Hello, welcome to the Tuesday, November 28th, 2017 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Augusta, Georgia.

The Golden Sammel attack has made some news these last few days, and I want to spend a little bit time talking about it. So Sammel is a standard that's

being used to authenticate users and the one application that is really affected here is

something called federated identity. If you as an organization sign up for a web service, for example, Office 365 or Amazon,

support this, you can basically tell Microsoft, hey, if someone from my organization is trying to

connect to you, send them to us, we'll authenticate them, and then verify whether they are a legitimate user.

Now, this is first of all a pretty good idea.

You now have one central spot, your existing Active Directory service that you use to manage your users.

And your users have a consistent user interface, one username and password that they use in order to

authenticate to these cloud services.

In addition, it allows you to implement things like two-factor authentication relatively cheaply.

You just need one token, for example, that is used with your Active Directory service,

and then again, you can leverage this

to authenticate users for these different cloud services. The way the mechanics of this work is

that a user is going to the cloud service trying to log in. The cloud service will now redirect the

user to your authentication service.

With that redirect, there will be a challenge that's being attached to the URL.

Your service after authenticating the user signs that challenge using a secret key,

and that signature is now used to verify that this is a legitimate user.

Things go bad and that shouldn't really be a surprise if someone compromises your active directory service

and gets a hold of that secret key.

...