[SecurityRatty] tag: defines

OAuth for Secure Mashups

Tue, 18 Nov 2008 14:41:00 +0000

Posted by Eric Sachs, Senior Product Manager, Google Security

A year ago, a number of large and small websites announced a new open standard called OAuth. This standard is designed to provide a secure and privacy-preserving technique for enabling specific private data on one site to be accessed by another site. One popular reason for that type of cross-site access is data portability in areas such as personal health records (such as Google Health or Microsoft Healthvault), as well as social networks (such as OpenSocial enabled sites). I originally became involved in this space in the summer of 2005, when Google started developing a feature called AuthSub, which was one of the pre-cursors of OAuth. That was a proprietary protocol, but one that has been used by hundreds of websites to provide add-on services to Google Account users by getting permission from users to access data in their Google Accounts. In fact, that was the key feature that a few of us used to start the Google Health portability effort back when it was only a prototype project with a few dedicated Googlers.

However, with the development of a common Internet standard in OAuth, we see much greater potential for data portability and secure mash-ups. Today we announced that the gadget platform now supports OAuth, and the interoperability of this standard was demonstrated by new iGoogle gadgets that AOL and MySpace both built to enable users to see their respective AOL or MySpace mailboxes (and other information) while on iGoogle. However, to ensure the user's privacy, this only works after the user has authorized AOL or MySpace to make their data available to the gadget running on iGoogle. We also previously announced that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs. In fact, since both the gadget platform and OAuth technology are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards. Once that is in place, these new OAuth-powered gadgets that are available on iGoogle will also work on those other sites, including many of the gadgets that Google offers for its own applications. This provides a platform for some interesting mash-ups. For example, a third-party developer could create a single gadget that uses OAuth to access both Google OAuth-enabled APIs (such as a Gmail user's address book) and MySpace OAuth-enabled APIs (such as a user's friend list) and display a mashup of the combination.

While the combination of OAuth with gadgets is an exciting new use of the technology, most of the use of OAuth is between websites, such as to enable a user of Google Health to allow a clinical trial matching site to access his or her health profile. I previously mentioned that one privacy control provided by OAuth is that it defines a standard way for users to authorize one website to make their data accessible to another website. In addition, OAuth provides a way to do this without the first site needing to reveal the identity of the user -- it simply provides a different opaque security token to each additional website the user wants to share his or her data with. It would allow a mutual fund, for example, to provide an iGoogle gadget to their customers that would run on iGoogle and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a social security number or account number. In the future, maybe we will even see industries like banks use standards such as OAuth to allow their customers to authorize utility companies to perform direct debit from the user's bank account without that person having to actually share his or her bank account number with the utility vendor.

The OAuth community is continuing to enhance this standard and is very interested in having more companies engaged with its development. The OAuth.net website has more details about the current standard, and I maintain a website with advanced information about Google's use of OAuth, including work on integrating OAuth with desktop apps, and integrating with federation standards such as OpenID and SAML. If you're interested in engaging with the OAuth community, please get in touch with us.

OAuth for Secure Mashups

Tue, 18 Nov 2008 14:41:00 +0000

Wee-Fi: Routing Out an Address; Badger-Fi

Fri, 12 Sep 2008 07:34:26 +0000

Slashdot breathlessly posts an item by coderrr that Skyhook Wireless is exposing people's addresses: Yeah, whatever. Skyhook has accidentally offered an API that lets you query their Wi-Fi positioning system for latitude and longitude using a MAC address. Skyhook constantly drives major cities around the world and integrates scans created by users of their systems as well. The poster defines a non-existent problem: first, a scammer needs to get someone's MAC address; then you need to pair a rough lat/long with their street address; then, coderrr says, you'd get a phishing email with your home address. Whatever. If my machine is compromised enough that you can obtain my MAC address and then launch a phishing attack, I have worse problems already than my street address being in the email--which is unlikely given that most Wi-Fi scans will be in urban areas. It's likely Skyhook will modify their systems to prevent submission of such queries, or perhaps open their API further.

Madison Wi-Fi network sold to Atlanta firm: Xiocom purchases Mad City Broadband, a firm that has suffered significant criticism over the performance of its Wi-Fi network in Madison, Wisc. The press release from Xiocom (some quoted in the Badger Herald article) are a bit over the top about a network that reportedly has few users, inconsistent performance, and covers only a fraction of the city.

Don't Mix MX And CNAME Records

Wed, 10 Sep 2008 04:59:33 +0000

An ambiguity in RFC 2821, which defines how email should be delivered, causes problems for some users, according to Ferris Research. In their first blog on the subject they relate a story of someone (names are expunged to protect the innocent from embarrassment) who decided to configure his DNS with both an MX record (which advertises the mail server) and a CNAME record defining where the web server was. More specifically, the CNAME defined "the-domain-in-question.com." to be "www.the-domain-in-question.com", the IP address of which was defined in a separate A record. After this, Mr. Anonymous's e-mail wasn't consistently reaching the mail server anymore. Some external servers were no longer finding the mail server. The problem turns out to be that when a server has a CNAME record some sending mail servers will attempt to connect to that and not to the server pointed to by the MX record. So in the example, the outside mail was being sent to the web server, which of course didn't respond to it. The problem, says Ferris, is in an ambiguity in RFC 2821. They have a point. The SMTP standard seems to recommend against mixing CNAME and MX records, but it doesn't prohibit it, and it's unclear on how the server should behave when it finds both. Bottom line: Don't mix them.

More on Why Routing is Not Complex Event Processing

Thu, 04 Sep 2008 05:38:58 +0000

Interestingly, CEP is Not BPM, BAM, BRE, BRMS or SOA stimulated many great comments and the rebuttal Smart Order Routing and CEP - Made for Each Other. James Taylor responded with Business rules, decisions and events. I followed up with CEP is Not Low Latency Messaging, EAI or ESB and James replied in turn with Still More on Event Processing. It’s great to see the blogosphere doing so well. Continuing, I would like to discuss smart order routing (SOR) a bit more and why routing is not CEP.

First of all, let’s ground the discussion a bit by translating “smart order routing” to “rule-based message routing” since in this application “smart” translates to “using rules” and “order” translates to “message”. Basically, Mark (and other “new on the routing scene” stream processing players) argue that rule-based message routing is CEP. I will argue that routing is not even close to CEP. Here is why,

Let’s take a look at a router on the backbone of the global Internet. A backbone router has very sophisticated software developed over many decades. These routers run sophisticated, mature algorithms to determine how to route messages (packets) and use these algorithms to build complex routing tables.

In addition, these routers process messages (packets) from countless sources and route messages (packets) to countless destinations. Using some of the terms in early posts (above), there is a great “confluence of events” processed by routers. Futhermore, there are normally quite complex authentication, authorization and other security parameters managed in a router, all in real time. Routers do much more, but I don’t want to get too deep into routing in this post.

My point is that, without any doubt, global Internet routers process very “cloudy” “confluence of events” with much more sophistication than order routing applications. However, we do not call Internet routing “CEP”, regardless of how many connections are processed or how much sophisticated processing occurs. The reason is because the “C” in “CEP” defines a complexity that is at a higher abstraction than messaging and routing.

If you study the literature on CEP, some of which I posted recently, CEP was envisioned to solve complex event processing problems “on top of the routing layer” because the routing layer is a mature technology layer. We can route, pure and simple. Of course, we are always seeking faster, more scaleable and more secure routing.

I admire some of the startups in the CEP/ESP/EP space for working hard to make money and for aggressively positioning their products and attempting to build market share. However, issues surface when these same companies seem to believe they are the first companies to work in the event processing or message routing space and that they can define whatever they want as “complex event processing” as long as it benefits their sales targets.

There is no doubt that a router does much more sophisticated event processing than the new rule-based stream processing systems running continuous queries across streaming data. There is no doubt that a router processes a complex “confluence of events”. However, we don’t call routers “CEP”.

We do not call routers “CEP” because CEP is about a higher level of knowledge processing. CEP was created to detect the “complex events” that happen above the mediation and routing layer. The literature and original examples on CEP are quite clear on this.

McIrony: An unexpected response from McAfee

Sat, 30 Aug 2008 09:04:00 +0000

Irony: incongruity between what might be expected and what actually occurs.

Right before Black Hat, I put together what I believed was a pretty strong arguement against McAfee Secure - Hacker Safe, at a level heretofore unexplored. I believe it was more damaging than anything I've said to date, and as such, presented potential risk for me. So I ran it by some friends before publishing it. Then a most extraordinary thing happened. I had a long chat with Nate McFeters, who described an awakening he'd recently experienced. He shared with me the belief that a better approach to potentially negative security research might be to try to create a positive outcome, and worry less about press cycles or exposure, the 15 minutes of fame if you will. He pointed to people like Mark Dowd as an example of people who conduct crushingly good research, and steer clear of the petty, ego driven bulls**t.
There I sat, repose like the thinking man, frozen for minutes. "Nate", I said, "I think you're right."
What do I aspire to as an information security professional; more readership or street cred than the next guy, or the respect of my peers for contributing to the greater good? Attention, press cycles, 15 minutes...it all has its allure, trust me on this.
But at the end of the day, I really do want to contribute to the greater good.
So I did something different. I sent my findings to McAfee and offered them an opportunity to respond, rather than publish first, ask questions later.
Here's the real kicker.
They responded.
I had a three hour lunch this past Thursday with two gentlemen from McAfee, who flew up from the Bay Area to Seattle to have a face to face with me. This, all by itself, speaks volumes to me. In addition to meeting with Kirk Lawrence, the new Director of Product Management for McAfee Secure, there I sat with, of all people, Joe Pierini, the very guy who has suffered more than his share of abuse, up to and including the Pwnie. As I have been a direct contributor and participant in heckling Joe, you can imagine our meeting could have been uncomfortable. It was not.
I have had expectations of McAfee and Scan Alert that to date have not been met, or my (your) perception has been that they have not been met.
This meeting was designed as an opportunity to voice some of these expectations, and see if McAfee, in turn, believed there was any merit to them.
Surprisingly, at least as spoken, we weren't all that far apart.
While, as a naive idealist, I believe that security should come before conversions, I am also grounded enough of a realize that the most attainable goal can be a marriage of both. This premise frames my expectations of McAfee.
Can they not be more of a "thought leader" for all the Ma & Pa websites who rely on McAfee Secure, first for a higher conversion rate, then security?
Can they not hold merchants to a higher standard, without alienating them and losing business?
Can they not embrace the security research community in a fashion that McAfee, the security community, the merchants, and consumers can all benefit from?
Can they not be more transparent in their approach, providing more details and feedback about their methods, their findings, and their vision?
I know McAfee Secure - Hacker Safe scans can find vulnerabilities.
I know they report the vulnerabilities to merchants.
What happens thereafter is where things begin to break down.
Can the scan engine be improved to find more vulns? Sure. That's really not that big a deal; technology can always be improved.
But, regarding holding merchants to a higher standard; therein is the whole point of this debate.
Anyone can throw a badge on a site.
But what happens when the site proves vulnerable is the key. I'll be candid here: I don't give a damn about the merchant at that point; it's the consumer who is at risk and needs something better from McAfee and their peers.
So, here begins a different approach. I know that making changes at a company the size of McAfee can be likened to the three miles it takes to turn around an aircraft carrier. I'm willing to work with them, and allow for a positive outcome.
I have been told that, in two or three weeks, we can expect a published standard, that clearly defines exactly what the McAfee Secure product offering adheres to, inclusive of their expectations for merchant remediation timelines, potential badge downgrades for unresolved vulnerabilities, and hopefully even a more clear stance on XSS.
I have been told that I will have the opportunity to discuss this standard, and invite feedback. Any standard is better than no standard.
I have also been told that this is just the beginning of changes that will lead to more of what I have hoped for in my expectations, over the next 6 months or so.
I am hopeful that we can take McAfee at their word, and even if slowly, see a positive outcome.

del.icio.us | digg

EPTS: Proposed Event Processing Definitions, September 20, 2006

Thu, 21 Aug 2008 01:47:11 +0000

For interested readers, here are the event processing definitions we provided to the (future) EPTS working group on September 20, 2006, coordinated (edited) by David Luckham and Roy Schulte;

adaptive process management (n.) an element of resource and business process management, adaptive search and event processing. Sometimes referred to as “Level 4” event processing or process refinement.

application concept (n.) a definition of a set of properties that represent the data fields of an application entity. An application concept can describe relationships among themselves. For example, an order concept might have a parent/child relationship with an item concept. A department concept might be related to a purchase requisition concept based on the shared property, department_id. Application concepts can include an application state model.

application state modeler (n.) a UML-compliant application that allows you to model the life cycle of a concept instance — that is, for each instance of a given concept, you can define which states it will pass through and how it will transition from state to state. States have entry actions, exit actions, and conditions, providing precision control over the behavior of an event processing agent. Transitions between states also may have rules. Multiple types of states and transitions maximize the versatility and power of the application state modeler.

derived event (n.) an event that is created as a result of processing one or more other events.

complex event (n.) an event that is a situation-entity abstraction of two or more simple, derived or other complex events.

complex event processing (n.) CEP is a technology for extracting information from message-based systems. CEP is primarily an event processing concept that deals with the task of processing multiple events from an event cloud with the goal of identifying the meaningful events within the event cloud. CEP employs techniques such as detection of complex patterns of many events, event correlation and abstraction, event hierarchies, and relationships between events such as causality, membership, and timing, and event-driven processes.

event (n.) a instance of an event definition. It is an immutable object that represents a business activity that happened at a single point in time. Just as one cannot change the fact that a given activity occurred, one cannot change an event — events are immutable.

event aggregation (n.) the aggregation of simple, derived or complex events into higher levels of event abstractions.

event definition (n.) a set of properties related to a given activity that represents an important or interesting change of state in a human, system or computational activity. An event definition includes event properties such as event priority, event time to live (TTL), and a description of the payload, which is comprehensive information related to the activity that occurred. Events expire when the TTL has elapsed, unless the event processing agent has instructions to consume them prior to that time.

event channel (n.) a communications channel in which events are transmitted from event source to event receivers, typically received as electronic messages. Each channel can have multiple destination and. events can be configured to transmit to a default destination. JMS is an example of an event channel.

event cloud (n.) a partially ordered set of events (poset), either bounded or unbounded, where the partial orderings are imposed by the causal, timing and other relationships between the events. Typically an event cloud is created by the events produced by one or more distributed systems. An event cloud may contain many event types, event streams and event channels. The difference between a cloud and a stream is that there is no event relationship that totally orders the events in a cloud.

event-driven (n.) the behavior of a human, system or computational entity whose execution or actuation is in response to events, typically received as electronic messages.

event-driven architecture (n.) an architectural style for distributed computing applications in which some of the components are event-driven and communicate by means of events.

event processing (n.) computing that performs operations on events, including modifying, creating and destroying events.

event-object (n.) an software object that represents an event, generally for the purpose of computer processing, that exhibits both encapsulation, inheritance and polymorphism.

event prediction (n.) computational activity where the impact of events, complex events, and situations caused by events identified, including both opportunity or threat. Sometimes referred to as “Level 2” event processing, impact assessment or predictive analytics.

event pre-processing (n.) computational activity where events are cleansed or normalized to produce semantically understandable data. Sometimes referred to as “Level 0” event processing.

event processing (n.) computational activities on events dealing with the association, correlation, and combination of event data and information from single and multiple event sources to achieve refined identity and situation estimates for observed event objects, and to achieve complete and timely assessments of opportunities, threats, and their significance. Event processing is characterized by continuous refinements of event estimates and assessments and by evaluation of the need for additional sources, or modification of the process itself, to achieve improved results.

event processing agent (n.) an EPA is a computational entity that performs event processing.

event processing network (n.) a set of event processing agents and a set of event channels connecting them.

event properties (n.) data representation of an event, typically by name-value pairs of type string, integer, real, boolean or a complex data type.

event refinement (n.) filter, identify and track events & make initial processing decisions based on association, correlation and state estimation. Sometimes referred to as “Level 1” event, or event-object, track and trace.

event stream (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

event stream processing (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

rule (n.) defines what triggers unusual, suspicious, problematic, or advantageous activity within an event processing agent and what the EPA does when it discovers these types of activities. Rules execute actions based on certain conditions on events, instances, or a combination of both. A rule includes a group of condition-rule statements and action-rule statements. The condition statements instruct the EPA what to look for in events, and action statements instruct the EPA how to respond when conditions are met. If all the conditions in a rule are satisfied by events or instances or both, the EPA fires the actions. The action might be to execute tasks, create an event instance, modify property values in an event instance, create and send an event, or something else.

rules engine (n.) a type of event processing agent that uses a declarative programming model to process events. Formally described as “an abstract structure that describes a formal language precisely, i.e., a set of rules that mathematically delineates a (usually infinite) set of finite-length strings over a (usually finite) alphabet“. Informally, it can be any system that uses rules, in any form, that can be applied to data to produce outcomes.

rule language (n.) is an artificial language that is used to control the behavior of an event processing agent. Rules languages, like human languages, have syntactic and semantic rules to define meaning.

situation refinement (n.) identify situations, or complex events, based on event clustering, event-event relationships and relationship analysis and context. Sometimes referred to as “Level 2” event processing.

simple event (n.) an event that is not an abstraction or composition of other events.

virtual event (n.) an event that is imagined, modeled or simulated.

Note: The Emerging Technologies Engineering Team at TIBCO Software significantly contributed to these event processing terms and definitions.

UK National Risk Register

Wed, 13 Aug 2008 07:05:09 +0000

The UK has made public its previously classified National Risk Register.

The National Risk Register is intended to capture the range of emergencies that might have a major impact on all, or significant parts of, the UK. It provides a national picture of the risks we face, and is designed to complement Community Risk Registers, already produced and published locally by emergency planners. The driver for this work is the Civil Contingencies Act 2004, which also defines what we mean by emergencies, and what responsibilities are placed on emergency responders in order to prepare for them. Further information about the Act can be found on the UK Resilience website.

Seems like the greatest threat to national security is a flu pandemic.

Event Tracking Google Style

Tue, 22 Jul 2008 15:46:05 +0000

Most readers who operate a web site are familar with Google Analytics (GA). GA users add a bit of Javascript on their web pages. The Javascript has tracking code that executes when visitors request web pages. The GA tracking code basically sets or updates cookies on the user’s browser and requests a single-pixel image from the GA servers.

In the last release of the GA code, Google added Event Tracking. In Google-speak, events are actions that visitors take on a web page that do not generate new pageviews. Examples of these events are, interacting with a Flash player, a AJAX widget or an audio player. In the old GA, webbies could track event-data as a pageview. However, because event tracking using crude pageviews is not very effective, GA added new functionality they refer to as Event Tracking.

There are 4 components in the GA events data model; Objects, Actions, Labels and Values. GA Objects are areas of web pages that visitors interact with, for example a video player or an Ajax widget. The second part of the GA event tracking data model is Actions. Actions are related to an Object, representing Actions that visitors perform on the Object. Labels further describe Actions, associating context with Actions. Last, but not least, Values are quantities associated with Labels.

Notice how Google defines this event processing model as Event Tracking. Similar to the reference architecture we described in What is Complex Event Processing?, operations on single event objects are generally tracking-oriented, often referred to as Event Refinement in the art-and-science of multisensor data fusion (MSDF).

The GA event tracking model does not (yet) incorporate Situation Refinement, which in MSDF-speak, would be object-to-object processing, representing a higher level of interaction modelling.

Can you provide examples where object-to-object interaction between various objects on a single web site represents a real-world situational (complex event) model?

Taking this one step further, can you think of some examples where object-to-object interaction between various objects on different web sites represents a real-world situational model?

Complex Events are Composed of Objects Defined by States

Tue, 15 Jul 2008 02:17:30 +0000

Often you will read or hear people talking about CEP and they will define a “complex event” as an event composed of other event-objects. Caution is advised, because a complex event is more than just a simple composite or aggregation of other events.

For example, in my earlier post Modelling Situations for Event Processing, we illustrated modelling in CEP by looking at an example situation, “airplane collision”. This complex event is composed of many objects than are not event-objects. In fact, depending on how you define “event” most of the components of the complex event, “airplane collision” are not events at all, but other situations or sub-states of the objects under observation, in this case an aircraft.

For example, the direction an airplane is flying is not necessarily an “event” per se. Also, the amount of fuel on the aircraft at any given moment in time is not necessarily an “event” either. The same holds true for other components that comprise the object we are modelling. In fact, again depending on how you define “event”, most of the states of the components that are critical to processing a complex event are not events at all, they are simply object-states.

Complex events are generally composed of objects and the state of the complex event is defined by the objects in the complex event determined by the states of the components of the objects in the model.

Another way to view this key point is that CEP is characterised as predicting outcomes (states) based on the relationship between the objects in the model which are, in turn, composed of the states of various components of each of the objects.

So, in a nutshell, what is important to complex event processing is not just processing events, but processing the relative state of objects that comprise model of the complex event.

Furthermore, if you are someone who defines “event” as simply a “change of state,” stay tuned in to the blog for another discussion in a future post; because the vast amount of state changes are not events per se; they are simply changes in states which may or may not have context and meaning in complex event processing.

Having said that, a complex event can be comprised of other events, including other complex events, that is why the notion of OO modelling and programming is very important in CEP.