This podcast is brought to you by the Greater Lafayette Security Professionals (GLSP) group, SecurePurdue, and the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Show Notes

Hosts

• Preston Wiley, CISSP, CCNA
• Mike Hill, CISSP
• Keith Watson, CISSP-ISSAP, CISA

Announcements

• October is the National Cyber Security Awareness Month. Here at Purdue we will hold a university-wide event on October 5th. This event will include a keynote address by the Executive Director of CERIAS, Dr. Spafford, followed by a presentation by Purdue’s new Chief Information Security Officer, David Shaw. We also have panel discussion on the Promise and Peril of Social Networking that will include the Dr. Spafford, David Shaw, Kyle Bowen, and Professor Lorraine Kisselburgh. After lunch there are two tracks, one on security awareness and the other on technical issues. Mike Hill, Preston Wiley, and Keith Watson (podcast hosts) and many other Greater Lafayette Security Professionals are making most of the presentations. (Program)

• The Fall CERIAS Security Seminars continue:
  

  • October 3, William Enck, North Carolina State University
  • October 10, Chris Kanich, University of Illinois at Chicago

  The seminars begin at 4:30pm in Stewart G52 and will also be shown on the Purdue channel. These seminars are recorded and made available as podcasts through iTunes and on YouTube.

Security Updates

• Apple Mac OS X updated to 10.7.5 and 10.8.2, September 19
• Apple iOS updated to 6, September 19
• Apple Safari web browser updated to 6.0.1, September 19
• Microsoft Internet Explorer updated 6, 7, 8, and 9 to address a critical 0-day vulnerability, September 21

Tools Discussion

• Previous podcast on password tools, episode 4
• Previous GLSP presentation by Keith Watson on One-time Password systems (meeting notes and presentation link)
• Hardware tokens (RSA SecurID)
• Hardware tokens provide a second factor in authentication
• Preferred primarily for simplicity in user management, user training
• Costs can be high
• Can integrate with existing authentication and directory solutions
 
• Hardware tokens contain a secret, algorithm, and a clock
• The current time and the secret are into an algorithm to generate a one-time password that is only valid for the time in which it is displayed on the token
• The algorithms are typically proprietary
• There is typically no independent verification of their security and efficacy
• RSA suffered a breach of token information that may have been used by attackers to gain access to defense contractor networks

 

 

• The clock on the device needs to be fairly accurate though the server side can handle some amount of clock drift
• The number changes every 30 or 60 seconds
 
• Hardware tokens require a user secret

 

• The user has a 4-digit PIN that they select
• Only the server knows the PIN (once registered)
• If the device is found and the attacker knows the user, they still need the PIN to compromise an account (though it might be easier)
 
• Hardware tokens are tamper resistant

 

• The secret for each device is set at the factory and tied to its serial number.
• The secret is supposed to be difficult to extract or copy if the case of the device is compromised
 
• Something about the use of the devices

 

• In the mid-90s at the COAST lab, we used RSA SecurID cards to access remote UNIX machines over telnet (strong auth; weak confidentiality)
• Today, at Purdue we have “Boiler Keys” which are RSA hardware tokens in a keyfob form factor
• RSA and others have produced nearly 250 million security tokens
 
• Many of the Hardware tokens have smart phone app equivalents
• Yubico‘s YubiKey

 

• USB Interface / Detects as a USB Keyboard making it compatible with anything that can use a USB keyboard
• Currently cost $25 per key with bulk discounts available. No other licensing fee required.
• Uses the Open Yubikey-OTP by default, but can be configured to function in other modes, such as OATH-HOTP
• Use AES-128 encryption.
• Contains no persistent clock or battery so it does not support time based OTP generation without a “helper app”
• By default, they are programmed at the factory with a password the is known by YubiCo. They can be reprogrammed with a free application with a new password, but it can then only function within the local implementation.
• The key itself is write only, so configuration data cannot be read from the key.
• Modes: Yubikey-OTP, OATH-HOTP, Challenge/Response, Static Password.
• YubiRADIUS is a free authentication solution for authentication locally and not via the YubiCo server, such as in an enterprise.
 
• Google Authenticator

 

• Google Authenticator is a mobile application that allows you to enable 2-step verification on your mobile device
• Open/Source free app
• The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
• These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.
• TOTP code changes every 30 seconds
• Supported Devices
• Android version 2.1 or later
• BlackBerry OS 4.5 - 6.0
• Apple iOS 3.1.3 or later
• Popular sites supporting Google Authenticator include
• LastPass
• DropBox
• WordPress
• Drupal