
PingTalk Blog

(Updated April 10 to include link to corporate statement)

While the OpenSSL Heartbleed bug continues to feed a patching frenzy across the Internet, those using PingFederate, PingOne and/or PingAccess can rest easy.

None of our platforms is vulnerable to the bug. No updates or patches are required. Customers that share certificates across platforms and applications, however, should exercise due diligence on their non-Ping platforms.

Ping's Security Engineering team confirms that PingFederate does not use the affected software. In the interest of transparency, customers should note that we do distribute and use OpenSSL with our Apache Integration Kit for Windows; however, our package does not contain the vulnerable code, we do not use it to serve HTTPS, and the affected functionality is not exposed.

Our Apache Integration Kit for Linux depends on the operating system's OpenSSL library, which we use but do not distribute, and again we do not use that library in a way that is exposed. PingFederate may, however, be exposed indirectly when a PingFederate configuration incorporates certificates created or used by another application or platform that has been compromised, e.g. a shared certificate. In practice, any certificate whose private key was ever served by a vulnerable OpenSSL build should be treated as potentially disclosed and reissued, not merely patched around. Follow our recommendations listed here.

In addition, Beau Christensen, Ping's director of infrastructure operations, confirmed that Ping Identity's cloud services, notably PingOne, are not affected by the Heartbleed vulnerability. He said that as a precautionary measure, "we are forcing credential updates across all systems, and are rotating public certificates and keys." His full report is available here.

Also, the engineering team for PingAccess, our mobile, Web and API access management platform, confirmed it was not affected by the bug.

Brian Whitney, Beau Christensen, Paul Marshall, Stephen Edmonds, Andrew King, Bill Jung, Yang Yu and John Fontana contributed to this blog.


The Heartbleed bug landed an MMA-style left hook on the Internet's security jaw this week. Zulfikar Ramzan, chief technology officer at Elastica, says Heartbleed cast a shadow over beliefs that the Internet is safe for transactions. "For people to be able to transact with confidence online, they had to believe that SSL was sacrosanct." Sadly, it was not.

John Biggs: Heartbleed, The First Security Bug With A Cool Logo
Heartbleed was one of the first "branded" exploits, a computer bug that has been professionally packaged for easy mass consumption. How did that happen?

xkcd's stick-figure look at Heartbleed
Exploits aren't funny, but in the stick-figure world anything is fair game.

To stem the bleeding, read on...

If there was any doubt that it's a bad idea to hard-code a default password in firmware, especially a password that is the same as the name of the product, then look no further than Philips to end the skepticism. The result: it takes no skill to "hack" 2013 Philips Smart TV models.

Turn off the TV and read on 

For the last two decades, authentication has been limited to the use of static passwords and token/One-Time-Password (OTP)-based solutions.

That limit needs to be lifted in order for businesses to minimize risk; to secure end-users' data, privacy and identity; and to free the mobile computing revolution to meet its lofty expectations. Current authentication techniques can't hit those high-water marks.

Forrester Research analyst and IAM expert Eve Maler takes a look at some of the variables presented in secure authentication when looking through the lens of the "Age of the Customer." Maler says companies need to up their game in authentication strategies and take on "usability vulnerabilities" with the same gusto they tackle security vulnerabilities.

Read on for more topics we took on this week.

In three years, you will no longer log into a website directly. Mobile authentication and single sign-on will become commonplace. For the first time since the mid-1990s, we will start to experience fewer passwords than the password proliferation we endure today. Federation will, for the first time since the early 2000s, begin to link and consolidate our identities faster than we're able to fragment them.

This past week we announced the acquisition of accells technologies, a mobile identity and multi-factor authentication company out of Israel that has developed some incredible technology we'll be sharing with all of you very soon!

I've always believed that identity will one day converge around our mobile devices, but there are a number of things about this acquisition that have me really excited right now.

Is Fin's Bluetooth ring the future controller in the Internet of Things world? You be the judge. The company says, "Fin is a trendy gadget you can wear on the thumb and make your whole palm a digital touch interface." Can this device go from trendy to mainstream and become the centerpiece for running all connected "things"? The company more than doubled its Indiegogo goal, raising more than $200,000. Will initial interest give rise to great success or sore thumbs?

More from the IoT file:

Kyle Vanhemert: Needy robotic toaster sells itself if neglected
His name is Brad, and he's an addict. And a toaster. What if the smart objects of the future aren't just smart, but also potentially jealous, petty or vindictive?

Butter your toast and read on.

Mozilla tried and tried to catch fire with a federated identity service called Persona but could never get the big email providers to buy in and take it global. Persona's goal of having half of the Internet on Persona by the end of last year did not materialize. Chris Duckett reports that the project has been handed back to the Mozilla community, although Mozilla intends to continue support for Persona and is not looking to shutter the service in 2014.

Read on for other items of interest

The first casualty of the Target breach is the company's highest ranking technology executive. Beth Jacob, chief information officer and executive vice president for technology services, announced her resignation from the retailer, which publicly confirmed in December that credit and debit card information for 40 million of its customers had been compromised. Target also said on Wednesday that it would create a high-level position to focus on web security.

Networks have their honeypots to trap bad guys and now security administrators could get something sweet to root out password breaches.

"Honeywords" are false passwords that set off alarms when hackers try to use them to break into accounts.

"It's not a big idea, but it's a good idea," Ronald Rivest, a Vannevar Bush professor of computer science at MIT, told the audience Wednesday at the RSA Conference during his session, "Honeywords, A New Tool for Protection from Password Database Breach."

Rivest is one of the developers of the Honeywords technique.

It works like this: several false passwords, the honeywords, are stored alongside the user's real password, so each account carries a list of candidates rather than a single hash. If the password file is stolen and the hashes are cracked, the thief recovers the whole list but cannot tell which entry is the genuine one. A separate, hardened component records only which position in each list is real; if the attacker signs in with one of the false passwords, that component raises an "alarm" to alert IT that the password file has been compromised and someone is trying to use it to break into the account.
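The following is an added illustration of the honeywords scheme described above, written for this page; it is not code from Rivest's talk or from Ping. It models the two pieces the technique needs: the login server's password file, which stores k salted "sweetword" hashes per user with the real one shuffled in among decoys, and the honeychecker, which holds nothing but the index of the real entry and raises an alarm when a decoy is presented. The decoy generator, the user name "alice" and the password "hunter2" are assumptions made for the example.

```python
"""Honeywords (Juels & Rivest): decoy passwords stored beside the real one,
with a separate 'honeychecker' that alone knows which index is genuine.

Added example for illustration; not code from the original page.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import random
import string
from dataclasses import dataclass, field

ITERATIONS = 50_000          # PBKDF2 work factor; raise for production use
_rng = random.SystemRandom()  # CSPRNG for decoy generation and shuffling


def _hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash, as a real password store would use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_decoys(real: str, k: int) -> list[str]:
    """'Chaffing by tweaking': k-1 decoys that differ from the real password
    only in the last few characters, so a cracker sees equally plausible entries.
    (Assumed generator for this example; stronger chaffing exists.)"""
    if not real:
        raise ValueError("empty password")
    tail_len = min(3, len(real))
    alphabet = string.ascii_lowercase + string.digits
    decoys: set[str] = set()
    while len(decoys) < k - 1:
        tail = "".join(_rng.choice(alphabet) for _ in range(tail_len))
        candidate = real[:-tail_len] + tail
        if candidate != real:
            decoys.add(candidate)
    return sorted(decoys)


@dataclass
class HoneyChecker:
    """Hardened auxiliary server. Stores only user -> index of the real sweetword;
    it never sees passwords or hashes, only small integers."""
    index: dict[str, int] = field(default_factory=dict)
    alarms: list[str] = field(default_factory=list)

    def set_index(self, user: str, i: int) -> None:
        self.index[user] = i

    def check(self, user: str, i: int) -> bool:
        """True if index i is the real password; otherwise record an alarm."""
        if self.index.get(user) == i:
            return True
        self.alarms.append(user)  # a honeyword was used: the file is compromised
        return False


@dataclass
class PasswordStore:
    """Login server's password file: per user, a salt and k sweetword hashes."""
    records: dict[str, tuple[bytes, list[bytes]]] = field(default_factory=dict)
    checker: HoneyChecker = field(default_factory=HoneyChecker)

    def register(self, user: str, password: str, decoys: list[str] | None = None, k: int = 5) -> None:
        sweetwords = list(decoys if decoys is not None else make_decoys(password, k))
        sweetwords.append(password)
        _rng.shuffle(sweetwords)  # real password lands at a random position
        salt = os.urandom(16)
        self.records[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Return 'ok', 'fail' (no sweetword matched) or 'honeyword' (decoy used)."""
        if user not in self.records:
            return "fail"
        salt, hashes = self.records[user]
        h = _hash(attempt, salt)
        matches = [i for i, stored in enumerate(hashes) if hmac.compare_digest(h, stored)]
        if not matches:
            return "fail"
        # Only the index crosses to the honeychecker, never the password.
        return "ok" if self.checker.check(user, matches[0]) else "honeyword"


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "hunter2")
    print(store.login("alice", "hunter2"))   # ok
    print(store.login("alice", "letmein"))   # fail
    print(store.checker.alarms)              # []
```

The value of the scheme rests on two points visible in the code: the honeychecker must run on a separate, hardened system, because an attacker who steals both the password file and the index table learns the real password at once; and the decoys must be plausible, since a cracker who can guess which list entry is the "human" one gets no alarm. Response policy is a deployment decision (lock the account, force a reset, or let the login proceed and monitor), but the alarm itself is the signal that the password database has leaked.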