<p><strong>The WiKID Blog | WiKID Systems</strong> (<a href="http://www.wikidsystems.com/blog/">http://www.wikidsystems.com/blog/</a>, last updated 2017-04-04T20:00:58+00:00): The WiKID Blog, musings on two-factor authentication, information security and some other stuff.</p>
<p><strong>PCI DSS disses multi-step authentication</strong> (2017-04-04T20:00:58+00:00, <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/pci-dss-disses-multi-step-authentication/">http://www.wikidsystems.com/blog/pci-dss-disses-multi-step-authentication/</a>)</p>
<p>The PCI Council has published an <a href="https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf">"Information Supplement" on multi-factor authentication</a> (pdf). The document states that multi-step and multi-factor authentication are not the same and that the former is not acceptable. </p>
<blockquote>
<p>PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication mechanism granting the requested access. Moreover, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented.<br/><snip><br/>For example, if an individual submits credentials (e.g., username/password) that, once successfully validated, lead to the presentation of the second factor for validation (e.g., biometric), this would be considered “multi-step” authentication.</p>
</blockquote>
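<p>As an added illustration (not WiKID's code), here is the distinction the supplement draws, in a minimal login handler: the multi-step version returns a distinct result after the password alone, while the single-step version evaluates both factors before returning one combined verdict. The salt, password hash and fixed sample passcode are constructed so the example runs offline.</p>

```python
"""Multi-step vs. single-step multi-factor verification (added illustration)."""
import hashlib
import hmac

# Constructed user store. In a real deployment the passcode would be checked by
# the 2FA server; here a fixed sample value stands in for it.
_SALT = b"constructed-salt"
_ROUNDS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ROUNDS),
        "otp": "482913",
    }
}


def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Do the hashing work even for unknown users so the cost does not reveal
    # whether the account exists.
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ROUNDS)
    return rec is not None and hmac.compare_digest(cand, rec["pw_hash"])


def _otp_ok(user: str, otp: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(otp.encode(), rec["otp"].encode())


# --- Multi-step: the pattern the PCI supplement says is NOT acceptable -----------
def multistep_step1(user: str, password: str) -> str:
    """The password is judged on its own; the caller learns its validity before
    the second factor has even been requested."""
    if _password_ok(user, password):
        return "PASSWORD_OK_ENTER_OTP"
    return "BAD_PASSWORD"


def multistep_step2(user: str, otp: str) -> str:
    return "ACCESS_GRANTED" if _otp_ok(user, otp) else "BAD_OTP"


# --- Single-step: both factors collected up front, one combined verdict ----------
def multifactor_login(user: str, password: str, otp: str) -> str:
    """Every factor is evaluated before any decision is returned, and the caller
    cannot tell which factor failed."""
    pw_good = _password_ok(user, password)
    otp_good = _otp_ok(user, otp)  # evaluated even when the password failed
    return "ACCESS_GRANTED" if (pw_good and otp_good) else "ACCESS_DENIED"
```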
<p>If this is the way you're doing your authentication with a service or using Google Authenticator, then it's probably time to re-think that (in addition to <a href="http://www.wikidsystems.com/blog/5-issues-enterprises-should-consider-before-using-google-authenticator-for-ssh/">other issues with Google Authenticator</a>). WiKID's authentication process is true multi-factor, easy to integrate into a one-step authentication process, and it can perform <a href="http://www.wikidsystems.com/blog/non-console-administrative-access/">2FA for non-console administrative access</a> as required by <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf">PCI 3.2</a> (pdf). </p>
<p><strong>NIST deprecates SMS as an out-of-band authentication method</strong> (2016-08-23T14:22:57+00:00, <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/nist-deprecates-sms-as-an-out-of-band-authentication-method/">http://www.wikidsystems.com/blog/nist-deprecates-sms-as-an-out-of-band-authentication-method/</a>)</p>
<p>When we started WiKID, we looked at using SMS to deliver one-time passcodes. We chose not to for the simple reason that there was no way we could control the encryption and thus demonstrate the security of our solution to customers. There wasn't any data about the possible risks or probabilities of failures (except for reliability/delivery percentages). We looked to basic security design principles and best practices when we developed WiKID. Could we control the encryption? Could we generate the keys on the devices instead of using shared secrets? </p>
<p>Since then, there have been attacks against <a href="http://www.wikidsystems.com/blog/why-using-sms-for-authentication-is-a-bad-idea/">specific users' accounts</a>, <a href="http://www.wikidsystems.com/blog/another-nail-for-sms-authentication/">devices capable of intercepting SMS messages</a> being sold to attackers, and <a href="http://www.wikidsystems.com/blog/privacy-concerns-about-sms-based-two-factor-authentication/">SMS privacy concerns</a> about giving firms your cell number (at least where we were concerned). We've pointed out that SMS relies on the security of the telcos and that they are dis-incented to increase account security. And the latest: <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">SMS is deprecated by NIST</a> as an OOB solution.</p>
<p>But these are all just anecdotes and not actionable data (as pointed out by <a href="https://www.rsaconference.com/blogs/dissed-by-nist">Wendy Nather in Dissed by NIST</a>). There are plenty of examples of attacks against systems protected by two-factor authentication that do not include a cost/benefit analysis. We cannot find any example of a service that turned off two-factor and I assume they (especially banks) do cost/benefit analysis.</p>
<p>We know that FISMA stated that two-factor would have <a href="http://www.wikidsystems.com/blog/fisma-report-states-two-factor-authentication-could-have-stopped-52-of-incidents/">stopped 52% of attacks against the Federal government</a>. And every year, the Verizon <a href="http://www.wikidsystems.com/blog/dbir-once-again-makes-the-case-for-two-factor-authentication/">DBIR points to the use of abused credentials in attacks</a>. But we don't know if these attacks used user credentials or privileged credentials and we don't know if SMS 2FA would have stopped them (or some impactful percentage).</p>
<p>So, what's an organization to do? Here are our (biased!) recommendations given the current state of available data:</p>
<p>1. Implement 2FA for your smaller, technically proficient internal privileged user base first. In particular, if you are a consumer service protect the database of your users' passwords! Thwart attackers as they attempt to escalate, not just when they try to infiltrate. Escalation is a nice choke point and an easily logged, monitored event. Remember, asking users to use 2FA after you've lost their password database is a form of victim blaming. Plug: WiKID can do <a href="http://www.wikidsystems.com/support/tutorials/how-to-setup-two-factor-authentication-for-both-linux-and-windows-administrators/">2FA for Windows and Linux admins</a>. In this area, PCI-DSS is ahead of NIST.</p>
<p>2. Remember to avoid setting up identity silos. Keep your users in your directory where they are supposed to be and use a RADIUS server like NPS to proxy the authentications to a 2FA server.</p>
<p>3. Any 2FA is better than none, but you should evaluate your choice based on your organization's risk profile, threat analysis, and general preferences (on-premises or cloud, willingness to switch or tendency to stick to a solution, etc). </p>
<p>A long time ago, we pointed out that banks should be using <a href="http://www.wikidsystems.com/blog/validating-online-transactions-with-two-factor/">strong authentication for transactions</a>, not sessions. Now, we're talking about 2FA for privileged accounts. Perhaps it's more important where we implement 2FA than what kind. (But still, use WiKID.)</p>
<p><strong>Non-Console Administrative Access</strong> (2016-05-05T16:52:02+00:00, <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/non-console-administrative-access/">http://www.wikidsystems.com/blog/non-console-administrative-access/</a>)</p>
<p>Now that PCI-DSS 3.2 is live, we have been pondering how hard it will be to implement the new multi-factor authentication requirements. First some definitions from the PCI Glossary:</p>
<p><a href="https://www.pcisecuritystandards.org/pci_security/glossary#Non-Console%20Administrative%20Access" title="Non-Console Administrative Access">Non-Console Administrative Access:</a><br/><em>Refers to logical administrative access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console administrative access includes access from within local/internal networks as well as access from external, or remote, networks.</em></p>
<p><a href="https://www.pcisecuritystandards.org/pci_security/glossary#CDE" title="CDE">CDE</a>:<br/><em>Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.</em></p>
<p>It appears that not only will you have to use two-factor for your servers, but also your routers and VPNs. Luckily, this is not hard. </p>
<p>First, most enterprise-class routers and VPNs support RADIUS for authentication of administrators. Previously, we have shown how to add two-factor authentication for non-console access to both <a href="http://www.wikidsystems.com/support/how-to/how-to-add-two-factor-authentication-for-admin-access-to-a-cisco-asa-5500/" title="Non-console admin two-factor auth for Cisco">Cisco</a> and <a href="http://www.wikidsystems.com/support/how-to/how-to-require-two-factor-authentication-for-check-point-admins/" title="Non-console Administrative multi-factor auth for Checkpoint">Checkpoint</a> devices. You really should do this for all of your networking infrastructure to avoid attacks like <a href="http://www.wikidsystems.com/blog/yet-another-reason-to-add-two-factor-authentication-to-your-admin-accounts/">SYNful</a>.</p>
<p>Linux servers are easy too. Disable root login via SSH and require two-factor authentication for sudo via pam-radius. </p>
<p>Windows servers are harder because Microsoft, after spending all that money winning the battle of directories against Novell, wants you to use Active Directory all the time for everything. Even their RADIUS plugin, NPS, wouldn't allow proxying to third-party authentication servers until Server 2008. At WiKID, we have figured out an elegant way to use one-time passwords for AD users. It doesn't require any software on the Windows side, just an admin capable of changing passwords. Not even a group policy. It does require that you have a certificate for SSL connections, so you need to set up AD Certificate Server if you haven't. We do recommend that you have admin users and not just users that are admins. </p>
<p>We have a complete tutorial on setting up <a href="http://www.wikidsystems.com/support/tutorials/how-to-setup-two-factor-authentication-for-both-linux-and-windows-administrators/" title="multi-factor auth for non-console admins Windows and Linux">two-factor auth for Windows and Linux admins with WiKID</a>.</p>
<p>The best thing about implementing the new PCI requirements is that they should actually be very impactful. As noted in the 2016 Verizon DBIR, 63% of attacks use credentials to infiltrate or escalate their attacks. Preventing pass-the-hash attacks alone will make escalation much harder if not impossible. And it will make detection much easier. </p>
<p>Remember, WiKID is free for 5 users. <a href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/">Download today and lock down your network!</a></p>
<p><strong>Scalability notes for the WiKID Strong Authentication server</strong> (2015-10-26T16:26:00+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/scalability-notes-for-the-wikid-strong-authentication-server/">http://www.wikidsystems.com/blog/scalability-notes-for-the-wikid-strong-authentication-server/</a>)</p>
<p>Large two-factor authentication deployments are becoming more and more common these days as enterprises deploy it to more and more employees. We're also seeing more SaaS providers needing to meet regulations such as HIPAA and PCI. These enterprises have large user bases and need scalable, reliable, affordable two-factor authentication. We have the affordable part covered (you can see our <a class="internal-link" href="https://www.wikidsystems.com/pricing" target="_self" title="">pricing online</a>) and we are highly incented to provide reliable software thanks to our annual subscription license. But how scalable is WiKID?</p>
<p>We have had a stress tester for some time. We use it along with our <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-use-the-wikid-quick-configuration-option" target="_self" title="">quick-setup config option</a> to quickly build and test new releases. We decided to publish some results to show how well WiKID can scale. The first thing to know is that you can segment users across WiKID boxes without their knowledge or any impact on users. Second, we are testing transactions/authentications per time period and doing a lot of them, because we want to stress the system. You need to know how many authentications per minute you do to know how many WiKID servers you need.</p>
<p>The stress tester registers a number of users and then tests authentications using RADIUS. We run a number of rounds on the stress tester. The WiKID virtual servers use our minimum recommended setup of 2 gigs of RAM and 1 CPU. They are configured for replication, primary and secondary. The host is a modest server with plenty of RAM and 1 CPU with 8 cores. The tester runs on the host and the servers are in VirtualBox.</p>
<table class="plain" summary="Scalabilty of the WiKID Server">
<tbody>
<tr><th><strong>Transactions</strong></th><th><strong>Tx/Minute</strong></th><th><strong>Tx/Hour</strong></th></tr>
<tr>
<td>1,000</td>
<td>342.95</td>
<td>20,577.07</td>
</tr>
<tr>
<td>1,000</td>
<td>394.83</td>
<td>23,689.67</td>
</tr>
<tr>
<td>1,000</td>
<td>371.29</td>
<td>22,277.23</td>
</tr>
<tr>
<td>1,000</td>
<td>379.08</td>
<td>22,744.93</td>
</tr>
<tr>
<td></td>
<td>Average</td>
<td><em><strong>22,322.23</strong></em></td>
</tr>
</tbody>
</table>
<p>The tester starts out registering a bunch of users, then performs RADIUS authentications for those users. Here it is with 10,000 transactions:</p>
<table class="plain" summary="Scalabilty of the WiKID Server">
<tbody>
<tr><th>Transactions</th><th>TX/Minute</th><th>Tx/Hour</th></tr>
<tr>
<td>10,000</td>
<td>408.75</td>
<td><span style="text-align: right;">24,525.07</span></td>
</tr>
<tr>
<td>10,000</td>
<td>408.11</td>
<td><span style="text-align: right;">24,486.40</span></td>
</tr>
<tr>
<td>10,000</td>
<td>409.39</td>
<td><span style="text-align: right;">24,581.30</span></td>
</tr>
<tr>
<td></td>
<td>Average</td>
<td><strong><span style="text-align: right;">24,530.92</span></strong></td>
</tr>
</tbody>
</table>
<p>24,000 transactions per hour is a very decent throughput for a single small server. </p>
<p>Next, I set the logs to go to syslog instead of to the database. This means that they are not available in the WiKIDAdmin web UI, but they would go into your SIEM (you can set them to go to both, but you wouldn't see any speed improvement). </p>
<table class="plain">
<tbody>
<tr><th>Transactions</th><th>Tx/Minute</th><th>Tx/Hour</th></tr>
<tr>
<td>1,000</td>
<td><span style="text-align: right;">580.78</span></td>
<td><span style="text-align: right;">34,846.58</span></td>
</tr>
<tr>
<td>1,000</td>
<td><span style="text-align: right;">714.37</span></td>
<td><span style="text-align: right;"><span style="text-align: right;">42,862.25</span></span></td>
</tr>
<tr>
<td>1,000</td>
<td><span style="text-align: right;">769.36</span></td>
<td><span style="text-align: right;"><span style="text-align: right;">46,161.54</span></span></td>
</tr>
<tr>
<td>1,000</td>
<td><span style="text-align: right;">800.38</span></td>
<td><span style="text-align: right;">48,023.05</span></td>
</tr>
<tr>
<td></td>
<td><span style="text-align: right;">Average</span></td>
<td><span style="text-align: right;"><span style="text-align: right;">45,682.28</span></span></td>
</tr>
</tbody>
</table>
<p>That's pretty impressive. 45,000 authentications per hour. </p>
<p>This gives you an idea of what kind of peak performance WiKID can handle. This last 1,000 transaction test took less than 2 minutes. We're going on the record as saying that WiKID is secure, reliable, and highly scalable.</p>
<p><strong>Why you need a stand-alone two-factor authentication server</strong> (2015-09-10T14:21:00+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/why-you-need-a-stand-alone-two-factor-authentication-server/">http://www.wikidsystems.com/blog/why-you-need-a-stand-alone-two-factor-authentication-server/</a>)</p>
<p>We do a fair amount of testing and documentation for commercial and open-source VPNs (<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/cisco-two-factor-tutorials" target="_self" title="">Cisco</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-a-sonicwall-8-0-secure-remote-access-vpn" target="_self" title="">SonicWall</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/sophos-utm-two-factor-authentication-tutorials" target="_self" title="">Sophos</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/checkpoint-two-factor-tutorials" target="_self" title="">Checkpoint</a>, etc, etc). Increasingly, we see VPNs embedding some type of two-factor authentication into their product. The idea is to make it simple to add 2FA to your VPN services, a laudable goal and perhaps sufficient for some small organizations. So, when should you consider using a stand-alone service instead?</p>
<p>1. When you have critical infrastructure or data that needs securing for security or compliance reasons. A prime example would be any system with credit card information covered by <strong>PCI</strong> or PII covered by <strong>HIPAA</strong>.</p>
<p>2. When you have privileged accounts with multiple users. <strong>Privileged account management</strong> is of increasing concern. If you are thinking about it, then you need to think about adding two-factor authentication to it. </p>
<p>3. If you need <strong>two-factor authentication for customers</strong>. No point in having two separate systems. We increasingly see SaaS providers needing two-factor authentication.</p>
<p>4. If you need two-factor authentication for <strong>out-bound access</strong>. We have recommended this in the past as way to find all the services sending data out of your network - and whether they should be or not!</p>
<p>5. If you allow <strong>vendors</strong> in your network. Think Target and their HVAC vendor. </p>
<p>6. You plan on implementing <strong>SSO</strong>. SSO means keys to the kingdom, so best protect them.</p>
<p>7. If you provide non-VPN remote access, such as with <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentiction-to-bomgar-remote-support-server" target="_self" title="">Bomgar</a> or <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-vmware-view" target="_self" title="">VMWare View</a>.</p>
<p>In short, any place you use a password could be a place you use two-factor authentication. Two-factor authentication: Not just for remote access!</p>
<p>And, of course, you can <a class="internal-link" href="https://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise" target="_self" title="">download the WiKID server</a> and set up five free users anytime.</p>
<p><strong>Defense at every stage</strong> (2015-07-10T16:39:57+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/defense-at-every-stage/">http://www.wikidsystems.com/blog/defense-at-every-stage/</a>)</p>
<p>Another tweet struck me for its common sense and truth:</p>
<p><a class="external-link" href="https://twitter.com/dinodaizovi/status/618422788563582976" target="_self" title="Defense-in-depth defined"><img alt="defense-in-depth defined" class="image-inline" height="189" src="https://www.wikidsystems.com/static/media/uploads/images/WiKIDBlog/.thumbnails/defense_at_all_stages.jpg/defense_at_all_stages-603x189.jpg" width="603"/></a></p>
<p>To me, this is defense-in-depth defined. I will also point out that the "<a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/the-two-things-that-actually-work-in-information-security-and-how-to-deploy-them" target="_self" title="">two effective security technologies that stand the test of time</a>" (firewalls and two-factor authentication) can make these stages harder for attackers:</p>
<ul>
<li>Implementing two-factor authentication for remote access will make intrusion much more difficult.</li>
<li>Implementing two-factor authentication for privileged accounts will make escalation much more difficult.</li>
<li>Implementing two-factor authentication at your outbound proxy will make exfiltration much more difficult.</li>
</ul>
<p>We have seen a big increase in the use of two-factor authentication for remote access (thanks to regulations like PCI, often). I think we're about to see a big increase in two-factor authentication for <strong>privileged access management</strong> both for systems administrators and third-party access. We have recommended using <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to" target="_self" title="">pam_radius</a> to implement two-factor authentication for Sudo for a long, long time. Now with more tools for privileged access management available we will see this in the Windows world. It's well past time. In addition to thwarting escalation, such a setup would make detection easier and therefore movement and persistence more difficult as well. </p>
<p>I don't think we will see too much 2FA for out-bound access except for organizations with high-value IP. Organizations should be able to implement it quickly - in case they think there has been an intrusion. </p>
<p>You don't want to create new identity silos when doing this. Make sure that your authentications run through your directory even if you have to set up a RADIUS server to make it happen. (With the possible exception of <a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/keeping-vendors-out-of-ad" target="_self" title="">vendors that you don't want in your Active Directory</a>.) </p>
<p>The hardest part is most likely not the implementation, but convincing users and management that it's worthwhile to avoid being the next OPM. </p>
<p><strong>New eGuide on Adding Two-factor Authentication to your Network</strong> (2015-05-05T14:35:31+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/new-eguide-on-adding-two-factor-authentication-to-your-network/">http://www.wikidsystems.com/blog/new-eguide-on-adding-two-factor-authentication-to-your-network/</a>)</p>
<p>Multi-factor authentication is a key requirement for securing infrastructure, and we have tried our best to make it less expensive and less of a headache for users and admins. We do a lot of work helping systems administrators integrate two-factor authentication. These efforts often involve supporting other products and we're ok with that. People ask us "Do you work with my VPN?" So we often produce tutorials on how to add two-factor authentication to a specific product, like <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn" title="Using WiKID Strong Authentication with OpenVPN">OpenVPN</a> or a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-a-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid" title="How to configure a Cisco VPN concentrator for two-factor authentication from WiKID.">Cisco</a> box or a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-use-wikid-strong-authentication-with-juniper-uac-appliance" title="How to use WiKID Strong Authentication with Juniper IC Series UAC Appliance">Juniper UAC.</a></p>
<p>However, we realized that what was missing was an overview that gave more strategic guidance on how to plan out your two-factor authentication implementation. While we have a lot of the content on the website, we needed to put it into one document for continuity. So, please enjoy.</p>
<p>Also, please share this information. It is mostly product agnostic and uses RADIUS, an open and widely supported authentication protocol, so the lessons apply to all two-factor authentication products. This guide is primarily aimed at the overworked souls that toil in organizations <a href="https://451research.com/t1r-insight-living-below-the-security-poverty-line">living below the information security poverty line</a> that perform so many tasks it's difficult to do anything except meet the minimum PCI requirements. In my opinion, most of this deficit can be made up by education: better knowledge of how to implement security right and better awareness of less expensive/free/open-source options.</p>
<p>You can <a class="internal-link" href="https://www.wikidsystems.com/learn-more/white-papers" title="Two-factor Authentication White Papers">download the eGuide and all of our white papers here without registering</a>.</p>
<p><strong>More on the security concerns for SSH and Key Management</strong> (2014-07-29T16:52:00+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/more-on-the-security-concerns-for-ssh-and-key-management/">http://www.wikidsystems.com/blog/more-on-the-security-concerns-for-ssh-and-key-management/</a>)</p>
<p>We've blogged previously about the potential <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid">compliance issues around SSH keys</a> and about the risks of <a class="external-link" href="https://www.wikidsystems.com/WiKIDBlog/risks-from-poorly-managed-ssh-keys">poor SSH key management</a>. A recent <a class="external-link" href="https://www.venafi.com/assets/pdf/wp/Gaps_In_SSH_Security_Create_An_Open_Door_For_Attackers.pdf">Forrester survey</a> (PDF warning!) revealed:</p>
<ul>
<li>36% of enterprises do not scan for unauthorized keys.</li>
<li>47% of IT professionals reported dealing with a security incident due to compromised or mis-used keys.</li>
<li>Keys are rarely rotated. </li>
<li>40% of enterprises rely on sys admins to detect a rogue SSH key.</li>
</ul>
<p>You could purchase software to help you manage keys (as the sponsors of that survey no doubt recommend), but you would essentially be setting up a second user database instead of relying on your existing directory infrastructure. By using PAM-RADIUS and a one-time password you can have two-factor authentication tied into your AD. Rogue keys would cease to be an issue.</p>
<p><strong>Risks from poorly managed SSH Keys</strong> (2014-03-07T15:18:00+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/risks-from-poorly-managed-ssh-keys/">http://www.wikidsystems.com/blog/risks-from-poorly-managed-ssh-keys/</a>)</p>
<p>Read Computerworld's article about a Ponemon study discussing <a class="external-link" href="http://www.computerworld.com/s/article/9246512/Poorly_managed_SSH_keys_pose_serious_risks_for_most_companies">SSH key management issues</a>:</p>
<p class="callout">Even though more than half of the surveyed enterprises had suffered SSH-key related compromises, 53% said they still had no centralized control over the keys and 60% said they had no way to detect new keys introduced in the organizations. About 46% said they never change or rotate SSH keys -- even though the keys never expire.</p>
<p>We've talked about this before. We love SSH, can't live without it, but key management is difficult and often fails to meet compliance standards, particularly PCI. Some people have suggested <a class="external-link" href="http://neocri.me/documentation/using-ssh-certificate-authentication/">SSH certificates</a>, which look interesting, but they introduce yet another identity management system and yet another authentication system.</p>
<p>It's much better to have all your users using the same identity management and authentication system. One-time passcodes as a form of two-factor authentication are particularly useful in this regard, as passwords tend to work in all UIs. Certificates do not. </p>
<p>It is also best to have a single point of user disablement, with HR able to perform it. This points to using RADIUS as the authentication protocol of choice inside the network. RADIUS will do the authorization in your directory (AD, LDAP) and, if that passes, the authentication in a separate system. Disabling a user in the directory is the only step required.</p>
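<p>As an added example (not WiKID's code), the RADIUS exchange this post and the NPS-proxy advice above describe, modelled end to end per RFC 2865: the client hides the one-time passcode in the User-Password attribute, the server checks the directory first and only then the passcode, and the client accepts the verdict only after verifying the Response Authenticator. The shared secret, the directory contents and the 2FA server's expected passcodes are constructed stand-ins.</p>

```python
"""RADIUS one-time-passcode exchange (RFC 2865) with directory authorization first."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SHARED_SECRET = b"constructed-shared-secret"  # constructed; one secret per NAS in practice

# Constructed stand-ins for the two back ends: the enterprise directory
# (authorization: is the account enabled?) and the 2FA server (is the passcode right?).
DIRECTORY = {"alice": {"enabled": True}, "bob": {"enabled": False}}
OTP_SERVER = {"alice": "482913", "bob": "771002"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # length includes 2-byte header


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident: int, user: str, otp: str):
    """Client side (pam_radius, a VPN, NPS): the passcode travels as User-Password."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(otp.encode(), SHARED_SECRET, request_auth))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt, request_auth


def handle_access_request(pkt: bytes) -> bytes:
    """Server side: authorize against the directory, then authenticate the passcode."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, request_auth)
    # Authorization first: disabling the account in the directory is enough to lock it out.
    allowed = DIRECTORY.get(user, {}).get("enabled", False)
    expected = OTP_SERVER.get(user, "")
    otp_good = bool(expected) and hmac.compare_digest(otp, expected.encode())
    reply_code = ACCESS_ACCEPT if (allowed and otp_good) else ACCESS_REJECT
    # Reply carries no attributes. Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", reply_code, ident, 20)
    return header + hashlib.md5(header + request_auth + SHARED_SECRET).digest()


def verify_response(resp: bytes, request_auth: bytes) -> int:
    """Client side: trust the verdict only if the Response Authenticator checks out."""
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("Response Authenticator mismatch; reply was forged or altered")
    return code


def authenticate(user: str, otp: str) -> int:
    """Run the whole exchange; returns ACCESS_ACCEPT or ACCESS_REJECT."""
    req, request_auth = build_access_request(7, user, otp)
    return verify_response(handle_access_request(req), request_auth)
```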
<p>For SSH, all you need to do is to configure <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to">PAM-RADIUS</a> and tell <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid">SSH to use it</a>. Then you can use pam-radius for any other service that supports PAM, such as sudo. If you add two-factor authentication to SSH, you don't have to worry about the existing keys; they would only be used for encryption, not identification, solving your key management issue.</p>
<p><strong>SSH key management a potential risk</strong> (2013-06-12T19:18:00+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/ssh-key-management-a-potential-risk/">http://www.wikidsystems.com/blog/ssh-key-management-a-potential-risk/</a>)</p>
<p>We've long said that while we love SSH, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid">SSH key management is a weak point,</a> especially if you need to meet compliance requirements such as PCI. Now <a class="external-link" href="http://www.darkreading.com/database/bad-ssh-key-management-leaves-databases/240156501">Charles Kolodgy of IDC is saying the same thing</a>:</p>
<p class="callout">"An interesting unintended consequence of SSH is that an SSH connection can be used to bypass access control mechanisms such as password-based systems," Kolodgy recently wrote. "If a system account--operating systems, middleware, databases, and applications for running processes--has a key association, a user can make a connection to the system account, circumventing the standard password-based authentication. This access is made possible because the SSH key association provides acceptable authentication."</p>
<p>It's best to have all of your authentication processes go through the same process, and it should include a stop at your enterprise directory, whether Active Directory or LDAP. In this way, all your remote access authentications, whether it is an admin logging into a database server or a VP checking email via the VPN, follow the same path. Users need to be disabled quickly and securely by the proper people in an organization. The more access/power they have, the more important that is.</p>
<p>For information on how to configure all your major remote access services including VPNs and SSH, please download our <a class="internal-link" href="https://www.wikidsystems.com/learn-more/white-papers">eGuide on adding two-factor authentication to your network</a>.</p>
<p><strong>Reporting via our API</strong> (2013-06-05T14:37:00+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>, <a href="http://www.wikidsystems.com/blog/reporting-via-our-api/">http://www.wikidsystems.com/blog/reporting-via-our-api/</a>)</p>
<p>Reporting is a fact of life. And to be honest, good reporting is good for security. In this post, we will take a look at the reports you can generate via the wAuth API to help monitor and manage your two-factor authentication installation.</p>
<p>The first report is the user report:</p>
<pre><%
// Handles the "Get User Report" form action. wc (assumed here to be the wAuth client
// connection) and status are set up earlier in the page and are not shown.
if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Get User Report")) {
    // Output format comes from the "separator" request parameter; XML is the default.
    ReportDataTransaction.Separator separator;
    if ("comma".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.COMMA;
    } else if ("tab".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.TAB;
    } else {
        separator = ReportDataTransaction.Separator.XML;
    }
    // Checkbox parameters are only present in the request when ticked, hence the null tests.
    status = wc.getUserReport(separator, request.getParameter("includeDisabledUsers") != null, request.getParameter("includeTokenData") != null);
}
%>
</pre>
<p>The XML looks like (note that the XML needs to be on one line, it is edited for presentation):</p>
<pre>
<transaction>
  <type>12</type>
  <data dataType="USER" separator=",">
    <options>
      <includeDisabledUsers>true</includeDisabledUsers>
      <includeTokenData>true</includeTokenData>
      <groupUserData>false</groupUserData>
      <includeDisabledDevices>false</includeDisabledDevices>
      <includeUnregistered>false</includeUnregistered>
    </options>
  </data>
</transaction></pre>
<p>The report is available in comma delimited, tab delimited and XML.</p>
<pre>username,badPasscodes,userCreation,userStatus,tokenDeviceID,tokenStatus,badPINs,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName </pre>
<p>This report will show you users that are perhaps in danger of getting disabled for bad passcode attempts (i.e., bad logins) or bad PIN attempts.</p>
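<p>As an added example (not WiKID's code), a small consumer for the user report above that flags enabled users approaching lockout or token expiry, reading either the comma- or the tab-delimited form. The sample rows, the date format, the status strings and the warning thresholds are constructed assumptions; tune the thresholds to your server's lockout settings.</p>

```python
"""Flag at-risk two-factor users from the wAuth user report (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample in the comma-delimited layout the post lists. The YYYY-MM-DD
# dates and the ENABLED/DISABLED status strings are assumptions for this example.
SAMPLE_USER_REPORT = """\
username,badPasscodes,userCreation,userStatus,tokenDeviceID,tokenStatus,badPINs,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName
alice,0,2013-01-10,ENABLED,1001,ENABLED,0,2014-01-10,2013-01-10,123456789012,corp,corp.example
bob,4,2013-02-02,ENABLED,1002,ENABLED,1,2013-06-20,2013-02-02,123456789012,corp,corp.example
carol,1,2013-03-15,ENABLED,1003,ENABLED,3,2013-12-01,2013-03-15,123456789012,corp,corp.example
dave,0,2013-01-01,DISABLED,1004,DISABLED,0,2013-12-31,2013-01-01,123456789012,corp,corp.example
"""


def load_report(text: str, separator: str = "comma") -> list:
    """Parse a comma- or tab-delimited wAuth report into dicts keyed by the header row."""
    delimiter = {"comma": ",", "tab": "\t"}[separator]
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


def at_risk_users(rows: list, today: date, warn_bad_passcodes: int = 3,
                  warn_bad_pins: int = 3, expiring_within_days: int = 30) -> dict:
    """Return {username: [reasons]} for enabled users heading toward lockout or
    token expiry. Thresholds are assumed values, not the server's defaults."""
    flagged = {}
    for row in rows:
        if row["userStatus"] != "ENABLED":
            continue  # already disabled; nothing left to warn about
        reasons = []
        if int(row["badPasscodes"]) >= warn_bad_passcodes:
            reasons.append("badPasscodes=%s" % row["badPasscodes"])
        if int(row["badPINs"]) >= warn_bad_pins:
            reasons.append("badPINs=%s" % row["badPINs"])
        expires = date.fromisoformat(row["tokenExpiration"])
        if expires <= today + timedelta(days=expiring_within_days):
            reasons.append("token expires %s" % row["tokenExpiration"])
        if reasons:
            flagged[row["username"]] = reasons
    return flagged
```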
<p>If you run multiple domains, you may want a report based on domains:</p>
<pre><%
// Same pattern as the user report: wc and status are assumed to be declared earlier.
if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Get Domain Report")) {
    ReportDataTransaction.Separator separator;
    if ("comma".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.COMMA;
    } else if ("tab".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.TAB;
    } else {
        separator = ReportDataTransaction.Separator.XML;
    }
    // groupUserData is a checkbox: present in the request only when ticked.
    status = wc.getDomainReport(separator, request.getParameter("groupUserData") != null);
}
%>
</pre>
<p>This report shows the following information:</p>
<pre> domainName,domainCode,deviceDomainName,userName,tokenDeviceID </pre>
<p>Each user can have more than one token/device. You can generate a report of your two-factor authentication users based on their tokens:</p>
<pre><%
// Same pattern again: wc and status are assumed to be declared earlier in the page.
if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Get Device Report")) {
    ReportDataTransaction.Separator separator;
    if ("comma".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.COMMA;
    } else if ("tab".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.TAB;
    } else {
        separator = ReportDataTransaction.Separator.XML;
    }
    // Both options are checkboxes: present in the request only when ticked.
    status = wc.getDeviceReport(separator, request.getParameter("includeDisabledDevices") != null, request.getParameter("includeUnregistered") != null);
}
%>
</pre>
<p>The output:</p>
<pre>deviceid,username,badPINs,tokenStatus,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName</pre>
<p>If you have any additional reporting needs, please let us know!</p>Wisdom about two-factor authentication based on facts2013-05-16T18:01:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/wisdom-about-two-factor-authentication-based-on-facts/<p>There is one quote in the <a class="external-link" href="http://www.verizonenterprise.com/DBIR/2013/">Verizon DBIR</a> that speaks volumes about the value of two-factor authentication to enterprise users:</p>
<p class="callout">If data could start a riot (“Occupy Passwords!”), we could use these statistics to overthrow single-factor passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80% of these attacks to adapt or die.</p>
<p>Authentication-based attacks are used in 4 out of 5 attacks. Same as last year.</p>
<p>There are indeed attacks against two-factor authentication and Verizon makes it clear that the attacks will adapt, but that is the nature of the game. Did you pull your anti-virus and firewalls when they were circumvented?</p>
<p>Strategically, two-factor authentication must be one of the top security tools for enterprises. What else will impact 80% of attacks?</p>PCI Compliance2013-05-15T16:31:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/pci-compliance/<p>If you are using the WiKID Strong Authentication System to meet the PCI-DSS requirement for two-factor authentication, you should upgrade to the latest version of the server. We have a couple of fixes for issues that showed up in a scan. See the <a class="internal-link" href="https://www.wikidsystems.com/downloads/changelogs">Changelogs</a>. In particular, build 3.5.0-b1411 disabled unnecessary HTTP methods and 3.5.0-b1403 removed weak SSL ciphers from the WiKIDAdmin.</p>Big Data vs Easy Data: The WiKID OSSIM plugin2013-02-12T21:01:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/big-data-vs-easy-data-the-wikid-ossim-plugin/<p>Big data is all the hype right now, but what most companies need is not big data but easy data. The truth is that most average-sized organizations do not even monitor the logs that they collect. That's changing as log management and monitoring are required as part of PCI compliance. Enterprises need log management tools.</p>
<p>In this spirit, we have released a WiKID plugin for OSSIM, Alienvault's open-source SIEM. It is very simple for now, with only a few rules, but it will be easy to add more if there is interest.</p>
<p>The plugin consists of two files:
<a href="http://www.wikidsystems.com/webdemo/WiKID.cfg">
http://www.wikidsystems.com/webdemo/WiKID.cfg</a> and <a href="http://www.wikidsystems.com/webdemo/WiKID.sql">http://www.wikidsystems.com/webdemo/WiKID.sql </a>.</p>
<p>Copy the first file to /etc/ossim/agent/plugins and the second to /usr/share/doc/ossim-mysql/contrib/plugins/WiKID.sql. Restart the ossim server and you should be good to go.</p>
<p>On the WiKID server, configure the logs to use syslog. You will need to edit the file /etc/WiKID/log4j.properties so it looks like this:</p>
<pre># Logging detail level,
# Must be one of ("trace", "debug", "info", "warn", "error", or "fatal").
#log4j.rootLogger=DEBUG, socketLogger
# comment the line above and uncomment the line below to use syslog
log4j.rootLogger=DEBUG, socketLogger, Syslog, A1
# comment out the rootLogger above and uncomment the line below to output logs to the console
#log4j.rootLogger=DEBUG, socketLogger, A1
log4j.appender.socketLogger=org.apache.log4j.net.SocketAppender
log4j.appender.socketLogger.RemoteHost=localhost
log4j.appender.socketLogger.Port=8300
log4j.appender.socketLogger.LocationInfo=true
# Uncomment the lines below if using syslog
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=%-5p %c{2} [%t,%M:%L] %m%n
log4j.appender.Syslog.SyslogHost=
log4j.appender.Syslog.Facility=WiKID
log4j.appender.Syslog.FacilityPrinting=true
# A1 is set to be a ConsoleAppender.
log4j.appender.A1=org.apache.log4j.ConsoleAppender
# A1 uses PatternLayout.
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n</pre>
<p>Change log4j.appender.Syslog.SyslogHost to the IP address of your OSSIM server.</p>
<p>That's it. You can test it by logging in via radius and by using a bad password. WiKID has always recognized that <strong>two-factor authentication is just part of a balanced, deep security program</strong>. In order to work well, these pieces need to communicate.</p>
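<p>A small consumer for the lines this configuration produces, added here as an example (it is not part of the WiKID OSSIM plugin or of WiKID itself): it parses lines in the ConversionPattern configured above, <code>%-5p %c{2} [%t,%M:%L] %m%n</code>, and counts failed authentications per user, which is the kind of condition a plugin rule alerts on. The message wording, the user names, the form of the "WiKID:" facility prefix that FacilityPrinting adds and the alert threshold are all assumptions.</p>

```python
"""Parse WiKID syslog lines in the log4j PatternLayout configured on the page
and count failed authentications per user.

Added example, not part of the WiKID OSSIM plugin. The layout follows the
ConversionPattern %-5p %c{2} [%t,%M:%L] %m%n; the message texts, user names,
the "WiKID:" facility prefix form and the threshold are constructed assumptions.
"""
import re
from collections import Counter

# %-5p = level padded to 5, %c{2} = last two category parts,
# [%t,%M:%L] = thread, method and source line, %m = message.
LINE_RE = re.compile(
    r"^(?:WiKID:)?"                       # facility prefix from FacilityPrinting=true (assumed form)
    r"(?P<level>[A-Z]+)\s+"               # %-5p
    r"(?P<category>\S+)\s+"               # %c{2}
    r"\[(?P<thread>[^,\]]+),(?P<method>[^:\]]*):(?P<line>\d+|\?)\]\s+"  # [%t,%M:%L]
    r"(?P<message>.*)$"                   # %m
)

# Constructed sample lines in the configured layout; not real WiKID output.
SAMPLE_LINES = [
    "WiKID:INFO  server.RadiusHandler [Thread-3,handle:120] Authentication success for user alice in domain corp.example.com",
    "WiKID:WARN  server.RadiusHandler [Thread-3,handle:131] Authentication failed for user bob in domain corp.example.com: bad passcode",
    "WiKID:WARN  server.RadiusHandler [Thread-4,handle:131] Authentication failed for user bob in domain corp.example.com: bad passcode",
    "WiKID:DEBUG server.RadiusHandler [Thread-4,parse:88] received access-request from 10.0.0.5",
    "this line does not match the layout",
]

# Assumed wording of the user reference inside the message.
USER_RE = re.compile(r"\bfor user (?P<user>\S+)")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does
    not match the configured layout (so foreign lines are never miscounted)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failed_auth_counts(lines):
    """Count messages that start with 'Authentication failed' per user.
    Unparseable lines and messages without a user name are ignored."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if not fields or not fields["message"].startswith("Authentication failed"):
            continue
        um = USER_RE.search(fields["message"])
        if um:
            counts[um.group("user")] += 1
    return dict(counts)


def over_threshold(lines, limit=2):
    """Users whose failed-authentication count reaches limit, sorted; this is
    the condition an OSSIM correlation rule would fire on. limit is assumed."""
    return sorted(user for user, n in failed_auth_counts(lines).items() if n >= limit)


if __name__ == "__main__":
    print(failed_auth_counts(SAMPLE_LINES))
    print(over_threshold(SAMPLE_LINES))
```

<p>If you read the lines from a file written by the OSSIM host's syslog daemon rather than straight off the UDP socket, strip the daemon's own timestamp and hostname prefix before handing each line to <code>parse_line</code>; the regex anchors on the log4j layout only.</p>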
<p>If you would like to see other rules, please let us know!</p>Are most people doing two-factor authentication right?2012-11-15T16:30:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/are-most-people-doing-two-factor-authentication-right/<p>Needless to say, we're big proponents of two-factor authentication around here. We also have a pretty broad spectrum of customers, from large service providers pushing two-factor authentication out to customers to small businesses doing security for the first time thanks/due to <a class="external-link" href="https://www.pcisecuritystandards.org/">PCI requirements</a>. A lot of infosec rock stars talk about how PCI should be a floor and, without disagreeing, we see first-hand companies reaching that floor, called by some the '<a class="external-link" href="https://451research.com/t1r-insight-living-below-the-security-poverty-line">information security poverty line</a>', and know that it is a big improvement.</p>
<p>One of the key ways we know whether a company is really trying or not is how they configure their two-factor authentication in their network. PCI regulations can be met by having your VPN talk directly to the two-factor authentication server. This configuration is quite easy if you use radius.</p>
<p>It takes more effort up front to have the VPN concentrator talk to your directory and have the directory perform authorization and then proxy the authentication request to the WiKID Strong Authentication server. However, the security benefits of this setup are clear. It is much easier to deprovision users and to have role changes reflected immediately. Long term, it's also less work and more flexible.</p>
<p>While recently reviewing our web analytics, I was interested to see that our top instructional content piece over the last 90 days is "<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps" title="How to add two-factor authentication to NPS">How to add two-factor authentication to NPS</a>". The next most popular is our tutorial on <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu" title="How to configure Pam-radius in Ubuntu">"PAM radius for Ubuntu"</a>, followed by "<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius" title="How to add two-factor authentication to OpenLDAP and Freeradius">How to add two-factor authentication to OpenLDAP & Freeradius"</a>. Less popular, but still higher than most of our VPN tutorials, is "<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-ias-to-support-two-factor-authentication" title="How to configure IAS to support two-factor authentication">How to Configure IAS to Support Two-factor authentication</a>".</p>
<p>So two of our top three tutorials of late are about setting up two-factor authentication correctly. Of course, you can argue that almost everyone that has a directory is using AD or OpenLDAP, whereas we have a tutorial for all the major VPN providers (<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-a-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid" title="How to configure a Cisco VPN concentrator for two-factor authentication from WiKID.">Cisco</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-use-wikid-strong-authentication-with-juniper-uac-appliance" title="How to use WiKID Strong Authentication with Juniper IC Series UAC Appliance">Juniper</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-a-sonicwall-vpn" title="How to add WiKID Two-Factor Authentication to a SonicWall VPN">Sonicwall</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center" title="WiKID Documentation Center">etc. etc</a>.), but I choose to see it as heading in the right direction. (Of course, if I weren't an uber-optimist I would have a real job instead of being</p>
<p>In addition, these numbers do not include the downloads for our eGuide on <a class="internal-link" href="https://www.wikidsystems.com/learn-more/white-papers"><span class="internal-link">Adding Two-factor Authentication to your Network</span></a>, which of course stresses the inclusion of your directory, with NPS as an example.</p>Updated OpenVPN & Two-factor authentication tutorial2012-10-05T14:25:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/updated-openvpn-two-factor-authentication-tutorial/<p>We recently updated the tutorial on how to add <a class="external-link" href="http://www.howtoforge.com/adding-two-factor-authentication-to-openvpn-as-with-the-wikid-strong-authentication-server">two-factor authentication to OpenVPN AS</a> over on HowToForge. It's quite easy.</p>PCI compliance in the local news2012-09-07T16:43:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/pci-compliance-in-the-local-news/<p>The Atlanta-area transit authority was forced to accept only cash due to software errors it blamed on its <a class="external-link" href="http://www.ajc.com/news/business/marta-riders-urged-to-bring-cash-to-avoid-vending-/nR2Ks/">efforts to meet PCI compliance</a>.</p>
<div class="pullquote">MARTA passengers had to rely on only cash to purchase fares over the
Labor Day holiday weekend, when a software problem wouldn’t allow Breeze
cards to be used. The agency said earlier this week that the problem
might involve software used to help make the Breeze card system
compliant with major credit and debit card companies’ security
requirements.</div>
<p>I haven't blogged about PCI compliance in a while. Of course, we have a lot of customers that use WiKID to meet the two-factor authentication requirement 8.3 and we still get a number of customers deploying two-factor authentication for the first time (though increasingly they are <a class="internal-link" href="https://www.wikidsystems.com/learn-more/features/lessexpensive" title="WiKID: Save Big on your Total Cost of Ownership">switching from a more expensive competitor</a>). But really, it seemed like most of the organizations that needed to be compliant were. </p>
<p>It brings back that old debate of whether PCI is a floor or a ceiling. Many infosec professionals and analysts are aware of companies that look at PCI and do that and only that. Some have said they know of companies that reduce their security to PCI levels. </p>
<p>That may be the case, but at WiKID, we see the other side: companies now increasing their security spend to meet PCI. These are often smaller companies or newer retailers. We may have a biased view, but I think there are far more companies that don't have security professionals and don't use infosec analysts than those that do. So I think PCI has increased overall security. </p>
<p>That being said, PCI needs to keep raising the bar. The MARTA situation shows that there are still some major holes as well.</p>
ViTM - The Vendor in the Middle2011-06-01T15:14:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/vitm-the-vendor-in-the-middle/<p>Enterprise security architects are traditionally very wary of systems that rely on third parties for access, uptime or security. Ironically, many of these same architects deployed RSA SecurID systems without considering (or heavily discounting) the fact that RSA kept copies of the seeds for licensing purposes.</p>
<p>My intention here is not to pile on RSA, but rather to clarify the root cause, because as organizations evaluate alternatives to SecurID, they are often making the same mistake: relying on a security vendor's infrastructure - or worse, using a system like SMS, where the provider is not even a security vendor! That's not to say that no organization would be better off using a service, only that they should be aware of the risks, just as some organizations will be better off "in the cloud" while some will not.</p>
<p>I dislike all the confusion around two-factor authentication. Security people seem to ignore the difference between shared secrets and asymmetric encryption, services and software, etc. I don't know why two-factor authentication is such an emotional issue. Pundits like to say things like "<a class="external-link" href="http://www.schneier.com/blog/archives/2005/03/the_failure_of.html">too little, too late</a>" about it. Excessive negativity does nothing to increase security.</p>
<p>There are two big trends occurring now: increased adoption of two-factor authentication due to cloud-based services and compliance requirements such as PCI, and a re-evaluation of the price/benefit of expensive hardware tokens (which started well before the RSA attack). It is my hope that organizations will make intelligent decisions about the products they choose based on their risk profile and capabilities. It is my concern that we are not giving any clear thought to the matter.</p>PCI news & updates2011-04-21T15:42:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/pci-news-updates/<p>According to this <a class="external-link" href="http://www.informationweek.com/articles/229401946">article on InformationWeek</a>:</p>
<p class="callout">The Payment Card Industry Data Security Standard--known as PCI DSS, or just PCI--is meant to safeguard cardholder data. Yet, 67% of PCI-regulated companies are still not in full compliance with the standard.</p>
<p>At the same time, the PCI Council has pointed out that <a class="external-link" href="http://storefrontbacktalk.com/securityfraud/new-pci-call-center-recording-advice-make-sad-go-away/">if you have a call-center that processes credit card data, it needs to be in scope</a>.</p>
<p>I'm firmly in the camp that PCI is "raising the security floor". We know from experience that organizations that never would have before are deploying two-factor authentication to their infrastructure. I think that two-factor authentication is, in particular, a technology that indicates a change in the market. Deploying strong authentication affects end-users, as opposed to deploying an application firewall, for example. While great strides have been made, clearly, the PCI effort still has a long way to go.</p>Security Missteps Made in the Name of Compliance2010-02-23T19:07:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/security-missteps-made-in-the-name-of-compliance/<p>In the <a class="external-link" href="http://www.csoonline.com/article/552617/Five_Security_Missteps_Made_in_the_Name_of_Compliance">Five Security Missteps made in the Name of Compliance</a>, <a class="external-link" href="http://www.csoonline.com/author/380013/Bill+Brenner">Bill Brenner</a> lists "How to Botch Multi-factor Authentication" first. The point is that if you open holes for users that have forgotten their hardware tokens, you have circumvented your own security, eliminating the value of two-factor authentication.</p>
<p>WiKID helps prevent the need for this type of circumvention in two ways. First, using the wireless tokens means that the user has to forget their <a class="internal-link" href="http://www.wikidsystems.com/downloads/software-token-clients/" title="Token Clients">Blackberry, iPhone, or Android smartphone</a>, which is much less likely because they actually like those things and/or need to have them for non-work related things. Secondly, unlike most software tokens, WiKID is licensed per seat and not per token. With shared-secret tokens, you get a list of seeds you can use, and you can only get extra seeds by paying for them. With WiKID, each unique username is a seat license and each user can have more than one token. A user with a forgotten token can be issued a new one, perhaps on a USB drive. Obviously, you still have to properly validate that the user is who they say they are, but you do not have to open a door for single-factor authentication.</p>
<p>Hopefully, managers worried about quickly meeting compliance goals will find this post, helping them not make the second mistake: failing to do enough research.</p>