Two-factor Authentication Using A Hardware Token


We ran into a friend a while back who was logging into her employer’s Virtual Private Network on the weekend. She caught our attention by whipping out her keys and typing in some information from a key-fob. It turns out that her work uses an additional layer of protection for logging into the network. Logins require a username, a PIN, and a code from a hardware token system called SecurID.

The hardware consists of a key-fob with an LCD screen on it. A code is displayed on the screen and changes frequently, usually every 60 seconds. The device generates these codes from a 128-bit encryption seed. When a code is submitted to a server that has a copy of that seed, it serves as an additional verification on top of the other login data.
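As an added example (not SecurID's own algorithm, which is proprietary, and not code from the original post), here is the same seed-plus-clock idea using the open TOTP scheme from RFC 6238, with the server side tolerating clock drift and refusing reused codes. The function names, the six-digit length and the sample seed are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the page's fob changes its code roughly every 60 seconds
DIGITS = 6         # assumption: number of digits shown on the LCD
# Constructed 128-bit seed for the demo; a real seed is secret and per-token.
SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the fob displays at unix_time (RFC 6238 TOTP over HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(seed, submitted, unix_time, last_counter, drift_steps=1):
    """Server-side check; returns the matched time step or None.

    Neighbouring steps are accepted to tolerate fob clock drift, and any
    step at or below last_counter is refused so a code cannot be reused.
    """
    now = unix_time // STEP_SECONDS
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter <= last_counter:
            continue
        expected = token_code(seed, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    code = token_code(SAMPLE_SEED, now)
    step = verify(SAMPLE_SEED, code, now + 20, last_counter=0)
    print("code", code, "accepted at step", step)
    print("replay:", verify(SAMPLE_SEED, code, now + 20, last_counter=step))
```

The server has to store the returned step per user and pass it back as `last_counter` on the next login for the reuse check to work.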

This seems like a tech trickle-down of the code generating device from GoldenEye. It does get us thinking: with the problems free email services have been having with account theft, why aren’t they offering a fee-based service that includes a security fob? With the right pricing structure this could be a nice stream of income for the provider. We’re also wondering if this can be implemented with a microcontroller and used in our home network. As always, leave comments below and let us know if you’ve already built your own system using these principles.

Update: Thanks to Andre for his comment that tells us this type of security is available for Apache servers. The distribution includes a server side authentication system and a Java based token generator that can run on any handheld that supports Java.

POV Fan EEPROM Hack


Hacking with Gum got their hands on one of the persistence of vision display fans that Cenzic was giving away at Blackhat this year. It’s not the biggest fan-based POV display we’ve seen but it’s still a fun device to tinker with. They hacked into the EEPROM on the device in order to change the message the fan displayed.

This is very similar to the other EEPROM reading/writing we’ve seen recently. Hacking with Gum read the data off of the EEPROM and then disassembled it to discover how the message data is stored on the chip. This was made easier by noting the messages displayed when the fan is running. The first byte of data shows the number of words in the message, then each chunk of word data is preceded by one byte that represents the number of letters in that word. Data length was calculated based on the number of pixels in each display character. Once they knew the data-storage scheme, it was just a matter of formatting their own messages in the same way and overwriting the chip.
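The layout described above (word count, then a letter count in front of each word's pixel data) can be written down as a small builder and a bounds-checked parser. This is an added example, not code from the Hacking with Gum write-up; the five column bytes per letter and the three-glyph font are assumptions, since the page does not give the character size.

```python
COLS_PER_LETTER = 5  # assumption: column bytes per character (not stated on the page)

# Constructed 5x7 column font for the demo, not the fan's real glyph data.
FONT = {"H": bytes.fromhex("7f0808087f"),
        "I": bytes.fromhex("00417f4100"),
        "O": bytes.fromhex("3e4141413e")}
GLYPH_TO_CHAR = {glyph: char for char, glyph in FONT.items()}


def build_image(message):
    """Encode a message as: word count, then per word a letter count and glyphs."""
    words = message.split()
    if not 0 < len(words) <= 255:
        raise ValueError("word count must fit in one byte")
    image = bytearray([len(words)])
    for word in words:
        if len(word) > 255:
            raise ValueError("letter count must fit in one byte")
        image.append(len(word))
        for char in word:
            image += FONT[char]  # KeyError for characters the demo font lacks
    return bytes(image)


def parse_image(image):
    """Decode an EEPROM dump, refusing counts that run past the end of the data."""
    if not image:
        raise ValueError("empty image")
    words, pos = [], 1
    for _ in range(image[0]):
        if pos >= len(image):
            raise ValueError("truncated before a word header")
        letters = image[pos]
        pos += 1
        end = pos + letters * COLS_PER_LETTER
        if end > len(image):
            raise ValueError("letter count runs past end of image")
        glyphs = [image[i:i + COLS_PER_LETTER] for i in range(pos, end, COLS_PER_LETTER)]
        words.append("".join(GLYPH_TO_CHAR.get(g, "?") for g in glyphs))
        pos = end
    return words


if __name__ == "__main__":
    dump = build_image("HI OH")
    print(dump.hex(), parse_image(dump))
```

Because every length field comes from the chip, the parser checks each one against the dump size; an erased EEPROM reads as all `0xFF` and is rejected rather than decoded.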

This is a great write-up if you’re looking for a primer on reverse engineering an unknown hardware system. If you had fun trying out our barcode challenges perhaps deciphering EEPROM data from a simple device should be your next quest.

[Thanks James]

Safelock: Biometric Typing Security

[youtube=http://www.youtube.com/watch?v=_vMb9JUhC1g]

We’ve seen some ways to bypass biometric security measures but here’s a new offering that we think will be hard to fool. The Safelock system is used in conjunction with a password to identify a specific user. This software records your typing style including the time between keystrokes, the time keys are held, and key pressure data. This information is then normalized and compared to the information stored about the user when the password was originally set. If you don’t fall within specifications that match the stored data, you won’t get in even with the right password.
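The comparison step described above can be sketched as follows. This is an added example, not Safelock's code: it models only hold times and gaps between keys (no pressure data), normalizes each feature by its spread at enrollment, and uses a threshold and sample timings that are constructed for the demo.

```python
from statistics import mean


def entry(holds, gaps):
    """Build constructed (press_ms, release_ms) pairs, one per key."""
    events, t = [], 0
    for i, hold in enumerate(holds):
        events.append((t, t + hold))
        t += hold + (gaps[i] if i < len(gaps) else 0)
    return events


def features(events):
    """Hold time per key, then the gap from each release to the next press."""
    holds = [release - press for press, release in events]
    gaps = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return holds + gaps


def enroll(samples):
    """Template = per-feature mean and mean absolute deviation (floor 1 ms)."""
    columns = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in columns]
    spreads = [max(mean(abs(x - m) for x in c), 1.0)
               for c, m in zip(columns, means)]
    return means, spreads


def score(template, events):
    """Average deviation from the template, in units of each feature's spread."""
    means, spreads = template
    vec = features(events)
    if len(vec) != len(means):  # wrong number of keystrokes: cannot match
        return float("inf")
    return mean(abs(x - m) / s for x, m, s in zip(vec, means, spreads))


def matches(template, events, threshold=2.0):  # threshold is an assumption
    return score(template, events) <= threshold


# Constructed timings (ms): a three-key password typed three times at enrollment.
TEMPLATE = enroll([entry([100, 90, 110], [50, 60]),
                   entry([110, 100, 100], [60, 50]),
                   entry([90, 110, 120], [40, 70])])
GENUINE = entry([105, 95, 108], [55, 58])
IMPOSTOR = entry([60, 150, 70], [120, 10])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), matches(TEMPLATE, attempt))
```

The threshold trades false rejections of the real user against false accepts, so it has to be tuned on real typing samples rather than fixed up front.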

The icing on the cake is that Safelock will look for malicious users. If you enter the wrong password, it will begin to record and analyze your typing style. If you make enough incorrect attempts you will be labeled as a security threat and locked out of the system altogether. We can only think of one reliable way to circumvent this and that’s using a man-in-the-middle method of recording the keyboard inputs of the legitimate user for playback later.

This is an innovative user identification system and we’re not the only ones that think so. [Jeff Allen] and [John Howard], students at SMU, won first prize for the Student Innovation Contest at the 2009 User Interface Software and Technology Symposium.

Adding A Keypad To A Key Card Lock


[Colin Merkel] had a little problem: he was continually forgetting his electronic key card, locking himself out of his own dorm room. Like any normal Hack a Day reader, rather than getting in the habit of always carrying his card, the natural impulse of course is to build this elaborate rig of electronics and duct tape. Right?

The result is an additional keypad that can be used to gain access…not by altering the existing electronic lock, but with a secondary mechanism that operates the inside door handle. An 8-bit PIC microcontroller scans the outside keypad (connected by a thin ribbon cable), and when a correct access code is entered, engages a 12 volt DC motor to turn the handle. It’s a great little writeup that includes a parts list, source code, and explains the process of keypad scanning.

It’s similar to the RFID-based dorm hack we previously posted. By physically operating the handle, most any approach could be used: facial recognition, other biometrics, DDR pad, or whatever inspired lunacy you can dream up.

Robot Security Patrol Brings Skynet Closer


The students at the University of Oklahoma have put together a robot that will surely join the other drones in our future robot overlord regime. This autonomous vehicle was produced to replace human security patrols which can be both boring and dangerous. Intent on delivering surveillance to most locations, an all terrain vehicle was used as the base. It can navigate by itself through an obstacle avoidance system and communicate video and audio wirelessly. After the break we’ll take a look at the systems that make this work.

Garage Door… Packet Sniffer

Some type of logger or sniffer exists for almost every form of electronic communication. Your keystrokes, phone conversations, and wireless networks could all be monitored. In this awesome proof-of-concept project, [James] expanded that array to include garage door openers. After receiving a piece of chain mail which stated that criminals have the technology to record any remote code and play it back, [James] wondered if he could build such a device that would work on at least his opener model.

See Through Walls Via Wireless Network


Researchers at the University of Utah have been able to detect movement in a room based on variations in wireless signals. The technique is accurate to about a meter and uses a 34-node wireless network to do the sensing. As a person moves, they change the signals and can therefore be detected. One possible application the researchers state is rescue workers deploying multiple wireless nodes around a building to find people located inside.

[via Gizmodo]