August 1, 2015

The last couple of weeks have been pretty busy, which is why I've not been able to take care of my blog. But I was able to recover during our family vacation in Crete while reading a whole lot of material that I'm currently preparing to get in here. So stay tuned…

Categories: Blog

Gartner Magic Quadrant for IDaaS (2015)

Early this month, Gartner released the 2015 edition of its Magic Quadrant for Identity and Access Management as a Service, covering the worldwide market. The full report can be read here: Magic Quadrant for IDaaS (2015)

Gartner sees Okta as the only vendor in the Leaders quadrant, while there's a bunch of big names in the Visionaries quadrant, such as Microsoft, IBM, Ping Identity and Salesforce. I'm a bit surprised by the fact that Centrify made it into the Visionaries quadrant as well; I would have placed them in the Niche Players quadrant. But that might be due to the fact that I have a European focus.

Categories: IAM, IDaaS, IDM

Current Security Nightmares

February 10, 2015

What's going on out there in the networks these last couple of days? We had a strange hack into a US health insurance provider exposing tens of millions of SSNs and addresses, a temporary shutdown of an online tax service due to identity theft fraud, a database security issue that came up just by accident using a search engine, and finally, today, a high-level politician dumping emails containing personal information of residents of a US state.

Let me dive into two of those security issues in some more detail:

The database issue I mentioned affects MongoDB, a popular NoSQL database system. Three students came across roughly 40,000 open MongoDB databases, containing sensitive information up to credit card information, names and email addresses. Anyone might wonder how that could have happened: by just using default configuration values without checking them.

    Default: true
    Disable authentication. Currently the default. Exists for future compatibility and clarity.
    For consistency use the auth option.

So the default is to disable authentication? For future compatibility? Seriously? Wait… let's check the auth option for consistency reasons…

    Default: false
    Set to true to enable database authentication for users connecting from remote hosts. Configure users via the mongo shell. If no users exist, the localhost interface will continue to have access to the database until you create the first user.

Yeah… great… Authentication is disabled by default… Pretty consistent…

Source for both: Configuration File Option – MongoDB Manual 2.2.7

Whoever made that decision, I wouldn't want to be in his position right now. We'll see how long it takes until both options are flipped in their default configuration. The conclusion should be: the more you trust a product, the more you should focus on the default configuration before going into production. Placing too much trust in a vendor or community just because you're a "fan" of the tool will put you at risk if you lose insight into the configuration options.
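To make that conclusion concrete, here is a small audit script, written for this post and not taken from MongoDB or from the blog author, that parses a MongoDB 2.2-style `mongod.conf` (the INI-like `key = value` format the quoted manual version documents) and reports the two settings that turned those 40,000 databases into public data: authentication left at its default and the listener bound to every interface. The option names `auth`, `noauth` and `bind_ip` are real MongoDB 2.2 options; the sample configs are constructed for the example.

```python
"""Audit a MongoDB 2.2-style mongod.conf for the authentication and network
defaults discussed above (added example; not from the blog post or MongoDB)."""
import re
from typing import Dict, List

# MongoDB 2.2 config files are INI-like: one "key = value" per line, '#' comments.
_OPTION = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
_TRUE = {"true", "yes", "1", "on"}


def parse_conf(text: str) -> Dict[str, str]:
    """Return the options of a 2.2-style config file as a dict (last value wins)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        match = _OPTION.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def _enabled(value: str) -> bool:
    return value.strip().lower() in _TRUE


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per setting that is left at (or set to) an unsafe value."""
    findings: List[str] = []

    # The two options quoted above: 'noauth' only matters when set explicitly,
    # but the effective default is 'auth = false', so an absent 'auth = true'
    # means anyone who can reach the port has full read/write access.
    if _enabled(conf.get("noauth", "false")):
        findings.append("noauth is set: authentication explicitly disabled")
    elif "auth" not in conf:
        findings.append("auth not set: MongoDB 2.2 defaults to no authentication")
    elif not _enabled(conf["auth"]):
        findings.append("auth = false: authentication disabled")

    # 2.2 binds to every interface unless bind_ip restricts it.
    bind_ip = conf.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip not set: mongod listens on all interfaces")
    elif any(addr.strip() in ("0.0.0.0", "::") for addr in bind_ip.split(",")):
        findings.append("bind_ip includes a wildcard address: reachable from any network")

    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse and audit a config file's contents."""
    return audit(parse_conf(text))


# Constructed sample configs (not taken from any real deployment).
DEFAULT_LIKE_CONF = """\
# typical packaged mongod.conf that only sets paths
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
logappend = true
"""

HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
logappend = true
auth = true             # require users to authenticate
bind_ip = 127.0.0.1     # only accept connections from the local host
"""

if __name__ == "__main__":
    for name, text in (("default-like", DEFAULT_LIKE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(text) or ["no findings"])
```

Run it against the config you are about to ship; an empty finding list is the goal. Note that the packaged default config produces two findings without a single wrong line in it, which is exactly the "trusting the defaults" trap the post describes.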

The second issue I'd like to dive into is a US politician and potential presidential candidate just dumping emails containing sensitive data of Florida state residents. He tried to bring some transparency into his work by posting emails he exchanged with residents of the state of Florida. Unfortunately, he and his team did not redact the emails beforehand. So he just dumped emails containing SSNs, names in clear text and even emails with the following footer:

Confidential communications intended for indicated recipient only

Keeping in mind that this guy might be a future president of the United States of America, I'm getting worried and afraid. Guys like him decide on rules affecting hundreds of millions of people without having the slightest sense of how to deal with their residents' data. Is that the future we're moving into? I hope not. It should be mandatory for politicians to have a basic understanding of privacy, data security, encryption and how to deal with sensitive information. I'm really upset right now…

Categories: Privacy, Security

Microsoft going to deprecate IDMU-features in Windows Server

February 5, 2015

With this blog post, Microsoft announces the deprecation of the Identity Management for Unix (IDMU) features in Windows Server, starting with Windows Server 2012 R2. Affected features are:

  • the UNIX attributes tab in Users and Computers (dsa.msc)
  • NIS (Network Information Service)
  • RSAT (Remote Server Administration Tools)

In the comments of the blog post, a member of the Active Directory Documentation Team clarified that the Active Directory schema will not be touched. So extensions in place will stay, as will the data stored in these attributes.

Microsoft decided to deprecate these features and recommends using alternative tools for managing Unix attributes and features with Windows Server.

Categories: IDM, Tools

Installing and Configuring ForgeRock OpenDJ on Windows

February 4, 2015

Unfortunately I'm currently out of the office while being home sick. But this gives me the chance to get hands-on with some tools I have on my list to explore this year. The first of them is the OpenDJ LDAP Server from ForgeRock.

I’ve used the nightly build of OpenDJ 2.7 and ran through the MSI installation wizard first.



For the initial shot I’ve used the default installation directory.



The installation is done pretty quickly. What I'm missing here is the option to start the configuration wizard directly out of the installation wizard. @ForgeRock: Maybe this might be a good add-on for future releases of OpenDJ.

To start the graphical configuration you have to execute the setup.bat file located in the installation directory without any additional command line parameters.


This is the configuration wizard that comes up.


The first configuration screen comes up with the FQDN of the server we're currently running on, asking for the LDAP Listener Port (default 389; my configuration will be 1028 as there are other LDAP servers already running on my current machine). I've left the administration port at 4444 as I've no service bound to this port yet.

For testing purposes I've not configured LDAP secure access yet; I'll add that in a later blog post.

Last step on this configuration screen is to define the root user DN and password for the administration account.


The next screen is to configure replication if needed. I'm planning to set up a Linux server in parallel hosting an OpenDJ LDAP Server as well and to have it replicating with my current server. So I've left the default replication port, configured it as secure, but left the replication information empty as this is my first OpenDJ LDAP Server so far.


Next configuration step is the definition of the Directory Base DN. I’ve chosen


for this initial shot (you might see different DNs in later blog posts).

There are some options to load data initially using an LDIF file or to import sample data for testing purposes as well. I've decided to just create the base entry so far and to set up the remaining LDAP structure later on.


The next screen is to define specific Java runtime options. I've used the defaults here.


The next screen allows you to review all settings before finishing the installation.


The configuration wizard is now taking care of creating my LDAP instance as I’ve configured it in the screens before.

In the end we do have a running instance of the ForgeRock OpenDJ LDAP Server. Pretty simple, isn’t it?
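For the replica on the Linux box, or for any further test instance, the same configuration is easier to reproduce unattended than by clicking through the wizard. The script below, added here as an example and not code from the blog post or from ForgeRock, builds the non-interactive `setup --cli` command with the values chosen above (LDAP port 1028, administration port 4444, only the base entry created). The option names assume OpenDJ's setup command line (`--ldapPort`, `--adminConnectorPort`, `--rootUserDN`, `--rootUserPasswordFile`, `--baseDN`, `--addBaseEntry`); verify them with `setup.bat --help` on your build. The install path and base DN are placeholders, since the post does not name them.

```python
"""Unattended OpenDJ setup with the same values as the wizard above
(added example; not code from the blog post or from ForgeRock)."""
import os
import subprocess
from typing import List


def build_setup_argv(install_dir: str, ldap_port: int, admin_port: int,
                     root_dn: str, password_file: str, base_dn: str,
                     windows: bool = True) -> List[str]:
    """Return the argv for a non-interactive 'setup --cli' run.

    Option names assume OpenDJ's setup CLI (check 'setup.bat --help' on your
    build); the values are the ones chosen in the wizard screens above.
    """
    for name, port in (("ldapPort", ldap_port), ("adminConnectorPort", admin_port)):
        if not 1 <= port <= 65535:
            raise ValueError(f"{name} out of range: {port}")
    if ldap_port == admin_port:
        raise ValueError("LDAP port and administration port must differ")
    # Minimal sanity check: every RDN of the base DN must be 'attr=value'.
    if not all("=" in rdn and rdn.split("=", 1)[1] for rdn in base_dn.split(",")):
        raise ValueError(f"base DN is not a sequence of attr=value RDNs: {base_dn!r}")

    setup = os.path.join(install_dir, "setup.bat" if windows else "setup")
    return [
        setup, "--cli", "--no-prompt",
        "--ldapPort", str(ldap_port),
        "--adminConnectorPort", str(admin_port),
        "--rootUserDN", root_dn,
        # The password is read from a file rather than passed as an argument,
        # which would expose it in the process list and the shell history.
        "--rootUserPasswordFile", password_file,
        "--baseDN", base_dn,
        "--addBaseEntry",          # only create the base entry, as in the wizard
    ]


def run_setup(argv: List[str]) -> int:
    """Execute the setup and return its exit status (needs an installed OpenDJ)."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed values: placeholder install path, password file and base DN.
    argv = build_setup_argv(
        install_dir=r"C:\Program Files\OpenDJ",           # placeholder, adjust to your install
        ldap_port=1028, admin_port=4444,
        root_dn="cn=Directory Manager",
        password_file=r"C:\Users\admin\opendj-pw.txt",    # placeholder, restrict its ACL
        base_dn="dc=example,dc=com",
    )
    print(subprocess.list2cmdline(argv))
```

Print the command first and only call `run_setup` once the arguments look right; keep the password file readable by the installing account only and delete it after the setup completes.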

Categories: ForgeRock, IDM, LDAP, Open Source, Tools

Troubleshooting SAP .Net Connector issues

February 2, 2015

While working with the SAP .Net Connector in a demo environment I was struggling with the following error message being posted by my SAP connectivity component:

The type initializer for 'SAP.Middleware.Connector.RfcConfigParameters' threw an exception.

Checking the application eventlog I found the following error message:

Activation context generation failed for "C:\Program Files (x86)\Quest Software\Quest One Identity Manager\sapnco_utils.dll". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053" could not be found. Please use sxstrace.exe for detailed diagnosis.

This came with Event ID 33 from source SideBySide.

This error message indicates that the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update is missing. The update is available here: Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update

More details on the security update are available here: Description of the security update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package: July 28, 2009
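The SideBySide event text is the part that actually tells you which runtime is missing, so it is worth parsing rather than eyeballing. The following helper, added as an example and not code from the blog post, splits an Event ID 33 message into the failing DLL path, the dependent assembly name and its attributes (processor architecture, public key token, version), and maps the assembly family to the Visual C++ runtime it belongs to. The family table is general knowledge about the `Microsoft.VCnn` naming scheme, not from the page; the sample input is the event message quoted above, wrapped as it appears on the page.

```python
"""Parse a SideBySide (Event ID 33) message into its parts so the missing
runtime can be identified (added example; not from the blog post)."""
import re
from typing import Dict, Optional

_MSG = re.compile(
    r'Activation context generation failed for "(?P<path>[^"]+)"\.\s*'
    r'Dependent Assembly (?P<assembly>[^,]+),(?P<attrs>.*?) could not be found'
)
_ATTR = re.compile(r'(\w+)="([^"]*)"')

# Assembly-name families -> the Visual C++ runtime they belong to (general
# knowledge, not from the page); the 2005 entry is the case in the event above.
_FAMILIES = {
    "Microsoft.VC80": "Visual C++ 2005",
    "Microsoft.VC90": "Visual C++ 2008",
    "Microsoft.VC100": "Visual C++ 2010",
}


def parse_sxs_event(message: str) -> Optional[Dict[str, str]]:
    """Return path, assembly and its attributes, or None for a non-SxS message."""
    text = " ".join(message.split())   # event text is often wrapped across lines
    m = _MSG.search(text)
    if not m:
        return None
    info = {"path": m.group("path"), "assembly": m.group("assembly").strip()}
    info.update((key, value) for key, value in _ATTR.findall(m.group("attrs")))
    return info


def runtime_family(assembly: str) -> Optional[str]:
    """Map e.g. 'Microsoft.VC80.CRT' to the runtime package it ships with."""
    for prefix, family in _FAMILIES.items():
        if assembly.startswith(prefix + "."):
            return family
    return None


# The message from the event log above, reproduced as constructed sample input.
SAMPLE_EVENT = (
    'Activation context generation failed for "C:\\Program Files (x86)\\Quest Software\\'
    'Quest One Identity Manager\\sapnco_utils.dll". Dependent Assembly Microsoft.VC80.CRT,'
    'processorArchitecture="x86",\n\npublicKeyToken="1fc8b3b9a1e18e3b",type="win32",'
    'version="8.0.50727.4053" could not be found. Please use sxstrace.exe for detailed diagnosis.'
)

if __name__ == "__main__":
    info = parse_sxs_event(SAMPLE_EVENT)
    print(info)
    print("missing runtime:", runtime_family(info["assembly"]), info.get("version"))
```

The exact version string (8.0.50727.4053 here) is what decides which redistributable or security update to install, so keep it together with the family name when you file or search for the fix.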

Categories: Programming

Biometry is broken

January 28, 2015

From what we've seen during 31C3, biometry is broken. It's not just broken if we try to get the fingerprints of a potential victim by extracting them, using forensic methods, from whatever our victim might have touched before. With what we've seen during the talk given by starbug (attention: the talk was given in German), the physical barrier is broken. There is no more need to save a glass that was touched by our victim. The fingerprint can be restored from a photograph of the victim's fingertips of sufficient quality.

During his talk, starbug already gave some insight on what might be next: 4K video. I'm curious about what he might come up with for the next congress. Maybe he's already working on extracting fingerprints from 4K videos.

So you might want to say fingerprints are broken, but what about other biometric factors? Let's run through them:

  • fingerprints – broken
  • retina scans – broken (at least if the quality of the picture is good enough)
  • face scans – broken (as shown in the video)
  • heart beat – not broken yet

So let's keep up with what's left on the list: heart beat. There was a startup showing up with the idea of a wristband using your unique heart beat signature as an identification token. Sounds pretty cool so far. But here it comes: I've been talking to different people about two different approaches that might break this as well.

The first approach (although it is much more theoretical and does have a moral and ethical impact) I've been discussing with a doctor. In the end she told me that it would be possible to use a pacemaker to re-program an individual's heart beat. It has not been done before, but it's possible.

For the second approach, I was talking to a guy who has been working in device security for quite a while. From his expertise, it shouldn't be the biggest deal to set up the specific electric signal that will look like a valid heart beat to the device.

So from where we are right now, there are only two conclusions:

  1. Don't trust in biometrics as a single source of identification. They might be used in combination with other forms of authentication, but never ever alone.
  2. Biometric devices need to get better. They need to be able to determine whether they are scanning a printed version of the fingerprint, face or retina or whether they are scanning a real human being. This will raise prices for devices.

Categories: IAM, Identity, Privacy, Security