Stu's Security Blog

Quest Software & Yubico Partner to Offer Two-factor Authentication With YubiKey for Quest Defender

2011-02-09T15:15:00.002Z

Quest offers IT management software across virtual, physical and cloud environments. Quest Defender enhances security by enabling two-factor authentication to network, Web and applications-based resources. Defender was designed to base all administration and identity management on an organization's existing investment in Active Directory, and eliminates the costs and time involved in setting up and maintaining proprietary databases. In addition, Defender works with the full range of OATH-compliant One Time Password (OTP) methods, including mobile phone apps, display tokens – and most recently – YubiKeys.

"With its ease of use, robust design and minimal size, the YubiKey is a great complement to our existing offering of authentication methods," said Jackson Shaw, Sr. Director of Product Management for Identity & Access Management, Quest Software.

The YubiKey simplifies the process of logging in with a One Time Password token, as it does not require the user to re-type long pass codes from a display device into the login field of the computer. The YubiKey is inserted in the USB-port of any computer and the OTP is generated and automatically entered with a simple touch of a button on the YubiKey, without the need for any client software or drivers. The rugged, ultra-thin, battery-free, crush safe, and waterproof design has also been fundamental to the success of the YubiKey, currently used by over 10,000 customers globally.

"We are pleased to partner with Quest Software to offer Defender customers unmatched ease of use, and the Yubico community a new proven validation server choice," said Stina Ehrensvard, CEO and Founder, Yubico.

The joint solution will be demonstrated at the RSA Conference in San Francisco Feb. 14-18, 2011 in the Quest Software booth #2232.

Defender 5.6 goes live!

2010-12-03T11:46:00.005Z

I'm delighted to announce that Defender 5.6 has been released.

The team have made some fantastic new additions to this, the latest version of Defender.

A few of this highlights include:

Brand new [very shiny] token deployment system that now includes user self-service for both software and hardware tokens.
Brand new, super easy to use, delegation wizard for administrators to easily set permissions for users and/or groups of users.
We've taken away the need to request any licensing from Quest by including a trial 90 day license upon installation of 5.6 hopefully making things even easier to install and get up and running.
You can now download all the Quest software tokens online, saving you time and effort when it comes to deployment.
We've added new software token types for the Android platform as well as OTP delivery via eMail.
With the integration we've done with our fellow Quest Authentication Team (QAS), you can now deploy two factor authentication with a 'single click' to almost any Unix or Linux host in your environment.
Loads more!

Download Defender 5.6 today and let us know what you think!

It's been a while!

2010-04-15T15:32:00.004+01:00

It's been some time since my last post, mainly due to the fact it's been a very busy few months on the product development and strategy side of things with a fair amount of travel thrown in for good measure.

The good news is that we're making serious headway with both Defender and QPM from and engineering standpoint and we’ll have even more fantastic new features available for both products later this year. Watch this space! And whilst I’m on the good news, a big thanks to everyone involved for making Defender a knock-out product for us last year! We grew our defender business substantially and really had a fantastic year all round!

From the travel side of things I've been all over the place visiting customers and attending road shows, the most to date being the RSA Security conference in San Francisco. I have to be honest and say I have mixed feelings about the RSA conference because I think the quality of leads is arguable. That said, I did have chance to meet up with a few of our partners which has in turn has resulted in some very beneficial planning ideas for 2010.

The next conference I'll be attending (if the planes in Europe are flying that is) will be the Burton Group Catalyst Conference in Prague next week. I'm looking forward to this conference as a) I like the Burton guys, and b) I get the chance to sit in on a few of the sessions as opposed to presenting them for a change, and there appear to be some good ones on the agenda.

Following on from Prague, I'll be off to Infosec Europe the following week in London. Again, I'm looking forward to this as we have some exciting new stuff to demo at the show. This year we'll be on both the ScriptLogic stand as well as the GrIDsure stand so if you're attending Infosec this year, make sure you stop by and see what we've been up to.

Also don't forget that if you've not yet tried our Defender TFA solution, do so today FOR FREE: http://www.quest.com/landing/?id=1331

Let’s hope the next few months have been as profitable as the last and hope to see you at one of your future events!

5 Stars for Defender 5

2010-01-11T16:22:00.001Z

Once again, Quest's two-factor authentication solution, Defender, has received a full 5 Stars from SC Magazine!

Quest Password Manager 4.6 launched

2009-12-15T08:10:00.004Z

I'm thrilled to announce that we've launched the latest version of QPM, v.4.6.0

Some of the highlights are as follows:

Windows 7 support
Windows 2008 R1/R2 support
IE8 support
Captcha
Granular minimum/maximum password age
Quick Connect Integration providing cross platform password management
Integration with ActiveRoles Server Web UI (Help Desk site)
Reporting support for SQL/SRS 2008
Defender Integration enabling use of OTP to change password/unlock account and now for initial registration with QPM
Various reporting enhancements including email and Help Desk stats

Happy Thanksgiving!

2009-11-26T10:32:00.001Z

To all my American friends and colleagues, hope you have a great break!

Defender 5.5 launched

2009-10-07T10:29:00.005+01:00

I'm proud to announce that we launched the newest version of Quest Defender yesterday, version 5.5

This new version has a number of exciting new enhancements including:

Defender integration pack for Quest ActiveRoles Server for Defender user provisioning and administration
Extended token support, including iToken, GrIDsure and Go-6 hardware tokens
64bit platform support for core components
Improved diagnostics for token failures and verification
Improved integration with Quest Password Manager
New Defender ISAPI Agent to add Defender authentication to IIS websites
Defender Reports enhancements
Improvements to remote access support

For more information on Defender and to download version 5.5, please visit www.Quest.com/Defender

September update

2009-09-23T15:56:00.005+01:00

Well, it's been a good few weeks since my last update and I'm happy to say, for good reason.

Aside from some great time out over the summer period, it's been all hands on deck to get the next versions of Defender, Password Manager, InSync and WebThority ready for release later this year/early next.

The first new product version will be for Defender (v.5.5) scheduled to be released on the 6th of October this year. It has some great new features, a few of which are as follows:

New token support including iToken, GrIDsure and Go-6 hardware tokens
Brand new Defender ISAPI Agent to add Defender authentication to IIS websites
New Defender integration pack for Quest ActiveRoles Server
Improved integration with Quest Password Manager
Improved diagnostics and enhanced reporting
Improvements to remote access support

In addition to the above mentioned release, I will be giving a 1 hour live webcast tomorrow on Defender, so why not register for free and dial in?

To register for the webcast, simply go to the following link: http://whitepapers.techrepublic.com.com/abstract.aspx?docid=1139587

Attention all Apple Mac users!

2009-08-06T13:00:00.004+01:00

Mac users have been advised to install a patch after Apple warned of a serious flaw in Mac OS X.

Apple posted a security advisory after discovering the vulnerability that would allow hackers to create specially crafted image files capable of running malicious code without the user's authorisation.

Affected image file formats include PNG, Canon RAW and OpenEXR. Apple has issued the security update 2009-003 to users to update themselves to Mac OS X v10.5.8.

Graham Cluley, senior technology consultant at Sophos, said: “Owners of Mac computers would be wise to follow Apple's advice, else put their systems at risk of infection via rigged image files created by hackers.

“This year has seen a number of attacks against users of Apple Mac OS X. Many of these have relied upon social engineering to fool Mac owners into installing Trojan horses on their computers. There is no doubt, however, that cybercriminals would love to be able to exploit software vulnerabilities instead to make infection even easier.”

Article courtesy of SC Magazine

Quest to launch new hardware form-factor!

2009-08-04T13:26:00.009+01:00

As part of our ongoing goal to add new and improved functionality to all of our products, we will be launching a brand new hardware token to Defender's already extensive token list.

The Defender “SlimToken” is the latest addition to our hardware token list and provides full two-factor functionality in a token the size of a credit card.

The great thing about the SlimToken is not only its size & weight, but also the fact that it can easily be carried in something you take pretty much everywhere you go, your wallet!

This means there’s no more hassle of dragging a physical token along in your laptop bag and unless you forget your wallet, you’ll never forget your token behind when you need it.

Here’s a summary of some of the top features:

Great form-factor!
Can be fully customised physically (i.e. used as a security badge)*
Can have a physical door access chip/coil embedded (e.g. HID)*
Can have a smartcard chip embedded (e.g. for PKI use)*
3 – 4 years expected lifespan (governed by the internal battery
Fully OATH compliant

* Please contact Quest for further details.

Quest Defender meets PowerShell

2009-07-15T20:42:00.009+01:00

First off, a big thanks to my good friend and colleague Dmitry Kagansky for creating the first, of hopefully many, PowerShell scripts for Defender!

Taken directly from Dmitry's blog the details are as follows:

1. “Which tokens has which users assigned?”

foreach ($token in (Get-QADObject -IncludeAllProperties -Type "defender-tokenClass"))
{ Write-Output $token.Name $token."defender-tokenUsersDNs" }

2. The same question as number 1. above with the additional requirement to display user attributes as well (so you can no see violation counts etc.)

foreach ($token in (Get-QADObject -IncludeAllProperties -Type "defender-tokenClass"))
{
Write-Output $token.Name;
foreach ($user in $token."defender-TokenUsersDNs" | Where-Object{$token."defender-TokenUsersDNs".Count -gt 0})
{
Get-QADUser -Identity $user -IncludeAllProperties | Format-List samAccountName, "defender-violationCount",
"defender-resetCount", "defender-lockoutTime" ;
}
}

3. “Who can log in based on (direct) group membership allowed on the DAN (defender Access Node?”:

foreach ($dan in Get-QADObject -Type "defender-danClass" -IncludeAllProperties)
{
write-output "---";
Write-Output $dan.Name;
foreach ($ADGroup in Get-QADGroup -Identity $dan."defender-DANMembers")
{
Write-Host $ADGroup;
$ADGroup.Members | Get-QADUser | Format-List sAMAccountName;
}
}

I'm hoping that the simple yet effective examples Dmitry has provided for Defender will encourage others to embrace using PowerShell with Defender.

Which brings me to my next question, when are the other two factor authentication players going to join the PowerShell party? ;)

GrIDsure and Quest Software form strategic partnership

2009-06-18T10:19:00.016+01:00

@ Quest we're all about evolving our products to meet our customers needs.

A perfect example of this is the partnership we have just signed with GrIDsure.

Full GrIDsure press release as follows:

GrIDsure, the innovative alternative to PINs and passwords, today announced that it has formed a strategic partnership with Quest Software, Inc., to integrate GrIDsure's technology into the Quest ‘One Identity’ solution portfolio. Quest’s two factor authentication solution, Defender, is the first Quest product that will be enhanced with GrIDsure to extend the product’s existing two-factor authentication capability.

GrIDsure’s solution is based on its groundbreaking yet simple invention that allows users to authenticate themselves by remembering a minimum of a four block sequential pattern on a five by five grid. By integrating GrIDsure’s software-based solution, Quest will be able to offer its customers an enhanced level of scalable security at a very competitive price point, whilst enhancing the user experience.

Quest Defender is a standards-based strong authentication solution built to leverage Microsoft’s Active Directory for administration and management, and the addition of GrIDsure will maintain its level of interoperability for enterprises looking for a cohesive and holistic security strategy. Quest currently has approximately 300,000 users of Defender across many sectors such as healthcare, financial services and public sector. Quest expects Defender with GrIDsure to be commercially available in the summer of 2009.

Jonathan Craymer, Chairman, GrIDsure commented: “GrIDsure is a perfect fit for Quest’s product line and this is a great example of how our technology can become an extra ingredient for an existing product. Our technology has been easily integrated into Quest’s solution to enhance the security of the system whilst being much more cost effective than existing alternatives.”

Stuart Harrison, Product Manager, Quest, commented: “GrIDsure is a completely unique concept and we see great potential in this technology as our customers are always looking for enhanced security without the headache and cost of extra hardware. GrIDsure is very difficult to compromise and is a significant step in right direction for security both in terms of usability and cost effectiveness for the customer and the end user alike.”

More about GrIDsure:

The aim of GrIDsure is simple, to offer everyone an easier and more secure way to protect their own identity and authenticate themselves.

GrIDsure is a new ingredient in the security mix, able to generate 'one-time' codes that are more secure and resilient to 'spyware' threats, creating an extra security layer which can work on its own or alongside all existing or future technologies such as biometrics and PKI.

GrIDsure neatly replaces all fixed passwords, PINs or combinations, on any electronic device or system, ranging from computers and mobiles to the world of physical security. GrIDsure is more secure and more cost effective than traditional hardware-based alternatives, is highly scalable and reduces administrative time to run the system.

GrIDsure was awarded ‘Cool Vendor in Application Security and Authentication 2008' status by Gartner.

Press Contact:

David Atkinson

+44 (0) 207 608 4684

david.atkinson@hotwirepr.com

3rd Party links to this story:

http://www.securitypark.co.uk/security_article.asp?ArticleID=263283

http://www.prosecurityzone.com/Customisation/News/IT_Security/Data_Protection/Quest_One_Identity_to_incorporate_GrIDsure_solution.asp

2009-06-17T10:39:00.004+01:00

Quest's Defender TFA token for the iPhone is fully supported on the brand new iPhone 3.0 OS.

Search for 'iToken' from iTunes or click this link to download to your iPhone/iPod Touch: http://www.quest.com/itoken

Defender & ARS working together

2009-06-12T12:02:00.004+01:00

One of the things Defender does best is that it provides an easy to manage two factor authentication solution.

We've now gone one step further to increase this ease of use by extending Defender functionality within Quest Active Roles Server.

QARS provides you with all the additional security functionality you could want when it comes to managing AD and things like delegation, automated provisioning and much, much more.

Now that QARS can provision users' TFA credentials, you have a truly complete security management solution for your AD users.

Have a look at a high-level run through of Defender and ARS working together here: http://www.quest.com/activeroles-server/integration/demo/defender/index.htm

You can also find out more about ARS here: http://www.quest.com/activeroles-server/security.aspx

Password Management for dummies

2009-06-11T17:14:00.001+01:00

Password resets are a mundane, time consuming task but one vital to any organization.

Most if not all the companies I visit want to make the users more self sufficient so they can reduce the burden on the helpdesk and free them up to do other things.

One of the biggest HD overheads (time and hence cost)? PW resets!

So what are your choices? As I see it it can be narrowed to the following:

Continue spending loads of money on your own helpdesk
Build and application yourself
Buy a self service PW reset application from someone like Quest.

They all have their challenges:

Costly!
More costly!
Confusing

Most people agree they want a COTS app as it's often the easiest from an implementation perspective, and you can give the vendors a hard time when something goes wrong so there's and element of 'insurance' included.

That said, if you Google 'password self service' or the like, you'll most probably get a 101 million hits and it's difficult to know where to start.

Keep it simple:

Stating the obvious but it must offer good ROI and TCO.
It should be a proven technology. Are you willing to be a security guinea pig? Probably not.
Where are your users? In AD? If they are, you want a fully AD integrated solution. If they're not, go with whatever scales/is integrated best with your environment.
It should be flexible to the extent that you can include as many applications within the PW reset as you deem necessary. Is one secure PW better than 10 insecure PW's? I don't know but it's definitly more convenient for the end user meaning the chances they wrote them down is less. And yes, PW sync is WAY easier than SSO no matter what anyone says so if you're looking to rationalize PW's & ID's, this is a great start!
Future proof it. Don't buy proprietary!

Check out www.Quest.com/Password-Manager & www.Quest.com/InSync for more info on how Quest can help you with all the above and loads more.

Quest Defender - Superior Two Factor Authentication

2009-06-11T16:47:00.001+01:00

Yes I'm the PM so I understand your natural tendency to think I'd be biased towards my own product.

However, after working for the likes of RSA, Entrust, ActivIdentity and others in the TFA space, I have the experience to say that Quest's TFA solution offers some of the most significant cost savings I've seen to date and in addition, has some of the best technical functionality on any TFA solution I've seen.

If you want to reduce cost, integrate management, increase ease of use and embrace an industry standards based TFA solution, you should look at Defender.

SC Magazine agree and have awarded defender a full 5 stars, something very few (if any) other TFA vendors have achieved.

What are you waiting for? You can test the convenience of Defender without having to install a thing by simply registering for the www.TryDefender.com campaign here: http://www.quest.com/landing/?id=4344