It took me a while but I finally found someone that had solved this. I am linking the solution. However, typing in a password and following it up with the one-time-password (OTP) is *extremely* user unfriendly. Anything that is hard to do to make better security actually makes worse security. Instead my approach protects the private keys with a password, and you then only use the OTP as the user’s password each login.

So, here is the process. Assuming you have pivpn already installed and working with an OpenVPN configuration.

1. Install google authenticator on the pi: sudo apt-get install libpam-google-authenticator
2. Edit your openvpn server configuration: sudo nano /etc/openvpn/server.conf and add plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn (to use google authenticator) and reneg-sec 0 (to not reconnect every x minutes as the password changes every few seconds).
   • NOTE: This will make this server configuration only work with OTP. If you have accounts that will just be using passwords then you will need to have a separate server configuration and separate port for that. Info on how to do that is here.
   • NOTE 2: If you are on Buster, or some version of Linux where the openvpn-plugin-auth-pam.so is not in that location, you should link it into that location. For example in Buster, this would be the command you would run to create the appropriate link: sudo ln -s /usr/lib/arm-linux-gnueabihf/openvpn/plugins/openvpn-plugin-auth-pam.so /usr/lib/openvpn/openvpn-plugin-auth-pam.so 
3. Create a pam.d openvpn profile: sudo cp /etc/pam.d/common-account /etc/pam.d/openvpn
4. Edit it sudo nano /etc/pam.d/openvpn to add this line at the end: auth required pam_google_authenticator.so 
5. Newer versions of linux with sec-linux use a more strict sandboxing config in systemd which interferes with google-authenticator. To get past this, we will need to edit /lib/systemd/system/openvpn@.service and remove this line to make sure it can read the .google_authenticator files in the home directories of the accounts we create:
   ProtectHome=true
6. Now run sudo service openvpn restart to reload the configuration change.

Now, create your user. For this to work you will use system accounts (accounts you use to log to your raspberry like ‘pi’). You can create as many account as you with the sudo adduser username command. The user’s password really doesn’t matter. Once you’ve created the user:

1. login as the user on the raspberry pi: sudo su - username (replace username with the actual username)
2. run the google-authenticator command and follow the instructions (save the barcode url for next step, or import it directly on the user’s device at that time)
3. Type exit to get out of that user’s shell and return to your own. 
4. Executing google-authenticator adds a file .google_authenticator in the user’s home directory. This file must have no rights except read for the user, so run sudo chmod 400 /home/username/.google_authenticator (change to the correct username)
5. create a pivpn account with the exact same name as the user : pivpn -a Note: the username must be the same than the system account. (The original directions suggest doing this with no password; It is safer to use a password to protect the private key. The password used here will need to be communicated safely to the user)
6. edit the freshly created username.ovpn file and add the lines auth-user-pass (to tell the client to request username and password on connection) and reneg-sec 0 (to not reconnect every x minutes as the password changes every few seconds) And comment out the auth-nocache line by putting a # at the front of it. (This will keep the connection from re-negotiating every 60 minutes which is not good for an always-on VPN.)

Now, just install your .OVPN file on your client. (You can save the private key password if your client supports it, or require prompting for it every time.) Use the barcode URL generated earlier to show the QR Code for import into your authenticator app on your mobile device, and profit! 
Login with the same username and the OTP as the password. (The private key password being the one used when you created the account with the pivpn -a command.) You’re now using multifactor authentication!. Something you know (the private key password) and something you have (your authenticator app which is a one-time-password generator).

The post PIVPN with 2-Factor Authentication appeared first on Security Musings.

The post OWASP Top 10 in 10 Minutes appeared first on Security Musings.

As I write this, we are halfway through the fifth month of the COVID-19 pandemic. All of us have had some amount of upheaval in our lives including restricting travel and our contact with friends and family. Some have had even more difficulty – loss of jobs, businesses, and the downturn of entire economic sectors. An uncertain future remains before us. 

The rapid move by many businesses to support teleworking has caused a boom in technology fields. Some organizations like Amazon, Twitter, Teledoc, and Siemens are treating working remotely as not just a temporary change, but as a more permanent shift. Tech adoption, disruption, and digital transformation are all on the rise. As a result, the CISOs that are lucky enough to remain employed are facing a greater challenge than before. Do more with less. Move from the tactical (implement this tool, remediate this vulnerability) to the strategic. Tackle the challenges of not just working remotely but onboarding new hires and creating team camaraderie remotely. And do not let this turbulence affect the security of your organization.

The False Tradeoff

Everyone is navigating uncertainty, and CISOs are being asked to quickly implement or approve new technology solutions to simplify working from home. They are asked to sign off on a new tool that will make sharing information easier—but find that the solution doesn’t have even the most basic security principles in place.

“There’s a tradeoff between security and usability,” someone will inevitably say.

People believe that there must be a compromise between how easy something is to use, and how secure it can be. This simply isn’t the case. In fact, the best security measures should allow for seamless protection while enhancing user experience.

Look at the rise of new online ordering systems that have taken off to enable small restaurants to survive the shift to take-out only. Many of these do not require a complicated signup or registration process at all. Instead, they leverage your email or phone number as an identifier, and a browser cookie to remember you between visits. There is no log in with a username and password, just a link by text or email.

These solutions focus on improving the online ordering experience without compromising on security. They use HTTPS to protect transactions, secure their browser cookies, and don’t even save your whole credit card number. The only risk if your email or SIM is compromised is your order history! It’s ok with me if someone can crack my Gmail that they will find out I love my local restaurant’s Pad Thai.

Apply Design Thinking Principles

In these times of volatility and uncertainty, it is important realize that everyone is facing the same challenges, and some are having a tougher time than others. There is already so much change going on in everyone’s lives, and introducing new security controls or solutions may be met with more resistance than usual.

This is actually a great opportunity for security leaders to leverage human-centric design thinking principles.

Start by empathizing with your user community to find their pain points and get their feedback. Ask questions. See how it impacts their day-to-day process.

In uncertain times like these, you shouldn’t expect individuals to be willing to accept holistic changes. You need to prioritize the most important goals, and clearly define them. This may slow you down – but a little patience will go a long way to ensure that the solution will be embraced, and not something to “work around”.

And of course, you will need to test and iterate. Roll out your solution to small groups. Get their feedback, improve, and test again. Ensure the solution works for everyone. Value everyone’s feedback – not only executives and the security team.

Make it Easy to do the Right Thing

User experience (UX) professionals use a method called “choice architecture” to carefully design the way a choice is presented. People’s decisions can be influenced based on the context of the choices provided. For example, bolding or outlining a button that should be the default choice.

By working together with UX teams, you can make it easier for users to make the safe choice.

Let’s take the example of a tablet-based system to view medical records. Replacing the clipboard at the end of a hospital bed, it allows the nurse or doctor to view medical history, recent vitals, allergies, and other important medical information. It must be very easy for a nurse or doctor to view key information quickly – perhaps without even logging in. In an emergency, quick access to this information could make the difference between life and death for the patient.

However, if you wanted to use the same tool to view the information of a different patient, it should be more difficult. Perhaps you should have to log in, go through a menu, confirm that you will erase the current record, search for a new record, and confirm you want it to be available in emergency situations. Where the original use case involved only one tap, in this case we use choice architecture and to make it more difficult to make a more risky choice.

Work Together

Too often, efforts to create or adopt new technology either ignore security or usability until too late in the process. Security is asked to approve a new product which has already been purchased, or security tools are rolled out to the whole company without any user feedback.

By working as one team, UX/UI designers, user researchers, and security professionals can create a customer experience that helps and encourages users to make better security choices. 

The notion that security and usability are a tradeoff is a false premise. Coordinating the two disciplines is the key – and leading technology companies that embrace this co-creation process are seeing quicker adoption of their solutions.

The post Usability vs Security appeared first on Security Musings.

As the global pandemic has kept everyone at home, our interaction with everything and everyone has increasingly had more of a digital footprint than ever before. That digital footprint without encryption exposes a lot of information.

Encryption is needed due to the way the Internet works. The Internet is a loose confederation of companies, educational institutions, and telecommunication providers. Everything passes through networks owned by others.

Without encryption, any party along the way can see what you’re doing. What web pages you’re visiting. Contents of your email. Your instant messages and texts. It’s all visible, trackable, traceable.

Encryption is the basis for our only chance of privacy online. Whether it’s privacy from your stalker ex, from retailers, advertisers, or the government – the only thing that keeps others from seeing everything you do online is encryption.

People deserve to not have their every online move scrutinized, analyzed, and archived forever. Everyone should have the right to be able to interact in the digital world without fear. The only way to enable this is through encryption.

But, you say, if you’re not doing anything illegal, what is the harm in the government being able to access things that are encrypted? I’ll give you three simple reasons.

1) Encryption that can be bypassed by any third party must be fundamentally weakened. When I started in this field, DES encryption was common – which can now be cracked in seconds on a smartphone. Anything that weakens encryption must be avoided.

2) The US government’s own security is so bad (see: SolarWinds, Shadow Brokers, OPM breaches) that eventually whatever backdoor they have access to will eventually make it out of the government’s hands and into the hands of enemies.

3) Encryption that can be bypassed by the government will eventually be abused. We have already seen the US create illegal mass surveillance capabilities, and this capability will just agencies give carte blanche to do it again.

So – when the debate around “government should be able to view all encrypted internet traffic to keep us safe” starts up again – educate your representatives on why it’s a bad idea for all of us. Get them to commit to voting against it.

Ben Franklin’s quote rings out: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” Encryption is the key to the liberty of privacy online. Do not give it up in the false hope of safety.

The post Encryption Isn’t A Debate appeared first on Security Musings.

#PKI. Public Key Infrastructure. It’s where my career in security began.

Digital #certificates protect so many things we use. From this website you’re visiting (check the icon on your address bar to be sure), to your ability to use your LinkedIn login to federate to other sites, to the authenticity of the patch just applied to update your browser… And it’s just scratching the surface.

PKI has gone from #security technology to #infrastructure. And if you are a user of Microsoft Teams, today you may have seen a failure of that infrastructure.

Microsoft Teams, like many modern solutions, has a separate front-end and back-end, connected through an #API. And communicating over this API requires a valid PKI certificate.

Unfortunately, Microsoft allowed this certificate to expire, which meant that the back-end didn’t trust the front-end any longer. And you couldn’t chat with your team.

All infrastructure needs regular checks and maintenance, and PKI is no different.

The post Required Maintenance appeared first on Security Musings.

Both Ghazanfar Ghori and I agreed that failure represents permanence. Anything that seemed like a failure at the time becomes a learning opportunity and a chance to do better next time.

So instead, I shared a mistake.

And my mistake was not coming to visit Karachi sooner!

It has been an absolute pleasure getting to learn more about our team and the culture here.

You can see my smile in this picture, as I’m hanging on to the front of a rickshaw as we traveled the city!

#pakistan#tech

The post Karachi appeared first on Security Musings.