__________________________________________________________________________________

     __ _____
 _   __| ____|
    == | |
 = _ _ | |___
     __|_____|       __
       __\ \  / \   / /
     - == \ \/ /\ \/ /
      __  _\  /  \  /
        ___ \/    \/ 
                                   -=Cyber Wrath Systems=-

                         -[ BIOMETRIC SECURITY SYSTEMS ]-
                                           
                                            by

                                          Ashtar  <ashtar@dragon.hack.tc>

           1999-2000
___________________________________________________________________________________


[This text is written from notes I took over 2 years ago when I was studying 
alittle about biometrics from various resources, its just a brief intro, 
but I think its fairly useful.]


 BIOTMETRIC SECURITY INTRODUCTION
----------------------------------
Biometric security systems are basically systems that identify an individual by using 
a physical, nautral feature, such as a fingerprint, or by the persons voice. 
These systems are meant to replace passwords in many cases, which can be stolen, 
forgotten, guessed or cracked. Although they are somewhat tougher to bypass 
they aren't an end all security soultion and i'll explain in this text, 
how a number of biometric systems work, what problems are presented when 
using such systems, and potenial ways they can be "hacked".

The types of biometric security systems that will be discussed in this text will be:

Finger Print Systems 
Voice Systems 
Handwriting Systems 
Hand Geometry Systems 
Eye/Retina Scanner Systems




 WHERE YOU MIGHT SEE BIOMETRICS
---------------------------------
Generally you won't see biometrics in too many places, not yet anyway....mostly big 
important organizations might have them to access particular parts of buildings. 
Most of these will be on the organizations local network and not so much implemented 
for remote access. I've seen biometrics in the building of a major ISP.  
You can get biometrics for the home, i've seen a fingerprint scanner out there 
in the store. Also now Micro$oft is supposely going to start implementing 
biometrics for Windows in the future.


 FINGER PRINT BIOMETRICS
--------------------------
These basically consist of a device where you would lay your finger on and it 
reads your fingerprint to match with a template. The computer takes sections 
of the persons fingerprint. Certain archs, loops and whorls. The whole fingerprint
is not taken for a template, the computer will take small sections of the
fingerprint in various areas, this leads to the obviously conclusion that someone 
with a close enough match, at least on those certain sections of fingerprint
would be able to gain access. 

Also some problems with the inital enrollment could be if the person placed 
their finger off center or smeared their fingerprint.
You'd probably want to wash your hands good before providing a template
to help avoid smearing.


 VOICE RECOGNITION 
--------------------
The voice biotmetric security system i'm describing in this text is one that is
being developed at AT&T. To enroll into the system a user is instructed to
repeat a certain phrase several times. The computer would take the samples to 
digitalize and store each sample and then from the accquired data, build a voice
signature that would be open to allow some voice varrations of the produced signature. 
This obviously could leave a bit of a hole open.

Some problems that could arise with a voice based security system is, 
changes of the voice with age, sickness and also stress would play factors in voice
changes that could end up locking a person out of what ever they needed to gain access to.
Well, at least you'll get to go home if your sick right?



 HANDWRITING BIOMETRICS 
-------------------------
Handwriting biometrics are obviously a way to identify someone by their handwriting style.
To enroll the user would give 6 samples of the signature or word they would have to write. 
The computer takes the samples and creates a verification template
using 2 out of the 6 samples.

If the dynamics of the signature match the template closely enough the user 
will be granted access. However, some of these systems have pressure sensors 
and acceleration sensors which would prevent someone from taking their 
sweet time to forge the perfect signature...it would have to be casual 
and fast enough to fool the computer, but with practice, it's possible, thus
the old skill of forgery finds its place in the age of computers.


 HAND GEOMETRY SYSTEMS 
------------------------ 
These biometric systems scan the measurements of a users hand by using recording 
light from the fingertips to the webbing of the hand. It measures each finger 
within 1/10,000 of an inch, marking where the beginning and end of the finger is
by the varying intensities of light. The information obtained is stored 
digitally in a system as a template or possibly even coded on a magnetic stripped ID card.


A possible problem would be a user who enrolled with long fingernails. 
If the user were to cut them or grow them more, he/she would probably not be able to 
gain access. The censors would also not detect the true fingertips of someone either. 
A bandaid over the finger, thick nailpolish and other factors could come into play if 
the user enrolls that way to begin with. I'm sure if someone had a swollen hand or 
just gained/lost weight, this would probably have effects on wether or not access 
is granted as well.


  EYE/RETINA SCANNERS
------------------------ 
Each person has a pattern of blood vessels etc, in the back of their eyeballs. 
Retina biometric scanners will enroll the user by recording this pattern of blood 
vessels using an infrared beam, which scans in a circular path around the eyeball. 
Enrollment takes about 30 seconds, and after a user is added to the system, 
authenification takes about a 1 1/2 seconds. There is a one in a million chance 
that 2 people will have a close enough match. 

Retina biometrics are probably one of the more reliable forms of biometric security.

However, if someone is blind (fully or partially), or has cataracts for example, they 
may have trouble enrolling into the system. 




 SOME THOUGHTS ON BIOMETRICS 
-------------------------------

While it may be a bit of a challenge to get past a biometric system, its not impossible. 
Of course....you could take 'hacking' to a whole new level and 'hack' some users 
hand off for access...but thats a bit extreme (well, maybe). 
Cloning someones body part maybe? Making a wax mold of somebody's hand? 
Hell, I don't know.
  
Implementing biometrics on a wide scale will almost certainly strike up alot of 
privacy concerns and activism. Therefore I really don't see it getting overly popular,
but you never know what the future holds. Either way, if your working in some place 
who has biometrics implemented, know that alot of biometric systems do log access 
times and whatnot, and with biometrics there won't be any "Umm...must have been someone 
using my eyeball! That wasn't me in there browsing through the classified documents!" 
So becareful if your doing something shady. Theres probably a way to turn off logging, 
but this would depend on which particular biometric system the place is using. 

If you find yourself in a biometric secured enviorment and want to find out more about 
that particular system, I can't stress how much information company websites will give 
about a product. Fire up that browser and find out all you can about it. General
information is great, but with something like biometrics, you'll probably 
want to get information on your specific product.



_______________________________________________________________________________________


Greets: Moshing, Talk, Guato, Mister_Geen


(C) Ashtar <ashtar@dragon.hack.tc>