Key-Genius Leverages Yubikey to Secure Web-Logins
So I was listening to another Security Now podcast and heard about a promising new authentication technology designed by Yubico that generates asynchronous one-time passwords with a simple push of a button. The device can authenticate against the maker’s servers or your own. The device itself registers as a USB keyboard and is therefore compatible with most computers. The device costs less than $25 each, with discounts for bulk purchases.
Key Genius is a product that leverages the Yubikey to provide a more secure platform for logging into websites. It recently won an award in the Yubiking competition, in partnership with Security Now. The site stores site-specific passwords in an encrypted database, and, using a browser extension, responds to valid Yubikey passwords by automatically inserting the correct password for the site. Usernames are not stored by Key Genius at all, so it’s up to the user to supply them to the website in question. This is actually a good thing, as a compromise of the Key Genius database cannot in and of itself reveal a user’s logon credentials. This is a neat product that not only enhances convenience, but does so in a secure manner.
YouTube EDU
Sure, this is old news, but I didn’t hear about it until recently. YouTube’s EDU sub-site features lectures and educational videos from participating educational institutions. Newfound value aside, I still doubt you can get your IT department to unblock YouTube.
Conficker Update
Update: An excellent resource list is available at the Internet Storm Center.
The headline at dailymail.co.uk read “April Fool’s Day computer virus is activated… but fails to cause internet chaos.”
I guess the rumors were unfounded. However, it’s important to note that the virus is still rampant, and so is speculation on the potential uses of such a huge botnet. Some surmise that it might be used to DDOS the crap out of some poor server(s). It might also be used to crack passwords or encryption. Check out http://downadup.org to read more and for removal tools. It’s also a good idea to prepare your network for the possibility of an attack. Don’t be a soft target.
Here are a couple of (read: non-comprehensive) ideas on how to not be a soft target:
- Backup, backup, backup
  - Have systems ready to leap into action if necessary, and keep at least one form of backup offline in case of worst-case scenarios.
  - If you don’t already have a backup strategy in place, it’s time to implement one.
- Control access to your critical services
  - Enforce strong passwords – or better yet, employ multi-factor authentication. PPP is a strong candidate for the thrifty.
  - Audit your users – does that guy who quit last year still have an active user account? Do your non-administrative users have access to critical servers?
  - Use fail2ban or iptables to detect and drop password-guessing attacks – even with 10 million+ IPs to choose from, it’s not easy to crack a password/one-time password combination when you only get 3 tries per IP.
- Watch your traffic (not really a botnet vulnerability, but good practice in general):
  - Control your legacy services – seriously, it’s time to retire telnet and other services that transmit passwords in cleartext.
  - https > http – especially when it comes to passwords. Don’t allow users the ability to transmit passwords over http.
- etc…
I’ve hardly compiled a comprehensive list, and I welcome comments for other good practices, but the most important takeaway is to be cognizant of your security stance. Don’t make it easy for the bad guys.
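To make the "3 tries per IP" idea concrete, here is a small detector in the spirit of fail2ban's maxretry/findtime rule. It is an added example, not fail2ban's code and not part of the original post: it parses sshd-style "Failed password" lines, counts failures per source IP inside a sliding time window, and produces the iptables drop commands an admin would review before applying. The log lines are constructed for the example, and the sshd message format and the 2009 year used for syslog timestamps are assumptions.

```python
"""Sliding-window detection of password-guessing attempts per source IP.

Added example, not part of the original post or of fail2ban. Assumes
sshd-style syslog lines; the sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 198.51.100.7 hammers root in
# seconds; 203.0.113.9 is a user who mistyped once; 192.0.2.44 is a slow
# guesser spacing attempts an hour apart to slip under a short window.
SAMPLE_LOG = """\
Apr  1 10:00:01 gw sshd[2311]: Failed password for root from 198.51.100.7 port 51122 ssh2
Apr  1 10:00:03 gw sshd[2313]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Apr  1 10:00:04 gw sshd[2315]: Failed password for root from 198.51.100.7 port 51140 ssh2
Apr  1 10:00:09 gw sshd[2319]: Failed password for root from 198.51.100.7 port 51151 ssh2
Apr  1 10:02:30 gw sshd[2350]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Apr  1 10:02:35 gw sshd[2352]: Accepted password for alice from 203.0.113.9 port 40001 ssh2
Apr  1 10:30:00 gw sshd[2400]: Failed password for bob from 192.0.2.44 port 42000 ssh2
Apr  1 11:30:00 gw sshd[2500]: Failed password for bob from 192.0.2.44 port 42001 ssh2
Apr  1 12:30:00 gw sshd[2600]: Failed password for bob from 192.0.2.44 port 42002 ssh2
Apr  1 13:30:00 gw sshd[2700]: Failed password for bob from 192.0.2.44 port 42003 ssh2
"""

# Matches only failed attempts; "Accepted password" lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: failures_in_window} for every IP that reaches `maxretry`
    failures within any `findtime`-long window (fail2ban's rule, simplified)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if match:
            failures[match["ip"]].append(parse_ts(match["ts"]))

    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside findtime.
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = end - start + 1
                break
    return offenders


def ban_commands(offenders, chain="INPUT"):
    """Render (not execute) the iptables rules for review by an admin."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for cmd in ban_commands(hits):
        print(cmd)
```

Note what the constructed log shows: the fast guesser is caught on its third failure, the legitimate user who mistyped once is left alone, and the slow guesser spacing attempts an hour apart is invisible to a ten-minute window. Widening `findtime` catches the slow one too, which is the trade-off to tune for your own traffic; the one-time-password half of the post's advice is what makes even an undetected slow guesser's odds hopeless.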
Conficker
If you haven’t heard about the growing population of Windows machines hosting this prolific worm, educate yourself, particularly if you run Windows networks. This worm has been spreading like the plague since at least November 2008, and is presently estimated as having infected about 10 million machines. That’s a big botnet. It’s an active one too, regularly “dialing home” to now over 50,000 domains to receive updates. Its variants spread through various media, and favor network shares and USB drives.
If you can stand the gripes from your users, disabling Autorun through a forced registry setting (scripts, custom-built ADM) is not a bad idea in general; so what if they have to open the folder and double-click the executable that’s likely in the top-level directory anyway? Read the CERT/CC blog for more about this workaround. Of key importance is that, for whatever reason, the setting in HKCU overrides the HKLM setting. It may go without saying, but your best bet is to cover both fronts.
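The "cover both fronts" point is easy to get wrong, so here is an added example (not code from the original post or from CERT/CC) that models the precedence the post describes and reports which drive types are still allowed to AutoRun. It assumes the forced setting in question is the NoDriveTypeAutoRun DWORD under the Policies\Explorer key, that its bits follow the Windows drive-type numbering (0x04 removable, 0x10 network, 0x20 CD-ROM, 0xFF everything), that an HKCU value overrides HKLM as the post states, and that an absent value disables nothing; the live registry read only runs on Windows and is optional.

```python
"""Effective Autorun policy across HKLM and HKCU, plus a .reg that sets both.

Added example, not part of the original post. The value name, key path,
bit meanings and the HKCU-over-HKLM precedence are assumptions stated in
the lead-in; treat an absent value as "nothing disabled" (also assumed).
"""
import sys

POLICY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
DISABLE_ALL = 0xFF

# One bit per Windows drive type; a set bit means AutoRun is disabled there.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}


def effective_mask(hklm, hkcu):
    """HKCU wins when present (as the post describes), else HKLM, else 0."""
    if hkcu is not None:
        return hkcu
    if hklm is not None:
        return hklm
    return 0x00


def disabled_types(mask):
    """Drive types whose AutoRun the mask turns off."""
    return sorted(name for name, bit in DRIVE_BITS.items() if mask & bit)


def gaps(hklm, hkcu):
    """Drive types still allowed to AutoRun under the effective policy.
    An empty list means both fronts are covered for this user."""
    mask = effective_mask(hklm, hkcu)
    return sorted(name for name, bit in DRIVE_BITS.items() if not mask & bit)


def reg_file():
    """Text of a .reg file forcing 0xFF in both hives, ready for regedit /s."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        lines += [f"[{hive}\\{POLICY_PATH}]",
                  f'"{VALUE_NAME}"=dword:{DISABLE_ALL:08x}', ""]
    return "\n".join(lines)


def read_windows_policy():
    """Read (hklm, hkcu) from a live Windows box; None marks an absent value.
    Returns (None, None) on other platforms so the module still imports."""
    if sys.platform != "win32":
        return None, None
    import winreg  # stdlib, Windows only
    found = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(root, POLICY_PATH) as key:
                found.append(winreg.QueryValueEx(key, VALUE_NAME)[0])
        except OSError:
            found.append(None)
    return tuple(found)


if __name__ == "__main__":
    hklm, hkcu = read_windows_policy()
    print("effective mask: 0x%02x" % effective_mask(hklm, hkcu))
    print("still allowed:", gaps(hklm, hkcu) or "none")
    print(reg_file())
```

The interesting case is a machine where an admin pushed 0xFF to HKLM but a user profile carries a looser value such as 0x95 in HKCU: the machine-wide lockdown is undone for that user and fixed, CD-ROM and RAM-disk drives remain open, which is exactly why the post says to set both hives.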
If your network is infected presently, the following site hosted by BitDefender has a good list of symptoms to look for. In addition, the company has recently published both a single-workstation tool and a network tool to remove the worm from your computers. You can find these resources at http://downadup.org/.
Cloud Hosting != Unbreakable
When Microsoft launched their cloud-based operating system last October, they branded it “Azure,” I suppose as a reference to the blue skies that supposedly hold these clouds.
According to Tier1 Research’s A. Piraino, Azure suffered a 22-hour outage this weekend when a (speculatively) software-related glitch caused instances to suddenly stop responding. While Microsoft has yet to release the results of a root cause analysis, one can envision a NOC with stacks of monitors displaying Blue Screens of Death. Or rather, Azure Screens of Death.
To be fair, Microsoft Azure is still in “Technology Preview,” which is to say, pre-production. And other cloud computing platforms have suffered similar outages in their infancy as well. Amazon Web Services suffered a seven hour outage in July from faulty load balancers. Google systems were brought down twice in the past six months.
The problem isn’t that the architecture doesn’t work as planned. The problem is that no amount of planning will cover every situation that can, and will, occur. Failures of critical components become huge issues in virtualized applications, because that many more (virtual) instances require the services of those components. Though a system can have n levels of redundancy built into it, ultimately, there is no such thing as a completely unbreakable system.
Folks tend to get excited about cloud computing because they envision a future of virtualized applications zipping around in a grid computing infrastructure, never failing, never dying. Even in more traditional environments, people get excited about centralized storage, and the joys of instant snapshots and multiple layers of redundancy. Though these technologies are exciting and bring with them new avenues for innovation, uniform architectures share uniform faults. Diversity in architecture is an important consideration when you’re building fault tolerance into your system.
Another important consideration is this: the more power we place in the hands of an administrator, the more damage he can do when he goofs. And he will goof. We all goof once in a while. Take, for example, Flexiscale, who ate a five-day outage because of one such goof. The more we consolidate technology, the more vulnerable we are if something that should never happen, happens.
The takeaway is simple. Take the promises of new technology with a grain of salt. And even if the skies are blue, pack an umbrella just in case.