Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: 2-factor auth poll-results; Sticky firewall question; Handling Incidents Involving Dynamic DNS; Sybase Buffer Overflow Vulnerability Details to Be Announced; Mac OS X Issues Released; Belated Happy N - Internet Security | DShield SANS ISC InfoSec Forums



2-factor auth poll-results


As of this morning, roughly 60% of the 1260 respondents either don't use two-factor authentication or don't know what it is (see the current results). It is common practice for European banks to use two-factor authentication; it is only recently being tested in American financial institutions. I'm referring to their clients; internally, two-factor is fairly common. If you're looking for a solution to the phishing problem, two-factor authentication is an effective countermeasure, though not foolproof: if a phishing site immediately uses your captured credentials, there is a window of exposure that can be exploited. It certainly raises the bar a bit.

The most common versions of two-factor authentication are one-time-password lists, RSA tokens and smart cards. I've even seen clever little cards with images on them where the user is given a challenge image, applies their "algorithm" to it (e.g. two images up, three to the right) and returns the counter-image. Two-factor doesn't have to be expensive. Soft tokens and the image cards are cheap and easy to distribute. I think users would accept the "inconvenience" of two-factor authentication to protect their bank accounts. I carry a cluster of RSA tokens around my neck, and sometimes it feels like I'm launching a Polaris missile when I'm VPNing in, so there's some improvement to be had there.
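As an added illustration (not code from the diary or from any bank), here is a minimal one-time-password-list checker in Python that models the caveat above: a code is consumed the first time it is accepted, so a captured code only helps whoever submits it first, and the legitimate customer's later rejection is the signal a defender can alert on. Account name, codes and source labels are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class OtpListAccount:
    """One account holding a printed list of single-use codes (a TAN list)."""
    user: str
    unused: set = field(default_factory=set)
    events: list = field(default_factory=list)  # (source, otp, outcome)

    def verify(self, password_ok: bool, otp: str, source: str) -> bool:
        """Both factors must pass; a code is consumed the first time it is accepted."""
        if not password_ok:
            outcome = "bad-password"
        elif otp in self.unused:
            self.unused.remove(otp)  # single use: a later replay of this code fails
            outcome = "accepted"
        else:
            outcome = "otp-rejected"
        self.events.append((source, otp, outcome))
        return outcome == "accepted"


def replayed_codes(events):
    """Defender check: a code rejected for one source after being accepted from a
    different source means someone else spent the customer's one-time password."""
    accepted_by = {}
    flagged = []
    for source, otp, outcome in events:
        if outcome == "accepted":
            accepted_by.setdefault(otp, source)
        elif outcome == "otp-rejected" and accepted_by.get(otp, source) != source:
            flagged.append((otp, accepted_by[otp], source))
    return flagged


def simulate_exposure_window():
    """The window described in the text: a code captured by a phishing page and
    used at once is still accepted, because it has not yet been consumed."""
    acct = OtpListAccount("alice", {"4812", "0934", "7765"})  # constructed sample list
    first = acct.verify(True, "0934", source="unknown-host")  # relayed first: accepted
    second = acct.verify(True, "0934", source="customer-pc")  # real customer: rejected
    third = acct.verify(True, "7765", source="customer-pc")   # a fresh code still works
    return first, second, third, replayed_codes(acct.events)
```

The tuple returned by `simulate_exposure_window()` shows the accepted relay, the rejected legitimate attempt, and the one flagged code with the two sources involved.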

Sticky firewall question


This came into the mailbag this morning: "How long do you recommend firewall logs be retained? Is there a general baseline or best practice on length of time and where to store the log?"

A question like that gives me pause, much like: "honey, do these bloomers make me look fat?"

I've chosen to answer the question with more questions:

How long can you afford to keep them?

What regulatory requirements are you subject to?

What is the longest resolution time out of all of your internal incidents? (Thanks for that metric, Swa.)

These answers will give you some boundaries and drivers. If you can afford to keep them longer than your worst case requirements, you're set. If not, well... that's why managers get paid the big bucks.

My client is subject to Sarbanes-Oxley (SOX), and there is debate amongst the auditors and lawyers over whether the retention period is 5 or 7 years. I also have concerns about the format the logs are stored in. The vendor of the internal log storage solution says that keeping logs reduced into databases is okay, while I feel that raw logs are better (at least from an evidentiary standpoint). But they're vendors; of course they're going to say their product is fine.

Dynamic DNS and its impact to Incident Handling


When dealing with a static IP number the process is fairly simple: identify the humans associated with the IP and the DNS name. Okay, it's not so simple; doing a whois lookup and sending emails is one thing, but sometimes you have to follow up with phone calls and do a little bit of investigative work. When a dynamic DNS service enters the equation the problem gets a little more complicated. First, you have a moving target, so you have to follow the normal process but with a larger list of contacts. The dynamic DNS service admin must also be included. Many services are quite cooperative when trying to resolve an issue. The problem gets much worse when a DNS server is being updated dynamically without the owner's knowledge. You can help by ensuring that your DNS servers are configured securely.

Sybase Buffer Overflow Vulnerabilities to be Announced


NGSS discovered serious Sybase issues in 2004 and reported them to Sybase, who released patches. The technical details of the vulnerability were scheduled to be released today, Mar 21, 2005.

Mac OS X Issues Released


Today Apple released an update which addresses a number of Mac OS X issues.

Happy Nowruz!


A belated happy Nowruz! Please, don't forget to feed the goldfish! :-)
Kevin Liston

ISC Handler
