<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7069852322886703926</id><updated>2012-01-08T04:30:25.184-08:00</updated><title type='text'>Domdingelom on security, fun and life</title><subtitle type='html'>coming at you live and uncensored.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-6004059545996480078</id><published>2009-02-10T13:39:00.000-08:00</published><updated>2009-02-10T13:41:20.374-08:00</updated><title type='text'>We are moving</title><content type='html'>as of now, please refer to &lt;a href="http://blog.remes-it.be"&gt;http://blog.remes-it.be&lt;/a&gt; aka 'The Security Kitchen'.&lt;br /&gt;This blog is officially closed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/7069852322886703926-6004059545996480078?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/6004059545996480078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=6004059545996480078' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/6004059545996480078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/6004059545996480078'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2009/02/we-are-moving.html' title='We are moving'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-4150479842911101708</id><published>2009-01-26T13:58:00.000-08:00</published><updated>2009-01-26T14:04:52.720-08:00</updated><title type='text'>because not everybody will use transparent proxies.</title><content type='html'>As I travel around and attach my laptop to different networks, I'm left to disable/enable the proxy server settings ever so often. 
I grew tired of it and that's why I messed around with a small VBScript that:&lt;br /&gt;a) detects whether the proxy settings are enabled or disabled&lt;br /&gt;b) asks whether you want to reverse that state&lt;br /&gt;&lt;br /&gt;You may want to add additional code to enable or disable different proxies.&lt;br /&gt;&lt;br /&gt;Here's the code:&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;const HKEY_CURRENT_USER = &amp;amp;H80000001&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;const HKEY_LOCAL_MACHINE = &amp;amp;H80000002&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;strComputer = "."&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &amp;amp; _&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; strComputer &amp;amp; "\root\default:StdRegProv")&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;strValueName = "ProxyEnable"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;' Read the current per-user proxy state (1 = enabled, 0 = disabled)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;oReg.GetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;If dwValue = 1 Then&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; answer=Msgbox("Proxy is currently enabled. 
Disable it?",36)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; ProxyOn = True&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;Elseif dwValue = 0 Then&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; answer=Msgbox("Proxy is currently disabled, Enable it?",36)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; ProxyOn = False&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;End if&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;If ProxyOn=False Then&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; If answer = 6 Then &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  dwValue = 1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; Elseif answer = 7 Then&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  dwValue = 0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt; End if&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;Elseif ProxyOn=True Then&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;If answer = 6 Then &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  dwValue = 0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;Elseif answer = 7 Then&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  dwValue = 1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;  oReg.SetDWORDValue 
HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;End if&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;End If&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Have fun!&lt;br /&gt;Stay Secure!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-4150479842911101708?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/4150479842911101708/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=4150479842911101708' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/4150479842911101708'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/4150479842911101708'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2009/01/because-not-everybody-will-use.html' title='because not everybody will use transparent proxies.'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-8258141697601980160</id><published>2009-01-07T17:05:00.000-08:00</published><updated>2009-01-07T17:14:29.950-08:00</updated><title type='text'>why procedures are important.</title><content type='html'>&lt;span style="font-family: arial;"&gt;It's 2am as I write this blogpost and first let me give you a little history :-)&lt;br /&gt;&lt;br /&gt;The past 2 days I spent at the hospital because 
I went through some excruciating pain caused by a 2mm kidney stone.  It was detected on a scan and I was instructed to drink as much fluid as possible while on painkillers and some other alleviating drugs. I also had to pee through a sieve, so I would be able to find the stone if it so chose to make its exit. &lt;br /&gt;(TMI? Maybe, but bear with me ;-) )&lt;br /&gt;&lt;br /&gt;This evening I was pain-free and I was discharged from hospital (thank God, I'm back with the family again). I also chose to take my little sieve home.  No stone had been found yet and I wanted to see that little bugger.&lt;br /&gt;&lt;br /&gt;So, here I was, just after a shower, and I needed to pee, badly. Our bathroom is upstairs and my little sieve was in the toilet room downstairs.  I was toying with the thought of peeing upstairs, without my sieve, because I was really feeling tired, but I told myself 'no, you HAVE to use the sieve'.&lt;br /&gt;&lt;br /&gt;I don't have to add that the stone chose that moment to make its exit.  I caught it and I'm happy.&lt;br /&gt;&lt;br /&gt;All this to tell you that, however tired or stressed you are, whatever deadline you are up against, procedures are massively important in our job.  If you decide to cut corners because you know better and/or because you think that 'one time doesn't hurt', you might well be wrong this one time. 
Think about it, be flexible, but don't sacrifice procedure just for the sake of it.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-8258141697601980160?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/8258141697601980160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=8258141697601980160' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8258141697601980160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8258141697601980160'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2009/01/why-procedures-are-important.html' title='why procedures are important.'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-4671842526104160535</id><published>2008-12-30T11:41:00.000-08:00</published><updated>2008-12-30T13:45:43.508-08:00</updated><title type='text'>Dear Internet, I love you</title><content type='html'>&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;but I don't trust you anymore.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;I remember meeting U here in the good ol' 
days&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;I would never pick the flower of my favourite protegé&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;Maybe if I would have&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;Then U would not treat me this way&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;U tricked me - but U will not anymore&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;No, no&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:85%;"  &gt;&lt;span style="color: rgb(153, 153, 153);"&gt;I love you, but I don't trust U anymore&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;It doesn't happen very often that I can quote an appropriate Prince lyric when blogging about Information Security :-)&lt;br /&gt;&lt;br /&gt;For the third time this year the internet has been broken. This time it's the fact that some Certificate Authorities failed to phase out MD5 signatures from their PKI back when MD5 collisions were proven (2004). Kudos to Mr. Appelbaum and Mr. 
Sotirov.&lt;br /&gt;You can read all the juicy details here: &lt;a href="http://www.phreedom.org/research/rogue-ca/"&gt;http://www.phreedom.org/research/rogue-ca/&lt;/a&gt;&lt;br /&gt;Great work.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now where are we? What can we do?&lt;br /&gt;&lt;br /&gt;Let's list the CAs that are identified as issuing MD5-based certs in 2008 and that are trusted by default in our browsers:&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;         RapidSSL&lt;br /&gt;         FreeSSL&lt;br /&gt;         TrustCenter&lt;br /&gt;         RSA Data Security&lt;br /&gt;         Thawte&lt;br /&gt;         Verisign.co.jp&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="mediumtext"  style="font-family:arial;"&gt;&lt;br /&gt;These CAs have promised to move to SHA-1 as soon as possible. In the meantime it might be better not to trust them. That means removing them from the certificate store in your favorite browser. I did just that on my machines.&lt;br /&gt;&lt;br /&gt;In a business environment it's a little bit more complex.  Take your time to assess your risk; the game stores in China and Russia probably don't have sufficient stocks of PS3s, so we can assume it will take a while for the first real attack to take place ;-)&lt;br /&gt;&lt;br /&gt;An interesting feature in an Active Directory environment might be to control CA certs through Group Policy. You can export root certificates from a trusted machine, or you can download them from the different CA vendors (more cumbersome, yet more secure). 
The following policy allows you to push out your set of trusted CAs to your install base.&lt;br /&gt;Open the Group Policy Management Console&lt;br /&gt;Open a policy of choice or create a new one&lt;br /&gt;Go to the following policy setting:&lt;br /&gt;     Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; Public Key Policies.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:arial;"&gt;And configure as needed.&lt;br /&gt;&lt;br /&gt;Ah, but by default, Windows will update the list of trusted CAs itself ... damn that :( Luckily Microsoft has thought about that :-) They're not all bad, you know.  &lt;a href="http://technet.microsoft.com/en-us/library/bb457160.aspx#EAAA"&gt;This article&lt;/a&gt; shows how to disable this function. The same article lays out how to disable this update feature on stand-alone computers. You see, if you want to, you can be in control.&lt;br /&gt;&lt;br /&gt;Please note that Firefox keeps its own certificate store, separate from Windows/IE. I'm not aware of a possibility to centrally control root certificates in FF. If I stumble upon something I'll post it here in an update.&lt;br /&gt;&lt;br /&gt;Now I'm off to go break the internet using a bench of 500 Wii consoles all controlled with a Wii Fit board and my Guitar Hero guitar, 
because after all, that is how we roll.&lt;br /&gt;&lt;br /&gt;As some wise man said : trust, but verify.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-4671842526104160535?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/4671842526104160535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=4671842526104160535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/4671842526104160535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/4671842526104160535'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/dear-internet-i-love-you.html' title='Dear Internet, I love you'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-2816198336919540107</id><published>2008-12-29T15:16:00.000-08:00</published><updated>2008-12-29T15:26:06.037-08:00</updated><title type='text'>as it stands now this will be my last blog post</title><content type='html'>&lt;span style="font-family: arial;"&gt;Since we have been notified that the internet will break at 3.15pm CET tomorrow.  
It's nice when the buzz gets at full speed and nobody knows what will happen.&lt;br /&gt;&lt;br /&gt;Anyway, Jacob Appelbaum and Alexander Sotirov are presenting &lt;a href="http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html"&gt;'Making the theoretical possible' &lt;/a&gt;&lt;br /&gt;tomorrow at 3.15pm at 25C3.&lt;br /&gt;&lt;br /&gt;With a quick count, the internet will be broken 3 times this year. First we had DNS, then Sockstress and tomorrow ... a wild guess would be DNS (again) with a wild bend to abuse SSL weaknesses ... we'll see. BGP ?&lt;br /&gt;&lt;br /&gt;If this is goodbye, it's been fun. I love you all, see you on Web 3.0 ;-)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-2816198336919540107?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/2816198336919540107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=2816198336919540107' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2816198336919540107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2816198336919540107'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/as-it-stands-now-this-will-be-my-last.html' title='as it stands now this will be my last blog post'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-179611155365702342</id><published>2008-12-29T04:04:00.001-08:00</published><updated>2008-12-29T04:37:18.164-08:00</updated><title type='text'>on the risk of inaccurate 'assessments'</title><content type='html'>&lt;span style="font-family:arial;"&gt;I've pondered on a '$security_topic is dead' title for this blogpost, but I managed to steer clear of that one. I personally don't believe that anything (except for Antivirus ;-)) is really dead and my Buddhist little toe tells me that if anything is dead, it will most probably live on in another shape or form.&lt;br /&gt;&lt;br /&gt;I've been involved in penetration tests, security assessments and audits of different kinds (both regulatory and not) and from both perspectives (as the tester and as the testee). When sitting on the tester chair, I've experienced how hard it is to translate one's findings to a proper report that, without resorting to FUD, accurately assesses the risks the customer is exposed to. On the other hand, I've been frustrated with numerous reports I received that qualified risks as High, Medium, Low and/or Red, Yellow, Green. From a customer perspective, what am I to do with these 'values'?&lt;br /&gt;&lt;br /&gt;While a qualitative assessment is the easiest way to qualify risks, it also completely disconnects us from the business and/or the customer. When making a qualitative assessment we are not taking into account the nature of the business and the processes that our customer actually practices to run his business.&lt;br /&gt;Some practitioners refer to 'best practices' or 'good practices' (marketeers, please take a one-way ticket to a deserted island ?) 
but still I don't feel that this positively impacts the result of the analysis.&lt;br /&gt;&lt;br /&gt;Within the limits of a penetration test, quantitative risk assessment is nearly impossible. First and foremost because you will never* receive accurate numbers within the limited timeframe but also, and more importantly, because as a technical tester you are completely and utterly disconnected from the business.&lt;br /&gt;Running meaningless numbers through complicated formulas and creating scatter plot graphs representing risks is probably comparable to trying to kill a deer by throwing a bullet at it. It does not work.&lt;br /&gt;&lt;br /&gt;In short:&lt;br /&gt;a) penetration tests and security assessments are, today, mostly technology oriented.&lt;br /&gt;Yes, we do assessments on the process level too, but not as much and not as thoroughly.&lt;br /&gt;b) results are often poorly communicated due to lack of connection with the business and/or lack of feedback from the business.&lt;br /&gt;c) customers are not up to par when it comes to considering risk assessment a vital part of doing business. Security is still the responsibility of IT.&lt;br /&gt;&lt;br /&gt;Conclusion:&lt;br /&gt;If we want to create value by providing penetration testing and security assessment services, we should stop selling 5-day, fixed-price 'solutions' that provide a detailed report. 
We should engage with our customer at a very high level so we can first understand the business and then tailor security solutions to their needs, going through shorter iterative cycles that solve problems one at a time, raise awareness throughout the business and in the end provide a company with the necessary processes to tackle security processes on their own.&lt;br /&gt;&lt;br /&gt;I'm looking forward to being a part of this in 2009.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-179611155365702342?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/179611155365702342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=179611155365702342' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/179611155365702342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/179611155365702342'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/on-risk-of-inaccurate-assessments.html' title='on the risk of inaccurate &apos;assessments&apos;'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-8432515541677784290</id><published>2008-12-21T04:23:00.000-08:00</published><updated>2008-12-21T04:32:06.064-08:00</updated><title type='text'>I have nothing more to 
add</title><content type='html'>&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ZrDxe9gK8Gk&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ZrDxe9gK8Gk&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;As I am sitting here, watching this video, I really can't say much more.  At the moments when you are not tied up in projects, deadlines, working for the boss every night and day, please think about the fact that it is all about love, life and people. &lt;br /&gt;&lt;br /&gt;From here I extend to all of you a virtual hug and the sincere wish that whatever you do, whatever you plan allows you and yours to grow.&lt;br /&gt;&lt;br /&gt;Love.&lt;br /&gt;Peace out.&lt;br /&gt;&lt;br /&gt;Wim&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-8432515541677784290?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/8432515541677784290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=8432515541677784290' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8432515541677784290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8432515541677784290'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/i-have-nothing-more-to-add.html' title='I have nothing more to 
add'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-3661396904706653566</id><published>2008-12-19T03:27:00.000-08:00</published><updated>2008-12-19T03:29:00.759-08:00</updated><title type='text'>Mankind is not an island</title><content type='html'>&lt;p&gt;&lt;span style="font-family:arial;"&gt;&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ZrDxe9gK8Gk&amp;amp;hl=en&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/ZrDxe9gK8Gk&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;Brilliant&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;Emotional&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;Genius&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-3661396904706653566?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/3661396904706653566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=3661396904706653566' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3661396904706653566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3661396904706653566'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/mankind-is-not-island.html' title='Mankind is not an island'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-6654090916414001192</id><published>2008-12-18T14:36:00.000-08:00</published><updated>2008-12-18T15:00:13.869-08:00</updated><title type='text'>how 800,000 people can still be wrong</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://do69.files.wordpress.com/2008/04/yves-leterme.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 197px;" src="http://do69.files.wordpress.com/2008/04/yves-leterme.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;This is not a security related post !!!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: arial;"&gt;May I introduce to you, Mr. Yves Leterme, prime minister of our little country. In June 2007 he was elected prime minister with a whopping 800,000 votes behind his name. I'm not going to lay out the history of Belgium in this blogpost, but some of you may know we have a Dutch-speaking part (Flanders) and a French-speaking part (Wallonie). 
It has been a troubled marriage for the past decades and it came as no surprise that Yves won so many votes by touting a far-going federal reform of the country (on the verge of separatism). That was mid-2007. We are now at the end of 2008 and the following has happened :&lt;br /&gt;1) Mr. Leterme has not been able to form a functioning government in 18 months.&lt;br /&gt;2) Mr. Leterme was not able to deliver on his promise of a federal reform, which he promised would 'benefit' the whole country. Instead his demeanor drove a wedge between the two parts of Belgium and mutual understanding has been far gone since his appearance on the main stage.&lt;br /&gt;3) In 09/2008, 10/2008, the financial crisis hit. Big Belgian banks (Fortis, Dexia) got into trouble and were bailed out by the Belgian government. This was the moment Yves proved himself to be quite the leader, or so he thought. He messed up countless times, lied about the European authorities not being reachable while decisions were being made. Mrs. Kroes proved him wrong on national television. Talking about humiliation.&lt;br /&gt;4) Shareholders took the Belgian government to court over the Fortis deal, because Yves decided to move fast and sell off the left-overs to BNP Paribas without consulting the shareholders. And this is where his amateurism culminates. While the higher courts were deliberating the case, Mr. Leterme's minions decided it was time to 'intervene', putting pressure on judges to rule in favor of the government. This was brought out in parliament yesterday and today and in more than 24 hours, the Belgian government has not been able to formulate an answer to its defense or say something sensible about the shit we're in. &lt;br /&gt;&lt;br /&gt;All this while the global financial crisis is developing at rapid speed, corporations are struggling to stay afloat and workers are scared senseless about their future.  
While some say worse than having a dysfunctional government is having no government at all, I am not so sure. When we wake up tomorrow morning, Mr. Leterme is no longer a leader, he is an incompetent person clinging to power, while knowing he does not have the ability to make right what he did wrong, nor does he have the power to control the crisis at hand. Mr. Yves Leterme will be a lame duck. Sure we will suffer with no government but at least he won't be able to do further damage.&lt;br /&gt;&lt;br /&gt;Mr. Leterme,&lt;br /&gt;While you were cheering when you 'won' the elections, you knew you didn't have it in you, didn't you ? You knew that it all was a big fat lie just to be part of history. Did you think about 'the people' at that time ? Did you think about the fact that your power-hunger would have an impact on 10,000,000 people ? You fucked up, realize it, step down and let us move forward.&lt;br /&gt;Thanks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-6654090916414001192?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/6654090916414001192/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=6654090916414001192' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/6654090916414001192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/6654090916414001192'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/how-800000-people-can-still-be-wrong.html' title='how 800,000 people can still be wrong'/><author><name>Wim 
Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-6011454703276405357</id><published>2008-12-13T06:15:00.001-08:00</published><updated>2008-12-13T06:18:28.611-08:00</updated><title type='text'>the internet police is here</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_jSNQUBsBtUE/SUPD9CgJ0YI/AAAAAAAAAeU/OKnkyuaihr8/s1600-h/airshoot.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 240px; height: 320px;" src="http://3.bp.blogspot.com/_jSNQUBsBtUE/SUPD9CgJ0YI/AAAAAAAAAeU/OKnkyuaihr8/s320/airshoot.JPG" alt="" id="BLOGGER_PHOTO_ID_5279278641619521922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-weight: bold; font-family: verdana;"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Out to take on all the internet crooks :-)&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-6011454703276405357?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/6011454703276405357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=6011454703276405357' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/6011454703276405357'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7069852322886703926/posts/default/6011454703276405357'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/internet-police-is-here.html' title='the internet police is here'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_jSNQUBsBtUE/SUPD9CgJ0YI/AAAAAAAAAeU/OKnkyuaihr8/s72-c/airshoot.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-8326579159624068422</id><published>2008-12-13T05:21:00.000-08:00</published><updated>2008-12-13T06:05:15.756-08:00</updated><title type='text'>Belgian bank accounts compromised</title><content type='html'>&lt;span style="font-family: arial;"&gt;As I'm reading through the Belgian news, there's a report about hackers compromising about a dozen Belgian bank accounts.  The bank involved is not named, but it would be one of the bigger banks in Belgium, either Fortis, Dexia or KBC. Belgian law enforcement has started an investigation, no doubt this will die a silent death.  What's even more worrisome is that all banks I know, in Belgium, use two-factor authentication. Not unbreakable, but still pretty rigidly implemented. &lt;br /&gt;&lt;br /&gt;However, what struck me most is the comment by Febelfin, an organisation grouping Belgian financial institutions.  
Here's what they said :&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic; color: rgb(255, 0, 0);"&gt;"You are safe if you are running a regularly updated antivirus application."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Allow me to disagree, and I don't even want to bring this down to an "AV is dead" post, cuz we all&lt;br /&gt;know we had too much of that lately ;-) However, what amazes me the most is that a professional organisation (especially in these times, cuz they f'd up mucho lately) dares to come with as lame an advice as this.  If you truly care about your customers and their money, I'd expect a little more than this. If you truly care about your customers, come out and tell us how this happened and what your customers can really do to protect themselves (which, in the current situation is close to nothing).  If you truly care about your customers, take up your responsibility and disclose. &lt;br /&gt;&lt;br /&gt;I'm not accepting "protecting the investigation" or "protecting the customers", you and I know the culprits are long gone and/or hiding behind networks and servers hosted in far away lands.&lt;br /&gt;&lt;br /&gt;I don't expect to be answered though ... 
but at least I got to rant ;-)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-8326579159624068422?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/8326579159624068422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=8326579159624068422' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8326579159624068422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8326579159624068422'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/belgian-bank-accounts-compromised.html' title='Belgian bank accounts compromised'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-1889899797432784558</id><published>2008-12-10T15:53:00.000-08:00</published><updated>2008-12-10T16:03:18.900-08:00</updated><title type='text'>All the praying in the world won't save you.</title><content type='html'>&lt;span style="font-family: arial;"&gt;While watching the news on our local news station tonight, I saw an item on a Belgian&lt;br /&gt;priest that had his Outlook (looked like 2000 to me) crash on him. 
The result of this event was&lt;br /&gt;the loss of all weddings, baptisms and other church events for the coming weeks and months.&lt;br /&gt;I'm pretty convinced that most parish members won't move to another parish because of this&lt;br /&gt;event, but if this were the hard-working plumber (my brother is one and no his name is not Joe) or carpenter, this would have hit hard.&lt;br /&gt;&lt;br /&gt;Imagine that you have planned your wedding on January 22nd, it is now just another free date. Someone else might book the spot and knowing how bridezillas can behave (let alone groomillas) it ain't gonna be a pretty sight.  It might even cost a dime (or two). &lt;br /&gt;&lt;br /&gt;God might be everywhere, but he isn't on your hard drive, saving your bytes.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-1889899797432784558?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/1889899797432784558/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=1889899797432784558' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/1889899797432784558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/1889899797432784558'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/all-praying-in-world-wont-save-you.html' title='All the praying in the world won&apos;t save you.'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-3178405045738305546</id><published>2008-12-10T15:38:00.001-08:00</published><updated>2008-12-10T15:53:13.349-08:00</updated><title type='text'>IM spam is not dead yet</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_jSNQUBsBtUE/SUBTHkdh57I/AAAAAAAAAeM/E8gknu_X5eo/s1600-h/MSNspam.JPG"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 123px;" src="http://2.bp.blogspot.com/_jSNQUBsBtUE/SUBTHkdh57I/AAAAAAAAAeM/E8gknu_X5eo/s200/MSNspam.JPG" alt="" id="BLOGGER_PHOTO_ID_5278310152789944242" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;It doesn't happen very often. For me about once a month and mostly from the same people :( I guess some just never learn.  Today's domain was just.realcoolss.com, a name that resolved to 208.116.34.163, which is an IP address in the block 208.116.0.0/18 owned by FortressITX in New Jersey and the domain name is owned by Jeff Fisher of TST Management Inc in ... Panama.&lt;br /&gt;Based on my originating IP address I'm redirected to a Dutch webpage for a subscription service.&lt;br /&gt;No malware involved at first sight.&lt;br /&gt;&lt;br /&gt;Spam is international, spam is global and apparently, spam is still ota lucrative. 
I guess we should consider spam a cloud service.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-3178405045738305546?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/3178405045738305546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=3178405045738305546' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3178405045738305546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3178405045738305546'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/im-spam-is-not-dead-yet.html' title='IM spam is not dead yet'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_jSNQUBsBtUE/SUBTHkdh57I/AAAAAAAAAeM/E8gknu_X5eo/s72-c/MSNspam.JPG' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-2633580556356371893</id><published>2008-12-03T04:13:00.000-08:00</published><updated>2008-12-03T04:21:09.389-08:00</updated><title type='text'>When I read blogs I don't want to be annoyed ...</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_jSNQUBsBtUE/STZ4Y2tXb1I/AAAAAAAAAc8/ygrjN5JdgZs/s1600-h/noscript.JPG"&gt;&lt;img style="margin: 0pt 10px 
10px 0pt; float: left; cursor: pointer; width: 168px; height: 320px;" src="http://3.bp.blogspot.com/_jSNQUBsBtUE/STZ4Y2tXb1I/AAAAAAAAAc8/ygrjN5JdgZs/s320/noscript.JPG" alt="" id="BLOGGER_PHOTO_ID_5275536381909102418" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;with so many dependencies !&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;If you are a blogger and force me (as a reader) to&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;allow (or temporary allow, or forbid) some or all of these sites to make&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;visiting your site at least enjoyable, you're wrong.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;I love my Noscript, some might argue that it's Noscript that&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;makes my life difficult. I beg to differ.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;I love lean blogs, if you expect people to read your blog, try to keep it lean as well.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;kthxbai&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;PS : if you recognize your blog, go do your job :-)&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-2633580556356371893?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/2633580556356371893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=2633580556356371893' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2633580556356371893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2633580556356371893'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/when-i-read-blogs-i-dont-want-to-be.html' title='When I read blogs I don&apos;t want to be annoyed ...'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_jSNQUBsBtUE/STZ4Y2tXb1I/AAAAAAAAAc8/ygrjN5JdgZs/s72-c/noscript.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-2052271032524235447</id><published>2008-12-01T06:03:00.000-08:00</published><updated>2008-12-01T13:48:50.287-08:00</updated><title type='text'>all your twitter are belong to us</title><content type='html'>&lt;span style="font-family:arial;"&gt;This is a follow up to my post of earlier today, where I noticed that authentication on twitter.com worked no matter what the password saved in FF3 was. I delved a little deeper and came to this&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;conclusion:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;A proprietary cookie named auth_token is sent with any GET to twitter.com (both http and https).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;This cookie contains a hashed value that never changes, not over time, not when you change your password and not when you change machines. Your auth_token will always be the same. 
I first&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;checked in IE and FF3 on my Windows XP laptop, then I verified on my Macbook. It's all the same.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;As a test, I created an auth_token cookie (using the Add n Edit FF3 plugin) on a fresh Ubuntu Linux clone and lo and behold, I was not requested to login, it took me directly to my personal Twitter homepage. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;As twitter gains more and more traction in the enterprise, I can only imagine the possibilities ... &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Using the https twitter site would be good to mitigate this problem but your company might still use a transparent https proxy, exposing your twitter credential. Twhirl (a twitter client) uses the https variant by default. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;What twitter could do is obvious, make the auth_token an expiring cookie (preferably at end of session) and make it unique, by salting it. When somebody much smarter than me finds on which parameters the auth_token is based, twitter is gone.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-family:Arial;"&gt;Update !!&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Thanks to &lt;a href="https://www.twitter.com/DidierStevens"&gt;@DidierStevens&lt;/a&gt; : the auth_token cookie is not created when you do not select the Remember me option.  
&lt;a href="https://www.twitter.com/security4all"&gt;@Security4All&lt;/a&gt; also has some interesting tips in the comments.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial; font-weight: bold;"&gt;Update 2&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;DidierStevens (in the comments) did some follow-up research and if it is a hash (which it seems to be, based on the length either SHA-1 or RIPEMD-160) it is not based on username, name, id or e-mail address. Changing either of these parameters doesn't change the value of the cookie (or invalidate it). Didier, thanks for following up. I will look into this further soon as I am still waiting for feedback from Twitter after reporting this. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-2052271032524235447?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/2052271032524235447/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=2052271032524235447' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2052271032524235447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2052271032524235447'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/all-your-twitter-are-belong-to-us.html' title='all your twitter are belong to us'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-8863746559959665949</id><published>2008-12-01T00:54:00.000-08:00</published><updated>2008-12-01T01:09:20.897-08:00</updated><title type='text'>Is firefox+twitter+https messing with me ?</title><content type='html'>&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;first thing in the morning? Coffee, then check on twitter, that is if I can. So I start FF3 and browse to &lt;a href="https://www.twitter.com/"&gt;https://www.twitter.com/&lt;/a&gt;. Https, because that is how I roll. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Now, for one reason or the other I decide to click on the little lock on the bottom right and check out security on the website and this is what it says to me :&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_jSNQUBsBtUE/STOnJ4oAMXI/AAAAAAAAAcM/7Kp28WjfaZ4/s1600-h/pagesecinfo.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5274743376841814386" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 320px; CURSOR: hand; HEIGHT: 266px" alt="" src="http://1.bp.blogspot.com/_jSNQUBsBtUE/STOnJ4oAMXI/AAAAAAAAAcM/7Kp28WjfaZ4/s320/pagesecinfo.JPG" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Apparently I've visited this website 64 times today. 
I'm sorry, but I'm not THAT addicted :)&lt;/p&gt;&lt;a href="http://4.bp.blogspot.com/_jSNQUBsBtUE/STOnqgkcRXI/AAAAAAAAAcU/73K94PPQ9Iw/s1600-h/savedpw.bmp"&gt;&lt;img id="BLOGGER_PHOTO_ID_5274743937320109426" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 247px; CURSOR: hand; HEIGHT: 320px" alt="" src="http://4.bp.blogspot.com/_jSNQUBsBtUE/STOnqgkcRXI/AAAAAAAAAcU/73K94PPQ9Iw/s320/savedpw.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Moreover, it says I have no passwords saved yet it logged me in automagically, so let's click through on the View Saved Passwords button. I would expect it to be grayed out since there are no passwords saved. Damn, it even has the correct username, how would it otherwise be able to log me in? Indeed. So I click the Show passwords button and it reveals my password. Sorry, let me rephrase that, Firefox reveals A password but not my current password.&lt;/p&gt;&lt;p&gt;WTF ?&lt;/p&gt;&lt;p&gt;I tried this again and again, same behaviour. How can it log me in with a wrong password? At this moment it looks like the culprit is the auth token, which is a cookie saved and set to expire 20 years from now. &lt;/p&gt;&lt;p&gt;I'll have to get back to this since duty calls but FF3+Twitter right now doesn't feel like the right combination. 
If anybody can and/or wants to shine a light on this behaviour, I'm open to suggestions.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-8863746559959665949?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/8863746559959665949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=8863746559959665949' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8863746559959665949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8863746559959665949'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/12/is-firefoxtwitterhttps-messing-with-me.html' title='Is firefox+twitter+https messing with me ?'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_jSNQUBsBtUE/STOnJ4oAMXI/AAAAAAAAAcM/7Kp28WjfaZ4/s72-c/pagesecinfo.JPG' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-7793597754268534842</id><published>2008-11-18T14:33:00.000-08:00</published><updated>2008-11-18T14:58:59.139-08:00</updated><title type='text'>Ten not-so-good practices for avoiding data loss during layoffs</title><content type='html'>&lt;span style="font-family:arial;"&gt;Richard Stiennon &lt;a 
href="http://www.networkworld.com/community/node/35375"&gt;blogged&lt;/a&gt; about 'best' practices for data protection during these difficult economic times.  I can see where they come from and I can comprehend the business logic behind them, but I do have a problem with most of the suggested 'best' practices ... lemme explain&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;1. Restate and re-publish your organization policy on confidential information. Require everyone in the company to sign it.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;If you have a policy and it is not signed off on, you're a dork.  Assume you have some disgruntled employees, after requiring everybody to sign off on the policy you will have a shitload of disgruntled employees. These people will know what you are up to. People are not stupid cows, you're just covering your bases. How are you gonna pick up the pieces when recovery starts ? You're throwing all your HR management principles out of the window.  Good luck&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;4.    Identify and restrict access to key data such as employee records, resumes, customer lists, and financial statements.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Well yeah ... if it's touch and go, this is a project worth spending your valuable money on. For one it's gonna f* up your business processes if handled in haste and you'll spend money that you could better use in places where it actually benefits the business at this moment.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;5. Log, monitor and audit employee online actions&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I'm not even going into privacy issues here, but logging and monitoring would assume you have a baseline to compare anomalies against.  
Again, starting 'now' because times are precarious is too late and it's also wasting precious resources which (when laying off people) are only gonna get scarcer.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;7. Use extra caution with system admins and privileged users.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you have over-privileged users, and that's what you're talking about here, you haven't been really on-par with your security efforts.  Extra caution is not gonna help you much, it is also not a very measurable security control.&lt;br /&gt;&lt;br /&gt;All in all, I'm mostly appalled by the disrespect these 'best' practices show for the people that worked their ass off for you in the past years. Yes, the people that pulled all nighters for meeting deadlines and those people that in your (the average manager's) eyes represent costs (-$$).&lt;br /&gt;If this is the time to justify security controls, you're one bad-ass CISO, CSO or whatever title you carry.&lt;br /&gt;&lt;br /&gt;I'm not saying security controls (including those in the above-mentioned article) are not worth it, but NOW ? 
I'm sorry, it's too little, too late.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-7793597754268534842?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/7793597754268534842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=7793597754268534842' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/7793597754268534842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/7793597754268534842'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/11/ten-not-so-good-practices-for-avoiding.html' title='Ten not-so-good practices for avoiding data loss during layoffs'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-5261094641164849081</id><published>2008-11-14T04:25:00.000-08:00</published><updated>2008-11-14T04:37:14.824-08:00</updated><title type='text'>Belgian wardriver not punished</title><content type='html'>&lt;span style="font-family:arial;"&gt;When earlier this year a wardriver was arrested for using an unprotected network, everybody thought a precedent would be set. 
About 6 months later (yes, the Belgian justice system is fast like that), he was convicted but he does not have to serve time (about 1 year).  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;How did he get caught ? A passer-by found it suspicious that someone was using his laptop from a car and called the cops.  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;The whole case leaves me with some questions :&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;How did the cops make sure he wasn't using a 3G card for internet connectivity ?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;How did they confiscate and forensically investigate his laptop to prove that he had been using that specific network? Did they actually do that ?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;How did they forensically investigate the router/WAP to prove that he had been connected to that specific network? Did they actually do that ?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;If not, I don't think they can have a legal case. If the case wasn't built with forensic evidence and just on testimony by 'the neighbour', the network owner (residential network) and/or the wardriver, I do get a little concerned.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Unfortunately I don't have access to legal cases ... 
I would love to go through those details ...&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-5261094641164849081?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/5261094641164849081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=5261094641164849081' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/5261094641164849081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/5261094641164849081'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/11/belgian-wardriver-not-punished.html' title='Belgian wardriver not punished'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-1071060608282770788</id><published>2008-11-10T13:17:00.000-08:00</published><updated>2008-11-10T13:41:34.557-08:00</updated><title type='text'>Selling Vodka or selling security solutions ... an analogy.</title><content type='html'>&lt;span style="font-family:arial;"&gt;As I was waiting in line @ the nightshop I was pondering and it hit me hard.  In front of me was a man, drunk as a skunk, completely wasted.  He needed 10 minutes to collect his change from the counter after buying a bottle of Vodka.  This was one of those moments ... 
Why did this shop clerk sell 75cl of Vodka to a person that was clearly completely unaware of himself ? I know there are laws here in Belgium that should prevent this from happening but Belgian law is a little like a corporate security policy, there's a vast amount of paper covering Belgian law, but there's not a lot of it that's actually enforced.&lt;br /&gt;&lt;br /&gt;The analogy is clear. As a reseller or an integrator, we try to deliver quality service to our customer. That's our added value, it's basically who we are, what makes us different from the shop next door. Or does it ?&lt;br /&gt;&lt;br /&gt;I feel, more often than not, that the quality that sets us apart is sacrificed for the sell.  While we realize that a certain product (within our portfolio) is not as good a match as another product we don't master, and it may fit the requirements today but maybe not 1,5 years from now, it will get sold. And the customer will have to live with the consequences. This doesn't hurt the relationship because the project definition doesn't mention those future requirements and 1,5 years from now ... Mr X will probably not think about that past project, so everything is a-ok.&lt;br /&gt;&lt;br /&gt;To me it isn't. While we tout that "IT should align with the bizniz" and "We, as integrator Y, think of YOUR business first", we don't very often put our money where our mouth is. The sell counts, it adds to today's bottom line of OUR business, the fact that the customer will have to overhaul that specific part of his infrastructure/solution in 24 months or something, buying new gadgets, training his people, aligning the new stuff once again with his business (or worse, aligning his business with his new stuff) ... might be the least of our worries.&lt;br /&gt;&lt;br /&gt;Are ethics important to you while doing business? Especially security business ? 
What are your thoughts ?&lt;br /&gt;&lt;br /&gt;My thoughts : ethics in doing security business is #1 , making money is one thing, making money and jeopardizing businesses is something completely different.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-1071060608282770788?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/1071060608282770788/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=1071060608282770788' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/1071060608282770788'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/1071060608282770788'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/11/as-i-was-waiting-in-line-nightshop-i.html' title='Selling Vodka or selling security solutions ... an analogy.'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-3059641099960567601</id><published>2008-11-07T16:09:00.000-08:00</published><updated>2008-11-07T16:11:14.798-08:00</updated><title type='text'>countering spam with a vengeance.</title><content type='html'>&lt;span style="font-family: arial;"&gt;You know them, heartwarming stories that try to tear you up about kids, sick people, adoptions gone awry ... whatever. 
It never seems to stop, until I received this one.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;In 1986, Peter Davies was on holiday in Kenya after graduating from Northwestern University . &lt;br /&gt;&lt;br /&gt;On a hike through the bush, he came across a young bull elephant standing with one leg raised in the air. The elephant seemed distressed, so Peter approached it very carefully.&lt;br /&gt;&lt;br /&gt;He got down on one knee, inspected the elephant's foot, and found a large piece of wood deeply embedded in it. As carefully and as gently as he could, Peter worked the wood out with his knife, after which the elephant gingerly put down its foot. The elephant turned to face the man, and with a rather curious look on its face, stared at him for several tense moments. Peter stood frozen, thinking of nothing else but being trampled. Eventually the elephant trumpeted loudly, turned, and walked away. Peter never forgot that elephant or the events of that day.&lt;br /&gt;&lt;br /&gt;Twenty years later, Peter was walking through the Chicago Zoo with his teenaged son. As they approached the elephant enclosure, one of the creatures turned and walked over to near where Peter and his son Cameron were standing. The large bull elephant stared at Peter, lifted its front foot off the ground, then put it down. The elephant did that several times then trumpeted loudly, all the while staring at the man.&lt;br /&gt;&lt;br /&gt;Remembering the encounter in 1986, Peter could not help wondering if this was the same elephant. Peter summoned up his courage, climbed over the railing, and made his way into the enclosure. He walked right up to the elephant and stared back in wonder. The elephant trumpeted again, wrapped its trunk around one of Peter's legs and slammed him against the railing, killing him instantly.&lt;br /&gt;&lt;span style="color: red;"&gt;&lt;br /&gt;&lt;strong&gt;Probably wasn't the same fucking elephant. 
&lt;/strong&gt;&lt;strong&gt;This is for everyone who sends me those heart-warming bullshit stories.&lt;/strong&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-3059641099960567601?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/3059641099960567601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=3059641099960567601' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3059641099960567601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3059641099960567601'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/11/countering-spam-with-vengeance.html' title='countering spam with a vengeance.'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-2456385608743395258</id><published>2008-11-05T14:02:00.000-08:00</published><updated>2008-11-05T15:10:41.670-08:00</updated><title type='text'>can we escape from password hell ?</title><content type='html'>&lt;span style="font-family: arial;"&gt;You know the drill, ever so often (30 days ? 45 days ? 3 months ?) you are required to change your password in each and every business application. Sometimes you're lucky and some applications share a common directory, good for you but most often this is not the case.  
If this drill is accompanied by a requirement for complex Pa$$w0rd5 , sticky notes are your saviour whether your CISO likes it or not.  And we're back to square one, welcome to password hell.&lt;br /&gt;&lt;br /&gt;In comes the holy grail : (enterprise) SSO. Finally there's an application that takes over the management of all your passwords, leaving you with one (preferably complex) password to log on to your computer and no headaches afterwards.  But is this really true ? What are the caveats ? What should you look for in an eSSO solution and what are the problems you might face during rollout ?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What is eSSO ?&lt;br /&gt;&lt;/span&gt;Enterprise Single Sign-On solutions allow you to reduce the # of times your users have to provide a username and password to an application (any application ?). Most of the solutions work through technology that 'recognizes' logon screens which is matched to a specific userid+password combination in a password safe.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Who are the competitors &lt;/span&gt;(I only list the top 4 in the &lt;a href="http://mediaproducts.gartner.com/reprints/ca/160413.html"&gt;Gartner magic quadrant&lt;/a&gt;)&lt;br /&gt;&lt;/span&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;Imprivata&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;Citrix &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;Passlogix&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;Evidian&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-family: arial;"&gt;* disclaimer : I do not comment on the specific vendors' solutions.  
It is up to the reader to&lt;br /&gt;select the solution that best fits his/her needs.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: arial;"&gt;&lt;span style="font-weight: bold;"&gt;What does it offer ?&lt;/span&gt;&lt;br /&gt;a) your users don't have to worry about changing several passwords anymore. They keep one single password that allows them access to their workstation, then the eSSO software takes over. Simple, easy peasy (or maybe not). &lt;br /&gt;b) Obviously this will reduce the time your helpdesk people spend on password resets, how much that is greatly depends on your organisation. Quantifying this cost is often difficult.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;And now ?&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/span&gt;We don't really care about users, do we ? Why would we want a solution that makes their life easier? Well there's a number of reasons. &lt;br /&gt;&lt;br /&gt;A. You might be driven by compliance regulations. While your applications might not support detailed user access logging, your eSSO solution can do that for you, uniformly over all your applications.&lt;br /&gt;B. Your users' drawers (desks !!) look like craigslist.com for passwords.  Passwords are traded, especially during holiday seasons, when specific responsibilities are informally delegated. Some solutions allow formal delegation among users without disclosing the password. This is a powerful tool and worth considering. &lt;span style="font-weight: bold;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;C. You have decided to implement an Identity and/or Access Management solution, while eSSO certainly isn't IAM, it may prove an important part of the puzzle.  A properly deployed eSSO solution will get you buy-in from the workfloor and allow you to embark on the long and hard journey that your IAM roll-out will be. &lt;br /&gt;D. 
You actually care about your users, productivity and the protection of your information resources.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Ok, so tell me now, where is the bad stuff you refuse to tell me ?&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;Different vendors, different solutions.  Almost all of them will offer you a replacement for the Microsoft GINA (msgina.dll), which means they come and mess in the basic login process of your Windows environment.  Call it a corporate-wide Man in the Middle attack if you will, it is what it is. Take a good look at this GINA during PoC, because some might not have all functionality implemented (I've seen GINA replacements that didn't include a password expiration/rotation function !!!). Additionally, take a careful look at what your needs are. If you take this project on, define your goals and don't submit to scope creep (your worst enemy), nifty features might be tempting, but featurism can get you (and your project) killed. It's better to work in short cycles, adding functionality in every cycle than ending up in a high-speed vortex that leaves you and your users with a broken solution.&lt;br /&gt;&lt;br /&gt;Appliances, appliances, they look shiny and tempting. Yet, that box represents a single point of failure.  Yes you can have 2 boxes and make them redundant, how redundant depends on the solution, do they support Active/Active failover ?  Some of the solutions work with middleware installed on a server while all properties are stored in the LDAP directory of your choice. Cool, your corporate directory is already redundant and there's no black box to be worried about. Transparency FTW !!! Consider it.  &lt;br /&gt;&lt;br /&gt;Make an application inventory and start off with a PoC for your most critical applications. Most vendors will tout to support any application. They don't.&lt;br /&gt;Java applications are the most work-intensive.  
There's some very special magic to be performed to make them work with SSO. Sometimes simply installing the SSO client can already break all your Java-based apps (don't get me started over Oracle Forms, Oracle Frommels for the Dutch speaking).&lt;br /&gt;&lt;br /&gt;To conclude this installment, there's the possibility of adding 2-factor authentication (2FA) to the solution.  Yes, I'm talking the "something you have/know/are" combination, but not in the RSA, Vasco, (add OTP vendor here), sense of the word. Most of the companies I know use RFID badges for Access Control, it is fairly easy to also use them in any eSSO solution so users need their card and their password (or a pincode) to logon.  I know RFID is broken beyond repair, I know it has been haXored, don't worry ... I'm aware.&lt;br /&gt;Make sure you only use them for identification and let the authentication of the user depend on either the "something you know" (password/pin) or "something you are" (biometry) factor.&lt;br /&gt; &lt;br /&gt;I will elaborate on the possibilities of 2FA in eSSO solutions later this week, talking about smart cards, active and passive RFID, eID and PKI.  For now, I hope you enjoyed the read. 
Stay safe !&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-2456385608743395258?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/2456385608743395258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=2456385608743395258' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2456385608743395258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/2456385608743395258'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/11/can-we-escape-from-password-hell.html' title='can we escape from password hell ?'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-1965475961832822375</id><published>2008-11-02T14:01:00.000-08:00</published><updated>2008-11-02T14:14:48.449-08:00</updated><title type='text'>The French crack down on illegal downloads</title><content type='html'>&lt;span style="font-family:arial;"&gt;On Friday, the EUObserver came with an interesting article on a new French law (http://euobserver.com/9/27026) that will introduce a cut-off from internet access for people that are caught 3 times illegally downloading copyrighted content.&lt;br /&gt;&lt;br /&gt;To me, it's mind-boggling how the recording industry lobby has been able to push the French in accepting such a law. 
There was an amendment requesting to replace the cut-off by a fine but that was not accepted because "&lt;/span&gt;The principle of a financial penalty changes the philosophy [of the bill], from instructive to repressive". &lt;span style="font-family:arial;"&gt;And that in times where e-government is becoming more and more of a reality. Would we really allow a citizen or a family to be cut off from the intertubez for a year (yes, 365 jours !!) ? Is making them pay XXX euros less repressive ? &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;That's what you get when your prez marries a recording artist (* I'll leave the interpretation of the word artist to the readers discretion).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-1965475961832822375?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/1965475961832822375/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=1965475961832822375' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/1965475961832822375'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/1965475961832822375'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/11/on-friday-euobserver-came-with.html' title='The French crack down on illegal downloads'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-8113329595331089570</id><published>2008-10-31T02:37:00.000-07:00</published><updated>2008-10-31T02:50:53.727-07:00</updated><title type='text'>does Twitter suck ?</title><content type='html'>&lt;span style="font-family: arial;"&gt;Social media is what it is, you either love it or you hate it.  Mark Horstman from &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.blogger.com/www.managertools.com"&gt;Manager tools&lt;/a&gt; ranted on Twitter in his most recent audio blog "Twitter, I hate it". I love the Manager Tools podcast (I am a regular listener) and I obviously am nowhere near a C-suite position (nor do I aspire to be), it provides me with some interesting tidbits I can use in my daily busi-business. If for nothing else but to understand my bosses better :-). On this I have to disagree however. Twitter in and of itself is not the problem Mark, it is how you use it. If used wisely, it is a tool that a C-suite can use to be closer to the workfloor and/or the customer. The EULA of Twitter doesn't say you have to be constantly connected nor do your 'friends' have to expect you are. &lt;a style="font-family: arial;" href="http://www.blogger.com/search.twitter.com"&gt;twitter search&lt;/a&gt;&lt;span style="font-family: arial;"&gt; provides you a tool that you can use to find users' comments on your company, brand, product name. You can just review private messages once in a while. For instance, Guy Kawasaki uses it, do you think he reads all messages from his 20k+ followers ? I don't think so. Lance Armstrong is on Twitter, he has 2k+ followers and is following 2 profiles himself. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;let's say it like this, Twitter is the nail, you choose how you hold the hammer.   
&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-8113329595331089570?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/8113329595331089570/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=8113329595331089570' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8113329595331089570'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/8113329595331089570'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/10/does-twitter-suck.html' title='does Twitter suck ?'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7069852322886703926.post-3240105178729566058</id><published>2008-10-28T03:12:00.000-07:00</published><updated>2008-10-28T03:17:10.768-07:00</updated><title type='text'>A new beginning</title><content type='html'>&lt;span style="font-family:arial;"&gt;I've been blogging for a while now, back at &lt;a href=http://www.remes-it.be&gt;www.remes-it.be&lt;/a&gt;. 
While it's fun to own and maintain my own site, it's also quite labor-intensive and it uses time that I'd rather spend on other things.&lt;br /&gt;&lt;br /&gt;From here on out, I'll use this blogspace for my weekly musings on information security, what keeps me buzzing and life in general.&lt;br /&gt;&lt;br /&gt;Be Secure,&lt;br /&gt;&lt;br /&gt;Wim&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7069852322886703926-3240105178729566058?l=domdingelom.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://domdingelom.blogspot.com/feeds/3240105178729566058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7069852322886703926&amp;postID=3240105178729566058' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3240105178729566058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7069852322886703926/posts/default/3240105178729566058'/><link rel='alternate' type='text/html' href='http://domdingelom.blogspot.com/2008/10/new-beginning.html' title='A new beginning'/><author><name>Wim Remes</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-XA-KgwdKQcE/AAAAAAAAAAI/AAAAAAAAAo0/Yl_qRJIeocs/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry></feed>
