Security Ideas for new App I'm Building?

Posted by tekiegreg on July 30, 2007, 4:39 pm
Hi there, I'm currently a developer hired out to a multi-unit
franchisee in the Fast Food industry. Currently I'm building an
application that will be deployed to all our stores. Each store will
be running an application that will be connecting to a central server
here at the home office. Logins of some sort will be needed for each
store manager, but how to login has been a problem. The main issue
has been that the store managers have had a nasty tendency in the past
to share usernames/passwords with people in the store that they
shouldn't, compromising security. So a standard user/pass won't do
necessarily. Our thoughts have already run as follows:

1) What about fingerprints? We've tried that, but had problems with
them in the past with greasy smudges on people's fingers proving
difficult for the scanners to authenticate properly.


2) Voice recognition? Nope, too much background noise in these stores
(and seeing as it's fairly constant and loud, often anyone gets in!)


3) Video recognition? Is it good enough yet? Reasonably priced as
well?


So in a nutshell, what would you be thinking about? I'll probably use
Client Certificates to authenticate the computer, but granted only
store managers are allowed in, we need to restrict to themselves
only. Hoping for some ideas here, thanks!


Posted by Todd H. on July 30, 2007, 6:26 pm


> Hi there, I'm currently a developer hired out to a multi-unit
> franchisee in the Fast Food industry. Currently I'm building an
> application that will be deployed to all our stores. Each store will
> be running an application that will be connecting to a central server
> here at the home office. Logins of some sort will be needed for each
> store manager, but how to login has been a problem. The main issue
> has been that the store managers have had a nasty tendency in the past
> to share usernames/passwords with people in the store that they
> shouldn't, compromising security. So a standard user/pass won't do
> necessarily. Our thoughts have already run as follows:
>
> 1) What about fingerprints? We've tried that, but had problems with
> them in the past with greasy smudges on people's fingers proving
> difficult for the scanners to authenticate properly.
>
>
> 2) Voice recognition? Nope, too much background noise in these stores
> (and seeing as it's fairly constant and loud, often anyone gets in!)
>
>
> 3) Video recognition? Is it good enough yet? Reasonably priced as
> well?
>
>
> So in a nutshell, what would you be thinking about?

Three words: Terms of employment.

You're attempting to throw a technology solution at a problem that is
better handled with an administrative control.

In short, train the managers that if they disclose their username/pass
to anyone, it's extremely serious, and they can be fired. Have them
recertify to this policy on a regular basis.

If they still don't comply, best to find out in the trenches why it's
so inconvenient for them to comply.

This may not work for your situation, but it's one avenue that
deserves some contemplation. 2 factor auth is somewhat expensive and
has downfalls as you cite.

--
Todd H.
http://www.toddh.net/

Posted by tekiegreg on July 30, 2007, 6:29 pm
I agree with you on the fact that it's a human issue more than a
technology issue. I was just hoping to augment the policy some with
good application design, as negligence is a factor in this as well
(writing passwords down, leaving applications open and unlocked,
etc.), but indeed it may have to be a human control involved, with
auditing to back this up...


On Jul 30, 3:26 pm, comph...@toddh.net (Todd H.) wrote:
> > Hi there, I'm currently a developer hired out to a multi-unit
> > franchisee in the Fast Food industry. Currently I'm building an
> > application that will be deployed to all our stores. Each store will
> > be running an application that will be connecting to a central server
> > here at the home office. Logins of some sort will be needed for each
> > store manager, but how to login has been a problem. The main issue
> > has been that the store managers have had a nasty tendency in the past
> > to share usernames/passwords with people in the store that they
> > shouldn't, compromising security. So a standard user/pass won't do
> > necessarily. Our thoughts have already run as follows:
>
> > 1) What about fingerprints? We've tried that, but had problems with
> > them in the past with greasy smudges on people's fingers proving
> > difficult for the scanners to authenticate properly.
>
> > 2) Voice recognition? Nope, too much background noise in these stores
> > (and seeing as it's fairly constant and loud, often anyone gets in!)
>
> > 3) Video recognition? Is it good enough yet? Reasonably priced as
> > well?
>
> > So in a nutshell, what would you be thinking about?
>
> Three words: Terms of employment.
>
> You're attempting to throw a technology solution at a problem that is
> better handled with an administrative control.
>
> In short, train the managers that if they disclose their username/pass
> to anyone, it's extremely serious, and they can be fired. Have them
> recertify to this policy on a regular basis.
>
> If they still don't comply, best to find out in the trenches why it's
> so inconvenient for them to comply.
>
> This may not work for your situation, but it's one avenue that
> deserves some contemplation. 2 factor auth is somewhat expensive and
> has downfalls as you cite.
>
> --
> Todd H.
> http://www.toddh.net/



Posted by ric on July 31, 2007, 5:48 am
On Jul 30, 11:26 pm, comph...@toddh.net (Todd H.) wrote:
> > Hi there, I'm currently a developer hired out to a multi-unit
> > franchisee in the Fast Food industry. Currently I'm building an
> > application that will be deployed to all our stores. Each store will
> > be running an application that will be connecting to a central server
> > here at the home office. Logins of some sort will be needed for each
> > store manager, but how to login has been a problem. The main issue
> > has been that the store managers have had a nasty tendency in the past
> > to share usernames/passwords with people in the store that they
> > shouldn't, compromising security. So a standard user/pass won't do
> > necessarily. Our thoughts have already run as follows:
>
> > 1) What about fingerprints? We've tried that, but had problems with
> > them in the past with greasy smudges on people's fingers proving
> > difficult for the scanners to authenticate properly.
>
> > 2) Voice recognition? Nope, too much background noise in these stores
> > (and seeing as it's fairly constant and loud, often anyone gets in!)
>
> > 3) Video recognition? Is it good enough yet? Reasonably priced as
> > well?
>
> > So in a nutshell, what would you be thinking about?
>
> Three words: Terms of employment.
>
> You're attempting to throw a technology solution at a problem that is
> better handled with an administrative control.
>
> In short, train the managers that if they disclose their username/pass
> to anyone, it's extremely serious, and they can be fired. Have them
> recertify to this policy on a regular basis.
>
> If they still don't comply, best to find out in the trenches why it's
> so inconvenient for them to comply.
>
> This may not work for your situation, but it's one avenue that
> deserves some contemplation. 2 factor auth is somewhat expensive and
> has downfalls as you cite.
>
> --
> Todd H.
> http://www.toddh.net/

Yup. They sign a formal document that states they can be fired for
sharing log ons, and you enforce it.
Don't even *think* about voice or video recognition, this is such a
dumb idea.
I'd suggest you use smartcard authentication and have them wear their
smartcards attached to their ID badge.

Ric
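The pieces raised in this thread (the OP's client certificate for the store machine, Ric's per-manager smartcard identity, and tekiegreg's wish for auditing and protection against consoles left unlocked) can be tied together on the central server side. The sketch below is an added example written for this page, not code from any poster; the directory tables, the 5-minute idle limit and the certificate fingerprints are constructed sample values, and the manager identity is assumed to be the subject name the smartcard login yields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample directory (not real data): the fingerprint of each store's
# client certificate maps to a store, and each store lists the manager identities
# (assumed here to be the subject names a smartcard login yields) allowed there.
STORE_BY_DEVICE_CERT = {"sha256:aa11": "store-014", "sha256:bb22": "store-027"}
MANAGERS_BY_STORE = {"store-014": {"CN=alice"}, "store-027": {"CN=bob"}}

IDLE_LIMIT = timedelta(minutes=5)  # assumption: lock a console left unattended this long
AUDIT_LOG: list[str] = []            # append-only trail the home office can review

@dataclass
class Session:
    store: str
    manager: str
    last_seen: datetime
    locked: bool = False

def audit(now: datetime, event: str, **fields: str) -> None:
    """Record every decision, accepted or refused, with the identities involved."""
    detail = " ".join(f"{k}={v}" for k, v in sorted(fields.items()))
    AUDIT_LOG.append(f"{now.isoformat()} {event} {detail}")

def open_session(device_cert_fp: str, manager: str, now: datetime) -> Optional[Session]:
    """Admit a login only when the store's certificate AND the manager's identity agree."""
    store = STORE_BY_DEVICE_CERT.get(device_cert_fp)
    if store is None:  # the machine is not one of ours: fail closed
        audit(now, "REJECT_UNKNOWN_DEVICE", cert=device_cert_fp, manager=manager)
        return None
    if manager not in MANAGERS_BY_STORE.get(store, set()):
        # a valid store machine, but this person is not a manager assigned to it
        audit(now, "REJECT_NOT_ASSIGNED", store=store, manager=manager)
        return None
    audit(now, "LOGIN", store=store, manager=manager)
    return Session(store, manager, now)

def use_session(session: Session, now: datetime) -> bool:
    """Refuse further work on a console that sat idle past IDLE_LIMIT."""
    if session.locked or now - session.last_seen > IDLE_LIMIT:
        if not session.locked:
            session.locked = True
            audit(now, "IDLE_LOCK", store=session.store, manager=session.manager)
        return False
    session.last_seen = now
    return True
```

A shared password alone no longer opens a session here: the caller must also be on the store's own certificated machine and be listed as a manager for that store, and every refusal lands in the audit trail.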


Posted by Ari on July 31, 2007, 1:06 pm
On Tue, 31 Jul 2007 02:48:40 -0700, ric wrote:

> Don't even *think* about voice or video recognition, this is such a
> dumb idea.

Why?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
