Now typically the second factor authenticators pose a few problems. First being, I’m not an enterprise and most second factor authenticators are the realm of enterprises. Companies selling these solutions (RSA SecurID, Verisign VIP, and the like) charge a lot of money for proprietary software licenses and hardware tokens. Most biometric devices worth having aren’t portable or cheap.

The other problem you have with a lot of these solutions is the fact that they are VERY proprietary. RSA is not going to just let you take a perusal of their source code. Sure, we have a general idea about the algorithms and the technologies these companies employ, but we know nothing of their exact implementation. That’s fine if you can trust RSA and you or the developers you buy software from can integrate RADIUS or whatever API or protocol that these solutions require. And not to pick on RSA here, there’s a lot of other hardware OTP token providers out there.

Needless to say, a less expensive, more open source and portable solution was what I wanted for my personal use. It’s something I’ve been looking into for a awhile. Years ago I was very thrilled at the idea of being my own OpenID provider with backend authentication being performed with an OTP like SecurID. Of course, it wasn’t then something that was possible to do on a small, individual scale. In fact, I bemoaned this rather depressing fact on episode 95 of the Security Now podcast back in 2007.

However, the other day I finally decided to check out a solution to this sticky little problem. It’s been around for a little while, but I think their version 2 product is refined a bit that it’s now at a point where I can consider it secure. Also, there’s now enough open source people working on authentication modules and the like for it.

Yubikey, photo by Thomas Flenstad

The product I’m talking about is the Yubikey from Yubico. It’s actually a rather ingenious little product. It’s basically a tiny USB device that contains only a small capacitive button. There’s no display, drivers, client software, or the like. Rather, it’s a USB HID device…like a keyboard! See where they are going with this yet? All you do to generate and use an OTP is touch the button on the Yubikey. That’s it! The Yubikey spits out a fresh 128-bit blob right into the machine it’s plugged into just by sending out keyboard scan codes via USB, like any keyboard would do. For the lazy people reading (*ahem*) this is even better than SecurID because it types the code for you! It even sends the enter key afterwards to finish submitting your authentication form or dialog box for you. Talk about easy!

There’s some cool technical details to read about at their site or you can listen to Security Now episode 145. But basically, I’m really loving the Yubikey model. It’s inexpensive, platform independent, and not proprietary in the least. You or anyone can implement their own Yubikey authentication, including offline authentication (useful for internal / private applications).

As I’ve said, I’ve rolled out Yubikey for my WordPress installation. I’m excited to continue the roll out into other areas such as OpenID and SSH authentication. Yubikey is affordable OTP / two factor authentication for the rest of us.

Back during the cold war, spies from the USSR were notorious for their caution and yes, their use of advanced technology, to successfully pass information back and forth between operatives and the USSR. We’re talking about things like completely passive microphones powered by remote radio signals and microfiche in hollow coins. Now they are using ad-hoc 802.11 wireless networks and flaky custom software on top of Windows XP to exchange information? Really? This is like the last way I would do this! Writing passwords down on sticky notes? Pathetic! Talking to unknown Russian “operatives” for IT support who are actually US investigators? Too easy. Honestly, it all seems so amateur it makes me think if we weren’t meant to discover this ring on purpose. Food for thought.

Read the article linked below for more spy FAIL.

[via Network World]

As I type this, a small group of dedicated gamers is playing a marathon of Mario games nonstop. Why are they doing this? To benefit the Child’s Play charity. Child’s Play provides toys, games and books to sick kids in children’s hospitals worldwide.

The more donations they receive the more levels they play. The gang has played through all the classic Mario games, and is currently chewing through one of the newer Mario titles, Super Mario Galaxy. So far they have raised over $26,000 and I hope they reach their final goal of $156,611.19.

A hospital is a terribly scary place to be for anyone, let alone a child. Help make a sick kid’s hospitalization a little more bearable by donating to Child’s Play during the Mario Marathon or any time of the year. Please give, because it truly does make a difference.

I can’t promise how active it will be in the immediate future as I’m going to be busy with a cross country move shortly, but rest assured I’ll do my best to keep the cobwebs here at bay. Thanks for dropping by.

Prime example, news this week of a former Fannie Mae contractor leaving a malicious script designed to wipe out thousands of computers after he was fired for…a scripting error he made earlier in the month. Luckily they stumbled upon the script before it was set to execute. They might not have been so lucky though. Bruce Schneier has some good tips about reducing the threat trusted individuals can pose.

In the end, you can take several measures to reduce your insider risk but you can never eliminate it entirely. At the end of the day the weakest link always comes down to people. People are sometimes dishonest, it’s simply a fact of life. Luckily for the rest of us, they seem to be a pretty small minority.

From the moment you start to read NNS, it is engaging and informative. The wealth of information contained in this book will have even hardcore nmap experts learning a thing or two about the preeminent network scanner. Of course, I expected nothing less from NNS because the author is nmap’s chief architect and programmer, Fyodor. Inside you’ll find his 11 years of network scanning experience distilled down into the ultimate nmap guide.

The material is presented in an engaging way, and wherever possible examples are given where the techniques described are applied in real world scenarios. The book is also littered with command line and output examples as well as diagrams. These items in addition to the text allow one to enjoy and learn from the book without having to sit in front of a command line and try every single command yourself. That said, it took me a bit of time to get through the book because I kept stopping to play with new options I’d learned.

From introductory network scanning (What’s a stealth SYN scan?), to scan optimization (Why is it taking so long?!), to advanced techniques (Learn how to write your own nmap plug ins!), NNS covers the gamut. Anyone who does even occasional network scanning with nmap (And you are scanning your network on a regular basis aren’t you?) owes it to themselves to pick this one up.

So my question to you is, do you have backups? Ma.gnolia didn’t. If they did have backups, my guess is they failed step 5 on the path to the tao of backup. While I have both local and off site backups (that yes, I test on a frequent basis…it’s all about restores!), I had overlooked my bookmarks. Luckily, they are safe and sound on del.icio.us. I might not be so lucky next time though. If you’re a del.icio.us user as well, I suggest you export a copy for safe keeping. Then take a moment to think about what else you have stored, and stored solely, in the cloud. Make sure you add those things to your backup procedures.