Download our latest white paper to learn why passwords alone may be a large risk to your business, and show how two-factor authentication and identity assurance can help to protect your business against attacks to weak, shared or stolen passwords.

You can download it here.

Thank you to all our partners who have been working hard to deliver AuthAnvil solutions to your clients.

We now are represented in 10 different countries, and are now represented in so many interesting and different verticals, we are starting to lose count. As part of our commitment to drive revenue opportunities to our partners, we continue to refine our partner program in a way to add real value to your business, and your partnership with us.

One thing you guys have been asking for is new brand awareness about our partner program and your status, including better materials for your own website and partner logos. You can visit the Partner Portal to download the latest materials to aid in that. Of particular interest is the new rebranded partner logos:

The last logo is interesting. Based on the continued requests by our partners who are integrating AuthAnvil strong authentication into their own applications (or applications they install and distribute), Scorpion Software will issue "AuthAnvil Protected Solution" status to vendors who have shown their product to work with ours.

Over the next year we hope to build a catalog of "Protected Solutions" so you and your clients can be assured your investment in AuthAnvil can carry on to complimentary products. if you have a solution you would like tested, please get in touch with us.

Thanks again for all the partner feedback on how we can refine our program. We hope the new branding will aid our partners as we continue to gain more mindshare in the market place.

When I was initially building Scorpion Software, I interviewed all the major shipping organizations, to make sure I was selecting the best shipping provider for our business. After all, whomever I chose would become an extension of Scorpion Software, being the first thing our customers experience when they receive our products.

I ultimately decided to go with UPS because I knew I could count on them. They treated me with respect and didn't make me feel unwelcome. That was in total contrast from other carriers such as FedEx where they felt we were too small to be worth an actual face to face interview. And over the past year, the experience has shown UPS works really hard for us.

Recently though, I have had an experience that shocked me so much, I am starting to wonder if I made the right decision. Between US Customs brokerage/billing problems and poor delivery service, I am wondering if you as my customers are getting the service you deserve.

Today takes the cake. I recently ordered more gray pack (the gray envelope our product comes in), only to find that on delivery, it was torn to shreds, with the contents MELTED together from extreme pressure. I can't believe this. It's their own product, and it's being delivered to me like this.

That picture doesn't do it justice of just how ripped up this thing is. I can't believe the UPS driver would even leave it.

I'm concerned. If they are willing to deliver their own product in such a state, just how are our packages arriving to you? If you feel that UPS hasn't fulfilled their role as a trusted carrier of our goods, I want to know. Please send me an email to dana@scorpionsoft.com and include a picture of how your product has arrived. If it hasn't arrived in an acceptable state, I will make sure you are taken care.

Of course, if you feel UPS has gone out of their way to help you, I also want to know about it. My goal is to make sure your experience with our company exceeds your expectations. I welcome your comments and suggestions as to how we can improve your experience working with our company, our products and our partners. Including UPS.

I was pleased to see Eriq talk openly about how they secure RDP access with AuthAnvil over there, and I encourage you to go read the approach they took on his OnQ blog. I was really impressed with how he summed up the benefits he gets from AuthAnvil:

• Local access to the sever is still possible with the Administrator account and no security token.
  
• Remote access to the server is limited to the secondary administrative account, which also requires the use of a security token to successfully log in.
  
• The access logging in AuthAnvil gives me an accurate accounting of which of my staff accessed one of our support servers and when.
  
• When staff turnover occurs, access to remote systems is denied in a single step by disabling the employee's token in the main AuthAnvil system.

When you need to manage HR issues to remote client sites, AuthAnvil can work rather well. With no extra licensing costs on the number of servers or workstations the software runs on, it's rather easy to deploy strong two-factor authentication to limit your exposure to client networks. When staff change roles or turn over, by simply revoking their token at the central AuthAnvil SAS you simultaneously block them from accessing all remote sites. Never mind your own. Instantly.

Now you no longer have to be so reactionary when the HR incident occurs. You don't have to rush out to all client sites to change administrative passwords. That saves you a lot of money on non-billable time you would normally have to spend dealing with this issue. Many of our customers recoup the cost for AuthAnvil the FIRST time they deal with staff changes. Talk about a great ROI!

Thanks to Eriq for such a great post. And also to his other post where he praises us for our service:

It's clear to me that some vendors "get" service while others do not. Dana and the rest of the staff at Scorpion Software get it. They have embraced the SMB market, and even though their product is head and shoulders above the competition, they've not developed an attitude about it. I've learned a few things in my interactions with Scorpion, and I'm going to try to incorporate a couple of elements of those experiences into the way we run our operation, so that we can continue to provide outstanding service to the clients we work with.

Awww... you made me blush. We appreciate your business Eriq. And I am flattered that you feel that we are providing outstanding service. It's amazing what happens when you have a corporate culture that treats that as the norm, and not some foreign event.

I think that might come from the Strategic Objective that I set for my company from the on-set. I wouldn't normally share this with the world, but I think that this is a special case that warrants the openness. Here is the relevant paragraph from Scorpion Software's Strategic Objective:

Our mantra of "Custodit Nuntium" (Protect Information) is core to our Code of Ethics and we will put the protection of our customers before the protection of our profits, while still being responsible to our stakeholders in the business. The success of our company is through the success of our customers, and every aspect of our business will be focused on refining processes to achieve this.

I don't show you that to impress you, but impress upon you that this is what makes up our belief system here. Eriq isn't having a unique experience, and I am pleased to see he is successfully using our products to protect his own business, and that of his clients.

So the real question is, when are you going to start deploying AuthAnvil in the same manner? You can start by reading our AuthAnvil Multi-Site Configuration Guide.

It is an interesting approach, and very cost effective. (It's like a $1 a month for the new service). But is it strong enough? An adversary from a remote computer does not NEED the encrypted file to get in if he can answer the challenge questions. Questions you can ferret out with social engineering. Let's "face" it... it's not hard anymore to find out what school someone went to if they are on Facebook.

I applaud Google for making access to their online apps more difficult to gain access to with this new layer of defense. For the cost of the solution, it does reduce the risks to some forms of automated collection and attack. But I do not believe a motivated adversary focusing on a target will be deterred by the extra security question(s). You would be better off challenging them with a one-time-password generated from some 2FA server where a physical device has to be present for the login to occur.

If Google wants to make some real intersting inroads when it comes to adding strong authentication to it's premium apps, I encourage them to consider some of the other technology that exists out there like OpenID. In this way, credential management can be handled by other identity providers that might offer stronger solutions such as Cardspace or our own AuthAnvil Strong Authentication System. Heck even companies like Arcot (the company behind Google's new 2FA) could build support in as an OpenID provider to give the same level of authentication as we now see in this new system, but departmentalized so customers wanting stronger authentication could do so with other providers.

As more companies realize the benefits of online applications, on-demand authentication is going to become more interesting. Web apps will need to embrace departmentalized identity providers so that companies can manage their employee credentials across multiple, unrelated systems. Google had the perfect opportunity to embrace this in their apps. It is too bad they chose this approach.

It's an interesting question that I thought I would share with everyone. It's all about the "keyscape". Or in other words, the number of different possible permutations that can be produced by the token.

The calculation of a token's keyscape is represented mathematically using the formula X^N, where X is the number of possible values and N is the length of the password. As such, the potential keyscape of a 6 digit OTP is 10^6, or 1,000,000 possible values.

Now consider our token keyspace. We use an OTP that is 8 characters in length and is a combination of the English alphabet and the normal 10 digits that other token vendors use. That means an AuthAnvil token calculates out to 36^8, or 2,821,109,907,456 possible values. Yes, that's right. 2.8 TRILLION.

When we look at security here we balance usability and cost against the effective strength it will provide. It was our decision that we would rather pay double for a token that could offer SIGNIFCANTLY stronger OTPs, than to go cheap to save our customers a couple of bucks and expose them to more risk.

So there you have it. Consider how quickly a computer could brute force 1,000,000 permutations against 2.8 trillion. Add to it the 4 to 8 digit PIN that we also require that many other vendors do not, and you now see why it becomes extremely easy to make that decision. Yes, we make you type in TWO extra keystrokes and have to use more of the keyboard... but it seems like a small price to pay for the extremely high benefits from our approach.

Now to be fair, this doesn't mean that 6 digit OTPs are not strong. One-time-passwords are MUCH better than static reusable passwords at any reasonable length. But numbers don't lie. I'll take 2.8 trillion permutations any day.

How about you?

Harry was nice enough to get me a reprint PDF so you can see the column yourself if you don't subscribe to the magazine. You can download it here.

Thanks Harry!

Sales Associate

Department: Sales
Posting Date: January 2008
Reports to: VP of Sales
Job Location: Chilliwack, BC, Canada

Job Summary:
Our goal at Scorpion Software is to make strong authentication and identity assurance accessible and usable for small business. As a Sales Associate you will help customers understand how Scorpion Software can help them to reduce the risk of unauthorized access to privileged information assets, and show them how we can remedy their pain points as it relates to remote access.

This role is responsible for growing the sales of our AuthAnvil solutions worldwide. This role will create and manage the business sales and development process, and includes finding new customers, developing and training them in the use of AuthAnvil, working on opportunities with partners and assisting them to close business.

Key Responsibilities:

• Drive new customer and partner development and sign-ups.
  
• Drive product promotions and programs.
  
• Identify and cultivate sales growth opportunities in existing accounts as well as new accounts.
  
• Create and analyze sales reports, identify issues contributing to success or shortcomings and take any corrective action.
  
• Accurately report sales activity and forecast sales.
  
• Support partners in appropriate sales opportunities.
  

Preferred Job Skills:

• Possess a strong understanding of the sales process.
  
• Proven track record of achieving sales targets.
  
• Detail orientated with strong follow-up skills.
  
• Strong negotiating skills with ability to close sales.
  
• Excellent communications skills, both verbal and written.
  
• Ability to be productive in a globally distributed team through self-discipline and self-motivation.
  

Special Considerations:

• Flexible work hours ideal for a parent with children in school.
  
• Opportunities to telecommute on a semi-regular basis.
  
• Deep technical knowledge NOT a requirement. We will provide training.
  
• Profit sharing commission structure above normal remuneration.
  

Candidates interested in an opportunity to learn, be challenged and strive for excellence are encouraged to apply. Any interested parties should submit their resume by email before January 31st, 2008 to iwannawork@scorpionsoft.com. We thank all those who apply. However, only those candidates selected for an interview will be contacted.

She also blogged how you can try to get the information manually. Not as pretty. And doesn't offer you clear visualization of the events.

So if you want to know WHO is coming into your network via RWW, WHERE they are coming in from, and WHEN they do it, check our RWW-Guard. It's a great tool for this sort of thing, and allows you to add strong authentication to boot (assuming you have a SAS like AuthAnvil)!

Some of the sessions are going to be very interesting. From virtualization and backups to access control, there is quite a bit to learn from when it comes to mitigating risk in the face of disaster. There is something for everyone, and is an event you shouldn't miss.

The format is quite interesting as well. This isn't about slidedecks and single people speaking TO the audience. It's about a leadership panel that communicate WITH the audience to answer questions and explore issues facing our organizations today.

If you are going to be going down, let me know. Maybe we can hook up during the conference, or go check out the jazz scene in the evening. If you would like some personal one-on-one time to discuss AuthAnvil, drop me a line and we can set something up.

Just to keep a heads up. Yesterday in our newsletter there was some information on joining the RWW-OTP beta. I want to personally thank everyone who has replied to that call... its been overwhelming. So overwhelming in fact that I simply can't answer each and every one of you in what I would consider a responsible time frame.

I have received your request, and have added you to the list. Although I haven't responded, that doesn't mean you are not in. Before the end of the month I will add a new forum for RWW-OTP and those who are chosen for the closed beta will be emailed with information on how to log on.

Looks like RWW-OTP has more early interest than we originally thought. Thanks again for all the responses. We want as much community involvement as we can get, and we want to include as many of you as we can. Our goal is to get great testers with tonnes of great feedback on how to make the product better.

Lately, I have been going through that when people download the Firewall Dashboard with SOME versions of Internet Explorer. I say some versions, as many people don't have problems. I can't explain it, its just crazy. When someone would download the file and be prompted to save it, it wouldn't include the *.exe extension. So when complete, the file would SEEM to be corrupt, when all that was wrong was that it had to be renamed with the exe extension.

Talk about frustrating.

Anyways, this morning we got another 3 reports of it and I said that was enough. So I called up a dev friend of mine and we went through the headers line by line trying to see what was different between different versions of IE and a browser that always worked (aka Firefox). Ends up that some patched versions of IE deal with the content-type differently, as well as the content-disposition. Oh what a headache.

Long story short, we were able to FINALLY figure out the problem, and have now updated the Download Manager. As such, customers should no longer have any problems downloading exe files from our servers. If you do, PLEASE let Customer Support know right away.

Some insights from those interactions:

• Linksys routers suck. Two different people came to me with similar network problems that Susan Bradley saw when she first installed the Firewall Dashboard. Boat loads of router packets banging on the SBS box. When you go into the configuration, even though dynamic routing is turned off, it is STILL SENDING the packets. Wow. That's ugly.
  
• Fortinet SAYS they support WELF, but it's their own version of the standard. It is a very subtle difference, but enough that our current WELF parser will not accept it. As a result, I am going to write a new parsing plugin using a more "generic" WELF format that will be a little less aggressive in the regular expression parsing of the data. This will then support Fortigate firewalls natively, and other firewalls that aren't so strict with following the WELF standards.
  
• I am impressed with some of the deployment scenarios I am seeing in the field that we don't currently support. My favorite is pointing multiple ISA servers to log to a single remote SQL server source. Removes the overhead in MSDE on the SBS box, while allowing correlation of multiple logging sources. I like it so much, that we already have an alpha build of a remote SQL server parsing plugin. We hope to have a beta for it next week.
  

I received some interesting feedback through this process. And I found it a lot of fun interacting with potential customers at the conference in this manner. Thanks to SMBTN for asking me to come down. It was a great experience.

I loved hearing from Amy Babinchak (ISA MVP) on her blog that:

Fellow MVP Dana Epp has created a useful add-on tool for ISA. It's a Firewall Dashboard application that takes the ISA logs and presents the information in an easy to use graphic format. You can also configure it to send you a report on your firewall activity daily. It's a nice addition to the native monitoring tools built into ISA. I've been using the Beta and have found it easy to install and the reports easy to configure and understand. You'll learn things you never knew about your firewall. Why didn't you know? Because you weren't looking. Scorpion Software's Firewall Dashboard makes it easy to look.

Great point Amy! The information is there. But when you have thousands and thousands of firewall events, how do you find out what really matters? Thats exactly what the Firewall Dashboard is for.

Susan Bradley (SBS MVP) had some kind words to say too:

Today [Dana's] gone from being a security friend and guru, to a Small Business Security guru. It's cool to see [Firewall Dashboard] come to the marketplace. I find that it adds a great deal to my already daily routine of my morning email.... in the next phase, SBS 2003 R2 will give me "green checks" in my daily email. But today, I get blue magnifying glass every day at 6 a.m that keeps me aware and is part of that "hardening me" the business owner process.

Being called a guru by Susan is a treat in itself. But being called a "Small Business Security guru" by the SBS Diva herself... wow.

So where to now? Well, with the blue shield with the magnifying glass now out, its time to go to the black shield with the radar on it. What's that you ask? You will have to wait and find out. Some of you will be invited to the private beta soon enough. :)