Tuesday, April 29, 2008

Active Directory Cookbook, 3rd Edition updated for ILM

I was recently given the great honor of contributing to the already stellar body of work put forth by Robbie Allen and Laura Hunter on the previous two editions of the Active Directory Cookbook, published by O'Reilly Media Inc.

I will be updating the chapter on MIIS (contributed originally by Gil Kirkpatrick of NetPro and Stephen Plank of Microsoft), converting much of the language from MIIS to ILM, inserting a full primer, and expanding on some of the recipes. Unfortunately, I don't think this is the right venue for my Jambalaya recipe!

Monday, April 28, 2008

GroupWise, LDIFDE and the anonymous bind

So over the weekend I had an interesting opportunity to bring the power of ILM to bear on a GroupWise to Exchange migration. The first hurdle was to get the data out of GroupWise and into ILM for processing while filtering for the object classes I cared about. The idea was to push 1100+ distribution lists into AD complete with memberships. This is pretty close to what I used over the weekend to have LDIFDE export the contents of an LDAP-enabled GroupWise directory:

ldifde -f export.ldif -s -r "(|(objectClass=organizationalUnit)(objectClass=inetOrgPerson)(objectClass=groupWiseDistributionList))" -p Subtree -l "o,ou,objectClass,member,cn,dn,nGWBlindCopyMember,nGWCarbonCopyMember,description,uid,mail,nGWVisibility,fullname,emailAddress" -a "" *

Now I know squat about GroupWise, and whether or not LDAP interfaces to it are a big deal is luckily not what I am here to talk about. You see, after much wrangling with Softerra's LDAP Browser and not being able to filter attributes on the LDIF export, I decided to tackle something I knew I could control the attribute filter for - LDIFDE. The only issue here was that this particular instance of GroupWise LDAP only supported anonymous bind, and I couldn't find anything that talked about doing an anonymous bind using LDIFDE.

"Can't be done," you say? Bah, check out the innocuous -a "" * at the end of that command line. It performs an anonymous bind! The -a switch takes a user DN and a password, and * tells LDIFDE to prompt for the password; give it an empty DN and just press Enter at the prompt, and the simple bind goes out with an empty name and an empty password, which is exactly what an LDAP server treats as an anonymous bind. Two things worth keeping in mind: whatever comes back is limited to what the directory's ACLs expose to anonymous clients, so a missing attribute may be an ACL problem rather than a filter problem, and a directory that hands 1100+ lists complete with memberships to anyone who asks is something the GroupWise owners should probably hear about.

"I knew that," you say? Gee thanks, how about telling the rest of us?

"Hey, use the OpenLDAP XMA," you say? Sure, but this was supposed to be one of those "I'll knock this out in a few hours" deals, and LDIF was going to be faster in my mind. Plus I was stubborn and committed to LDIF.

"How did it go," you ask? After the typical complement of fixing mangled CNs, displayNames, and DNs, and having the duplicate sAMAccountNames I generated fixed in the source, I'd say it went rather well. At least my blog-term memory now has a handy coupla' filters and a dandy new method for binding anonymously.
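The mangled names and duplicate sAMAccountNames are the part of a job like this that bites after the import, so here is an added example (my own code for this page, not from the original post or from ILM) of pre-flighting an LDIFDE export before anything is pushed into AD. It parses the LDIF properly (folded lines, base64 values, multi-valued attributes), keeps only the groupWiseDistributionList records, derives the sAMAccountName the way a naive flow rule would (strip characters AD rejects, drop whitespace, cut to 20 characters) and reports which source lists would collide on the same name. The LDIF at the top is constructed for the example; the o=example naming, the attribute list and the name-derivation rule are assumptions, not anything GroupWise or ILM actually emits.

```python
"""Pre-flight an LDIFDE export of GroupWise distribution lists before ILM
pushes them into AD.  Added example; the LDIF below is constructed sample
data, not a real GroupWise export."""
import base64
import re
from collections import defaultdict

# Characters AD rejects in sAMAccountName, and the 20-character limit on the
# pre-Windows 2000 name that a flow rule would stamp on the new group.
SAM_INVALID = re.compile(r'["/\\\[\]:;|=,+*?<>]')
SAM_MAX_LEN = 20

# Constructed sample export (assumed o=example naming).  The third record
# exercises the base64 (::) and folded-line paths that ldifde produces.
SAMPLE_LDIF = """\
version: 1

dn: cn=Accounting Department North,ou=lists,o=example
objectClass: top
objectClass: groupWiseDistributionList
cn: Accounting Department North
member: cn=alice,ou=users,o=example
member: cn=bob,ou=users,o=example

dn: cn=Accounting Department South,ou=lists,o=example
objectClass: groupWiseDistributionList
cn: Accounting Department South
member: cn=carol,ou=users,o=example

dn: cn=Sales/Marketing,ou=lists,o=example
objectClass: groupWiseDistributionList
cn:: U2FsZXMvTWFya2V0aW5n
member: cn=dave,ou=users,o=example
description: Regional mail
 ing list

dn: cn=alice,ou=users,o=example
objectClass: inetOrgPerson
cn: alice
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Covers what a naive split on ':' gets wrong: continuation lines (a
    leading space joins the line to the previous one), base64 values
    ('attr:: ...') and multi-valued attributes such as member."""
    unfolded = re.sub(r'\r?\n ', '', text)          # LDIF line folding
    entries = []
    for block in re.split(r'(?:\r?\n){2,}', unfolded.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith('#'):
                continue
            m = re.match(r'^([^:]+)(::?) ?(.*)$', line)
            if not m:
                continue
            attr, sep, value = m.groups()
            if sep == '::':                           # base64-encoded value
                value = base64.b64decode(value).decode('utf-8')
            entry[attr.lower()].append(value)
        if 'dn' in entry:                             # skip the version line
            entries.append(dict(entry))
    return entries


def distribution_lists(entries):
    """Keep only records whose objectClass includes groupWiseDistributionList."""
    return [e for e in entries
            if 'groupwisedistributionlist' in (v.lower() for v in e.get('objectclass', []))]


def sam_from_cn(cn):
    """Assumed flow rule: strip characters AD rejects, drop whitespace,
    truncate to the 20-character sAMAccountName limit."""
    cleaned = re.sub(r'\s+', '', SAM_INVALID.sub('', cn))
    return cleaned[:SAM_MAX_LEN]


def find_collisions(lists):
    """Map each generated sAMAccountName (lower-cased, since AD compares it
    case-insensitively) to the source DNs claiming it; keep only duplicates."""
    claims = defaultdict(list)
    for e in lists:
        claims[sam_from_cn(e['cn'][0]).lower()].append(e['dn'][0])
    return {name: dns for name, dns in claims.items() if len(dns) > 1}


def preflight(ldif_text):
    """Summarise the export: list count, membership count, name collisions."""
    lists = distribution_lists(parse_ldif(ldif_text))
    return {
        'lists': len(lists),
        'members': sum(len(e.get('member', [])) for e in lists),
        'collisions': find_collisions(lists),
    }


if __name__ == '__main__':
    report = preflight(SAMPLE_LDIF)
    print(f"{report['lists']} lists, {report['members']} memberships")
    for sam, dns in report['collisions'].items():
        print(f"COLLISION on sAMAccountName {sam!r}: {', '.join(dns)}")
```

Run against the sample, it reports that "Accounting Department North" and "Accounting Department South" both truncate to AccountingDepartment, which is the kind of duplicate that is far cheaper to fix in the source before the first export than to untangle in AD afterwards. Swap SAMPLE_LDIF for the contents of export.ldif to run it against a real export.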

Friday, April 11, 2008

Identity Theft: Flawed Security Lets Sprint Accounts Get Easily Hijacked

So, my friend Jason Willey sent this one to me today - wow! Here is yet another example of why Q&A-based reset is a poor choice, regardless of how deep a pool of questions you can choose from.

We found you can hijack a Sprint user's account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There's also the stalker's wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this exploit. I'll show you how we cracked into a Sprint account and just how much damage I could have done, inside...

As a Sprint customer, former employee and stockholder I can say this is pretty disappointing and unfortunately becoming typical. The law of diminishing returns prevails here - in the quest for higher security and ease of use, the result can be a less secure solution overall.

And just something to note because it's ultra-cool - Jason is the basis for one of the characters in the comic book adaptation of "24".


Sunday, April 06, 2008

Letter to ING Direct

Every customer I know that is interested in password management inevitably asks for Q&A-based self-service reset because that is the standard today. These customers quickly learn how inaccurate such a system is, and that it can generate as much of a burden on the IT helpdesk as the original expired password did, or more. After all, before this "new process" I just called the helpdesk, they reset my password and it worked - now I have to struggle through this "new and improved process," leading to further frustration and lost productivity. Case in point, my recent email to the Media Relations department (the closest email I could find to the business) at ING Direct, where my savings account is:

To Whom It May Concern,

I’ve had a rather unsatisfactory experience with your PIN login and reset feature exposed on your ING Direct website. After several calls to your help desk they are unable to reset the PIN over the phone and my attempts at resetting it online are frustrated by the fact that at least one of my security questions is no longer valid. As an Architect in the Identity and Access Management space I can say that this method of password/PIN reset is inherently flawed as the information captured is relative to the time it was given and the answer to these questions will change over time leading to inaccuracy.

I’m sending this email to your department since you are most likely related to the business components within ING and not the technology side. Therefore, your requirements for ease of use and security can drive change in the customer facing portals and improve the overall customer satisfaction.

I would strongly urge you to consider implementing a technology like Windows CardSpace or OpenID. These technologies provide a secure method of authentication to web applications without the need to remember a unique account name and password for each site. While the company I work for – Ensynch, Inc. – would love a chance to speak to you about this, the most important consideration for ING is to reduce help desk support costs and improve the customer experience, which both of these technologies were designed to accomplish. Windows CardSpace also has the added benefit of providing additional phishing and identity theft deterrence built in, and the implementation of either technology would be a very small investment considering the amount of money you are spending servicing login support and mailing out PIN reset letters.

I now lose 5 to 7 days of service while I wait for them to mail me a piece of paper with my new PIN on it, and that was after spending 10 to 15 minutes speaking to customer service reps. Conservative estimates would place the cost of that call anywhere from $7 to $35, while most enterprises spend as much as $150 per call to the helpdesk. Combine that with the lost earnings ING takes while I'm not able to transfer money and this ends up being an expensive transaction.

Q&A password reset gating is not the answer here folks - the only practical alternatives internally are centered around SmartCard solutions, but in the B2C realm this boils down to InfoCard-based transactions. The password/passphrase is dead - please let it rest in peace. PINs aren't much better, but in conjunction with SmartCard self-service they are the best we have currently. Personally, I'd love to see managed InfoCards used to replace or supplement the PIN reset process as well.
