Saturday, May 31, 2008

Students DO NOT crack Microsoft CardSpace

From Kim's blog on this topic...

Student researchers have NOT demonstrated the simultaneous compromise of the systems necessary for the attack to succeed.

Students at Ruhr Universität Bochum in Germany have published an account this week describing an attack on the use of CardSpace within Internet Explorer. Their claim is to “confirm the practicability of the attack by presenting a proof of concept implementation”.

I’ve spent a fair amount of time reproducing and analyzing the attack. The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I show how complicated this is in a video I will post next). For the attack to succeed, the user has to bring full administrative power to bear against her own system. It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist. In my view, the students did not compromise CardSpace.

Kim is right. I'm still glad to see that there are people out there trying, because the hope is that anything found leads to a more secure system for us all and, in the end, that's what we all want.


Friday, May 30, 2008

Students crack Microsoft CardSpace

Pre-Script: Please check out Kim's comment to this post and his blog for more details on this "breach":

This is a good thing. The more people looking at the security of CardSpace the better. The end result will be a more secure solution...

Students at the Ruhr University of Bochum, Germany, say they have found a way to steal security tokens in Microsoft's new CardSpace authentication framework. Attackers can apparently get access to protected, encrypted user data – such as passwords, credit card numbers, and delivery addresses – when they are transmitted.


The Many Faces of Single Sign-on

Aberdeen Research just published a research brief that shows organizations are supporting far too many passwords, which leads to weakened security, inconvenienced end users, and increased cost of management and support.

Several approaches are available to help companies work towards the ideal of a single sign-on, including directory synchronization, password synchronization, enterprise single sign-on, web access management, and identity federation. The brief leverages the findings of recent Aberdeen research on user authentication to provide insights into the factors that should influence selection among these different approaches to a common problem.

What's the upshot of the research?

The Good: Nearly half of the respondents have deployed at least one stronger, non-password method of user authentication.

The Bad: Nearly nine out of 10 enterprise users have multiple work-related passwords.

The Ugly: Nearly two-thirds of the respondents stated they do not require that passwords be changed!

Lots of other great statistics, and what enterprises are doing to solve these problems, are in the report - including how many customers want to standardize authentication around Active Directory.

Check it out!


Wednesday, May 28, 2008

Quest & Microsoft Perfectly Matched

If you subscribe to CIO Magazine there's an insert in the May 15, 2008 issue called "Perfectly Matched" that Microsoft put together and placed. The section on Quest Software focuses on how Dell is cutting costs with an enterprise-ready directory.

Dell launched a project called Multi-Platform Management Integration, with the goal of making Microsoft Active Directory the master authentication system and overall source for all user accounts across all systems—including those running Microsoft Windows, IBM AIX®, Sun™ Solaris™ and various Linux operating systems. Quest’s approach allows organizations to achieve single sign-on from Active Directory for SAP® applications, the Oracle® E-Business Suite and the entire PeopleSoft life cycle.

Download the PDF at the above link if you're interested in what we have done for Dell. There are also many other excellent identity-related partners listed in the PDF.


Tuesday, May 27, 2008

Is Red Hat late to the directory server party?

I've been fairly fascinated by Red Hat (and Linux) ever since I made the move from Microsoft to Vintela. I was trolling around the Red Hat web site checking out a few things recently and came across Red Hat's Directory Server web page, which features a prominent section called "Directory Server Small Business Bundles". The small business bundle consists of one master and one replica server for $5000 and supports up to 500 users. There was an additional bundle that adds in two copies of Red Hat Enterprise Linux AS Premium for $9000 for the same maximum number of users. A further caveat is that you can buy a maximum of four of these packages, for a total of 2,000 users. Do the math and you get $10/user for the bundle without the Red Hat server licenses and $18/user with the server licenses. If you didn't fit into these categories you could click a button to contact sales.

For those of you that don't know, Red Hat's directory server originated at Netscape. In 1996 (I still remember the day) Netscape turned the directory world on its ear with the release of the Netscape Directory Server. That was the day both X.500 and X.400 began their death spirals. The Netscape Directory Server was king of the LDAP directory servers for quite some time. With the three wise men of LDAP (Tim Howes, Mark Wahl and Mark Smith) working at Netscape, how could they go wrong? Well, we know how that story finally ended, don't we?

Anyway, my point is the Netscape Directory Server was, and is, a solid product. That said, the three wise men all moved on and so did Netscape. I'm not sure how much work has been done on the server over the years after Howes left Netscape, the AOL purchase in 1998, and the acquisition of a bunch of assets from Netscape in 2004 by Red Hat - including the Netscape Directory Server. Red Hat has obviously been working on the product because

I do know that a lot of work has gone on in the LDAP arena by companies like Microsoft, Novell, and Computer Associates, to name a few, and even by the open source community's OpenLDAP project. There are a number of no-charge LDAP servers available today, for example Microsoft's Active Directory Application Mode (ADAM) and, of course, OpenLDAP. I haven't read the OpenLDAP license, but I know that Microsoft allows the redistribution of ADAM by ISVs at no charge as an added benefit.

Would I pay for an LDAP directory server today? No, I wouldn't. I'd either go with OpenLDAP, ADAM, or deploy an actual Active Directory domain controller (not free, but at ~$800 or less for unlimited users...). I've talked to customers that have deployed >million user directories with each of those choices; they have vibrant user communities, are supported (vendor or community), and are technically sufficient for almost every purpose. I think if I was a small business with 500-2000 users I'd be looking at using a free solution, too - $10/user is just too much for a piece of history.

Monday, May 26, 2008

Sun Solaris, Kerberos and Active Directory

Last week I had the pleasure of meeting Pat Patterson who is Sun's Federation Architect. It's always a treat to meet fellow bloggers. As I was perusing Pat's blog I came across his post about "Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory". It's definitely worth a read for obvious reasons. The only thing I didn't like about the article was the all caps admonition in the introduction:


Yuch. I hope that changes someday.

Anyway, it is certainly a step forward and nice to see Sun explaining how to enable their machines for joining Active Directory domains. Nice job.


Sunday, May 25, 2008

Microsoft Identity Metasystem Design Review

I attended this event on May 22-23 across the street at Microsoft's campus. Unfortunately, it is covered under our non-disclosure agreement and based on the way the Microsoft speakers kept repeating that over and over again to the audience I guess they were serious. They also mentioned numerous times that they didn't want to see the details plastered all over various blogs.

Maybe 50-75 people attended from many companies. Of course, I won't mention who else was there other than us. Click on the picture above if you would like to see the release schedule for all the cool stuff.

p.s. Check out this presentation if you'd like more information on the Identity Metasystem.


Thursday, May 22, 2008

iPhone & two-factor authentication

Here's a video that shows the initial version of the Quest Defender Desktop token for the Apple iPhone. The Desktop Token is the latest addition to Quest's range of electronic security devices. Quest developed the Desktop Token so that it integrates with the iPhone's security mechanisms, enabling a more secure connection between the device and your corporate network. The iPhone token allows the iPhone to authenticate the user in the same way as a Quest hardware token - and, of course, via Active Directory.

I think this is pretty cool, and as more and more iPhones get used with Microsoft Exchange and integrated with corporate environments, folks are going to want stronger security.

Reminder: We have a couple of webcasts coming up next week on Defender. Sign up here:


Tuesday, May 13, 2008

Who analyzes the analysts?

I stumbled across an interesting blog the other day: Who analyzes the analysts? Certainly folks like myself or James McGovern have written about analysts in the past. I was attracted to the blog by the statement below:

I’m not against analysts, more against the fact that no-one analyses or compares them or holds them to their word, rather we just keep on paying them the money…

I also really like the recent post titled: Quadrants and Waves don’t count - references do?

Sound familiar, James?

Monday, May 12, 2008

The Last Templar in Montreal

I'm visiting customers in Montréal and from my hotel room noticed a bunch of NYPD police cars parked alongside a church. Curiosity overcame me and I walked over to see what was up and snapped a bunch of pictures (click a pic above to see the album).

Turns out they are filming parts of the NBC mini-series "The Last Templar" here in Montréal. It's starring Mira Sorvino and Omar Sharif. Maybe I'll see them around town?!


McGovern on Oracle Operating Systems Security - #2

James McGovern's second question over at his blog to me is:

What would you think if there was a way for PAM to talk with an XACML PDP?

Answer = Awesome! All kinds of scenarios spring to mind. Mark Wilcox poo-poos the question by stating that PAM is about authentication and mentions SUDO as a more appropriate scenario. I clearly agree with the SUDO scenario. However, the fact of the matter is that authentication and authorization go hand in hand. An example would be checking if the authenticated user was authorized to logon to that particular machine. It just seems obvious to me that there would be scenarios where you'd want to leverage both auth'n and auth'z in the PAM - but that's just me.

P.S. Due to my misunderstanding of the software I use to publish these posts, I blew out my answer to James' first question (and the comments I received on it). I'll try to find it and re-create it. Sorry.

Technorati Tags: Quest Software, Oracle, Kerberos, Vintela, Linux, Microsoft, Active Directory

Thursday, May 08, 2008

Two-factor authentication and Active Directory

Please join Quest Software, Microsoft 2007 Global Partner of the Year, and Avaleris for a webcast on using Quest’s Defender strong authentication solution in Microsoft centric environments.

Finally, a truly cost effective and fully integrated 2-factor authentication solution leveraging Active Directory and Microsoft’s Identity Lifecycle Manager (ILM) certificate & credential lifecycle management capabilities -- providing greater solution flexibility and enabling user authentication wherever it is required.

You will learn about:

  • How Defender uses Active Directory to minimize infrastructure complexity and simplify deployment while providing robust capabilities - manage your tokens and users directly from Active Directory as there is no need for a separate management server or directory

  • Integration with Microsoft Identity Lifecycle Manager 2007 for centralized provisioning and lifecycle management of certificates, smart cards and OTP (one time passwords) devices

  • How Defender supports multiple tokens: hardware, software, OATH, combo cert/OTP tokens and a proprietary mobile SMS solution

  • ZeroIMPACT – Migration to Defender with no impact on existing/incumbent solutions.

  • How Avaleris can provide domain expertise and consulting services to ensure a successful implementation

Defender was rated SC Magazine's best buy with a 5 star product rating! Come and see what all the buzz is about.

Questions? Please contact Phil Berton - Quest Software Identity Management Development Manager at or Bill Tompkins – Avaleris Vice President, Marketing & Business Development at

The webcast is on Wednesday, May 28th, and begins at either 9:00am or 12:00pm EST.



Wednesday, May 07, 2008

Oy vay Oracle!!!

Fear, uncertainty and doubt aka FUD. You thought only Microsoft used it? Think again, because here comes Oracle.

I caught a post over at James McGovern's blog on Oracle Authentication Services for Operating Systems and tonight noticed a follow-up to it over at Oracle's own Mark Wilcox's blog, where he posted Understanding the Benefits of Oracle Operating System Security (OA4OS). Here's the whole post: (color highlights are mine)

Today is a day to catch up on some blogging.

James McGovern posted a few questions on our new operating system security product - aka Oracle Authentication Services for Operating Systems or OA4OS.

First quote - " On one level, this feels like a good story, but on another it feels like a long-term trap."
It's just a good story :). There is no trap. Unlike competing solutions - we don't use any proprietary hooks or changes to the Unix/Linux systems. We are using all standards-based interfaces like PAM, NSS and SUDO.

Thus it would be possible to move to another directory solution.

Second quote - "First, if you are running Solaris, this you can setup NIS domains to aid in this problem." NIS has been out of favor for a while. It has now been officially deprecated. And for the kicker - it is not SOX compliant.

Thus many customers we've talked to about OA4OS are specifically looking for how to replace NIS. This is one of the features we offer.

Third quote - "Consider that if you are a shop running Active Directory, Microsoft provides Active Directory Services for Unix where by you can have Unix servers and daemons participate as if they are native to the Windows domain. This simplifies administration significantly, cheap to rollout and even cheaper over the lifetime. There are of course some features missing, which Microsoft will be addressing in upcoming releases."

Yes - Microsoft does offer this. However, it has many limitations that in many organizations will not be solvable. For starters - you must extend the AD schema - in many organizations this is not allowed by corporate policy. Second, storing this data can add severe impact to your AD replication, which affects desktop login (which is why this is not allowed by many corporate policies). Third - it does not auto-generate UID & GUID numbers (we do :)). Fourth - they do not have any system to allow you to address the use case where you have the same username but different uid/gid numbers on different hosts (hello OVD). These are all features that AD lacks and some (such as schema change) will never be avoided.

Final quote- "You can also consider third party software such as Vintela and Centrify which also provide deeper Unix/Linux integration to Active Directory. Anyway, I humbly predict that the open source community will realize that this type of integration should be in the box and not something add-on and therefore will address within the next six months."

To my knowledge Vintela and Centrify require proprietary components and/or extensions to AD. Also they don't provide any mechanism to manage SUDO policies in your directory. And I would also point out that this is our first release (if he can mention MSFT updating AD as being OK, I can use it here for us too :)) so we are going to be adding in additional functionality in the future.

I take issue with the highlighted statements above...

1. Unlike competing solutions - we don't use any proprietary hooks or changes to the Unix /Linux systems. We are using all standard - based interfaces like PAM, NSS and SUDO.

I'm not sure who you mean when you say "competing" but let me state that our product (Vintela Authentication Services) uses no proprietary hooks and requires no changes to the Unix/Linux systems other than the same ones you use: PAM, NSS and SUDO. Mark, this is plain old FUD.

2. storing this data this can add severe impact to your AD replication which affect desktop login (which is why this is not allowed by many corporate policies).

Also, by walking across the street I could get hit by a bus. Are you kidding me? I have never seen this happen in all my years working with Active Directory and Vintela Authentication Services. Severe impact to your AD replication? Man oh man. This was the FUD comment that really launched me. Schema extensions "not allowed by many corporate policies"? Any Microsoft customer that has installed Exchange or Live Communications Server has extended their schema. FUD, FUD, FUD.

3. To my knowledge Vintela and Centrify require proprietary components and/or extensions to AD.

I won't speak for others and I'll take into account your statement "to my knowledge" and, once again, state that Quest does not require proprietary components and/or extensions to AD.

Mark may not be familiar with RFC 2307. RFC 2307 is an IETF standard for representing NIS data (users, groups, hosts and the like) in an LDAP directory service. Let me point out that Microsoft incorporated the RFC 2307 schema extensions in the base Active Directory schema with Windows Server 2003 R2. Most of the customers I talk to that are running pre-Windows Server 2003 R2 have extended their schema to include the RFC 2307 extensions. Oh, and of the thousands of customers I have talked to I have never run into one who has a corporate policy about not extending the schema. Again, more FUD.
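To make the RFC 2307 mapping concrete, here is an added example (written for this page, not code from Quest, Oracle or any product): it parses constructed posixAccount and posixGroup LDIF entries into the passwd(5) and group(5) lines an NSS LDAP module would hand to the operating system, and flags two accounts that share a uidNumber, a collision any NIS-to-directory migration has to catch before the kernel treats both users as one identity.

```python
"""Map RFC 2307 posixAccount / posixGroup entries to passwd(5) and group(5)
lines. Added example for this page; the LDIF below is constructed sample data."""
from collections import defaultdict

# Constructed LDIF: two users that (deliberately) share a uidNumber, one group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/bob

dn: cn=unixadmins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: unixadmins
gidNumber: 5000
memberUid: alice
memberUid: bob
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values.
    Only plain 'attr: value' lines are handled (no '::' base64, no folding)."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries

def passwd_lines(entries):
    """passwd(5) lines. The password field is 'x': userPassword is never
    exposed through NSS; authentication goes through PAM instead."""
    lines = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        lines.append("%s:x:%s:%s:%s:%s:%s" % (
            e["uid"][0], e["uidNumber"][0], e["gidNumber"][0],
            e.get("gecos", [""])[0], e["homeDirectory"][0],
            e.get("loginShell", ["/bin/sh"])[0]))
    return lines

def group_lines(entries):
    """group(5) lines; memberUid is multi-valued, one value per member."""
    return ["%s:x:%s:%s" % (e["cn"][0], e["gidNumber"][0],
                            ",".join(e.get("memberUid", [])))
            for e in entries if "posixGroup" in e.get("objectClass", [])]

def uid_collisions(entries):
    """Accounts sharing one uidNumber are the same Unix identity to the kernel:
    file ownership and audit records cannot tell them apart, so flag them."""
    owners = defaultdict(list)
    for e in entries:
        if "posixAccount" in e.get("objectClass", []):
            owners[e["uidNumber"][0]].append(e["uid"][0])
    return {n: u for n, u in owners.items() if len(u) > 1}
```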

4. Also they don't provide any mechanism to manage SUDO policies in your directory.

A quick search of the Quest website would have shown that not only does Quest provide a SUDO tool but it can be managed via Active Directory.

I'm going to save my comments on the new "Oracle Authentication Services for Operating Systems" product for another post. There's only so much fun and ROFLMAO that I can take in one evening...


Mark responds to my post here:
He says he runs into customers all the time that can't extend the schema. My bet is he is running into EMPLOYEES who say they can't extend the schema. Extending the AD schema is not for the faint of heart and many companies have a policy about it but when push comes to shove they all extend. Otherwise, they would still be on Exchange 5.5.


Tuesday, May 06, 2008

Control access by privileged users

There was a review recently in Network World on this topic.

Privileged IT staffers literally hold the keys to the castle. Access to those keys that open the doors to critical operating system and application resources must be carefully managed and legally audited. Enter the class of products referred to as privilege account management wares.

Quest Software's "Privilege Manager for Unix" was one of the products reviewed along with products from Cyber-Ark, e-DMZ and Symark. While Quest wasn't the winner of the review I can assure you that we're working to narrow the gap against all of our competitors.

This is a space I intend to be #1 in thank you very much. For example, we have a swap-out program around Symark. We'll swap in full production Privilege Manager licenses to replace all existing Symark PowerBroker license instances as long as the prospect is an existing Symark PowerBroker customer, and commits to a complete replacement of PowerBroker.

The detailed review of our product can be found here.



Got your attention, eh?!

Nice post by Tim Paul on some of the problems he ran into with a customer who had an SSO deployment collapsing because of identity collisions. I love how the problem was solved through the use of a virtual directory.

Single Sign-On

There was an SSO webinar today by Quest Software. I would like to thank them for actually putting some content into it and actually explaining what their solutions offer. I have become a bit weary of webinars so laden with marketing message, you really have no idea what the technology is offering you or if it will fit your infrastructure or not.

The recording is available here. My big take-aways had a familiar ring to them, as I have repeated some of these points too many times to count at this point. Quest has an offering of multiple applications for an SSO package. Also, check out Mr Shaw's white paper on the subject.

First SSO means different things to different people; enterprise SSO, Federated SSO, Web SSO, Single Password, Reduced SSO, etc. But I believe that some things are the same regardless of the "type" of SSO you want to deploy.

Shaw had a nice list of the "perfect world" for SSO:

- Standards based
- A single password or login
- A single directory
- Strong Authentication support / multi-factor authentication
- Support for multiple platforms
- Support for multiple applications
- Support for "thick, thin, and web applications"

This week I have been faced with some of the problems in solving SSO integration problems and how to deliver identity information to enable SSO. A client had previously deployed an SSO solution for 35+ applications, using only two sources that were disjointed. Now they were faced with integrating another data source that contained an intersection of identities. Some users in the new source exist in one of the other two sources - now the entire SSO solution collapses because it was based on the idea that they would never face an overlap of identities within the repositories. Again, the answer was to deploy a virtual directory server as the abstraction layer to simplify the management of identities in these, now joined, data sources.

The lesson is, yes you can deploy an application without building a unified infrastructure, but you take a big risk. When new data sources need to be incorporated (including acquired applications with their respective user-base), you can expect problems.

PLAN AHEAD.. if you don't need to solve this integration problem now, YOU WILL at some point if you expect any level of scalability. YES, it is possible to have one source for all your users, without replication. By using the features of a virtual directory server to create a true union of identities (identities are correlated appropriately and duplicates are eliminated) and extend those entries with additional attributes from the needed data sources, you provide an identity infrastructure to provide authentication and authorization services to your SSO application.

Great insights, Tim. Thanks!


Monday, May 05, 2008

Using Single Sign-On to Improve Security, Lower Costs and Improve Productivity

We've sponsored a webcast on this topic with Redmond Magazine. Details below. You can register here.

Event Date: Wednesday, May 28, 2008 at 11:00am PT / 2:00pm ET
Featured Speaker: Michael Osterman, President, Osterman Research

Users employ a growing array of desktop systems, laptops, smartphones, email clients, Web tools, applications and other capabilities. The security of the network is now more cumbersome and less secure because of the growth in usernames and passwords used for access to these systems. Single Sign-On (SSO) technology can help solve these problems. SSO offers many benefits, including easier access to systems and applications, greater control, lower costs and better security. Quest Enterprise Single Sign-On uses Microsoft Active Directory for a complete sign-on capability. It allows users to access a wide range of applications, Web sites and other resources using a single set of credentials.

Please join us and bring lots of very difficult technical questions!
