stasinia at msoe.edu
Mon Oct 23 19:26:53 UTC 2006
That is true for strip card (credit card style) and simple prox cards.
But what I have been seeing more often is that companies are using the
smart card and wireless smart card variety for high security areas. So
instead of having a card that will always return the same value (making
it easy to duplicate) the smart cards will use good old fashion PKI to
mutually authenticate the card to the reader and the reader to the card.
This way, the card won't give out its security information until the
card reader is verified to be a legit member of the security system. In
addition to this, I am seeing a push to go with 2 factor authentication,
so you need the card plus some sort of biometrics. This way, if you
lose the card, it is useless unless the criminal also managed to chop
off your thumb.
But if you are AT&T and have spend millions of dollars on equipping all
your COs with swipe readers because you got sick of having rekey the
locks every time someone lost a key; so when stuck with the choice of
replacing all of your COs' security equipment with something more
secure, or creating blanket polices, creating a policy is cheaper.
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Sent: Monday, October 23, 2006 1:34 PM
To: Roland Perry
Cc: nanog at merit.edu
Subject: Re: Collocation Access
On Oct 23, 2006, at 10:57 AM, Roland Perry wrote:
> In article <20061023103731.W56322 at iama.hypergeek.net>, John A.
> Kilpatrick <john at hypergeek.net> writes
>>> The fellow I chatted with at AT&T said they are not allowed to hand
>>> over their badge because it would compromise their security.
>> My tech said the same thing. That keycard could grant central office
> On its own? No keycode or anything. What if he lost it?
>> so he couldn't surrender it.
> But presumably it would need to be stolen. Wouldn't the tech notice
> that happening... Or is there some way the colo security guy can clone
> it undetected?
These are trivial to clone -- all you need is a reader hooked up to a PC
and you can read the number off the card. You can then buy a batch of
cards that cover the serial numbers that you are interested in (no, I
don't really understand WHY you can buy numbered ranges, but you can...)
The other alternative is something like: http://cq.cx/proxmark3.pl This
device will read and clone a large number of proximity cards -- you
don't even need real access to the card, all you need to do is brush up
against the cardholder with the antenna cincealed in your pocket....
> Roland Perry
If the bad guys have copies of your MD5 passwords, then you have way
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen
More information about the NANOG