Tag Archives: security

RSA SecurID Authentication Manager Unexpected Error searching Active Directory Identity Source

For some reason I can’t get Mr. Mackey out of my head on this one – “Quotes are bad…mmmmkay.”  I recently inherited a project to get SecurID working and, it seemed pretty straight forward.  I had setup SecurID at previous companies so I   was sure it was something obvious.

After reviewing the config, and reviewing the documentation from RSA – which is good, it doesn’t read as a “Step-by-step to setting up AD” but it works.  I opened a support ticket with RSA (non-urgent) and they got back to me within just a couple hours.  The documentation provided by RSA for both the Authentication Manager installation and configuration and the firewall configuration were both spot on.

The problem was, when the identity source was originally setup in the RSA Operations Console, “quotes” were used around the user and user group base DN fields.  What was odd, if I entered an OU that didn’t exist I would get an error, so it was seemingly reading the fields with the quotes but when I went to search for users in the Security Console I would get an ‘unexpected’ error.  Removing the quotes around the user and user group base DN fields fixed this problem.


Setting up Alienvault / OSSIM and Snare to collect Windows Event Logs

Recently, I implemented a Security Information and Event Management (SIEM) tool called Alienvault / OSSIM  to monitor servers/event logs to ensure compliance with several customer security agreements.  I chose Alienvault because it combined several open source tools, providing a single pane of glass view into what would otherwise be several different tools (oh and I had no budget to do this with).  During the implementation I hit a snag when configuring Alienvalt to monitor Windows Server event logs.  After combing through the forums I found a combination of problems that needed to be fixed – hopefully this will help out others (while giving credit to all the posts we used to find the solution to our problem).

First, follow the documentation for setting up Alienvault and Snare (here).  When you get to the ‘That’s all’ line, that is where the fun begins (c’mon did you expect it to be THAT easy…it is Linux).  First off, I found that the Registry file you were told import did not import properly, I had to change the following key in the Windows Registry: HKLM\SOFTWARE\InterSect Alliance\AuditService\Network\DestPort – change this key to 514.  It was set to 6161.  Now I could see events appearing in the SYSLOG on our OSSIM server (you can do this by SSHing to your OSSIM server and running a tail -f ./var/log/syslog).

The second problem was the SNARE plugin was set to read and normalize the information from a log file that did not exist.  To correct, again SSH to your OSSIM server and edit the snare.cfg file by typing vi ./etc/ossim/agent/plugins/snare.cfg (quick vi reference sheet).  Comment out the source log line that reads location=/var/log/snare.log by placing a # in front of it, and entering a new line which reads location=/var/log/syslog and restart the OSSIM agent by running ./etc/init.d/ossim-agent restart.

Now all seemed swell, BUT (again c’mon its linux there is always a but) when we tried to add custom events to the SNARE configuration they would not appear even though I could see them hit the SYSLOG.  I tested the config file against the rules thanks to this post.  The first step was to create a test log file which I did by running grep -i 011104 ./var/log/syslog >> ./var/log/logtest.log.  Replace 011104 with the category ID from SNARE that matches your specific event.  Now I ran ./usr/share/ossim/scripts/regexp.py ./var/log/logtest.log /etc/ossim/agent/plugins/snare.cfg V to make sure it was matching the rules in the SNARE config file (snare.cfg) – which it was.  I found this updated config file thanks to ithowto.ro and replaced all of the events (just the last section of the file) in our SNARE config (for my Windows friends use FileZilla to SSH to your OSSIM server and navigate to the snare.cfg file, backup and replace it) and restarted the ossim agent again, but now we were not matching any of the rules.  After comparing the original snare.cfg with the one from the previous website, we pulled out the [Snare -zzz- Generic Rule] which we were matching to previously, dropped it at the top of the new list and renamed it it to [Snare-whywontyouwork] (I was a little grumpy after fighting this for 2 days), replaced the config file again and restarted the agent again and – like magic, our events were now appearing in the OSSIM web interface.  Why….1 word – linux.

A few other shout outs to folks in these posts:  http://labs.alienvault.com/labs/index.php/2007/tutorial-5-windows-event-logging/https://www.alienvault.com/forum/index.php?t=msg&goto=7781&S=0040ef7607b76619b65b9362027f16achttp://forums.fedoraforum.org/archive/index.php/t-241555.htmlhttps://www.alienvault.com/forum/index.php?t=msg&goto=11110&S=aeff4b798095bfa89d45711ff32a743fhttp://stujordan.wordpress.com/2012/02/15/snare-plugin-not-working-on-alienvault-ossim-3-1/

Password security is more than just forcing a really complex password

Everyone seems to be all concerned about passwords lately, you know those things most people hate and us geeks have come up with a system so we don’t forget ours (I can go back about 6 years).  More and more companies are enforcing stricter password policies to “protect their data” but in reality, most users don’t have access to very sensitive data or even systems that could cause problems for other users on the network.  Now I am not suggesting passwords aren’t needed, but auditors and other people responsible for setting password policies need to take into account everything that makes up “password security” – not just password length and complexity.

Most password policies have several layers:

  1. Password Length
  2. Password Complexity
  3. Account Lockout Threshold
  4. Account Lockout Duration
  5. Security Log Monitoring

Lets review and see how forcing long, complex passwords may not always be the best answer.  First, if we have learned nothing else from XKCD its that longer passwords are better than single words with special characters and numbers, so IT and security practitioners enforcing longer passwords are on the path to being correct, however we should look at pass-phrases, not passwords.  Also consider that PCI compliance only requires a password to be 7 characters long.  Now a 7 letter password is quite easy to crack, if you have no other security measures in place you could expect a password like ‘academy’ to be compromised within 2 seconds (according to http://howsecureismypassword.net/), an 8 letter word could be compromised in 52 seconds, a 12 letter password – ‘disinfectant’ would take 276 days!   Now if we go with a pass phrase ‘i like frosted flakes’ it would take 413 QUADRILLION YEARS!

Password complexity, while a good habit, does not offer the affect people expect, especially when combined with very long password length policies.  Again, lets think about the XKCD example – whats a better password, one a person can remember or one that a person has to write down on a post it note attached to their laptop?  For my money, a “secure” password is one that exists it only one place – someones memory and a “weak” password is really only at risk once it has been targeted and compromised.  Its much easier to compromise a password when it is written down in front of you.  Lets consider the previous example passwords and do a common letter/special character replacement.  ‘@cad3my’ would take 3 minutes to be cracked, quite a bit longer than 2 seconds but not very long at all if there are not other security measures in place.  ‘D1sinfe(t@nt’ would take 344 Thousand years to crack – not to shabby at all, probably won’t be around to worry about that so you are all set right?  Well thinking about the ability for someone to remember their passwords versus writing it down and having it instantly compromised, what do you think someone is more likely to remember – ‘i like frosted flakes’ or ‘D1sinfe(t@nt’?  I like me some frosted flakes to.

Now, lets for a second pretend I am wrong and that a “weak” password is a hackers dream and there are hackers constantly on your network trying to crack passwords and logging into the receptionists email with derail the efforts of the entire company (not saying receptionist don’t work hard or not valuable, but they probably don’t have access to social security numbers or confidential company information).  Your Account Lockout Threshold should account for this.  Lets say Sam uses a very basic password and the hackers are secretly on your network because you have no other network or security monitoring in place and don’t review your event logs, generally after 3 failed log in attempts your account is locked – problem solved now Sam or the hacker can’t log in.  If you set this to a reasonably low number, I normally use 3, the hacker has 3 shots before the account is locked so even if they guessed/cracked the password on the 4th try, it will look like it is failed because the account is now locked.  Also, someone in IT has now been notified, and if it continues to happen hopefully a light bulb will go off in said IT persons head that something is fishy.

It’s fun pretending to be wrong, so lets continue and Discuss Account Lockout Duration.  What’s that – you have your network accounts set to re-enable after 15 minutes because you hate talking to people?  Well yea then you have a problem, but if you have good security practices in place your accounts will stay locked until someone unlocks the account, or even in a semi-lazy environment maybe it resets after 30 minutes or 1 hour.  Good news is a constant, brute force type attack will only get off 72 password attempts per day (3 attempts before its locked, locked for an hour, 3 more attempts before locking again – 3 x 24 = 72 passwords).

Last but not least, hopefully someone, somewhere in your IT group at least glances at event logs or has something like Splunk or Snare setup to capture and alert on certain events.  Even if you don’t, someone would have to notice the uptick in help desk requests coming in and start to wonder what is happening and look into stopping the password cracking attempts.  Now some of you are saying, what about password expiration – forcing people to change passwords they finally remembered every 30, 60 or 90 days?   As I have said a couple of times previously, a password is only insecure when it actually has become compromised, so forcing password changes every 30 days is simply overkill – you can’t crack my ‘i love frosted flakes’ password in … well a long time so what are we solving by forcing people to replace them?

Password security is about much more than just length + complexity.  We have seen that a long, easy to remember password is just as secure from cracking as a single word with random characters replacing letters.  A good password is one someone can remember and not instantly compromised by being written down on a laptop or monitor.  We don’t need special characters and case to make a secure password – just remember what cereal you are eating that week is more secure than than random character replacement.

VMware View Mobile Secure Desktop Bootcamp Day 6

Sorry for the lack of notes, have setup enough radius servers that it all made sense.  Still a good view though, nice to see PhoneFactor still around!!


VMware View Mobile Secure Desktop Bootcamp – Day 6

Setting Up Radius 2-Factor Authentication Best Practices

– Intro to radius Auth
– Setup radius
– Config View for radius
– HA for radius
– Troubleshooting

Radius used for AAA, RFC 2865 2866
View 5.1 and newer for 2 factor auth
View user supplies credentials, view connection server talks to Radius

Setup radius
Config view for radius via view admin
– If RSA SecurID, use that instead of radius

If multiple, setup on each connection server – select/existing created for first server


VMware View Mobile Secure Desktop Day 5

Day 5 – VMware View Mobile Secure Desktop

TrendMicro – Agentless AV

Zero footprint, agentless via VMware API

VMware vSheild end point on ESX
Trend Micro Deep Security installed, integrated with vCenter, drivers installed, Virtual appliance deployed

Profile based
– Settings/features

Mobile Secure Desktop Profiles:
– Knowledge Worker
– Power User
– KW – Traveling
Diff VMs in diff folders

Continue reading VMware View Mobile Secure Desktop Day 5