2016-09-18

YubiKeys demystified

When I saw the Bloodhound developer use his YubiKey at Black Hat to access GitHub (in front of hundreds of people), I knew then I had to get a YubiKey of my own!

This article documents some of the initial “hands-on” experience – with accompanying comments and conclusions.

2016-09-03

LastPass, Duo, Google “Push” for 2FA

Came back from Black Hat / Defcon all fired up about 2FA (“Two-Factor Authentication”).

I was particularly impressed when the Bloodhound developer used his YubiKey to access GitHub in front of all the hackers, er, security people.

So decided to take a quick look at LastPass, Duo, as well as Google’s new Push 2FA. The result is this 3-part series.

LastPass (or is it LostPass?)

LastPass has a great password management function. But would a better name have been “LostPass”? This article takes a quick look.

Duo: Here-a-Push, There-a-Push, Everywhere a Push-Push

Duo innovated with their 2FA (“Two-factor Authentication”) using mobile Push notification.

Although Duo’s primary focus is corporate, they have a great “freemium” version that is useful for SMBs as well as individual users.

This article takes Duo out for a test drive as well as a technical dive into Duo ssh configuration.

2016-08-07

Black Hat USA 2016 and defcon 24 - The Last Word

This year's BH and Defcon were historic. Nothing less.

It was truly "The Rise of the Machines".

defcon 24 - Notes for Friday 2016-8-06

Defcon sure has changed since the last time I was there.
This blog post has my notes from defcon 24 Friday 2016-8-06.

2016-08-06

defcon 24 - Notes for Saturday 2016-8-06

Here are my notes from Defcon 24 for Saturday 2016-8-07.

You should check out the new Bloodhound graph tool for analyzing MS AD architecture. From the Empire folks. Wow! See my notes below for more details and the link.

2016-08-05

BlackHat 2016: Some general impressions (FWIW!)

Not that my opinion counts for much.
But here are some general trends and impressions from BlackHat 2016.

Passwords as a means of protection - - - Not!

Out with the “old” – in with the “new”

In response to recent trends in password attacks, NIST is considering changing their standards on password management.


Black Hat 2016 Conference Notes

Here are some (raw, down-in-the-trenches) notes from Black Hat 2016 presentations I attended.


The whitepapers and slides can be found here: https://www.blackhat.com/us-16/briefings.html

More Black Hat 2016 Presentation Notes

Yep, another batch of presentation notes from Black Hat 2016.

Reminder that the slides and whitepapers are here: https://www.blackhat.com/us-16/briefings.html

Black Hat 2016 Presentation notes - III

Final set of Black Hat 2016 presentation notes.

2016-02-26

Big Data Malware Analysis - Novetta Totem

Novetta is working on a "Big Data" approach to Malware Analysis. Their community / proprietary product is called "Totem".

Looked at their pres at BH US 2015 and then dove into their recent report (yes - yet another one!) on the Sony incident. Surprisingly, (parts of) their Sony report is worth a read.

You can find my summary here.

2016-02-25

Microsoft's Azure Active Directory: A new paradigm for Authentication

Looked at some introductory videos for Azure Active Directory ("AAD") Developers. Wow!

MS is reinventing itself with a whole new paradigm for AuthN / IDaaS out in the cloud.

Wrote a quick report summarizing video content. You can find it here.

TL;DR summary:


  • AAD and AD become a single logical entity. On-premise AD driven from cloud-based AAD.
  • Strategic AuthN protocols are:
    • OpenID Connect (MS extension of OpenID)
    • OAuth
    • WS-Federation / SAML are *not* strategic. Neither is Windows Identity Foundation.
  • Apps (public or corporate) must be registered to AAD. After that federation is easy.
  • ADAL is MS multi-platform open-source SDK to do AuthN, also Xamarin, Apache Cordova
  • Win10 will have new AuthN flows integrated at OS level: “WebAccountManager” API
  • Whole effort is serious MS “catch-up”; work in progress, rough around edges, incomplete at times
    • E.g., kludgy support of single-page web apps with JavaScript calling multiple background Web APIs.
  • Major MS paradigm shift / change in fundamental architectural direction.


2016-02-22

AWS' Security Model; AWS MS AD support

After a long hiatus ....

Took a quick look at Amazon AWS' Security Model, followed by a closer look at their Active Directory integration offerings.

The following small report summarizes the distilled wisdom of 20-odd whitepapers for your reading pleasure and enjoyment.

AWS’ Security Model and MS AD support