NYCPHP Meetup

NYPHP.org

[joomla] The $10 logon password protections solution

Gary A. Mort - freelance Joomla/PHP coder joomla+2012 at gary.mort.net
Mon Sep 24 12:43:45 EDT 2012


     I just got off the phone with Marian - I'm a bit bummed that I wasn't
able to stay for the last part of the meeting as security is something that
really interests me - especially as I am directly at odds with the "common
wisdom" of security "professionals".*1
 
 In any case, she said there was a discussion of key loggers and how to
make yourself secure from them.  There is an extremely simple mechanism -
it's called a 'one time key'.  The most popular is the one used by both
Google and Amazon - TOTP.
 
 In a nutshell, when you go to log onto your Google or Amazon account when
you have enabled TOTP, in addition to your password you will also need to
enter your "one time code".  This code is generated by a program and is
based on:
 1) A preconfigured computer generated hash
 2) The time
 
 As both sides in the equation[Google and your device] know the current
time and the hash, they can create a code which will only work for the next
2 minutes.  After that, to logon you need to generate a new code.
 
 So, how do YOU get that code to enter?
 Well, if you have a smart phone - the answer is sitting in your pocket. 
Both Amazon and Google have released applications for the iPhone, the
Android, and the Blackberry which can be used to generate that code.
 http://aws.amazon.com/mfa/
 http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
 
 Once installed and configured, you simply load the application every time
you want to log on and it will tell you the current code.  Type the code in
and you're good to go.
 
 But what if you don't want to depend on your smartphone?  It's just a
little application, and there are many versions of the application out
there for a PC or Mac...[I didn't bother to include Linux because this is a
geek toy - it's a given that there are at least 100,000 applications on the
internet which will run on Linux and generate a code for you]
 
 Now I'm lazy...  I really really despise the idea of copying a code every
time I want to log on to something.  So I won't use those above apps.  But
have faith, even for lazy people like me there is a solution.  Someone can
take all that code for generating the key and stick it on a little
micro-processor the size of a usb thumb drive[and with a convenient usb
connector].  Even better, they program it to pretend to be a keyboard with
1 function - output.  So your computer thinks it's a keyboard, and when you
press the button it enters the code.  So simply place the cursor in the
logon field box for the code, press the button, and you can logon.  As an
added benefit, the code is completely hidden from keyloggers[because a key
logger is a device that is placed in between a keyboard and the computer. 
It can only log the traffic that comes through it - from the keyboard
itself.  Not from any additional keyboards].
 
 The downside is, these little code generators are expensive.  Typically
they cost 10+ and only work for a specific company.  I.e., an Amazon fob
only works on Amazon.  A Google MFA fob only works on Google... or does it?
 
 Go to your Joomla backend Admin.  Go to the plugins page and pull up the
authentication plugins...Joomla! comes with built in support for Google
Authentication.  Problem solved.  While your Joomla site can't use the code
generated to logon, if it allows you to logon using your Google credentials
- you can simply use a Google Fob on your Google Account and you get all
this for free[or for under $20 if buying a fob from somewhere]
 
 Hey, didn't I say there was a $10 solution?    Well, this takes a bit more
work.  Using off the shelf, open source hardware and software [most
importantly the Texas Instruments Launchpad]  you can build your own code
generator for under $10.  I promised Marian that I'd bring a copy of my
TOTP generator[built on the mega expensive Texas Instruments Launchpad...a
whole five dollars!!] to the next meeting to give away in the raffle.  For
those of you who don't want to take a chance on the raffle, Spark Fun
sells them for $6 https://www.sparkfun.com/products/10020 - bring it to the
next meeting and I'll give you the code to load onto it, your Joomla site,
and your Chrome web browser.
 
 And if you REALLY want a more "professional" looking device, send me email
at msp430 at gary.mort.net and I'll give you the
link to my kickstarter project to fund turning all those open source
schematics into an open source thumbdrive design and getting a run of
prototypes done that can work for any Joomla website[or more accurately,
any Joomla website with the authentication extension installed].