Tuesday, March 25, 2008

Part 1: Two-Factor Authentication?!?

Recently, I was reading an article on One Time Passwords in an IT security magazine called hakin9, entitled "One Time Passwords - New Dimensions in Security". Details of the magazine can be found at http://hakin9.org/. I decided to share some of the contents of the article, with an example of what two-factor authentication is about in the Singapore context. This will be a simple two-part series on two-factor authentication.

As most Singaporeans may have experienced by now with Internet banking, there is a security device that displays a 6-digit number that is required each time you log on for Internet banking. An example is the DBS iB secure device shown in the picture (compliments of DBS). This is an example of two-factor authentication, where both a password/PIN from the user and the unique 6-digit number shown on the DBS iB secure device are required. I will now go a bit further into the technology behind this simple login step and how it adds another layer of security for people.

Traditionally, a static password and a username have been used to access available resources. This is no longer sufficient in today's environment and has led to better authentication methods for both online and offline resources. Thus One Time Password (OTP) technology, which generates and displays a unique password that is only valid for a short while, was added to the authentication process. Verification of user credentials and access to resources is done in a safe, simple and efficient way using OTP technology.

The idea of OTP is the brainchild of Leslie Lamport. There are now basically two main types of one-time password: the first is based on time synchronization between the authentication server and the client providing the password; in the second, the new password is based on a challenge (e.g. a random number chosen by the authentication server, or transaction details) and a counter, instead of on the previous password.
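As an added illustration (not from the hakin9 article or this post), the two ideas above in Python: Lamport's hash-chain OTP, where each password is the preimage of the previously accepted one, and an HMAC-based time-synchronised 6-digit code of the kind RFC 4226/6238 standardise. The seed and key are constructed test values, not any bank's or token vendor's.

```python
import hashlib
import hmac
import struct

# --- Lamport hash-chain OTP (the scheme the post attributes to Lamport) ---
# The client derives a chain h^0(seed), h^1(seed), ..., h^n(seed) with
# h = SHA-256 and registers only h^n with the server. Each login reveals the
# next value walking *backwards* along the chain, so the server can check
# sha256(otp) == stored value without ever holding the seed.

def lamport_chain(seed: bytes, n: int) -> list:
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain

class LamportVerifier:
    def __init__(self, anchor: bytes):
        self.current = anchor  # h^n(seed), registered at enrolment

    def verify(self, otp: bytes) -> bool:
        # A replayed password fails: its hash is no longer the stored value.
        if hashlib.sha256(otp).digest() != self.current:
            return False
        self.current = otp  # next expected password is the preimage of this one
        return True

# --- Time-synchronised 6-digit code (HOTP/TOTP-style, RFC 4226/6238) ---
# Server and token share a secret key and a clock; the counter is the number
# of 30-second steps since the epoch. KEY is the RFC 4226 test secret, not a
# real device's.

KEY = b"12345678901234567890"

def time_code(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_time_code(key: bytes, unix_time: int, code: str, skew_steps: int = 1) -> bool:
    # Server side: tolerate +-skew_steps windows of clock drift between the
    # token and the server, and compare in constant time.
    return any(hmac.compare_digest(time_code(key, unix_time + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))
```

The time-based code is why a bank's device and server can agree on a number without talking to each other: both only need the shared key and roughly the same clock.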

In the next part, I will show examples of OTP products and their suppliers, with an example of the OTP generation process.

References:
hakin9 Issue2/2008 "One Time Passwords - New Dimensions in Security" by Rajesh Mago
http://en.wikipedia.org/wiki/One-time_password

Tuesday, March 11, 2008

Microsoft finally patched it..

Remember my previous blog posting on 17 Jan 08 on the vulnerability in Microsoft Excel ("Vulnerability in Microsoft Excel...."). It was a critical vulnerability that allowed a remote user to execute arbitrary code on the target user's system.

After 2 months, Microsoft finally released a patch for the vulnerability. On the March monthly Black Tuesday, they released 4 critical patches.

Microsoft Security Bulletin MS08-014 - Critical (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - 949029) addresses the vulnerability from Microsoft Security Advisory 947563 (Vulnerability in Microsoft Excel Could Allow Remote Code Execution). It took Microsoft more than 2 months (since the vulnerability was announced) to patch a critical vulnerability.

This is just one example of how long Microsoft takes to patch a critical vulnerability. Imagine how much a hacker can do with that vulnerability in 2 months.

Microsoft really "focuses" on secure computing; three "cheers" to Microsoft and Bill Gates. ;P

Related Report:
- Microsoft Security Bulletin Summary for March 2008

Saturday, March 1, 2008

"Lock" your wireless network - WLAN Part 2

In my previous posting ("What is WIFI..?? - WLAN Part 1"), I briefly discussed the WIFI standards and the encryption used. As promised, we will now discuss "best practices" for securing a home or small office WLAN.

1> Secure the administration account of the Access Point (AP)
Always change the default administrator username and use a strong password. Default usernames and passwords are easily available on support websites or forums. Usernames such as "admin" and passwords such as "admin" or "linksys" are commonly used on D-Link or Linksys wireless APs/routers.

Note: Wireless APs/routers do not lock out the account after incorrect logins, so a brute-force attack can be launched against them.

2> Disable remote administration
Remote administration allows anyone on the Internet to reach the wireless AP/router, so hackers all over the world can try to brute-force the administrator account. If remote administration is really required, it should be restricted to specific (authorised) source IP addresses.

Note: Disabling remote administration only reduces the avenues of possible attack, especially from the Internet.

3> Disable SSID broadcast
A service set identifier (SSID) is a name used to identify a particular WLAN. Changing the default SSID and disabling SSID broadcast makes your AP invisible to the casual wireless user: standard wireless software will either not show it or display it as "Unnamed Network", and users will need to enter the correct SSID manually to connect to the network.

Note: The SSID can still be easily sniffed and revealed with a wireless scanner such as NetStumbler or Kismet.

4> Enable MAC filtering
A Media Access Control (MAC) address is a unique hardware address assigned to each network card. MAC filtering restricts access to the AP by individual MAC address. Keeping track of the MAC addresses becomes a problem if there are many wireless devices.

Note: The MAC addresses of legitimate wireless devices can be easily shown using a wireless scanner (such as NetStumbler), and users can easily spoof their MAC address to bypass the filtering. As MAC spoofing is also legitimately used on servers for high availability, MAC spoofing programs are easily downloadable from the Internet.

5> Reduce the transmitting power
Try to keep the wireless signal within your home or office area. This reduces the ability of others to "steal" the wireless network from outside your home or office.

Note: Not all houses or offices are perfectly round, and walls and furniture also affect the signal, so there will be areas outside the office/home where the signal can still be received. A hacker could use a wireless card with an extended antenna to pick up any weak signal.

6> Enable encryption
Encryption should be enabled for the WLAN. WPA2 is the current encryption standard and is recommended. If the AP or wireless card does not support WPA, WEP should at least be implemented; it is always better to have weak encryption than to send all your data in cleartext.

Note: WEP/WPA is still easily hackable (to be demonstrated in a future posting) unless WPA2 with strong authentication (EAP-TLS) is implemented, but it is not feasible for a home user (or even a small office) to maintain an authentication server for their WLAN.

Even though the steps suggested above can be bypassed, they are still recommended to deter casual/novice script kiddies from sniffing and hacking the WLAN. Besides the recommended steps, it is advisable (where possible) to use a cable instead of wireless to access the network. Access to sensitive resources over wireless should also be minimised; if possible, use SSL or a VPN when accessing sensitive resources.