Biometric Thumb Drives?
osopolar asks: "I work as a security analyst for a 10 billion dollar bank and we are currently looking for biometric thumb drives as emergency backup/recovery solutions for our local branches. We do not have IT people at every branch so the backup must be done by a branch manager, so the device needs to be easy to use. How would you backup information securely? What thumb drives do you recommend?"
Awesome for hitchhiking! (Score:1, Funny)
Re:Awesome for hitchhiking! (Score:3, Funny)
Re:Awesome for hitchhiking! (Score:1)
Re:Awesome for hitchhiking! (Score:1)
Re:Use part of the 10 billion (Score:2)
And add WAFS appliances to the remote sites requiring a backup service. This gets you the ability to back up local data to your data center, and with the right software can ensure that you get single instance storage of any file stored within the backup system, and only send changes across the wire. This can also provide the ability to restore from bare metal if required.
Restore jobs can be performed remotely by someone from IT, or
Re:Use part of the 10 billion (Score:2)
Seems like building a datacenter is sort of putting all their eggs in one basket.
They're banks. Assumedly, they have vaults. I'm going to assume also that they have internet connections--if not, then they should. Rather than centralizing the backups, have each bank back up to a server located at another bank branch every night, then make physical-media snapshots and put them in the vault. Best would be to have each bank's partner be o
missing laptop (Score:2)
This just seems to spell trouble. I can only imagine some bank manager "now where did I put that thumb drive...."
Re:missing laptop (Score:3, Interesting)
It applies for a lot of other small devices in other jobs. If you're an FBI agent and you lost your security access card, if you're some guard and you lost your keys, etc etc, it's just the same as if you're a bank manager who lost his thumb drive.
You're just not supposed to lose that kind of stuff, period.
Re:missing laptop (Score:4, Insightful)
Re:missing laptop (Score:2)
Yes, except... (two-factor thumb drives?) (Score:1)
A thumb drive on the other hand, grants access to the information it stores, and this is a whole different ballgame. Suppose your particular thumb drive has a 1/1000 False Acceptance Rate, well someone just has to try and auth
Re:missing laptop (Score:5, Funny)
Although, if you had a USB port in your thumb, it would make it hard to type, so better make it a toe drive. Make sure your toe drive is bootable! I'm sure the creative minds here at slashdot can think of other more pedestrian uses for a toe drive.
Re:missing laptop (Score:2)
Not to mention, we don't know where the branch managers stand on all this. Whoops, I guess I did m
what are you backing up (Score:2)
Re:what are you backing up (Score:1)
Re:what are you backing up (Score:2)
er... (Score:5, Insightful)
Re:er... (Score:3, Funny)
Re:er... (Score:2)
Places like this are why the phrase "Nobody ever got fired for buying IBM" exists.
While asking
Re:er... (Score:2)
JACK: If X is less than the cost of a recall, we don't do one.
BUSINESS WOMAN: Are there a lot of these kinds of accidents?
JACK: Oh, you wouldn't believe.
BUSINESS WOMAN:
JACK: A major one.
Re:er... (Score:2)
I imagine he's asking 'has anyone else evaluated these things, and which ones did you find were the best?'.
Alternatively, he's going to go suck up to his boss later with his "personal research on his own time".
Re:er... (Score:1)
McDonald's
Jack in the Box
Auntie Anne's
any other retail coffee / soda / taco / burger shop / multimall kiosk operation
some cash-yer-paycheck express storefront
An operation / franchise having 10,000 branches, each with 20-30 employees, 90% of whom are fry chefs and janitors may not be one that maintains an IT staff at every outlet.
With your title (Score:5, Interesting)
No offense really intended, but the question is too vague and too open-ended to really be answered well here and it's that lack of specificity that makes me worry a bit about your qualifications for the position you're in. By all means, please, bring in outside help for any situation that you need advice on -- for the sake of your employer and customers, but slashdot is not the best place for high-quality, industrial grade advice that you should hang your hat, job, and other people's money on. That having been said, what exactly are you trying to back up? How frequently does it need to be done? How quickly? How will restores be handled -- who will do them, when and why? What are the demands of the media? Does it need to be simply stored on site or will it be transported? How (mailing? courier?) Would a networked option work for backing up? If not, why not?
That's just a start to the questions that are really unanswered (and need to be) for anyone to answer your question "How would you backup information securely?" It sounds like you think a thumb-drive will be an acceptable answer to you, but it's unclear why you've settled on that...What makes such a system better than a well scripted encryption scheme and commodity media (anything from CD-Rs to removable tape or hard disks?)
Without knowing the specifics, any answer would be incomplete at best, shooting blind at worst...
Re:With your title (Score:5, Funny)
Pshaw! Ignore him. I'll get you a good deal on the thumb drives. They're 1GB ones, but they're bulk discounted because the label on the front (and Windows) misreports the size as 16MB. (Since G and 6 are so similar, the isolinear pro-recognization dll don't properly link). To get the biometric security working, you just need to download additional drivers. I can't remember the website off hand, but it ends with .fl It adds on an additional level of security by co-hashing the thumbprint recognition with a non-alpha numerator string of indetermined length. For the best security, you should use a long number, and one that isn't known outside of the upper echelons of your company. Your expense account credit card number should do.
Oh, and if your IT guys start spouting off nonsense about "remote access of datadrive contents", you can tell them what's really going on. The thumb drives (courtesy of the additional drivers) use sporadic cross-referenced data layer technology. Whenever the drive is connected to an internet-capable machine, it automatically hides parts of its data throughout the Internet for safe keeping. After all, if the thumbdrive gets lost, you don't want all the data to be gone, too? It's an additional security feature. (And your IT guys SHOULD know that, shouldn't they? I mean, they are supposed to be knowledged professionals. Unless they lied on their resumes. Better check that out...)
Re:With your title (Score:1)
You are evil, I like that; also, are you looking for an apprentice? I can make some damn good coffee!
Re:With your title (Score:1)
Re:With your title (Score:2)
Re:With your title (Score:1)
Thumb down the thumb drive (Score:5, Insightful)
Yeah, thumb drives, there's an idea.
No, wait, gotta sex it up....
Thumb Drives with Biometrics!
Riiiggghhhttt......
Honey, yer wastin' yours & everyone else's time with this DOA idea.
Encryption? At the source. Not some lame-ass "biometric" solution grafted onto a thumb drive, if some crazy Pacific Rim factory has pumped out such an inane idea yet. Then who gives a rat's ass, your 1 GB, or 2 GB, or whatever, is properly encrypted. But if that's your local branch's disaster recovery strategy well, I'm scared.
For the sake of all of our investments please post your employer, so we can all move our funds to some other 10 billion dollar business that has legitimate disaster recovery strategies.
Hey Cliff, was there REALLY nothing better in the "Ask Slashdot" queue?!
Seek a CISA (Score:1)
I know you're already a kind of "consultant"(i.e: the person with all the answers) but it may
Re:Omigod, the stupidity+inanity. (Score:1)
Other Suggestion (Score:5, Insightful)
Now as for the biometric key drives, in my personal research they do not provide enough protection to secure such data.
What I would suggest is just a portable USB hard drive, with all the data encrypted using a key generated from the unique serial numbers on the computer and an additional randomly generated number stored on a key such as this one (http://www.marx.com/en/products.php) or just any public key. Each branch could also have one key with the private key to decrypt the data in case they need to recover it, locked in a vault, preferably requiring at least 2 different people to access this key, since (if you are in a bank as you say, this should not be that hard to arrange) they would never need this key unless they were doing a recovery. You could also keep one at a central site in case of unforeseen events, or not, but I suspect if they ever lose theirs you would just replace the entire set (though you would have a much bigger problem on your hands, I would think).
Seeing as their small key has 4kb of storage, using a large key with AES (probably SHA-512 or again whatever tickles you) would keep your data pretty safe, or at least the government would think so.
The only other thing I would recommend is keeping 2 backups in 2 completely different locations; people do walk off with stuff, or more politely, they misplace things.
Hope this helps or gives you some ideas, I am just babbling a little from things I have done. Post if you have a question or want to strike up a conversation.
Enjoy
Bad Idea (Score:5, Insightful)
There are a number of reasons that it just seems like a strange and bad idea to me, but here are some of the most obvious things that pop into my head:
Firstly, thumb drives seem to be just now getting up into the 2GB range. I'm sure you could find larger ones if you looked, but the largest drive I was able to find with a google search for "thumb drive biometric authentication" was 2GB - and that device wasn't exactly secure, since the biometric authentication could be overridden by a password. Now, the thing about it is, what sort of data do you have only 2GB of that is so vital as to require its own backup system? Furthermore, what data do you have that is so vital that it requires its own special backup system with biometric authentication, and is not vital enough that you aren't already hosting it on some machine with a RAID and nightly backups to tape. Most data that people need to back up nowadays tends to be stored in a database, which are going to log the hell out of everything, plus have multiple backups- onsite and off site. The idea of some 10 billion dollar banking institution having all of their local branches running their systems on a local access database, and a bank manager backing up the database file to a thumb drive every night would be frightening if it wasn't so absurd.
The second big thing that jumps out at me is the fact that biometrics really aren't all that secure. Many finger/thumb print recognition systems can be defeated with a gummibear; and I've never seen any sort of thumb drive with a built in retinal scanner.
Data kept at branches? (Score:5, Insightful)
Get your $10,000,000,000 company to establish multiple redundant secure datacenters that the branches connect to using point to point connections along with strong encryption. No Internet connectivity... just centralized data storage in multiple places. I wouldn't even dream of allowing a branch manager access to infrastructure or data storage, six letters popped into my head... OMFG NO!
When a tornado comes along and wipes a branch office off the map - wtf is a thumbdrive going to be useful when the manager's thumb is nowhere to be found?
Your company rolls in a trailer with teller machines and Satellite feeds for data connections to the data center - and your customers' information is still safe in the central location and accessible the next day, even while they're still trying to ID the manager's corpse.
Re:Data kept at branches? (Score:1)
My thinking here would be to enforce a policy of "save files on the server", that way the desktops are disposable and irrelevant. But
Re:Data kept at branches? (Score:2)
Restores are easily done when the files and backups reside in the same central location - poof it's back. Obviously offsite and redundant locations are a must.
Laptop users also shouldn't be carrying any customer information without some heavy duty protection and on-the-fly encryption. Mobile users are only safe if they're trained in how
There ya go! (Score:1)
Where to start... (Score:5, Informative)
1) To answer your question: Trek (thumbdrive.com) makes one that doesn't require external drivers. But it's only up to 512k and USB 1.1, and I can't find any indication to see if it actually encrypts the info. (My bet: no)
2) What kind of "security analyst for a 10 billion dollar bank" are you, and can you be put in a room with the rest of us who are answering this question that we might have a chance to kill you, take your salary and put an untrained monkey in your job?
3) Or are you just being clever and trolling for answers to a stupid idea your VP had?
If it's the last one:
Why Biometric? Biometrics are awful security. Terrible terrible terrible. The only advantage they have is, when it actually works, it works and a person doesn't have to think about it. And that's one of its problems: People should be thinking about security. After that, it's less reliable than passwords (which have a 100% pass/fail reliability) and the whole issue of not being able to change your biometrics. If someone figures out how to fake my thumb, my whole life is fucking over. I can't get new thumbs. (or a new face or whatever). And the other stuff that's been talked about ad nauseam.
Biometric thumb drives are even worse because anyone who wants what's "protected" on it just has to steal the thing. Given physical access to the device, it's trivial to circumvent the biometrics.
What information at individual branches is important that needs to be backed up? And why the hell isn't it being done already, and off site? Seriously. You're a "10 billion dollar bank". You should have private data lines between your branches and central computers.
And lastly, under what circumstances would you want backups done by unskilled people? I mean C'mon. Are you telling me that you don't know that these guys are the weakest link in your security anyway?
A better security idea would be to automate your backups through your private lines and disable all access to removable media drives in your whole company. Why you'd allow someone to be able to connect a USB drive to a computer that has access to information that needs to be protected makes my nerve endings hurt.
Re:Where to start... (Score:2)
I can't tell you how many times I've heard lately about biometrics and how they're going to be the "next big thing," and how they're "so secure." A few times, I've even heard the dreaded P-word come up. The one you never hear from anyone who knows what they're talking about in regards to system security: "perfect."
People think because they use their thumb-print to access their computer, that somehow it's impossible for anyone without their thumb to
Re:Where to start... (Score:2)
It doesn't occur because a lot of people simply don't understand that computers boil everything down to a bunch of numbers.
I had the most terrible trouble explaining this exact scenario to someone when I was on placement - that it was all a bunch of numbers. The person I was explaining it to was absolutely convinced that I was wrong, and that what was sent down the wire was "a picture", not a bunch of numbers. Th
I just looked at a bank server (Score:2, Insightful)
Check out Realm Systems iD3 devices (Score:2, Interesting)
Check them out! Their web site is www.realmsys.com
Re:Check out Realm Systems iD3 devices (Score:1)
Re:Check out Realm Systems iD3 devices (Score:2)
Very confused by your post...
HOW does a bank operate with this mindset?!?!?! (Score:4, Informative)
please tell us (Score:2)
That's like asking a rioting mob how to reach enlightenment.
I use my local credit union.
Re:please tell us (Score:2)
http://slashdot.org/~osopolar
He appears to be based in Peru, so presumably it's Peruvian branches that he's talking about. Even then, from the way he writes, I think this is a case of a somewhat youthful slashdotter getting delusions of grandeur.
Re:please tell us (Score:2)
Another comparison, Westpac bank, one of Australia's "Big 4" (bear in mind, 20 million people versus 260 million in the US) regularly posts $2B in annual profits, and has assets of $260B.
Oh God..... (Score:4, Funny)
"I work as a security analyst for a 10 billion dollar bank .... How would you backup information securely?"
*heads to google*
*pulls up information on finance sector*
*attempts to cross-reference all company market caps between $8B and $12B with list of bank accounts in file cabinet*
*cancels all matches*
*orders credit watch service for credit report*
*shakes head, weeps gently*
*suddenly realizes, not all banks are publicly traded*
*mutters obscenities*
*cancels all accounts just to be safe, renounces materialism, heads to mountain cabin in woods*
*later, is eaten by wolves*
Adata Fingerprint Disk (Score:3, Informative)
I have sitting in front of me a fingerprint USB flash drive from Adata. Cheap. Comes in capacities up to 2GB. Sturdy in a plastic sort of way, it would take abuse. Perhaps most interesting there are no drivers to install, when you plug it in it runs the autorun code which does the fingerprint check and then runs up a tray icon with access to a number of utilities (eg email client) which are stored on the disk. Only takes up 7Mb of the space, the rest of which is available to you. Windows only however. No fingerprint, no access to any of the files.
I've no idea how secure it really is against access, my bet is not very. However it might be possible to change the tray program to contain programmes of interest to you and a Truecrypt partition and driver software could be included for more security.
Depends... (Score:2)
I suggest you set up a dedicated backup server at each site. It doesn't have to be much of a box -- it may even cost less than the thumbdrive. We used BackupPC (sourceforge.net) to manage the backups -- it's entirely automated, and it can be configured to send out an email if a backup didn't complete successfully. It'll be doing mostly incremental backups. Keep the backups on a separate partition, so you can
Why not use rsync (Score:2)
different solution (Score:2)
A machete (Score:2)
That is even easier than squeezing a password out of the guy.
Remote backup (Score:1)
Evaluate VERY carefully (Score:4, Informative)
One biometric thumb drive I tested had no actual security. The Windows driver would ask it if it was authenticated and if no, would deny access. In Linux, it looked like a standard drive and 100% of the 'secured' data was trivially accessible with no authentication.
Another I evaluated did only slightly better. When in the unauthenticated state, it would report 10 sectors capacity rather than 8000 (OK so far). When authenticated, it reported all 8000. However, I then tried accessing sectors 10-8000 using raw SCSI commands while unauthenticated, and it LET ME DO IT! The 'secured' data was 100% available with no authentication. In fairness, when I noted this, the manufacturer sent me a one off that did it right but I don't know if they ever put those changes into their production model.
Yet another actually denied access to the blocks when unauthenticated, but when the admin recovery procedure was used, it only erased the partition table. So all I had to do was 'recover' admin access then write in a reasonable partition table. All of the old data was available.
I never got around to cracking them open to see if I could bypass the drive emulation and dump the raw flash memory.
There MIGHT be a few drives that actually ARE secure, but too many of them are toys.
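A wipe check for the admin-recovery failure described in the post above, as an added example that is not part of the original comment or any vendor's tooling: it plants sector-unique canaries on a test drive and, after the reset, counts how many survive. The two `simulate_*` functions are constructed stand-ins for device behaviour so the script runs offline; on real evaluation hardware `dev` would be the test drive (or an image of it) opened in binary mode.

```python
import hashlib
import io

SECTOR = 512  # assumed logical sector size


def canary(sector_no: int, secret: bytes) -> bytes:
    """Deterministic 512-byte pattern unique to (secret, sector number)."""
    out, counter = b"", 0
    while len(out) < SECTOR:
        seed = secret + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        counter += 1
    return out[:SECTOR]


def plant(dev, secret: bytes, n_sectors: int) -> None:
    """Before the reset: overwrite every sector with its canary."""
    dev.seek(0)
    for n in range(n_sectors):
        dev.write(canary(n, secret))


def check_reset(dev, secret: bytes, n_sectors: int) -> dict:
    """After the reset: report which canaries are still readable."""
    survivors = []
    dev.seek(0)
    for n in range(n_sectors):
        block = dev.read(SECTOR)
        if len(block) < SECTOR:  # device now exposes fewer sectors
            break
        if block == canary(n, secret):
            survivors.append(n)
    return {"surviving": len(survivors), "first": survivors[:5],
            "wiped": not survivors}


def simulate_table_only_reset(dev) -> None:
    """Constructed stand-in: reset that clears only sector 0."""
    dev.seek(0)
    dev.write(bytes(SECTOR))


def simulate_full_wipe(dev, n_sectors: int) -> None:
    """Constructed stand-in: reset that zeroes every sector."""
    dev.seek(0)
    dev.write(bytes(SECTOR * n_sectors))


def demo(n_sectors: int = 64) -> tuple:
    secret = b"constructed-test-secret"  # sample value, not a real key
    weak, good = io.BytesIO(), io.BytesIO()
    for dev in (weak, good):
        plant(dev, secret, n_sectors)
    simulate_table_only_reset(weak)
    simulate_full_wipe(good, n_sectors)
    return (check_reset(weak, secret, n_sectors),
            check_reset(good, secret, n_sectors))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A drive that passes should report `wiped: True`; any surviving canary means the reset left old data recoverable.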
Re:Evaluate VERY carefully (Score:1)
These "thumbprint" flash drives are for keeping snoopers from seeing what's on your thumb drive while being quicker and easier than a password system (nothing to remember). But mostly they're just a gimmick. Good for hiding pr0n from your mum, not much more..
Biometric Thumb Drive (Score:1)
Try BioSlimDisk (Score:1)
It does not require any software or drivers, thus it's really simple to use.