Monthly Archives: December 2009

I smell “Phish”!

There are more and more options for synchronization of passwords between Notes, HTTP, LDAP and/or Active Directory environments.  As you may know, one form of “phishing” attack is one in which a seemingly authentic email is sent to a user requesting that a password and other user information be sent back to the sender.  The sender then takes that information and uses the userid/password information to authenticate to user accounts and send out spam (in the best of cases).  If a user replies with credit card information, well then of course…it’s a shopping spree!

After a recent phishing attack in which some of our users responded with their LDAP passwords, it occurred to me that it was a really good thing that we don’t synchronize our Notes.id passwords with our LDAP passwords.  Those individuals who responded were primarily IMAP or web users.  And the Notes client users remained off the radar screen of the phisher (at least for now!).

Of course, as phishing attacks become more sophisticated this could change.  But I was imagining a situation where the Notes.id password and Windows authentication password were synchronized, and the phisher was able to obtain access to the individual’s workstation.  Is the decision to set up password synchronization for the sake of single sign-on or for simplifying processes for a user’s sake justified?  Or maybe I’m oversimplifying the whole process and giving a phisher too much credit?

Perhaps the message here is to err on the side of caution, and confirm that additional key structures, authentication services, and firewalls are in place.  Of course there is the little security nightmare of users using the same password across most systems anyway, or having it written conveniently somewhere on a Post-it® note!  So, don’t assume that a password is secure enough to protect users from themselves and a little phish.

More love for Lotus Notes Traveler!

I blogged earlier this week about our implementation of Lotus Notes Traveler.  We sent around a notice today to all faculty/staff regarding the availability of Traveler in the university’s daily electronic newsletter.

For a Friday, and the last day of exams, we’ve added eight (twelve as of last check) new users.  Or let me rephrase that.  They added themselves, with almost no interaction from the support staff.  Which is just goodness all around, wouldn’t you say?!  We’re hoping that the faculty and staff will find this a useful tool over the university’s two-week winter break.

Our internal marketing team (thanks to Gary Garbett and Sam Kennedy) also came up with a super graphic for use on the web page which I’d like to share here!

Notes Traveler 8.5.1 – iPhone Directory Lookup

As we have lots of Apple devices in our environment, we were eager to install Notes Traveler.  We installed Traveler 8.5.1 over an existing Traveler 8.5 server.  The install went smoothly, and Windows Mobile users connected and installed the new cab files.  Our iPhone users were able to connect – and they simply LOVE Traveler!  However, during our test phase, we discovered that the Domino Directory lookups were not completing as expected on the iPhone. No directory data was being returned at all, and the request was timing out. 

Lotus Support suggested the following:  Shut down Traveler.  Rename the NTSConfig.xml file to NTSConfig.bak and restart Traveler.  This recreates the NTSConfig.xml file from the original template.  Once we did that, the Directory lookup was fully functional.

Additionally, further information about the customization of the NTSConfig.xml file can be found here if you need to customize those fields to be included in the Domino Directory lookup.