Re: CRIME Article on Magic Lantern from ZDNET

From: Crispin Cowan (crispin@private)
Date: Sat Dec 08 2001 - 13:44:57 PST


    Alan wrote:
    
    >>Dr. Crispie's recommended recipes for proper authentication:
    >>
    >>    * Never use plain old passwords sent in the clear. Common examples
    >>      include:
    >>          * telnet
    >>          * non-SSL web forms
    >>
    >Also "authenticated pages" on web sites that use "Basic Authentication". The 
    >password is encoded, not encrypted. (Base-64, if I remember correctly.)
    >
    I'm not familiar with "Basic Authentication"; how would I know when 
    someone is pushing it at me?
    
    >Also avoid protocols that have been broken, like 802.11b wireless encryption.
    >
    Just assume that the transitive closure of all machines connected to 
    802.11b are outside of your firewall, and you'll be fine :-) Firewalls 
    have had degrading security values for years, and 802.11b is a great big 
    pothole in their security value.  It is hugely convenient to wire an 
    office with WaveLAN, but (since 802.11b authentication was cracked) it 
    is now impractical to firewall such a LAN. Therefore, all machines that 
    are on a network that has 802.11b on it should:
    
        * use VPNs or crypto tunnels such as SSH for anything sensitive
        * be "naked on the Internet" secure against attack
    
    Anyone wanna buy an Immunix system? :-)
    
    >Unless the server is compromised.  Then you are SOL.
    >
    Agreed.  Buy Immunix :-)
    
    >I thought they found weaknesses in SecureID.  I will have to check my
    >archives.
    >
    They did, but it's pretty arcane. With a big pile of hardware, you can 
    extract the private key from a stolen secureID card, based on watching 
    the chip's power consumption as it does the thousand-bit multiplies for 
    RSA modular exponentiation. Practical solution: freak out if a user 
    reports a card stolen and revoke their key on all your servers. You can 
    probably get this done before the attacker cracks the card.
    
    >There are also hardware ID devices like iButton and smart card authentication 
    >combined.
    >
    There are also USB dongles that claim to be secure storage for PKI keys. 
    However, I'm unclear on how the human authenticates to the iButton or 
    the dongle. If there is no such authentication, then the attacker can 
    just steal the token to get access, i.e. it's not really 2-factor. 
    Anyone actually tried one? Is there a 2nd factor to authenticate the 
    human to the token?
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
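
Added example, not part of the original message and not written by either poster: one way to recognize HTTP Basic Authentication on the wire and to confirm that its credential is only base64-encoded. The sample response, the sample header and the function names are constructed for illustration, and the parser assumes one challenge per WWW-Authenticate header.

```python
import base64

# Constructed sample traffic (not taken from the thread).
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="staff"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_REQUEST_HEADER = "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode()


def challenge_schemes(raw_response):
    """Return the auth schemes offered in a response's WWW-Authenticate headers."""
    schemes = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            # Assumption: one challenge per header; the scheme is its first token.
            schemes.append(value.strip().split(None, 1)[0].lower())
    return schemes


def decode_basic(header_line):
    """Recover (user, password) from an 'Authorization: Basic ...' header, else None."""
    name, _, value = header_line.partition(":")
    parts = value.strip().split(None, 1)
    if name.strip().lower() != "authorization" or len(parts) != 2:
        return None
    if parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit(raw_response, over_tls):
    """Classify a response: Basic is only as private as the transport carrying it."""
    if "basic" not in challenge_schemes(raw_response):
        return "no Basic challenge"
    return "Basic over TLS" if over_tls else "Basic in cleartext: password recoverable"


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE, over_tls=False))
    print(decode_basic(SAMPLE_REQUEST_HEADER))
```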
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:55 PDT