federalcto.com The Blog of a Federal CTO


Breach Directory Doc – First draft

I just posted an incomplete, and rough document here:

Going forward, this link will always have the latest, published version of the doc. For more information about the overall project, have a look here:


Your Directory Has Been Breached – landing page

This is a landing page for a project Bob Bobel and I have been working on recently. Today (May 30th, 2012), I am presenting the first draft of the slides which will be posted shortly. A white paper is due out shortly. All information will be posted on this page, so it will be revised in the coming weeks.

(2012-05-30 - 13:00 ET)
First up, here is Bob's initial post on the topic:

(2012-05-30 - 16:15 ET)
Here is the slide deck just presented at the Department of Energy NLIT Conference (National Laboratories IT Summit):

(2012-06-05 - 18:00 ET)
Here is the first (rough) draft of the document to correspond with the slides. Yes, whole sections are missing, and will be filled in during the coming weeks. Stay tuned.



Think there’s no cold war?

You think the cold war is over? You think things have settled? Have a read of this article: full-on hacking and cyber warfare is going on while we calmly surf the web. The Business Week article: China-Based Hacking of 760 Companies Shows Cyber Cold War


Meant to mention

I put up a post on 2-factor authentication here: http://www.idmwizard.com/2011/10/31/quest-on-2-factor-and-3-factor-authentication/ that can be considered an addendum to the last post I had here.

Going forward, this blog is going to be more about my travel and observations in my job as Quest's Federal CTO, and the IDM Wizard site will be for the more technical, identity-focused activity. With any luck, that site may have a new contributor as well, which is why I'm looking to revive it.


US Government Smartcards; CAC, PIV and PIV-I

Recently, I had the pleasure of trying to get some government certified smart cards for some of the technical people at Quest, and I can't believe how much of a headache and hassle it was. I actually don't work for Quest Software, but a subsidiary (Quest Software Public Sector) which is focused on the public sector space. And while most Quest employees don't have a need for government-issued or government approved smart cards, our company does. And while I knew that non-government employees can get a relatively new (a little over a year old) flavor of the PIV card called PIV-I, I was amazed at how difficult the process was to navigate. Thankfully, we have some pretty good and persistent purchasing folks, but the process is still pretty arduous for an organization that has been working with the government for years.

I won't get into all the details, but if you're interested, feel free to contact me offline.

In any case, I find myself constantly having to explain what the difference is between a smart card, a CAC, a PIV card, and now a PIV-I card. A smart card is pretty straightforward - it's a generic term, and all the other cards fall into this category. You can find a lot more details on them here at Wikipedia. In any case, the thing that makes a smart card a CAC (which means Common Access Card, so please don't say "CAC Card" as it is redundant) is that it is used by the US DoD (Department of Defense). If you want to do any work on government systems in the military, you will most likely need one of these.

Like their military counterparts, employees within civilian agencies also need smart cards. Of course, they opted for a similar, but not the same, standard. That standard is a PIV card (Personal Identification Verification). The cards are slightly different from CACs, and have varying information printed on them, depending on the issuing agency. Plus, they use a different set of CA (Certificate Authority) servers than the ones that CACs use, as the DoD have their own servers.

Finally, and this is the confusing thing, there are PIV-I cards. PIV-I stands for PIV-Interoperable. There are some great docs about PIV and PIV-I at www.idmanagment.gov, which is a site run by GSA, but I'll save you the trouble of wading through a lot of documentation. The PIV-I FAQ here states:

2.2    What is the difference between a PIV-I Card and a PIV Card?
The term “PIV Card” may only be used to describe an identity card that is fully conformant with Federal PIV standards (i.e., FIPS 201 and related documentation). Only a Federal entity is capable of fully meeting these standards and issuing a PIV Card. A PIV-I Card meets the PIV technical specifications of NIST SP 800-73 and is issued in a manner that may be trusted by Federal Government Relying Parties, but does not meet all of the requirements of FIPS 201.

What does this mean? A Federal entity (aka employee) uses a PIV card, and a trusted, non-government entity has to use a PIV-I card.

So there you go. In summary:

  • CAC is for Department of Defense users
  • PIV is for civilian users working for the Federal government
  • PIV-I is for non-Federal entities that need to access government systems

Smartcards, certificates & OS X: Does Lion Roar or Meow?

I spent some time the week before last dealing with smartcards, certificates, Macs and OS X Lion (10.7), specifically. My initial take on Lion was this: I can't believe Apple has taken this direction for the enterprise user.

Before going any further, I should come clean and say I love Apple products. As a consumer, they do what I need, and work as expected. The fact that I've not had to rebuild my wife's MacBook in its entire life (of more than 3 years) is remarkable. That all changed with OS X Lion. I downloaded it, and was not impressed from the get go. Just starting with the fact that I had to hunt down the DMG file so I would have a copy was irritating, and things continued from there. But I work with technology, need to keep up, and wanted to check out the buzz.

I also did some initial research, but articles like this one didn't help: http://www.macworld.com/article/161493/2011/08/lion_enterprise.html . This guy clearly doesn't run an "enterprise shop" and probably considers an office of 10-15 people to be representative of an enterprise. But I bit the bullet, upgraded my personal MacBook Pro, and have been wincing since. But that was as an end-user. On the enterprise side, things turned out to be worse. The AD Plug-in - broken. The Login Screen - completely screwed up. Apple broke everything when it came to Directory Services and the Login page. And to top it all off, smart card support has been deprecated! Really? This is enterprise ready?

Before we go any further, here's a quick review of how smart cards worked in OS X prior to 10.7:

  1. A card is inserted into the reader
  2. The reader uses the tokend file (ships with the OS) as a driver to read the certificate off the card
  3. The login screen is re-drawn, the username is pulled off the card (to display on the screen), and the screen is changed to only display the PIN request field
  4. The user enters the PIN tied to the card
  5. The certificate (issued by a Certificate Authority aka CA) is confirmed to be valid
  6. The CA's certificate is also checked and confirmed to be valid, so its certificate (and any up the chain) have to be in the OS X Keychain
  7. The user is allowed to log in

Apple no longer ships tokend files (step #2), and the default login window is no longer refreshed by a smartcard insert (though it does still flicker). We have since had a very helpful conversation with an Apple architect, and will be making changes to make it all work properly in Lion, but in the mean time, it's possible to get it all working with some elbow grease and lowered expectations.

So . . . how did we do it? Well, we started with the QAS Smartcard guide that you can find with the standard QAS documentation. And there's a whole lot of good stuff there about smartcards and certs, but here's what I boiled it down to:

1. Go to http://smartcardservices.macosforge.org/ and download the latest package to get the tokend needed to read the specific cards you are using. Apple has open sourced it all, and are relying on non-Apple folks to maintain this. If your card is not there, you will need to ask your smartcard vendor to give you a tokend file (basically, a little library to allow you to work against the specific card). We were lucky enough to be using CACs so the tokend we needed was in the beta2 batch from Aug 19, 2011.

2. Once the tokend is installed, and in place (and QAS is already up and running), run the following commands in Terminal to set up QAS to be able to use the smartcard:

sudo /opt/quest/bin/vastool smartcard configure \
pkcs11 lib /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

# just a test with a valid smartcard to make sure it works
sudo /opt/quest/bin/vastool smartcard test \
library /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

sudo /opt/quest/bin/vastool smartcard configure macos

(note that tokendPKCS11.so is the name of the file we used - your mileage may vary)

3. The client I was working with had 3 CAs in their certificate chain, so all 3 CAs had to be imported into Keychain. What that means is that Keychain had to have a copy of every CA cert that is in the chain of the user. We actually used a Windows host, and got those certificates in a cer format (crt would work as well) and used the QAS Files policy to get them over to the /etc/opt/quest/vas/ folder. We then imported them onto the Mac using the following commands:

sudo /usr/bin/security add-trusted-cert -k \
/Library/Keychains/System.keychain -r trustRoot -d /etc/opt/quest/vas/enterpriseCA.crt

sudo /usr/bin/security add-trusted-cert -k \
/Library/Keychains/System.keychain -r trustRoot -d /etc/opt/quest/vas/layer1.crt

sudo /usr/bin/security add-trusted-cert -k \
/Library/Keychains/System.keychain -r trustRoot -d /etc/opt/quest/vas/layer2.crt

We put these 3 commands into a script that deployed as a GPO Script policy that ships with QAS and set to 'run once' after the machine is joined.

After that, we were able to log in, but not without some trial and error. It turns out that if we had our card in the reader, and everything configured before the login window was drawn, we had the correct username read off the card, and a single field (labelled 'Password') that allowed us to enter a PIN and login. If we inserted the card after the login screen was already drawn with 2 fields (labelled 'Username' and 'Password'), we could not use the smart card to login, but could get in with the AD credentials, or a set of local credentials.

That was it. Most of it was what you'll find in the install guide, along with some additional configuration and troubleshooting sections. Also, don't think that smartcards can be bypassed with QAS. In the testing that we did, we left it open to allow username/password and local accounts to log in. But we didn't have to. QAS allows you to configure an entire host to require smart cards for login by editing vas.conf. Add the following directive:

require-smartcard = true

under the [vas_macos] section. You can set this option for multiple machines using the QAS Configuration group policy extension. In addition, you can enforce this on a user-by-user basis by setting the 'SmartCard Required For Interactive Login' option on each user using Active Directory Users and Computers (ADUC).
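Here is a small script that covers the last two steps above (the CA import loop and the vas.conf directive). It is an added example, not the script from the original post and not part of QAS; the section-aware awk editing is my own, and the file paths, the sample vas.conf and the directory name are assumptions.

```bash
#!/bin/bash
# Added example for the procedure above; it is not the original post's script and
# not part of QAS. import_ca_chain() repeats the step-3 "security add-trusted-cert"
# command for every CA cert in a directory, and vas_set()/vas_get() edit vas.conf
# section-aware so that "require-smartcard = true" lands under [vas_macos] only.
# Assumptions: vas.conf is INI-style "key = value" text; all paths are examples.
set -u

# Step 3 as a loop: import each .crt/.cer in $1 as a trusted root into the
# System keychain. Returns 1 on hosts without the macOS security tool.
import_ca_chain() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; skipping keychain import" >&2
        return 1
    fi
    for cert in "$1"/*.crt "$1"/*.cer; do
        [ -f "$cert" ] || continue
        sudo /usr/bin/security add-trusted-cert -k /Library/Keychains/System.keychain \
            -r trustRoot -d "$cert" || return 1
    done
}

# Print the value of key $2 inside section [$1] of file $3 (empty if absent).
vas_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$3"
}

# Set "$2 = $3" inside section [$1] of file $4: creates the section if missing,
# replaces an existing value, and drops duplicate lines within that section.
vas_set() {
    awk -v sec="[$1]" -v key="$2" -v val="$3" '
        function emit_pending() { if (insec && !done) { print key " = " val; done = 1 } }
        /^[[:space:]]*\[/ {
            emit_pending()
            s = $0; gsub(/[[:space:]]/, "", s)
            insec = (s == sec); if (insec) seen = 1
            print; next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END {
            emit_pending()
            if (!seen) { print ""; print sec; print key " = " val }
        }' "$4" > "$4.tmp" && mv "$4.tmp" "$4"
}

# Exit 0 only when the host-wide smart card requirement is in force.
smartcard_enforced() {
    [ "$(vas_get vas_macos require-smartcard "$1")" = "true" ]
}

# Demo on a constructed vas.conf (not a real deployment file).
conf="$(mktemp)"
cat > "$conf" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM

[vas_macos]
# login window settings
EOF
smartcard_enforced "$conf" || echo "before: smart card not required"
vas_set vas_macos require-smartcard true "$conf"
smartcard_enforced "$conf" && echo "after: require-smartcard = true under [vas_macos]"
cat "$conf"
rm -f "$conf"
if [ -d /etc/opt/quest/vas ]; then import_ca_chain /etc/opt/quest/vas; fi
```

On a real host, run smartcard_enforced against /etc/opt/quest/vas/vas.conf to audit a machine after the policy has been applied.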

(edited 2011-09-13 21:42 GMT to correct some formatting problems)


Gogo does away with 30 day pass, so going from GoGo is a no go

As a pretty regular traveler, I find the need to use GoGo from time to time. Pretty decent service, and if I had a bunch of flights in 1 month, or several long haul (east to west coast) flights, I would buy a 30 day pass. However, they took that away, and now only allow me to do their regular monthly plan, with a recurring charge. So if I forget to cancel the service in 30 days, they charge me for another 30 days. Lovely. And how do I cancel? Apparently, removing my stored credit card is a way to do it, but not outlined on their site. The only way I could find to do it was to select 'Live Help' which opened an FAQ. Now, I hate dealing with people when something can be automated, so for a brief moment, I thought they had what I wanted. But, alas, I still had to waste time in a chat session, as the only option provided was:

How do I cancel my Gogo Unlimited or Gogo Traveler Flight Pass?

If you would like to cancel your Gogo Unlimited or Gogo Traveler recurring subscription, simply click the Chat With Us link to speak to a Customer Care representative.

Here is the chat session:

Graeme: Welcome to Gogo. My name is Graeme.
Graeme: Hi, Dmitry!
Dmitry Kagansky: hi
Dmitry Kagansky: please cancel the monthly charge
Graeme: I do see that you've removed your stored payment card from this account, so your subscription will expire automatically. You won't need to do anything else.
Dmitry Kagansky: you could point that out in your FAQ
Dmitry Kagansky: this is a real nuisance
Dmitry Kagansky: so in order to do a '30 day pass' as I had in the past, i'll need to add and then remove my credit card
Dmitry Kagansky: or chat with one of you guys every time
Graeme: Yes, you need to contact us to cancel your subscription.
Dmitry Kagansky: that's just lovely
Graeme: What other questions can I answer for you?
Dmitry Kagansky: no others
Dmitry Kagansky: thank you
Graeme: Thank you for choosing Gogo. Fly classy.
Graeme has disconnected.

Good times; thanks for wasting more of mine, Gogo. Way to make things easier. I'll definitely have second thoughts on that hour long flight as to whether I want to put in my credit card number, and have to remember to cancel it within 30 days.


VDI – nothing like watching the lightbulb go on!

I was at a conference for a Federal agency this week, and had a fantastic experience with a (prospective) customer. We were talking about this and that, but the conversation worked its way around to mobile computing. And while agencies are announcing "mobile initiatives" left and right, the reality is that everyone is still really concerned about what BYOD (Bring Your Own Device) means.

My friend, Joe Baguley, has been going on about "the consumerisation of IT" for a while (and he's English, so it's an "s" and not a "z" in consumerisation) as have others, but the Feds work differently. It's not purely about savings, and things are a bit more measured. And that's one of the reasons that the Blackberry continues to hold on, and the iPad has made no movement yet. When the OS cannot be locked down through a central server, and policies cannot be set on applications and data, the device has a slim chance of making it in the Federal space.

But Quest have an interesting solution to the problem; one that took 5 minutes to demonstrate, and turn on the lightbulb for a senior-level manager at this agency. It was vWorkspace. He had his iPad with him (running a beta of iOS 5, in fact - good to know it looks like it works there, too!), and we started talking about how he can control data and access. Thankfully, I had a demo account on a set of servers that a colleague had up and running (Rob Mallicoat - many thanks!), and he had a network connection on the iPad. Within 5 minutes, I was able to download the vWorkspace iPad app, configure the settings, and voila! I was showing him Visio running on an iPad in no time.

And the thing is, I tell people about it time and again, but until you actually see it working, you don't realize how cool it is. Even the sales guy in the booth lit up when he saw how easy it was, and what it did. That got this manager interested, and proved one of the core problems with VDI; users need to touch it and see it for themselves. It's not enough to give them docs and white papers, and even web demos don't cut it.

But that's not enough; what's unique is how Quest does it. We don't care if you have some apps and desktops on VMware, and others on Hyper-V. You could even be running Terminal Services! We combine all of that, and give you a single interface. As a user, you don't know (and shouldn't care) how an app or a desktop is delivered. We even have a slick, "local VDI" option, thanks to MokaFive.

That's what got the manager really excited - he realized he didn't have to be tied to a single VDI option or vendor, and he can even provide multiple environments all through 1 app, delivered to his users' desktops. Plus, the fact that it can all be remote means he could even give out iPads, but keep all the data in his data centers.

So if you have an iPad or Android device, ping a Quest person, and see if they can get you access to a demo system. Or ping me if you're with a Federal agency. Because this is something you simply need to try, and not just watch or read about.


NFL Game Pass – not very good at keeping commitments, or giving any info out

As you probably expected, no one contacted me from the NFL this week. Despite my last post, where the anonymous person said I would be contacted by a supervisor, nothing showed up in any mailbox. And I was even checking my spam folder diligently. However, last night, they did manage to send me a reminder that my account is set to auto-renew, and will be charged again! What is wrong with these people?

So I tried to call, but after 20 minutes of waiting, decided to go down the chat route again. And here is the result of that session:

You are now chatting with NFL Game Pass

NFL Game Pass: Hello, how may I help you?
Dmitry Kagansky: I have 2 problems. The first is that I got an email that reads: "Your NFL Game Pass - Season subscription is currently set to auto-renew on 8/3/11 for the 2011 NFL Season." I specifically asked for a cancellation last week in a chat session. Also, a manager was due to contact me by this past Tuesday about my second problem. You can find the details here: http://www.federalcto.com/2011/07/nfl-game-pass-charging-credit-cards-they-have-no-right-to-charge/ .
NFL Game Pass: What is the user name for your account?
Dmitry Kagansky: xxxxxxxxxx
NFL Game Pass: Your account has already been taken off of automatic renewals and is not set to renew for this season.
Dmitry Kagansky: ok - then 2 questions
Dmitry Kagansky: 1. why did i get this email yesterday?
Dmitry Kagansky: 2. when will a manager contact me, as you committed to last week?
NFL Game Pass: The email was sent out to all previously subscribed GamePass users.
NFL Game Pass: In regards to your second question, I would be more than happy to forward your contact info along to a manager for follow up support.
Dmitry Kagansky: that's fine - but you committed to have a manager contact me last week
Dmitry Kagansky: you, or one of your colleagues
Dmitry Kagansky: did you have a look at the link I sent you?
NFL Game Pass: Well sir, it was not me. What I am able to do is what I have stated, and I would be glad to do that for you.
Dmitry Kagansky: The short story is that you charged me in august with a card that had been expired in may. You were never authorized to make that charge.
Dmitry Kagansky: terrific - when will the manager contact me
NFL Game Pass: Yes sir, I read the chat history that you supplied.
Dmitry Kagansky: please do not say 48 hours as you did last time
NFL Game Pass: The normal response time is within 48 hours.
Dmitry Kagansky: and please give me a contact name, or a reference of some sort
Dmitry Kagansky: who will contact me?
Dmitry Kagansky: you realize this chat session will go up on that site, yes?
Dmitry Kagansky: feel free to call me, as well, at 770-xxx-xxxx
Dmitry Kagansky: i got tired of waiting on hold when I tried to call
Dmitry Kagansky: but I'll warn you that the call will be recorded
NFL Game Pass: No need to warn us of that sir, we record all calls as well.
Dmitry Kagansky: i'm happy that you do, but I'll record it on my end for publication
NFL Game Pass: Again, I have passed your information along to my supervisor, and you can expect to be contacted back within 48 hours.
Dmitry Kagansky: how will I be contacted?
Dmitry Kagansky: and by whom?
NFL Game Pass: The first contact is typically via email.
Dmitry Kagansky: fantastic
Dmitry Kagansky: now, i didn't get contacted last time
Dmitry Kagansky: so how do I know I won't be having this same chat again next week?
NFL Game Pass: All I can offer you is my word as an employee of Neulion that I will perform the requested tasks as promised.
Dmitry Kagansky: terrific, mr anonymous employee of a company other than the nfl
Dmitry Kagansky: or ms anonymous employee
Dmitry Kagansky: i look forward to the email
Dmitry Kagansky: cheers
NFL Game Pass: Thank you sir, and you have a wonderful day.
Dmitry Kagansky: Were you going to leave the conversation, or is there any more to add here? I'm busy prepping the current blog post now.
Dmitry Kagansky: I just want a nice, clean "your chat has completed" message for the blog, and it's been about 5 minutes since you wished me a wonderful day


Well, I didn't have any more time for the silliness, so I closed the window at this point. It'll be interesting to see whether I get contacted within 48 hours. Something tells me that I'll have yet more chats posted up. And I did find an interesting iPhone app, as well, by www.recordacall.com . Unfortunately, I didn't have the patience to sit on hold past the 20 minutes, or this whole thing would have been an audio post.


NFL Game Pass – Charging credit cards they have no right to charge

When I lived in the UK, I subscribed to the UK Game Pass plan. It's actually a neat option for ex-pats, however, it's not available in the US. About an hour ago, I got an email from Game Pass saying that my account was "auto-renewing." Given that I'm quite diligent in making sure I don't auto-renew anything, I was a bit surprised to see this email, and figured it was a mistake, as the last season I would have subscribed to was 2008, and I was pretty certain I read the fine print. In fact, I remember having to renew the 2008 season, even though I'd subscribed the previous year.

So, I decided to use the chat feature, and figure out what was going on. Here is the complete chat thread:

You are now chatting with NFL Audio Pass

NFL Audio Pass: Hello, how may we help you?
Dmitry Kagansky: I just got an email that read "Your NFL Game Pass - Season subscription is currently set to auto-renew for the 2011 NFL Season at $239.99 USD." I haven't been in the UK for the last 2 seasons, and should not be set to 'auto-renew.' I cannot use Game Pass in the US, or I'd gladly subscribe.
NFL Audio Pass: can we have your user name
Dmitry Kagansky: Please cancel this subscription.
NFL Audio Pass: can we have your user name please
Dmitry Kagansky: xxxxxxxx
Dmitry Kagansky: or yyyyyyyy
NFL Audio Pass: one moment
Dmitry Kagansky: not sure which i used - the email address is xxxxxxxx@gmail.com
NFL Audio Pass: The auto renewal feature has been removed. There will no further billing for Game Pass on your account
Dmitry Kagansky: Have I been billed for Game Pass the last 2 seasons?
NFL Audio Pass: Our records show your account was charged on 8/10/09 and 8/02/10
Dmitry Kagansky: You have got to be kidding me - I never asked for the auto renewal option
Dmitry Kagansky: there's no way I could have used the service in the US
Dmitry Kagansky: and I moved back in sept of 2009
NFL Audio Pass: The renewal feature is explained at the time of purchase
Dmitry Kagansky: Plus, the credit card you guys used was expired
Dmitry Kagansky: you should not have charged it
Dmitry Kagansky: and i would not have given you a new one
NFL Audio Pass: We are unable to refund a transaction after 7 days of the charge
Dmitry Kagansky: right, but you charged an expired credit card - that's certainly against your contract with Visa
NFL Audio Pass: The card on file was active at the time
NFL Audio Pass: it expired on 5/2010
Dmitry Kagansky: right
Dmitry Kagansky: so how did you charge me on 8/2/2010?
NFL Audio Pass: Unfortunately i do not have that information
Dmitry Kagansky: exactly
Dmitry Kagansky: so you need to issue a refund for the 8/2/2010 charge
Dmitry Kagansky: as it was unauthorized
NFL Audio Pass: We can escalate this to our manager, so he can look into it further
Dmitry Kagansky: last i checked, may came before august
Dmitry Kagansky: please do
Dmitry Kagansky: what is his/her name and contact information?
NFL Audio Pass: Can we have an email to contact you at
Dmitry Kagansky: you have it
Dmitry Kagansky: xxxxxxxx@gmail.com
Dmitry Kagansky: what is your contact information?
Dmitry Kagansky: and the reference or case number?
NFL Audio Pass: Thank you. He will be in contact with you within 48hrs
Dmitry Kagansky: what is the reference or case number, please
NFL Audio Pass: one moment please
NFL Audio Pass: We have no reference number to give. The information will be escalated, and the manager will be in contact with you. He will then provide his contact information. We apologize for any inconvenience this may have caused.
NFL Audio Pass: Your account will be noted also
NFL Audio Pass: Thank you for contacting NFL support

NFL Audio Pass has left the chat conversation

That is the entire and actual conversation, with just my username and email address redacted. There were some rather long pauses by "NFL Audio Pass" in all of this, as well. But this chat system is awful. No time stamps, no references as to who I "spoke" to, and certainly no feeling that this will get resolved. We'll see what happens in 48 hours, but I'm not holding my breath.

Copyright (C) 2010-2011 Dmitry Kagansky – All opinions expressed are those of the respective author and do not reflect the views of any affiliate, partner, employer or associate.