Skip to main content

The WiKID Blog

Viewing posts tagged Information Security

More on Wordpress Security

Two recent blog posts by Ethicalhack3r discuss authentication attacks against Wordpress sites.  The first post discusses  two vulnerabilities in Wordpress including one vulnerability from 2009.  Both leak username information.  As a follow up, Ethicalhack3r released a video (no code) of a brute-force attack tool he wrote over a weekend. 

Traditional two-factor authentication is dead.

At Bsides Atlanta last week, Eric Smith (@infosecmafia) and Dave Kennedy (@dave_rel1k) demonstrated a real-time attack against a Juniper SSL-VPN that by-passes the authentication method used including time-bound one-time passcodes.  (Dave's post on "Traditional Penetration Testing is DEAD" on their BSidesAtlanta talk inspired my title. ;)

This type of attack against SSL and DNS has been predicted for some time, taking advantage of user's willingness to accept any SSL certificate.  Kudos to Eric and Dave for showing how this type of attack combined with a strategically aimed penetration test can really wreak havoc on an enterprise.

Product improvements, prospect relations and Bsides


These past few weeks, we released 3 minor updates to our PC software token client.  These were all in response to a single prospect that is rolling out WiKID using the Web Start version of the WiKID PC Software token.  (The Web Start version or JNLP is an easy way to distribute the software token especially if you don't have a software management system that can push software out to corporate laptops.)

Based on feedback from this prospect, we now do a better job of specifying the location of the private key storage on Windows and Linux, we allow for a single, dedicated domain to be specified in advance for ease-of-use, and you can specify a custom jw.properties file for the Web Start software token.  Taken together, these changes have created an easy-to-use, highly customize-able, cost-effective solution for two-factor authentication.

More importantly, they show how vendors and prospects working together can create better solutions.  WiKID and $prospect benefit, but so do future prospects.  Competitors respond, improving their product, forcing us to improve in a virtuous circle.  I've been concerned for a long time that the prospect-vendor relationship is strained at best, mostly broken, slowing down this process.  I'm sure that most of us have given fake emails or hotmail accounts to vendors.  It is also noticeable at industry conferences where vendors play a form of laser tag with the prospects as the targets. 

I'm not sure how to re-build a level of trust between these two parties. I think events like SecurityBsides which a sponsored by vendors, run by volunteers and lack vendor booths or excessive sales pushiness are a good start. BSides is still clearly feeling its way.  The volunteers are mostly from vendors and I don't really see a way around that.  The sponsors seem to understand that it's a community engagement platform and not a lead-gen opportunity.  (WiKID has sponsored the first Bsides in Las Vegas and one in San Francisco during RSA and we are co-organizing/Sponsoring the BSidesAtlanta.) 

We got a long way to go though.  The attack mentality of many companies is stiffling feedback and hurting product development.  I believe this especially affects small companies, such as WiKID, which are taking on existing, entrenched competitors. Our best asset is our ability to convert feedback into product improvements quickly.  Without feedback, we're potentially wasting our resources.  That's why we love tough prospects that tell us what they need and why we support BSides.

Article on CSO: Two-factor authentication through Windows Server 2008 Net Policy Server

CSO Online has published a tutorial we wrote on Adding Two-factor Authentication through Windows Server 2009 Network Policy Server.

The keys-to-the-kingdom/Authentication-in-depth

The New York Times has an article with new details about the Google attack.  The key take-aways:

Recent Posts

Archive

2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom