Slashdot Mirror
Biometric Thumb Drives?
osopolar asks: "I work as a security analyst for a 10 billion dollar bank and we are currently looking for biometric thumb drives as emergency backup/recovery solutions for our local branches. We do not have IT people at every branch so the backup must be done by a branch manager, so the device needs to be easy to use. How would you backup information securely? What thumb drives do you recommend?"
Think about it.
And build a datacenter and run some atm lines to them for nightly backups.
Of course, you could put all that info on the thumbdrive, maybe give em a laptop too. Who cares about losing the data anyways.
Now some's thumb drive will be missing...or they got lost in their pants in the washing machine?
This just seems to spell trouble. I can only imagine some bank manager "now where did I put that thumb drive...."
That which does not kill me only postpones the inevitable.
upon further consideration of this topic, asking for advice, we need more specs. A quick search for biometric thumdrives didn't reveal anything bigger than 1 gig.
That which does not kill me only postpones the inevitable.
You work for a '10 billions dollar' business that can't afford enough IT staff in its branches and gets hardware recommendations from 'ask slashdot'?
http://milkshake.dexy.org
No offense really intended, but the question is too vague and too open-ended to really be answered well here and it's that lack of specificity that makes me worry a bit about your qualifications for the position you're in. By all means, please, bring in outside help for any situation that you need advice on -- for the sake of your employer and customers, but slashdot is not the best place for high-quality, industrial grade advice that you should hang your hat, job, and other people's money on. That having been said, what exactly are you trying to back up? How frequently does it need to be done? How quickly? How will restores be handled -- who will do them, when and why? What are the demands of the media? Does it need to be simply stored on site or will it be transported? How (mailing? courier?) Would a networked option work for backing up? If not, why not?
That's just a start to the questions that are really unanswered (and need to be) for anyone to answer your question "How would you backup information securely?" It sounds like you think a thumb-drive will be an acceptable answer to you, but it's unclear why you've settled on that...What makes such a system better than a well scripted encryption scheme and commodity media (anything from CD-Rs to removable tape or hard disks?)
Without knowing the specifics, any answer would be incomplete at best, shooting blind at worst...
Yeah, thumb drives, there's an idea.
No, wait, gotta sex it up....
Thumb Drives with Biometrics!
Riiiggghhhttt......
Honey, yer wastin' yours & everyone ele's time with this DOA idea.
Encryption? At the source. Not some lame-ass "biometric" solution grafted onto a thumb drive, if some crazy Pacific Rim factory has pumped out such an inane idea yet . Then who gives a rats ass, your 1 GB, or 2 GB, or whatever, is properly encrypted. But if that's your local branch's disaster recovery strategy well, I'm scared.
For the sake of all of our investments please post your employer, so we can all move our funds to some other 10 billion dollar business that has legitmate disaster recovery strategies.
Hey Cliff, was there REALLY nothing better in the "Ask Slashdot" queue?!
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Fist off asking slashdot is a fantasist idea you might get an off the wall idea as it to follow or just some good general advice. Being vague might just be a problem with and NDA. Paying some one or going only with in your own department you are only going to get what is familiar, which is not the best answer.
Now as for the biometric key drives in personally research they do not provide enough protection to secure such data.
What I would suggest is just a portable USB hard drive. With all the data encrypted using a key generated from the unique serial numbers on the computer and an additional random generated number stored on a key such as this one (http://www.marx.com/en/products.php) or just any public key, each branch could also have one key with the privet key to decrypt the data in case they need to recover it locked in a vault preferably requiring at lest 2 different people to access this key since (if you are in a bank as you say this should not be that hard to arrange) they would never need this key unless they were doing a recovery and you could also key one at a central site incase of an unforeseen events or not, but I suspect if they ever loses theirs you would just replace the entire set (though you would have a much bigger problem on your hands I would think).
Seeing as there small key has 4kb of storage using a large key with AES (probably SHA-512 or again what ever tickles you) would keep your data pretty safe or at lest the government would think so.
The only other thing I would recommend in keeping 2 backups in 2 completely different locations, people do walk off with stuff, or more politely they misplace things.
Hope this helps or gives you some ideas, I am just babbling a little from things I have done. Post if you have a question or want to strike up a conversation.
Injoy
I have to agree with some of the other posters, this biometric thumb drive idea just smells horribly of a poorly thought out plan that is destined to fail catastrophically when your company either makes it into a money sink that never works out properly, or a poor implementation leads to sensitive data being stolen.
There are a number of reasons that it just seems like a strange a bad idea to me, but here are some of the most obvious things that pop into my head:
Firstly, thumb drives seem to be just now getting up into the 2GB range. I'm sure you could find larger ones if you looked, but the largest drive I was able to find with a google search for "thumb drive biometric authentication" was 2GB - and that devices wasn't exactly secure, since the biometric authentication could be overridden by a password. Now, the thing about it is, what sort of data do you have only 2GB of that is so vital as to require it's own backup system? Furthermore, what data do you have that is so vital that it requires it's own special backup system with biometric authentication, and is not vital enough that you aren't already hosting it on some machine with a RAID and nightly backups to tape. Most data that people need to back up now days tends to be stored in a database, which are going to log the hell out of everything, plus have multiple backups- onsite and off site. The idea of some 10 billion dollar banking institution having all of their local branches running their systems on a local access database, and a bank manager backing up the database file to a thumb drive every night would be frightening if it wasn't so absurd.
The second big thing that jumps out at me is the fact that biometrics really aren't all that secure. Many finger/thumb print recognition systems can be defeated with a gummibear; and I've never seen any sort of thumb drive with a built in retinal scanner.
Famous Last Words: "hmm...wikipedia says it's edible"
Why is your bank even keeping data at its branches?
Get your $10,000,000,000 company to establish multiple redundant secure datacenters that the branches connect to using point to point connections along with strong encryption. No Internet connectivity... just centralized data storage in multiple places. I wouldn't even dream of allowing a branch manager access to infrastructure or data storage, six letters popped into my head... OMFG NO!
When a tornado comes along and wipes a branch office off the map - wtf is a thumbdrive going to be useful when the manager's thumb is nowhere to be found?
Your company rolls in a trailer with teller machines and Satellite feeds for data connections to the data center - and your customers' information is still safe in the central location and accessible the next day, even while they're still trying to ID the manager's corpse.
Check this from sandisk: http://www.sandisk.com/Products/Catalog(1066)-SanD isk_Cruzer_Profile_USBFlash_Drive.aspx
They look cool, though never used one, nor do I know if they are good.
1) To answer you question: Trek makes one that doesn't require external drivers. But it's only up to 512k and USB 1.1, and I can't find any indication to see if it actually encrypts the info. (My bet: no)
2) What kind of "security analyst for a 10 billion dollar bank" are you, and can you be put in a room with the rest of us who are answering this question that we might have a chance to kill you, take your salary and put an untrained monkey in your job?
3) Or are you just being clever and trolling for answers to a stupid idea your VP had?
If it's the last one:
Why Biometric? Biometrics are awful security. Terrible terrible terrible. The only advantage they have is, when it actually works, it works and a person doesn't have to think about it. And that's one of it's problems: People should be thinking about security. After that, it's less reliable than passwords (which have a 100% pass/fail reliability) and the whole issue of not being able to change your biometrics. If someone figures out how to fake my thumb, my whole life is fucking over. I can't get new thumbs. (or a new face or whatever). And the other stuff that's been talked about ad nauseam.
Biometric thumb drives are even worse because it anyone who wants what's "protected" on it just has to steal the thing. Given physical access to the device, it's trivial to circumvent the biometrics.
What information at individual branches is important that needs to be backed up? And why the hell isn't it being done already, and off site? Seriously. You're a "10 billion dollar bank" You should have private data lines between your branches and central computers.
And lastly, under what circumstances would you want backups done by unskilled people? I mean C'mon. Are you telling me that you don't know that these guys are the weakest link in your security anyway?
A better security idea would be to automate your backups through your private lines and disable all access to removable media drives in your whole company. Why you'd allow someone to be able to connect a USB drive to a computer that has access to information that needs to be protected makes my nerve endings hurt.
Not too long ago. It was a used one from a small local bank in my rural area, they had upgraded and this guy had it in a shop for some mods to be done for the new owner (I tried to buy it but the new owner thought it was too cool, wanted to keep it for a home mega server or something). It had 12 scsi drives and 4 processors, IIRC PPs, but I might be wrong on that, forget now..anyway, a nifty looking mega tower. I wanted it for..well because it was dang cool, that's why! Figured I'd slap a good vid and sound card in there until the power bill came in, then do something more practical with it..anyway, I didn't get it.
Now, I have no idea what used to be on it (even if they wiped it securely, which I doubt)(hmmm), but I can't *imagine* reproducing even that on a small thumb drive, let alone what new stuff has to do nowadays. So, I don't think that is the exact question, and for that matter, this theoretical secure thumbdrive needs to be inserted into a working computer to be of much use, so there ya go on that. I think it's only to store some login and administrative tools, which are probably done remotely now.
Therefore, is the submitter just asking for getting the whole bank computer system to just turn itself on? Is that the real question? Something to eliminate the remote admin access and to make the local branches independent and still able to function in the event of a near catstrophic emergency? That is my guess,there is a lot of contingency planning going on now around the nation, that this is homeland security worst case scenario bird flu or terrorist attack or economic meltdown or whatever related.
The guys at Realm Systems have a line of small usb servers (a bit wider than an ipod nano) that have a gig or so of flash memory, a PowerPC processor, and fire up a desktop on your machine when you plug them into a USB port. They are running an embedded Linux distribution and use a biometric thumbprint scanner to authenticate their users. Each device can be administered by a management router box in your bank's network.
Check them out! Their web site is www.realmsys.com
When I grow up, I want to have Christopher Walken hair.
Okay, banks deal with money and businesses. Businesses being their main source of profit. How is it that a bank can see it as okay to not have an IT infrastructure that, at the very least, has a steady backup regimine?!?!? The answer is not finding some new gadget that'll let the branch manager wing it. The answer is to either have IT personnel available for such matters or to train existing personnel to do the job correctly. Backup is no insignificant endeavor and shouldn't be treated as such. What bank is this? I a) want their business and b) don't want to give them mine.
PLEASE tell us what bank you work for so that I will know to never use them. Asking SLASHDOT how to create a security policy?
That's like asking a rioting mob how to reach enlightenment.
I use my local credit union.
"I work as a security analyst for a 10 billion dollar bank .... How would you backup information securely?"
*heads to google*
*pulls up information on finance sector*
*attempts to cross-reference all companie market caps between $8B and $12B with list of bank accounts in file cabinet*
*cancels all matches*
*orders credit watch service for credit report*
*shakes head, weeps gently*
*suddenly realizes, not all banks are publically traded*
*mutters obscenities*
*cancels all accounts just to be safe, renounces materialism, heads to mountain cabin in woods*
*later, is eaten by wolves*
I have sitting in front of me a fingerprint USB flash drive from Adata. Cheap. Comes in capacities up to 2GB. Study in a plastic sort of way, it would take abuse. Perhaps most interesting there are no drivers to install, when you plug it in it runs the autorun code which does the fingerprint check and then runs up a tray icon with access to a number of utilities (eg email client) which are stored on the disk. Only takes up 7Mb of the space, the rest of which is available to you. Windows only however. No fingerprint, no access to any of the files.
I've no idea how secure it really is against access, my bet is not very. However it might be possible to change the tray program to contain programmes of interest to you and a Truecrypt partition and driver software could be included for more security.
Do think of all your options. Since I don't know of any thumb drives that'd be useful, here's what I'd recommend:
I suggest you set up a dedicated backup server at each site. It doesn't have to be much of a box -- it may even cost less than the thumbdrive. We used BackupPC to manage the backups -- it's entirely automated, and it can be configured to send out an email if a backup didn't complete successfully. It'll be doing mostly incremental backups. Keep the backups on a separate partition, so you can use something like DRBD over OpenVPN to backup a more central location, which has some sort of IT staff and can handle things like putting the whole thing on a RAID, maybe even swapping out removable hard disks to take home, and of course taking snapshots just in case the filesystem itself decides to die.
Others have talked about keeping everything at multiple datacenters, so that your backup is simply that any one can be hit by a tornado and none of your branch offices even notices. That's a lot more complex than what I've described, and if your DRBD/OpenVPN should lose its connection, local operation will likely still happen -- thus backups will still happen, if only to another local hard drive.
As far as "easy to use", that's not good enough. You want "Automatic". The datacenter is really your best option, with some sort of custom software or a web-based interface. Short of that, the packages I've described will hopefully be reasonably easy to implement, and the restores can happen from a web interface. It's a bit "do-it-yourself", but in a sysad way, not a full-time-programmer way.
Physical security, I leave to you. But if you must, it's certainly easy enough to encrypt the entire hard disk. However, if someone's able to carry off your backup computer, you're probably already hosed, and in any case, they only get information related to the local branch, I hope. Your datacenter/backupcenter would obviously be much more secure, but if the whole thing goes boom, your branch offices still work, and when you bring up a new datacenter, at worst, the branch offices have to reboot the backup server. And even that can be avoided with a few cron jobs.
The thumb drives are doubtless easier to implement -- buy one, plug it in, it works -- but if you get a knowledgeable IT staff to put together a system like the one I've described, it will pretty much run itself, and be mostly free of the whole "human error" problem -- the problem of, say, the guy who forgot to backup the data that day, or the idiotic tech who, rather than backing up, decided to use the thumb drive as primary storage, or the thumb drive that went through the wash, or the building that burnt down with the thumb drive and what it was backing up inside, or that one virus that manages to get into your data, hiding for awhile before it starts destroying things, so you restore from backup, only to find the same virus in every backup.
Oh, and one more thing -- whatever you choose, test it. And by "test it", I mean take all the hardware out of the branch office, bring in brand new hardware, and try to restore from your backup. There's no meaningful test of a backup other than actually attempting to restore it, if for no reason other than to prove to your superiors, customers, and the world in general that your backup is absolutely bulletproof.
Don't thank God, thank a doctor!
Rather than using a thumb drive, I recommend you use a redundant system at the branch, either a full redundant cluster or a segregated backup server if you want to do it on a budget. Then do incremental backups over the internet either between branches or to a central repository. The amount of data generated by even a large bank branch over the course of the day will be relatively small and can be shipped over the net in minutes. (You'll of course want good security for your internet link, with an airgap, bans on anything except backup communications and perhaps http with serious filtering on web access.)
With this arrangement, if there's a local failure in the computers you can be back up and running in minutes rather than having to go out and get a new server to reload your system on; but if something happens that's serious enough to take out both your main system and the backup server, chances are you won't be opening for business immediately anyway, and your data will be well-protected off-site.
NOT A TROLL! Mod parent up insightful.
Women are like electronics: you don't know how damaged they are until you try to turn them on.
A machete or other knife big enough to chop the manager's finger off defeats the security totally, just chop off the thumb.
That is even easier than squeezing a password out of the guy.
I assume you are wanting to backup data such as desktop mydocs from the branches on a daily basis. If so, I strongly recommend using remote backup services. If you are large enough you can purchase a license for your own inhouse remote backup services or if you only have a couple branches, you may want to outsource the services of a 3rd party. The data gets encrypted at the client side before it is transferred over the internet with Blowfish encryption. The host receives and stores only contains encrypted data so it is very secure. We recently purchased a 50 license pack from www.remote-backup.com for offering to offer to our existing local customers as a service. We are only a couple of months into offering this service and recovered lost data for our first customer this week. They are very grateful.
One biometric thumb drive I tested had no actual security. The windows driver would ask it if it was authenticated and if no, would deny access. In Linux, it looked like a standard drive and 100% of the 'secured' data was trivially accessable with no authentication.
Another I evaluated did only slightly better. When in the unauthenticated state, it would report 10 sectors capacity rather than 8000 (OK so far). When authenticated, it reported all 8000. However, I then tried accessing sectors 10-8000 using raw SCSI commands while unauthenticated, and it LET ME DO IT! The 'secured' data was 100% available with no authentication. In fairness, when I noted this, the manufacturer sent me a one off that did it right but I don't know if they ever put those changes into their production model.
Yet another actually denied access to the blocks when unauthenticated, but when the admin recovery procedure was used, it only erased the partition table. So all I had to do was 'recover' admin access then write in a reasonable partition table. All of the old data was available.
I never got around to cracking them open to see if I could bypass the drive emulation and dump the raw flash memory.
There MIGHT be a few drives that actually ARE secure, but too many of them are toys.
The best thing you can do is to bring in a "security analyst" that is a CISA(Certified Information Security Analyst). I know a guy who has this cert and he says that there are a lot of banks out there that don't take security seriously(scary, I know). Given the "cost of failure" in this situation, I wouldn't try some harebrained scheme I saw in the movies. I'd just want it done right so I could sleep at night.
I know you're already a kind of "consultant"(i.e: the person with all the answers) but it may be time to swallow your pride and admit you don't know it all.
- How much data?
- How quickly does it need to be restored?
- What cover time do you need? (You *are* encrypting, yes?)
- What is your policy & procedure when (not if) the thumbdrive fails, the manager resigns or authentication data needs to be updated/revoked?
- What about a two-person rule - Does one person hold the drive and another use his/her fingerprint to access it?
- Do your compliance people know about this? Who has signed this off? Have you checked the statutory/regulatory measures in place and their relevance to this proposal?
- Why are you not using multiple redundant data centres with incremental/differential online backups for remote branches?
Ask your CISO for a copy of your organisation's Information Security policy and make sure you've read it. Twenty times if needed. Then read all the studies on the weaknesses of fingerprint authentication - Google for "gummi bear biometric".
I use a SanDisk Cruzer Profile, which has 512MB, and requires a fingerprint authentication. In addition to providing security against losing the device, it allows me to authenticate to my domain and several websites, etc.. that I have configured. Despite the obvious danger of losing the device, I have found very few drawbacks. The data can be synchronized to avoid data loss should I lose the device (or the authenticated finger), and it is much safer than losing my security badge or an RSA device...
Quick question ... you mentioned using OpenVPN to do the remote-to-central backups. Why not just use rsync? Seems like it would be easier than opening a VPN connection, mounting or otherwise connecting to the server, and then syncronizing the files to be backed up (which you'd need to use other utilities for anyway). With rsync, it's all done for you and the security is still there, since it's done over SSH. Keeping a remote mirror is as easy as one line in crontab (plus setting up the required certificates), and snapshots aren't much harder.
After SSH itself, rsync is one of the most useful little utilities that I couldn't live without. It just works. About the only thing it doesn't do is true bidirectional syncronization, but this isn't as much a limitation for making backups as it is for situations where people are going to be changing things on both ends.
Anyway, I thought the rest of your post was right on, I just thought the SSL VPN thing was the hard way.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Maybe you should try the BioSlimDisk. Sounds like what you would be looking for.
Its does not require any software or drivers thus it really simple to use.
*Mwaha hah hah hah* All your data are belong to us!
If an FBI agent (or anyone else with a proximity card for work, like most people have now) loses a card - even one without multifactor authentication - it can be rendered useless with a phone call. The card doesn't actually store any information, it just grants access to information.
... I dunno guys, what am I missing here?
A thumb drive on the other hand, grants access to the information it stores, and this is a whole different ballgame. Suppose your particular thumb drive has a 1/1000 False Acceptance Rate, well someone just has to try and authenticate that many times (theoretically) to have it eventually let them in. A drunk hacker watching TV can accomplish that.
I think to effectively use a thumb drive and guarantee that loss of the drive does not mean compromise of the data, you need two-factor authentication. One way I can think to do this is by using encryption of the data itself. The user now has to pass a biometric authentication scheme just to get access to the encrypted bits, and enter a hopefully difficult passphrase to decrypt the data and use it. Through this mechanism you could ensure Confidentiality and Integrity; Availability comes with the user not losing the damn thing in the first place, and having the training to use it effectively. You could even get really fancy to where the biometric auth is done by the bank manager, and the encryption is done by the assistant manager (or even remotely by an IT tech) - this way, you can't even get into the thing if you have taken the drive's owner hostage.
That method *seems* secure