Use options such as password protection, disable right click, encryption, or even disable Internet Explorer toolbars on your website to protect images and overall content. There are also free software downloads to assist you in more in-depth protection for those of you who have clients information embedded into your website.

Whatever you chose, stay protected. Know the essentials such as not giving out information to unknown persons or using credit cards and bank cards on unsecured websites. Use these major tips below suggested by the US Securities and Exchange Commission:

• Beef Up Your Security. Personal firewalls and security software packages (with anti-virus, anti-spam, and spyware detection features) are a must-have for those who engage in online financial transactions. Make sure the computer you are using has the latest security patches, and make sure that you access your online brokerage account only on a secure web page using encryption. The website address of a secure website connection starts with “https” instead of just “http” and has a key or closed padlock in the status bar (which typically appears in the lower right-hand corner of your screen).

Security Tip: Even if a web page starts with “https” and contains a key or closed padlock, it’s still possible that it may not be secure. Some phishers, for example, make spoofed websites which appear to have padlocks. To double-check, click on the padlock icon on the status bar to see the security certificate for the site. Following the “Issued to” in the pop-up window you should see the name matching the site you think you’re on. If the name differs, you are probably on a spoofed site.

• Use a Security Token (if available). Using a security token can make it even harder for an identity thief to access your online brokerage account. That’s because these small number-generating devices offer a second layer of security – a one-time pass-code that typically changes every 30 or 60 seconds. These unpredictable pass-codes can frustrate identity thieves. While fraudsters can use keystroke logging programs to obtain regular username and password information, they can’t use these programs to obtain the security token pass-code. Ask your brokerage firm if you can protect your online account with a security token or similar security device.
   
• Be Careful What You Download. When you download a program or file from an unknown source, you risk loading malicious software programs on your computer. Fraudsters often hide these programs within seemingly benign applications. Think twice before you click on a pop-up advertisement or download a “free” game or gadget.
   
• Use Your Own Computer If You Can. It’s generally safer to access your online brokerage account from your own computer than from other computers. If you need to use a computer other than your own, you won’t know if it contains viruses or spyware. If you do use another computer, be sure to delete all of the your “Temporary Internet Files” and clear all of your “History” after you log off your account.
   
• Don’t Respond to Emails Requesting Personal Information. Legitimate entities will not ask you to provide or verify sensitive information through a non-secure means, such as email. If you have reason to believe that your financial institution actually does need personal information from you, pick up the phone and call the company yourself – using the number in your rolodex, not the one the email provides!

Security Tip: Even though a web address in an email may look legitimate, fraudsters can mask the true destination. Rather than merely clicking on a link provided in an email, type the web address into your browser yourself (or use a bookmark you previously created).

• Be Smart About Your Password. The best passwords are ones that are difficult to guess. Try using a password that consists of a combination of numbers, letters (both upper case and lower case), punctuation, and special characters. You should change your password regularly and use a different password for each of your accounts. Don’t share your password with others and never reply to “phishing” emails with your password or other sensitive information. You also shouldn’t store your password on your computer. If you need to write down your password, store it in a secure, private place.
   
• Use Extra Caution with Wireless Connections. Wireless networks may not provide as much security as wired Internet connections. In fact, many “hotspots” – wireless networks in public areas like airports, hotels and restaurants – reduce their security so it’s easier for individuals to access and use these wireless networks. Unless you use a security token, you may decide that accessing your online brokerage account through a wireless connection isn’t worth the security risk. You can learn more about security issues relating to wireless networks on the website of the Wi-Fi Alliance.
   
• Log Out Completely. Closing or minimizing your browser or typing in a new web address when you’re done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the “log out” button to terminate your online session. In addition, you shouldn’t permit your browser to “remember” your username and password information. If this browser feature is active, anyone using your computer will have access to your brokerage account information.

  
http://www.sec.gov/investor/pubs/protectyourselfonline.htm

Contact me for information on those free software options to secure individual document files for email or publishing. 

Browse http://mi-token.com to get connected with Mi-Token Inc that offers simplified and secure two-factor authentication solution to secure your organization. The company was originally developed by expert bank security specialists and cryptographic professionals. The company caters to the security from external threats including cache poisoning and Trojan virus needed for banking. The company has earned the reputation of creating world-class and innovate security solutions.

Coming in early April, this new smartphone application will allow players to generate one-time passwords. We highly recommend it to our users as a quick and easy way to enhance the security of your Square Enix account with your iOS or Android device.

http://www.playonline.com/ff11eu/index.shtml

Are you a systems administrator? Quick, which system in your infrastructure is most vulnerable to hacker attacks? No, it’s not the web server — though it’s a good guess. No, it’s not the firewall. The answer may surprise you — it’s your workstation.

Think about it — unless you’re working for an agency with extremely rigid security policies, you are probably able to connect to servers you administer right from your workstation. Perhaps not all the time — perhaps you have to establish a VPN connection first in order to be on the “inside.” Once that is done, however, your workstation becomes an extremely interesting target for malicious hackers, since at that time your workstation happens to be the least protected system that sits both on the outside and on the inside of your trusted network.

Did you know that your workstation is currently running software that was written for the sole purpose of letting others execute arbitrary code? You are looking at it right now. Yes, I do mean the browser. Did you ever think of browsers in such terms? That’s all they do, they download someone else’s code from the Internet and then execute it. Yes, all browsers implement a “sandbox” — a sanitized environment that is supposed to prevent downloaded code from doing any harm. The key phrase is “supposed to,” because quite often the browsers don’t get it right. Especially plugins, such as flash. Don’t get me started on flash.

And don’t get me started on humans. Did you know that we’re made out of meat? “Evil hackers” are well aware of that fact. They know that the easiest (and the stealthiest) way to hack into a system is not to relentlessly attack it looking for exploits, but to wait until the admins do something meat-headed. Like, you know that time when your mom posted that link with a funny cat, and the page tried to load a movie but ended up crashing your browser? And then you tried it again in another browser, just to make sure? See? Made out of meat.

So, let’s say the sandbox around your browser fails and attackers get a foothold on your system. What’s their next move? The malicious script will probably search your browser’s history and try to judge whether you’re an interesting target or not. Then the script will most likely install a keylogger and a backdoor:

•    A keylogger is a small application that will record everything you type on your keyboard — it is particularly interested in anything that looks like a credit card number or an account password.
•    A backdoor is a way for attackers to execute arbitrary commands on your workstation, and it doesn’t matter if your workstation is on a private network or not. Most backdoors just connect to some “command and control” server over an encrypted http connection and either download a prepared “payload” to execute, or hold the connection open for attackers to have full real-time shell access to your workstation from anywhere in the world.

With the keylogger and the backdoor running on your workstation, the next time you VPN in to your work and type in your root or sudo password, you’ll be handing the attackers the keys to your kingdom. Unless, that is, your servers require more than just a password in order to authenticate users — which is really what I’m here to talk about.

What is multi-factor authentication

The problem I described above is well-understood among security professionals, and one of the ways to prevent the workstation compromise from leading to server compromise is to require the use of more than just a regular password in order to get access to the servers — especially when it comes to obtaining elevated privileges (i.e. “su” or “sudo”). The approach is called “multi-factor-authentication” — in addition to using a password (“something you know”), you also have to prove that you have in your possession some kind of a physical token that was given to you by the authority that issued your credentials (“something you have”). You may additionally have to prove that you are the same biological entity that received those credentials (“something you are”). Remember the movie “Sneakers?” In order to get access to the secret facility, the hacker crew had to defeat all these three factors — get the card (“something you have”), the PIN (“something you know”), and record the mark saying “My voice is my passport. Verify me (“something you are”).

Implementing all three factors is extremely costly and inconvenient, though — and the “something you are” bit can’t really be used to authenticate unsupervised access (as demonstrated in the “Sneakers” — since “something you are” never changes, the attackers only have to record and replay one successful transmission in order to fool the system). Therefore, the only additional factor worth implementing to authenticate unsupervised remote access is “something you have.”

The most widely known “something you have” devices are smartcards and the ubiquitous RSA Security “fobs” — the former store an encryption key directly on the card that must be unlocked with a PIN in order to authenticate the user, and the latter convert timestamps into a set of digits that change every 30-60 seconds. We only mention smartcards in passing, as they won’t actually help in our scenario, since they will be helpfully plugged into the workstation and the attackers will know the PIN from the keylogger. Time-based tokens, on the other hand, are an effective measure to prevent a workstation compromise from leading to a server compromise (with a few caveats, which we’ll touch on later).

Time-based hardware tokens work by converting current time into a string of characters that can’t be predicted without knowing the “secret hash.” That secret hash is only installed on the hardware token itself, plus on the authentication server, which is how we make sure that the user actually has the hardware device in their possession. When someone tries to authenticate, they submit the value shown on their hardware token as part of their credentials. The verification server then performs the same math as performed on the token, and if the results match, then the user is allowed to log in.

What happens next is extremely important — the server records that the token has been used once and therefore cannot be used again. So even if the keylogger has a record of all the tokens submitted by the user, none of them can be reused again, even if attackers do it right away. That is why it is called “One-Time Password” and there is even an open standard behind it is called Time-based One-Time Password Algorithm, or “TOTP.”

Challenges of using hardware tokens

There are several companies that provide both open-spec and proprietary hardware tokens. There is RSA Security, which has been offering two-factor authentication services and proprietary hardware tokens since the dawn of IT time. There is also Yubico, which is a more recent arrival to the scene and uses an open OATH standard. Their product, yubikey, plugs into a USB port and the operating system recognizes it as a USB keyboard. Once a button is pressed on the yubikey, it sends a string of characters containing the one-time password.

However, implementing two-factor authentication using true hardware tokens can pose its own set of challenges — particularly if your administration team is not located in one physical office. Take us at The Linux Foundation — we have admins who are located on both coasts of the US and Canada, one in Japan, and now one in Australia. The task of provisioning physical tokens suddenly becomes very complicated and involves international shipping, which is either slow or extremely expensive. And what happens if the admin leaves their token in the pocket of their jeans and it goes through the wash? Are they out of commission for a few days until the new token is provisioned and shipped?

This is exactly the problem that caused grief for the Fedora Project. Despite being officially hosted and sponsored by Red Hat, Fedora Infrastructure is entirely separate from the rest of the Red Hat network and is administered both by Red Hat employees and by volunteers who are physically located anywhere in the world. A few years back, Fedora Infrastructure started requiring the use of yubikeys for two-factor authentication, but ran into provisioning problems mentioned above. Fedora either had to dedicate a budget for purchasing and shipping the yubikeys, or require that volunteers spend their own money — neither of which was quite optimal.

Enter smartphones

Thankfully, this is the age of mobile computing. Nearly all of us carry a powerful computer in our pocket that is more than capable of calculating and displaying TOTP tokens. Google recognized this a while back and released a free mobile app called “Google Authenticator,” available on most mobile platforms. Anyone can set up two-factor authentication for their Google Account using the Authenticator, but the best part is that it’s not just limited to Google’s services. Since TOTP is an open standard, any infrastructure can use Google Authenticator to provision their own software tokens and implement TOTP-based two-factor authentication for their services.

It is generally recognized that tokens on the smartphones aren’t as secure as true hardware tokens. After all, smartphones are part of a worldwide network and can be hacked just like any other computing device. However, since your mobile phone is not physically connected to your workstation, isn’t running the same operating system, and isn’t even using the same processor architecture, that helps make it highly improbable that a casual attacker will be able to compromise both your workstation and your smartphone in order to defeat two-factor authentication.

Fedora Project and Linux Foundation join efforts

Recognizing that we have similar problems — namely, the need for two-factor authentication and a very distributed IT team, the Linux Foundation and Fedora Project Infrastructure joined forces to come up with a two-factor authentication solution that would use the TOTP standard and utilize software tokens. We first reviewed LinOTP, which implements a number of two-factor authentication standards including TOTP, but unfortunately their “community” implementation artificially removes crucial features, making them only available as part of their commercial “enterprise” product. Namely, the features we required was support for LDAP-based user store and support for yubikeys, as Fedora wanted to continue providing yubikey support for those members of the team who had already obtained one. Neither of these features is available in the LinOTP community branch.

Then we looked at the Google Authenticator open-source PAM module, but it is not suitable for centralized implementation (it can only be securely used on one server at a time) and has a number of other shortcomings, such as an odd architectural decision to put the secret hash in the same file that is used to record the used tokens. Generally, you don’t want to allow your security-sensitive applications to write state data to the file containing the secret.

Unfortunately, there was really not much else available that was both open-source and satisfied our requirements. Faced with that conclusion, we decided to roll our own solution that would both pass our security reviews and implement the functionality that we require. The Linux Foundation brought to the table the server component, and the Fedora Infrastructure — the PAM module. The final implementation therefore uses:

1.    totpcgi, which is the provisioning and token verification server, and
2.    pam_url, which is the pam module that communicates with totpcgi over a mutually-authenticated SSL link

In late November 2012, Red Hat sponsored a “Fedora Activity Day” that brought both Linux Foundation and Fedora Infrastructure sysadmins under the same roof to knock out the final showstoppers and implement two-factor authentication that supported both yubikeys and smartphone-based TOTP tokens. Despite some need for late-night hacking, the project was a resounding success and both infrastructures are now requiring two-factor authentication.

Both totpcgi and pam_url are released under GNU GPL and we hope that other distributed infrastructure projects will adopt and extend our offering in order to implement two-factor authentication on their servers.

There are no magic bullets

Security is a process, not a product. There is no one thing you can install or implement that would provide any kind of assurance against malicious hacking. Two-factor authentication makes the attackers’ lives more difficult, but it, too, can be defeated given enough time. For example, if you cannot trust the system binaries on your workstation, you can never be sure if you are actually connecting to your servers or if the attacker is simply simulating the login and recording your one-time-token, which they can then use to log in to your actual servers.

Observe the following best practices to make it more difficult for attackers to exploit your workstation:

•    Never turn off SELinux on your workstation. Your browser is actually running inside its own constrained SELinux domain, which means that even if attackers manage to escape the browser’s sandbox, they will have a hard time escaping the SELinux jail in order to gain a foothold on your system and install a keylogger.
•    Use NoScript for Firefox or ScriptSafe for chrome/chromium. Only allow javascript and plugins on the sites you trust.
•    Keep your workstation patched. Always apply critical security errata as soon as it is available.
•    Require two-factor authentication on your workstation for sudo, or only do it by switching to a text console (Ctrl-Alt-F2) and logging in as root.
•    When you need to use ssh, always execute it as /usr/bin/ssh. Don’t trust your $PATH.
•    Do the same when you use “sudo” on your server. Always type “/usr/bin/sudo -i”.
•    Require two-factor authentication when obtaining elevated privileges on all your infrastructure.
•    Routinely review account activity logs on your servers. Software such as logwatch or epylog will help you detect anomalous logins.

While these steps won’t guarantee that you are safe from malicious attacks, at least you will make the attackers’ lives extremely difficult while only introducing mild inconveniences into your regular sysadmin routines.

There are many companies attempting to implement new changes in the way that users authenticate themselves. The best example is Google’s 2-step authentication. This system allows a user to log into their Google account like normal when they access it on their common browser/app…however, whenever they log in elsewhere, it requires an access code specialized for that given with a name.

Google has come up with other ideas such as having a smartcard embedded finger ring or using a smartphone to authorize a new device/computer to add to your account.

More companies are attempting hardware-based authentication. Most companies attempting such measures only have prototypes, and are awaiting the ability to beta the use. Most of these types of measures are called security or hardware tokens.

A pin or password is usually needed for devices…right? However, depending on the type of device will show what other forms of authentication are needed in addition to that. For example, a one-time password may be in order, similar to the Google access code as a second step in authentication, which would be too hard to hack. Others would take a challenge code, which would prove that your a human in public, instead of a hacker/robot on a different network trying to hack.

Many networking authentication proposals for authentication would only allow a certain unique IP address to access the login section or be able to enter a password. Some require a smart card or fingerprint. All of these are good ways to help authentication become more physical and legitimate.

Proving possession is everything in the computer security world now, but this type of authentication has been proposed for around ten years, at least. It’s time tpo get serious about authentication, and develop better solutions. This is the call to action.

Banking Security Tokens – Out with the old and in with the new. I’m sure every single Singaporean who has a bank account has one of these with effect from Jan 2013. I wonder what do banking tokens overseas look like. I shall google it now.

In almost all Active Directory Inter-Forest migration scenarios the sidHistory functionality of Windows Server plays an important role to maintain resource access from migrated users to their not yet migrated Windows resources (e.g. file shares, Exchange mailbox etc.).

The sidHistory attribute of a migrated user in the target domain contains the SID of the original user from the source domain. When the user logs on with his/her account to the target Active Directory domain, the security token generated by the DC, contains both, the SID of the actively logged on target user account and the SID of the source user account of the source domain. If the user now accesses resources in the source domain, the target account and the source account SID are presented for ticket granting process. This ensures that the user can use his/her resources seamlessly, no matter if the resources are located in the source Forest or are migrated to target Forest already. An alternative to using sidHistory is the re-ACLing of the resources in the source Forest, which can be a large, long running task.

NOTE: SidHistory does not work in the following cases:

• SID Filtering is enabled on the Forest Trust or Domain external Trust Relationship
• For all permissions that are set by using well known SIDs (like Domain Users, Account Operators etc.). Those well-known SIDs are filtered out by default when accessing resources over the trust.
   

Disadvantages of sidHistory

Although sidHistory is a very big help in Inter-Forest Active Directory migration, it challenges all security considerations at the same time. A rogue administrator can add the SID of a given user account to his account’s sidHistory and thus gets access to the user’s resources. Another disadvantage is the blow up of the security token of a user account, since when using sidHistory, the token contains the SID of the account and the SIDs of all groups where the account is member of + the source account’s SID  and all SIDs of all the groups from source domain – assuming the groups have been migrated. There is a system limitation on token size which allows a maximum of 1015 groups. Using sidHistory for groups every group membership in a migrated group counts twice. If the source user is member of 550 groups in source domain and all groups have been migrated to target domain with sidHistory, the target account will most likely not be able to log on, because the security token is bloated. As long as the groups contain their sidHistory from before the migration, the group membership of users must be monitored constantly.

For Active Directory limits check here:

(http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_Groups)

RECOMMENDATION: Taking into account the security and system related disadvantages of sidHistory, we recommend removing the sidHistory value after migration of accounts and resources.

In Part 2 of this thread we will show some ways to remove sidHistory values which is not possible via ADUC and ADSIEDIT and other LDAP based tools.
Go to http://migration-blog.com/2013/01/03/active-directory-migration-how-to-remove-sidhistory-after-migration-part-2/

Tweetings for Twitter v2.7.5.1 Android Apk App

Tweetings is a powerful Twitter Client for Android devices.
- Large screen support with panes
- Supports posting to TwitLonger and inline expansion
- Uploading pic.twitter.com images as well as Img.ly, TwitPic and yFrog
- Customize, edit, apply filters to photos
- TweetMarker & Tweetings Cloud Timeline Sync support
- Stream Tweets over WiFi… let the tweets flow, no need to refresh your main timelines again
- Manage multiple accounts
- Google Cloud push notifications for mentions, dms, when you get a new follower, when you are retweeted, etc
- Inline image previews
- Saved Searches
- Local Trends
- Translate tweets
- Shorten links with a variety of providers
- List support
- Mute twitter users, words or applications
- View conversations
- Delete your own tweets and Direct Messages
- Change timeline text size
- Enable or disable retweets on a user by user basis
- Pull to refresh
- Picture preview
- Geotagging
- Compose username autocomplete
This is just the beginning, we plan to add many more features.
Tweetings is based on the open source project Twidere, more information here http://tweetings.net/android/source/

 What’s in this version:
Ability to add your own OAuth consumer tokens. If you do, please help us out by releasing a Tweetings authentication token back to the pool (https://twitter.com/settings/applications). Note: if you decide to use your own consumer tokens, push notifications and scheduled tweets won’t work
Internal twitter4j HTTP bug fixes
Mention coloring was case sensitive previously

https://play.google.com/store/apps/details?id=com.dwdesign.tweetings

Download Instructions:Released by chathu-ac
http://ul.to/p8xw73ds

mirror：
http://www.secureupload.eu/fmhv10hir…r_v2.7.5.1.apk

– Tweetings for Twitter v2.7.5.1 Android Apk App

UsernameToken
Usernametoken ini dibagi lagi menjadi beberapa cara implementasi dengan kelebihan dan kekurangan masing-masing.

• UsernameToken dengan Clear-Text Password

  Cara ini tidak melindungi password yang dibawa oleh SOAP Message. Kelebihannya adalah implementasi yang sederhana namun SOAP Message dengan tipe token seperti ini harus di kirim menggunakan SSL (atau Secure Transport lainnya) sehingga SOAP Message ini di enkripsi secara keseluruhan pada saat di kirim.
  Struktur awal token tipe ini adalah sebagai berikut:

  <S:Envelope>
      <S:Header>
              ...
          <wsse:Security>
              <wsse:UsernameToken>
                  <wsse:Username>Zoe</wsse:Username>
                  <wsse:Password>ILoveDogs</wsse:Password>
              </wsse:UsernameToken>
          </wsse:Security>
              ...
      </S:Header>
      ...
  </S:Envelope>
  

• UsernameToken dengan PasswordDigest

  Token tipe ini memproses password menjadi suatu hash tertentu pada saat dikirim akan tetapi dengan syarat pada dua sisi (pengirim dan penerima) harus mengetahui password asli sebelum diubah menjadi hash untuk proses validasi. Yang dijadikan hash tidak hanya passwordnya saja, dapat ditambahkan:

  • Timestamp : berfungsi selain menambah randomness dari hasil hash juga membantu mengecek masa berlaku hash tersebut. Namun dikarenakan selalu terdapat perbedaan jam pada server, perkirakan toleransi perbedaan waktu tersebut. Hal ini dapat mencegah penerobos sistem menggunakan hash yang sama untuk melakukan kembali proses yang sama (replay attack).
  • Nonce : merupakan sekumpulan byte acak yang dibuat untuk mencegah replay attack dan juga meningkatkan randomness.
  • Password itu sendiri.

  Berikut adalah struktur awal token bertipe passwordDigest:

  <wsse:Security>
    <wsse:UsernameToken
      xmlns:wsse="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  
      <wsse:Username>David Remy</wsse:Username>
      <wsse:PasswordType="wsse:PasswordDigest">
        D2A12DFE8D9F0C6BB82C89B091DF5C8A872F94DC
      </wsse:PasswordType>
      <wsse:Nonce>EFD89F06CCB28C89</wsse:Nonce>
      <wsu:Created>2001-10-13T09:00:00Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
  

BinaryToken

Token tipe ini mengirim dalam bentuk binari dari kelas tertentu. Kelas binary yang dibuat untuk WS-Security adalah X.509 Version 3 Certificate dan Kerberos tickets. Berikut adalah tempate BinaryToken:

<wsse:BinarySecurityToken wsu:Id=...
        EncodingType=...
        ValueType=...>
      ...Binary Data ...
<wsse:BinarySecurityToken/>

• X.509 Version 3 Certificate

  Merupakan penampung bersifat digital untuk bagian kunci umum pada sepasang kunci private dan umum. Kunci umum yang digunakan dalam mengenkripsi pesan, sedangkan kunci private yang digunakan dalam mendekripsi pesan tersebut.
  Sertifikat X.509 ini bersifat umum yang bebas didistribusikan sehingga cara untuk memastikan identitas pengirim adalah dengan menyertakan digital signature yang dalam hal ini berarti XML Signature pada pesan yang dikirim. Apabila penerima pesan dapat memverifikasi XML signature dengan sertifikat X.509 dan penerima percaya bahwa identitas pengirim itu benar, maka X.509 menjadi mekanisme otentikasi yang kuat.
  Berikut adalah contoh token bertipe binary:

  <wsse:BinarySecurityToken Id="myX509Token"
          ValueType="wsse:X509v3"
          EncodingType="wsse:Base64Binary">   
       NIFEPzCCA9CrAwIBAgIQEmtJZc0 ... sisa data X.509 base 64
       FExErTECA ...
  </wsse:BinarySecurityToken>
  

• Kerberos Tickets

  Kerberos merupakan protokol otentikasi network yang berbasi teknologi kunci rahasia yang melibatkan KDC (Key Distribution Center) terpusat. WS-Security memungkinkan untuk mengirim Kerberos ticket dalam binary token ini. Terdapat dua kemungkinan tipe ticket di Kerberos, berarti dua ValueTypes untuk merepresentasikan masing-masing. ValueType wsse:KerberosV5TGT untuk Ticket Granting Ticket (TGT) dan ValueType wsse:KerberosV5ST untuk Service Ticket (ST). TGT lebih sering digunakan untuk single sign-on sedangkan ST spesifik untuk service tertentu.
  Berikut adalah struktur SOAP Message yang mengandung Kerberos ticket:

  <wsse:BinarySecurityToken
      wsu:Id="myKerberosToken"
      ValueType="wsse:Kerberosv5TGT"
      EncodingType="wsse:Base64Binary">
      MIIEZzCCA9CgAwIBAgIQEmtJZc0 ... sisa data Kerberos base 64...
  </wsse:BinarySecurityToken>
  
  

XML Token

Spesifikasi XML token dibuat setelah UsernameTokens dan BinarySecurityTokens. Ciri utamanya adalah token ini tidak di group menjadi satu elemen seperti pada BinarySecurityTokens namun setiap token memiliki elemen masing-masing.

• SAML Token

  WS-Security sudah mengenali SAML assertion elemen. Berikut adalah template SAML token di WS-Security

  <S:Envelope>
      <S:Header>
          <wsse:Security>
            <saml:Assertion 
     xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
              MajorVersion="1" MinorVersion="0"
              AssertionID="myAssertion"
              Issuer="www.yourIssuer.com"
              IssueInstant="2003-03-31T12:58:21.132Z">
              <saml:Conditions
                NotBefore="2003-03-31T14:21:22.133Z"
                NotOnOrAfter="2003-03-31T16:02:11.123Z"/>
           </saml:Assertion>
        </wsse:Security>
      </S:Header>
      <S:Body wsu:Id="msgBody">
         ...
      </S:Body>
  </S:Envelope>
  

• XrML Token

  eXtensible Rights Markup Language (XrML) merupakan sintak XML untuk Digital Right Management (DRM). XrML dapat digunakan dalam WS-Security dengan cara mengikutsertakan elemen license pada header. XrML ini memiliki permasalahan yang sama dengan sertifikasi X.509 yaitu untuk membuktikan kepemilikan license, maka XML Signature harus di ikutsertakan juga.

  <S:Envelope>
  
      <S:Header>
        <wsse:Security>
          <r:license licenseId="urn:foo:SecurityToken:ab12345">
            <r:grant>
              <r:keyHolder>
                <r:info>
                  <ds:KeyValue>...</ds:KeyValue>
                </r:info>
              </r:keyHolder>
              <r:possessProperty/>
              <sx:commonName>John Doe</sx:commonName>
            </r:grant>
            <r:issuer>
              <ds:Signature>...</ds:Signature>
            </r:issuer>
          </r:license>
  
          <ds:Signature>
            <ds:SignedInfo>
              ...
              <ds:Reference URI="#msgBody">
                <ds:DigestMethod
  Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
  
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference
                  URI="urn:foo:SecurityToken:ab12345"
                  ValueType="r:license" />
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
  
      </S:Header>
      <S:Body wsu:Id="msgBody">
          <PictureRequest xmlns="http://www.myCompany.com/pics">
              <Picture format="image/gif">
                  AxE1TrsRGGH...
              </Picture>
          </PictureRequest>
      </S:Body>
  </S:Envelope>
  

• XCBF Token

  XML Common Biometric Format (XCBF) juga salah satu token yang dapat diikutsertakan dalam WS-Security Header.

Inti utama dari XML Token adalah bahwa WS-Security token memiliki fleksibilitas terhadap token yang diikutsertakan pada WS-Security header.

Sumber:

• Rosenberg, Jonathan : “Securing Web Service with WS-Security”, First Edition, Sams Publising, 2004.

With a hand-in-glove relationship with the world of business, it’s key that Microsoft ensures it can keep companies data safe. That’s what prompted Steve Ballmer to whip out his checkbook to snap up PhoneFactor, a multi-factor authentication company that uses smartphones instead of code-generating security tokens. With its new toy, Redmond plans to integrate the feature into its services like SharePoint, Azure and Office 365, letting users sign on with their own device as a key element of the signing in process.

After much research, the solution to fix this is pretty simple!

Some background info: Under the health analyser, the security token service was marked as a service that could not start.

Event logs showed an error every hour, since the health analyser runs.

Error is:

Log Name:      Application
Source:        System.ServiceModel 3.0.0.0
Date:          7/14/2011 6:00:00 AM
Event ID:      3
Task Category: WebHost
Level:         Error
Keywords:      Classic
User:          NETWORK SERVICE
Computer:      109-104-81-240
Description:
WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/41149443
Exception: System.ServiceModel.ServiceActivationException: The service ‘/SecurityTokenServiceApplication/securitytoken.svc’ cannot be activated due to an exception during compilation.  The exception message is: Exception has been thrown by the target of an invocation.. —> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.InvalidOperationException: The farm is unavailable.
at Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceManager.get_Local()
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenServiceConfiguration..ctor()
— End of inner exception stack trace —
at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck)
at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean fillCache)
at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean fillCache)
at System.Activator.CreateInstance(Type type, Boolean nonPublic)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory.CreateSecurityTokenServiceConfiguration(String constructorString)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
— End of inner exception stack trace —
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
Process Name: w3wp
Process ID: 53044

I resolved this issue by going into IIS, going to the security token application pool, advanced and saw that “enable 32-bit applications” was set to true, change this to false, re-run the analyser and bamb! Problem solved.

Hope this helps.

Image via CrunchBase

On the 30th June Reuters Published a very interesting interview with Jeremy Burton the Chief Marketing Officer of RSA/EMC. The interview as published by Reuters is below.

Reuters 30/6/11 Data storage firm EMC has a good idea of who was behind an attack on its RSA security division that may have compromised SecurID keys used by 40 million employees of governments and corporations worldwide.

But Chief Marketing Officer Jeremy Burton said on Thursday the identity of the hacker or hackers was less important than what measures companies could take to defend against such attacks, and declined to name the suspected party.

“We’ve got an idea although we can’t pin it on Joe Brown from such and such. We’ve got a very good idea because of the nature of the attack but actually that’s not even that important,” he told Reuters in an interview in London.

RSA disclosed in March that hackers had stolen information that could be used to reduce the effectiveness of SecurID tokens in keeping intruders from accessing corporate networks.

It has said it believes the attackers were more interested in intellectual property than in financial gain.

SecurIDs are widely used electronic keys to computer systems designed to thwart hackers by requiring two passcodes: one fixed PIN and another six-digit number that is automatically generated, typically every 60 seconds, by the security system.

Burton reiterated that EMC was working hard to rebuild the trust of its customers in the RSA brand. “Basically, since March, we’ve been doing nothing but doing one on one sessions.”

“Where we’re at right now with our customer base is making sure that the guys who have asked for token replacement get one in a timely fashion and we’ve ramped up the manufacturing to be able to cope with that,” he said.

RSA’s reputation took a second hit after the initial disclosure of the breach in March last when hackers used technology stolen from RSA to attack defence contractor Lockheed Martin last month.

EMC has since offered to replace millions of potentially compromised SecurID electronic keys.

Burton said the company intended to ramp production of RSA tokens into the millions per month from a baseline rate of a few hundred thousand. He could not predict for how many months the increased production might continue.

EMC said last quarter its RSA margins had fallen to 54.1 percent from 67.6 percent a year earlier for costs associated with the security breach.

“If there are more costs and we need to take another charge in the name of customer satisfaction, we will,”Burton said.

EMC’s chief financial offer said in April that growth in the RSA business would slow in the short term.

RSA is small in terms of EMC’s revenue, last year accounting for $730 million (454 million pounds), or 4 percent, of its $17 billion in sales.

 Yet it is a high-profile asset whose technology EMC has used to secure the company’s other products, including its software and data storage equipment.

Companies that sell alternatives to RSA’s SecurIDs, such as Symantec and Vasco Data Security International, have leapt on the opportunity to win customers.

 Burton said he was not aware of any other customers beyond Lockheed Martin who had suffered cyber attacks as a result of the RSA security breach.

Reprint of Reuters Page which can be found here.

.

Image via Wikipedia

[From http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars]

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

VeriSign Identity Protection

•  VeriSign Identity Protection (VIP) Authentication Service helps companies to mitigate risk and maintain compliance with a scalable, reliable Two-Factor Authentication platform delivered without the high cost of infrastructure and operations.
• With VIP Authentication Service, the end user experiences a fast response and the assurance that their identity is protected by an added layer of security

A Scalable, Reliable Platform

Our flexible platform is highly available, scalable and reliable, leveraging VeriSign’s expertise in running on-demand, critical Internet infrastructure globally. With VIP, the end user’s identity information stays within your enterprise; only the security code and credential ID pass anonymously to VeriSign for validation.

A Convenient Choice of Credentials

• VIP Authentication Service supports a range of OATH-compliant credential form factors to meet the diverse needs of end users. Enterprise customers who use VIP have immediate access to the most convenient and cost effective form factors available for employees, business partners and customers.
• Freely available credentials for mobile handsets and PC desktops dramatically reduce the total cost of ownership for typical Two-Factor Authentication solutions. VeriSign also offers the most deployed and innovative hardware credentials including tokens and credit card-sized credentials.

Preferred for the Enterprise

End Users may use their VIP credential on any participating Web site that displays the VeriSign Identity Protection logo. VIP Network Members include eBay, PayPal, AOL and more.

VeriSign® Identity Protection (VIP) Access for Mobile turns a mobile phone into a two-factor authentication security device

VIP service

How It Works

• Most enterprise networks and externally facing Web sites require a username and password to identify you online. But usernames and passwords can be cracked, hacked and faked. Your VIP Access for Mobile verifies your identity by generating a unique security code or one-time password each time you use it.
• Use your VIP Access for Mobile to protect your identity, financial assets, and privacy when you sign-in to your enterprise or leading Web sites like PayPal, eBay, AOL, and other Web sites displaying the VIP Network Member logo.

පහුගිය දවසක කන්තෝරුවේ වැඩකට නොදන්නා භාෂාවක යුනිකේත අමුණ අමුණ ඉද්දි පොඩි කාලේ රහස් භාෂා එක්ක ඔට්ටු වුණු හැටි සංචාරකයාට මතක් වුණා. ඒ මතකයන් ටිකක් තමයි අද ලියන්න යන්නේ.

රහස් කේතනය ගැන සංචාරකයාගේ මතකයේ රැඳිච්ච පොත් කිහිපයක් තියෙනවා.  පළමුවැන්න තමයි ‘ප්‍රහේලිකා’ කියලා පොතක්. කතුවරයා නම් මතක නෑ [මතක කෙනෙක් ඉන්නවා නම් කරුණාකරලා කමෙන්ටුවක් දාන්න]. 1960 දශකයේ වගේ තමයි මුද්‍රණය කරල තිබ්බේ. ගණිතයට උනන්දුවක් දක්වන අයට ඉතාමත් හොඳ පොතක්. දෙදාහ අවුරුදුවල මුල් කාලේ අලුත් මුද්‍රණයක් ආවා වගේ මතකෙකුත් තියෙනවා. ඔය පොතේ තිබුණා සිංහල භාෂාවෙන් හදපු තවත් රහස් භාෂා සහ පණිවිඩ ගණනාවක්.

දෙවැන්න තමයි ‘රන් මකුණා සහ වෙනත් කතා’. මෙහි අන්තර්ගත වෙන්නේ ඒඩ්ගා ඇලන් පෝ විසින් රචිත කෙටි  කතා කිහිපයක්. සිංහලයට පරිවර්තනය කරන්නේ කේ.ජී කරුණාතිලක මහත්මයා.  මෙහි ‘රන් මකුණා’ කියන කතාවේ තියෙනවා ඉංග්‍රිසි හෝඩියට ආදේශක හෝඩියක් භාවිතා වන රහස් පණිවිඩයක් කියවා ගන්නා ආකාරය පියවරෙන් පියවර.  ඉංගිරිසි භාෂාවෙන් ලියපු ලියවිල්ලක අකුරු තියෙන සාමාන්‍ය සංඛ්‍යාතයක් තියෙනවා. වැඩියෙන්ම තියෙන්නේ ‘e’ අකුර. කතාවේ හැටියට නම් ඊළඟට එනනේ ‘a’ අකුර, හැබයි පහත විකි පිටුවේ හැටියට නම් ඊළඟට තියෙන්නේ ‘t’ අකුර.

http://en.wikipedia.org/wiki/Letter_frequency

මේ විදියට අකුරුවල සාපේක්ෂ සංඛ්‍යාතය පාවිච්චි කරලා ඉංග්‍රිසි භාෂාවෙන් ගොඩනඟලා තියෙන රහස් පණිවිඩයක් විසඳන්න පුළුවන්. මේ අකාරයටම ෂර්ලොක් හෝම්ස් ආදේශක ගැටළුවක් විසඳනවා සර් ආතර් කොනන් ඩොයිල්ගේ ‘The Adventure of the Dancing Men’ කතාවේ. මේකේ පැහදිලි කරනවා අර උඩින් කියපු දෙවෙනි අකුරේ නොගැලපීමට උත්තරේ.  සිංහල භාෂාවට මේ වාගේ අධ්‍යනයක් වෙලා තියෙනවද කියලා සංචාරකයා දන්නේ නෑ. හැබැයි වැඩේ ටිකක් සංකීර්ණ වෙයි කියලා හිතෙනවා. මොකද ඉංග්‍රිසි භාෂාවේ නම් ස්වරාක්ෂරවලට සහ ව්‍යඤ්ජනාක්ෂරවලට වෙන වෙනම අකුරු තියෙනවා. සිංහල භාෂාවේ ව්‍යඤ්ජනාක්ෂරයක් සහ ස්වරාක්ෂරයක් එක්වීමෙන් සෑදෙන ශබ්දයට වෙනම අකුරක් තියෙනවා. එතකොට හිතන්න යමක් තියෙනවා, සිංහල භාෂාවේ වැඩියෙන්ම භාවිතාවන ව්‍යඤ්ජනාක්ෂරය මොකක්ද? ඉංග්‍රිසිවල නම් ‘t’ අකුර. ඒක වෙන්නේ ‘the’ කියන වචනේ බහුලව භාවිතා වෙන හින්දා වෙන්න ඕනේ.

මීට වඩා වෙනස් ආකාරයක, සරල රහස් පණිවිඩයක් ෂර්ලොක් හෝම්ස් විඳනවා ‘The Gloria Scott’කියන කතාවේ. මෑත කාලීනව ආපු ඩෑන් බ්‍රවුන්ගේ පොත්වල මේ වාගෙ පණිවිඩ විශාල සංඛ්‍යාවක් අන්තර්ගත වෙනවා.

තවත් දෙයක් තියෙනවා නොකියාම බැරි, ඒ තමයි ඡායාරූප භාවිතා කරල පරිඝණක ඇසුරෙන් රහස් පණිවිඩ යවන්න පුළුවන්. වැඩිය විස්තර ලියන්න මේ ලිපිය ගොඩක් දික් වෙනවා. උනන්දුවක් තියෙන අය පහත විකි පිටුවෙන් බලන්න. ඔන්න ඔය උඩින් තියෙන ඡායාරූපයේ නම් එහෙම පණිවිඩ මොකුත් නෑ.

http://en.wikipedia.org/wiki/Steganography

අවසාන වශයෙන් සංදේශ කාව්‍යයයක එන කවියක් සුප්‍රසිද්ධ රහස් කේතන ක්‍රමයක් භාවිතා කරලා සංචාරකයා කේතනය කලා. උත්සාහයක් දාලා බලන්න කැමති අය.

“වසනඅ දිවනරෙදිල මිසලසිගව න්හැතු

සොල්බඅ බනිමිනුතුල මසුණිල්රපු න්න්වි

පරන්අ තවගියෙවැල සඅරිටිටෙක න්නැන

විත්රිඅ ලිරපවේවිඅ කුසුලනිමල න්වැඬ”

ප.ලි: ලිපිය පටන් ගද්දී නම් කලින් දවසක කියපු ප්‍රථමක සංඛ්‍යයා සහ අංක ගණිතයේ මූලික සිද්ධාන්තය ඇසුරෙන් ගොඩ නැඟෙන Public-Key Encryption ගැන ලියන්න හිතන් හිටියත් ලිපිය දික් වුණු නිසා අදහස අත ඇරලා දැම්මා. ඒ ගැන ඉදිරි ලිපියකින් ලියන්න සංචාරකයා බලාපොරොත්තු වෙනවා.

The Cash for Security Tokens program is looking for the best method to decommission tokens traded under the program. Anyone who has been frustrated by a lost or out-of-sync security token has probably already thought of a few ways.

Submit your suggestions for how best to “disable” a security token.

Sarah

Become a Facebook Fan
Learn More

Sarah

Baca Selengkapnya Di Sini