Two Factor Auth & The Yubikey

Posted on July 18, 2010 by brad

I have now upgraded the blog to use two factor authentication for logins to the WordPress back end. Meaning, to login you have to present something you know (username/password – ho hum) and either something you have (keyfiles / SSL client certificate / one time password (OTP)) or something you are (biometrics like finger prints, iris scan, hand scan, etc). This solves a whole host of authentication problems when you only use one factor. It’s certainly not the end all, but if implemented correctly it definitely increases security to add a second (or third) factor.

Now typically the second factor authenticators pose a few problems. First being, I’m not an enterprise and most second factor authenticators are the realm of enterprises. Companies selling these solutions (RSA SecurID, Verisign VIP, and the like) charge a lot of money for proprietary software licenses and hardware tokens. Most biometric devices worth having aren’t portable or cheap.

RSA is not going to just let you take a perusal of their source code.

The other problem you have with a lot of these solutions is the fact that they are VERY proprietary. RSA is not going to just let you take a perusal of their source code. Sure, we have a general idea about the algorithms and the technologies these companies employ, but we know nothing of their exact implementation. That’s fine if you can trust RSA and you or the developers you buy software from can integrate RADIUS or whatever API or protocol that these solutions require. And not to pick on RSA here, there’s a lot of other hardware OTP token providers out there.

Needless to say, a less expensive, more open source and portable solution was what I wanted for my personal use. It’s something I’ve been looking into for a awhile. Years ago I was very thrilled at the idea of being my own OpenID provider with backend authentication being performed with an OTP like SecurID. Of course, it wasn’t then something that was possible to do on a small, individual scale. In fact, I bemoaned this rather depressing fact on episode 95 of the Security Now podcast back in 2007.

However, the other day I finally decided to check out a solution to this sticky little problem. It’s been around for a little while, but I think their version 2 product is refined a bit that it’s now at a point where I can consider it secure. Also, there’s now enough open source people working on authentication modules and the like for it.

YubiKey

Yubikey, photo by Thomas Flenstad

The product I’m talking about is the Yubikey from Yubico. It’s actually a rather ingenious little product. It’s basically a tiny USB device that contains only a small capacitive button. There’s no display, drivers, client software, or the like. Rather, it’s a USB HID device…like a keyboard! See where they are going with this yet? All you do to generate and use an OTP is touch the button on the Yubikey. That’s it! The Yubikey spits out a fresh 128-bit blob right into the machine it’s plugged into just by sending out keyboard scan codes via USB, like any keyboard would do. For the lazy people reading (*ahem*) this is even better than SecurID because it types the code for you! It even sends the enter key afterwards to finish submitting your authentication form or dialog box for you. Talk about easy!

There’s some cool technical details to read about at their site or you can listen to Security Now episode 145. But basically, I’m really loving the Yubikey model. It’s inexpensive, platform independent, and not proprietary in the least. You or anyone can implement their own Yubikey authentication, including offline authentication (useful for internal / private applications).

As I’ve said, I’ve rolled out Yubikey for my WordPress installation. I’m excited to continue the roll out into other areas such as OpenID and SSH authentication. Yubikey is affordable OTP / two factor authentication for the rest of us.

Posted in Security | Tagged , , , | Leave a comment

Even Russian Spies Need A Helpdesk

Posted on June 30, 2010 by brad

If you’ve been following the news recently, by now you’ve heard about the Russian spy ring infiltrated and formally charged by the US. The operatives spying on us make a lot of critical mistakes.

Back during the cold war, spies from the USSR were notorious for their caution and yes, their use of advanced technology, to successfully pass information back and forth between operatives and the USSR. We’re talking about things like completely passive microphones powered by remote radio signals and microfiche in hollow coins. Now they are using ad-hoc 802.11 wireless networks and flaky custom software on top of Windows XP to exchange information? Really? This is like the last way I would do this! Writing passwords down on sticky notes? Pathetic! Talking to unknown Russian “operatives” for IT support who are actually US investigators? Too easy. Honestly, it all seems so amateur it makes me think if we weren’t meant to discover this ring on purpose. Food for thought.

Read the article linked below for more spy FAIL.

[via Network World]

Posted in Security | Tagged , , , | Comments Off

Mario Marathon 3 Ends

Posted on June 30, 2010 by brad

After 4+ days of nonstop gaming, the 3rd annual Mario Marathon is complete after having raised over $81,000 for Child’s Play charity. Amazing! Congrats and thanks to all the fellow donors.

Posted in Uncategorized | Comments Off

Mario Marathon 3

Posted on June 26, 2010 by brad

Super Mario Marathon 3

As I type this, a small group of dedicated gamers is playing a marathon of Mario games nonstop. Why are they doing this? To benefit the Child’s Play charity. Child’s Play provides toys, games and books to sick kids in children’s hospitals worldwide.

The more donations they receive the more levels they play. The gang has played through all the classic Mario games, and is currently chewing through one of the newer Mario titles, Super Mario Galaxy. So far they have raised over $26,000 and I hope they reach their final goal of $156,611.19.

A hospital is a terribly scary place to be for anyone, let alone a child. Help make a sick kid’s hospitalization a little more bearable by donating to Child’s Play during the Mario Marathon or any time of the year. Please give, because it truly does make a difference.

Posted in Uncategorized | Tagged , , , | Comments Off

Heavy Data

Posted on June 23, 2010 by brad

Wouldn’t it be cool if data had weight? Yes I know a lot of the things that data can do are due to the fact that you can send it across the globe at nearly the speed of light. But still, I can’t help but muse on the idea of data that has weight. You could literally feel your portable hard drive fill up with stuff. When you cleaned up and deleted things you no longer needed, it would be easy to pick it up and feel the difference it made. Newer external hard discs are now coming with e-ink screens displaying a label and capacity meter. Pretty cool, but still a far cry from the instant physical feedback weight could give. One can dream anyway…

Posted in /dev/random | Comments Off

Hullo

Posted on June 21, 2010 by brad

That’s right, this site is back from the dead. I feel rather bad for not having written anything here for awhile. That and WordPress 3.0 has just been released, and I figured that was just the impetus I needed to start blogging again. Check out some of the cool new features:

I can’t promise how active it will be in the immediate future as I’m going to be busy with a cross country move shortly, but rest assured I’ll do my best to keep the cobwebs here at bay. Thanks for dropping by.

Posted in Site News | Tagged | Comments Off

The New Insider Threat

Posted on February 16, 2009 by brad

It’s not a new threat really. People inside an organization can always be a threat. It’s just that many people, some of them prominent security professionals, have been downplaying the insider threat lately in order to hype other emerging threats. I’m of the opinion that we’ll see insider threats rise through the year and probably into next. As the economy worsens, people who are becoming financially stressed may turn to corporate crime, or may retaliate for being laid off.

Prime example, news this week of a former Fannie Mae contractor leaving a malicious script designed to wipe out thousands of computers after he was fired for…a scripting error he made earlier in the month. Luckily they stumbled upon the script before it was set to execute. They might not have been so lucky though. Bruce Schneier has some good tips about reducing the threat trusted individuals can pose.

In the end, you can take several measures to reduce your insider risk but you can never eliminate it entirely. At the end of the day the weakest link always comes down to people. People are sometimes dishonest, it’s simply a fact of life. Luckily for the rest of us, they seem to be a pretty small minority.

Posted in Security | Tagged , | Comments Off

Rubber Hose Cryptanalysis

Posted on February 15, 2009 by brad


via xkcd

Posted in Humor, Security | Tagged , | Comments Off

Nmap Network Scanning Review

Posted on February 5, 2009 by brad

Nmap Network Scanning by Fyodor
Title: The long winded title for this book is Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, but I’ll just be calling it NNS.
Author: Gordon “Fyodor” Lyon
Rating: *****
Bottom Line: The definitive nmap book, for all your network scanning needs.

From the moment you start to read NNS, it is engaging and informative. The wealth of information contained in this book will have even hardcore nmap experts learning a thing or two about the preeminent network scanner. Of course, I expected nothing less from NNS because the author is nmap’s chief architect and programmer, Fyodor. Inside you’ll find his 11 years of network scanning experience distilled down into the ultimate nmap guide.

The material is presented in an engaging way, and wherever possible examples are given where the techniques described are applied in real world scenarios. The book is also littered with command line and output examples as well as diagrams. These items in addition to the text allow one to enjoy and learn from the book without having to sit in front of a command line and try every single command yourself. That said, it took me a bit of time to get through the book because I kept stopping to play with new options I’d learned. :)

From introductory network scanning (What’s a stealth SYN scan?), to scan optimization (Why is it taking so long?!), to advanced techniques (Learn how to write your own nmap plug ins!), NNS covers the gamut. Anyone who does even occasional network scanning with nmap (And you are scanning your network on a regular basis aren’t you?) owes it to themselves to pick this one up.

Posted in Books, Networking, Security | Tagged , , , , | Comments Off

Bookmark Backup?

Posted on February 2, 2009 by brad

Are you backing up your bookmarks? Oh, you don’t store local bookmarks? You use a social bookmarking website you say? Well I hope you weren’t using Ma.gnolia. They announced on Friday morning that they’ve experienced a catastrophic data loss. Wired is reporting Ma.gnoalia has lost both their production database and backups of user data. Bye bye bookmarks!

So my question to you is, do you have backups? Ma.gnolia didn’t. If they did have backups, my guess is they failed step 5 on the path to the tao of backup. While I have both local and off site backups (that yes, I test on a frequent basis…it’s all about restores!), I had overlooked my bookmarks. Luckily, they are safe and sound on del.icio.us. I might not be so lucky next time though. If you’re a del.icio.us user as well, I suggest you export a copy for safe keeping. Then take a moment to think about what else you have stored, and stored solely, in the cloud. Make sure you add those things to your backup procedures.

Posted in Uncategorized | Tagged , , | Comments Off