NSA Recommendations for RSA SecurID Users After Cyber Intrusion
Posted by Zuly Gonzalez. Categories: Computer Security, Resources, Security.

On March 17, 2011, RSA announced that it had been the victim of a cyber intrusion, and as a result, information related to its SecurID product – a two-factor authentication device – had been compromised. According to RSA, the compromise does not lead to a direct attack on SecurID, but it does decrease its effectiveness.

In reaction to the RSA cyber intrusion, the National Security Agency (NSA) released Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion. This advisory expands on the information previously released by NSA in Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion, and provides additional guidance on:

  • The use of SecurID hard tokens and soft tokens
  • Fortifying the security profile of SecurID’s authentication factors
  • Measures to harden SecurID’s Authentication Manager

Here is a summary of NSA’s recommendations for SecurID customers.

The Use of SecurID Hard Tokens and Soft Tokens

RSA is exploring remediation strategies and best practices for its customers. However, implementation of these strategies may take some time. Customers should continue to work with RSA to develop short-term and long-term mitigations. Options include:

  • Continued use of hard tokens: In some circumstances, the risk of continued use of hard tokens may be deemed minimal.
  • Replacing hard tokens with soft tokens: For this option, an application is installed to generate a one-time password.

Fortifying the Authentication Factors

As a best practice, SecurID should not be used as the sole means of authentication. Recommendations on additional authentication measures and how to securely implement them are:

  • Augment SecurID with usernames and passwords: A relatively simple way to augment SecurID is to also require a username and password to log in to the system. This forces the adversary to compromise additional user information in order to gain access. Specific measures include the following:
    • Enable account login restrictions
    • Require users to phone in before logging in
  • Augment SecurID with the DoD Common Access Card (CAC): A DoD customer could augment its existing SecurID system with the DoD CAC card, which is widely used across the DoD.
  • Perform regular audits of remote login activity: Enclaves should regularly audit login activities in order to identify unauthorized activity. Specific steps include:
    • Verify remote logins with each user
    • Analyze logs for unusual IP addresses
    • Analyze logs for failed login attempts
    • Notify users of last logins
  • Implement robust PIN policies: Implement strong policies for PIN and password usage and selection. The following should be considered:
    • Enforce the selection of robust PINs and passwords
    • Have users select new PINs and passwords and increase the frequency at which this needs to be performed
    • Implement quicker user lock-out after failed login attempts
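As an added example (not code from the NSA advisory or from this post), here is a small Python script that applies three of the audit steps above to constructed remote-login log lines: flagging successful logins from IP addresses outside an expected range, flagging users with repeated failed attempts, and recording each user's last login for notification. The log format, the address range and the failure threshold are assumptions.

```python
"""Remote-login audit helper: an added example, not part of the NSA advisory
or the original post. It applies three of the audit steps above: flag logins
from IP addresses outside the expected range, flag users with repeated
failed attempts, and record each user's last login for notification."""
import ipaddress
from collections import defaultdict

# Constructed sample log lines in an assumed format: "timestamp user ip result".
SAMPLE_LOG = """\
2011-03-18T08:01:12 alice 10.1.2.15 SUCCESS
2011-03-18T08:03:40 bob 10.1.2.22 FAILURE
2011-03-18T08:03:52 bob 10.1.2.22 FAILURE
2011-03-18T08:04:05 bob 10.1.2.22 FAILURE
2011-03-18T08:04:30 bob 10.1.2.22 SUCCESS
2011-03-18T09:15:00 carol 203.0.113.77 SUCCESS
2011-03-18T10:22:10 alice 10.1.2.15 SUCCESS
"""

# Assumed address range remote users normally come from (placeholder value).
EXPECTED_NETS = [ipaddress.ip_network("10.1.2.0/24")]
FAILURE_THRESHOLD = 3  # failed attempts before a user is flagged (assumed)

def parse_log(text):
    """Parse 'timestamp user ip result' lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        events.append({"ts": ts, "user": user,
                       "ip": ipaddress.ip_address(ip), "result": result})
    return events

def audit(events, nets=EXPECTED_NETS, threshold=FAILURE_THRESHOLD):
    """Return (unusual_logins, flagged_users, last_logins) for the events."""
    unusual = []               # successful logins from outside expected ranges
    failures = defaultdict(int)
    last_login = {}            # per-user timestamp for "notify users of last logins"
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["user"]] += 1
            continue
        if not any(e["ip"] in net for net in nets):
            unusual.append((e["user"], str(e["ip"]), e["ts"]))
        last_login[e["user"]] = e["ts"]
    flagged = sorted(u for u, n in failures.items() if n >= threshold)
    return unusual, flagged, last_login
```

Running `audit(parse_log(SAMPLE_LOG))` on the constructed lines reports carol's login from 203.0.113.77 as unusual, flags bob after three failures, and gives each user's last successful login.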

Authentication Manager (AM) Hardening

Recommended measures for hardening the Authentication Manager include:

  • Change default passwords
  • Install a system integrity checker
  • Only install valid software
  • Do not co-locate the AM with other services
  • Restrict Internet access from the AM
  • Limit user access to the AM
  • Baseline the AM network communications
  • Establish firewall rules to restrict network access to the AM
  • Limit user access to only a specific IP address or range of IP addresses
  • Restrict remote access to the AM

Additional Resources

Read NSA’s entire Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion here.

Read NSA’s entire Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion here.

Visit RSA’s SecurID Customer Resource Center, which provides links to SecurID information related to the attack, and where customers can tune in for updates.

In response to the RSA breach, the DHS issued the Technical Information Paper TIP-11-075-01 System Integrity Best Practices. This TIP calls for users to:

  • Enable strong logging
  • Limit remote access
  • Apply additional defense-in-depth techniques
  • Validate software

Were you affected by the SecurID compromise? Do you have additional resources to share with us? Let us know in the comments.

Light Point Web 0.8 Complete
Posted by Beau Adkins. Categories: Computer Security, Light Point Security Update, Light Point Web.

We have just wrapped up development and deployment of Light Point Web 0.8. We released 0.7 just over a month ago, so this release isn’t much different. However, our 0.7 beta did not go so well, so 0.8 is mainly just fixing the problems we found with 0.7.

Light Point Web 0.7 Beta Results

How did the 0.7 beta go? Short answer: not too good. Long answer: it wasn’t that bad. There were 2 indirect problems we found immediately after beginning the beta. After we found them, we decided to cancel the beta to resolve them, and try again with 0.8.

Firefox 4.0

The first problem is that Firefox 4.0 was officially released just before we began the 0.7 beta. 0.7 only officially supported Firefox 3.6, and while Firefox 4.0 had been available as a beta for a very long time, I didn’t plan on putting in the time to port to it until 4.0 was officially released. By the time we started sending out 0.7 beta installers, some of our beta testers had already upgraded, and therefore could not use it.

Misconfigured Servers

The other problem is that I had a misconfiguration in our cloud servers which caused the backend Light Point Web services to run slowly. If a user connected there would not be much difference, but after that user disconnected it could take upwards of an hour to prepare for the next user, instead of the minute it should have taken. While this preparation was going on, no other users could connect.

What’s New in Light Point Web 0.8?

New User Site

We have built a bare-bones website to be used only by our users. A user can go there to create a new account, change their password, download installers, etc. In previous versions, we would email our beta testers a link to an installer to download, and also send them a username and password we created for them, which could not be changed. For security reasons, we did not want these services provided by our public-facing site.

Firefox 4.0 Support

We now officially support Firefox 4.0. This transition was actually very easy (like 4 lines of code easy). I attribute the ease of this transition to the work I had put in for 0.7 cleaning up our Firefox extension in anticipation of exactly this. It worked VERY well.

Updated Open Source Code to Newest Version

Light Point Web relies on a lot of open source code. Periodically we go through and update our build scripts and repositories to use the newest versions.

More Robustness

Numerous small changes that make Light Point Web more reliable, faster, and overall a more mature product.

What’s Next for Light Point Web?

We are getting REALLY close to having a product to sell. In fact, the only thing we are missing is having a system in place to take a payment. So that is our next goal.

In the meantime, if you would like to try out Light Point Web 0.8, head over to our contact-us page, and let us know!

How to Protect Yourself From the Epsilon Security Breach
Posted by Zuly Gonzalez. Categories: Security, Web Security.

As most of you know by now, Epsilon, one of the largest email marketing companies, was affected by a major security breach that resulted in the compromise of the email lists of some of its clients, including JPMorgan Chase, Capital One, TD Ameritrade, and Citi.

Epsilon released a statement announcing that approximately 2% of its client base was affected by the breach. This equates to about 50 of its approximately 2,500 clients being impacted. The names of the companies impacted by the breach are slowly being released by Epsilon (see a list below), and it is expected that the list will slowly grow over time.

The World Financial Network National Bank (WFNNB) is the latest to be affected by this security breach. WFNNB issues The Limited Credit Card, as well as many others. Here is the statement WFNNB released to its customers:

(Image: WFNNB Epsilon security breach email notification)

Protecting Your Personal Information

Only the names and email addresses of customers have been compromised in most cases. This means that the threat is relatively low for those of us who practice good security. However, there is still a threat. Here is what you may see if you are a customer of one of the affected brands, and what you can do to protect yourself.

Spam. The most common issue you’ll face is an increase in spam. Although spam is annoying, it is not a huge security threat as long as you don’t open the emails. Keep in mind that most email services have fairly good spam filters, so even though there may be an increase in the amount of spam sent to you, you may not even notice it if your spam filters are any good. This may be a good time to check your spam filter settings, and tighten them if you feel you’ve been getting too much spam lately.

Brute Force Password Attacks. There’s also the possibility that spammers could attempt to brute force passwords. Given a valid email address, spammers can run a script that will attempt to guess the password associated with that email address. Weak passwords are much more vulnerable to brute force attacks than strong passwords. Weak passwords are those that have few characters, contain dictionary words, contain names, contain no numbers or special characters, and are all lower case.

If you have a weak password, make sure you change it. This includes using your name, or a variation of it, as your password. Remember, in the case of the Epsilon security breach, the thieves also walked away with customer names, so that may be the first thing they try.

Targeted Phishing Attacks. The biggest threat will come from targeted phishing attacks, known as spear phishing. Phishing campaigns are commonplace for spammers, even when they don’t know whether a particular person is affiliated with the brand they are targeting. In this case they have the customer list for each brand, along with each customer’s name. This makes their job far easier. Because customers expect to see emails from these companies, the email open rates will be much higher. And if the spammers can make the emails look legitimate by, for example, using the customer’s name, they will have a much higher success rate.

You can protect yourself from phishing attacks by not clicking on links in emails claiming to be from legitimate companies, like your bank. You should be even more skeptical if the email claims that you need to type in, or verify, your login credentials, or other personal information. Banks, credit card companies, and just about any other respectable company will never ask you for personal information via email. Instead of clicking on links contained in the email, type in your bank’s website URL directly in your browser, or call them to confirm the email.

List of Affected Companies

This is the current list of companies that have been affected by the Epsilon breach. Look over the list, and be extra vigilant if you have given any of these companies your email address in the past. Please note that this is not an all-inclusive list, as new companies are slowly being announced by Epsilon.

Air Miles
Ameriprise Financial
Bebe Stores
Best Buy
Capital One
City Market
Dell Australia
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Fred Meyer
Hilton Honors Program
Home Shopping Network (HSN)
Jay C
JPMorgan Chase
King Soopers
LL Bean Visa Card
Marks & Spencer
Marriott Rewards
McKinsey & Company
New York & Company
Red Roof Inn
Ritz-Carlton Rewards
Robert Half
Smith Brands
TD Ameritrade
The College Board
US Bank
World Financial Network National Bank (WFNNB)

Are you receiving more spam than usual because of the Epsilon security breach? Have other companies been affected by the breach that are not listed above? Let us know in the comments.