<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: transactional]]></title>
    <link>http://securityratty.com/tag/transactional</link>
    <description></description>
    <pubDate>Wed, 26 Mar 2008 03:02:18 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Secure the Heritage]]></title>
      <link>http://securityratty.com/article/8668f879b50766c462698a5a80513650</link>
      <guid>http://securityratty.com/article/8668f879b50766c462698a5a80513650</guid>
      <description><![CDATA[Good post by Scott Stender on using the SDL on legacy code (ht Andy); it is always refreshing to see security pros talk about real world tradeoffs. I would also add the following

1. What most people...]]></description>
      <content:encoded><![CDATA[<p>Good <a href="http://blogs.msdn.com/sdl/archive/2008/10/27/applying-sdl-principles-to-legacy-code.aspx">post</a> by Scott Stender on using the SDL on legacy code (ht <a href="http://securityretentive.blogspot.com/">Andy</a>); it is always refreshing to see security pros talk about real world tradeoffs. I would also add the following:</p><br /><div>1. What most people call &quot;legacy&quot; systems should be called &quot;heritage&quot; systems. Legacy has a negative connotation. Most places I go, the &quot;legacy&quot; is the reason why people get paid and what actually runs the business. I think it&#39;s more respectful to call them heritage systems a la <a href="http://www.amazon.com/Enterprise-SOA-Service-Oriented-Architecture-Practices/dp/0131465759">Krafzig, Banke, and Slama.</a></div><div><span style="line-height: normal; font-size: 13px; font-family: &#39;Trebuchet MS&#39;; "><br />2. Most heritage systems have almost no security mechanisms whatsoever. They were designed for benign environments. Most mainframes have no encryption. You talk to a mainframe over MQ Series, yet MQ Series literally has no access control. This is the transactional backbone of 499 of the Fortune 500 we are talking about. You still with me? Good. So writing security requirements is important, but you are not going to have anywhere near the security architecture capabilities that you are used to.<br /><br />3. So one *big* thing to consider with heritage is - don&#39;t connect your heritage to hostile environments at all; use an ESB to connect indirectly and/or replicate out to data caches. So the heritage publishes data and subscribes to data, but is not in any way connected to a world it was never designed to deal with. Of course this doesn&#39;t always work either, but it is something to consider. 
The starting point should not be &quot;how do I connect the heritage to the web?&quot;; the starting point should be &quot;how do I share resources and functionality on my heritage with the web?&quot; Again, often you do have to connect, but sometimes not.</span><br /><div>&#0160;</div><div>Whenever I read something from iSec it is generally thought provoking because they have worked on a lot of interesting stuff. How do we get these folks to blog more?</div></div>]]></content:encoded>
      <pubDate>Mon, 27 Oct 2008 18:26:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/heritage">heritage</category>
      <category domain="http://securityratty.com/tag/heritage systems">heritage systems</category>
      <category domain="http://securityratty.com/tag/heritage publishes data">heritage publishes data</category>
      <category domain="http://securityratty.com/tag/systems">systems</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/connect indirectly andor">connect indirectly andor</category>
      <category domain="http://securityratty.com/tag/connect">connect</category>
      <category domain="http://securityratty.com/tag/legacy">legacy</category>
      <category domain="http://securityratty.com/tag/legacy code">legacy code</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/10/secure-the-heritage.html">Secure the Heritage</source>
    </item>
    <item>
      <title><![CDATA[Transactional Confidentiality in Sensor Networks]]></title>
      <link>http://securityratty.com/article/9de83ed8f8d1e037bc190d20c658d35a</link>
      <guid>http://securityratty.com/article/9de83ed8f8d1e037bc190d20c658d35a</guid>
      <description><![CDATA[In a sensor network environment, elements such as message rate, message size, mote frequency, and message routing can reveal transactional data, that is, information about the sensors deployed,...]]></description>
      <content:encoded><![CDATA[In a sensor network environment, elements such as message rate, message size, mote frequency, and message routing can reveal transactional data—that is, information about the sensors deployed, frequency of events monitored, network topology, parties deploying the network, and location of subjects and objects moving through the networked space. Whereas the confidentiality of network communications content is secured through encryption and authentication techniques, the ability of network outsiders and insiders to observe transactional data can also compromise network confidentiality. Four types of transactional data are typically observable in sensor networks. Measures to limit the availability and utility of transactional data are essential to preserving confidentiality in sensor networks.]]></content:encoded>
      <pubDate>Thu, 31 Jul 2008 09:30:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/confidentiality">confidentiality</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/sensor network environment">sensor network environment</category>
      <category domain="http://securityratty.com/tag/network outsiders">network outsiders</category>
      <category domain="http://securityratty.com/tag/compromise network confidentiality">compromise network confidentiality</category>
      <category domain="http://securityratty.com/tag/network topology">network topology</category>
      <category domain="http://securityratty.com/tag/sensor networks">sensor networks</category>
      <category domain="http://securityratty.com/tag/transactional data">transactional data</category>
      <category domain="http://securityratty.com/tag/observe transactional data">observe transactional data</category>
      <source url="http://www.pheedo.com/click.phdo?i=663d5f366b38b596171e88bc9c72cc01">Transactional Confidentiality in Sensor Networks</source>
    </item>
    <item>
      <title><![CDATA[The Network Firewall is a Consensual Hallucination]]></title>
      <link>http://securityratty.com/article/c05f6f72f82ab4c25ddc9c804d1973ec</link>
      <guid>http://securityratty.com/article/c05f6f72f82ab4c25ddc9c804d1973ec</guid>
      <description><![CDATA[James McGovern asks why we don't see enterprisey folks focusing on SOA *and* security? Well, there are a lot of reasons here, but let's look at some facts. Most enterprisey folks look at security in...]]></description>
      <content:encoded><![CDATA[<p>James McGovern <a href="http://duckdown.blogspot.com/2008/07/how-come-enterprise-architects-are.html">asks</a> why we don't see enterprisey folks focusing on SOA *and* security? Well, there are a lot of reasons here, but let's look at some facts. Most enterprisey folks look at security in binary terms - inside the firewall or outside the firewall. When a transaction is "inside the firewall" they can do silly things like load all their transactions onto something like MQ Series with no authentication, send it to the mainframe which runs their entire book of business, and in essence run their transactional backbone on anonymous FTP. Because it's "inside the firewall".</p><br><div>Problem is - it's just a Visio drawing, it's not reality, it's historical baggage. We were trained to think about things in these terms in the 90s.</div><br><div><a style="display: inline;" href="http://1raindrop.typepad.com/.a/6a00d83451c75869e200e553a923008833-pi"><img  class="at-xid-6a00d83451c75869e200e553a923008833 selected " alt="Goodstuffbadstuff" src="http://1raindrop.typepad.com/.a/6a00d83451c75869e200e553a923008833-320pi" title="Goodstuffbadstuff"></a>
<br></div><br><div>But the business and software worlds have changed a bit from the early 90s, even if security tooling hasn't.</div><br>
<p><br>
<a href="http://1raindrop.typepad.com/photos/uncategorized/2008/05/19/innovatecompare_2.png"><img  alt="Innovatecompare_2" title="Innovatecompare_2" src="http://1raindrop.typepad.com/1_raindrop/images/2008/05/19/innovatecompare_2.png" width="300" height="167" border="0"></a></p>
<div>If you sent an alien from outer space to observe what an enterprise looks like today, and asked that alien to file an objective report as to the actual connections and message exchanges, it wouldn't look like the idyllic, clear separation of good stuff from bad stuff; it would look like this:</div><br><br><p><a href="http://1raindrop.typepad.com/photos/uncategorized/thenetwork.jpg"><img  class="image-full " alt="Thenetwork" title="Thenetwork" src="http://1raindrop.typepad.com/photos/uncategorized/thenetwork.jpg" border="0"></a></p><br><div>There is no firewall in any meaningful sense; there are links, federations, communities of interest, business units, integration points, outsourcing arrangements, business processes. In short, there is information and commerce in all its messy vitality. </div><br><div>Inside the firewall and outside the firewall is not a security architecture; it's historical <a href="http://en.wikipedia.org/wiki/Cruft">cruft</a>, a Victorian, industrial age artifact that snuck into your Visio, not something that protects your business's applications and data.</div><br><div>If you want to let the world access your mainframe, SAP, Siebel, or whatever so they can buy things from you, that is probably a really good idea. But don't assume that RACF or what have you came down on stone tablets from Moses. Just because your transaction is "inside the firewall" doesn't mean that your security model can only focus on resources and objects in isolation. It has to focus on how your business just broke everything apart and then re-connected everything. The subjects are different, the sessions are different, and the transactions are different. Just because the objects and resources are the same and are "inside the firewall" means little when all the context and all the relationships are different.</div><br><div>The world is not firewalled, it's federated. 
Just because it's convenient for enterprisey folks to buy into the same hallucination doesn't make it reality.</div><br><div>Next week, I am speaking at <a href="http://www.ssosummit.com/program/Agenda-at-a-Glance.cfm">Ping's SSO Summit</a> on Web Services SSO, basically everything that happens after you press <span style="font-family: Arial; line-height: normal; ">"SUBMIT" on a website. Your data has a journey as dangerous as Frodo Baggins' travels through Mordor. The talk traces the path from the website through the perils that lurk in the enterprise and legacy systems; we will look at ways to get Frodo and Sam home safely, and we won't rely on Visio firewalls where Mithril is required.</span></div><div><span><br></span></div><div><span><a style="display: inline;" href="http://1raindrop.typepad.com/.a/6a00d83451c75869e200e553c410e98834-pi"><img  class="at-xid-6a00d83451c75869e200e553c410e98834 " alt="Ghostseparationwall" src="http://1raindrop.typepad.com/.a/6a00d83451c75869e200e553c410e98834-320wi"></a>
<br></span></div><br><div>(Note - Thanks for reminding me of the analogy <a href="http://radar.oreilly.com/jims/">Jim</a>)</div>]]></content:encoded>
      <pubDate>Fri, 18 Jul 2008 07:04:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/firewall">firewall</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security model">security model</category>
      <category domain="http://securityratty.com/tag/business units">business units</category>
      <category domain="http://securityratty.com/tag/inside">inside</category>
      <category domain="http://securityratty.com/tag/enterprisey folks">enterprisey folks</category>
      <category domain="http://securityratty.com/tag/security architecture">security architecture</category>
      <category domain="http://securityratty.com/tag/business processes">business processes</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/07/the-network-firewall-is-a-consensual-hallucination.html">The Network Firewall is a Consensual Hallucination</source>
    </item>
    <item>
      <title><![CDATA[Securing Financial Services Beyond the Perimeter]]></title>
      <link>http://securityratty.com/article/5ccc8d288dfb017bb8a5090ac1e8cbf9</link>
      <guid>http://securityratty.com/article/5ccc8d288dfb017bb8a5090ac1e8cbf9</guid>
      <description><![CDATA[(Source: SonicWALL) The traditional financial services network has evolved into a transactional e-commerce model, offering customers products and services beyond the network perimeter. A &quot;clean VPN&quot;...]]></description>
      <content:encoded><![CDATA[<b>(Source: SonicWALL)</b> The traditional financial services network has evolved into a transactional e-commerce model, offering customers products and services beyond the network perimeter. A "clean VPN" integrates intelligent UTM firewall technology with intelligent SSL VPN remote access technology to deliver centrally-managed, multi-layered security and compliance.
]]></content:encoded>
      <pubDate>Thu, 01 May 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/transactional e-commerce model">transactional e-commerce model</category>
      <category domain="http://securityratty.com/tag/clean vpn">clean vpn</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/customers products">customers products</category>
      <category domain="http://securityratty.com/tag/network perimeter">network perimeter</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/sonicwall">sonicwall</category>
      <category domain="http://securityratty.com/tag/deliver">deliver</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/281672954/whitepapers.do">Securing Financial Services Beyond the Perimeter</source>
    </item>
    <item>
      <title><![CDATA[NSA's Domestic Spying]]></title>
      <link>http://securityratty.com/article/734e5469777f8c865fcfcd19215b61f8</link>
      <guid>http://securityratty.com/article/734e5469777f8c865fcfcd19215b61f8</guid>
      <description><![CDATA[This article from The Wall Street Journal outlines how the NSA is increasingly engaging in domestic surveillance, data collection, and data mining. The result is essentially the same as Total...]]></description>
      <content:encoded><![CDATA[<p><a href="http://online.wsj.com/article/SB120511973377523845.html?mod=todays_us_page_one">This article</a> from <i>The Wall Street Journal</i> outlines how the NSA is increasingly engaging in domestic surveillance, data collection, and data mining.  The result is essentially the same as Total Information Awareness.</p>

<blockquote>According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called "transactional" data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA's own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge's approval when a link to al Qaeda is suspected.

<p>[...]</p>

<p>Two former officials familiar with the data-sifting efforts said they work by starting with some sort of lead, like a phone number or Internet address. In partnership with the FBI, the systems then can track all domestic and foreign transactions of people associated with that item -- and then the people who associated with them, and so on, casting a gradually wider net. An intelligence official described more of a rapid-response effect: If a person suspected of terrorist connections is believed to be in a U.S. city -- for instance, Detroit, a community with a high concentration of Muslim Americans -- the government's spy systems may be directed to collect and analyze all electronic communications into and out of the city.</p>

<p>The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.</p>

<p>The information doesn't generally include the contents of conversations or emails. But it can give such transactional information as a cellphone's location, whom a person is calling, and what Web sites he or she is visiting. For an email, the data haul can include the identities of the sender and recipient and the subject line, but not the content of the message.</p>

<p>Intelligence agencies have used administrative subpoenas issued by the FBI -- which don't need a judge's signature -- to collect and analyze such data, current and former intelligence officials said. If that data provided "reasonable suspicion" that a person, whether foreign or from the U.S., was linked to al Qaeda, intelligence officers could eavesdrop under the NSA's Terrorist Surveillance Program.</p>

<p>[...]</p>

<p>The NSA uses its own high-powered version of social-network analysis to search for possible new patterns and links to terrorism. The Pentagon's experimental Total Information Awareness program, later renamed Terrorism Information Awareness, was an early research effort on the same concept, designed to bring together and analyze as much and as many varied kinds of data as possible. Congress eliminated funding for the program in 2003 before it began operating. But it permitted some of the research to continue and TIA technology to be used for foreign surveillance.</p>

<p>Some of it was shifted to the NSA -- which also is funded by the Pentagon -- and put in the so-called black budget, where it would receive less scrutiny and bolster other data-sifting efforts, current and former intelligence officials said. "When it got taken apart, it didn't get thrown away," says a former top government official familiar with the TIA program.</p>

<p>Two current officials also said the NSA's current combination of programs now largely mirrors the former TIA project. But the NSA offers less privacy protection. TIA developers researched ways to limit the use of the system for broad searches of individuals' data, such as requiring intelligence officers to get leads from other sources first. The NSA effort lacks those controls, as well as controls that it developed in the 1990s for an earlier data-sweeping attempt.</p></blockquote>

<p>Barry Steinhardt of the ACLU <a href="http://www.dailykos.com/storyonly/2008/3/11/14380/5939/606/474351">comments</a>:</p>

<blockquote>I mean, <a href="http://www.aclu.org/clock">when we warn</a> about a "<a href="http://www.aclu.org/monster">surveillance society</a>," <i>this</i> is what we're talking about. This is it, this is the ballgame. Mass data from a wide variety of sources -- including the private sector -- is being collected and scanned by a secretive military spy agency. This represents nothing less than a major change in American life -- and unless stopped the consequences of this system for everybody will grow in magnitude along with the rivers of data that are collected about each of us -- and that's more and more every day.</blockquote>

<p>More <a href="http://blogs.zdnet.com/Ratcliffe/?p=334&tag=nl.e622">commentary</a>.</p>]]></content:encoded>
      <pubDate>Wed, 26 Mar 2008 03:02:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nsa">nsa</category>
      <category domain="http://securityratty.com/tag/data haul">data haul</category>
      <category domain="http://securityratty.com/tag/haul">haul</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/transactional information">transactional information</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/nsa receives">nsa receives</category>
      <category domain="http://securityratty.com/tag/mass data">mass data</category>
      <category domain="http://securityratty.com/tag/terrorism information awareness">terrorism information awareness</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/nsas_domestic_s.html">NSA's Domestic Spying</source>
    </item>
  </channel>
</rss>
