Blog: SMS

Here are two links to articles discussing NIST's move to discourage the use of SMS for multi-factor authentication. The special publication by NIST actually says:

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

 

https://www.engadget.com/2016/07/29/sms-two-factor-authentication-isn-t-being-banned/


 

We were trying to update Symantec Mail Security (SMS) for SMTP from v4.0 to v4.1 and the upgrade routine seemed to hang during the ‘Java Liveupdate’ portion. Server hard-drive activity was heavy at that point and Task Mgr showed the upgrade ‘running’, but we did not seem to be making progress. We installed a Java-runtime update and found a Symantec Java-liveupdate hotfix, but we ran out of time and had to leave the server at v4.0. We went back on site Monday ready to uninstall Java Liveupdate, but the add/remove routine behaved similarly – heavy drive paging and the routine showed running, but no progress was occurring (waited 15 minutes). I found a Symantec procedure to manually remove Java Liveupdate and was going through that, deleting folders, when I came upon ‘C:\Documents and Settings\All Users\Application Data\Symantec\Java Liveupdate’. Before deleting it, I looked inside – it had 1 folder called ‘downloads’, which contained approx 21,000 pattern update folders going back to 2004. I deleted all these subfolders, which took about 25 minutes. After that completed, I re-ran the v4.1 upgrade, which ran through with no problems. Whether it was the upgrade routine or Java Liveupdate uninstall, the server was obviously trying to process all these subfolders and choking on them (might have eventually completed if given long enough). So, when working with Java Liveupdate, it is probably a good idea to look for this downloads folder first and clear it out.
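The check suggested at the end of the post above, as an added PowerShell example that is not part of the original post or any Symantec procedure: it counts the pattern update subfolders under the downloads folder and can prune old ones before an upgrade or uninstall. The warning threshold, the retention period and the parameter names are assumptions; the post's author deleted every subfolder.

```powershell
# Added example (not from the original post): audit the Java LiveUpdate
# downloads folder before an upgrade or uninstall, and optionally prune it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder location as given in the post.
    [string]$DownloadsPath = 'C:\Documents and Settings\All Users\Application Data\Symantec\Java Liveupdate\downloads',
    [int]$WarnThreshold = 1000,  # assumed value; the post reports trouble at about 21,000
    [int]$KeepDays = 30,         # assumed retention; the post's author deleted everything
    [switch]$Prune
)

if (-not (Test-Path -LiteralPath $DownloadsPath -PathType Container)) {
    Write-Output "Downloads folder not found: $DownloadsPath"
    return
}

# Only the immediate subfolders matter; the post describes each as a pattern update folder.
$folders = @(Get-ChildItem -LiteralPath $DownloadsPath | Where-Object { $_.PSIsContainer })
$cutoff  = (Get-Date).AddDays(-$KeepDays)
$stale   = @($folders | Where-Object { $_.LastWriteTime -lt $cutoff })
$oldest  = $folders | Sort-Object LastWriteTime | Select-Object -First 1

Write-Output ("Subfolders: {0}; older than {1} days: {2}" -f $folders.Count, $KeepDays, $stale.Count)
if ($oldest) {
    Write-Output ("Oldest: {0} ({1:yyyy-MM-dd})" -f $oldest.Name, $oldest.LastWriteTime)
}
if ($folders.Count -ge $WarnThreshold) {
    Write-Warning "Large backlog; installer and uninstaller runs may appear to hang while processing it."
}

if ($Prune) {
    foreach ($f in $stale) {
        # -WhatIf and -Confirm are honoured through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove pattern update folder')) {
            Remove-Item -LiteralPath $f.FullName -Recurse -Force
        }
    }
}
```

Running it with `-Prune -WhatIf` first lists what would be removed without deleting anything.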


 

I was working on a server that was running low on disk space on the system (C:) partition. I was able to free up some space rather quickly (by removing the Automatic Update downloads), but when I checked the Event Logs, the Application log was filling up with errors from SMS for Exchange. The message was that the virus definitions were corrupted. It appeared that the XDB down script had run around lunch time and updated the virus definitions, but wasn’t able to complete the install due to low disk space. Despite the partial install, SMS for Exchange appeared to be trying to use the corrupted definitions. When I tried to run LiveUpdate (as recommended by the Event Log message), LiveUpdate said everything was current. People were starting to have problems with their e-mail (and for some reason the server was beeping irregularly on site). I stopped the SMS for Exchange service (which fixed the e-mail and the beep), but the service wouldn’t restart. I tried restarting the main Antivirus service as well, and it would not restart (also because of corrupt virus definitions). I had to manually stop all the Symantec services, remove the partially installed virus definitions from the C:\Program Files\Common Files\Symantec Shared\VirusDefs folder, manually edit the USAGE.dat file (which tells the Symantec products which defs to use), then restart the services. Once the services were up and running on the previous virus defs, I was able to re-run the XDB down script and let it update the defs to the most current.