Posts Tagged security
Verizon FIOS WEP belong to us
Posted by Christopher in Nerd Stuff, Work Stuff on November 7, 2009
I deal with computer security almost every day and just found one of the most shocking lapses in judgment by a major corporation I have ever seen.It will have a huge effect on many of readers of this blogs security for quite a while to come.
Lets boil it down for those non-nerds. If you have Verizon FIOS and they installed your modem/router (comes with the service) your WEP key is being broadcast through out the neighborhood. The secret code to connect to your internet is being sent to everybody in your neighborhood…. wow.
Now for some details. If you have ever fired up your computer in a neighborhood, likely you have seen the new 5 character (example; H6196, 9RHUN) wireless clouds that pop up anywhere Verizon has FIOS. This SSID is unique and helps you find your wireless cloud. Verizon decided that since they were doing all this work in setting up peoples wireless access points, why not use the MAC address of the modem and generate SSID based on this. This is a OK idea but then ,as per normal for any large corporation, decided to shoehorn the idea into every aspect of the situation. They then used the MAC address to generate the WEP key.
Any user of Network Stumbler or Wireshark knows that the MAC address is broadcast along with the SSID. You take that 5 charicture SSID, run it through the java script WEP calculator at (http://fioswepcalc.webs.com) and you will likely end up with the WEP key of most all your neighbors wireless networks.
Security through Obscurity has been the modus operandi since the start of computers. At some point, if computers systems are to continue, companies that endanger their clients, lose clients data or expose clients to data theft, will have to be held accountable for poor security.
In real life trials, only half of the FIOS WEP keys were valid.
Yubikey quest
Posted by Christopher in Nerd Stuff on September 4, 2009
I hope to use the blog a bit more to document not only travel but practical issues and data. Unfortunately, most of the practical data I deal with would be categorized as nerd stuff.
First off, I want to explain the issue that will dominate the coming years when it comes to internet technology: Security and Encryption.
Security is an issue that is only lightly understood by most. Our bank has a username and password, Paypal has another password, Gmail or Yahoo has another password. We store these passwords on sticky notes on our monitor, have Internet Explorer remember them or use a password manager. Keepass is the best (open source) password manager.
Unless you use a password manager, your passwords are usually in this form; “GoReds!” or “1983Win!”. All of these passwords can be cracked easily using new methods that are advancing quickly. The only password you should use for anything (even hotmail or yahoo) should be alpha numeric and longer than 16. Example: “k43uLK823JHjkasdFFf2fas43″. I probably just irritated you but it is true. Any “easy to remember” password can be cracked easily.
So, let’s just say that you want to secure your back account, investment account or Gmail with a gnarly password. How can you do this, without having to write it down for anyone that can read a sticky note to learn. As stated, I use Keepass but I wanted to show you another method.
Yubikey is a product that was made by Yubico. They are currently on version two of the device and the prices have come down enough to justify getting one. I sent Art B one so he can test it in parallel with me.
Here is the device:
It is quite small, extremely durable and looks similar to the new minimalist USB drives.
Here is a great article if you want to learn more about it’s practical nature. “ReadWriteWeb”
I am going to focus on the questions that I had to find answers for.
- How much does it cost? $15-25
- Where can I read a simple “What is this doc”? Here
- Is the unit water proof? Yes
- Where can I find the config utility? Here
- How can I use the static password option without messing up the OTP? Here
- Where is the instructions? Here (not the best documentation I have read)
- Are there real world services I can use this with now? Yes
- What is a static password? Wikipedia
- What is an OTP(one time password)? Wikipedia
More and more services using offering OTP authentication services. Google, OpenID, osCommerce, MediaWiki and Salesforce are just a few who currently use Yubikey. Below is a quick video on how to use Google with your Yubikey.
How will I use my Yubikey?
I will start with the static password config and as I get confidence in the product/concept move toward Google Apps.
One issue that I have yet to resolve is the reduncancy variable. What if I loose my OTP token?
Let me know if you find value in the “nerd stuff” or only want to read travel stuff.
Christopher
Comments