nanog mailing list archives
RE: Collocation Access
From: "Stasiniewicz, Adam" <stasinia () msoe edu>
Date: Mon, 23 Oct 2006 14:26:53 -0500
That is true for strip card (credit card style) and simple prox cards. But what I have been seeing more often is that companies are using the smart card and wireless smart card variety for high security areas. So instead of having a card that will always return the same value (making it easy to duplicate) the smart cards will use good old fashion PKI to mutually authenticate the card to the reader and the reader to the card. This way, the card won't give out its security information until the card reader is verified to be a legit member of the security system. In addition to this, I am seeing a push to go with 2 factor authentication, so you need the card plus some sort of biometrics. This way, if you lose the card, it is useless unless the criminal also managed to chop off your thumb. But if you are AT&T and have spend millions of dollars on equipping all your COs with swipe readers because you got sick of having rekey the locks every time someone lost a key; so when stuck with the choice of replacing all of your COs' security equipment with something more secure, or creating blanket polices, creating a policy is cheaper. My $.02 Adam Stasiniewicz -----Original Message----- From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Warren Kumari Sent: Monday, October 23, 2006 1:34 PM To: Roland Perry Cc: nanog () merit edu Subject: Re: Collocation Access On Oct 23, 2006, at 10:57 AM, Roland Perry wrote:
In article <20061023103731.W56322 () iama hypergeek net>, John A. Kilpatrick <john () hypergeek net> writesThe fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.My tech said the same thing. That keycard could grant central office
accessOn its own? No keycode or anything. What if he lost it?so he couldn't surrender it.But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone
it undetected?
These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...) The other alternative is something like: http://cq.cx/proxmark3.pl This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna cincealed in your pocket....
-- Roland Perry
-- If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. -- Richard A Steenbergen
Current thread:
- Re: Did Cogent & L3 de-peer again?, (continued)
- Re: Did Cogent & L3 de-peer again? Patrick W. Gilmore (Oct 23)
- RE: Collocation Access Alex Rubenstein (Oct 23)
- Re: Collocation Access Etaoin Shrdlu (Oct 23)
- Re: Collocation Access Roland Perry (Oct 23)
- RE: Collocation Access Craig Holland (Oct 23)
- RE: Collocation Access John A. Kilpatrick (Oct 23)
- Re: Collocation Access Roland Perry (Oct 23)
- Re: Collocation Access John A. Kilpatrick (Oct 23)
- Re: Collocation Access Roland Perry (Oct 23)
- Re: Collocation Access Warren Kumari (Oct 23)
- RE: Collocation Access Stasiniewicz, Adam (Oct 23)
- Re: Collocation Access Henry Yen (Oct 23)
- Re: Collocation Access Etaoin Shrdlu (Oct 23)
- Re: Collocation Access Jim Popovitch (Oct 23)
- RE: Collocation Access David Schwartz (Oct 23)
- RE: Collocation Access Daniel Senie (Oct 23)
- RE: Collocation Access Randy Epstein (Oct 24)
- RE: Collocation Access Michael . Dillon (Oct 24)
- Re: Collocation Access Roland Perry (Oct 24)
- RE: Collocation Access David Schwartz (Oct 24)
- Re: Collocation Access Larry Smith (Oct 24)
- RE: Collocation Access David Schwartz (Oct 24)