Saturday 2 June 2012

Fwd: We have your fingerprint! New Hakin9 Issue is out!

---------- Forwarded message ----------
From: Hakin9 <newsletteren@hakin9.org>
Date: Fri, 01 Jun 2012 22:08:55 +0200
Subject: We have your fingerprint! New Hakin9 Issue is out!
To: tanwarimran <taibamanasa@gmail.com>

New Hakin9 Issue is out! The main topic: Biometrics! Inside:

Biometrics: Secure? Hackable? You Decide...
By Gary S. Miliefsky
The Biometric System used for security is similar to a door lock and a
mechanical key. With the right key, you can unlock and open the door. By
providing your unique ID, known as your "biometric", or, if multi-faceted
(your finger and your retina print), your "biometrics", you are providing
the proper key to open the lock, which is also known as a Biometric Security
System.
As these Biometric Security Systems have evolved, they continue to be based
on seven basic criteria – uniqueness, universality, permanence,
collectability, performance, acceptability and circumvention. If you really
want to get into the history of biometrics, just google "Schuckers biometric
security systems" and you could spend all day reading and learning about it.



Life with Biometrics
By Randy Naramore

Biometric Authentication has been heralded as the future of security
systems, a verification system that not only drastically reduces the risks
of the system's security being compromised but also eliminates the need for
much of the traditional security overhead. In recent years biometric
authentication systems have become more prolific as numerous manufacturers
of biometric sensing devices and middleware providers have entered the
market. Having met with particular success in restricting physical access in
high-security environments, it is curious to note that this success has not
been echoed where network authentication is concerned. It is with this in
mind that we look at the pros and cons of biometric authentication for
networks and investigate whether this slowness of uptake is an indication of
things to come or whether biometric authentication is the next big thing,
worthy of all the claims of its biggest proponents.




Biometric Authentication In It Security: An Introduction
By AYO Tayo-Balogun

This is the process through which the raw biometric data is captured. This
is the first contact of the user with the biometric system. The user's
biometric sample is obtained using an input device. The quality of the first
biometric sample is crucial for further authentications of this user. It may
happen that even multiple acquisitions do not generate biometric samples
with sufficient quality. Such a user cannot be registered with the system.
There are also mute people, people without fingers or with injured eyes.
Both these categories create a 'fail to enrol' (FTE) group of users. Users
very often do not have any previous experience with the kind of biometric
system they are being registered with, so the first measurement should be
guided by a professional who explains the use of the biometric reader.
Depending on the technology being implemented, the data captured could be a
facial image, a fingerprint, voice data, etc.


The Day That Fingerprints Has Rule Out From Being An Evidence
By Amitay Dan

One of the main targets at the crime scene, the leader of the biggest drug
cartel, is being arrested for killing two people; he made a mistake and
didn't hide the gun well. Two years before, the crime cartel got an idea
from hackers who helped them. The idea was simple: instead of hiding their
fingerprints with gloves, they could steal 100,000 people's fingerprints from
workers' clock-in/out systems and then add this stolen database to the
cartel's fingerprint database. The next act was to share the database on the
Internet so that anyone would be able to fake their fingerprints with it. The
idea spread to many other cartels and criminals, and together with them
privacy freedom fighters started to share their own biometric info, including
fingerprints. Back to the court: the judge got a new breakthrough claim from
the suspect's lawyer, "the fingerprint has been in a public database for two
years, and anyone can use it", and the judge, for the first time in history,
disclaimed the fingerprint as proof of the crime, since public data can't be
evidence of one person.



A thin database access abstraction layer for ADO.NET on .NET / Mono
By Moreno Airoldi
Later, Microsoft released a successor to ODBC: OLE DB. This new technology
was object oriented, based on COM – the Component Object Model – and aimed to
improve on its predecessor in terms of performance, providing a way to write
drivers which were less abstracted and closer to the database server's APIs,
and more open to non-relational database systems. Although it was widely
used, mainly because Microsoft made it the standard way to access their
database system SQL Server, it never became as popular as ODBC. One of the
main factors that prevented OLE DB from being adopted was the fact that it is
available on Windows only. Being based on COM, a Windows-only technology, it
would be hard, if not impossible, to port it to other operating systems. The
doom of OLE DB was spelled at the end of the 90s, when Microsoft decided to
switch its focus away from COM, a technology which, although highly
successful, was very complex to maintain and to develop for, and not ideal
to fight the emerging Java platform on its own ground. With its new
technology for software development, the .NET Framework, specifically
designed to compete with Java, from which it took almost all of its
features, Microsoft presented yet another database access technology:
ADO.NET.



Security issue in SMS Banking
By Amar
You might now wonder what insecurities could really be there in such a
seemingly foolproof design. Very true: cross-site scripting, SQL injection
and buffer overflow attacks may not be possible from a cell phone, but there
are vulnerable points in the architecture which can be attacked: they are
the mobile banking application and the bulk service provider's server. If an
attacker reconstructs any one of the two HTTPS requests (sent from the bulk
service provider to the mobile banking application or vice-versa), he will
be able to flood the valid user with SMS messages. This may lead to the user
believing that someone else is requesting the account details on his behalf.
Worse, if the application displays the information contained in the second
request message (from the mobile banking application to the bulk service
provider) after the attacker has successfully created the first request
message (from the bulk service provider to the mobile banking application)
on the browser itself, he will get to see critical information like the
account balance details of a valid user.
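A defender-side control for the request-reconstruction problem described above, written as an added example for this page rather than taken from the article: the message format, the shared key and the field names are all constructed assumptions, since the article does not describe the real protocol. Each request between the bulk service provider and the banking application is bound to a timestamp and a single-use nonce and authenticated with an HMAC, so a request reconstructed without the key fails verification and a captured one cannot be replayed to flood the user.

```python
import hashlib
import hmac
import json
import time

# Placeholder key (constructed); in practice it is provisioned out of band
# and rotated, and is never embedded in the client or the web pages.
SHARED_KEY = b"example-shared-key-replace-me"
MAX_SKEW_SECONDS = 60  # how long a signed request remains acceptable


def _canonical(body: dict, ts: int, nonce: str) -> bytes:
    """Deterministic serialisation so both sides MAC the same bytes."""
    return json.dumps({"body": body, "ts": ts, "nonce": nonce}, sort_keys=True).encode()


def sign_request(body: dict, key: bytes, nonce: str, ts: int) -> dict:
    """Sender side: attach timestamp, nonce and HMAC-SHA256 to the request."""
    mac = hmac.new(key, _canonical(body, ts, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": ts, "nonce": nonce, "mac": mac}


class RequestVerifier:
    """Receiver side: rejects forged, stale and replayed requests."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now            # injectable clock so the check is testable
        self.seen_nonces = set()  # replay cache; bounded by MAX_SKEW in practice

    def accept(self, req: dict) -> bool:
        try:
            expected = hmac.new(self.key, _canonical(req["body"], req["ts"], req["nonce"]),
                                hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return False                      # malformed envelope
        if not hmac.compare_digest(expected, str(req.get("mac", ""))):
            return False                      # reconstructed without the key
        if abs(self.now() - req["ts"]) > MAX_SKEW_SECONDS:
            return False                      # stale capture
        if req["nonce"] in self.seen_nonces:
            return False                      # replay of a captured request
        self.seen_nonces.add(req["nonce"])
        return True
```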



Directory Traversal Vulnerability
By Bojan Alikavazović

Directory traversal attacks are usually very easy to perform, especially
when it comes to services like FTP and TFTP. They become more complex with
web applications. In short, the idea is to traverse to any file in the
system and be able to read or download files with useful information
(hashes/passwords etc.). This article describes the directory traversal
vulnerabilities in a variety of services such as FTP, TFTP, HTTP and web
apps. During the tests a very interesting program, DotDotPwn, has been used to
perform various types of attacks.
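The defender-side counterpart to the traversal described above, as an added example that is not from the article or from DotDotPwn: a path resolver for a file-serving service (FTP, TFTP or HTTP alike) that resolves the client-supplied path and refuses anything that lands outside the served root, covering percent-encoded and backslash variants rather than filtering the literal string `../`. The root directory used is a constructed example.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a client-supplied path would escape the served root."""


def resolve_safely(root: str, client_path: str) -> str:
    """Map a client-supplied path to an absolute path inside `root`, or raise."""
    # Decode percent-encoding exactly once, so "%2e%2e%2f" is judged as "../".
    # Decoding twice would re-create the ambiguity the check is meant to remove.
    decoded = unquote(client_path)
    # Some servers accept backslashes as separators; treat them uniformly.
    decoded = decoded.replace("\\", "/")
    root_real = os.path.realpath(root)
    # Join as a relative path, then resolve ".." components and symlinks.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # The decisive check: the resolved path must still be under the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"path escapes served root: {client_path!r}")
    return candidate


def is_traversal_attempt(root: str, client_path: str) -> bool:
    """True when the request should be logged and refused."""
    try:
        resolve_safely(root, client_path)
        return False
    except TraversalError:
        return True


# Constructed served root for the demonstration (a TFTP firmware directory).
DEMO_ROOT = os.path.join(os.path.sep, "srv", "tftp")
```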



Using REMnux to analyze PE files
By Glenn P. Edwards Jr.
The first step is to identify what the file you are analyzing actually is,
so we know which analysis tools to use. Since simply going off the file
extension can be misleading, we can try to identify the file type a few
different ways: file, TrID [3], hachoir-metadata, a hex editor (xxd) and 7zip
(7z).
Most of you may be familiar with the file command since it has been around
for a while, so for the sake of brevity – just remember it uses 'magic
numbers' to identify file types.
TrID identifies files based on their binary signatures, has no fixed rules
and can be continuously updated/trained on new file types. If you run TrID
against a single file it will display which type of file it matches and the
percent of that match, as shown in Figure 1.
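What "magic numbers" means for the PE files the article analyses, as an added example that is not part of the article or of REMnux: the identifier below ignores the extension and walks the signatures instead (the `MZ` DOS header, the `e_lfanew` pointer at offset 0x3C, the `PE\0\0` signature, then the Machine and optional-header Magic fields), with bounds checks so a truncated or crafted header cannot crash the tool. The sample buffers are constructed header-only byte strings, not real executables.

```python
import struct

# IMAGE_FILE_MACHINE_* and IMAGE_NT_OPTIONAL_HDR*_MAGIC values from the PE spec.
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def identify_pe(data: bytes) -> str:
    """Classify a buffer by its signatures, the way `file` does, never by extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a DOS/PE file (no MZ signature)"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need signature (4) + IMAGE_FILE_HEADER (20) + optional-header Magic (2).
    if e_lfanew + 26 > len(data):
        return "MZ executable (PE header missing or truncated)"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ executable (DOS, not PE)"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    fmt = OPT_MAGIC.get(opt_magic, f"unknown optional header 0x{opt_magic:x}")
    arch = MACHINES.get(machine, f"machine 0x{machine:04x}")
    return f"{fmt} executable for {arch}"


def build_fake_pe(machine: int, opt_magic: int, e_lfanew: int = 0x40) -> bytes:
    """Constructed sample: the minimal header layout the checks above inspect."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                                # IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)     # offset of the PE header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<H", opt_magic)          # Magic field of the optional header
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr
```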



Why HR Matters – How Organisations Create Their Own Insider Threat
By Drake
So, nearing the end of his probationary period, he decided it was time to
move on, and part company with his current employers. Just as he was
contemplating his options, he received a letter from the company's HR
function, happily telling him that his notice period was now extended to one
month. This was news to him, as his contract said three months. In any case,
he shrugged his shoulders, found another job, and in due course came to
resign. What happened next was really quite upsetting for him – in the HR
function there was another person with a similar name to him, who happened
to be involved with sorting out his affairs (he had by this stage produced
the previously mentioned letter, to "help things along"). Soon, he found
himself being accidentally copied in on the e-mail trail, where some quite
unsatisfactory things were being said about him. The dénouement of the
story was that he threatened his (now ex) employer with legal action.





Still do not have a subscription? Don't wait any longer!
Subscribe now and get Hakin9 Bible for FREE!

Please spread the word about Hakin9.
The Hakin9 team wishes you good reading!
en@hakin9.org