<p><strong>The WiKID Blog</strong> | WiKID Systems (http://www.wikidsystems.com/blog/, feed updated 2016-03-07). The WiKID Blog, musings on two-factor authentication, information security and some other stuff.</p>
<p><strong>Fingerprints spoofed with conductive ink</strong> (2016-03-07, root, http://www.wikidsystems.com/blog/fingerprints-spoofed-with-conductive-ink/)</p>
<p>I am guessing that the FBI wishes this research had come out just a bit earlier. Researchers at Michigan State University have figured out how to <a href="http://boingboing.net/2016/03/06/hacking-a-phones-fingerprint.html">use conductive ink to create fingerprint spoofs</a>.</p>
<blockquote>
<p>Biometric identifiers are the new hotness in information security, but have significant deficits as authentication tokens, including the fact that biometrics are intrinsically leaky (you reveal your retinas by looking at things and your gait by walking, and shed DNA and leave fingerprints behind everywhere you go) and they can't be revoked once they leak (you can't get new fingerprints when griefers dump your existing ones on the Internet).</p>
</blockquote>
<p>We have long recognized the <a href="http://www.wikidsystems.com/learn-more/authentication-problems/biometrics-not-suitable-for-most-authentication-needs/">problems with biometrics</a> as a form of authentication. A fingerprint is a shared secret like any other, with the added problems noted above: it is very leaky, and it cannot be changed once it leaks. PINs remain a more secure solution for two-factor authentication.</p>
<p><strong>Latest release pushes into Privileged Access Management</strong> (2015-10-15, admin, http://www.wikidsystems.com/blog/latest-release-pushes-into-privileged-access-management/)</p>
<p>The <a class="internal-link" href="https://www.wikidsystems.com/company/recent-press-releases/wikid-systems-launches-first-native-active-directory-two-factor-authentication-to-help-companies-prevent-attack-escalation-and-credential-misuse" target="_self" title="">4.1 release</a> of the <a class="internal-link" href="https://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise" target="_self" title="">WiKID Strong Authentication Server</a> - Enterprise Edition includes the ability to use one-time passcodes for Active Directory accounts. We noted an increasing focus on privileged accounts. Companies need these accounts to manage Windows PCs and infrastructure, and multiple system administrators need the credentials for them, so organizations often keep shared spreadsheets of credentials. You can put them into a "password vault", but then there is still a password to the vault, and an attacker who is already on a system can still perform a pass-the-hash attack with that account's cached hash to escalate privileges.</p>
<p>At WiKID we prefer to just get rid of the secrets. With the new Active Directory protocol on WiKID, the user requests an OTP, the WiKID server pushes that OTP to AD as the account's new password, and the user logs in with it. The WiKID server then overwrites the password with a random string, so neither the OTP nor its hash is of any use afterwards. WiKID allows multiple tokens on the same username as well, so you can have five tokens for the user 'Admin' if you want.</p>
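<p>To make the sequence concrete, here is a toy model of the flow described above, written for this page as an illustration. It is not WiKID's code: the class and method names (ToyDirectory, ToyOtpServer, issue, login, rotate) are invented, the directory stores only a password hash (SHA-256 stands in for the NT hash so the script runs anywhere), and the 60-second passcode lifetime is an assumed value. The server sets the passcode as the account password, accepts it exactly once, then overwrites it with a random string. The model also shows the caveat a practitioner should keep in mind: a hash dumped while the passcode is live still works until the login happens and the rotation runs, so the passcode lifetime is the exposure window.</p>

```python
"""Toy model of one-time passcode as ephemeral directory password.

Added example for this page, not WiKID's code. All names are invented and the
directory is an in-memory stand-in for Active Directory.
"""
import hashlib
import hmac
import secrets


class ToyDirectory:
    """Stand-in for AD: stores only a password hash per account."""

    def __init__(self):
        self._hashes = {}

    @staticmethod
    def _hash(password: str) -> bytes:
        # AD stores an NT hash (MD4 over UTF-16LE); SHA-256 stands in so the
        # example runs everywhere. The property that matters is the same: a
        # stolen hash is only useful while it is still the current one.
        return hashlib.sha256(password.encode("utf-16-le")).digest()

    def set_password(self, username: str, password: str) -> None:
        self._hashes[username] = self._hash(password)

    def current_hash(self, username: str) -> bytes:
        """What an attacker with SYSTEM on a DC (or a cached logon) could dump."""
        return self._hashes[username]

    def verify(self, username: str, password: str) -> bool:
        stored = self._hashes.get(username)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))

    def verify_hash(self, username: str, presented_hash: bytes) -> bool:
        """Models a pass-the-hash logon: the attacker presents the hash itself."""
        stored = self._hashes.get(username)
        return stored is not None and hmac.compare_digest(stored, presented_hash)


class ToyOtpServer:
    """Stand-in for the authentication server that pushes the OTP into the directory."""

    def __init__(self, directory: ToyDirectory, lifetime_s: int = 60):
        self.directory = directory
        self.lifetime_s = lifetime_s  # assumed exposure window, not a WiKID setting
        self._issued = {}  # username -> (otp, expiry time)

    def issue(self, username: str, now: float) -> str:
        otp = f"{secrets.randbelow(10 ** 8):08d}"  # 8-digit passcode
        self.directory.set_password(username, otp)  # the OTP becomes the AD password
        self._issued[username] = (otp, now + self.lifetime_s)
        return otp

    def rotate(self, username: str) -> None:
        # Overwrite with a random string nobody knows: the OTP and its hash die here.
        self.directory.set_password(username, secrets.token_urlsafe(32))
        self._issued.pop(username, None)

    def login(self, username: str, passcode: str, now: float) -> bool:
        issued = self._issued.get(username)
        if issued is None:
            return False  # nothing outstanding, nothing to match
        otp, expiry = issued
        if now > expiry:
            self.rotate(username)  # expired passcodes are rotated away, never honoured
            return False
        ok = self.directory.verify(username, passcode)
        if ok:
            self.rotate(username)  # single use: the same passcode never works twice
        return ok


def demo():
    """One issue/login cycle with an attacker who dumped the hash while it was live."""
    directory = ToyDirectory()
    server = ToyOtpServer(directory, lifetime_s=60)
    t0 = 1_000_000.0
    otp = server.issue("Admin", now=t0)
    stolen_hash = directory.current_hash("Admin")   # dumped during the live window
    first_login = server.login("Admin", otp, now=t0 + 5)
    replay = server.login("Admin", otp, now=t0 + 10)
    pass_the_hash = directory.verify_hash("Admin", stolen_hash)
    return first_login, replay, pass_the_hash     # (True, False, False)
```

<p>The interesting assertion is the one in the middle of the window: between issue and login the dumped hash does authenticate, which is why the passcode lifetime should be short and why the rotation on expiry matters as much as the rotation on use.</p>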
<p>The benefits:</p>
<ul>
<li>No need to maintain a spreadsheet of passwords or a vault</li>
<li>Access is managed by issuing and revoking tokens on the WiKID server instead of by changing and redistributing passwords</li>
<li>Two-factor authentication for critical accounts in Windows</li>
</ul>
<p>Every year the Verizon DBIR and other reports show that attackers use credentials to get in and then to escalate their privileges. Two-factor authentication for remote access thwarts the former; this new functionality thwarts the latter.</p>
<p>I should also note that if you are an organization with up to five admins (which covers a lot of ground), you can deploy this for free.</p>
<p><span class="linkButtonRedContent"><a class="internal-link" href="https://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise" target="_self" title="">Download today!</a></span></p>
<p><strong>Yet another reason to add two-factor authentication to your admin accounts</strong> (2015-09-24, admin, http://www.wikidsystems.com/blog/yet-another-reason-to-add-two-factor-authentication-to-your-admin-accounts/)</p>
<p>It seems like we just made the case for requiring <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-for-admin-access-to-a-cisco-asa-5500" target="_self" title="">two-factor authentication for Cisco admins</a> because of the <a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/synful-attack-shows-the-need-for-2fa-on-routers" target="_self" title="">SYNful Knock attack</a>. Now here's another one.</p>
<p>This one only affects <a class="external-link" href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk" target="_self" title="">Cisco devices that use RSA public keys for SSH authentication</a>, but there is already a <a class="external-link" href="https://twitter.com/hdmoore/status/646746244514217984" target="_self" title=""><span class="external-link">Metasploit module available for it</span></a>.</p>
<p>So, of course, there could also be a vuln in the Cisco RADIUS implementation, but this shows the risk inherent in setting up a separate identity management silo for your administrators, in this case public keys configured on the device itself. It is better to have all of your identity management done in one place, your directory, with the <strong>appropriate escalation to two-factor authentication for privileged accounts</strong>, for <strong>riskier activities, such as remote access</strong>, or for <strong>users that you trust less, such as vendors</strong> and other third parties.</p>
<p>The question you will be asked is "at what cost?" Well, two-factor authentication is no longer limited to <a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/cost-savings-wikid-vs-hardware-tokens" target="_self" title="">expensive RSA tokens</a>. Moreover, how many admins do you have? Most companies have fewer than five, so they would be covered by our <a class="internal-link" href="https://www.wikidsystems.com/pricing" target="_self" title="">free 2FA licenses</a>.</p>
<p><strong>Why you need a stand-alone two-factor authentication server</strong> (2015-09-10, admin, http://www.wikidsystems.com/blog/why-you-need-a-stand-alone-two-factor-authentication-server/)</p>
<p>We do a fair amount of testing and documentation for commercial and open-source VPNs (<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/cisco-two-factor-tutorials" target="_self" title="">Cisco</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-sonicwall-8-0-secure-remote-access-vpn" target="_self" title="">SonicWall</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/sophos-utm-two-factor-authentication-tutorials" target="_self" title="">Sophos</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/checkpoint-two-factor-tutorials" target="_self" title="">Checkpoint</a>, and so on). Increasingly, we see VPNs embedding some type of two-factor authentication into their product. The idea is to make it simple to add 2FA to your VPN service, a laudable goal and perhaps sufficient for some small organizations. So when should you consider using a stand-alone service instead?</p>
<p>1. When you have critical infrastructure or data that needs securing for security or compliance reasons. A prime example would be any system with credit card information covered by <strong>PCI</strong> or protected health information covered by <strong>HIPAA</strong>.</p>
<p>2. When you have privileged accounts shared by multiple users. <strong>Privileged account management</strong> is of increasing concern, and if you are thinking about it, you need to think about adding two-factor authentication to it.</p>
<p>3. If you need <strong>two-factor authentication for customers</strong>. There is no point in running two separate systems. We increasingly see SaaS providers needing two-factor authentication.</p>
<p>4. If you need two-factor authentication for <strong>out-bound access</strong>. We have recommended this in the past as a way to find all the services sending data out of your network, and to decide whether they should be.</p>
<p>5. If you allow <strong>vendors</strong> into your network. Think of Target and its HVAC vendor.</p>
<p>6. If you plan on implementing <strong>SSO</strong>. SSO means keys to the kingdom, so best protect them.</p>
<p>7. If you provide non-VPN remote access, such as with <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentiction-to-bomgar-remote-support-server" target="_self" title="">Bomgar</a> or <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-vmware-view" target="_self" title="">VMware View</a>.</p>
<p>In short, any place you use a password could be a place you use two-factor authentication. Two-factor authentication: Not just for remote access!</p>
<p>And, of course, you can <a class="internal-link" href="https://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise" target="_self" title="">download the WiKID server</a> and set up five free users anytime.</p>
<p><strong>BSidesLV 2013 Video List</strong> (2015-09-03, admin, http://www.wikidsystems.com/blog/bsideslv-2013-video-list/)</p>
<p><strong>UPDATE: It was pointed out that these are the videos for 2014. DUH. Learn to read before rushing off to try to help.</strong></p>
<p>I was not able to go to BSidesLV 2015 this summer. Luckily, the talks were recorded. Below is the list of talks on YouTube, presented drama-free:</p>
<ul>
<li><a class="external-link" href="https://www.youtube.com/watch?v=J5rFNCdv1PE" target="_self" title="">Opening keynote: Beyond good and evil, towards effective security - Adam Shostack</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=IQpPgnU-O-A" target="_self" title="">USB write blocking with USBProxy - Dominic Spill</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=04hnlz4FuLQ" target="_self" title="">Allow myself to encrypt myself - Evan Davison</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=WJF8oNVZ7ew" target="_self" title="">What reaction to packet loss reveals about a VPN - Anna Shubina, Sergey Bratus</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=VIlWgfC13VU" target="_self" title="">Untwisting the Mersenne Twister: How I killed the PRNG - moloch &amp; Dan 'AltF4' Petro</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=LWc5aoFLWW0" target="_self" title="">Anatomy of memory scraping, credit card stealing POS malware - Amol Sarwate</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=4AVfNz724KI" target="_self" title="">Cluck Cluck: On Intel's Broken Promises - Jacob Torrey</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=RC8xDwvoq-4" target="_self" title="">A Better Way to Get Intelligent About Threats - Adam Vincent</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=65D_81JrO4I" target="_self" title="">Bring your own Risky Apps - Michael Raggo, Kevin Watkins</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=vCmggziIsZg" target="_self" title="">Invasive Roots of Anti-Cheat Software - Alissa Torres</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=CCcGjc07aNo" target="_self" title="">Vaccinating Android - Milan Gabor, Danijel Grah</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=GALIQVofceQ" target="_self" title="">Security testing for Smart Metering Infrastructure - Steve Vandenberg, Robert Hawk</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=fmIuGqvEd1o" target="_self" title="">The Savage Curtain - Tony Trummer, Tushar Dalvi</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=n_sXG0Ff2oM" target="_self" title="">We Hacked the Gibson! Now what? - Philip Young</a></li>
</ul>
<p><strong>Proving Ground:</strong></p>
<ul>
<li><a class="external-link" href="https://www.youtube.com/watch?v=NcrJQEVPASk" target="_self" title="">#edsec: Hacking for Education - Jessy Irwin</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=_5z2rOaiilE" target="_self" title="">Securing Sensitive Data: A Strange Game - Jeff Elliot</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=bojn0wdUvyE" target="_self" title="">Brick in the Wall vs Hole in the Wall - Caroline D Hardin</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=f77-Guh5fZs" target="_self" title="">Cut the sh**: How to reign in your IDS - Tony Robinson/da_667</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=yGHLkeeq8L4" target="_self" title="">Geek Welfare -- Confessions of a Convention Swag Hoarder - Rachel Keslensky</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=B0kbyAoTEho" target="_self" title="">No InfoSec Staff? No Problem. - Anthony Czarnik</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=w2ekNVDNBmE" target="_self" title="">Can I Code Against an API to Learn a Product? - Adrienne Merrick-Tagore</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=xahThX00dIA" target="_self" title="">Bridging the Air Gap: Cross Domain Solutions - Patrick Orzechowski</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=YZvytEbYjbY" target="_self" title="">Back Dooring the Digital Home - David Lister</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=rJroherlZVo" target="_self" title="">iOS URL Schemes: omg:// - Guillaume K. Ross</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=UU2-UzMPXKg" target="_self" title="">Oops, That Wasn't Suppossed To Happen: Bypassing Internet Explorer's Cross Site Scripting Filter - Carlos Munoz</a></li>
<li><a class="external-link" href="https://www.youtube.com/watch?v=0RZCSQlolvw" target="_self" title="">What I've Learned As A Con-Man - MasterChen</a></li>
<li><a class="external-link" href="https://youtu.be/IFFFWdTSp1A" target="_self" title="">Training with Raspberry Pi - Nathaniel Davis</a></li>
<li><a class="external-link" href="https://youtu.be/T5sQSF4Aj2Q" target="_self" title="">Black Magic and Secrets: How Certificates Influence You! - Robert Lucero</a></li>
<li><a class="external-link" href="https://youtu.be/-0ZeL_SMNB8" target="_self" title="">Attacking Drupal - Greg Foss</a></li>
<li><a class="external-link" href="https://youtu.be/Lpd0Q8uoXCI" target="_self" title="">Hackers vs Auditors - Dan Anderson</a></li>
<li><a class="external-link" href="https://youtu.be/ii6SsSXXOtE" target="_self" title="">Third-Party Service Provider Diligence: Why are we doing it all wrong? - Patrice Coles</a></li>
<li><a class="external-link" href="https://youtu.be/eGydPcyKRfM" target="_self" title="">Pwning the hapless or How to Make Your Security Program Not Suck - Casey Dunham, Emily Pience</a></li>
<li><a class="external-link" href="https://youtu.be/ztATPgP1jtg" target="_self" title="">Teach a man to Phish... - Vinny Lariza</a></li>
<li><a class="external-link" href="https://youtu.be/sw6UBQ-RQyE" target="_self" title="">The Lore shows the Way - Eric Rand</a></li>
</ul>
<p><strong>Common Ground:</strong></p>
<ul>
<li><a class="external-link" href="https://youtu.be/GHY3dv42dz4" target="_self" title="">SHA-1 backdooring and exploitation - Jean-Philippe Aumasson</a></li>
<li><a class="external-link" href="https://youtu.be/tkOtBkvS9xY" target="_self" title="">Evading code emulation: Writing ridiculously obvious malware that bypasses AV - Kyle Adams</a></li>
<li><a class="external-link" href="https://youtu.be/tCxLPWz3KAU" target="_self" title="">Security Management Without the Suck - Tony Turner, Tim Krabec</a></li>
<li><a class="external-link" href="https://youtu.be/JShGkofeCHo" target="_self" title="">Malware Analysis 101 - N00b to Ninja in 60 Minutes - grecs</a></li>
<li><a class="external-link" href="https://youtu.be/KGeobmJUXCM" target="_self" title="">Travel Hacking With The Telecom Informer - TProphet</a></li>
<li><a class="external-link" href="https://youtu.be/JgNRvhsZiBg" target="_self" title="">The untold story about ATM Malware - Daniel Regalado</a></li>
<li><a class="external-link" href="https://youtu.be/JawtzDr2dLw" target="_self" title="">Using Superpowers for Hardware Reverse Engineering - Joe Grand</a></li>
<li><a class="external-link" href="https://youtu.be/_zFgCumQRyU" target="_self" title="">Why am I surrounded by friggin' idiots?!? (Because you hired them!) - Stephen Heath</a></li>
<li><a class="external-link" href="https://youtu.be/WSAH_F2jN00" target="_self" title="">Demystiphying and Fingerprinting the 802.15.4/ZigBee PHY - Ira Ray Jenkins, Sergey Bratus</a></li>
<li><a class="external-link" href="https://youtu.be/iHqR_v3OnlQ" target="_self" title="">Insider Threat Kill Chain: Human Indicators of Compromise - Ken Westin</a></li>
<li><a class="external-link" href="https://youtu.be/Olw5nGj_WPc" target="_self" title="">A Place to Hang Our Hats: Security Community and Culture - Domenic Rizzolo</a></li>
<li><a class="external-link" href="https://youtu.be/spgrc-fskks" target="_self" title="">Booze, Devil's Advocate, and Hugs: the Best Debates Panel You'll See at BSidesLV 2014 - David Mortman, Joshua Corman, Jay Radcliffe, Zach Lanier, David Kennedy</a></li>
</ul>
<p><strong>Ground Truth:</strong></p>
<ul>
<li><a class="external-link" href="https://youtu.be/4h88qU4PlGk" target="_self" title="">The Power Law of Information - Michael Roytman</a></li>
<li><a class="external-link" href="https://youtu.be/Zsw9kqYbPM0" target="_self" title="">Measuring the IQ of your Threat Intelligence feeds - Alex Pinto, Kyle Maxwell</a></li>
<li><a class="external-link" href="https://youtu.be/jWxtTsRJOYg" target="_self" title="">Strategies Without Frontiers - Meredith L. Patterson</a></li>
<li><a class="external-link" href="https://youtu.be/fN5TOB4ZPVI" target="_self" title="">ClusterF*ck - Actionable Intelligence from Machine Learning - Mike Sconzo</a></li>
<li><a class="external-link" href="https://youtu.be/d-l_xPAUEOY" target="_self" title="">Know thy operator - Misty Blowers</a></li>
<li><a class="external-link" href="https://youtu.be/EugmzP0nXI4" target="_self" title="">Improving security by avoiding traffic and still get what you want in data transfers - Art Conklin</a></li>
<li><a class="external-link" href="https://youtu.be/CHvCPrSd2uQ" target="_self" title="">The Semantic Age - or - A Young Ontologist's Primer - Conrad Constantine</a></li>
<li><a class="external-link" href="https://youtu.be/GTpOt2J4-y4" target="_self" title="">I Am The Cavalry Q&amp;A</a></li>
</ul>
<p><strong>How to Increase the Likelihood that your Security Risk Recommendations are accepted</strong> (2015-08-25, admin, http://www.wikidsystems.com/blog/how-to-increase-the-likelihood-that-your-security-risk-recommendations-are-accepted/)</p>
<p>Via <a class="external-link" href="https://twitter.com/adamshostack/status/636196680770043904" target="_self" title="">@adamshostack</a> came this post by <a class="external-link" href="https://twitter.com/lennyzeltser" target="_self" title="">@lennyzeltser</a>: <a class="external-link" href="https://zeltser.com/business-managers-ignore-security-recommendations/" target="_self" title="">Why Business Managers Ignore IT Security Risk Recommendations</a>.</p>
<p>It is a tremendous list of excellent content. I will turn it around slightly and discuss some thoughts on how to increase the likelihood that your security risk recommendations are accepted. In many ways this comes down to whether your management trusts you to invest capital wisely, and not just in the abstract but relative to the other managers in your organization. They are looking at a number of projects that require time and money across a broader view of the organization than just your department, and it is their job to optimize outcomes for the organization as a whole. How can you build the case that you are to be trusted over another manager?</p>
<p>Here is what I would look for:</p>
<p>1. Show that you have already optimized for cost reduction. Moving SSH off port 22 is a great example: it may not increase security, but it greatly reduces the log noise from automated scanning and thus the resources needed to manage and review logs. Standardized configurations may be another, depending on your organization. Demonstrate that you can manage OpEx.</p>
<p>2. Show that you have optimized the use of your existing security infrastructure. The best example of this is <a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/the-two-things-that-actually-work-in-information-security-and-how-to-deploy-them" target="_self" title="">the two things that are proven effective in infosec</a>: two-factor authentication and VPNs. Do your critical accounts use two-factor authentication for access? What about vendors? Is your firewall filtering mail attachments? Show you can manage CapEx. </p>
<p>3. Max out the use of free and open source tools. There are a lot of these in infosec and many can do all that you need, but often they cannot, and knowing the difference shows that you are aware of what's available and are making informed decisions. For example: you have been using a free web-app scanner, but with the increased importance of the ecommerce site, a professional evaluation is warranted. That reduces the risk that you are paying an expert to find the easy problems rather than the hard-to-find issues. Show you know how to use money wisely.</p>
<p>4. Know your capabilities. Most organizations cannot handle the bleeding edge. Trying to deploy a shiny new all-encompassing system that watches what every user does everywhere will tax your resources and potentially fail big time. You need wins to maintain your credibility. Optimize for success.</p>
<p>To me this is just the infosec version of "Start where you are, with what you have" attributed to Teddy Roosevelt and Arthur Ashe. Corporations are just capital management organizations. The better the return on capital, the happier the shareholders, management etc. Your ability to consistently deliver projects on time and on budget will build your credibility. You should start with the basics. </p>
<p>(Note that I have not included any financial models on how to prove the value of your project. Maybe for another day. Or never.)</p>
<p><strong>Avoiding the creep factor in authentication</strong> (2015-08-18, admin, http://www.wikidsystems.com/blog/avoiding-the-creep-factor-in-authentication/)</p>
<p>I have recently seen a number of WiKID competitors announced in the two-factor authentication market that seek to reduce the need for user interaction.</p>
<p>The latest is a solution that turns on your microphone and <a class="external-link" href="http://www.net-security.org/secworld.php?id=18772" target="_self" title="">records the ambient sound</a>. This is just creepy:</p>
<p class="callout">The system works like this: when the user enters his username and password into a website that offers Sound-Proof 2FA, the website switches on the computer's microphone and starts recording. At the same time, it pings the Sound-Proof app which does the same.</p>
<p><img alt="eavesdropping barbie" class="image-left" height="346" src="https://www.wikidsystems.com/static/media/uploads/images/.thumbnails/eavesdropping_barbie.png/eavesdropping_barbie-481x346.png" width="481"/>There is a security benefit in active involvement by users in the authentication process. Knowledgeable, aware users are a good thing. Recording, monitoring and tracking, less so. Solutions such as these rely on a presumption of an acceptable rate of false positives and negatives; when an attempt falls outside that rate, there is a fall-back procedure to another, stronger form of authentication. Which raises the question: why not just use the stronger form of authentication in the first place?</p>
<p><strong>Defense at every stage</strong> (2015-07-10, admin, http://www.wikidsystems.com/blog/defense-at-every-stage/)</p>
<p>Another tweet struck me for its common sense and truth:</p>
<p><a class="external-link" href="https://twitter.com/dinodaizovi/status/618422788563582976" target="_self" title="Defense-in-depth defined"><img alt="defense-in-depth defined" class="image-inline" height="189" src="https://www.wikidsystems.com/static/media/uploads/images/WiKIDBlog/.thumbnails/defense_at_all_stages.jpg/defense_at_all_stages-603x189.jpg" width="603"/></a></p>
<p>To me, this is defense-in-depth defined. I will also point out that the "<a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/the-two-things-that-actually-work-in-information-security-and-how-to-deploy-them" target="_self" title="">two effective security technologies that stand the test of time</a>" (firewalls and two-factor authentication) can make each of these stages harder for attackers:</p>
<ul>
<li>Implementing two-factor authentication for remote access will make intrusion much more difficult.</li>
<li>Implementing two-factor authentication for privileged accounts will make escalation much more difficult.</li>
<li>Implementing two-factor authentication at your outbound proxy will make exfiltration much more difficult.</li>
</ul>
<p>We have seen a big increase in the use of two-factor authentication for remote access (often thanks to regulations like PCI). I think we're about to see a big increase in two-factor authentication for <strong>privileged access management</strong>, both for systems administrators and for third-party access. We have recommended using <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to" target="_self" title="">pam_radius</a> to implement two-factor authentication for sudo for a long, long time. Now, with more tools for privileged access management available, we will see this in the Windows world. It's well past time. In addition to thwarting escalation, such a setup makes detection easier, and therefore lateral movement and persistence more difficult as well.</p>
<p>I don't think we will see much 2FA for out-bound access except in organizations with high-value IP, but organizations should be able to implement it quickly if they suspect there has been an intrusion.</p>
<p>You don't want to create new identity silos when doing this. Make sure that your authentications run through your directory, even if you have to set up a RADIUS server to make it happen (with the possible exception of <a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/keeping-vendors-out-of-ad" target="_self" title="">vendors that you don't want in your Active Directory</a>).</p>
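<p>It is worth seeing what actually crosses the wire when pam_radius, a VPN or a firewall hands a passcode to the RADIUS server in front of your directory, because the shared secret is the only thing authenticating that exchange. The following is an added example written for this page, not WiKID's or any vendor's code: it builds an Access-Request with the User-Password attribute obfuscated the way RFC 2865 specifies (XOR with MD5 of the secret and the Request Authenticator, chained per 16-byte block), answers it with the Access-Accept or Access-Reject a server would return, and checks the Response Authenticator on the client side. The user name, passcode, NAS-Identifier, shared secret and the fixed Request Authenticator used in the test are constructed sample values; a real client draws a fresh random authenticator per request. The in-memory table behind the toy server stands in for the directory or OTP server.</p>

```python
"""Added example: the RADIUS Access-Request / Access-Accept exchange between a
NAS (pam_radius, a VPN, a firewall) and the RADIUS server in front of a directory.
Not WiKID's code; all names and sample values are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR block 1 with
    MD5(secret + Request Authenticator) and block n with MD5(secret + ciphertext n-1)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, then drop the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length including the 2-byte header, Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: Optional[bytes] = None,
                         nas_id: bytes = b"sudo-host") -> bytes:
    """Client (NAS) side. The Request Authenticator must be 16 fresh random bytes
    per request; the test passes a fixed one only to make the packet reproducible."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + _attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: bind the reply to this request's authenticator and to the secret.
    Without the secret, nobody on the path can mint a valid Accept or flip a Reject."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(resp_auth, expected)


def serve(request: bytes, secret: bytes, directory: dict) -> bytes:
    """Toy server: parse the attributes, decode the passcode and look it up in a
    {user: passcode} table standing in for the directory / OTP server behind RADIUS."""
    pos, fields = 20, {}
    while pos + 2 <= len(request):
        attr_type, length = request[pos], request[pos + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        fields[attr_type] = request[pos + 2:pos + length]
        pos += length
    user = fields.get(USER_NAME, b"")
    passcode = decode_user_password(fields.get(USER_PASSWORD, b""), secret, request[4:20])
    stored = directory.get(user)
    ok = stored is not None and hmac.compare_digest(stored, passcode)
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

<p>Two things follow from the code. The passcode is only hidden by MD5 keyed with the shared secret, so a short or reused secret and a sniffable path between NAS and server undo the whole thing; keep RADIUS on a management segment or tunnel it. And the Response Authenticator is what stops a host on the path from turning a Reject into an Accept, which is exactly the property a device-local silo (such as keys configured on the router itself) does not give you when that device's own check is broken.</p>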
<p>The hardest part is most likely not the implementation, but convincing users and management that it's worthwhile to avoid being the next OPM. </p>
<p><strong>Bridging Gunnar Gaps to create virtual circles</strong> (2015-06-19, admin, http://www.wikidsystems.com/blog/bridging-gunnar-gaps-to-create-virtual-circles/)</p>
<p>If you haven't read Gunnar Peterson's post <a class="external-link" href="http://1raindrop.typepad.com/1_raindrop/2015/04/security-fast-and-security-slow.html" target="_self" title="">Security, Fast and Slow</a>, please do so now. It is about how Security's natural tendencies grate against the natural tendencies of Development. Security needs to adapt to make it easier for Development to make the right decisions and so bridge such gaps. I now call these "Gunnar Gaps".</p>
<p>As a security vendor, I wonder what we do that might create, or hopefully bridge, such gaps. The best thing I think we do for developers is have easily downloadable API code examples that are LGPL-licensed. This means that a developer can quickly set up a WiKID server in a lab and integrate our API into their code base without talking to a sales person or worrying about licensing (LGPL allows you to use the code in a commercial application without releasing the code as open source). </p>
<p><a class="external-link" href="https://twitter.com/joshcorman" target="_self" title="">Josh Corman </a>hit on this same idea:</p>
<p><a class="external-link" href="https://twitter.com/joshcorman/status/606447781927092225" target="_self" title=""><img alt="devops for vendors" class="image-inline" height="185" src="https://www.wikidsystems.com/static/media/uploads/images/WiKIDBlog/.thumbnails/joshcormandevopsvendors.jpg/joshcormandevopsvendors-503x185.jpg" title="devops for vendors" width="503"/></a></p>
<p>Devs don't want paywalls, sales people, web forms that require email addresses, etc. when working on projects. That's pure friction and gap-creation. </p>
<p>Devs like well documented code. And the best documentation is examples. We actually like providing example code that developers can cut and paste. It allows them to focus on exactly the functionality they need and it creates a much tighter feedback loop to us. So, bridging the gap to developers works both ways and makes our product better too.</p>New eGuide on Adding Two-factor Authentication to your Network2015-05-05T14:35:31+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/new-eguide-on-adding-two-factor-authentication-to-your-network/<p>Multi-factor authentication is a key requirement for securing infrastructure, and we have tried our best to make it less expensive and less of a headache for users and admins. We do a lot of work helping systems administrators integrate two-factor authentication. These efforts often involve supporting other products and we're ok with that. People ask us "Do you work with my VPN?" So we often produce tutorials on how to add two-factor authentication to a specific product, like <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn" title="Using WiKID Strong Authentication with OpenVPN">OpenVPN</a> or a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-a-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid" title="How to configure a Cisco VPN concentrator for two-factor authentication from WiKID.">Cisco</a> box or a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-use-wikid-strong-authentication-with-juniper-uac-appliance" title="How to use WiKID Strong Authentication with Juniper IC Series UAC Appliance">Juniper UAC</a>.</p>
<p>However, we realized that what was missing was an overview that gave more strategic guidance on how to plan out your two-factor authentication implementation. While we have a lot of the content on the website, we needed to put it into one document for continuity. So, please enjoy.</p>
<p>Also, please share this information. It is mostly product agnostic and uses RADIUS - an open and widely supported authentication protocol - so the lessons apply to all two-factor authentication products. This guide is primarily aimed at the overworked souls that toil in organizations <a href="https://451research.com/t1r-insight-living-below-the-security-poverty-line">living below the information security poverty line</a>, who perform so many tasks that it's difficult to do anything except meet the minimum PCI requirements. In my opinion, most of this deficit can be made up by education: better knowledge of how to implement security right and better awareness of less expensive/free/open-source options.</p>
<p>You can <a class="internal-link" href="https://www.wikidsystems.com/learn-more/white-papers" title="Two-factor Authentication White Papers">download the eGuide and all of our white papers here without registering</a>.</p>Why Information Security Breaches may matter to stock prices2015-05-01T16:01:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/why-information-security-breaches-may-matter-to-stock-prices/<p>I've been chewing on this post since <a class="external-link" href="https://twitter.com/dearestleader">@dearestleader</a>'s BSidesATL talk and since reading this <a class="external-link" href="https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices">HBR piece</a>.</p>
<p>First, know that stock investors care about the past only in how it might reflect potential future outcomes. By the time a breach is discovered it is history. Most companies have insurance that will cover some portion of the expense. There are PR firms ready to handle the press and information security consultants ready to proclaim the advanced nature of the attack. The dollar impact is proclaimed to be tiny compared to the revenue.</p>
<p>However, businesses flourish by creating capital at a rate higher than their weighted-average cost of capital. The lower the average cost of their stocks, loans, bonds and other forms of financing the easier it is to exceed that rate. The easier it is to exceed the cost of capital, the cheaper it becomes. It can be a highly virtuous circle. Or the opposite.</p>
<p>For a breach to have a negative impact, it would have to represent part of a larger issue. For example, the fact that Home Depot's lead security architect had a <a class="external-link" href="http://arstechnica.com/security/2014/09/home-depots-former-security-architect-had-history-of-techno-sabotage/">history of sabotaging his former employer</a> might indicate other HR issues. The best way to evaluate the impact is to compare the performance of Home Depot versus the competition. I don't have the time to do this in detail, but I will share this graph comparing Home Depot to Lowes over the last 6 months (the HD breach press release was <a class="external-link" href="https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf">Nov 6th 2014</a>, PDF):</p>
<p> <img alt="" class="image-inline" src="https://www.wikidsystems.com/WiKIDBlog/copy3_of_HDvsLOW.jpg" title=""/></p>
<p>Both stocks did better than the S&amp;P, but Lowes significantly outperformed HD, giving Lowes a lower weighted-average cost of capital. We'll see what they can do with it.</p>
<p>This is of course just anecdotal and there are many possible reasons for this. It could be enlightening to evaluate a portfolio of breached companies against their competitors and the market overall. It seems likely we will have sufficient data for that. But it's a mistake to say "after the breach the stock went up" without comparing the stock to the market and the competition.</p>Seven common misconceptions about two-factor authentication2015-01-13T16:50:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/seven-common-misconceptions-about-two-factor-authentication/<p>We get a lot of questions from enterprises as they deploy two-factor authentication. There are a good number of misconceptions out there about how to do it. Here are six that we see frequently as enterprises first start to think about two-factor authentication:</p>
<ul>
<li><b>"Will your two-factor authentication work with my Cisco, Juniper, Fortinet, etc, etc?"</b>
<p>This is less a misconception than a misdirection. For years vendors have promoted their proprietary connections, and Microsoft pushed direct connections to AD. However, the right question to ask is "Does your product support the standard authentication protocols we need?" Inside the firewall, RADIUS is just about all you need; while you may need TACACS+ for switches, most companies do not. All business-oriented remote access solutions support RADIUS, so basically all enterprise-class two-factor solutions support all enterprise-class remote access solutions. If your remote access solution doesn't, you need to put it behind something that does.</p></li>
<li><b>"Authorization vs authentication."</b>
<p>Authorization is "who can do what" and is done in the directory using groups and permissions. Authentication is "who are you?" It's a subtle difference, but it exists for a reason.</p></li>
<li><b>"How can I synchronize with AD?"</b>
<p>You do not need to. What you want is for AD to perform authorization and for your two-factor auth server to do authentication. You do this by using the <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps">NPS RADIUS plugin</a>. The same goes for <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius">LDAP</a>. This means that every authentication request is validated by AD/LDAP; once a user is disabled in AD/LDAP they are locked out. Isn't that simpler than synchronizing? The username in WiKID needs to match the username in AD, but you can easily do that using our self-enrollment scripts.</p></li>
<li><b>"How can I keep users out of AD?"</b>
<p>Easy: just have your remote access solution send RADIUS requests directly to your 2FA server. This came up recently. A retail company needed to allow third parties to access their networks with two-factor authentication (because Target), but they didn't want to have to add those users into AD.</p></li>
<li><b>"I want to secure the Windows login."</b>
<p>I feel you. Except this is very hard. You will need to modify the GINA (for Win 7 and before) or the Credential Provider. You can go with smart cards, but unless you have a bunch of money and require everyone to use corporate laptops, it will be very tough. It is probably better to go with a virtual desktop solution like <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-vmware-view">VMWare View</a> or <a href="https://www.wikidsystems.com/WiKIDBlog/x2go-on-centos">X2Go</a>.</p></li>
<li><b>"First they login with their AD passwords and then they give the OTP."</b>
<p>Not necessarily. This is product specific. Some one-time passcode systems provide you with only one factor. Unlike WiKID, Google Authenticator and other TOTP systems do not ask for a PIN before delivering the OTP. This means that you need to add the "what you know" factor in your authentication process. This adds a step for your users and, more importantly, does not reduce password use.</p></li>
<li><b>"Two-factor authentication is inconvenient for users."</b>
<p>This is no longer necessarily the case. Passwords are much more inconvenient for users because they have so many accounts. Password fatigue is now universal. If you require your users to login with a password and a one-time password, then yes, it is. But that is an implementation issue.</p></li>
</ul>Belts and Suspenders Security2015-01-05T16:22:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/belts-and-suspenders-security/<p>I continue to be astounded that one server without two-factor authentication caused the JP Morgan breach. If a sophisticated organization like a major US financial institution can get hacked like that, what are the chances for everyone else? If you were an incoming CIO or CISO, what can you do to avoid such a disaster?<br/><br/>Obviously, JP Morgan is reviewing the status of all their servers (for a start). As I mentioned before, automation and infrastructure as code will help create idempotent servers so you can be sure that they meet security requirements. Any servers outside that level of management should be segmented and brought in line eventually. But I think it will increasingly make sense for servers to have <b>two-factor authentication for remote access and administrator rights</b>. This is simple to do on *nix servers, as services that use <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to">PAM</a> - i.e. sshd, sudo, login, etc. - can all easily require two-factor authentication. Copying these configuration files via management tools is quite simple. By using RADIUS as the authentication protocol, you can perform authorization in <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps">Active Directory</a> or <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius">LDAP</a>. If I were going into Sony, I would require <a class="external-link" href="https://www.wikidsystems.com/WiKIDBlog/getting-the-most-out-of-your-two-factor-authentication">two-factor authentication for egress</a> as well.<br/><br/>Certainly, this would break some things. 
But that's the idea. The breaks should show you where you have issues. You need to address those issues.</p>More on the security concerns for SSH and Key Management2014-07-29T16:52:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/more-on-the-security-concerns-for-ssh-and-key-management/<p>We've blogged previously about the potential <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid">compliance issues around SSH keys</a> and about the risks of <a class="external-link" href="https://www.wikidsystems.com/WiKIDBlog/risks-from-poorly-managed-ssh-keys">poor SSH key management</a>. A recent <a class="external-link" href="https://www.venafi.com/assets/pdf/wp/Gaps_In_SSH_Security_Create_An_Open_Door_For_Attackers.pdf">Forrester survey</a> (PDF warning!) revealed:</p>
<ul>
<li>36% of enterprises do not scan for unauthorized keys.</li>
<li>47% of IT professionals reported dealing with a security incident due to compromised or misused keys.</li>
<li>Keys are rarely rotated. </li>
<li>40% of enterprises rely on sys admins to detect a rogue SSH key.</li>
</ul>
<p>You could purchase software to help you manage keys (as the sponsors of that survey no doubt recommend), but you would essentially be setting up a second user database instead of relying on your existing directory infrastructure. By using PAM-RADIUS and a one-time password you can have two-factor authentication tied into your AD. Rogue keys would cease to be an issue.</p>Are we royally screwing up two-factor authentication2014-07-09T14:12:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/are-we-royally-screwing-up-two-factor-authentication/<p>One of our stated goals has always been to help get rid of passwords (alright, reduce their prevalence). They aren't secure enough and are a big pain for the end user. Attempts to make them stronger, such as 60-day expirations and complexity requirements, make them much, much worse. <br/><br/><img alt="meme" class="image-left" height="255" src="https://www.wikidsystems.com/WiKIDBlog/2FA_allthethings.jpg" title="two-factor all the things" width="340"/>I have watched as a number of attacks have shown the weaknesses and hacks have exposed personal data, and yet there was no movement for change until <a class="external-link" href="http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/">Mat Honan's attack</a>. Then all of a sudden, OMG, we all need two-factor auth and shame on those services that do not provide it. Web services started adding two-factor authentication and there's even a <a class="external-link" href="http://twofactorauth.org/">web site listing</a> which services do and shaming those that don't offer two-factor. There's a full-on rush to two-factor all the things. <br/><br/>So what's my problem? We are *adding* two-factor authentication. We aren't getting rid of passwords at all. 
Users now typically login with their usernames and passwords and are then prompted to authorize the access (as with Twitter, though I haven't been prompted for that in a long while) or to enter an OTP (as with Amazon's EC2).<br/> <br/>Even most corporate sysadmins struggle with this concept. Most assume that you need to perform authorization against AD or LDAP using both the username and static password and that the OTP should be an additional process. This has not been the case since Windows Server 2008 and IAS for Windows, and it was never the case for RADIUS/LDAP. IAS (now <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps">NPS</a>)<i> will do the authorization in AD based on the username alone</i>. If authorization passes, then the username and OTP are proxied to the authentication server as per the RADIUS standard. Yet many admins still want both an AD password and an OTP. If the OTP encompasses both factors, then asking for the AD password is just more of the same factor: more risk that the password will be compromised and more hassle for your users.<br/><br/>In addition to being weak, passwords are a huge pain in the ass. We should be taking advantage of this opportunity to vastly improve authentication and we are not.</p>Risks from poorly managed SSH Keys2014-03-07T15:18:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/risks-from-poorly-managed-ssh-keys/<p>Read Computerworld's article about a Ponemon study discussing <a class="external-link" href="http://www.computerworld.com/s/article/9246512/Poorly_managed_SSH_keys_pose_serious_risks_for_most_companies">SSH key management issues</a>:</p>
<p class="callout"><span style="text-align: left; float: none;">Even though more than half of the surveyed enterprises had suffered SSH-key related compromises, 53% said they still had no centralized control over the keys and 60% said they had no way to detect new keys introduced in the organizations. About 46% said they never change or rotate SSH keys -- even though the keys never expire.</span></p>
<p><span style="text-align: left; float: none;">We've talked about this before. We love SSH - can't live without it - but key management is difficult and often fails to meet compliance standards, particularly PCI. Some people have suggested <a class="external-link" href="http://neocri.me/documentation/using-ssh-certificate-authentication/">SSH Certificates</a>, which look interesting, but they introduce yet another identity management system and yet another authentication system.</span></p>
<p><span style="text-align: left; float: none;">It's much better to have all your users using the same identity management and authentication system. One-time passcodes as a form of two-factor authentication are particularly useful in this regard as passwords tend to work in all UIs. Certificates do not. </span></p>
<p><span style="text-align: left; float: none;">It is also best to have a single point of user disablement, with HR able to perform it. This points to using RADIUS as the authentication protocol of choice inside the network. RADIUS will do the authorization in your directory (AD, LDAP) and, if that passes, the authentication in a separate system. Disabling a user in the directory is the only step required. <br/></span></p>
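<p>The flow just described, authorization by username in the directory first and the one-time passcode checked in a separate system, as an added example (not code from WiKID, NPS or FreeRADIUS): a toy RADIUS proxy in Python. Packet layout and User-Password hiding follow RFC 2865; the users, groups, passcodes and shared secrets are constructed sample data, and the <code>login</code>, <code>proxy</code> and <code>otp_server</code> functions are mine, standing in for the VPN, the RADIUS proxy and the OTP server.</p>

```python
"""RADIUS proxy flow: authorize in the directory, authenticate the OTP elsewhere.

Added example, not code from WiKID, NPS or FreeRADIUS. The proxy looks the
User-Name up in the directory (enabled? right group?) and only then forwards
the Access-Request to a separate one-time-passcode server. Packet layout and
User-Password hiding follow RFC 2865; the directory, the passcode table and
both shared secrets are constructed sample data.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

# Constructed sample data (hypothetical users, codes and secrets).
DIRECTORY = {
    "alice": {"enabled": True,  "groups": {"vpn-users"}},
    "bob":   {"enabled": False, "groups": {"vpn-users"}},   # disabled by HR
    "carol": {"enabled": True,  "groups": set()},           # no remote-access group
}
OTP_TABLE = {"alice": "493201", "bob": "118822", "carol": "770015"}
NAS_SECRET = b"nas-to-proxy-secret"      # shared between the VPN/NAS and the proxy
OTP_SECRET = b"proxy-to-otp-secret"      # shared between the proxy and the OTP server


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; NUL padding is stripped (passcodes never contain NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def encode_request(identifier, authenticator, attrs):
    """Access-Request: code, identifier, length, authenticator, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def decode(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def otp_server(packet):
    """Authentication only: is this the user's current passcode? Knows nothing about groups."""
    _, _, authenticator, attrs = decode(packet)
    user = attrs[USER_NAME].decode()
    otp = reveal_password(attrs[USER_PASSWORD], OTP_SECRET, authenticator).decode()
    # A real OTP server also consumes the code so it cannot be replayed; omitted here.
    return ACCESS_ACCEPT if OTP_TABLE.get(user) == otp else ACCESS_REJECT


def proxy(packet, required_group="vpn-users"):
    """Authorization by username in the directory, then forward to the OTP server.
    Returns (code, hop_that_decided) so the caller can see which hop rejected."""
    _, identifier, authenticator, attrs = decode(packet)
    user = attrs[USER_NAME].decode()
    entry = DIRECTORY.get(user)
    # No static password is checked here: the directory only answers "is this user
    # enabled and in the right group", which is why disabling the account is enough.
    if entry is None or not entry["enabled"] or required_group not in entry["groups"]:
        return ACCESS_REJECT, "directory"
    passcode = reveal_password(attrs[USER_PASSWORD], NAS_SECRET, authenticator)
    fwd_auth = os.urandom(16)   # fresh authenticator for the proxied request
    forwarded = encode_request(identifier, fwd_auth, [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(passcode, OTP_SECRET, fwd_auth)),
    ])
    return otp_server(forwarded), "otp-server"


def login(user, otp):
    """What the VPN/NAS does: wrap username and one-time passcode in an Access-Request."""
    authenticator = os.urandom(16)
    packet = encode_request(7, authenticator, [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(otp.encode(), NAS_SECRET, authenticator)),
    ])
    return proxy(packet)


if __name__ == "__main__":
    for user, otp in [("alice", "493201"), ("alice", "000000"), ("bob", "118822"), ("carol", "770015")]:
        print(user, otp, login(user, otp))
```

<p>Running it shows the two hops doing two different jobs: alice with a wrong code is rejected by the OTP server, while bob, who holds a valid code but is disabled in the directory, is rejected before the OTP server is ever asked. That is the whole point of making the directory the single point of disablement. A production proxy would of course also carry the NAS attributes it needs and verify the Response Authenticator on the way back.</p>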
<p>For SSH, all you need to do is to configure <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to">PAM-RADIUS</a> and tell <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid">SSH to use it</a>. Then you can use pam-radius for any other service that supports PAM, such as sudo. If you add two-factor authentication to SSH, you don't have to worry about the existing keys; they would only be used for encryption, not identification, solving your key management issue.</p>New server update2014-02-06T15:09:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/new-server-update/<p>The latest release of our two-factor authentication server is a strong one. We focused on speed enhancements and usability for some of our large (meaning multi-thousand users) enterprise customers. It is capable of performing close to <strong>500 authentications per minute</strong> in replication mode and well over 1000 per minute in stand-alone mode.</p>
<p>In addition, we have added filtering to the user page so now you can quickly find all the users that have say, iPhone software tokens. Pagination on the user and logging tabs also increases ease of use and performance.</p>
<p>One thing we have seen this year is growth both in new customers and in existing customers. As two-factor authentication deployments grow in size, we are improving our server to meet those needs.</p>
<p>We're also thinking about the fact that companies can now choose between a self-hosted two-factor authentication system, like WiKID, or one of the authentication-as-a-service offerings. Why would you give up control of the keys to your kingdom to a service? Ease of deployment, reliability, and cost spring to mind, and we're addressing those. WiKID is already <a class="internal-link" href="http://www.wikidsystems.com/pricing">less expensive than most Enterprise-class authentication services</a>. Our server is rock-solid reliable and simple to install. There is always room for improvement, though, so expect more from us soon.</p>
<p>If you are one of our customers or in the market for a two-factor authentication solution, I urge you to <a class="internal-link" href="http://www.wikidsystems.com/downloads/">test our latest server</a>.</p>Wisdom about two-factor authentication based on facts2013-05-16T18:01:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/wisdom-about-two-factor-authentication-based-on-facts/<p>There is one quote in the <a class="external-link" href="http://www.verizonenterprise.com/DBIR/2013/">Verizon DBIR</a> that speaks volumes about the value of two-factor authentication to enterprise users:</p>
<p class="callout">If data could start a riot (“Occupy Passwords!”), we could use these statistics to overthrow single-factor passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80% of these attacks to adapt or die.</p>
<p>Authentication-based attacks are used in 4 out of 5 attacks. Same as last year.</p>
<p>There are indeed attacks against two-factor authentication and Verizon makes it clear that the attacks will adapt, but that is the nature of the game. Did you pull your anti-virus and firewalls when they were circumvented?</p>
<p>Strategically, two-factor authentication must be one of the top security tools for enterprises. What else will impact 80% of attacks?</p>New Drupal two-factor module released - CMS authentication issues2013-02-28T19:59:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/new-drupal-two-factor-module-released-cms-authentication-issues/<p>WiKID is pleased to announce the release of a <a href="http://drupal.org/sandbox/greghaygood/1927960">two-factor authentication module for Drupal</a>.</p>
<p>I'm personally really happy about the feedback we've already gotten and the questions posed. It clearly shows the issues software projects face regarding implementation of two-factor authentication. In reality, it is implementation of authentication. Clearly, the days of storing username and password in the CMS database are (hopefully) over. So what should they look like now? In my opinion, they should handle the session, be pluggable and provide lots of logging.</p>
<p>By 'handle session' I mean that if the authentication is successful, everything else should work. It should not matter what form of authentication is performed, and you should not need to create a new account (or, if you have to, it should be as simple as possible).</p>
<p> By pluggable, I mean that it should handle really any type of authentication via a simple process. Linux PAM is a good example as is Plone. Plone provides a super simple example that you can copy (as I did).</p>
<p>Sadly, logging is where many fall down. Plone's authentication system totally eats any feedback. This makes it very hard to determine where the issue is. Organizations with two-factor authentication typically have three or more nodes: the client (the CMS or VPN), a RADIUS server (ACS, NPS, FreeRADIUS), a directory (LDAP, NPS) and a two-factor authentication server (<a class="internal-link" href="https://www.wikidsystems.com/downloads" title="Downloads">WiKID</a>, of course). If one of these nodes isn't logging properly it just makes it that much more difficult to troubleshoot.</p>
<p>So, the inevitable question for us: Why didn't you use or develop a pluggable auth module for Drupal? Because our API does so much more than just authenticate. Indeed, most of the API was developed for user management in a multi-tier, multi-tenant environment. You can register tokens, add tokens to existing users, re-enable users, list users by domain, delete tokens, delete users, and so on, all on a per-network-client basis.</p>
<p>If you use Drupal for any Enterprise-oriented software projects that require some extra security please give our module a whirl.</p>