The WiKID Blog, musings on two-factor authentication, information security and some other stuff.
Two-factor auth from the get-go: Eliminating Password1.
Posted by: admin 7 years, 4 months ago
Yesterday, Dave Kennedy tweeted:
Belts and Suspenders Security
Posted by: admin 7 years, 4 months ago
I continue to be astounded that one server without two-factor authentication caused the JP Morgan breach. If a sophisticated organization like a major US financial institution can get hacked like that, what are the chances for everyone else? If you were an incoming CIO or CISO, what can you do to avoid such a disaster?
Obviously, JP Morgan is reviewing the status of all their servers (for a start). As I mentioned before, automation and infrastructure as code will help create idempotent servers so you can be sure that they meet security requirements. Any servers outside that level of management should be segmented and brought in line eventually. But I think it will increasingly make sense for servers to have two-factor authentication for remote access and administrator rights. This is simple to do on *nix servers, as services that use PAM (i.e. sshd, sudo, login, etc.) can all easily require two-factor authentication. Copying these configuration files via management tools is quite simple. By using RADIUS as the authentication protocol, you can perform authorization in Active Directory or LDAP. If I were going into Sony, I would require two-factor authentication for egress as well.
Certainly, this would break some things. But that's the idea. The breaks should show you where you have issues. You need to address those issues.
J.P. Morgan breach caused by lack of two-factor authentication on one server
Posted by: admin 7 years, 5 months ago
This story is interesting because it shows that two-factor authentication would have (most likely) worked to prevent this devastating attack. However, it also shows how hard it is for large organizations to actually implement security controls, especially given the use of third parties and growing through acquisitions.
Tough times for Retailers
Posted by: admin 7 years, 5 months ago
Here are a few things for the security teams at retailers to consider:
The death of SaaS? Bringing software back.
Posted by: admin 7 years, 6 months ago
So, it used to be common knowledge, some time after I suffered through setting up data centers in co-location facilities but before I was selling security software/virtual appliances, that 'software was dead'. Well, I'm of the opinion that software (and PaaS) are bringing software back.
People liked SaaS because it meant that they didn't have to buy or manage hardware; it was reliable and, if you had internet, available everywhere. These SaaS players and consumer sites like Etsy and Netflix led the move to DevOps and idempotent infrastructure, creating reliable infrastructure and agile operations. They pushed infrastructure as code, as I have seen in packer.io, a program that allows you to build idempotent virtual machines for your virtual platform of choice or PaaS vendor.