<p>The WiKID Blog | WiKID Systems (http://www.wikidsystems.com/blog/, last updated 2012-08-14T20:45:00+00:00). The WiKID Blog: musings on two-factor authentication, information security and some other stuff.</p>
<p><strong>WiKID support for Cloudstack</strong> (2012-08-14, admin, http://www.wikidsystems.com/blog/author/admin/; http://www.wikidsystems.com/blog/wikid-support-for-cloudstack/)</p>
<p>We're pleased to announce the release of a prototype authentication plugin for Cloudstack that will add WiKID two-factor authentication to the administrator login. The jar is available for download at our Sourceforge site. The license is GPL. We have very brief installation instructions as well.</p>
<p>There's been a lot of commotion recently about consumers needing to add <a href="http://www.mattcutts.com/blog/google-two-step-authentication/">two-factor authentication to their cloud-based services</a> due to the <a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/">Mat Honan hack</a>. This is certainly true and a case we've been making at WiKID for a long time. If you believe it is true and you run a cloud service, you should really be looking at adding two-factor authentication to your cloud management interface. If you want to see us add two-factor authentication to some other cloud management software, <a href="http://twitter.com/wikidsystems">let us know!</a></p>
<p><strong>Where to keep the keys?</strong> (2012-03-29, admin; http://www.wikidsystems.com/blog/where-to-keep-the-keys/)</p>
<p><a href="https://twitter.com/#!/lmacvittie">Lori MacVittie</a> has a great post over at DevCentral at F5 about the current state of <a href="https://devcentral.f5.com/weblogs/macvittie/archive/2012/03/28/identity-gone-wild-cloud-edition.aspx">Identity for Cloud</a>. It is well worth a read.</p>
<p>I agree completely with Lori's post, especially this quote:</p>
<blockquote>
<div class="pullquote">From a technical perspective what’s necessary is a better method of integration that puts IT back in control of identity and, ultimately, access to corporate resources wherever they may be.</div>
</blockquote>
<p>It is the "wherever they may be" part, in relation to your authentication server, that I have been pondering. Lori suggests using identity bridging to connect SaaS services to corporate identity management services. This is essentially the setup when you add WiKID <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-wikid-strong-authentication-to-google-apps-for-your-domain" title="How to add WiKID Strong Authentication to Google Apps for your Domain">two-factor authentication to Google Apps for your Domain</a>: the user logs into a corporate identity server (the WiKID server) and the WiKID server vouches for the user via Google's SAML interface. (We do not perform SSO functions, though.)</p>
<p>So let's say you are a corporation moving "entirely to cloud services". In this instance, let's say Google Apps is the only SaaS service you need for now. You're worried that all your corporate data is out there on the Googles. You've decided that Google is better at managing uptime and security, but the lack of control is irksome. (Kind of like the move from IPSec to SSL-VPNs.)</p>
<p>So, you have decided to add two-factor authentication to your SaaS services. Where do you put your authentication server? In the cloud? At home? I think the biggest determinant is what resources you have at home. In particular, do you have any resources that rely on RADIUS for authentication, such as a VPN? Unlike a SAML exchange, which is carried over HTTPS, RADIUS has no transport encryption: only the User-Password attribute is obscured, with an MD5 keystream derived from the shared secret, and everything else, including the username, crosses the network in the clear over UDP. Of course, you can tunnel it, but that increases the complexity of the setup. If you are running your authentication through Active Directory using <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps" title="How to add two-factor authentication to NPS">Microsoft's RADIUS server, NPS</a>, do you want that traffic coming in from the Internet?</p>
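<p>To make the RADIUS point concrete, here is an added example (not WiKID code) that builds an Access-Request the way RFC 2865 specifies and then reads it back as someone sniffing the link would. The User-Name is plain, and the User-Password is only XORed with an MD5 keystream keyed by the shared secret and the request authenticator, so anyone who knows or guesses that secret recovers the one-time passcode or static password. The secret, username and password values are constructed for the demo.</p>

```python
"""Added example (not WiKID code): what a RADIUS Access-Request exposes on the wire.

RFC 2865 section 5.2 hides only the User-Password attribute, by XORing it with
an MD5 keystream derived from the shared secret and the 16-byte Request
Authenticator.  Every other attribute, including User-Name, is sent in the
clear over UDP.  The secret, user and password below are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password transform: pad to 16-byte blocks, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    width = ((len(password) + 15) // 16) * 16 or 16
    padded = password.ljust(width, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                       # chaining uses the ciphertext block
    return bytes(out)


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret it returns garbage."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Serialize a minimal Access-Request: header, authenticator, two attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    hidden = hide_password(secret, authenticator, password)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i + 1 < len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2:                   # malformed; stop rather than loop
            break
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return attrs


def sniff_credentials(packet: bytes, guessed_secret: bytes) -> tuple:
    """What a passive observer recovers from one captured Access-Request."""
    authenticator = packet[4:20]               # sent in the clear
    attrs = parse_attributes(packet)
    username = attrs[ATTR_USER_NAME].decode()  # never hidden at all
    password = unhide_password(guessed_secret, authenticator, attrs[ATTR_USER_PASSWORD])
    return username, password


if __name__ == "__main__":
    SECRET = b"s3cret"                                       # constructed shared secret
    pkt = build_access_request(SECRET, b"alice", b"483920")  # OTP sent as the password
    print("username on the wire:", parse_attributes(pkt)[ATTR_USER_NAME])
    print("right secret ->", sniff_credentials(pkt, SECRET))
    print("wrong secret ->", sniff_credentials(pkt, b"guess"))
```

<p>Run it and compare the two recoveries: the right secret yields the password, a wrong one yields noise. The MD5 construction is a keystream, not a MAC, so nothing stops an attacker from testing candidate secrets offline against a single captured packet, and a weak shared secret gives up every password that crosses the link. That is why RADIUS traffic belongs on a private network or inside a tunnel, as the paragraph above suggests.</p>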
<p>So, for me, I would tend to keep the keys to the kingdom at home. What about you?</p>
<p><strong>ViTM - The Vendor in the Middle</strong> (2011-06-01, admin; http://www.wikidsystems.com/blog/vitm-the-vendor-in-the-middle/)</p>
<p>Enterprise security architects are traditionally very wary of systems that rely on third parties for access, uptime or security. Ironically, many of these same architects deployed RSA SecurID systems without considering (or heavily discounting) the fact that RSA kept copies of the token seeds for licensing purposes.</p>
<p>My intention here is not to pile on RSA, but rather to clarify the root cause, because as organizations evaluate alternatives to SecurID they are often making the same mistake: relying on a security vendor's infrastructure, or worse, using a system like SMS, where the provider is not even a security vendor! That's not to say that no organization would be better off using a service, only that they should be aware of the risks, just as some organizations will be better off "in the cloud" while some will not.</p>
<p>I dislike all the confusion around two-factor authentication. Security people seem to ignore the difference between shared secrets and asymmetric encryption, between services and software, and so on. I don't know why two-factor authentication is such an emotional issue. Pundits like to say things like "<a class="external-link" href="http://www.schneier.com/blog/archives/2005/03/the_failure_of.html">too little, too late</a>" about it. Excessive negativity does nothing to increase security.</p>
<p>There are two big trends occurring now: increased adoption of two-factor authentication driven by cloud-based services and compliance requirements such as PCI, and a re-evaluation of the price/benefit of expensive hardware tokens (which started well before the RSA attack). It is my hope that organizations will make intelligent decisions about the products they choose based on their risk profile and capabilities. My concern is that we are not thinking clearly about the matter.</p>
<p><strong>WiKID Strong Authentication Community Edition on the Amazon Cloud</strong> (2011-05-31, admin; http://www.wikidsystems.com/blog/wikid-strong-authentication-community-edition-on-the-amazon-cloud/)</p>
<p>We have created a public AMI version of the WiKID Strong Authentication System for Amazon's EC2 cloud offering. While it is quite simple to install WiKID on a Red Hat or Ubuntu Linux AMI, we hope that this will make it even easier for people to learn about two-factor authentication.</p>
<p>In particular, we hope that developers working on cloud-based systems will take a look at our wAuth API and the <a class="internal-link" href="http://www.wikidsystems.com/downloads/api-network-client-packages/" title="API & Network Client Packages">code packages we have available for it</a> (Python, Java, PHP, Ruby, C#) and will add two-factor authentication to cloud-based services. </p>
<p>We've considered putting an Enterprise Version (see <a class="internal-link" href="http://www.wikidsystems.com/community-edition/" title="What's the difference between the Community release and Enterprise release?">the differences here</a>) up there too, but apparently we would have to accept payment through DevPay and we haven't figured that out yet. If there is interest, we will.</p>
<p>To get the AMI, just search for WiKID in the AMI console!</p>
<p><strong>An Analysis of the Inevitable Analyses of the Gawker Password Breach</strong> (2010-12-13, admin; http://www.wikidsystems.com/blog/an-analysis-of-the-inevitable-analyses-of-the-gawker-password-breach/)</p>
<p>Here we go again. Another attack results in a password file being posted on the Internet. Cue the analysis of the password file. State how users always choose the simplest passwords and cannot be trusted with their own security choices. Of course, this is a great time for WiKID to note that two-factor authentication solves this problem.</p>
<p>However, this is not the case. The users that chose 'password' or 'gawker' or whatever are the winners. If your Gawker password is '6asd980*&)-0sdf-09=9=2354' plus some ASCII characters that you have to cut and paste each time, you are the loser. If you log into Gawker using a 12-digit alphanumeric password generated by a pseudo-random password generator, you are just as owned as the person who uses 'letmein', at least once the site's own password store is exposed: a strong password only protects you if the site hashed it properly.</p>
<p>And while two-factor authentication would solve this problem, even WiKID's multi-domain capability would get awkward across all the sites that need account information but don't really require a great deal of security. The real concern is that users reuse the same credentials across multiple sites, and that some of those sites are more critical than others. It's less of a concern now that most critical sites (e.g. banking & finance) have password policies. What happened in this case is that users' <a class="external-link" href="http://www.bbc.co.uk/news/technology-11981816">Twitter accounts were compromised to send spam</a>. Now those users face the hassle of reclaiming their Twitter accounts.</p>
<p>What we need is more support for OAuth, SAML and other services to minimize the need for static passwords for low-security sites. That brings up two points: 1. Do I want Google or Facebook tracking my logins across the Internet? and 2. If I have all these keys to the kingdom in one place, shouldn't I have two-factor authentication for that?</p>
<p>Of course, this situation shows that a certain number of users had already created a Twitter/Gawker connection.</p>
<p><strong>HTML5 software token tutorial & some comments</strong> (2010-11-22, admin; http://www.wikidsystems.com/blog/html5-software-token-tutorial-some-comments/)</p>
<p>We've published a short tutorial on how to install the <a class="internal-link" href="http://www.wikidsystems.com/downloads/" title="HTML5 Token - Registration Page">WiKID HTML5 software token</a> over on <a class="external-link" href="http://www.howtoforge.com/installing-the-wikid-html5-token-client">Howtoforge!</a></p>
<p>It's worth noting how simple the setup is for the HTML5 software token. Our mission at WiKID is to make two-factor authentication brain-dead simple, <a class="internal-link" href="http://www.wikidsystems.com/learn-more/features-benefits/extensible-strong-authentication/" title="WiKID Mutual Authentication">extensible</a>, and <a class="internal-link" href="http://www.wikidsystems.com/learn-more/features-benefits/wikid-save-big-on-your-total-cost-of-ownership/" title="WiKID Pricing">affordable</a>. Integrating with the browser has long been a goal for us. However, if it meant having 3 or 4 browser plug-ins, each of which might need a major overhaul periodically, the cost was frankly too high. </p>
<p>Also, based on our experience with our 2.0 Firefox plugin, it wasn't clear that there was a market. Now, however, with the explosion in browser-based SSL-VPNs and cloud-based services delivered through the browser, and the increasing adoption of HTML5 by the browsers (so far it works with all the browsers except IE), we believe that the time is ripe for an in-browser token.</p>
<p>Are there security trade-offs in embedding the token in the browser? OF COURSE! There are always trade-offs. Right now the most important one is trading in static passwords, an old, broken technology, for a stronger authentication mechanism.</p>
<p><strong>Cloud Security and Two-factor authentication</strong> (2010-10-21, admin; http://www.wikidsystems.com/blog/cloud-security-and-two-factor-authentication/)</p>
<p>We've <a class="internal-link" href="http://www.wikidsystems.com/company/recent-press-releases/secure-hosting-provider-partners-with-wikid-systems-for-two-factor-authentication" title="Secure Hosting Provider partners with WiKID Systems for Two-factor Authentication">recently partnered</a> with VM Racks, Inc., a secure virtual hosting specialist, for their <a class="external-link" href="http://esx-hosting.vm-racks.com/hipaa-compliant-hosting.html">HIPAA-compliant ESX VMware Hosting service</a>. There are three take-aways from this news:</p>
<p>1. Cloud services need two-factor authentication. This could be for everyone - even consumers (think how much more you would have liked <a class="external-link" href="http://www.mint.com">Mint.com</a> if it used two-factor authentication) or just for administrators. <a class="external-link" href="http://taylorbanks.com">Taylor Banks</a> drove this home in his NAISG Atlanta presentation on Cloud Security. </p>
<p>2. Compliance raises the bar for IT, and that makes outsourcing make even more sense. In some scenarios <a class="internal-link" href="http://www.wikidsystems.com/learn-more/authentication-compliance/hipaa-compliance-and-strong-authentication/" title="HIPAA Compliance and Strong Authentication">HIPAA compliance</a> may require man-traps, biometric readers and visitor escorts. If your in-house data center does not have these, will it be more cost-effective to outsource or to add them internally?</p>
<p>3. WiKID has some particularly strong capabilities that are attractive to "cloud" providers (whatever the *aas). </p>
<ul>
<li>WiKID's multi-domain capability means you can have one WiKID domain for your administrators and one for your customers - or one per customer.</li>
<li>WiKID's flexible licensing means you can start slow and grow.</li>
<li>WiKID's API has built-in support for multi-tenancy and <a class="internal-link" href="http://www.wikidsystems.com/downloads/api-network-client-packages/" title="API & Network Client Packages">code examples in Python, Ruby, Java, C# and PHP</a>. With the wAuth API, cloud providers can create a simple application that allows customers to manage their own, and only their own, users, drastically reducing support costs.</li>
<li>The <a class="internal-link" href="http://www.wikidsystems.com/downloads/api-network-client-packages/" title="API & Network Client Packages">WiKID API</a> will also allow users to be added programmatically based on any trusted credentials the cloud provider chooses.</li>
<li>WiKID's <a class="internal-link" href="http://www.wikidsystems.com/learn-more/technology-architecture/wikid-mutual-authentication/" title="WiKID Mutual Authentication">mutual https authentication</a> compares a hash of the site's SSL certificate with the one stored on the WiKID server and shows the user an error, instead of a one-time passcode, when they differ, as they will when a MiTM is substituting its own certificate. This feature <strong>greatly increases the security of cloud services</strong>.</li>
<li>WiKID's token clients can be embedded in your application, including on wireless platforms such as the iPhone, Android, J2ME, Blackberry and Windows mobile.</li>
</ul>
<p>We expect to see more partnerships with cloud providers in the future.</p>
<p><strong>Traditional two-factor authentication is dead.</strong> (2010-10-13, admin; http://www.wikidsystems.com/blog/traditional-two-factor-authentication-is-dead/)</p>
<p>At <a class="external-link" href="http://www.securitybsides.org/BSidesAtlanta">BSides Atlanta</a> last week, Eric Smith (@infosecmafia) and Dave Kennedy (<a class="external-link" href="http://www.twitter.com/dave_rel1k">@dave_rel1k</a>) demonstrated a real-time attack against a Juniper SSL-VPN that bypasses the authentication method in use, including time-bound one-time passcodes. (Dave's post "<a class="external-link" href="http://www.secmaniac.com/october-2010/traditional-penetration-testing-is-dead-bsides-atlanta/">Traditional Penetration Testing is DEAD</a>" on their BSides Atlanta talk inspired my title. ;)</p>
<p>This type of attack against SSL and DNS has been predicted for some time, taking advantage of users' willingness to accept any SSL certificate. Kudos to Eric and Dave for showing how this type of attack, combined with a strategically aimed penetration test, can really wreak havoc on an enterprise.</p>
<p>It's quite easy to perform a MiTM attack these days with malware, a rogue WiFi AP or DNS cache poisoning. It is a serious concern and worth addressing.</p>
<p>The good news is that we have addressed it. WiKID has long supported a system of <a class="internal-link" href="http://www.wikidsystems.com/learn-more/technology-architecture/wikid-mutual-authentication/" title="WiKID Mutual Authentication">mutual https authentication</a> that validates the SSL certificate of the target site on the end user's behalf before the one-time passcode is presented, in both the open-source Community Edition and the Enterprise Edition. The token attempts to match a hash of the targeted site's certificate with one retrieved from the WiKID Strong Authentication Server. If they match, the OTP is presented and the browser is launched to the URL. If they do not match, an error message is presented instead of an OTP.</p>
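<p>The check described in this post, and in the mutual-authentication bullet of the cloud-security post above, as an added example that is not WiKID's code: a client-side routine that hashes the certificate the site actually presented, compares it in constant time with the fingerprint obtained from the authentication server, and releases the one-time passcode only on a match. The certificate byte strings, fingerprints, OTP and URL are constructed for the demo; fetch_presented_cert_der() shows how the live DER bytes would be obtained.</p>

```python
"""Added example (not WiKID code): release an OTP only if the site's certificate
matches the fingerprint the client obtained from the authentication server.

A MiTM that terminates TLS has to present its own certificate, so its hash
will not match the pinned one and the user gets an error instead of an OTP.
The DER byte strings below are constructed stand-ins, not real certificates.
"""
import hashlib
import hmac
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def fetch_presented_cert_der(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate a server presents (needs network access).

    Deliberately does not validate the chain: the point is to hash exactly
    what was presented, whether or not a CA would have accepted it.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_and_release(presented_der: bytes, expected_fingerprint: str,
                      otp: str, url: str) -> dict:
    """Return the OTP and the URL to open only when the pinned hash matches."""
    seen = fingerprint(presented_der)
    # Constant-time comparison; the fingerprint is not secret, but the habit
    # costs nothing and the same helper is reused for secret comparisons.
    if not hmac.compare_digest(seen, expected_fingerprint.lower()):
        return {"ok": False, "otp": None, "open_url": None,
                "error": f"certificate mismatch for {url}: expected "
                         f"{expected_fingerprint[:16]}..., got {seen[:16]}..."}
    return {"ok": True, "otp": otp, "open_url": url, "error": None}


# Constructed stand-ins: the genuine DER would come from the site itself, the
# pinned fingerprint from the authentication server over its own secured channel.
GENUINE_CERT_DER = b"\x30\x82\x01\x00" + b"genuine-vpn-cert" * 8
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + b"mitm-proxy-cert!" * 8
PINNED_FINGERPRINT = fingerprint(GENUINE_CERT_DER)   # what the server hands out


if __name__ == "__main__":
    for label, der in (("genuine", GENUINE_CERT_DER), ("attacker", ATTACKER_CERT_DER)):
        result = check_and_release(der, PINNED_FINGERPRINT, "483920",
                                   "https://vpn.example.com/")
        print(label, "->", result)
```

<p>Two caveats a deployer should keep in mind. Because the pin is a hash of the whole certificate, the stored fingerprint has to be updated whenever the site's certificate is renewed or re-keyed, or every user will see the mismatch error; pinning the public key instead survives renewals that keep the same key. And the check is only as strong as the channel that delivers the expected hash from the authentication server, which is why that connection must itself be authenticated rather than fetched over whatever network the user happens to be on.</p>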
<p>I made a quick screencast demonstration to show how this works. Enjoy!</p>
<p><strong>Secure internet access from security conferences</strong> (2010-02-26, admin; http://www.wikidsystems.com/blog/secure-internet-access-from-security-conferences/)</p>
<p>Have you ever been on the Wall of Sheep at a security conference? Do you go without Internet to avoid the same? Well, no more (at least for RSA/BSidesSF).</p>
<p>We have set up OpenVPN on an Amazon instance and configured it to use WiKID Strong Authentication with no validation of who registers. This configuration will let you get an outbound Internet connection without sending any static credentials over the conference network. The OpenVPN client is set up to route all your connections through Amazon.</p>
<p>How do you get it? </p>
<p>First, <a class="internal-link" href="http://www.wikidsystems.com/downloads/software-token-clients/" title="Token Clients">download and install a WiKID software token</a>. You can use any token. Add the domain 888888888888. You will be prompted to set your PIN and you will get back a registration code. <strong>You need this code</strong>. Enter this code into <a class="external-link" href="http://www.wikidsystems.com//simple_reg_form/">this registration page</a>. Use any info you want. The email does not need to be real.</p>
<p>Ok, you've swapped public keys with the server and you've associated the key exchange with the username you submitted on the form. Now, install OpenVPN and <a class="external-link" href="http://www.wikidsystems.com/webdemo/openvpn_wikid_client.zip">download this zip file</a>, or just grab this <a class="external-link" href="http://www.wikidsystems.com/webdemo/client.conf">client.conf</a> file and the <a class="external-link" href="http://www.wikidsystems.com/webdemo/ca.crt">ca.crt</a> file if you have issues with zip files.</p>
<p>The client should route all your traffic through the Amazon cloud over OpenVPN and from there out to the Internet. It has been tested on Windows and Ubuntu.</p>
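<p>As an added illustration, and not the client.conf linked above, this is what an OpenVPN client configuration for this kind of OTP-only gateway looks like; the server hostname, port and file names are assumptions. The security-relevant lines are <code>ca ca.crt</code> together with <code>remote-cert-tls server</code>, which make the client refuse any VPN endpoint whose certificate does not chain to the distributed CA (so a rogue AP at the conference cannot stand in for the gateway), and <code>auth-user-pass</code>, which prompts for the WiKID username and one-time passcode on every connection so no static password ever crosses the wire. <code>redirect-gateway def1</code> sends all traffic through the tunnel.</p>

```conf
# Added example, not the distributed client.conf.  Host, port and file
# names are assumptions; OpenVPN comments must sit on their own lines.
client
dev tun
proto udp
# Assumed address of the Amazon instance running OpenVPN.
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Trust only a server whose certificate chains to the CA file handed out
# with the client; remote-cert-tls additionally rejects any certificate
# that is not marked for server use, so a stolen client cert cannot pose
# as the gateway.
ca ca.crt
remote-cert-tls server

# No client certificate and no static password: prompt for the WiKID
# username and the one-time passcode from the token at each connect.
auth-user-pass

# Route all traffic through the tunnel rather than the conference network.
redirect-gateway def1

verb 3
```

<p>On the server side this pairing implies that client certificates are not required and that the username/passcode pair is checked against the WiKID server, for example through OpenVPN's RADIUS plugin or an auth-user-pass-verify script; the page does not say which of these the Amazon instance used.</p>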
<p>If you have problems, you can try to find me at RSA or more likely, <a class="external-link" href="http://www.securitybsides.com/BSidesSanFrancisco">Security bSidesSF</a>. You can ping me on twitter too: <a class="external-link" href="http://twitter.com/wikidsystems">@wikidsystems</a></p>
<p>BTW, WiKID Systems is sponsoring Bsides once again and really looking forward to it.</p>
<p>Enjoy & be safe.</p>
<p><strong>Securing Gmail & Google Apps</strong> (2010-01-13, admin; http://www.wikidsystems.com/blog/securing-gmail-google-apps/)</p>
<p>Google claims that <a class="external-link" href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">China has accessed Gmail accounts</a>, amongst other things:</p>
<p class="callout">Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.</p>
<p>In response, Google has made HTTPS access the default for Gmail and is recommending some basic steps for users:</p>
<p class="callout">In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers.</p>
<p>However, I doubt that standard anti-virus would have stopped the <a class="external-link" href="http://www.youtube.com/watch?v=nFw9ZHy0V3c">targeted attacks</a> (youtube) that China used. A more secure approach would be to use Google Apps for your Domain combined with two-factor authentication, so I'm taking this opportunity to point out that <a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-add-wikid-strong-authentication-to-google-apps-for-your-domain/" title="How to WiKID Strong Authentication to Google Apps for your Domain">the WiKID Strong Authentication System includes support for Google SAML out of the box.</a></p>