silly password restrictions was:Re: [clug] secure remote access method

[Robert Edwards]

Daniel Pittman wrote:
> jm <jeffm at ghostgun.com> writes:
...
> 
>> Things such as yubico help.
> 
> I don't know; recently it seems that serious security vulnerabilities like
> local reconfiguration of the key without authentication or authorization are
> possible...
> 

I think I should clarify here that Yubikeys _can_ be secured from
reconfiguration when reprogrammed with locally known AES 128-bit keys
and IDs. As they are shipped from Yubico, they have a factory preset
key and set of IDs that are really only there for demo and proof of
concept. I don't really think that Yubico are anticipating that anyone
would seriously use Yubikeys authenticating against their public
servers. They really expect you to reprogram them for real use.

The problem is not reconfiguring a Yubikey - that is made "safe" by
requiring the secret AES 128-bit key for reprogramming.

The problem is your system allowing anyone to plug in an arbitrary USB 
device in the first place. That USB device could masquerade as a USB
HID (ie. keyboard or mouse) and send arbitrary key sequences to your
system (eg. "Windows key"->open Internet Explorer->type in a bad
URL->Javascript downloads all your cookies or whatever->close IE...
system compromised - could happen when you aren't looking...). It also
wouldn't be _too_ hard to make such a device look like a Yubikey, but
even easier to make it look like an innocent USB memory stick that
someone accidentally left lying around...

Software or dongle based systems that require rekeying the OTP are
therefore somewhat safer, but somewhat less convenient to use than a
Yubikey.

Cheers,

Bob Edwards.