Yubikey – New Hardware for Strong Authentication

07.06.2008 by Joerg Resch

Recently I came across YubiKey, a hardware token from a young Swedish company called Yubico. YubiKey is a small, slim USB device with a single button. When you press it, the device generates a one-time password and enters it for you: it enumerates as a USB keyboard and types the password into the active field, from where the application sends it to the validation server. Compared to token generators in card format, you no longer have to read a code off a display and type it in. A trojan listening to keyboard input can still see what the YubiKey types, but each password is valid only once, so a captured value is useless for a later login. One more remarkable thing is that Yubico offers an identity platform for the device, which already includes an OpenID server.
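
To make the server side of that "valid only once" property concrete, here is an added example in Go (my code, not Yubico's and not part of the original post) that models the Yubico OTP format as Yubico documents it: a 12-character public ID in the clear, followed by a 16-byte token (private ID, usage counter, timestamp, session counter, random bytes, CRC) encrypted with AES-128 and typed in the "modhex" alphabet. The example goes beyond the post in spelling out that format; the AES key, private identity and public identity in newDemoRecord are made up for the example, and the counter-comparison rule is the straightforward one (a token is accepted only if its counters are strictly higher than the last accepted ones).

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// modhex is the alphabet the key types: its scan codes are the same on common keyboard layouts.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) []byte { // s must be even-length modhex (caller checks)
	out := make([]byte, len(s)/2)
	for i := 0; i < len(out)*2; i++ {
		out[i/2] = out[i/2]<<4 | byte(strings.IndexByte(modhex, s[i]))
	}
	return out
}

// crc16: ISO 13239 CRC (init 0xffff, reflected poly 0x8408, no final XOR); a good 16-byte token yields 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1)) // shift right; XOR the polynomial if a 1 fell out
		}
	}
	return crc
}

type KeyRecord struct {
	PublicID          string // 12 modhex chars typed in the clear; the server's lookup key
	AESKey, PrivateID []byte // AES-128 key and 6-byte private identity, both secret
	LastUse           uint16 // highest usage counter accepted so far
	LastSess          uint8  // highest session-use counter seen at LastUse
}

// GenerateOTP models a button press: AES-128-encrypt the 16-byte token
// uid(6) | usage ctr(2 LE) | timestamp(3 LE) | session ctr(1) | rnd(2) | ~crc(2 LE)
// and "type" the public ID followed by the ciphertext in modhex.
func GenerateOTP(rec *KeyRecord, useCtr uint16, tstp uint32, sessCtr uint8, rnd uint16) string {
	p := make([]byte, 16)
	copy(p[0:6], rec.PrivateID)
	binary.LittleEndian.PutUint16(p[6:8], useCtr)
	p[8], p[9], p[10] = byte(tstp), byte(tstp>>8), byte(tstp>>16)
	p[11] = sessCtr
	binary.LittleEndian.PutUint16(p[12:14], rnd)
	binary.LittleEndian.PutUint16(p[14:16], ^crc16(p[:14]))
	block, _ := aes.NewCipher(rec.AESKey) // key length is fixed at enrolment (16 bytes), so this cannot fail
	enc := make([]byte, 16)
	block.Encrypt(enc, p)
	otp := rec.PublicID
	for _, c := range enc {
		otp += string(modhex[c>>4]) + string(modhex[c&0x0f])
	}
	return otp
}

// VerifyOTP is the server side: a token is accepted once and the stored counters
// advance, so a token captured by a keylogger is rejected when replayed.
func VerifyOTP(otp string, rec *KeyRecord) error {
	if len(otp) != 44 || strings.Trim(otp, modhex) != "" || otp[:12] != rec.PublicID {
		return errors.New("otp: malformed or unknown public ID")
	}
	block, err := aes.NewCipher(rec.AESKey)
	if err != nil {
		return err
	}
	p := make([]byte, 16)
	block.Decrypt(p, modhexDecode(otp[12:]))
	if crc16(p) != 0xf0b8 || string(p[:6]) != string(rec.PrivateID) {
		return errors.New("otp: CRC or private ID mismatch (wrong key or corrupt token)")
	}
	useCtr, sessCtr := binary.LittleEndian.Uint16(p[6:8]), p[11]
	if useCtr < rec.LastUse || (useCtr == rec.LastUse && sessCtr <= rec.LastSess) {
		return errors.New("otp: replayed or stale token")
	}
	rec.LastUse, rec.LastSess = useCtr, sessCtr
	return nil
}

// newDemoRecord is a constructed enrolment for this example; key and IDs are made up.
func newDemoRecord() *KeyRecord {
	return &KeyRecord{
		PublicID:  "ccccccbcgujh",
		AESKey:    []byte("0123456789abcdef"),
		PrivateID: []byte{0x8e, 0xd3, 0x41, 0xa6, 0x2c, 0x5f},
	}
}

func main() {
	rec := newDemoRecord()
	otp := GenerateOTP(rec, 3, 0x0a0b0c, 1, 0x4242)
	fmt.Println("first use:", VerifyOTP(otp, rec)) // first use: <nil>
	fmt.Println("replay:   ", VerifyOTP(otp, rec)) // replay:    otp: replayed or stale token
}
```

The first call to VerifyOTP succeeds and records the counters; the second call with the very same string, which is exactly what a keylogger would have captured, fails the counter check. A token decrypted under the wrong key fails the CRC residue check long before the counters are looked at, which is how the server rejects tokens from keys it does not know.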

If this device holds its promise, there should be reason to worry for the other players in the strong authentication market. I wrote a mail to Yubico's CEO Stina Ehrensvärd, asking for some background and a sample device, and got an answer within minutes. So I'm now waiting for the YubiKey and will keep you informed.

CardSpace “hacked”?

06.06.2008 by Joerg Resch

I'm definitely among the last to join the crowd accusing German universities of lagging behind international standards in their educational programmes, especially in technology and computer science. But reading this press release, issued by the Faculty of Network and Data Security at University Bochum (sorry, the English version of their website does not seem to work), makes me think.

The press release says that two students of said faculty "broke" Microsoft's CardSpace with a kind of man-in-the-middle attack: they took over an existing session between a user authenticated with an Information Card and Microsoft's InfoCard sandbox by manipulating a DNS server. Reading the description of this "attack", the sophisticated part of their work was to manually change the DNS settings of their client computer so that it resolved web addresses through an internal DNS service at their institute (to which they have admin access), which they had manipulated beforehand by adding a round-robin entry for the sandbox server that redirected every second client request to a malicious system, which then stole the session token.

So, what are the lessons from this intended act of creative destruction? Yes, once again we learn (what we have known for decades now) that unless certificates are properly validated, man-in-the-middle attacks are possible regardless of the authentication methods and tools used, and that SSL/TLS provides the means to avoid this risk, likewise independently of the authentication methods and tools in place.

It is great that University Bochum is teaching their students how these things work, and eventually we may have a generation of well-educated IT experts who know how to make corporate IT infrastructures and the Internet more secure. Maybe they should add some training in web page markup to their timetable as well. If you look at this description of a "hacker course" that the university is offering, some error messages from the page's markup processor (docutils reStructuredText warnings) are rendered right into the page, like this one:

System Message: WARNING/2 (<string>, line 11)
Block quote ends without a blank line; unexpected unindent.

But what is the message behind that press release saying that University Bochum students broke "Microsoft's Identity Metasystem CardSpace"? Just to feed some outdated opinion about Microsoft producing error-prone and insecure software? In my opinion, this is not enough for a productive discussion on how to increase security.

Is GRC something different in Europe than it is in the US?

05.06.2008 by Joerg Resch

Today I listened to a podcast in which Kevin Cunningham and Darran Rolls from Sailpoint Software talk in an interview with Jackie Gilbert about the impressions they brought back home from EIC 2008. Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world, and SOX is not the only framework responsible for this increase.

I think it was Kevin who mentioned one important difference: privacy and data protection for employees seem to be more strongly regulated here in Europe than in the US. This may be true, although in reality they don't really play a role, as recent espionage cases like the one at Deutsche Telekom impressively show.

© 2010 Joerg Resch, Kuppinger Cole