, we use credit cards. A couple of times now I've used PATs, once in a bar in Boston, and once at an airport lounge in Chicago. All I had to do was swipe a credit card, and I had Internet access. No PIN code, no typing in the cardholder name, just swipe and go. All you need is physical possession of a credit card.

All of the usual credit-card-over-the-net issues apply. Maybe more so, since this PAT has been physically accessible to many people before you. Some PATs may be on the Internet full-time. All the better to break into them remotely and collect credit cards. Many of them run Windows, so development of an appropriate trojan or exploit should be quite do-able.

I'm not one of those people who is super paranoid about using credit cards over the Internet. Credit cards have the best fraud protection of any payment mechanism. If you are paranoid about that sort of thing, you'll want to stay away from PATs.

2: Privacy issues. So far, these PATs provide only public Internet service. Still, this is a problem if you're, say, a Hotmail user. Any web site you visit with any sensitive information, such as a username and password, may be vulnerable. It may be vulnerable because of someone breaking into the machine and monitoring all activity, or something as stupid as the next guy checking the history table in the browser. Same for telnet, POP, FTP or any protocol. Don't forget about the 100 people standing around in viewing distance of the terminal either. What happens when there are PATs that start advertising themselves as "VPN ready"? Just swipe your card, punch in your password (or your fingerprint) and you're connected to the corporate net.

If it's something you wouldn't want the entire world to see, don't access it from a PAT.

3: Public Attack Terminals. Another meaning for PAT. These public terminals are to crackers what payphones are to (evil) phreaks. An anonymous place to attack from.

How do I know? The company I work at puts on a number of trade shows each year. For the last couple of years, we have provided Internet access via banks of PCs at these shows. I have a class C that I drag around the world for these shows that I use for this. These machines aren't firewalled, lest it break some new Internet media toy. They can be reloaded quickly if hacked.

My name is on the in-addr.arpa whois for this class C. Every time, for the last few shows, I get a call from someone wanting to know why I'm attacking them. Seems that someone at the show is trying out IMAP exploits, doing network scans, etc... By the time the message reaches everyone, the attacker is long gone.

The best I can do is explain to the attacked party what that network is used for. Most people are very understanding, and they simply block that class C.

Conclusion:

As someone who is concerned about security, you need to do what you should always be doing: apply some critical thinking to the use of new technologies.

Nothing that I've pointed out here is really news. Anyone who would bother to read this could figure it out himself or herself. Occasionally though, I find that I need to have something pointed out to me to make it obvious. Sometimes, you need all of the problems brought together in one spot to really see how bad an idea something is.

                                                                                                    BB
 


