Biometrics, the weapon for the ‘New War’
In February 2010, the DNI (Director of National Intelligence) presented the annual ‘National Threat Assessment’ report to Congress. Cyber threats are number one this year, displacing the dominance of terrorism. Creating a war against something of concern is nothing new. We have had other wars, such as wars on drugs and wars on terror, that arguably didn’t require a war effort, but it is the way to build a large momentum against a threat, imagined or real. Cyber crime and the cyber threat to national online infrastructure is the new war. This ‘war’ will yield major amounts of money to secure the Internet and the critical connected infrastructure. It will also likely not truly solve the core problem with all systems: the lack of strong identity.
When the authorities and bureaucrats realize that strong identity is at the core of many problems, we can look forward to the government creating a national strong identity platform initiative. If we are lucky, it will be pretty good; if we are not, it will mean a complex system that no doubt will impinge on our personal privacy and rights. One thing is clear though: biometrics will be at the center of the system. President Obama has created a Cyber Security Czar position to address this problem, a chief technology officer for the Internet, and he has activated programs for research, development and deployment of new technologies to address the problems. Some estimates put spending at 5 billion USD per year to solve this problem.
In this presentation, we will examine the change in awareness, look at the current state of biometrics, and cover a new architectural paper on securing transactions over an insecure Internet, delivered by Dr. Michael Fiske to the DOD and NSA (IMPC 2009 Miami), addressing this topic. On a lighter note, Mark will also cover Dr. Lee Haddad’s paper on the reported Gummy Bear attack against biometric fingerprint security systems.
What’s the new war?
DNI – 2010 Annual Threat Report
– Initial 2.5 pages discuss critical infrastructure protections (Cyber threats)
This is a break from the norm, where the key focus and initial discussion has been on domestic terrorism.
Professor Leo Strauss said:
- America will disintegrate into ruin because of individual self interests
- America needs to have a special place in the world… the protector of the freedom to make right the wrongs – in order to prevent this
- Because of this need: it is ok to exaggerate or create an enemy if one is not actually present
Critical infrastructure – Cyber attack is a real enemy and perhaps ex-CIA operative Osama Bin Laden and his terrorism is not… (source: “The Power of Nightmares”, BBC, Adam Curtis)
Critical infrastructure – SCADA
Acknowledged compromises (many on Google):
- Nuclear power plant safety system –> down for 5 hours
- Pipeline –> Leading to release of materials
- Oil Platform –> disgruntled employee
BP Oil Spill
Accident or Cyber Attack?
- Article alludes to North Korea being behind the attack (circumstantially)
- Deepwater Horizon oil platform was built and financed by South Korea
Lack of integrity and protection in SCADA systems leaves them open to attack. Very little hard evidence is present due to the oil rig being destroyed.
Weak Identity and Compromise
Do most identity systems confirm the actual user –> No
PKI cards only identify the card, there’s no direct log leading back to the user. Gap in the identity chain.
Top 10 requirements to solve these issues (coming from IPMC 2009 talk by Dr. Michael Fiske)
The host computer and network cannot be trusted. The ecosystem must be divided into trusted and untrusted parts. An operation not run in a trusted environment must be handled as a secure transaction. Authentication and authorization from an untrusted device is not secure.
A new notion, a secure module, is required. Given that the host network cannot be trusted, it follows that something new needs to be used.
This new module must focus on:
Authentication must be decentralized while authorization operations must be centralized.
All authentication data must be stored only in the secure module. If the module is tampered with, the contents should be destroyed to protect integrity.
All authentication factors (PIN, Password, Biometrics) have to be entered directly into the module. The only output is a dynamic token in the form of a one-time-passcode.
Module Demonstration –> demo of a working module (at 17:00)
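The module requirements above, modelled as an added example (not code from the talk or from Dr. Fiske's paper). It assumes HOTP (RFC 4226) as a stand-in for the unspecified one-time-passcode scheme and a PIN as the only factor; SecureModule and AuthorizationServer are hypothetical names, and the central verifier is assumed to share only the token seed while the PIN never leaves the module.

```python
import hashlib, hmac, os, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class SecureModule:
    """Hypothetical model: factors are entered here, only an OTP leaves."""
    def __init__(self, seed: bytes, pin: str):
        self._seed = bytearray(seed)
        self._salt = os.urandom(16)
        self._pin = _pin_hash(pin, self._salt)
        self._counter = 0

    def tamper_detected(self) -> None:
        """Destroy all authentication data held in the module."""
        for i in range(len(self._seed)):
            self._seed[i] = 0
        self._seed = self._pin = None

    def authenticate(self, pin: str):
        """Verify the PIN locally; return a one-time passcode or None."""
        if self._seed is None:
            raise RuntimeError("module zeroized after tamper event")
        if not hmac.compare_digest(_pin_hash(pin, self._salt), self._pin):
            return None
        otp = hotp(bytes(self._seed), self._counter)
        self._counter += 1
        return otp

class AuthorizationServer:
    """Central verifier: sees only the OTP, never the PIN or a biometric."""
    def __init__(self, seed: bytes, window: int = 3):
        self._seed, self._counter, self._window = seed, 0, window

    def authorize(self, otp: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._seed, c), otp):
                self._counter = c + 1  # advance past it so replays fail
                return True
        return False
```

The untrusted host only ever relays the passcode string, so capturing it yields a value the server will refuse on a second use.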