Key-Genius Leverages Yubikey to Secure Web-Logins
So I was listening to another Security Now podcast and heard about a promising new authentication technology designed by Yubico that generates asynchronous one-time passwords with a simple push of a button. The device can authenticate against the maker's servers or your own. The device itself registers as a USB keyboard and is therefore compatible with most computers. The device costs less than $25 each, with discounts for bulk purchases.
Key Genius is a product that leverages the Yubikey to provide a more secure platform for logging into websites. It recently won an award in the Yubiking competition, run in partnership with Security Now. The service stores site-specific passwords in an encrypted database and, through a browser extension, responds to a valid Yubikey one-time password by automatically inserting the correct password for the site. Usernames are not stored by Key Genius at all, so it's up to the user to supply them to the website in question. This is actually a good thing, as a compromise of the Key Genius database cannot in and of itself yield a complete set of logon credentials. This is a neat product that not only enhances convenience, but does so in a secure manner.
Conficker Update
Update: An excellent resource list is available at the Internet Storm Center.
The headline at dailymail.co.uk read “April Fool’s Day computer virus is activated… but fails to cause internet chaos.”
I guess the rumors were unfounded. However, it's important to note that the worm is still rampant, and so is speculation on the potential uses of such a huge botnet. Some surmise that it might be used to DDoS some poor server(s). It might also be used to crack passwords or encryption. Check out http://downadup.org to read more and for removal tools. It's also a good idea to prepare your network for the possibility of attack. Don't be a soft target.
Here are a couple of (read: non-comprehensive) ideas on how to not be a soft target:
- Backup, backup, backup
  - Have systems ready to leap into action if necessary, and keep at least one form of backup offline in case of worst-case scenarios (a worm that can reach every mounted share can also reach an online backup).
  - If you don't already have a backup strategy in place, it's time to implement one.
- Control access to your critical services
  - Enforce strong passwords, or better yet, employ multi-factor authentication. PPP is a strong candidate for the thrifty.
  - Audit your users: does that guy who quit last year still have an active user account? Do your non-administrative users have access to critical servers?
  - Use fail2ban or iptables to detect and drop password-guessing attacks. Even with 10 million-plus IPs to choose from, it's not easy to crack a password/one-time-password combination when each IP only gets three tries before it is dropped.
- Watch your traffic (not really a botnet-specific measure, but good practice in general):
  - Retire your legacy services. Seriously, it's time to turn off telnet and other services that transmit passwords in cleartext.
  - https > http, especially when it comes to passwords. Don't allow users the ability to transmit passwords over http.
- etc…
I’ve hardly compiled a comprehensive list, and I welcome comments for other good practices, but the most important takeaway is to be cognizant of your security stance. Don’t make it easy for the bad guys.
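To make the "three tries per IP" point concrete, here is an added example (my code, not anything from the post or from the fail2ban project) that implements fail2ban's banning rule in Go: parse sshd failures out of syslog-format lines, ban any source that reaches maxretry failures inside a findtime window, and render the iptables DROP commands such a ban amounts to. The log lines are constructed for the example; the chain name and port are assumptions, and real fail2ban inserts its rules into its own chain rather than straight into INPUT.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample sshd log lines (syslog format); not taken from the
// original post. 203.0.113.5 hammers the box, 198.51.100.7 is a legitimate
// user who fat-fingers one password.
const sampleAuthLog = `Apr  1 10:01:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr  1 10:01:04 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Apr  1 10:01:07 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Apr  1 10:01:09 bastion sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51050 ssh2
Apr  1 10:02:11 bastion sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Apr  1 10:03:15 bastion sshd[2214]: Failed password for bob from 198.51.100.7 port 40020 ssh2
Apr  1 10:03:20 bastion sshd[2216]: Accepted password for bob from 198.51.100.7 port 40021 ssh2`

// Matches the timestamp, the account tried and the source IP of a failed
// password attempt. "invalid user" appears when the account does not exist.
var failedRe = regexp.MustCompile(
	`^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port`)

// Failure is one failed login attempt.
type Failure struct {
	At   time.Time
	User string
	IP   string
}

// ParseFailures extracts failed password attempts from syslog-style text.
// Lines that do not match (successful logins, other daemons) are skipped.
func ParseFailures(log string) []Failure {
	var out []Failure
	for _, line := range strings.Split(log, "\n") {
		m := failedRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// time.Stamp is "Jan _2 15:04:05"; syslog carries no year, so the
		// value parses as year 0, which is fine for computing differences.
		at, err := time.Parse(time.Stamp, m[1])
		if err != nil {
			continue
		}
		out = append(out, Failure{At: at, User: m[2], IP: m[3]})
	}
	return out
}

// Offenders applies fail2ban's rule: an IP is banned once it has maxRetry
// failures inside any window of findTime. The result is sorted so that the
// output is deterministic.
func Offenders(failures []Failure, maxRetry int, findTime time.Duration) []string {
	if maxRetry < 1 {
		maxRetry = 1
	}
	byIP := make(map[string][]time.Time)
	for _, f := range failures {
		byIP[f.IP] = append(byIP[f.IP], f.At)
	}
	var banned []string
	for ip, ts := range byIP {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := maxRetry - 1; i < len(ts); i++ {
			if ts[i].Sub(ts[i-maxRetry+1]) <= findTime {
				banned = append(banned, ip)
				break
			}
		}
	}
	sort.Strings(banned)
	return banned
}

// DropRules renders the iptables command a ban amounts to, one per offender.
// Chain and port are assumptions of this example.
func DropRules(ips []string) []string {
	rules := make([]string, 0, len(ips))
	for _, ip := range ips {
		rules = append(rules, fmt.Sprintf("iptables -I INPUT -s %s -p tcp --dport 22 -j DROP", ip))
	}
	return rules
}

func main() {
	failures := ParseFailures(sampleAuthLog)
	banned := Offenders(failures, 3, 10*time.Minute)
	for _, r := range DropRules(banned) {
		fmt.Println(r)
	}
}
```

Note that bob's single typo never trips the rule, while the attacker is dropped after the third failure of its fourth-attempt burst. Shrinking findtime to a few seconds lets the same attacker through, which is why the window matters as much as the retry count when tuning a jail.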
Conficker
If you haven't heard about the growing population of Windows machines hosting this prolific worm, educate yourself, particularly if you run Windows networks. This worm has been spreading like the plague since at least November 2008, and is presently estimated to have infected about 10 million machines. That's a big botnet. It's an active one too, regularly "dialing home" to a list of rendezvous domains that now exceeds 50,000. Its variants spread through various media, and favor network shares and USB drives.
If you can stand the gripes from your users, disabling Autorun through a forced registry setting (scripts, a custom-built ADM template) is not a bad idea in general. So what if they have to open the folder and double-click the executable that's likely in the top-level directory anyway? Read the CERT/CC blog for more about this workaround. Of key importance is that, for whatever reason, the NoDriveTypeAutoRun setting in HKCU overrides the one in HKLM. It may go without saying, but your best bet is to cover both fronts, and then confirm with a test USB stick that nothing launches on insertion.
If your network is currently infected, the following site, hosted by BitDefender, has a good list of symptoms to look for. In addition, the company has recently published both a single-workstation tool and a network tool to remove the worm from your computers. You can find these resources at http://downadup.org/.
Spear Phishing
So I was listening to APM's Marketplace Money podcast for 20 Mar 2009 today, and I ran across a term that I haven't heard before: spear phishing. A guest from Consumer Reports described it as follows:
"Regular phishing is kind of like throwing a bunch of bait in the water, or chumming for shark or something like that. Spear phishing is a much more targeted type of phishing where the phishers actually get a hold of some of your personal information and design the email or a mailing notice to look that much more legitimate. Whether it's fake emails from the IRS, we've even seen some from Western Union, or reporting to be someone from Western Union, rather. Unfortunately, due to the prevalence of social networking sites like Facebook and others, identity thieves are finding it very easy to find all sorts of personal information that makes spear phishing that much easier." (Edited for clarity)
Homeowners in default are at particular risk, because their mortgage information becomes public, and they make prime targets for scammers purporting to represent the victim in adjusting their mortgage. The victim is instructed to pay a hefty fee for the service and not to contact the lender during the "adjustment process." During this period, the homeowner may end up in foreclosure, at which point the scammer disappears.
An excerpt from the December 2008 release of the FTC's "FTC Facts for Consumers:"
Be Alert to Scams
Scam artists follow the headlines, and know there are homeowners falling behind in their mortgage payments or at risk for foreclosure. Their pitches may sound like a way for you to get out from under, but their intentions are as far from honorable as they can be. They mean to take your money. Among the predatory scams that have been reported are:
- The foreclosure prevention specialist: The “specialist” really is a phony counselor who charges high fees in exchange for making a few phone calls or completing some paperwork that a homeowner could easily do for himself. None of the actions results in saving the home. This scam gives homeowners a false sense of hope, delays them from seeking qualified help, and exposes their personal financial information to a fraudster.
  - Some of these companies even use names with the word HOPE or HOPE NOW in them to confuse borrowers who are looking for assistance from the free 888-995-HOPE hotline.
- The lease/buy back: Homeowners are deceived into signing over the deed to their home to a scam artist who tells them they will be able to remain in the house as a renter and eventually buy it back. Usually, the terms of this scheme are so demanding that the buy-back becomes impossible, the homeowner gets evicted, and the “rescuer” walks off with most or all of the equity.
- The bait-and-switch: Homeowners think they are signing documents to bring the mortgage current. Instead, they are signing over the deed to their home. Homeowners usually don’t know they’ve been scammed until they get an eviction notice.
As always, be skeptical of any unsolicited communication you may receive from anyone claiming to require your sensitive information. And if you are ever in doubt as to the veracity of any phone number, it's a good idea to check a public listing on the organization's official website, or even better, a phone book. You do still get a phone book, don't you?
Multi-Factor Authentication for Cheap
Yes, cheap as in free. Steve Gibson, the superbly geeky old man of SpinRite fame, developed a printed passcode system for multi-factor authentication called Perfect Paper Passwords (PPP). It uses the Rijndael block cipher to generate a sequence of "pseudo-random" passcodes from a secret key, which lets a systems administrator lock down administrative access with very little overhead. Basically, you carry around a credit-card-sized printout, and every time you log in you enter your username, your password, and the next passcode (the login prompt tells you which position on the card it wants). Each passcode is used exactly once, so a passcode that is shoulder-surfed or captured by a keylogger buys the attacker nothing on the next login. The nice thing is that it's free and easy to implement, and it's cake on Debian. It's not ported everywhere, so it's not ubiquitous yet. However, with enough folks pitching in and developing front-ends for it, this system can make your internet-facing systems far harder to break into.
Go to the GRC website to find out more.
PS. Almost forgot. Once you install the PAM module and lock down SSH for your admin accounts, don't forget to disable su for your normal users (on Debian, the pam_wheel module in the PAM configuration for su restricts it to a group you control). They shouldn't need it anyway, but if it is enabled, then all someone has to do is crack a normal user's password and su into your admin account, without ever having to get hold of your passcode card, because the passcode prompt only guards the SSH login path.
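To show how a printed-passcode scheme like the one described above hangs together, here is an added example in Go. It is my illustration, not GRC's code, and it is not the exact PPP specification: the passphrase-to-key derivation, the 64-symbol alphabet, the 10-by-7 card layout and the counter encoding are all assumptions of this example. What it preserves is the structure the post describes: a Rijndael (AES) key turns a counter into a sequence of short passcodes, the cards are just a printout of that sequence, and the server side accepts each passcode once and then moves on.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// 64-symbol alphabet, chosen here to avoid look-alikes (0/O, 1/I/l).
// Constructed for this example; not necessarily the character set GRC uses.
const alphabet = "!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// Card geometry assumed by this example: 10 rows of 7 columns (A-G).
const (
	cardRows = 10
	cardCols = 7
	perCard  = cardRows * cardCols
)

// SequenceKey derives the 256-bit AES key from a passphrase. The key, not
// the cards, is the long-term secret; cards are derived and can be reprinted.
func SequenceKey(passphrase string) [32]byte {
	return sha256.Sum256([]byte(passphrase))
}

// Passcode returns the n-th 4-character passcode: AES-256 (Rijndael with a
// 128-bit block) encrypts the 128-bit big-endian counter n, and the first
// 24 bits of ciphertext are split into four 6-bit indices into the alphabet.
// 64 symbols exactly cover 6 bits, so there is no modulo bias.
func Passcode(key [32]byte, n uint64) string {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // a 32-byte key is always valid for AES-256
	}
	var ctr, out [16]byte
	binary.BigEndian.PutUint64(ctr[8:], n)
	block.Encrypt(out[:], ctr[:])
	v := uint32(out[0])<<16 | uint32(out[1])<<8 | uint32(out[2])
	code := make([]byte, 4)
	for i := 3; i >= 0; i-- {
		code[i] = alphabet[v&63]
		v >>= 6
	}
	return string(code)
}

// Card renders card number cardNo (1-based) as rows of passcodes for printing.
func Card(key [32]byte, cardNo int) [cardRows][cardCols]string {
	var card [cardRows][cardCols]string
	base := uint64(cardNo-1) * perCard
	for r := 0; r < cardRows; r++ {
		for c := 0; c < cardCols; c++ {
			card[r][c] = Passcode(key, base+uint64(r*cardCols+c))
		}
	}
	return card
}

// Verifier is the server side: it remembers which passcode it expects next.
type Verifier struct {
	key  [32]byte
	next uint64
}

// Prompt names the card position of the expected passcode, as the login
// prompt would.
func (v *Verifier) Prompt() string {
	idx := v.next % perCard
	return fmt.Sprintf("card %d, row %d, column %c",
		v.next/perCard+1, idx/cardCols+1, 'A'+rune(idx%cardCols))
}

// Check accepts only the expected passcode and then advances the counter, so
// a captured passcode is useless once it has been used.
func (v *Verifier) Check(entered string) bool {
	want := Passcode(v.key, v.next)
	if subtle.ConstantTimeCompare([]byte(entered), []byte(want)) != 1 {
		return false
	}
	v.next++
	return true
}

func main() {
	key := SequenceKey("correct horse battery staple") // demo passphrase only
	card := Card(key, 1)
	for r, row := range card {
		fmt.Printf("%2d ", r+1)
		for _, code := range row {
			fmt.Printf("%s ", code)
		}
		fmt.Println()
	}
	v := &Verifier{key: key}
	fmt.Println("login wants:", v.Prompt())
	fmt.Println("first try:", v.Check(card[0][0])) // true
	fmt.Println("replayed:", v.Check(card[0][0]))  // false
}
```

Two design points worth noticing: the comparison is constant-time so a remote guesser learns nothing from response timing, and the counter only advances on success, so a failed guess does not burn a passcode (a real deployment would still want the lockout described earlier in this post, since 24 bits of passcode is not much against an unthrottled guesser).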