Tags: authentication

SIM Manager and Google Contacts with two-step verification

If you use Google's two-step verification feature, you will stumble upon an authentication error with SIM Manager, when attempting to synchronize your SIM with the online phonebook.

Two-step authentication is something that can easily slip your mind, so you may think that the problem is with your password, or with the software. After repeated attempts to synchronize your phonebook, you just give up (and maybe blame it on SIM Manager).

Error message related to password verification


To fix this, you have to create an application-specific password in your Google account settings, and use that password with SIM Manager.


  1. Log onto your Gmail account and click Account settings
     (Screenshot of Gmail account controls)
  2. Edit your two-step verification settings
  3. Click Manage application-specific passwords
  4. Generate a password for SIM Manager
  5. Use this password with SIM Manager

That's it. Have fun synchronizing your contacts!

p.s. the password in the screenshot has been changed, don't try to use it ;-)


Smart card Logon for Windows 7 x64

A fresh version of smart card Logon for Windows 7 x64 is now available: httx://dl.dropbox.com/u/3258602/DKbeta/Logon-x64.msi

The software is also compatible with:

  • Windows Vista
  • Windows Server 2008

This is a free version without any feature limitations. Get it while it is hot! ;-)


Logon for Vista, TVMonday-beta

A fresh beta of Logon for Vista is now available for download: http://files.dekart.com/beta/Logon-2.23.1-TVMonday.msi

Biometric authentication in Windows Vista and Windows Seven


Changelog:

  • It works in Windows Seven
  • It works with biometric scanners integrated into most modern laptops, as well as other fingerprint scanners (no additional configuration is needed, as long as the fingerprint scanner driver is installed)
  • Key backup feature has been added
  • Various bug-fixes

Second public beta of Logon for Vista

A new beta of Logon for Vista is now available for download: http://files.dekart.com/beta/Logon-Vista-2230.msi

It is not yet final, and it does not provide all the features that are available in the non-Vista version. Here are some highlights that will be useful to you if you're planning to play with it:
  • You must log on using a key once, in order to make the Dekart credential provider the default one;
  • Press Other credential providers to choose key authentication;
  • This version does not provide support for biometric authentication as a third factor, but the feature will be available in the next release;
  • A restart after the installation is not needed;
  • The current version cannot use keys created by the older version, therefore you should make a backup of your sensitive data.

The GUI of the key administration tool is not yet final; there will be changes here and there.

How to run the Citrix ICA client from a USB disk

The Citrix ICA client can be migrated to a removable disk, so you can connect to Citrix servers without having to install a client locally. This can be paired with Dekart Logon for Citrix, which can also run from removable media. The result is a self-contained bundle that offers you a secure way to connect to remote servers.

How does it work?

  1. Uninstall the Citrix ICA client from your system
  2. Install Citrix Program Neighborhood by running ica32.exe
  3. Edit C:\Program Files\Citrix\ICA Client\WFCLIENT.INI, by adding

    [WFClient]
    UsersShareIniFiles=On

  4. Save the file
  5. Run Citrix ICA Client, then close it (do nothing else).
  6. Verify the contents of C:\Program Files\Citrix\ICA Client\: a new folder, INIFiles, should be there, and it should contain the following files:
    • Appsrv.ini
    • Wfclient.ini
  7. Copy the Citrix folder (and its subdirectories) to the removable drive
  8. Install Dekart Logon for Citrix ICA Client (advanced mode) to the flash disk
  9. Uninstall Citrix ICA Client from the computer
  10. Run Dekart Logon for Citrix ICA Client from the flash disk (try creating a new connection in the KSD manager, to confirm that everything works as expected)
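Steps 3 and 6 of the procedure above, as an added example (this is not Dekart's or Citrix's own code): the first function edits the text of WFCLIENT.INI so that the [WFClient] section carries UsersShareIniFiles=On, whatever state the file started in, and the second reports which of the two expected files are missing from INIFiles. The sample INI contents are constructed for the example.

```python
# Added example, not part of the original post or of any Dekart/Citrix code.
# Works on the INI as text so that every other line is preserved verbatim.

# Constructed sample: a [WFClient] section that lacks the key, plus another section.
SAMPLE_INI = """[WFClient]
Version=2
; constructed sample, not a real Citrix file
[Thinwire3.0]
DesiredColor=2
"""

EXPECTED_INIFILES = ("Appsrv.ini", "Wfclient.ini")   # step 6 of the procedure


def enable_shared_ini(ini_text: str) -> str:
    """Return ini_text with UsersShareIniFiles=On inside [WFClient] (step 3).

    Handles a missing key, a key set to another value, and a missing section.
    Running it twice on the same text yields the same result."""
    out, in_section, seen_section, key_written = [], False, False, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not key_written:      # leaving [WFClient] without the key
                out.append("UsersShareIniFiles=On")
                key_written = True
            in_section = stripped.lower() == "[wfclient]"
            seen_section = seen_section or in_section
            out.append(line)
            continue
        if in_section and stripped.lower().startswith("usersshareinifiles"):
            out.append("UsersShareIniFiles=On")      # overwrite Off or any other value
            key_written = True
            continue
        out.append(line)
    if not seen_section:                             # no [WFClient] at all: append one
        if out and out[-1].strip():
            out.append("")
        out += ["[WFClient]", "UsersShareIniFiles=On"]
    elif not key_written:                            # [WFClient] was last and had no key
        out.append("UsersShareIniFiles=On")
    return "\n".join(out) + "\n"


def missing_ini_files(present_names) -> list:
    """Given the file names found in INIFiles, return the expected ones that are absent."""
    have = {name.lower() for name in present_names}
    return [name for name in EXPECTED_INIFILES if name.lower() not in have]
```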

Why smart-card/token and biometric logon is better than password logon

Here is a set of points that emphasize the benefits of a smart-card or token-based authentication solution, coupled with biometric authentication; the example is focused on Dekart Logon for Citrix, but it also applies to other user authentication software by Dekart.

Q: What are the benefits of using your product? Am I simply substituting a PIN for a user/password combination? And can an external user without a flash drive or smart card still access the server?
A: Dekart Logon for Citrix is not a server-side application; it should be used on the clients.

The benefits can be summarized as:

  • users don't have to enter passwords manually
  • therefore you can use extremely complex passwords (they won't have to memorize them anyway)
  • since they don't have to memorize them, you can be sure your passwords won't show up in clear-text on sticky notes, or written somewhere under the keyboard, etc
  • the fact that the credentials are stored on a smart card means that brute-force attacks are out of the question
  • optional biometric authentication takes that one step further
  • the software can also be used with flash disks, being entirely self-contained:

    • the Citrix client itself can be migrated to the USB disk
    • and the same applies to our program
    • as a result, an end-user can plug the USB drive into any computer (even where the Citrix ICA Client is absent), and log on to the Citrix server. (Of course, this is also possible if you use a web-based client, but in that case you have to beware of keyloggers [note: we have a solution for that too])

In this case the user is immune to keyloggers. Even if the keylogger manages to capture the PIN:

  • they won't obtain the connection credentials themselves, therefore they won't be able to connect to the server without actually having the smart card (token, or USB drive)
  • and even if they do - you can use biometry as an added layer of security
  • further, the program can be installed in 'simple' and 'advanced' modes. In the first case, end-users can only connect to predefined servers, they cannot change the credentials, nor see the connection details - this makes the system fool-proof.

And as a side effect, this also means that disloyal end-users won't be able to disclose confidential data even if they want to. In other words, you can implement the "need to know" approach, by not giving users more information than they actually need to get their work done.

The data stored on USB drives is encrypted with 256-bit AES; our implementation of the algorithm is certified by NIST. This is much stronger encryption than the one used by the Citrix client itself.

Q: And can an external user without a flash drive or smart card still access the server?
A: Technically, this is possible, but you can counter that by:

  • using extremely complex passwords, or randomly generated ones
  • not disclosing them (just write the credentials to a key and issue it to an end-user)

You will probably want to take a look at Key Manager, this is the tool that allows you to write credentials to keys, make copies, edit contents of a key, etc.

Note - you can do these with Dekart Logon for Citrix itself, but if you're planning to operate with many keys (in a corporate environment), you'll find Key Manager very useful. A license for the tool is given for free if a certain number of licenses for Logon for Citrix is purchased.


Q: Couldn't someone with a citrix client installed on their machine get to my server logon screen on the remote machine and execute a brute force attack there?
A: Although that is technically possible, it is not an optimal scenario for the attacker to use:

  • most network admins configure the servers in a way that prevents any host from connecting again if it has connected N times during the last M minutes (to prevent brute force attacks, conserve CPU cycles and network bandwidth, and thus avoid denial-of-service attacks)
  • from the attacker's point of view, the bottleneck of the procedure is the network bandwidth. When brute forcing a local resource, it goes much quicker because reading/writing RAM is much faster than crafting a packet, sending it over the network, then waiting for a response from the server, etc.


In other words, a local brute-force attack can take thousands or millions of years, while doing it over the network is totally insane. It may only work for trivial passwords such as '11111' or ones that can be found in any dictionary. But even in that case, a dictionary attack won't be feasible if the network admin took the right measures and prevents one from connecting to the server after too many unsuccessful attempts.

Finally, the last detail is that you can use randomly generated passwords, which are extremely long - brute forcing THAT is impractical.
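The "N attempts in the last M minutes" rule the answer relies on, applied to a few constructed authentication log lines as an added example (this is not Dekart's code, and the log format, hosts and timestamps are invented for the example): a sliding window of failed attempts per source host, with the host recorded as locked out the moment the window fills.

```python
# Added example, not part of the original post. The lockout rule described in
# the text, implemented as a per-host sliding window over failed logons.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source host> <result>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 FAIL
2024-01-01T10:00:20 10.0.0.5 FAIL
2024-01-01T10:00:40 10.0.0.5 FAIL
2024-01-01T10:01:00 10.0.0.5 FAIL
2024-01-01T10:02:00 10.0.0.9 FAIL
2024-01-01T10:03:00 10.0.0.9 OK
2024-01-01T10:20:00 10.0.0.5 FAIL
"""


def locked_out_hosts(log_text, attempts=3, window_minutes=5):
    """Return {host: time of lockout} for every host that reached `attempts`
    failed logons within any span of `window_minutes` (sliding window).

    Successful logons are ignored; a host is reported once, at the failure
    that filled its window, which is the moment the server would start
    refusing its connections."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # host -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        ts_str, host, result = line.split()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= attempts and host not in locked:
            locked[host] = ts
    return locked
```

With the defaults, 10.0.0.5 is locked at its third failure (10:00:40); its isolated failure at 10:20 is outside the window and would start a fresh count, while 10.0.0.9 never reaches the threshold.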

If I were an attacker, I'd try to find alternative ways, such as social engineering applied against a naive employee.

