<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: sloppy]]></title>
    <link>http://securityratty.com/tag/sloppy</link>
    <description></description>
    <pubDate>Wed, 28 Nov 2007 12:39:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[SSO Summit Day One Morning Session]]></title>
      <link>http://securityratty.com/article/500327e2eca382c04451c330dcc1e875</link>
      <guid>http://securityratty.com/article/500327e2eca382c04451c330dcc1e875</guid>
      <description><![CDATA[I am at the SSO Summit, high in the Colorado mountains (9200 feet elevation, to be exact); the I-70 West sign is one of my favorite road signs. Ping Identity has done a great job putting this...]]></description>
      <content:encoded><![CDATA[<div>I am at the <a href="http://www.ssosummit.com/">SSO Summit</a>, high in the Colorado mountains (9200 feet elevation, to be exact); the I-70 West sign is one of my favorite road signs. <a href="http://www.pingidentity.com/">Ping Identity</a> has done a great job putting this together. It is the perfect size, around 125 people. Most of the best conferences I have been to have been around 60-150 people. There are a *lot* of enterprises involved here. </div><br><div>John Haggard, who has an extensive background in SSO and lately is at Passfaces, kicked off the sessions with an SSO history talk. Going through a lot of mainframe-centric SSO protocols from the 80s and 90s, I am no expert in these areas and it was fascinating to see the way things vacillated between strength and weakness of SSO protocols.</div><br><div>A couple of points from the presentation:</div><br><div><blockquote><p>The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.</p></blockquote></div><div><blockquote><p>SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.</p></blockquote></div><div><blockquote><p>Phishing has always been completely avoidable</p></blockquote></div><br><div>He went through the various incarnations of mainframe SSO from logon id through things like ACF2, VTAM Session managers, terminal emulators, multiplatform access to web access through facades. The implications he drew from this last step are well worth repeating: "Time to rethink everything." Problem is - of course, people don't rethink, they put MQ Series in front of the mainframe and hook a web app in front of that and go. </div><br><div>Finally, he connected some interesting dots to SAML and SOA security issues.
</div><br><div><blockquote><p>SSO without strong auth is and always will be simply nuts</p></blockquote></div><div><blockquote><p>SAML gets it right</p></blockquote></div><div>His points around common weaknesses in integration in SOA and Web 2.0 technologies for companies that are *not* using SAML were excellent. Of course, I will go into some more details on this tomorrow.</div><br><div>Ping's CTO Patrick Harding took the stage and gave an overview of the next generation of SSO options from Kerberos to present and, as is his wont, demonstrated various real-world strengths and weaknesses, quoted a Gartner analyst (shock!) saying OpenID is the hare and Cardspace is the tortoise. Nice.</div><br><div>Andrew Cameron from GM is speaking now on GM's experiences implementing SSO, and there are a lot of real-world lessons learned in his presentation. Plus my favorite identity architecture: user has Kerberos, services speak SAML. Very nice, very scalable. All in all, it's my starting point for how to do identity in an enterprise. He also spoke about a pet peeve of mine - how to globalize authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal, either for vendor lock-in reasons and/or for sloppy authorization design. This will take a Liberty-esque consortium of enterprises to resolve. </div><br><div>So many conferences are dominated by vendors and consultants who conspire to what I call the "sacred church of things YOU should be doing." Instead this conference is bringing together a great mix of real-world, in-the-trenches practitioners who have problems to solve today, with rubber-meets-the-road deployable solutions and an eye towards longer term strategy for SSO and identity.</div>]]></content:encoded>
      <pubDate>Thu, 24 Jul 2008 09:35:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sso">sso</category>
      <category domain="http://securityratty.com/tag/sso history talk">sso history talk</category>
      <category domain="http://securityratty.com/tag/sso summit">sso summit</category>
      <category domain="http://securityratty.com/tag/mainframe sso">mainframe sso</category>
      <category domain="http://securityratty.com/tag/sso options">sso options</category>
      <category domain="http://securityratty.com/tag/sso protocols">sso protocols</category>
      <category domain="http://securityratty.com/tag/real world">real world</category>
      <category domain="http://securityratty.com/tag/real world lessons">real world lessons</category>
      <category domain="http://securityratty.com/tag/authorization internal">authorization internal</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/07/sso-summit-day-one-morning-session.html">SSO Summit Day One Morning Session</source>
    </item>
    <item>
      <title><![CDATA[Share, but share insecurely?]]></title>
      <link>http://securityratty.com/article/136cba038e18c6f08a668a0a6ec44029</link>
      <guid>http://securityratty.com/article/136cba038e18c6f08a668a0a6ec44029</guid>
      <description><![CDATA[In all the hoopla about IT admins getting into your stuff , (from the recent Cyber-Ark survey) most folks might have missed this interesting nugget

Majority are sloppy at handling and exchanging...]]></description>
      <content:encoded><![CDATA[In all the hoopla about <a href="http://www.globalsecuritymag.com/Cyber-Ark-s-Survey-reveals-scandal,20080619,3638">IT admins getting into your stuff</a>, (from the recent <a href="http://www.cyber-ark.com/">Cyber-Ark</a> survey) most folks might have missed this interesting nugget...<br /><br /><span style="font-style: italic;">"Majority are sloppy at handling and exchanging sensitive data Seven out of 10 companies rely on out-dated and insecure methods to exchange sensitive data when it comes to passing it between themselves and their business partners with 35% choosing to email sensitive data, 35% sending it via a courier, 22% using FTP and 4% still relying on the postal system. This shouldn’t be any big surprise when you learn that 12% of these senior IT personnel who were interviewed also choose to send cash in the post!</span>"<br /><br />Over 70% of companies share sensitive information within and without in an insecure way! Here we are, locking down data at rest within the company. However, as it leaves the safe haven - it is sent out in the clear!<br /><br />This is where I think a more information-centric approach can help - protect the data rather than the devices and wherever the data goes, the protection follows. A bit like Mary's little lamb, if you get my drift...<div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Wed, 25 Jun 2008 08:08:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/email sensitive data">email sensitive data</category>
      <category domain="http://securityratty.com/tag/exchange sensitive data">exchange sensitive data</category>
      <category domain="http://securityratty.com/tag/sensitive data">sensitive data</category>
      <category domain="http://securityratty.com/tag/insecure">insecure</category>
      <category domain="http://securityratty.com/tag/recent cyber-ark survey">recent cyber-ark survey</category>
      <category domain="http://securityratty.com/tag/insecure methods">insecure methods</category>
      <category domain="http://securityratty.com/tag/business partners">business partners</category>
      <category domain="http://securityratty.com/tag/companies rely">companies rely</category>
      <source url="http://feeds.feedburner.com/~r/BitArmor1/~3/319671932/share-but-share-insecurely.html">Share, but share insecurely?</source>
    </item>
    <item>
      <title><![CDATA[Data thieves get focused (but buyers get sloppy)]]></title>
      <link>http://securityratty.com/article/9bdde936ee7f425e7fe1928c812f2361</link>
      <guid>http://securityratty.com/article/9bdde936ee7f425e7fe1928c812f2361</guid>
      <description><![CDATA[When it comes to online data theft, credit card numbers and bank account data are so...]]></description>
      <content:encoded><![CDATA[When it comes to online data theft, credit card numbers and bank account data are so 2007.]]></content:encoded>
      <pubDate>Tue, 17 Jun 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bank account data">bank account data</category>
      <category domain="http://securityratty.com/tag/online data theft">online data theft</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <source url="http://www.networkworld.com/news/2008/061808-data-thieves-get-focused-but.html?fsrc=rss-security">Data thieves get focused (but buyers get sloppy)</source>
    </item>
    <item>
      <title><![CDATA[Information Centric Security is dead!]]></title>
      <link>http://securityratty.com/article/dde288653b5dc334f4108a1e5ffeb8de</link>
      <guid>http://securityratty.com/article/dde288653b5dc334f4108a1e5ffeb8de</guid>
      <description><![CDATA[Ok, ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with...]]></description>
      <content:encoded><![CDATA[Ok, ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead, so I will do that with Info-Centric Security.<br /><br />So, what do I elect to replace this with? Process-centric Security.<br /><br />I think that as we get closer to Information Security Nirvana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voila, we have all the information (process, standard, information classification, user details, etc.) that we need to properly define and hence secure a process.<br /><br />If this brings back bad memories of Flowcharts and the like then maybe, just maybe, flow charts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thinking of the repercussions. The goal to get a "Fast Company" and "be more adaptable" and "beat our competitors" just made us more sloppy and insecure. It may be a good time now to reassess.<br /><br />And, by the way, Information Centric Security is not really dead... it's just part of this larger idea, just like IDS is part of IPS.]]></content:encoded>
      <pubDate>Thu, 22 May 2008 02:11:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security blogger">information security blogger</category>
      <category domain="http://securityratty.com/tag/information centric security">information centric security</category>
      <category domain="http://securityratty.com/tag/information security nivana">information security nivana</category>
      <category domain="http://securityratty.com/tag/information classification">information classification</category>
      <category domain="http://securityratty.com/tag/process-centric security">process-centric security</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/dead">dead</category>
      <category domain="http://securityratty.com/tag/define processes">define processes</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/295608709/information-centric-security-is-dead.html">Information Centric Security is dead!</source>
    </item>
    <item>
      <title><![CDATA[In Passing on DLP]]></title>
      <link>http://securityratty.com/article/3a5afe6f222c255f620d6d4fac61c5bf</link>
      <guid>http://securityratty.com/article/3a5afe6f222c255f620d6d4fac61c5bf</guid>
      <description><![CDATA[Now, I am not some world-famous DLP analyst , but it doesn't mean that I cannot have an opinion on this &quot;searing -warm&quot; :-) security concept: &quot;data leak 'prevention'&quot; or DLP (notice the double quotes...]]></description>
      <content:encoded><![CDATA[<p>Now, I am not some <a href="http://securosis.com/2008/04/17/best-practices-for-dlp-content-discovery-part-3/">world-famous DLP analyst</a>, but it doesn't mean that I cannot have an opinion on this "searing<em>-warm"</em>&nbsp; :-) security concept: "data leak 'prevention'" or DLP (notice the double quotes around prevention...)</p> <p>I admit that in the past I <a href="http://chuvakin.blogspot.com/2007/04/think-accidental-leak-prevention.html">poked jokes at DLP</a> for being "ADLP", with "A" standing for "accidental." Indeed, most of the technology approaches I've seen were "good enough" for preventing accidental leaks (e.g. Excel sheet with SSNs being emailed to an external party by mistake)&nbsp; and for preventing truly idiotic "insider" attacks of the same nature. Whether they sniffed or used desktop agents, the tools were good enough to do the above, but not much more (or, they allowed you to do more, but via a truly <em>ginormous</em> effort by your security team). And then a retarded kindergarten kid can bypass them in his sleep without working up a sweat ...</p> <p>In other words, DLP was for keeping honest (but sloppy) people honest and keeping idiots idiotic (but a bit safer). Which is, don't get me wrong, pretty darn useful: after all, overall, employee mistakes still cause more damage than hackers (!)</p> <p>However, whenever I heard about DLP, I always felt some deeper longing for more - maybe for a technology that CAN actually stop some, clearly defined classes of malicious data theft, perpetrated by non-idiots.</p> <p>What such technology might be? Well, IMHO,&nbsp; it should have three things:</p> <ol> <li><strong>Easy on the end user (=information owner)</strong> - thus no manual information tagging needed (don't you know, <a href="http://securosis.com/2008/04/23/data-classification-is-dead/">it's dead</a>!)</li>
<li><strong>Easy on the tool operator (=security team)</strong> - thus no super-granular policy-writing&nbsp; needed (and please - spare me the regexes!)</li> <li><strong>Effective enough to stop malicious insider</strong> of reasonable skill&nbsp; over specific information channels - thus, some new technology for accurate detection of possibly modified documents across channels (e.g. common network)</li></ol> <p>Tough to match? Yup, it sure is. But that's not all: I'd like it to defend against theft of&nbsp; structured, unstructured and <em>structured-&gt;unstructured</em> (e.g. database contents pasted to email!) information over just about any network channel (not device theft and not USB/portable device download - these are a different story).&nbsp; What's more, I think that to enable #3 above the DLP "box" needs to actually understand <em>what the document is about</em> and to do it in a human-like fashion (Yes, including <em>rephrased</em> (!) content. Yes, I am picky :-)).</p> <p>The above clearly does NOT mean that the technology is&nbsp; not bypassable - there is always an encrypted zip file and gpg, custom encrypted network protocols, or even a screenshot emailed, etc (not even going to device theft, USB xfers or camera phone + screenshot + MMS). It just means that it takes DLP a few big notches up from "anti-retard defense"&nbsp; to blocking a malicious and dedicated non-IT employee from stealing the crown jewels.</p> <p>And, if one is trying to be honest about DLP, he needs to define what is out of scope (after all, only narrowly defined problems are actually solvable in this space, not "our MagicBox&nbsp; 6.1 will block ALL data theft," which is absurd - if you believe that, you need your head examined).</p> <p>I was pretty shocked to learn that something like this actually exists today: the next wave of DLP start-ups is about to emerge.
For example, <a href="http://www.nextiernetworks.com/">NexTierNetworks</a> can detect information traces even in modified and heavily edited documents (I would like to try rephrasing as well; I suspect it will work!). When I saw a demo I was pretty impressed that you can get a financial document, change a few things here and there, paste it to email - and the system will still stop it by saying "uh-uh, this is sensitive info, no can do" :-) Mind you, this is not what current DLP vendors call "fingerprinting," since it actually uses what the document is about i.e. works on a - <em>hate the word!</em> - semantic or meaning level. So, DLP + a bit of NLP (<em>the other</em> NLP) = magic :-)</p> <p>As a disclosure, I have to say that I just joined their Advisory Board, but, as you can guess, I joined because I am impressed (not "impressed because I joined!" :-))</p> <div class="wlWriterSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:5d49e280-6ee2-4817-b9ad-d21c7605fc15" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px">Technorati tags: <a href="http://technorati.com/tags/security" rel="tag">security</a>, <a href="http://technorati.com/tags/DLP" rel="tag">DLP</a>, <a href="http://technorati.com/tags/new%20technology" rel="tag">new technology</a></div>  <div class="blogger-post-footer">About me: http://www.chuvakin.org</div><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Fri, 16 May 2008 15:08:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dlp">dlp</category>
      <category domain="http://securityratty.com/tag/data theft">data theft</category>
      <category domain="http://securityratty.com/tag/malicious data theft">malicious data theft</category>
      <category domain="http://securityratty.com/tag/dlp start-ups">dlp start-ups</category>
      <category domain="http://securityratty.com/tag/theft">theft</category>
      <category domain="http://securityratty.com/tag/world-famous dlp analyst">world-famous dlp analyst</category>
      <category domain="http://securityratty.com/tag/manual information">manual information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/takes dlp">takes dlp</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/292031373/in-passing-on-dlp.html">In Passing on DLP</source>
    </item>
    <item>
      <title><![CDATA[Risk Preferences in Chimpanzees and Bonobos]]></title>
      <link>http://securityratty.com/article/59e230c217d7a124054cfb3063e70b9d</link>
      <guid>http://securityratty.com/article/59e230c217d7a124054cfb3063e70b9d</guid>
      <description><![CDATA[I've already written about prospect theory, which explains how people approach risk. People tend to be risk averse when it comes to gains, and risk seeking when it comes to losses: Evolutionarily,...]]></description>
      <content:encoded><![CDATA[<p>I've <a href="http://www.schneier.com/essay-155.html">already written</a> about prospect theory, which explains how people approach risk.  People tend to be risk averse when it comes to gains, and risk seeking when it comes to losses:</p>

<blockquote><p>Evolutionarily, presumably it is a better survival strategy to -- all other things being equal, of course -- accept small gains rather than risking them for larger ones, and risk larger losses rather than accepting smaller losses. Lions chase young or wounded wildebeest because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow.</p>

<p>Similarly, it is evolutionarily better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor's edge between starvation and reproduction, any loss of food -- whether small or large -- can be equally bad. That is, both can result in death. If that's true, the best option is to risk everything for the chance at no loss at all.</p></blockquote>

<p>This behavior has been demonstrated in animals as well: "species of insects, birds and mammals range from risk neutral to risk averse when making decisions about amounts of food, but are risk seeking towards delays in receiving food."</p>

<p>A <a href="http://journals.royalsociety.org/content/hj235725w4pp2872/?p=dca3144c481b44358c2fed990c973bc4&pi=5">recent study</a> examines the relative risk preferences in two closely related species: chimpanzees and bonobos.</p>

<blockquote><p>Abstract</p>

<p>Human and non-human animals tend to avoid risky prospects. If such patterns of economic choice are adaptive, risk preferences should reflect the typical decision-making environments faced by organisms. However, this approach has not been widely used to examine the risk sensitivity in closely related species with different ecologies. Here, we experimentally examined risk-sensitive behaviour in chimpanzees (Pan troglodytes) and bonobos (Pan paniscus), closely related species whose distinct ecologies are thought to be the major selective force shaping their unique behavioural repertoires. Because chimpanzees exploit riskier food sources in the wild, we predicted that they would exhibit greater tolerance for risk in choices about food. Results confirmed this prediction: chimpanzees significantly preferred the risky option, whereas bonobos preferred the fixed option. These results provide a relatively rare example of risk-prone behaviour in the context of gains and show how ecological pressures can sculpt economic decision making.</p></blockquote>

<p>The basic argument is that in the natural environment of the chimpanzee, if you don't take risks you don't get any of the high-value rewards (e.g., monkey meat).  Bonobos "rely more heavily than chimpanzees on terrestrial herbaceous vegetation, a more temporally and spatially consistent food source."  So chimpanzees are less likely to avoid taking risks -- as most species are.</p>

<p>Fascinating stuff, but there are at least two problems with this study.  The first one, the researchers explain in their paper.  The animals studied -- five of each species -- were from the Wolfgang Koehler Primate Research Center at the Leipzig Zoo, and the experimenters were unable to rule out differences in the "experiences, cultures and conditions of the two specific groups tested here."</p>

<p>The second problem is more general: we know very little about the life of bonobos in the wild.  There are a lot of popular stereotypes about bonobos, but they're <a href="http://www.newyorker.com/reporting/2007/07/30/070730fa_fact_parker">sloppy at best</a>.</p>

<p>Even so, I like seeing this kind of research.</p><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Thu, 17 Apr 2008 02:20:51 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk preferences">risk preferences</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/relative risk preferences">relative risk preferences</category>
      <category domain="http://securityratty.com/tag/risk-prone behaviour">risk-prone behaviour</category>
      <category domain="http://securityratty.com/tag/approach">approach</category>
      <category domain="http://securityratty.com/tag/people approach risk">people approach risk</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/losses">losses</category>
      <category domain="http://securityratty.com/tag/risk larger losses">risk larger losses</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/risk_preference.html">Risk Preferences in Chimpanzees and Bonobos</source>
    </item>
    <item>
      <title><![CDATA[Sensitive Milwaukee County information posted to Web]]></title>
      <link>http://securityratty.com/article/9a37ae356f5cfbd90131b6d98ca62b4a</link>
      <guid>http://securityratty.com/article/9a37ae356f5cfbd90131b6d98ca62b4a</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/11/08

Organization
Milwaukee County (Wisconsin, USA)

Contractor/Consultant/Branch
Citizens for Responsible Government Network

Victims
Persons...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/milwaukee.jpg" align="right" height="51" width="181"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/11/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.milwaukeecounty.org/" target="_blank"> Milwaukee County (Wisconsin, USA)</a><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.crgnetwork.com/" target="_blank"> Citizens for Responsible Government Network</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Persons <span style="font-style: italic;">involved</span> with the county<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"patient and legal records"<br><br><span style="font-weight: bold;">Breach Description:</span><br>Milwaukee County officials released a copy of their "county spending database" to the activist group Citizens for Responsible Government Network that contained sensitive personal information belonging to various persons who had contact with the county.&nbsp; Citizens for Responsible Government Network agreed to remove the confidential information at the request of county officials, but the information had been posted for as many as six (6) days.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.jsonline.com/story/index.aspx?id=716850" target="_blank"> Milwaukee Journal Sentinel story</a> <br><a href="http://www.upi.com/NewsTrack/Top_News/2008/02/11/court_records_released_on_public_web_site/2277/" target="_blank"> United Press International story</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Milwaukee Journal Sentinel<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Citizens for Responsible Government Network agreed to dump descriptions from some 6,900 bills that county 
officials feared included names of people who had court-ordered psychiatric exams, other patient service information and guardianship case details.<br><br>The information had been displayed on the group's Web site for six days, after CRG obtained a database on all county spending for the last two years.<br><br>CRG pulled a few hundred descriptions on court spending from its Web site over the weekend, after county Clerk of Court John Barrett complained about the release.<br><br>The group on Monday trashed thousands more county records CRG had displayed that came from the Sheriff's Department, the House of Correction, the district attorney's office, the Department of Health and Human Services, the Personnel Review Board and the Division of Economic and Community Development.<br><br>The county will supply the group with an edited version of the same county spending database, after department heads get a chance to better scrutinize the records, said Cynthia Archer, acting director of the county's Department of Administrative Services.<br><br>On Monday, Archer said she "questioned the wisdom" of Barrett's office forwarding confidential information included in its vendor database in response to a public record request by the group.<br><span style="font-style: italic;">[Evan] What wisdom?</span><br><br>County Executive Scott Walker said he had not heard of any complaints from anyone whose confidential information was placed on the Internet for nearly a week.<br><br>Barrett said he was happy the records that identified court-ordered psychiatric exams and guardianship details were removed from the site but still worried about whether they had been found by any browsers. 
That type of information is generally confidential.<br><span style="font-style: italic;">[Evan] I am not sure if this information was indexable by the various search engines, but it should definitely be explored and attended to, if necessary.</span><br><br>"Now I have to concern myself with whether we can put the toothpaste back into the tube," Barrett said.<br><span style="font-style: italic;">[Evan] This is an excellent analogy.&nbsp; Once information (toothpaste) is disclosed, it is very difficult if not impossible to re-secure it (put it back in the tube).</span><br><br><span style="font-weight: bold;">Commentary:</span><br>The database is back up (without the confidential information, it appears) here: <a href="http://milwaukeecounty.headquarters.com/search_mke.aspx" target="_blank">milwaukeecounty.headquarters.com/search_mke.aspx</a><br><br>It was a really poor decision to send information without looking at it or considering sensitivity issues.&nbsp; I bet they wish they had a "do over".<br><br><span style="font-weight: bold;">ACLU ALERT:</span><br>Chris Ahmuty, executive director of the American Civil Liberties Union of Wisconsin, said the county's sloppy handling of confidential information could expose it to a lawsuit for invasion of privacy.<br><span style="font-style: italic;">[Evan] We need more lawsuits like we need a hole in the head.</span><br><br>"It seems like careless disrespect for the rights of individuals receiving service from the county," Ahmuty said. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Wed, 13 Feb 2008 14:06:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/milwaukee county">milwaukee county</category>
      <category domain="http://securityratty.com/tag/milwaukee county officials">milwaukee county officials</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/county">county</category>
      <category domain="http://securityratty.com/tag/county officials">county officials</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/county clerk">county clerk</category>
      <category domain="http://securityratty.com/tag/county records crg">county records crg</category>
      <source url="http://breachblog.com/2008/02/13/milwaukee.aspx">Sensitive Milwaukee County information posted to Web</source>
    </item>
    <item>
      <title><![CDATA[New survey: Consumers plan to sharply limit use of cards (AKA, have we awakened a sleeping giant?)]]></title>
      <link>http://securityratty.com/article/1404b6993746213bac46b1eb113903d8</link>
      <guid>http://securityratty.com/article/1404b6993746213bac46b1eb113903d8</guid>
      <description><![CDATA[We have heard it all over customers do not seem to be concerned about retailers mismanaging their data. They still spend money in those stores. It does not impact retailer revenue or stock price. So,...]]></description>
      <content:encoded><![CDATA[We have heard it all over – customers do not seem to be concerned about retailers mismanaging their data. They still spend money in those stores. It does not impact retailer revenue or stock price. So, let us not worry about it too much.<br />Wrong. I believe it is just a matter of time before consumers understand the issue and become intolerant of sloppy data protection. And maybe that time has come. The <a href="http://www.cbsnews.com/stories/2007/11/21/60minutes/main3530302.shtml">recent story on “60 Minutes”</a> is shining a light on the issue and is an indicator of rising consumer awareness.<br />Coincidentally, we at <a href="http://www.bitarmor.com/">BitArmor</a>, in partnership with several local TV news departments, conducted a survey over the Black Friday weekend (400 respondents) on this very issue. The results are significant, if not surprising:<br />· Three out of four consumers are concerned about companies not adequately protecting their data;<br />· Two-thirds of consumers plan to use their credit card for less than 25% of their holiday purchases;<br />· Only around 2% say they will continue shopping at a retailer they have heard does not do a good job of protecting data;<br />· More than 40% have had their identity stolen or know of someone who has;<br />· 75% of respondents say they would warn friends and family if they knew a store where they shopped wasn’t adequately protecting their data, 33% would sign up for credit monitoring and around 70% say they would be more careful while using their cards.<br />This should serve as a huge wakeup call to any company that works with sensitive payment card data; their customers are seeing what’s going on, and they don’t like it. Shoppers are increasingly concerned about what’s happening to their data. 
It’s reflected in fewer people using their credit cards, and it’s reflected in them saying they’ll shop at other stores if they don’t feel their personal information is being adequately protected. It seems we have awakened a sleeping giant…consumers who are spreading the word among friends and families about whom they consider to be “poor” retailers (from the data protection point of view).<br />I’ve talked with some analysts who reject the notion that things will ever change. They say that consumers talk a good game, but don’t change their actual buying habits. Perhaps…but when “60 Minutes” starts referring to TJX by name, and calling its security efforts “outdated” and “obsolete,” I have to believe that a lot of shoppers will think twice before using their credit cards there right away. <a href="http://www.cnet.com/defensive-computing/8301-13554_1-9822842-33.html">(And apparently Michael Horowitz at CNET agrees with me.)</a><br />All this points to the importance of securing customer data and making sure the right policies are in place. Is that enough? Maybe, but to increase customer confidence, retailers will have to work just as hard at protecting their brand and increasing the perception of trust.]]></content:encoded>
      <pubDate>Wed, 28 Nov 2007 12:39:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/customer data">customer data</category>
      <category domain="http://securityratty.com/tag/cards">cards</category>
      <category domain="http://securityratty.com/tag/sloppy data protection">sloppy data protection</category>
      <category domain="http://securityratty.com/tag/consumers">consumers</category>
      <category domain="http://securityratty.com/tag/data protection">data protection</category>
      <category domain="http://securityratty.com/tag/consumers plan">consumers plan</category>
      <category domain="http://securityratty.com/tag/credit cards">credit cards</category>
      <category domain="http://securityratty.com/tag/credit">credit</category>
      <source url="http://feeds.feedburner.com/~r/BitArmor1/~3/191896743/awakening.html">New survey: Consumers plan to sharply limit use of cards (AKA, have we awakened a sleeping giant?)</source>
    </item>
  </channel>
</rss>
