<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; rsa</title>
	<atom:link href="http://www.novainfosecportal.com/tag/rsa/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Racing Away From RSA?</title>
		<link>http://www.novainfosecportal.com/2011/12/26/racing-away-from-rsa/</link>
		<comments>http://www.novainfosecportal.com/2011/12/26/racing-away-from-rsa/#comments</comments>
		<pubDate>Mon, 26 Dec 2011 17:00:35 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[rsa]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7412</guid>
		<description><![CDATA[Today&#8217;s post was contributed by Sarah Clarke with her thoughts on NIST&#8217;s recent update to SP 800-63, the Electronic Authentication Guideline. Another milestone has been reached in the race to get rid of now-suspect RSA token technology. On December 12, 2011, NIST published the Electronic Authentication Guideline, SP 800-63-1, which updates the guidance previously provided in SP 800-63. The updated document tells federal agencies how to implement the four levels of assurance defined in OMB M-04-04 as they apply to users authenticating to government systems over untrusted, public networks. NIST&#8217;s summary of the updates [PDF] includes: Recognition of more types of tokens, including pre-registered knowledge token, lookup secret token, out-of-band token, as well as some terminology changes for more conventional token types; Detailed requirements for assertion protocols and Kerberos; A new section on token and credential management; Simplification of guidelines for password entropy and throttling; Emphasis that the document is aimed at Federal IT systems; Recognition of different models, including a broader e-authentication mode; Clarification of differences between Levels 3 and 4 in Table 12; and New guidelines that permit leveraging existing credentials to issue derived credentials. The press release adds: Government agencies have the option of using the services of companies [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7429" title="Does the PIN being optional make these Level 2 or Level 3?" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/rsaalgorithm-300x290.jpg" alt="RSA Token Algorithm" width="210" height="203" /><em>Today&#8217;s post was contributed by Sarah Clarke with her thoughts on NIST&#8217;s recent update to SP 800-63, the Electronic Authentication Guideline.</em></p>
<p>Another milestone has been reached in the race to get rid of now-suspect RSA token technology. On December 12, 2011, NIST published the Electronic Authentication Guideline, SP 800-63-1, which updates the guidance previously provided in SP 800-63. The updated document tells federal agencies how to implement the four levels of assurance defined in OMB M-04-04 as they apply to users authenticating to government systems over untrusted, public networks.</p>
<p>NIST&#8217;s <a href="http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910006">summary of the updates</a> [PDF] includes:</p>
<ul>
<li>Recognition of more types of tokens, including pre-registered knowledge token, lookup secret token, out-of-band token, as well as some terminology changes for more conventional token types;</li>
<li>Detailed requirements for assertion protocols and Kerberos;</li>
<li>A new section on token and credential management;</li>
<li>Simplification of guidelines for password entropy and throttling;</li>
<li>Emphasis that the document is aimed at Federal IT systems;</li>
<li>Recognition of different models, including a broader e-authentication mode;</li>
<li>Clarification of differences between Levels 3 and 4 in Table 12; and</li>
<li>New guidelines that permit leveraging existing credentials to issue derived credentials.</li>
</ul>
<p>The <a href="http://www.nist.gov/itl/csd/sp80063-121311.cfm">press release</a> adds:</p>
<blockquote><p>Government agencies have the option of using the services of companies that have had their authentication systems certified through the Federal Chief Information Officer Council’s Trust Framework Provider Adoption Process (TFPAP). This program assesses credentialing processes against federal requirements, including those established in 800-63. To ensure consistency and avoid redundant analysis, NIST strongly encourages agencies to leverage the TFPAP process.</p></blockquote>
<p><strong>So, what&#8217;s it all mean?</strong></p>
<p>Remote access tokens are now going to be required for all government agencies starting at assurance Level 2, with the applicable token types being <em>&#8220;Memorized Secret Tokens, Pre-Registered Knowledge Tokens, Look-up Secret Tokens, Out of Band Tokens, and Single Factor One-Time Password Devices.&#8221;</em> The new term for traditional soft tokens is Multi-factor (MF) Software Cryptographic Tokens; they remain acceptable at Level 3, as in the prior version. Terminology for hard tokens is trickier, since they can be deployed as a Single Factor One-Time Password Device (no PIN). Those single-factor versions are thus no longer acceptable at Levels 3 and 4 but only at Level 2, a level which previously had no requirement for hard or soft tokens. I&#8217;m not sure what category a hard token with PIN would be deployed as &#8230; I&#8217;m leaning towards Level 3, but the wording is a little tricky.</p>
<p>Now that NIST has issued this guidance, government agencies (and the large commercial entities that follow NIST guidance) will have a path forward as they perhaps migrate away from their RSA technology. This refresh, both of tokens required currently for levels 3-4 and new purchases for the tokens now required at level 2, means large profits for TFPAP-credentialed providers in the near future. Who these TFPAP providers are was something I wasn&#8217;t able to determine. I&#8217;m not even sure if anyone has been credentialed yet or if the certified provider list has been released.</p>
<p>Both the press release and the summary of updates downplay the impact this updated guidance will have as it addresses the RSA problem shared by both government and private industry. This makes the updated guidance recommended reading for anyone responsible for their organizations&#8217; remote access.</p>
<p>I feel like this release is a direct reaction to the RSA hacks &#8230; the updates show movement away from the original RSA technique; there&#8217;s emphasis on diversifying models and technologies to prevent the same type of issue (where the seed database was compromised and every token was affected); and the guidance offers thoughts on what to do if a certified provider is compromised in future. The end result is that once this guidance is implemented, the impact of another compromise like RSA&#8217;s will be much less far-reaching and potentially less catastrophic.</p>
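<p>The seed-compromise point is easiest to see in code. The block below is an added example written for this page, not text or code from NIST SP 800-63-1, RSA or the original post: a verifier for the open HOTP/TOTP algorithms (RFC 4226 / RFC 6238) that holds a seed table and, in a separate store, a salted PIN hash. The serials, seeds, the user <code>alice</code>, her PIN and the salt are constructed sample data; the proprietary SecurID algorithm and the actual breached seed records are not reproduced. Whoever holds the seed table can mint a valid code for any serial, which is why a single-factor OTP device rates only Level 2; a PIN verified against a store the seed table knows nothing about is what keeps a seed leak from becoming a login.</p>

```python
"""Why a leaked OTP seed database defeats a single-factor token.

Added example for this page, built on the open HOTP/TOTP standards
(RFC 4226 / RFC 6238), not on NIST SP 800-63-1 text or RSA's SecurID
algorithm.  Serials, seeds, the user and the PIN are constructed data.
"""
import hashlib
import hmac
import struct
import time

STEP = 30              # TOTP time step in seconds
PBKDF2_ROUNDS = 100_000


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time."""
    return hotp(seed, unix_time // step, digits)


# Constructed seed table: the record a token vendor and the verifier both hold.
# Whoever copies it can compute every token's codes for the life of the token.
SEED_DB = {
    "SN-000001": b"12345678901234567890",    # RFC 6238 test-vector seed
    "SN-000002": bytes(range(0x30, 0x44)),   # arbitrary 20-byte seed
}

# Separate credential store keyed by user: a salted PBKDF2 hash of the PIN.
# The PIN never passes through the token and cannot be derived from the seed.
USER_DB = {
    "alice": {
        "serial": "SN-000001",
        "salt": b"constructed-salt",
        "pin_hash": hashlib.pbkdf2_hmac("sha256", b"4921", b"constructed-salt", PBKDF2_ROUNDS),
    },
}


def verify_single_factor(serial: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Single-factor OTP device (Level 2 in SP 800-63-1): the code alone wins.
    Accepts the current window plus `skew` windows either side for clock drift."""
    seed = SEED_DB[serial]
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-skew, skew + 1))


def verify_with_pin(user: str, pin: str, code: str, unix_time: int) -> bool:
    """OTP plus a PIN checked against a store the seed table knows nothing
    about: a stolen seed table still yields valid codes, but not a login."""
    rec = USER_DB[user]
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ROUNDS)
    pin_ok = hmac.compare_digest(candidate, rec["pin_hash"])
    return pin_ok and verify_single_factor(rec["serial"], code, unix_time)


def attacker_with_seed_db(serial: str, unix_time: int) -> str:
    """What the holder of a leaked seed file can do: mint the live code."""
    return totp(SEED_DB[serial], unix_time)


if __name__ == "__main__":
    now = int(time.time())
    forged = attacker_with_seed_db("SN-000001", now)
    print("seed-only attacker vs single-factor token:", verify_single_factor("SN-000001", forged, now))
    print("seed-only attacker vs token + unknown PIN:", verify_with_pin("alice", "0000", forged, now))
```

<p>Run stand-alone it prints <code>True</code> and then <code>False</code>: the same forged code that passes the single-factor check fails once the PIN is checked against a store the seed table does not contain. The one-step skew either side is the usual verifier concession to clock drift; widening it widens the replay window by the same amount.</p>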
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>These are just my thoughts after one evening&#8217;s writing&#8230; I&#8217;d love to hear more opinions on the subject, including determining what level an RSA token with PIN maps to, mapping old token types to new token types, and how this will affect your remote access strategies. There&#8217;s a lot more to cover &#8230; please comment and continue the conversation! Today&#8217;s featured image is from the <a href="http://information-technology-forum.blogspot.com/2011/03/security-breach-anouncement-rsa.html">Information Technology Forum</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/26/racing-away-from-rsa/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>RSA 2010 Coverage</title>
		<link>http://www.novainfosecportal.com/2010/03/04/rsa-2010-coverage/</link>
		<comments>http://www.novainfosecportal.com/2010/03/04/rsa-2010-coverage/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 16:00:39 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[novablogger]]></category>
		<category><![CDATA[rsa]]></category>
		<category><![CDATA[syndication]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=3473</guid>
		<description><![CDATA[With all the big news being RSA, it seemed fitting to make this week&#8217;s &#8220;syndicated&#8221; post actually two &#8220;syndicated&#8221; posts from a local blogger at RSA. Over at The Falcon&#8217;s View, Ben Tomhave discusses RSA&#8217;s &#8220;Innovation Sandbox&#8221; and summarizes day 1. As part of our effort to let the Metro DC area know about the awesome infosec bloggers we have, our &#8220;syndicated&#8221; posts emphasize other local bloggers that discuss news, events, and resources relevant to infosec professionals in NoVA, DC, and MD. In each post we introduce the topic, syndicate the introduction and part of the content, and then link off to the source blog post for the rest of the content and conclusions. Well, onto today&#8217;s posts&#8230; /// RSA 2010 &#8211; Innovation Sandbox: Not Really Innovative &#8220;Where has all the innovation gone? I was very much looking forward to talking to the startup vendors selected as finalists for this year&#8217;s Innovation Sandbox at RSA. After last year, I suppose I should have set my expectations a little lower, although realistically it would have been impossible to set them low enough to avoid some level of disappointment. Because, quite honestly, I was quite disappointed. Of the 9 [...]]]></description>
			<content:encoded><![CDATA[<p>With all the big news being RSA, it seemed fitting to make this week&#8217;s &#8220;syndicated&#8221; post actually two &#8220;syndicated&#8221; posts from a local blogger at RSA. Over at <a href="/resources/infosec-blogs-podcasts/#falcon">The Falcon&#8217;s View</a>, Ben Tomhave discusses RSA&#8217;s &#8220;Innovation Sandbox&#8221; and summarizes day 1.</p>
<p>As part of our effort to let the Metro DC area know about the awesome infosec bloggers we have, our &#8220;syndicated&#8221; posts emphasize other local bloggers that discuss news, events, and resources relevant to infosec professionals in NoVA, DC, and MD. In each post we introduce the topic, syndicate the introduction and part of the content, and then link off to the source blog post for the rest of the content and conclusions.</p>
<p>Well, onto today&#8217;s posts&#8230;</p>
<p align="center">///</p>
<p><strong>RSA 2010 &#8211; Innovation Sandbox: Not Really Innovative</strong></p>
<p><em>&#8220;Where has all the innovation gone? I was very much looking forward to talking to the startup vendors selected as finalists for this year&#8217;s <a href="https://365.rsaconference.com/community/connect/innovation-sandbox">Innovation Sandbox</a> at RSA. After last year, I suppose I should have set my expectations a little lower, although realistically it would have been impossible to set them low enough to avoid some level of disappointment. Because, quite honestly, I was quite disappointed.</em></p>
<p><em>Of the 9 finalists, 6 had &#8220;cloud&#8221; point solutions, largely targeted to the hypervisor, with one that did some funky inline crypto stuff that made me wonder. 2 finalists had &#8220;new&#8221; authentication approaches, which were sort of interesting, but they didn&#8217;t solve the larger problems with authentication. The 9th finalist was also potentially interesting in that they provided a nice visualization dashboard for risk management, but the biggest downside was that all data had to be independently entered. There was no integration with any GRC products, and so while it looked pretty, it wasn&#8217;t overly sensible. So, yes, I was a wee bit disappointed.&#8221;</em></p>
<p><strong>RSA 2010 &#8211; Day 1 Round-up</strong></p>
<p><em>&#8220;It&#8217;s already Wednesday morning, which means the first full day of RSA 2010 is in the can and quickly receding into the past. Overall, things are fairly standard quo again this year. Sessions galore, vendor keynotes, and a busy expo floor. This last point is perhaps the biggest difference from 2009 in that the expo floor is, in fact, quite busy. My impression is that a lot of realistic networking and lead generation is happening this year.</em></p>
<p><em>Before I hit themes, one tidbit of interest. I spoke with a couple guys from Boston who specialized in financial fraud. One of the fellows had calculated the cost of doing a wholesale revamp of the card infrastructure to be about US$12B. That is far more than the card brands are eating in fraud costs today. Moreover, today the merchants bear most of the fraud burden, whereas the cost of a complete infrastructure overhaul would be primarily borne by the card brands (although these costs would obviously be passed along to the banks, merchants, acquirers, processors, customers, etc.).</em></p>
<p><em>There seem to be a couple subtle themes this year. Cloud computing is of course very prevalent, but it&#8217;s far less &#8220;in your face&#8221; than last year. A lot more vendors seem to be realizing that &#8220;cloud&#8221; is a tool, not a destination or silver bullet. This observation seems to suggest that a reasonable degree of sanity may be returning to PR and marketing, if only for a short time.&#8221;</em></p>
<p align="center">///</p>
<p>See the rest of these posts and their exciting conclusions over at <a href="http://www.secureconsulting.net/2010/03/rsa_2010_innovation_sandbox_no.html">RSA 2010 &#8211; Innovation Sandbox: Not Really Innovative</a> and <a href="http://www.secureconsulting.net/2010/03/rsa_2010_day_1_roundup.html">RSA 2010 &#8211; Day 1 Round-up</a>. If you are based in NoVA, DC, and MD and would like to have posts from your blog considered, please <a href="/contact-us/">Contact Us</a> or mention @<a href="http://twitter.com/grecs">grecs</a> with the request on Twitter.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2010/03/04/rsa-2010-coverage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/05/05/top-3-nova-infosec-blog-posts-of-the-week-7/</link>
		<comments>http://www.novainfosecportal.com/2009/05/05/top-3-nova-infosec-blog-posts-of-the-week-7/#comments</comments>
		<pubDate>Tue, 05 May 2009 19:09:11 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[carnal0wnage]]></category>
		<category><![CDATA[chained-exploits]]></category>
		<category><![CDATA[chained-exploits-advanced-hacking-attacks-from-start-to]]></category>
		<category><![CDATA[cybersecurity-act-2009]]></category>
		<category><![CDATA[interviewing]]></category>
		<category><![CDATA[marcus-j-carey]]></category>
		<category><![CDATA[rsa]]></category>
		<category><![CDATA[taosecurity]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1459</guid>
		<description><![CDATA[If you haven&#8217;t had the opportunity to check out some of NoVA&#8217;s local security bloggers, here&#8217;s your chance. We&#8217;ve found the cream of the crop, making it easier for you to identify bloggers you like and information you need. This week, we&#8217;ve picked posts that cover everything from books to careers. There&#8217;s also some congratulations in order for one of NoVA&#8217;s very own bloggers that won &#8220;Best Non-Technical Security Blog&#8221; at RSA. Can you guess who it is? If not, we&#8217;ll reveal the answer at the end of this post. #3 &#8211; Hack This Book: Discussing the book Chained Exploits: Advanced Hacking Attacks from Start to Finish by Andrew Whitaker, Keatron Evans, and Jack B. Voth, @carnal0wnage provided an interesting review that talked about how valuable Chained Exploits is for people in the industry. According to @carnal0wnage, one of the pros of Chained Exploits is that &#8220;I couldn&#8217;t think of another book that approaches the problem from the &#8216;chained exploit&#8217; perspective meaning one exploit doesn&#8217;t give you the keys to the kingdom or your final end state.&#8221; But it seems that the pros of  Chained Exploits were outweighed by the cons, with @carnal0wnage saying that &#8220;the &#8216;chained exploit&#8217; approach is [...]]]></description>
			<content:encoded><![CDATA[<p>If you haven&#8217;t had the opportunity to check out some of NoVA&#8217;s local security bloggers, here&#8217;s your chance. We&#8217;ve found the cream of the crop, making it easier for you to identify bloggers you like and information you need.</p>
<p>This week, we&#8217;ve picked posts that cover everything from books to careers. There&#8217;s also some congratulations in order for one of NoVA&#8217;s very own bloggers that won &#8220;Best Non-Technical Security Blog&#8221; at RSA. Can you guess who it is? If not, we&#8217;ll reveal the answer at the end of this post.</p>
<p><strong>#3 &#8211; Hack This Book</strong>: Discussing the book <em>Chained Exploits: Advanced Hacking Attacks from Start to Finish</em> by Andrew Whitaker, Keatron Evans, and Jack B. Voth, <a href="http://www.twitter.com/carnal0wnage">@carnal0wnage</a> provided an interesting review of how valuable <em>Chained Exploits</em> is for people in the industry. According to @carnal0wnage, one of the pros of <em>Chained Exploits</em> is that &#8220;I couldn&#8217;t think of another book that approaches the problem from the &#8216;chained exploit&#8217; perspective, meaning one exploit doesn&#8217;t give you the keys to the kingdom or your final end state.&#8221; But it seems that the pros of <em>Chained Exploits</em> were outweighed by the cons, with @carnal0wnage saying that &#8220;the &#8216;chained exploit&#8217; approach is valuable from a teaching point of view, but anybody that pentests for a living has been doing this for a while now; it&#8217;s just part of &#8216;the process.&#8217;&#8221; @carnal0wnage also noted that while the idea of &#8216;chained exploits&#8217; might be new to print, it&#8217;s nothing new to the security community. You can read the full review <a href="http://carnal0wnage.blogspot.com/2009/05/chained-exploits-advanced-hacking.html">here</a>. <span id="more-1459"></span></p>
<p><strong>#2 &#8211; Toot Those Horns</strong>: Using a great analogy to get his point across, Marcus (<a href="http://www.twitter.com/marcusjcarey">@marcusjcarey</a>) stresses the importance of &#8216;tooting your own horn&#8217; in the infosec community. In his &#8220;<a href="http://blog.marcusjcarey.com/2009/04/toot-your-own-horn.html">Toot Your Own Horn</a>&#8221; post, Marcus says that the majority of us blog or tweet about things said by the &#8216;big wigs,&#8217; the people we perceive to be important in the security community, when really we should be giving our own thoughts and opinions. In essence, &#8216;tooting&#8217; our own horns. Part of &#8216;tooting your own horn&#8217; also applies to interviewing, which Marcus covered in his &#8220;<a href="http://www.novainfosecportal.com/wp-admin/post-new.php">Own Your Technical Interview</a>&#8221; post. Don&#8217;t be afraid to show what you know, but as Marcus pointed out, don&#8217;t lie, and don&#8217;t be afraid to say &#8216;I don&#8217;t know.&#8217;</p>
<p><strong>#1 &#8211; S.773</strong>: Finishing up his posts about the Cybersecurity Act of 2009, <a href="http://www.twitter.com/rybolov">@rybolov</a> wrote parts three and four of his &#8220;Blow-By-Blow on S.773&#8221; series. While @rybolov encourages readers to read the actual bill, he does a great job of breaking it down so that even the least politically savvy of us can understand what it&#8217;s all about. He also gives his own thoughts on each section of the bill, which we found immensely enlightening. It&#8217;s definitely something all of us should be aware of, so please take the time to read <a href="http://www.guerilla-ciso.com/archives/932">part 3</a> and <a href="http://www.guerilla-ciso.com/archives/956">part 4</a> if you haven&#8217;t already.</p>
<p>So, were you able to guess who the winner of the &#8220;Best Non-Technical Security Blog&#8221; at RSA was? Frequently featured in our &#8220;Top 3 Blog Posts of the Week&#8221; section, it&#8217;s Richard Bejtlich of <a href="http://taosecurity.blogspot.com/">TaoSecurity</a>. If you haven&#8217;t already, please take the time to congratulate him!</p>
<p>Well, that&#8217;s all for now. Feel free to comment below or send us a tweet <a href="http://www.twitter.com/grecs">@grecs</a> if you feel like we left out a post that should have been included this week.</p>
<p style="text-align: center;">###</p>
<p style="text-align: center;"><em>Speaking of bloggers&#8230; we’re currently looking for some great guest bloggers to feature on NovaInfosecPortal. If you’re interested, <a href="../contact-us/"><span style="color: #b85b5a;">drop us a line</span></a>, or send us a tweet <a href="http://twitter.com/grecs"><span style="color: #b85b5a;">@grecs</span></a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/05/top-3-nova-infosec-blog-posts-of-the-week-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Vulnerabilities in Adobe Reader Due to Scripting</title>
		<link>http://www.novainfosecportal.com/2009/05/01/recent-vulnerabilities-in-adobe-reader-due-to-scripting/</link>
		<comments>http://www.novainfosecportal.com/2009/05/01/recent-vulnerabilities-in-adobe-reader-due-to-scripting/#comments</comments>
		<pubDate>Fri, 01 May 2009 13:45:53 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[adobe-reader]]></category>
		<category><![CDATA[cnet]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[getAnnots()]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[rsa]]></category>
		<category><![CDATA[scripting]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1453</guid>
		<description><![CDATA[Somewhere, the creators of Adobe Reader are weeping. And if they’re not, it won’t be long until they do; with all of the recent vulnerabilities swirling around Adobe Reader, things are going from bad to worse. But just how bad is bad? According to CNET, at the RSA security conference earlier this month, F-Secure Chief Research Officer Mikko Hypponen said that users should go so far as to switch their .PDF readers altogether due to the security issues with Adobe Reader. (You can check out a list of alternate .PDF readers here.) While swearing off Adobe Reader altogether might seem a bit extreme, it’s gotten to the point where avoiding it might be the best thing to do. Since the beginning of this year, more than 47 percent of attacks have exploited holes in Acrobat Reader, and six vulnerabilities have targeted Adobe Reader specifically (CNET). The question that many people are asking is, “how did it get this bad?” We’re going to risk beating a dead horse when answering this question, since a lot of the problems with Adobe Reader can be traced back to an issue that we’ve talked about frequently during the past few months: Disabling scripting by default. [...]]]></description>
			<content:encoded><![CDATA[<p>Somewhere, the creators of Adobe Reader are weeping.</p>
<p>And if they’re not, it won’t be long until they do; with all of the recent vulnerabilities swirling around Adobe Reader, things are going from bad to worse.</p>
<p>But just how bad is bad?</p>
<p>According to <a href="http://news.cnet.com/8301-1009_3-10229070-83.html">CNET</a>, at the RSA security conference earlier this month, F-Secure Chief Research Officer Mikko Hypponen said that users should go so far as to switch their .PDF readers altogether due to the security issues with Adobe Reader. (You can check out a list of alternate .PDF readers <a href="http://pdfreaders.org/">here</a>.)</p>
<p>While swearing off Adobe Reader altogether might seem a bit extreme, it’s gotten to the point <span id="more-1453"></span>where avoiding it might be the best thing to do. Since the beginning of this year, more than 47 percent of attacks have exploited holes in Acrobat Reader, and six vulnerabilities have targeted Adobe Reader specifically (<a href="http://news.cnet.com/8301-1009_3-10229070-83.html">CNET</a>).</p>
<p>The question that many people are asking is, “how did it get this bad?” We’re going to risk beating a dead horse when answering this question, since a lot of the problems with Adobe Reader can be traced back to an issue that we’ve talked about frequently during the past few months: <a href="http://www.novainfosecportal.com/2009/04/15/why-intranets-aren%E2%80%99t-as-safe-as-everyone-thinks-they-are/">Disabling scripting by default</a>. We’re constantly advocating the disabling of scripting by default, and the recent vulnerabilities found in Adobe Reader offer yet another reason why it’s a good idea to go no-script.</p>
<p>According to the <a href="http://www.us-cert.gov/current/index.html#adobe_reader_javascript_function_vulnerability">recent advisory by US-CERT</a>, the flaw is in Adobe Reader’s “getAnnots()” JavaScript function: a crafted PDF that calls it can let a remote attacker execute arbitrary code on the workstation of anyone who opens the file.</p>
<p>While the obvious answer to the “getAnnots()&#8221; problem is to disable scripting, we can accept (albeit reluctantly) that having scripting disabled by default might never happen. That’s why an alternative solution would be a white list of sites or documents allowed to run scripts. Creating a white list is not only more effective, but also less time-consuming than maintaining a black list. Providing users with the ability to augment the white lists in their profile would afford them the flexibility to view non-mainstream sites like NovaInfosecPortal.</p>
<p>But this is one of those topics where we really want to put a call out to all of you about what can be done to help fix the current problems associated with scripting, and how some of these problems can be avoided in the future. What are you currently working on (whether at work or at home) to make sure that you, your family, and your workplace aren’t taken advantage of due to scripting? Leave a comment or send us a tweet <a href="http://www.twitter.com/grecs">@grecs</a>.</p>
<p style="TEXT-ALIGN: center">###</p>
<p style="TEXT-ALIGN: center"><em>If you’re looking for some additional ways to keep your company—and yourself—a little safer, we’ve put together a handy <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">list of books</span></a> that might do the trick.</em> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/01/recent-vulnerabilities-in-adobe-reader-due-to-scripting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA 2008 Infosec Conference Event &#8211; Summary</title>
		<link>http://www.novainfosecportal.com/2008/04/21/rsa-2008-infosec-conference-event-summary/</link>
		<comments>http://www.novainfosecportal.com/2008/04/21/rsa-2008-infosec-conference-event-summary/#comments</comments>
		<pubDate>Tue, 22 Apr 2008 03:05:52 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Conferences]]></category>
		<category><![CDATA[budget]]></category>
		<category><![CDATA[chertoff]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[dhs]]></category>
		<category><![CDATA[dlp]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[gore]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mundie]]></category>
		<category><![CDATA[pci]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[rsa]]></category>
		<category><![CDATA[stirling]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/2008/04/21/rsa-2008-infosec-conference-event-summary/</guid>
		<description><![CDATA[The RSA Conference infosec event just occurred. We weren&#8217;t able to go but did spend some time scouring the web for some interesting take-aways. Some of the key points included tidbits from the speakers, vendors, and attendees. Event Talks On the speaker front, Department of Homeland Security Secretary Michael Chertoff gave the keynote address in which he stressed a major focus on enhancing cybersecurity for the upcoming year. Microsoft&#8217;s Craig Mundie had a &#8220;fireside chat&#8221; with an interviewer about end-to-end trust and announced a public beta of their Forefront &#8220;Stirling&#8221; product line. Even Al Gore got into the act &#8230; this time discussing further research that global warming is real and the role of technologies in addressing the climate crisis. Although, Gore did not allow press because of other contract obligations. This decision perplexed many attendees since Gore didn&#8217;t seem to present anything new. Overall, many referred to the keynotes and other major talks as non-event marketing presentations compared to other more technical talks. Vendors In previous years the conference always seemed to have a theme as to the types of vendors that attended &#8230; This year that did not happen. If anything, vendors did seem focused somewhat on Data [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.novainfosecportal.com/category/events/infosec-conferences/#rsa">RSA Conference</a> infosec event just occurred. We weren&#8217;t able to go but did spend some time scouring the web for some interesting take-aways. Some of the key points included tidbits from the speakers, vendors, and attendees.<span id="more-52"></span></p>
<h2>Event Talks</h2>
<p>On the speaker front, Department of Homeland Security Secretary Michael Chertoff gave the keynote address, in which he stressed a major focus on enhancing cybersecurity for the upcoming year. Microsoft&#8217;s Craig Mundie had a &#8220;fireside chat&#8221; with an interviewer about end-to-end trust and announced a public beta of their Forefront &#8220;Stirling&#8221; product line. Even Al Gore got into the act &#8230; this time discussing further research that global warming is real and the role of technologies in addressing the climate crisis. Gore, however, did not allow press because of other contract obligations. This decision perplexed many attendees since Gore didn&#8217;t seem to present anything new. Overall, many referred to the keynotes and other major talks as non-event marketing presentations compared to the more technical talks.</p>
<h2>Vendors</h2>
<p>In previous years the conference always seemed to have a theme as to the types of vendors that attended &#8230; This year that did not happen. If anything, vendors did seem somewhat focused on Data Loss Protection (DLP). Specifically, encryption vendors are growing because of recent high-profile data breaches, PCI mania, and laptop-theft paranoia. The products aren&#8217;t offering anything new; they are mostly simplifying the user interface and day-to-day use. Additionally, the security market seems to be tipping from small point solutions from small companies toward large integrated solutions from large corporations.</p>
<h2>Attendees</h2>
<p>Once you get past all the speakers and vendors, you are left with attendee discussions. Everyone seemed to be thoroughly confused by the myriad of regulations that must be adhered to, as well as how to properly address PCI. Additionally, there was a lot of talk about tightening security budgets due to the current economic slump.</p>
<p>Overall, if you can handle the crowds of around 17,000 people, RSA should definitely be on your short list for next year. For those who couldn&#8217;t attend but are interested in any of the talks, the conference organizers have posted the audio of all sessions on <a href="http://www.rsaconference.com/">their web site</a>. For more information on the RSA Conference, see its <a href="http://www.novainfosecportal.com/category/events/infosec-conferences/#rsa">description</a> in our <a href="http://www.novainfosecportal.com/category/events/infosec-conferences/">Infosec Conferences</a> section.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2008/04/21/rsa-2008-infosec-conference-event-summary/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

