[SecurityRatty] tag: consortium

Google's Android seeks mobile-security gurus

Thu, 21 Aug 2008 09:00:00 +0000

The invitation means Android will likely get a thorough review from developers outside the consortium of companies already contributing to the platform's development.

Digital Cash in Iraq

Mon, 11 Aug 2008 08:53:52 +0000

Smart cards have still never quite taken off across the US, and at this point its fair to wonder if they will or if they will be eclipsed by phones or some such, but smart cards sure are big outside the US. One of the most interesting applications is of course digital cash and transaction processing. Net1 UEPS (ticker: UEPS) out of South Africa appears to be the leader here having built a $1.2B business out of this model. there are lots of regions in the world where people are underbanked or unbanked altogether and where its dangerous to have too much cash. I blogged about this earlier on Beer, Shotguns and Digital Cash.

Now Net1 UEPS is in Iraq as well:

The first UEPS transaction was performed on Sunday, August 3, 2008, in Baghdad, Iraq, during the official launch of the UEPS smart card technology with the two state banks namely, Rafidain Bank and Rasheed Bank.

The official launch, attended by invitees from Rafidain Bank, Rasheed Bank, the Iraqi Government, War Victim Ministry and Martyrdom Ministry, demonstrated smart card registration, biometric enrolment and issuing of UEPS cards, offline loading of wage payments and government grants to the UEPS cards and dispensing of cash.

The pilot project involving 100,000 beneficiaries is now ready for implementation across selected bank branches and will enable the distribution and payment of government grants to war victims and martyrdom beneficiaries, as well as salary and wage distribution and payment to employees of the two state banks.

Brenda Stewart, Net1 Senior Vice President Sales and Marketing, said, "From the entire team at Net1, we congratulate the Iraqi consortium on this historic achievement and look forward to the successful implementation of the various projects already identified for implementation, as well as the projects currently in business development. Net1 is proud that the development of its core technology, from which it creates end-user products that satisfy the requirements of its customers, can change the way business is conducted leading to the improvement of people's lives. We share the belief of our Iraqi partners that our technology can play a fundamental role in the upliftment of the economy. The success of any technology should be measured, not only by the profits it generates for its inventors, suppliers and users, but also by the difference that it makes to the lives of people," Stewart concluded.

I think there are lessons to be learned here wrt data and message level security. Net1 UEPS is a good example a of system carrying valuable assets across hostile terrain, web security architecture can learn a lot from this model.

P.S. If you are a Joel Greenblatt geek - UEPS is a magic formula stock (meaning they make cash and are priced cheaply) last time I checked.

CTW Library Consortium Computers Containing A Database Breached By Hackers

Tue, 29 Jul 2008 06:46:24 +0000

Two computer servers containing a database of Connecticut College, Wesleyan University and Trinity College library patrons were accessed by hackers, Connecticut College officials said Friday. The database included the names, addresses, social security and driver’s license numbers. The personal information on the servers belonged to 12 Wesleyan University library patrons, approximately 2,800 Connecticut College library [...]

Private Details Available For Months On The Centers For Osteopathic Research And Education Website

Mon, 28 Jul 2008 13:57:34 +0000

The Centers for Osteopathic Research and Education (CORE) at Ohio University removed a Web document last week that inadvertently contained personal information belonging to individuals who have provided academic programming for the medical education consortium. CORE is an osteopathic medical education consortium comprising member teaching hospitals, clinical training sites and osteopathic medical schools. The Ohio [...]

SSO Summit Day One Morning Session

Thu, 24 Jul 2008 09:35:02 +0000

I am at the SSO Summit, high in the Colorado mountains (9200 feet elevation to be exact), the I-70 West sign is one of my favorite road signs. Ping Identity has done a great job putting this together. It is the perfect size around 125 people. Most of the best conferences I have been to have been around 60-150 people. There are a *lot* of enterprises involved here.

John Haggard who has an extensive background in SSO and lately is at Passfaces kicked off the sessions with a SSO history talk. Going through a lot of mainframe centric SSO protocols from the 80s and 90s, I am no expert in these areas and it was fascinating to see the way things vacillated between strength and weakness of SSO protocols.

A couple of points from the presentation:

The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.

SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.

Phishing has always been completely avoidable

He went through the various incarnations of mainframe SSO from logon id through things like ACF2, VTAM Session managers, terminal emulators, multiplatform access to web access through facades. The implication he drew from this last step are well worth repeating: "Time to rethink everything." Problem is - of course, people don't rethink, they put MQ Series in front of the mainframe and hook a web app in front of that and go.

Finally, he connected some interesting dots to SAML and SOA security issues.

SSO without strong auth is and always will be simply nuts

SAML gets its right

His points around common weaknesses in integration in SOA and Web 2.0 technologies for companies that are *not* using SAML were excellent. Of course, I will go into some more details on this tomorrow.

Ping's CTO Patrick Harding took the stage and gave an overview of the next generation of SSO options from Kerberos to present and as is his wont demonstrated various real world strengths and weaknesses, quoted a Gartner analyst (shock!) saying OpenID is the hare and Cardspace is the tortoise. Nice.

Andrew Cameron from GM is speaking now on GM's experiences implementing SSO, and there are a lot of real world lessons learned in his presentation. Plus my favorite identity architecture, user has Kerberos, services speak SAML. very nice, very scalable. All in all, its my starting point for how to identity in an enterprise. He also spoke about a pet peeve of mine - how to globalize authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal either for vendor lock in reasons and/or for sloppy authorization design. This will take a LIberty-esque consortium of enterprises to resolve.

So many conferences are dominated by vendors and consultants who conspire to what I call the "sacred church of things YOU should be doing." Instead this conference is bringing together a great mix of real world in the trenches practitioners who have problems to solve today, with rubber meets the road deployable solutions and an eye towards longer term strategy for SSO and identity.

Massive Coordinated Patch Effort To DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

The DNS client and server patch in today's Microsoft monthly patches wasn't just a Microsoft problem. It was part of a coordinated effort to patch numerous DNS servers for a series of problems that are common to DNS implementations. The US-Cert advisory on the problem describes three problems which, research has shown, can be combined into effective spoofing attacks:

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of Internet Systems Consortium (ISC) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

Massive Patch Effort Coordinated for DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

The DNS client and server patch in the July 8 set of Microsoft monthly patches wasn't just a Microsoft problem. It was part of a coordinated effort to patch numerous DNS servers for a series of problems that are common to DNS implementations. The US-CERT advisory on the subject describes three problems that, research has shown, can be combined into effective spoofing attacks:

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND Version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the companies that have vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of ISC (Internet Systems Consortium) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

Massive Patch Effort Coordinated for DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND Version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the companies that have vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of ISC (Internet Systems Consortium) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

Qlusters Out of Business

Mon, 07 Jul 2008 18:00:07 +0000

Sarah let us know that Qlusters had “bitten the dust” after we mentioned the company in relation to Groundwork OpenSource last week. Thank you, Sarah!

What are the signs that a systems management company is going out of business?

a) they abandon their open source project, which was supposedly tied to their commercially supported version

b) they switch CEOs very very quietly

c) they are an “open source” company trying to actually make money (via paying customers, not VC)

d) all of the above

Amazingly, Qlusters blew through $34 million of capital, the last $10 million just in the past year. If you remember, these are the guys who were first proprietary software, then decided to go open source, then tried to figure out a revenue model off of open source plus relaunched proprietary software. Phew. In the same year (2006), they said they didn’t compete with the Big 4, just integrated with them, and then said they in fact did compete with the Big 4. Very confusing externally – wonder what it was like internally…

Does Qlusters going out of business put more pressure on the other open source systems management players to prove they can actually make it as a business? To prove that their business model can actually make money? To prove to their VCs that there will be a return on all those millions that were invested?

Can someone tell the Open Management Consortium?

Actually, now I’m wondering why this hasn’t been reported more in the media. Just called the company main line and support line and got recordings to leave a message. Hmm. When do you know that a company is officially dead??

ShareThis

Same Letters, New Acronym

Fri, 27 Jun 2008 08:50:12 +0000

On 26 June, Cisco, IBM, Intel, Juniper and Microsoft announced the formation of the Industry Consortium for the Advancement of Security on the Internet (ICASI). The major goal of the consortium is to be a forum where technology vendors can work together to share information and address new threats that have common impacts across their product lines. This is markedly similar to the goals of another consortium that all five vendors belong to, the Information Technology Information Sharing and Analysis Center (IT-ISAC), established way back in 2001 and largely ineffective.

There are some differences, though. ISACs were always U.S.-centric with the U.S. government trying to be involved. ICASI is supposed to be more global, but since it is being established by North American vendors, there is no real difference there, but at least it is government-neutral. The IT-ISAC had many member companies that were security product vendors and security services vendors, while ICASI is currently limited to five of the biggest infrastructure vendors, with Oracle and Sun and any telecom vendors noticeably missing.

Back in 2001, I commented that the IT-ISAC could make a difference only if it was driven by the vendors' corporate security officers, not by product managers, and if it focused on inward-looking improvements in security and not outward-bound marketing and press releases. The IT-ISAC never really met those goals and was largely ineffective. ICASI will have to take the same behind-the-scenes focus, or it will end up being just another multivendor acronym that goes nowhere.