YubiKeys demystified

When I saw the Bloodhound Developer use his YubiKey at Black Hat to access GitHub (in front of hundreds of people), I knew then I had to get a YubiKey of my own!

This article documents some of the initial “hands-on” experience – with accompanying comments and conclusions.


LastPass, Duo, Google “Push” for 2FA

Came back from Black Hat / Defcon all fired up about 2FA (“Two-Factor Authentication”).

I was particularly impressed when the Bloodhound developer used his YubiKey to access GitHub in front of all the hackers, er, security people.

So decided to take a quick look at LastPass, Duo, as well as Google’s new Push 2FA. The result is this 3-part series.

LastPass (or is it LostPass?)

LastPass has a great Password Management function. But would a better name have been “LostPass”? This article takes a quick look.

Duo: Here-a-Push, There-a-Push, Everywhere a Push-Push

Duo innovated with their 2FA (“Two-factor Authentication”) using mobile Push notification.

Although Duo’s primary focus is corporate, they have a great “freemium” version that is useful for SMBs as well as individual users.

This article takes Duo out for a test drive as well as a technical dive into Duo ssh configuration.


Black Hat USA 2016 and defcon 24 - The Last Word

This year's BH and Defcon were historic. Nothing less.

It was truly "The Rise of the Machines".

defcon 24 - Notes for Friday 2016-8-06

Defcon sure has changed since the last time I was there.
This blog post has my notes from defcon 24 Friday 2016-8-06.


defcon 24 - Notes for Saturday 2016-8-06

Here are my notes from Defcon 24 for Saturday 2016-8-07.

You should check out the new Bloodhound graph tool for analyzing MS AD architecture. From the Empire folks. Wow! See my notes below for more details and the link.


BlackHat 2016: Some general impressions (FWIW!)

Not that my opinion counts for much.
But here are some general trends and impressions from BlackHat 2016.

Passwords as a means of protection - - - Not!

Out with the “old” – in with the “new”

In response to recent trends in password attacks, NIST is considering changing their standards on password management.

Black Hat 2016 Conference Notes

Here are some (raw, down-in-the-trenches) notes from Black Hat 2016 presentations I attended.

The whitepapers and slides can be found here: https://www.blackhat.com/us-16/briefings.html

More Black Hat 2016 Presentation Notes

Yep, another batch of presentation notes from Black Hat 2016.

Reminder that the slides and whitepapers are here: https://www.blackhat.com/us-16/briefings.html

Black Hat 2016 Presentation notes - III

Final set of Black Hat 2016 presentation notes.


Big Data Malware Analysis - Novetta Totem

Novetta is working on a "Big Data" approach to Malware Analysis. Their community / proprietary product is called "Totem".

Looked at their pres at BH US 2015 and then dove into their recent report (yes - yet another one!) on the Sony incident. Surprisingly, (parts of) their Sony report is worth a read.

You can find my summary here.


Microsoft's Azure Active Directory: A new paradigm for Authentication

Looked at some introductory videos for Azure Active Directory ("AAD") Developers. Wow!

MS is reinventing itself with a whole new paradigm for AuthN / IDaaS out in the cloud.

Wrote a quick report summarizing video content. You can find it here.

TL;DR summary:

  • AAD and AD become a single logical entity. On-premise AD driven from cloud-based AAD.
  • Strategic AuthN protocols are:
    • OpenID Connect (MS extension of OpenID)
    • OAuth
    • WS-Federation / SAML are *not* strategic. Neither is Windows Identity Foundation.
  • Apps (public or corporate) must be registered to AAD. After that, federation is easy.
  • ADAL is MS multi-platform open-source SDK to do AuthN, also Xamarin, Apache Cordova
  • Win10 will have new AuthN flows integrated at OS level: “WebAccountManager” API
  • Whole effort is serious MS “catch-up”; work in progress, rough around edges, incomplete at times
    • E.g. kludgy support of single-page web apps with JavaScript calling multiple background Web APIs.
  • Major MS paradigm shift / change in fundamental architectural direction.


AWS' Security Model; AWS MS AD support

After a long hiatus ....

Took a quick look at Amazon AWS' Security Model, followed by a closer look at their Active Directory integration offerings.

The following small report summarizes the distilled wisdom of 20-odd whitepapers for your reading pleasure and enjoyment.

AWS’ Security Model and MS AD support