CONFERENCE ROUNDUP

Security Sleuths Search for a Single Sign-On Solution

Security vendors are working to create a single sign-on that would make it easy for users to log on to the Web and to different Web sites. Project Concordia — formed last year by vendors offering electronic identity products to create a harmonized standard and ensure identity initiatives and protocols can interoperate — held a series of demonstrations by seven vendors: FuGen Solutions, Internet2, Microsoft, Oracle, Ping Identity, Sun Microsystems and Symlabs.

Sponsored by the Liberty Alliance and Microsoft, the project demonstrated interoperability scenarios using Liberty Alliance and Microsoft (Information Card, Liberty Alliance and WS-*) identity protocols.

The demonstrated solutions were still pretty rough, but “this is not the end product,” Ashish Jain, Ping Identity’s director of technology, said during his presentation.

One of the things the demos showed was that Microsoft CardSpace “is a step in the right direction,” Brian Campbell, senior engineer and architect at Ping Identity, told TechNewsWorld.

Sandbox Analyzer Traps Malware, Picks It Apart

Norman Data Defense Systems showed off its Sandbox Analyzer malware forensics analyzer for the government and corporate IT security markets. It is the only company in the U.S. to make this kind of tool commercially, and one of only three in the world.

The Sandbox Analyzer product line is a collection of high-powered security applications and services that let IT teams analyze files in-house so they can identify, reverse engineer and debug malware instantly.

A new feature lets analysts use automatic analysis and advanced debugging on the trickiest packers, such as Themida, which is a component that reduces the executable size of an application.

This is for large organizations as “they are the ones who can afford their own malware analysis teams; companies with only 600 to 700 people cannot,” Arvid Gomez, Norman Data’s vice president, OEM and technology sales, told TechNewsWorld.

Malware will always be with us because “there is no perfect solution,” Norman Data’s chief research officer and internationally renowned computer security expert Righard J. Zwienenberg told TechNewsWorld. Also, malware is plentiful and is mutating very rapidly. “You download a Trojan from servers in Brazil and, a millisecond later, you download another one that looks just the same but has been recompiled.”

VeriSign’s New Authentication Tool

At the show, VeriSign announced its VIP (VeriSign Identity Protection) solution, which consists of two services. One is VIP Authentication, a two-factor authentication solution offered in Software as a Service (SaaS) form. The other is the VIP Credential.

The VIP Credential consists of a credit card-sized device that generates a six-digit number forming the basis of a password. VeriSign uses an open standards-based algorithm for this.

This algorithm has a static factor, which is known to VeriSign, and a dynamic factor, which is the password. The system adds time, or another factor, to the static factor and runs a calculation that will generate the password. VeriSign’s servers do the same thing and match their password to that generated by the user.

Because VeriSign uses an open algorithm published through the Initiative for Open Authentication, OATH, “you don’t have to buy the devices from us, you can buy them from the 70 other companies that work with the OATH standard, and it will work with us,” Kerry Loftus, VeriSign’s vice president of consumer authentication, told TechNewsWorld.

VeriSign also announced the QuickStart Program, under which it offers enterprises 5,000 free credentials each to distribute to their customers in a bid to add to the 17 enterprises that are already part of the VeriSign network. These 17 include eBay and PayPal, and Loftus said VeriSign has 2 million credentials out there through the network.

VeriSign also announced that AOL has signed on as a member of its network, which means “we can support OpenID in other environments,” Loftus said.

At RSA, VeriSign also announced the Test Drive Program, under which it will “open up the hood and publish our APIs” and publish “10 or so” soft credentials so that any enterprise that wants to test its environment or build hooks to it can use those application programming interfaces.

FireScope Puts IT Monitoring on iPhone

One problem enterprise IT support always faces is that its staff gets multiple reports on multiple devices when things go wrong.

FireScope offers a product that will change this — the Engage navigation system for secure IT operations.

This uses a 42-inch touch-screen interface in the operations room that provides a visual map of all IT operations. The mobile device for users: the iPhone.

The dashboard consolidates reports from every piece of equipment. “Typically, IT ops has to deal with reports from a dozen devices; we give them all the reports on a single dashboard,” Ryan Counts, FireScope’s director of marketing, told TechNewsWorld.

Not only that, but users also are told the impact of the failed equipment on business. “When you’re in a meeting with management and you get an alert, you want to know whether it’s a redundant router and so you won’t have to leave the meeting, or it’s something that will have a huge impact on the business, and it’s going to cost you (US)$3,000 an hour until it’s fixed, so you’d better get out there,” Counts added.

FireScope selected the iPhone for mobile use because “when you look at mobile Web usage, iPhones are off the chart in terms of Web access, and now with Apple’s release of its SDK (software development kit), it opens up new possibilities and we can use the iPhone as a complete interface for IT support management.”

FireScope is also looking at a Wireless Access Protocol interface for Web-based access.

Whether or not FireScope extends its reach to Android or other mobile Linux phones “will depend on how that plays out in our customer base,” Counts said.


More by Richard Adhikari