Now typically the second factor authenticators pose a few problems. First being, I’m not an enterprise and most second factor authenticators are the realm of enterprises. Companies selling these solutions (RSA SecurID, Verisign VIP, and the like) charge a lot of money for proprietary software licenses and hardware tokens. Most biometric devices worth having aren’t portable or cheap.

The other problem you have with a lot of these solutions is the fact that they are VERY proprietary. RSA is not going to just let you take a perusal of their source code. Sure, we have a general idea about the algorithms and the technologies these companies employ, but we know nothing of their exact implementation. That’s fine if you can trust RSA and you or the developers you buy software from can integrate RADIUS or whatever API or protocol that these solutions require. And not to pick on RSA here, there’s a lot of other hardware OTP token providers out there.

Needless to say, a less expensive, more open source and portable solution was what I wanted for my personal use. It’s something I’ve been looking into for a awhile. Years ago I was very thrilled at the idea of being my own OpenID provider with backend authentication being performed with an OTP like SecurID. Of course, it wasn’t then something that was possible to do on a small, individual scale. In fact, I bemoaned this rather depressing fact on episode 95 of the Security Now podcast back in 2007.

However, the other day I finally decided to check out a solution to this sticky little problem. It’s been around for a little while, but I think their version 2 product is refined a bit that it’s now at a point where I can consider it secure. Also, there’s now enough open source people working on authentication modules and the like for it.

Yubikey, photo by Thomas Flenstad

The product I’m talking about is the Yubikey from Yubico. It’s actually a rather ingenious little product. It’s basically a tiny USB device that contains only a small capacitive button. There’s no display, drivers, client software, or the like. Rather, it’s a USB HID device…like a keyboard! See where they are going with this yet? All you do to generate and use an OTP is touch the button on the Yubikey. That’s it! The Yubikey spits out a fresh 128-bit blob right into the machine it’s plugged into just by sending out keyboard scan codes via USB, like any keyboard would do. For the lazy people reading (*ahem*) this is even better than SecurID because it types the code for you! It even sends the enter key afterwards to finish submitting your authentication form or dialog box for you. Talk about easy!

There’s some cool technical details to read about at their site or you can listen to Security Now episode 145. But basically, I’m really loving the Yubikey model. It’s inexpensive, platform independent, and not proprietary in the least. You or anyone can implement their own Yubikey authentication, including offline authentication (useful for internal / private applications).

As I’ve said, I’ve rolled out Yubikey for my WordPress installation. I’m excited to continue the roll out into other areas such as OpenID and SSH authentication. Yubikey is affordable OTP / two factor authentication for the rest of us.

Back during the cold war, spies from the USSR were notorious for their caution and yes, their use of advanced technology, to successfully pass information back and forth between operatives and the USSR. We’re talking about things like completely passive microphones powered by remote radio signals and microfiche in hollow coins. Now they are using ad-hoc 802.11 wireless networks and flaky custom software on top of Windows XP to exchange information? Really? This is like the last way I would do this! Writing passwords down on sticky notes? Pathetic! Talking to unknown Russian “operatives” for IT support who are actually US investigators? Too easy. Honestly, it all seems so amateur it makes me think if we weren’t meant to discover this ring on purpose. Food for thought.

Read the article linked below for more spy FAIL.

[via Network World]

Prime example, news this week of a former Fannie Mae contractor leaving a malicious script designed to wipe out thousands of computers after he was fired for…a scripting error he made earlier in the month. Luckily they stumbled upon the script before it was set to execute. They might not have been so lucky though. Bruce Schneier has some good tips about reducing the threat trusted individuals can pose.

In the end, you can take several measures to reduce your insider risk but you can never eliminate it entirely. At the end of the day the weakest link always comes down to people. People are sometimes dishonest, it’s simply a fact of life. Luckily for the rest of us, they seem to be a pretty small minority.

From the moment you start to read NNS, it is engaging and informative. The wealth of information contained in this book will have even hardcore nmap experts learning a thing or two about the preeminent network scanner. Of course, I expected nothing less from NNS because the author is nmap’s chief architect and programmer, Fyodor. Inside you’ll find his 11 years of network scanning experience distilled down into the ultimate nmap guide.

The material is presented in an engaging way, and wherever possible examples are given where the techniques described are applied in real world scenarios. The book is also littered with command line and output examples as well as diagrams. These items in addition to the text allow one to enjoy and learn from the book without having to sit in front of a command line and try every single command yourself. That said, it took me a bit of time to get through the book because I kept stopping to play with new options I’d learned.

From introductory network scanning (What’s a stealth SYN scan?), to scan optimization (Why is it taking so long?!), to advanced techniques (Learn how to write your own nmap plug ins!), NNS covers the gamut. Anyone who does even occasional network scanning with nmap (And you are scanning your network on a regular basis aren’t you?) owes it to themselves to pick this one up.

The first post is about targeted social engineering. One of the more interesting aspects:

In one incident, an attacker used phrases directly taken from a public blog, as well as a cordial greeting that the blogger had used when writing about a personal topic. This made the message significantly more authentic to the target, who duly clicked on the attachment.

Pretty clever. Anything you can do to make people even subconsciously believe a message is legitimate will increase your success rate. It only takes one person to fall for it in most cases, to get a foothold that you can leverage for a deep internal attack.

The other post is simply a list of what NOT to do when it comes to IT security. Some of the highlights:

• Assume the users will read the security policy because you’ve asked them to.
• Assume that policies don’t apply to executives.
• Don’t review system, application, and security logs.
• Expect end-users to forgo convenience in place of security.

I’d add a couple of my own to the list:

• Assume that because you’ve never been compromised you’re secure
• Assume that you can prevent all compromises
• Protect only the perimeter
• Have no incident response plan

Transatlantic Cables Terminated in Avon NJ

I couldn’t resist this juxtaposition. These cables are VSNL submarine telecommunications cables that cross the Atlantic and come above ground in the VSNL building in Avon, NJ. They are capable of carrying over an estimated 3.5 Tbps (that is terabits per second). Probably less from over head and my guess from the article’s figure (60,000,000 simultaneous voice calls = 60,000,000 DS0s = 60,000,000 * 64kb/s). In any case, those cables are extremely important for international communication but they look like utterly unimportant buried utility cable. Just a great photograph. Via Wired.