February 11, 2005
- Strengths: Fairly easy to use and manage in a small environment, competitively priced.
- Weaknesses: Security and configuration flaws or ambiguities and poor documentation.
- Verdict: Good for small, contained environments.
GemSafe Logon is intended for the individual computer. It is self-contained, but with an administrative twist. Access policies are set up centrally by an administrator who creates a configuration file for the individual smartcards and distributes it to users. This is practical for smaller installations but perhaps not for large, distributed enterprises.
The product suffers from the safe mode bypass flaw, but tests for the forensic analysis flaw were inconclusive. Because the policy can be set to allow users to reset locked-out PINs, change PINs and use short PINs, care should be taken in configuration. We were able, usually through errors in configuration, to bypass the card security in a variety of ways.
A user with the card administration tool could take further steps to attack the card security. Though Gemplus notes that the tool should be kept out of reach of unprivileged users, this is always a risk and, with many users having admin rights on desktops, could exacerbate the vulnerabilities we found. We feel that the GemSafe Logon product provides cursory protection at best and is a good example of keeping honest people honest rather than providing strong access control.
The product was reasonably straightforward to install and distribute. We found the manuals to be weak. For example, we ran one of the supplied cards down so that it allowed no further login. In order to unlock the card, the policy must allow the user to unlock the card. If the configuration box allowing this is unchecked, the card cannot be unlocked. This is made clear in the manual, but what is not made clear is that there is a way to change the configuration after the fact and reset the card policy, allowing the card to be unlocked – if the user has access to those forbidden administration tools.
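The configuration risks the review describes (a policy that lets users reset locked-out PINs, change PINs and use short PINs, with the unlock setting changeable after the fact) can be checked mechanically before cards are distributed. The following is an added example, not code from the review or from Gemplus: it models a hypothetical policy file with assumed field names (`min_pin_length`, `max_retries`, `user_can_unlock`, `user_can_change_pin`) and an assumed organisational PIN-length floor, and shows why self-unlock makes the retry counter advisory only, since a card holder who can clear the lockout is never stopped by it.

```python
# Added example (not from the review or from Gemplus): audit a hypothetical
# smartcard logon policy for the weak combinations the review warns about.
# Field names and the PIN-length floor are assumptions, not GemSafe values.
from dataclasses import dataclass

MIN_SAFE_PIN_LENGTH = 6   # assumed organisational floor, not a vendor setting


@dataclass(frozen=True)
class CardPolicy:
    min_pin_length: int       # shortest numeric PIN the card will accept
    max_retries: int          # failed attempts before the card locks
    user_can_unlock: bool     # user may reset a locked-out PIN without an admin
    user_can_change_pin: bool


def pin_keyspace(policy: CardPolicy) -> int:
    """Number of distinct numeric PINs of the minimum allowed length."""
    return 10 ** policy.min_pin_length


def guesses_before_block(policy: CardPolicy) -> int:
    """Wrong PINs a card holder can enter before being stopped.

    If the user can clear the lockout, the retry counter never blocks anyone,
    so the whole PIN space is reachable.
    """
    if policy.user_can_unlock:
        return pin_keyspace(policy)
    return min(policy.max_retries, pin_keyspace(policy))


def exposure(policy: CardPolicy) -> float:
    """Fraction of the PIN space reachable before the card is blocked (0..1)."""
    return guesses_before_block(policy) / pin_keyspace(policy)


def audit(policy: CardPolicy) -> list[str]:
    """Return human-readable findings; an empty list means no weak setting."""
    findings = []
    if policy.min_pin_length < MIN_SAFE_PIN_LENGTH:
        findings.append(f"short PIN allowed ({policy.min_pin_length} digits)")
    if policy.user_can_unlock:
        findings.append("user can reset a locked-out PIN; lockout is advisory only")
    if policy.user_can_unlock and policy.min_pin_length < MIN_SAFE_PIN_LENGTH:
        findings.append("CRITICAL: self-unlock combined with a short PIN "
                        f"exposes {exposure(policy):.0%} of the PIN space")
    if policy.max_retries > 10:
        findings.append(f"retry limit of {policy.max_retries} is high")
    return findings


# Constructed sample policies: a permissive configuration beside a tightened one.
WEAK = CardPolicy(min_pin_length=4, max_retries=3,
                  user_can_unlock=True, user_can_change_pin=True)
TIGHT = CardPolicy(min_pin_length=6, max_retries=3,
                   user_can_unlock=False, user_can_change_pin=True)

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("tight", TIGHT)):
        print(name, f"exposure={exposure(pol):.2e}", audit(pol) or ["no findings"])
```

Run against the two constructed policies, the permissive one reports three findings and an exposure of 100%, while the tightened one (six-digit PIN, three retries, no self-unlock) reports nothing and exposes only three guesses out of a million. The point of the `exposure` figure is that the retry counter, not the PIN length alone, is what protects a lost card, and a policy that lets the user clear that counter removes the protection regardless of how the rest of the policy is set.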
Support is not available 24/7, but there is a toll-free number and email access to support. Occasionally we reached voicemail, but support, when we reached it, was good.
Generally, we found that GemSafe Logon provided limited protection in a small, contained environment and we recommend it only for small organizations, especially those not using laptops.