Tuesday, February 27, 2007

Hey look, this guy created Identity.

Yes, I am being smug about this. I used to work for ATG and we got sued by Broadvision because Broadvision had a patent that basically said Broadvision invented E Commerce so they had a right to sue anyone in the eCommerce space. So they went after ATG, their chief competitor (who was kicking the crap out of them in the marketplace BTW) and ATG is still in business, Broadvision went public, went private. Broadvision also sold their name to Black & Veatch (bv.com) so my guess is that ATG has done a little better.

Anyway, this guy Reid is seeking unspecified damages (a.k.a. whatever he can get) and I also noticed that he is not going after companies worth less than several billion. Guess he owes a lawyer friend or two a favor. Best of luck Mr. Reid.

Note to developers - study the patent, find the loophole, and write an alternative application that AD users can port over to quickly. You'll make more than Reid...

Looking at the patent, it's pretty broad, and the Patent keeps referring to a 'Master Directory' which in practical terms doesn't exist. Is it the HR database, AD, LDAP? It doesn't mention access to files/content explicitly which is why people connect to the network to begin with, right?

Check out the Sept 29, 2006 post at my pal Sean O Neill's blog about this very topic. This guy's legal team has its work cut out for it...

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=1RUAGNLANJMWKQSNDLRCKHSCJUNN2JVN?articleID=197009007

A former IBM scientist claims that the network identity-management systems used by corporate giants Charles Schwab, General Motors, and Halliburton violate a seven-year old patent he holds. The inventor also claims that Microsoft's Active Directory technology infringes on his intellectual property.

In court papers filed in the U.S. District Court for Eastern Texas, William Reid claims that the network ID management systems used by the defendants violate U.S. patent 6,131,120, which Reid owns and which describes an "Enterprise Network Management Directory Containing Network Addresses Of Users And Devices."

"Microsoft has been and continues to infringe directly and indirectly on one or more claims of the [patent]," according to Reid's suit, which was originally filed in 2005. A so-called Markman hearing, during which a judge will rule on the meaning of terms used in the complaint, is scheduled for May.

Virtually all corporations use such systems to authenticate and verify the identity of individuals logging onto their computer networks.

In his suit, Reid claims that Halliburton's use of Microsoft's Active Directory technology to create its ID management system violates the patent. Reid further claims that Active Directory itself, as well as Microsoft products that embed the technology, including Windows 2000 Server and Windows Server 2003, violate his patent.

In court filings, Microsoft, GM, Schwab, and Halliburton all deny violating Reid's patent. Halliburton, however, has asked Microsoft for indemnification should it lose the case. "Microsoft stands behind its technology. As such, Halliburton has tendered an indemnity demand to Microsoft if Halliburton is found to infringe in this case," Microsoft says in a related filing.
In an interview, Reid, who says he worked on artificial intelligence for IBM from 2000 to 2002, says he determined that GM, Schwab, and Halliburton were violating his patent after visiting a trade show. Reid says he watched presentations by IT officials from the companies while attending the Burton Group's Catalyst conference. "They made presentations and distributed material that described their architectures," says Reid.

Word of the suit marks the latest in a series of legal headaches for Microsoft. On Monday, it emerged that the company is being sued over its use of the Office Live name for a suite of online business productivity tools. Last week, Microsoft was ordered to pay Alcatel-Lucent $1.5 billion for violating patents related to the MP3 music format.

Reid is seeking unspecified damages.

Monday, February 26, 2007

Two Factor Authentication - Squared

I was working with a large SI last week who does a lot of work for the government. I was there to prove out a solution to protect their DHCP servers from unatorized users getting an IP address and subsequently on their network, and their customer's network. I showed them how the solution worked in 15 minutes and was done with that part of the discussion. We just showed a viable alternative to 802.1x - both in implementation time (2 hours of set up, 15 minute deomonstartion) and cost (fraction of $$$ the solutions I know about).

The next part of the discussion was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough?

We were able to figure out that with the same solution we just used to solve one problem would also solve another, and one that is on the minds of anyone working on HSPD-12 initiatives.

Long story short - four factor authentication. Two factor authentication, squared, or 2F2.

Here is how it works:

I identify the user in two ways - PIV Card (something they have), and Login credentials (PAC & LAC Controls)

I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange. Unalterable, proven, and deployed in hours.

Why does this matter?

Audit - Be able to see every network layer event, by who, from what machine, in real time and know that the data is irrefutable and will hold up in court vs. spoofable MAC addrress/IP address.

Control - Make policy based access decisions based on some combination of 4 different attributes providing the ultimate in flexibility and rollout options.

For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.

At the macro level -You have just scoped down your threat vector area to only those you know and trust, be they machines and people.

Add to it the functionality of immediate real time alerting in the event something bad looks like it is happening, and reporting to understand exactly how they tried to do what they did, were blocked, but still logged - Priceless...

identitystuff@gmail.com

Wednesday, February 21, 2007

Machine Identity

There have been quite a number of searches in the past 90 days about machine identity that have hit this blog looking for information. A lot of interest from the EU in particular, although I have not been able to pinpoint if it's because the usual ways of ID-ing machines (MAC and/or IP address) are not as absolute as they once were, if it's related to the privacy laws that are different in the EU than they are in the US, or if it is something else altogether.

What I do know is that a MAC address and/or an IP address are not as reliable in the forensic world. It used to be that Law Enforcement could get an affadavit by producing a MAC and or IP address from a suspect and get a warrant right away. Things are different with the ability to spoof these two components of Identity with easily available software since the reliability is in question and the irrefutability is not what it was.

Trusted Network Technologies has come up with a unique and patented way to ID a machine based on hardware components and the associated serial numbers and embed that information in TCP packets. In short - it's the new irrefuatble machine identity. Your company may have 5,000 Dell laptops, but each one has a unique hardware profile, that when captured and embedded into the packet creates a unique identifier based on that build. Totally unique, totally proovable. It's a logical badge for the network that compliments the physical ones we're all familiar with.

Why this may emerge as the new Identity attribute most important to companies, law enforcement, and others is that it provides a layer of privacy - you are your machine not who you say you or your machine is, and you can govern access control by those inside and outside your organization based on this attribute and add user identity information to the mix and extend what you have.

With all of the talk about NAC and keeping unhealthy machines off the network I believe it is crucial to establish that irrefutable identity of the machine so that you know what that machine is, can quickly find out who is using it, and whether or not to allow that user and/or their machine anywhere near your network. It's a nice way to keep things open and secure at the same time whether you're human or hardware...

identitystuff@gmail.com

Wednesday, February 07, 2007

FBI Cyber Attack data - Interesting stuff

http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm

Among the key findings:
§ Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year's time; 20% of them indicated they had experienced 20 or more attacks.

§ Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.

§ Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.

§ Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.

§ Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.

§ Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response.

And 81% said they'd report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.

Accountability and Identity

I can't help but think that holding company's management, and their boards, personally accountable for customer data theft is a good idea and may actually speed up the adoption of better security.

I would love to see what TJX spent on Christmas decorations, christmas parties and coffee the past 2 years and compare that with what they spent on security infrastructure. If they spent less on the security portion of their business they deserved to be hacked. By the way, that goes for any company who is placed in a position of customers sharing data and their trust with them.

So how does this stuff stop happening? PCI DSS is one initiative from the card companies, but I believe until there is personal accountability in these breaches at the Management or Board level, this will continue to happen. Did we learn nothing about SOX (Sarbanes Oxley) and compliance. The teeth in that is Management goes to jail - or put another way - accountability.

How about legislation for increased corporate accountability vs. legislation about data breaches and consumer protection. Companies who are more secure, will get more business, be trusted more, have a better brand, and continue to grow. Those who don't figure it out, or see the benefit to maintaining trust with your customers, lose.

identitystuff@ gmail.com