[SecurityRatty] tag: sign

Will Passwords Become Obsolete?

Fri, 15 Aug 2008 09:46:48 +0000

I can’t keep track of how many different passwords I have, although I know it’s not nearly enough — I tend to be lazy like most people and re-use the same passwords for many different accounts.
But here’s a new idea — what if passwords for online accounts were replaced entirely by cryptographic keys that sat on our desktops like icons, and functioned in the background, so we wouldn’t need to remember a string of letters or numbers?

An interesting blog post this morning discusses the obstacles and implications of this kind of technology, in part quoting a recent New York Times article —

In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.

An obstacle to this kind of system are the current initiatives toward Open ID and single-sign on services, strategies that are backed by large industry players such as the Equifax, Google, Novell, Microsoft, Oracle, etc. In the open ID system, you would log in to a session on the web with one password, which would be accepted by any application/account supporting the open ID infrastructure.

To me Open ID sounds like a step backwards, toward less security…
then again, I would think that encrypting everything could also make your system run significantly slower, and that it wouldn’t prevent all the risks either…

Experts Accuse Bush Administration of Foot-Dragging on DNS Security Hole

Wed, 13 Aug 2008 15:45:00 +0000

The internet remains vulnerable to a spoofing attack recently discovered by security expert Dan Kaminsky. The only real solution is to digitally sign the DNS root zone, but security experts say politics in the Department of Commerce are slowing the effort and endangering the trustworthiness of the net.

One security implementer shares his single sign-on best practices

Tue, 12 Aug 2008 20:00:00 +0000

At the recent SSO Summit I moderated a panel of single sign-on implementers. One of them, Christopher Paidhrin HIPAA & IT security officer for ACS Healthcare Solutions, was kind enough to let me share with you his "best practices" list which he calls: "To Do & Not To Do: SSO implementation lessons learned."

Privacy group: Identity-theft monitoring service a waste

Tue, 29 Jul 2008 20:00:00 +0000

Consumers who sign up for identity-theft monitoring services may be getting a lot less protection against some common types of fraud than they assume they are, according to an online guide released Monday by the Privacy Rights Clearinghouse (PRC).

Easy Google Income

Tue, 29 Jul 2008 13:58:49 +0000

Here's an interesting piece of spam trying to cash in on the Google name that could wind up being quite costly for anyone willing to take a chance and see what it's all about. This was sent to one of my friends:

Click to Enlarge

Is it a good thing or a bad thing that the office is based in the West Indies and to unsubscribe your email goes to Romania? At any rate, they don't seem to want my patronage - unfortunately, I'm not particularly interested in free iPods or a Nintendo Wii so a few clicks later and I'm where I should be:

Click to Enlarge

At the bottom of the page, it says "Google does not sponsor, endorse, and is no way affiliated with Easy Net Income or this promotion."

Well, they could have fooled me what with all the Google material they've splashed across the site. The quote in the box is interesting, too: "Riches range from a few hundred dollars a month to $50,000 or more a year".

Go hunting on USA Today though, and the quote doesn't have anything to do with something called "Easy Google Income" - it's to do with Adsense. Bits missing have been reinserted and bolded:

"Tales of AdSense riches range from a few hundred dollars a month to $50,000 or more a year, though high-dollar paydays are rare. They require a Web site with tons of traffic and the ability to put in 18-hour days working the system.

I think the missing parts are kind of important, don't you? Of course, the CD title clearly makes you think you're going to get some mysterious money magnet, but stops short of telling you whether it would be a program, ebook or magical leprechaun.

In fact, what happens is you apparently sign up for the CD at the cost of subscribing yourself to some kind of "free trial" - at the end of which, you have to pay $39.90 a month for access to training courses to "Internet Wealth University" (I swear I'm not making this up). There's also an "activation fee" charged immediately to the card you subscribe with, though I'm guessing you only enter your details once you've entered your name / address and moved onto the second page (which I'm not about to do, in case you were wondering).

Internet Wealth University must have an awful lot of poor students, going by the problems people are having unsubscribing.

"When you try to call the company, you get an automated answering system that tells you all representatives are busy and then puts you on hold-forever, or they disconnect you after 5 minutes!"

Indeed, there's quite a lot of people wondering what this is all about, including the inevitable concern over billing issues.

Our advice? Steer well clear. There is a lot of money up for grabs here, but it's all being netted by the people running these websites. Their customers don't appear to be so lucky...

Reminder: WebEx Seminar on Risk Analysis

Tue, 29 Jul 2008 13:56:58 +0000

Hey everybody! Quick post this morning to remind you guys that Cisco has been kind enough to let us give a follow on WebEx presentation on July 31, 2008 at 11:30 a.m. EDT. The link to sign up is <<>>. There are only about 40 slots left. It looks like it’s going to be a good crowd.

We’re calling this part II - and it’s being advertised as:

“How to conduct a risk analysis and produce a high impact deliverable to senior management.”

With topics:

The life-cycle of a quantitative risk analysis
Key control opportunities against targeted attacks
Getting senior management to understand the risk posed to the business

I got to do the Q&A backchannel on the last presentation, and there were great questions asked. I think this presentation will be even more exciting, as it’ll cover both analyst and management considerations.

If you’re a regular reader of the blog, I don’t think you’ll have to have attended the last one for this one to be worth your while.

REPEAT PERFORMANCES OF THE FIRST WEBEX ARE AVAILABLE

And if you missed it the first time, the playback of the first preso is here, and the slides are here.

SSO Summit Day One Morning Session

Thu, 24 Jul 2008 09:35:02 +0000

I am at the SSO Summit, high in the Colorado mountains (9200 feet elevation to be exact), the I-70 West sign is one of my favorite road signs. Ping Identity has done a great job putting this together. It is the perfect size around 125 people. Most of the best conferences I have been to have been around 60-150 people. There are a *lot* of enterprises involved here.

John Haggard who has an extensive background in SSO and lately is at Passfaces kicked off the sessions with a SSO history talk. Going through a lot of mainframe centric SSO protocols from the 80s and 90s, I am no expert in these areas and it was fascinating to see the way things vacillated between strength and weakness of SSO protocols.

A couple of points from the presentation:

The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.

SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.

Phishing has always been completely avoidable

He went through the various incarnations of mainframe SSO from logon id through things like ACF2, VTAM Session managers, terminal emulators, multiplatform access to web access through facades. The implication he drew from this last step are well worth repeating: "Time to rethink everything." Problem is - of course, people don't rethink, they put MQ Series in front of the mainframe and hook a web app in front of that and go.

Finally, he connected some interesting dots to SAML and SOA security issues.

SSO without strong auth is and always will be simply nuts

SAML gets its right

His points around common weaknesses in integration in SOA and Web 2.0 technologies for companies that are *not* using SAML were excellent. Of course, I will go into some more details on this tomorrow.

Ping's CTO Patrick Harding took the stage and gave an overview of the next generation of SSO options from Kerberos to present and as is his wont demonstrated various real world strengths and weaknesses, quoted a Gartner analyst (shock!) saying OpenID is the hare and Cardspace is the tortoise. Nice.

Andrew Cameron from GM is speaking now on GM's experiences implementing SSO, and there are a lot of real world lessons learned in his presentation. Plus my favorite identity architecture, user has Kerberos, services speak SAML. very nice, very scalable. All in all, its my starting point for how to identity in an enterprise. He also spoke about a pet peeve of mine - how to globalize authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal either for vendor lock in reasons and/or for sloppy authorization design. This will take a LIberty-esque consortium of enterprises to resolve.

So many conferences are dominated by vendors and consultants who conspire to what I call the "sacred church of things YOU should be doing." Instead this conference is bringing together a great mix of real world in the trenches practitioners who have problems to solve today, with rubber meets the road deployable solutions and an eye towards longer term strategy for SSO and identity.

The Not-So-Sweet Life of Supplicants

Wed, 23 Jul 2008 11:23:00 +0000

There are plenty of integration and configuration challenges when we look at 802.1X, but one of the most notable issues is choosing the right supplicant to best serve your end users.

Some of the major obstacles we face with 802.1X center around creating a smooth end user experience. We, as integrators, have the distinct ability to make ‘whatever’ work- we find a way. But, what I hear most from my customers is “it has to be easy for the end user.” (Sometimes they go on a little further, but I’ll leave it at that.)

Why does it matter?

Wireless, wireless, wireless. Although wired 1X is popular with our customer-base, the world isn’t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It’s standard, it’s flexible, it’s widely-supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It’s what most enterprises, government and educational organizations are implementing now, so it’s important.

What are some of the problems?

The end user will have some adjustments to make, and network admins and support desks aren’t always thrilled with the propect of re-training users for these expectations.

First of all, the time to authenticate and connect to the network is going to drastically increase. I say drastically- it’s only a few seconds- but I’m sure it feels like minutes to a new 1X end user.
In addition, we’re in a transition and growing period where we’re trying to integrate and authenticate multiple pieces- the machine and/or user as well as any other clients residing on the endpoint, so there can be single-sign-on issues. Not SSO in the traditional sense, but single-1X-sign-on vs logging in to authenticate and open the port, logging in again to get to network resources (such as Novell).
There may also be issues supporting multiple profiles, so end users may need to understand the concept of enabling 802.1X on an interface at their office, then disabling it when they go home.
Or perhaps, in a shared or lab-type environment, we may have multiple unique users logging in to the same endpoint device, so we have to make it easy for end users to log off so there’s a forced re-auth for the next user.

There are plenty more, but this hits on the major concerns of most organizations planning to implement 802.1X (wired or wireless).

How do we address the issues?

There are different ways to deal with the complexity of supplicant and end-user interactions. First and foremost, a good end user training program will be needed. There’s a learning curve, but eventually end users will get it- we just have to make sure the transition for ‘now’ to ‘got it’ is smooth and doesn’t overwhelm help desk resources.

As the operating systems and clients progress, we’re seeing more integration and the ability to share 802.1X information between disparate pieces of the endpoint.

In the meantime, there are also 3rd-party supplicants that can ease several of the pains. Cisco’s Secure Services Client (acquired from Meetinghouse’s Aegis supplicant) and Juniper’s Odyssey Access Client (acquired from Funk) both offer options and configurations not currently available in native OS supplicants. (For example, both offer the GINA shim for integrating Windows 1X login with Novell as well as multiple profile support.) Although I haven’t tried it, my understanding is you can still operate both of these clients independent of the controllers provided from the same vendor.

Is it a deal-killer?

It can be. The struggle to provide a smooth transition for end users is often a deal-killer for organizations looking at deploying 802.1X. Although there are ways to combat most of these obstacles; often the time, planning and money required to proceed make it unattractive enough to abandon the project. In most cases, the more heterogeneous the endpoint environment is, the less attractive the solution becomes. In an all-Microsoft environment, you can have an 802.1X framework up in a matter of hours. With a mix of authentication directories, endpoint OSs and user expectations, you could spend weeks or months ironing out the details.

The good news.

Yes, there’s some good news here. The increased adoption of 802.1X is continually leading to increased integration of the software, operating systems and clients on endpoints. While 802.1X may never reach ‘plug-and-play’ status, pretty soon the integration will reach a point where configuration is simplified enough for more wide-spread adoption, even in the most diverse environments.

Just hang tight, we’ll get there!

# # #

Phila. Network Use Skyrockets while Free

Mon, 21 Jul 2008 15:32:31 +0000

No surprise that more people use a free network than one that charges: However, the strategy of Network Acquisition Corp. (someday to be renamed) is to create a best-efforts Wi-Fi network that will be subsidized through their other business and residential offerings. So the 17,000 daily users now versus 6,000 EarthLink subscribers as of last month seem like a good sign of interest.

The network hasn't been revamped yet to focus on more complete outdoor coverage, but that should start happening soon, the company told Metro Philadelphia.

Game Controllers Driving Drones, Nukes

Sun, 20 Jul 2008 17:30:00 +0000

War is getting more like a videogame, as hardware and software from the gaming industry is increasingly being adopted for military use. The latest sign of this appeared at the Farnborough air show this week, where arms-maker Raytheon showed off its new Universal Control System for robotic aicraft.