Hack a Day » vpn

Two-factor authentication using a hardware token

Mike Szczys — Tue, 20 Oct 2009 15:21:51 +0000

We ran into a friend a while back who was logging into her employer’s Virtual Private Network on the weekend. She caught our attention by whipping out her keys and typing in some information from a key-fob. It turns out that her work uses an additional layer of protection for logging into the network. They have implemented a username, pin number, as well as a hardware token system called SecurID.

The hardware consists of a key-fob with an LCD screen on it. A code is displayed on the screen and changes frequently, usually every 60 seconds. The device is generating keys based on a 128-bit encryption seed. When this number is fed to a server that has a copy of that seed, it is used as an additional verification to the other login data.

This seems like a tech trickle-down of the code generating device from GoldenEye. It does get us thinking: with the problems free email services have been having with account theft, why aren’t they offering a fee-based service that includes a security fob? With the right pricing structure this could be a nice stream of income for the provider. We’re also wondering if this can be implemented with a microcontroller and used in our home network. As always, leave comments below and let us know if you’ve already built your own system using these principles.

Update: Thanks to Andre for his comment that tells us this type of security is available for Apache servers. The distribution includes a server side authentication system and a Java based token generator that can run on any handheld that supports Java.

Posted in security hacks

25C3 international Capture the Flag

Eliot — Tue, 23 Dec 2008 17:00:17 +0000

Capture the Flag (CTF) is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. Every team gets an identical virtual machine image. The VM has a set of custom written services that are known to be vulnerable. The teams work to secure their image while simultaneously exploiting services on the machines of other teams. A scoring server monitors the match as it progresses and awards points to teams for keeping their services up and also for stealing data from their competitors.

The Chaos Communication Congress in Berlin December 27-30, 2008 will host a CTF competition. Most CTF matches are done head to head in the same room. While 25C3 will have local teams, it will also be wide open for international teams to compete remotely. Remote teams will host their own images on a VPN with the other competitors. Now is a good time to register and familiarize yourself with the scoring system. It will certainly be interesting to see how this competition plays out now that teams that can’t make the trip can still compete.

Posted in cons, security hacks

Getting around the Great Firewall of China

Kimberly Lau — Mon, 04 Aug 2008 02:00:00 +0000

[Zach Honig] is a photographer in Beijing covering the Olympics. In light of recent allegations of the Chinese government installing monitoring software and hardware in foreign-owned hotels, the necessity of protecting one’s information has become vital and urgent, especially for journalists and photographers. [Honig] provides some suggestions for circumventing the infamous Great Firewall of China; surfing the internet through a secure VPN connection and using a proxy such as PHProxy will allow users to visit websites that have been banned within China. Such simple tricks could mean the difference between not being able to find necessary information, and the ability to surf the internet freely and openly.

[via Digg]