CAC PIN Scam Alert

This is probably a little late.  As a contractor, we get these notices a little late; my guess is that this came out near the beginning of February.  Of course, the entity that sent our company the alert told us not to click on the link (sound advice) but left the link active in the note.  The SPAM that is circulating has been reproduced below:

Subject: IMMEDIATE ACTION REQUIRED: CAC PIN length increases

Recent world events have uncovered a potential weakness in DoD Common Access

Card (CAC) security systems using a PIN length of less  than 10 digits.

Therefore a new requirement has been established that calls for PIN length

to be at least 10 digits and no more than 14 digits.  Security systems DoD

wide will begin imposing the new restriction on 10-FEB-2011.  In order to

handle the high volume of CAC PIN resets, an automated CAC PIN Reset site

has been stood up.

Please log in to hxxp://www(dot)activeident(dot)com/DoD immediately and

establish your new PIN with the increased length requirement.

NOTE:  If you fail to establish your new PIN before the new restrictions are

imposed, you will need to visit a CAC issuance location before you will be

able to access the network.

SOURCE: Directorate of Plans, Training, Mobilization and Security Plans and

Operations Division Fort Bliss, Texas 79916

I have never heard of CAC PINs being reset over the web, so right away I would be skeptical.  If you receive an email like this, immediately check with your Facility Security Officer and do not click the link.

New DISA Checklist and STIGS - February 2011

This is a little late, as I believe these checklists and STIGS started showing up early this week.

Updated:

• Browser Security Guidance
• Generic Desktop Application STIG
• Domain Name System Checklist
• Microsoft Exchange 2003 STIG
• Network Infrastructure
• Secure Remote Computing STIG
• UNIX Security Checklist
• Windows OS guides
• Enclave STIG
• IBM Hardware Management Console (HMC) STIG
• Microsoft ISA 2006 Proxy STIG
• OS SRG UNIX
• Removable Storage and External Connection Technologies STIG
• Voice and Video over Internet Protocol (VVoIP) STIG
• Web Server STIG
• zOS STIGs

Enabling Retina to connect to a target remediated by Gold Disk

This past week, I worked with a large team to audit a very large and complex system.  The Information Assurance Manager at the site explained to us how he audited the system.  He would run Gold Disk on the machine, remediate, open a few holes, then run Retina against the target.  He then closed the holes so Gold Disk would not report the errors.  However, this presented a problem for my team and I as we could not get Retina to connect properly and report on any findings.  Here's what we did in order to open up the machines such that Retina could connect and properly scan the target:

• Navigate to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
• add a key:  autoshareservices, REG_DWORD, and make the value 1.
• Go to Start, Run, and type Services.msc
• Restart the Server service
• Start, or restart the Remote Registry service

Going through these simple steps enabled Retina to connect to the target and run a proper scan.

If there is a more simple solution, I would love to hear it.  Or, if I've botched this somehow, please correct me.

Auditing IIS 7

I want to thank the anonymous commenter on my previous post regarding IIS 7.  I was out testing this past week on a very long engagement when our team came across two IIS 7 servers.  After learning of the servers existence, I went to the Center for Internet Security's benchmark tools, and downloaded their IIS 7 Benchmark, which is at version 1.0.  (I would hard link to it, but you need to fill out a form first - and the link is wonky after filling out the form.)

I used the guide to go through the IIS servers, and I have to say it's pretty easy and straightforward.  Of course, the guide is not as in-depth as a typical DISA STIG/Checklist, but it covered much of the low hanging fruit.  The guide was easy to read, easy to follow, and even gave remediation advice.  I wholeheartedly recommend the guide for auditing IIS 7 servers until DISA puts out an official checklist.