Thursday, June 18, 2009

Upgrade yourself @ 30 years old



I am 30 years old and honestly I feel more fit than I was like 5 to 6 years ago. I think I am in the best shape of my life, both physically and mentally.

I grapple, I wrestle, I box, I jog, I ride skateboards, I read a lot of networking, programming, and quantum physics books, all in a span of 7 days. Could it be possible that my physical and mental being has improved despite aging? I could never do all this 5 to 6 years ago; I got tired easily, and my patience for reading and digesting complex concepts was absolutely horrible. Now, I can read a book for the first time and absorb its content without going back to it and reading it again. I never even imagined I could learn to write code! Now, I am creating my own Cisco IOS simulator using Python and thinking of porting it as a Java Applet.

Whatever it is I'm doing, I am sticking to it. I think it's my positive outlook in all things in life that is helping me a lot.

Dreaming while awake of things I want to accomplish and acquire is also helping me push harder to achieve them. A man without a dream will never reach his potential.

Good thing it's Friday; I can now work on my Fakie 180 Ollies. Hell, there's even a 4-set of stairs in a park nearby that I am trying to ollie. The young kids, around 15 to 18 years old, who skate at that park can easily ollie and kickflip that 4-set of stairs without breaking a sweat. If they can do it, I can do it. I will even do it better, in style; style comes with age :-)



Sunday, June 14, 2009

Multi-Factor Authentication FTW!

Two-factor authentication is old-school now; it has served its purpose in the past. Bank institutions that offer on-line banking to their customers should think beyond two-factor: why not make it multi-factor authentication?

The current safeguards, standards, policies and other techniques to mitigate on-line banking fraud cannot keep up with the meteoric rise of tools to commit fraud. A simple kid struck by the hacking curiosity phenomenon (thanks to Hollywood of course) can easily just search Google for the keywords "hacking tools download" and voila, links and links on where to download them and how to use them. In the past, one needed to understand how to write code and navigate the command line interface; today, it's the age of point and click cracking. Thank goodness for that rich, easy to use graphical user interface.

As security expert Bruce Schneier recommended, Bank institutions should focus on authenticating the transaction itself and not the identity of the individual. Identity information theft is so easy to accomplish nowadays. Crackers owe MySpace, Friendster, Facebook and LinkedIn a lot. There is no need to do serious underground data mining work; almost all personal and private information is tucked inside social networking website user profiles. You will be amazed at the high number of people setting their profile to public, exposing all their family pictures and personal information to the world wide weird.

Focusing on authenticating the actual on-line bank transaction is indeed a better way of controlling fraud.

Below is a sample Multi-Factor Authentication Process that Bank institutions can utilize:

1. Bank provides a secure login page for customer username, account number and password input.
2. Bank server checks the source public IP address and the computer OS and/or MAC address of the transaction, which I am calling the "on-line transaction signature", logs the transaction attempt, and checks against that account owner's database of logins whether this IP address and other transaction signature have already been used in the past.
3. If the public IP address is not listed, or the computer OS signature and/or MAC address does not match or is not in the database for that account owner, this triggers an alert to the Bank Customer Support Anti-Fraud Agents, who call the customer on his listed telephone numbers for transaction verification.
4. If the customer cannot be reached, the transaction is denied by default.
5. If the Bank Agent is able to contact the customer, the Bank Customer Support Anti-Fraud Agent then asks the customer a series of challenge questions to verify the customer's identity.
6. As the customer answers the challenge questions, voice recognition software runs in the background of the Bank Agent's telephone and analyzes the voice signature of the customer. The voice recognition signature software is the safeguard against impersonation attempts.
7. If the customer provides correct answers to the challenge questions and passes the voice signature match, the customer is authenticated and authorized and the transaction is allowed.
8. All transaction logs, denied or authenticated, are stored on a secure server and mirrored on a hot-site server.
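
The decision flow in the list above, as an added Python example that is not from the original post. The names `Signature`, `Callback`, `Account` and `decide` are hypothetical, the outcome of the agent's phone call is passed in as data, and the MAC field is assumed to come from a client-side agent, because a server does not see a remote client's MAC address across routed networks.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Signature:
    """The post's "on-line transaction signature"."""
    ip: str
    os: str
    mac: str = ""  # assumption: supplied by a client-side agent, if at all

@dataclass
class Callback:
    """What the anti-fraud agent recorded during the phone call."""
    reached: bool
    answers_ok: bool = False
    voice_ok: bool = False

@dataclass
class Account:
    known: set = field(default_factory=set)   # signatures from past logins
    log: list = field(default_factory=list)   # stand-in for the mirrored log store

def decide(acct: Account, sig: Signature, creds_ok: bool,
           call: Optional[Callback] = None) -> tuple:
    """Return (decision, reason); every attempt is logged, allowed or not."""
    if not creds_ok:
        result = ("deny", "bad credentials")
    elif sig in acct.known:
        result = ("allow", "signature seen on a past login")
    elif call is None:
        result = ("hold", "unknown signature: alert anti-fraud agent")
    elif not call.reached:
        result = ("deny", "customer unreachable, denied by default")
    elif not call.answers_ok:
        result = ("deny", "challenge questions failed")
    elif not call.voice_ok:
        result = ("deny", "voice signature mismatch")
    else:
        acct.known.add(sig)  # assumption: a verified signature joins the history
        result = ("allow", "verified by call-back")
    acct.log.append((sig, *result))
    return result

if __name__ == "__main__":
    # Constructed sample data (documentation-range IP addresses).
    home = Signature("203.0.113.10", "Windows XP")
    cafe = Signature("198.51.100.7", "Linux")
    acct = Account(known={home})
    print(decide(acct, home, True))
    print(decide(acct, cafe, True))
    print(decide(acct, cafe, True, Callback(reached=False)))
    print(decide(acct, cafe, True, Callback(True, True, True)))
```

A "hold" result means the transaction waits for the call-back; calling `decide` again with the `Callback` record resolves it to allow or deny.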

Although possible, it will be very difficult even for the smartest social engineer to get through this multi-step authentication. The tedious process will make them think twice. I know many of you will react that this makes on-line banking tedious, which basically defeats the purpose of on-line banking, but I'd rather spend a couple of extra minutes doing secure on-line banking than opt for a fast method that opens the process to a lot of back doors for evildoers to come in.

Bank institutions should go above and beyond in protecting the investments of their depositors. They should invest serious money in research and development of the latest technology in transport layer security, cryptography and other safeguard mechanisms, as well as in improving standard policies and procedures. They, not the depositors, should be liable for every on-line transaction fraud that involves one of their accounts, because they should have complete control of a transaction that involves their network. All money matters should be taken seriously, no matter how small the amount is. This multi-factor authentication is one serious approach to curb the rise of on-line bank transaction fraud.









Thursday, June 4, 2009

IP Artificial Intelligence Module: The Center of Your IP Network

In about 20 years or maybe less, we should have already created an Artificial Intelligence (A.I.) module that plugs into our IP network. The sole purpose of this A.I. IP module is automated governance of the multiple Wide Area Networks (WAN) of the future.

This A.I. IP module will be so advanced that it will not rely solely on hardware power to completely manage your interconnected network devices. I believe this A.I. module will contain sophisticated coding techniques that someone will discover someday. A.I. technology has been around for so long that this should not take long to be discovered.

A sophisticated A.I. module for a computer network will act as the central control, no matter how many nodes you have on it. It can apply a simple code tagging technique to a specific packet or traffic flow and keep track of the signature, payload, and behavior in its almost infinite database. The packet infrastructure of IP networks will evolve beyond IPv6.

No, this is not SkyNet. It will not be sentient; it will only follow what it has in its code.


A playground for network security enthusiasts, innovators and early adopters


Welcome to my blog, this is me thinking out loud about Voice over IP security (VoIP), managing and optimizing converged networks, Metasploit Framework, Cloud Computing, general security and privacy concerns, grappling adventures, and tuning my MKIV VW Jetta.

All input, feedback and violent reactions are welcome.

Packet Boy Perseus
Helping spread a positive image why we hack things.

About Me

I am an InfoSec Innovator, a Blue Ocean Seafarer and a Paul Graham Pupil.