GemSafe Logon is intended for the individual computer. It is self-contained, but with an administrative twist: access policies are set up centrally by an administrator, who creates a configuration file for the individual smartcards and distributes it to users. This is practical for smaller installations but perhaps not for large, distributed enterprises.
The product suffers from the safe-mode bypass flaw, but our tests for the forensic-analysis flaw were inconclusive. Because the policy can be set to allow users to reset locked-out PINs, change PINs and use short PINs, care should be taken in configuration. We were able, usually through errors in configuration, to bypass the card security in a variety of ways.
A user with the card administration tool could take further steps to attack the card security. Gemplus notes that the tool should be kept out of reach of unprivileged users, but this is always a risk, and with many users holding admin rights on their desktops it could exacerbate the vulnerabilities we found. We feel that GemSafe Logon provides cursory protection at best and is a good example of keeping honest people honest rather than providing strong access control.
The product was reasonably straightforward to install and distribute, but we found the manuals weak. For example, we ran one of the supplied cards down so that it allowed no further logins. To unlock the card, the policy must allow the user to unlock it; if the configuration box allowing this is unchecked, the card cannot be unlocked. The manual makes this clear, but what it does not make clear is that the configuration can be changed after the fact and the card policy reset, allowing the card to be unlocked, if the user has access to those supposedly forbidden administration tools.
Support is not available 24/7, but there is a toll-free number and email access to support. Occasionally we reached voicemail, but support, when we reached it, was good.
Generally, we found that GemSafe Logon provides limited protection in a small, contained environment, and we recommend it only for small organizations, especially those not using laptops.
Strengths: Fairly easy to use and manage in a small environment; competitively priced.
Weaknesses: Security and configuration flaws or ambiguities; poor documentation.
Verdict: Good for small, contained environments.