02 Sep 2014

Planet Identity

Vittorio Bertocci - Microsoft: Azure AD Records User Consent for Native Apps in the Refresh Token

An alternative title for this post could have been "Why users of my native app are prompted by Azure AD for consent every time they authenticate?".
In brief: for native apps, the consent granted by the user is recorded by Azure Active Directory in the refresh token issued on the first successful [...]

02 Sep 2014 5:45am GMT

01 Sep 2014

Kuppinger Cole: Microsoft OneDrive file sync problems

In Mike Small

A number of users of Microsoft's OneDrive cloud storage system have reported problems on the Microsoft community relating to synchronizing files between devices. So far, I have not seen an official response from Microsoft. This can be very disconcerting so, in the absence of a response from Microsoft, here are some suggestions to affected users. These worked for me but - in the absence of a formal response from Microsoft - I can offer no cast-iron guarantees.

What is the problem? It appears that files created on one device are synced to another device in a corrupt state. This only seems to affect Microsoft Office files (Word, Excel, PowerPoint etc.) which have been created or updated since around August 27th. It does not appear to affect other types of files such as .pdf, .jpg and .zip, for example. When the user tries to access the corrupt file, they get a message of the form "We're sorry, we can't open the <file> because we found a problem with its contents".

This problem does not affect every device but it can be very disconcerting when it happens to you! The good news is that the data appears to be correct on the OneDrive cloud and - if you are careful - you can retrieve it.

Have I got the problem? Here is a simple test that will allow you to see if you have the problem on your device:

  1. Create a simple Microsoft Office file and save it on the local files store of the device. Do not save it on the OneDrive system.
  2. Log onto OneDrive https://onedrive.live.com/ using a browser and upload the file to a folder on your OneDrive.
  3. Check the synced copy of the file downloaded by the OneDrive App onto your device. If the synced file is corrupted you have the problem!
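The comparison in step 3 can be made mechanical. The following is an added example, not code from the original post: it hashes the file you created locally and the copy the OneDrive app synced back, and, because Office 2007+ files (.docx, .xlsx, .pptx) are ZIP containers, it also runs a CRC check over every part of the synced copy, which is the kind of damage Office reports as "a problem with its contents". The file paths and the minimal sample package it builds are constructed for the demonstration.

```python
"""Verify a synced copy against the original you created locally.

Added example, not part of the original post. Inputs are two paths: the
file saved to local storage in step 1 and the copy the OneDrive app synced
down in step 3. The sample .docx built below is a constructed, minimal
OOXML-shaped package used only so the check can run stand-alone.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile
import zlib

# Constructed sample parts (not a real Word document, just enough structure).
SAMPLE_CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'<Override PartName="/word/document.xml" '
    b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b'</Types>'
)
SAMPLE_DOCUMENT = b'<w:document><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large Office files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ooxml_integrity(path):
    """Return (ok, detail). ok is False when the ZIP container cannot be read,
    lacks the mandatory [Content_Types].xml part, or any part fails its CRC."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return False, "missing [Content_Types].xml (not an OOXML package)"
            bad = zf.testzip()  # returns the first member whose CRC does not match
            if bad is not None:
                return False, "CRC mismatch in member %s" % bad
            return True, "%d members, all CRCs valid" % len(names)
    except (zipfile.BadZipFile, zlib.error, OSError) as exc:
        return False, "unreadable container: %s" % exc


def compare_synced(original, synced):
    """The actual check: byte-identical hashes and a sound container on the synced side."""
    ok, detail = ooxml_integrity(synced)
    return {
        "hash_match": sha256_file(original) == sha256_file(synced),
        "synced_container_ok": ok,
        "detail": detail,
    }


def write_sample_docx(path):
    # ZIP_STORED keeps parts uncompressed, so the simulated damage below shows
    # up as a CRC mismatch instead of a decompressor error.
    with zipfile.ZipFile(path, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", SAMPLE_CONTENT_TYPES)
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT)


def write_corrupted_copy(good, corrupt):
    """Simulate a damaged sync: flip bytes inside the first part's data region."""
    with zipfile.ZipFile(good) as zf:
        info = zf.getinfo("[Content_Types].xml")
        # local file header is 30 fixed bytes + filename + extra field, then the data
        data_start = info.header_offset + 30 + len(info.filename.encode("utf-8")) + len(info.extra)
    with open(good, "rb") as f:
        buf = bytearray(f.read())
    for i in range(data_start + 10, data_start + 26):
        buf[i] ^= 0xFF
    with open(corrupt, "wb") as f:
        f.write(buf)


def demo():
    """Run the check against a faithful synced copy and a corrupted one."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "local.docx")
        good_sync = os.path.join(d, "synced_good.docx")
        bad_sync = os.path.join(d, "synced_bad.docx")
        write_sample_docx(original)
        shutil.copyfile(original, good_sync)
        write_corrupted_copy(original, bad_sync)
        return compare_synced(original, good_sync), compare_synced(original, bad_sync)


if __name__ == "__main__":
    good, bad = demo()
    print("faithful sync:", good)
    print("damaged sync: ", bad)
```

Against real files, call `compare_synced("C:/Users/you/Documents/test.docx", "C:/Users/you/OneDrive/test.docx")` (paths are placeholders); a hash mismatch alone means the synced bytes differ, while a failed container check is the case the post describes, where Office refuses to open the file.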

What can I do? Do not panic - the data seems to be OK on the OneDrive cloud. Here is how I was able to get the data back onto my device:

  1. Log onto OneDrive https://onedrive.live.com/ using a browser and download the file to your device - replace the corrupt copy.
  2. Do NOT delete the corrupt file on your device - this will send the corrupt version to the recycle bin. It will also cause the deletion of the good version on other devices.
  3. It is always a good idea to run a complete malware scan on your devices. If you have not done so recently, now is a very good time. I did that but no threats were detected.
  4. Several people, including me, have followed the advice on how to troubleshoot sync problems published by Microsoft - but this did not work for me or them.
  5. I did a complete factory reset on my Surface RT - this did not help. Many other people have tried this also to no avail.

Is there a workaround? I have not yet seen a formal response from Microsoft, so here are some things that all worked for me:

  1. Accept the problem and whenever you find a corrupt file perform a manual download as described above.
  2. Use WinZip to zip files that are being changed. It seems that .zip files are not being corrupted.
  3. Protect your Office files using a password - it appears that password protected files are not corrupted. In any case KuppingerCole recommends that information held in cloud storage should be encrypted.
  4. Use some other cloud storage system or a USB drive to share these files.

This example illustrates some of the downsides of using a cloud service. Cloud services are very convenient when they work, but when they don't work you may have very little control over the process to fix the problem. You are completely in the hands of the CSP (Cloud Service Provider). If you are using a service for business, access to the data you are entrusting to the CSP may be critical to your business operations. One of the contributors to the Microsoft support community described how, since he was unable to work, he was getting no pay; this is a graphic illustration of the problem.

KuppingerCole can offer research, advice and services relating to securely using the cloud. In London on October 7th KuppingerCole will hold a Leadership Seminar on Risk and Reward from the Cloud and the Internet of Things. Attend this seminar to find out how to manage these kinds of problems for your organization.

Mike Small August 31st, 2014.

01 Sep 2014 8:19am GMT

30 Aug 2014

Anil John: Attributes are the New Money

I said it. This is what I meant

30 Aug 2014 5:30pm GMT

Nat Sakimura: My Number character's name decided: "Maina-chan"!

The name of the mascot character for the common number system for social security and taxation (the My Number system), for which a public call for entries was announced earlier, was announced on Friday the 29th [1]. "Maina-chan". This came out of a public […] held from Friday June 20 to Monday July 21.

30 Aug 2014 2:29am GMT

29 Aug 2014

Andreas Åkre Solberg - Feide/UNINETT: HTTPjs – a new API debugging, prototyping and test tool

Today, we released a new API debugging, prototyping and test tool that is available at http://httpjs.net. When you arrive at the site, you'll immediately be delegated a separate subdomain, such as http://f12.http.net. This subdomain is now ready to receive …

29 Aug 2014 7:27am GMT

Ian Yip: How to spot a meaningless contributed article

What is a contributed article? They're the ones where the author works for a vendor or solution provider and not the publication. In other words, their day job is not as a journalist. I'm speaking from first-hand experience, as I've written a number for various publications and understand the process.

Contributed articles do not typically involve any form of payment. When they do, reputable publications will disclose this fact. More commonly, they are freely given to a publication based on a brief that was provided. For example, a publication may say they are interested in a contributed article about a new smartphone's features and the implications on digital security. A vendor's marketing and public relations team will then work with a subject matter expert (SME) on crafting such an article for submission. Of course, if the SME isn't really one, then nothing will save the article.

Naturally, the process results in content of varying quality. The worst ones are typically not written by the individual, but ghost-written by someone else (usually without sufficient domain expertise). The vendor spokesperson/SME simply gets the byline. These end up sounding generic and the reader learns nothing.

More commonly, the resulting article is an equal and collaborative effort between everyone involved. While this is marginally better, it still sounds inauthentic, somewhat generic and provides little value. Why? The keyword here is "equal". The SME needs to be the main contributor instead of simply providing their equal share of input.

The best contributed articles are the ones written by someone:
  1. With the necessary domain expertise.
  2. That knows how to write.
  3. That has the time to do it.
  4. Willing to allow an editor/reviewer to run their virtual red pens through it without getting offended.
  5. That is not blatantly trying to sell something.

Unfortunately, contributed articles tend to be mediocre or just terrible, and that is a real shame, because there are lots of really smart people who could produce great content (with some help and editing) if they weren't under corporate pressure to be 100% "on message". The art, of course, is to be "on message" subtly while still being able to contribute to the conversation in a meaningful way.

So how do you spot a meaningless contributed article? They usually look like this...

Meaningless headline that was put here for click-baiting purposes

You know that issue that's been in the news this week? And that other bit of similar news from last week? Oh, and those other countless ones from the past few months? They're only going to get worse because of buzzword 1, buzzword 2 and buzzword 3. Oh, don't forget about buzzword 4.

That large analyst firm, their biggest competitor and that other one that tries really hard to be heard all agree. Here's some meaningless statistic and a bunch of percentages from these analyst firms that prove what I'm saying in the previous paragraph is right. I'm adding some independent viewpoints here people, so it's not just about what I'm saying, even though it is.

So what to do about all this? You should be really worried about solving the problem you may or may not have had but now that I've pointed it out, you definitely have it. You aren't sure? Well, then listen to this.

Here's an anecdote I may or may not have made up about some organisation that shall remain nameless but is in a relevant industry relating to what I'm trying to sell you, oh wait, that I'm providing advice on because you've got this really big issue that you're trying to solve but just don't know you need to solve it yet but will do once you've read this.

So how do you solve your problem? Well, the company I work for happens to have a solution for this problem that you've now got. I won't be so blatant as to tell you this, but you will no doubt look me or my company up that search engine thing and see what we do and put it all together and then contact our sales team who will then sell it to you so I can get paid.

Here is another anecdote I may or may not have made up about how an organisation has solved the issues I've so clearly laid out for you that can so easily be solved, as shown by this very real (or fictitious, nameless) organisation.

My word limit is almost up, so I'll tell you what I've already told you but just in a slightly different way. In conclusion, you're screwed unless you solve this really generic issue with the silver bullet that organisation x used. So, buy my stuff.

I'm not saying every article with these characteristics is terrible. But very often, the "I have a hammer to sell, so everything is a nail" articles are structured this way. They are generic and leave the reader with the feeling that they just read a bunch of random words. I, for one, stop reading an article when it starts to smell like this.

Note:
For the record, I NEVER allowed my articles to be ghost-written, much to the frustration of the people managing the whole process. The problem this introduced was that content could not be churned out as quickly because I became the bottleneck. I wouldn't even agree to have someone else start the article for me. I had to start it from scratch and have final approval on it (once my drafts were run past a set of editors and reviewers of course). This made for more authentic, balanced content while still maintaining some level of being "on message", which kept marketing happy.

29 Aug 2014 4:55am GMT

28 Aug 2014

Vittorio Bertocci - Microsoft: Use ADAL to Connect Your Universal Apps to Azure AD or ADFS

In short: using ADAL from a Universal App is easy, but not obvious.
From what we hear, your experience is that you try to add a reference to the ADAL NuGet in the shared project - and it fails.
There are a number of reasons for that. This post will give a bit [...]

28 Aug 2014 7:49am GMT

27 Aug 2014

Nat Sakimura: C.P.E. Bach, the father of classical music: 300 years since his birth

Ah, I've gone and given it a sensational title again... But C.P.E. Bach (Carl Philipp Emanuel Bach), whose 300th birth anniversary falls this year, the second son of the great Bach (J.S. Bach): to call him classical music in the narrow sense, that is, Classical-period mu[…]

27 Aug 2014 5:57pm GMT

26 Aug 2014

Courion: Same “Stuff”, Different Day

Access Risk Management Blog | Courion

Chris Sullivan

On August 20th, UPS Stores announced that they hired a private security company to perform a review of their Point of Sale (PoS) systems after receiving Alert (TA14-212A) Backoff Point-of-Sale Malware about a new form of PoS attack and, surprise, they found out that they had a problem. They released some information about which stores and the type of information was exposed, but little else. Freedom of Information Act requests have already been filed.

What followed was the predictable media buzz, where it was postulated that this was yet another PoS breach similar to those that affected Neiman Marcus and Target. While there is some truth in this, there are interesting bits that make this case very different.

What's different?

  • This was a brute force password attack against remote desktop applications (the list named in the Alert includes Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn).

  • Because UPS is a franchise, the PoS systems are not centrally managed, so each store was individually hacked. This might explain why the actual impact was low (1% of the stores affected) and why UPS is not completely certain what was taken.

  • At the time of the breach, the malware was not detectable with conventional tools.

What's the same?

  • It was a Point of Sale (PoS) based attack using one of many PoS rootkits.

  • The initial compromise provided access to privileged accounts, enabling lateral movement and control of the payment systems.

  • Alert (TA14-212A) guidance on access-related controls to reduce this type of risk is:

      • Define complex password parameters

      • Limit administrative privileges for users and applications

      • Assign strong password security solutions to prevent application modification

      • Implement least privileges and ACLs on users and applications on the system.

  • The official guidance fails to recognize that periodic reviews are done too infrequently and too superficially to prevent or, in most cases, even detect such activities.

  • European Union residents, armed with EMV protected cards, may feel they are immune to these problems. If this were the case, then why are we seeing a dramatic rise in the use of card scrapers throughout Europe? Perhaps that's a topic for another time.
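The "what's different" bullet above describes a brute-force password attack against remote desktop logons on individually managed store systems. The post's own point is that periodic reviews are too infrequent to catch this, so here is an added example (not from the Courion post or from the US-CERT alert it cites) of the continuous check a store would want: a small detector that counts failed remote logons per source address within a sliding window, raises an alert when the count crosses a threshold, and raises a second, more serious alert when a successful logon from the same source follows that burst. The log lines are constructed key=value records; the event numbers 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows Security event identifiers you would map a native event feed onto, while the hostname, user names and addresses are sample values.

```python
"""Brute-force detection over remote desktop logon events.

Added example, not part of the original post. Input is a list of constructed
key=value log lines; on a real system you would feed it Windows Security
events 4625/4624 with their logon type. Threshold and window are tunable.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst of failures from 203.0.113.77 against
# the Administrator account, followed by a success from the same source;
# a slow trickle from 198.51.100.9 and a clean logon from 192.0.2.10.
SAMPLE_LOG = """\
2014-08-15T03:11:50Z host=POS-STORE-0412 event=4625 user=Administrator src=203.0.113.77 logon_type=3
2014-08-15T03:12:01Z host=POS-STORE-0412 event=4625 user=Administrator src=203.0.113.77 logon_type=10
2014-08-15T03:12:05Z host=POS-STORE-0412 event=4625 user=Administrator src=203.0.113.77 logon_type=10
2014-08-15T03:12:09Z host=POS-STORE-0412 event=4625 user=admin src=203.0.113.77 logon_type=10
2014-08-15T03:12:14Z host=POS-STORE-0412 event=4625 user=Administrator src=203.0.113.77 logon_type=10
2014-08-15T03:12:18Z host=POS-STORE-0412 event=4625 user=Administrator src=203.0.113.77 logon_type=10
2014-08-15T03:12:22Z host=POS-STORE-0412 event=4625 user=Administrator src=203.0.113.77 logon_type=10
2014-08-15T03:12:40Z host=POS-STORE-0412 event=4624 user=Administrator src=203.0.113.77 logon_type=10
2014-08-15T03:20:00Z host=POS-STORE-0412 event=4625 user=clerk src=198.51.100.9 logon_type=10
2014-08-15T03:28:00Z host=POS-STORE-0412 event=4625 user=clerk src=198.51.100.9 logon_type=10
2014-08-15T04:00:00Z host=POS-STORE-0412 event=4624 user=clerk src=192.0.2.10 logon_type=10
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # Windows logon type for Remote Desktop sessions


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with typed timestamp and integers."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = int(rec["event"])
    rec["logon_type"] = int(rec["logon_type"])
    return rec


def detect(lines, threshold=5, window=timedelta(minutes=5), rdp_only=True):
    """Return a list of alerts in the order they fire.

    brute_force: the threshold-th failure from one source against one host
    inside the window (fires once per crossing, not on every later failure).
    success_after_burst: a successful logon while at least `threshold`
    failures from that source are still inside the window.
    """
    recent_failures = defaultdict(deque)  # (host, src) -> timestamps of 4625s
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rdp_only and rec["logon_type"] != REMOTE_INTERACTIVE:
            continue
        key = (rec["host"], rec["src"])
        q = recent_failures[key]
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if rec["event"] == FAILED_LOGON:
            q.append(rec["ts"])
            if len(q) == threshold:
                alerts.append(_alert("brute_force", rec, len(q)))
        elif rec["event"] == SUCCESSFUL_LOGON and len(q) >= threshold:
            alerts.append(_alert("success_after_burst", rec, len(q)))
    return alerts


def _alert(kind, rec, failures):
    return {
        "kind": kind,
        "host": rec["host"],
        "src": rec["src"],
        "user": rec["user"],
        "failures": failures,
        "at": rec["ts"].isoformat(),
    }


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

On the sample the detector fires once for the burst and once for the success that follows it; the two failures from 198.51.100.9 are eight minutes apart and never accumulate. Passing `rdp_only=False` also counts the network logon failure at 03:11:50, which shows why filtering on logon type matters when the control you are watching is specifically the remote desktop exposure named in the alert.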

What can you do to deter a breach that takes advantage of vulnerabilities in your identity and access equation? Begin by practicing good hygiene by following the identity and access controls recommended in Alert (TA14-212A), the 2014 Verizon Data Breach Report and the SANS Security Controls Version 5, as outlined by my colleague Brian Milas in this blog post.

What can you do to detect a breach as soon as possible? Brian points out in the same post that by using an intelligent IAM solution, you will be better equipped to minimize the type of access risk that leads to a breach by provisioning users effectively from the start, but you will also be better able to detect access risk issues as they happen and remediate them on an ongoing basis by leveraging continuous monitoring capabilities.

The point is, regardless of the exact details and mechanisms employed in an attack, you can and should do what is under your control to minimize risk and equip yourself for early detection. Identity and access intelligence is a good place to start.

blog.courion.com

26 Aug 2014 7:24pm GMT

Vittorio Bertocci - Microsoft: The Common Endpoint: Walks Like a Tenant, Talks Like a Tenant… But Is Not a Tenant

The common endpoint is one of the most powerful development features of AAD - unfortunately, it is also one of the least intuitive ones. In this post I will give you a brief taste of what it does, what it is useful for, and how ADAL surfaces its strange properties.

Azure AD Tenant Endpoints

You [...]

26 Aug 2014 7:34am GMT

25 Aug 2014

ForgeRock: Creating an Uber Customer Experience Multiverse

Last week Uber and Expensify inked a fascinating deal. The two services will seamlessly integrate so Expensify customers can now order Uber cars based on travel reservations submitted to Expensify. According to the joint announcement: "upon landing, an Uber can be automatically ordered to take the traveler straight to their...

The post Creating an Uber Customer Experience Multiverse appeared first on ForgeRock.

25 Aug 2014 11:07pm GMT

Nat Sakimura: Government plans to introduce "income-contingent repayment scholarships" using My Number

The Ministry of Education, Culture, Sports, Science and Technology has settled on a policy of introducing an "income-contingent repayment" scheme into the scholarship system for university students from fiscal 2018. Income-contingent repayment is a system adopted in the UK, Australia and the US, in which the monthly repayment amount varies with annual income after graduation. Increases in the economy or in annual income […]

25 Aug 2014 1:33pm GMT

Nat Sakimura: Class action against Facebook in Vienna – suspected privacy law violations

A class action lawsuit against Facebook has begun to move forward after a Vienna court ruled that Facebook must deal with the privacy-related complaints against it. In early August, privacy activist and lawyer Max Schr […]

25 Aug 2014 12:42pm GMT

Julian Bond: Yet another warning

Yet another warning
http://www.theguardian.com/environment/2013/jun/30/stephen-emmott-ten-billion

"If we discovered tomorrow that there was an asteroid on a collision course with Earth and – because physics is a fairly simple science – we were able to calculate that it was going to hit Earth on 3 June 2072, and we knew that its impact was going to wipe out 70% of all life on Earth, governments worldwide would marshal the entire planet into unprecedented action. Every scientist, engineer, university and business would be enlisted: half to find a way of stopping it, the other half to find a way for our species to survive and rebuild if the first option proved unsuccessful. We are in almost precisely that situation now, except that there isn't a specific date and there isn't an asteroid."

Then there would be a large number of people who didn't expect to be around in 2072 and didn't want to give up what they currently have in the meantime. There'd be the people who denied the asteroid existed. And then there would be the 5 Bn people who didn't even know about the asteroid and were mostly focused on getting enough to eat and drink to survive another day.

Of course a world of 4B or 2B or 1B people in 100 years might well be a more pleasant place. But nobody will talk about the process of getting from the current 7B to the peak of 10B to a sustainable 1B. Because it ain't pretty.

Humans: the real threat to life on Earth
If population levels continue to rise at the current rate, our grandchildren will see the Earth plunged into an unprecedented environmental crisis, argues computational scientist Stephen Emmott in this extract from his book Ten Billion

[from: Google+ Posts]

25 Aug 2014 7:39am GMT

Kuppinger Cole: Executive View: IBM Security Policy Management - 70953

In KuppingerCole

Some years ago IBM brought out a brilliant product in the Tivoli Security Policy Manager (TSPM), a tool to centralize policy administration for access control solutions. It was IBM's first foray into attribute-based access control and provided a "discrete" externalized authentication tool to service multiple "relying" applications. It was released under the very successful Tivoli branding because it was part of the IDM identity management product line...

25 Aug 2014 6:09am GMT