The RSA SecurID token has arguably been the defacto second factor authenticator for many years. Despite the recent breach at RSA I do not see many organizations moving to alternate vendors or other second factor technologies, like PKI / SmartCards or telephone based solutions. In the wake of the RSA breach most companies seem to be replacing tokens and hardening their SecurID & Authentication Manager infrastructures and reviewing relevant security processes. I have seen a couple organizations look to add additional authentication methods to supplement existing SecurID implementations for remote access, like requiring PKI certs in addition to SecurID for Remote Access. Obviously this capability is dependent on your Remote Access vendor. If you are staying with SecurID for your Remote Access authentication you should be taking a hard look at your access logs. Below are some searches that you may find useful if your logging environment can perform them. The ability to perform GeoIP lookups and calculate temporal data is required for some of the searches. Many of these searches will require you to baseline this activity in your environment to reduce the false positives.

• Top 20 Remote Access source IP addresses for the last 30 days
• Top 20 Remote Access users for the last 30 days
• Remote Access attempt from non-US IP address
• Remote Access attempts at “odd” hours
• Remote Access failures from multiple
• Remote Access attempts from one IP address for two or more usernames
• Remote Access attempts for one username from at least two different IP addresses in XX minutes
• Remote Access attempts for one username from at least two different countries in an X hour period
• Remote Access sessions of longer than usual duration
• SecurID authentication attempt involving Invalid / Revoked / Expired tokens
• SecurID authentication attempts involving one username and multiple token serial numbers
• SecurID authentication attempts involving one token serial number and multiple usernames
• SecurID “Right Token code, wrong PIN” messages

There are probably others that can be added to the list.  Your RSA sales rep can provide you with a copy of their Security best practices guide for Authentication Manager as well as their Log Monitoring Guidelines. The NSA’s Information Assurance Directorate has also published an unclassified advisory on securing your SecurID infrastructure. If you Google it you should be able to find a copy.

–Chris

My old pal’s from the System Network and Attack Center at the NSA have a great guide on securing routers. The Router Security Configuration Guide has a good amount of the networking basics and then goes into a lot of hands on configurations and best practices. Cisco routers are covered specifically but I would imagine that a lot of the commands would be the same for other routers that support CLI. Combining information from this guide along with using the Router Audit Tool (RAT) from the Center for Internet Security will get you going in the right direction.

I think that routers are one of the most overlooked pieces of perimeter security. A finely tuned border router can do a lot for you and your security posture.

Technorati Tags: NSA, SNAC, router, information security

http://1208930147

and

http://%67%6f%6f%67%6c%65%2e%63%6f%6d

For a good explanation as to why this is and what URL obfuscation is used for, check out this post.

–Chris

Technorati Tags: URL, obfuscation, Browser, Google

Anonymity
Skype is basically Voice over IP (VoIP) using some peer to peer (P2P) technologies. I am not going to go into the details here. If you want to learn more about how Skype works check out this link. Since Skype is P2P based many people believe that there is an inherent security, due to the multiple peers involved with the call. This is simply not true . If it has an IP address it is traceable to some extent. Kobi Alexander (former CEO of Comverse and Federal Fugitive) found this one out the hard way. He placed a one minute Skype call which investigators traced to Sri Lanka. He was arrested in Namibia shortly after. George Mason University has published a paper on Tracking Anonymous PeertoPeer VoIP Calls on the Internet. It’s an interesting read.

Disabling Super Node
Skype has the ability (and authority under the EULA you didn’t read) to use your PC as a Super Node. Skype uses Super Nodes to route Skype phone calls. If you have a reasonable fast processor and fast Internet connection your PC may be tasked with being a Super Node. The concern here is that Skype could plug up your network with calls being routed to other Skype users. This was enough of a concern to the folks at Fermi National Accelerator Laboratory that they wrote a how-to on disabling super node / relaying in Skype.

**DISCLAIMER:** Disabling Super Node is Skype *may* be in violation of their Terms of Service. I have not read closely it so I do not know for sure. Proceed at your own risk and I take no responsibility.

Disable File Transfer & API access
Transferring files using IM / Chat / VOIP clients has been problematic at best because of the risk of passing malicious files. Most commercial AntiVirus vendors don’t have tight integration with these types of products. There are AV plugins for Outlook and IE but not may for Trillian or mirc. The Skype Security Blog has a post on Disabling File Transfers.

On that same blog post is a procedure for disabling access to the Skype API. As the saying goes, if you don’t need it…don’t turn it on.

There is also a good whitepaper on Skype security by Simson Garfinkel here.

–Chris

–Chris

Definitely worth a read if you want a cheat sheet on 802.1x. It’s through Bitpipe so you will have to register to download it.

–Chris

Technorati Tags: 802.1x, Fluke, Bitpipe

220 mydomain.com Microsoft ESMTP MAIL Service, Version: 6.5.7226.6 ready at
Wed, 30 Aug 2006 16:11:32 -0400

you can tell that it is at least MS Exchange 2003 with Service Pack 1 installed. They don’t seem to cover the Small Business Server versions of Exchange. My SBS 2003 returns a version string of 6.0.3790.1830, which is not listed. They also don’t cover the myriad of hotfixes / updates that change a build number. Still a good reference though as a place to start.

Outlook build numbers are listed there as well.

–Chris

Technorati Tags: Exchange, Pentest, Outlook, Microsoft

If you are looking to learn more about application security (web application security specifically), check out OWASP. It’s the Open Web Application Security Project. There are local chapters all over the world.

–Chris

Technorati Tags: SQL injection, application security