Friday, October 27, 2006

The Silex S2: The "Perfect" Fingerprint Reader?

Nobody's perfect and nothing works 100 per cent of the time, right? Tell that to Silex Technology America Inc. because the Salt Lake City-based company believes it has a biometric technology that comes pretty darn close.

Walk into a computer store and you'll find add-on fingerprint readers as well as notebook computers and desktop PC keyboards with tiny fingerprint readers built in. Configure the reader to recognize your fingerprint and no one but you will be able to access your sensitive data, right? Unfortunately, the fingerprint reader that works perfectly in the store might not be so cooperative in bad weather, if it gets smudged or if your fingers are wet, dirty or extra dry, said Gary Bradt, vice president of Silex's biometric division. Imagine that: Data kept so securely that not even you can get at your own data.

Enter the Silex S2, a portable USB fingerprint reader which doesn't rely on actual finger contact but uses a proprietary radio frequency technology to read your fingerprint one skin layer deep. Since the sensing electronics don't need to touch your finger, the weather and your digit-cleansing habits won't affect the S2's ability to recognize your fingerprint and unlock your data, said Bradt. The result is near-perfect reading accuracy, he said.

The S2, which comes in a sealed white plastic housing, is slightly smaller but significantly lighter than the current Silex S1, which uses the same RF technology. The S2 is light enough to be worn on a cord around the neck and can be used with a user identity module (UID), a small electronic card similar to the SIM cards used in GSM cell phones to identify user accounts.

The goal, said Bradt, is to license the RF fingerprint reading technology to other hardware manufacturers. Will the technology take off? Only time will tell. The S2 will be officially announced Oct. 30.

Photo courtesy of Silex Technology America Inc.
© Copyright 2006 Stadium Circle Features

Monday, October 09, 2006

Messaging Security 2006: Vishing: The Next Big Cyber Headache?

Halloween is almost here, but you may not have to wait until the end of the month to get a good fright from the latest cybersecurity headache: Vishing.

What's that I hear? Your phone's ringing? According to the Caller ID readout it looks like your bank is calling. Better put this blog aside and take that call. But don't leave any personal data behind--it could be a case of vishing.

Such was one of the dire warnings from the security experts at last week's Messaging Security 2006 conference at the Mandalay Bay Resort & Casino in Las Vegas.

Like "phishing"--fraudulent e-mail that has the look and feel of legitimate e-mail from banks, etc.--those who practice vishing use broadband phone systems to pry personal information from their victims via fake voice mail, computer-generated phone calls or by other means.

"We're seeing the first examples of it," said Dr. Paul Judge, chief technology officer for Secure Computing Corp., sponsor of the conference. "These are the warning shots."

For example, you could get an automated call from your credit card company alerting you that you are over your credit limit. The call might ask you to log in to the phone system with your credit card number and the card's expiration date. The Caller ID you see on your phone might be accurate for your bank but the call could actually be coming in from overseas.

The potential problems from vishing include eavesdropping, Caller ID spoofing, unauthorized access to your personal voice mail, intentional overloading of your voice mailbox, the harvesting of phone numbers from your broadband phone provider, access to billing information and other maladies, said Judge.

Broadband phone services like Vonage, SunRocket and Skype send phone calls over the Internet or via private digital networks instead of the traditional phone network. Since they often have to link to old phone networks, the connection points required to properly hand off the calls have opened new doors for hackers, said Judge.

"You're bringing together many systems that didn't talk or didn't like to talk to each other over the years," said Judge during an Oct. 6 presentation.

Broadband phone services allow users to acquire phone numbers with area codes from other cities, thus making it easy for a distant hacker to appear like a local business. Many broadband phone services offer members sophisticated voice mail systems which sound very professional. Judge told the audience of network security experts that while they might be wise to many vishing techniques, today's hackers have become "...very ingenious in finding ways around your network defenses."

Judge said that while separating bad phone calls from the good can be done by tracking the source of vishing calls to the computers that spew them out, this can be a difficult task since so many new vishers crop up daily. He noted that while there are many widely used data standards for broadband telephony, some services, like Skype, use proprietary protocols and are thus harder for network security experts to work with to keep vishing calls out of their offices.

Jay Chaudhry, vice chairman and chief strategy officer for Secure Computing, noted that Caller ID data can be easily faked but added that encryption of broadband phone traffic can be done relatively easily, thus offering a layer of protection from eavesdroppers.

One strategy to fight vishing is to develop "reputations" for the Internet protocol (IP) addresses of the computers on the Internet that handle voice traffic, he said.

"An IP address is like a Social Security number," said Chaudhry, founder of CipherTrust Inc., which merged with Secure Computing this past summer. "IP is a little bit more tricky [to deal with] but it can be done."

By pinpointing the physical locations of known safe and bad broadband phone services, he said security experts can create multi-layered software and hardware defenses against vishing.

"You don't depend on one technique," said Chaudhry.

So the next time you grab that phone, don't be so eager to respond to requests for sensitive information. You could end up swimming with the vishes.

(Full disclosure: Secure Computing, the conference sponsor, covered the travel and lodging expenses for myself and other journalists.)

Photo and text © Copyright 2006 Stadium Circle Features