<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>AuthenticationWorld Blog</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/" />
   <link rel="self" type="application/atom+xml" href="http://www.authenticationworld.com/blog/atom.xml" />
   <id>tag:www.authenticationworld.com,2007:/blog//1</id>
   <updated>2007-12-08T16:35:00Z</updated>
   <subtitle>The Business of Authentication</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.33</generator>

<entry>
   <title>The future of security</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/12/the_future_of_security.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.270</id>
   
   <published>2007-12-08T16:01:45Z</published>
   <updated>2007-12-08T16:35:00Z</updated>
   
   <summary>I was just reading an article on Dark Reading &quot;Ranum&apos;s Wild Security Ride&quot; that got me thinking. The article is about Marcus Ranum, who helped create one of the first firewalls. The article quotes &quot;&quot;Computer security is going to disappear...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[I was just reading an article on Dark Reading "<a href="http://www.darkreading.com/document.asp?doc_id=140640&WT.svl=news1_4">Ranum's Wild Security Ride</a>" that got me thinking.  The article is about Marcus Ranum, who helped create one of the first firewalls.  The article quotes him: "Computer security is going to disappear after a while," he says.  I couldn't agree more.  That's the point of this blog.

Computer security today is all about companies making products to compensate for the poor security design of other companies' products.  Further, enterprise system software, like ERPs, doesn't provide end-to-end security either.  

About seven or eight years ago I saw that one day ERP vendors would "own" the security space for large enterprises.  Their software would set business risk in a module and then using the risk, set the security policies around the identities, business and web processes automatically.   They would control the enterprise firewall's security policies as well as integrate with physical security systems.  The business risk module would also then determine the physical security authentication risk for specific physical locations.

Further, I also saw that independent application vendors would be forced, over time, to build good security into their products.  I believed then that litigation and regulatory pressure would, over time, force developers to change their coding practices from getting something out the door quickly, to getting something out the door that also has good security built into it.

Is this a dream or not? I don't think so.

Today, the ERP vendors are being led by Oracle, who is quickly buying up middleware companies to build an end to end security driven product suite.  Their recent acquisition of Bharosa is but one example of integrating authentication security into their architecture.  They are also actively partnering with companies like <a href="http://www.quantumsecure.com/">QuantumSecure</a>.  This is the early beginning of integrating physical security into ERP architectures.

Is all of this going to happen overnight?  No. Not even for the next ten years.  However, at the large enterprise level, you can see the winds of change gently blowing towards integrating security into the core product development.

On the flip side of my vision, many people will say that having all your eggs in one ERP basket is also dangerous.  I agree.  There will be many twists and turns on a bumpy road from where we are today to one where the ERP product suite is robust.  Many enterprises may believe the ERP sales rep's security spiels when they shouldn't.

My take is that the large enterprise market for security products will dwindle over the next ten years. I believe that the ERP vendors will own this section of the market.  I also see that vendors like Google and others will slowly take over portions of the current Microsoft market.  I think that since they are starting off without having to maintain backward compatibility with poorly secured code, which Microsoft has to support, they will begin to introduce better security standards into the marketplace.  

I don't want to put Google on a pedestal, since their own products have security holes as well.  However, in the long run, I believe that, as we move towards a digital world where servers run and store most of the code and the desktop becomes a thin client, better security will slowly evolve.

That's why I too agree with Marcus Ranum.  Over time, the security product market will slowly dwindle from the market it is today.  They will become specialty firms addressing new attack vectors but won't be focusing on general protection as it is today.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
]]>
      
   </content>
</entry>
<entry>
   <title>How safe is your encryption scheme?</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/09/how_safe_is_your_encryption_sc.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.269</id>
   
   <published>2007-09-18T03:38:54Z</published>
   <updated>2007-09-18T03:44:11Z</updated>
   
   <summary>This past week, Tim Wilson published a very interesting article in Dark Reading &quot;Quantum Research Could Threaten Encryption Schemes&quot;. In it he documents the recent research in Australia and China on photonic computers that are able to run something...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[This past week, Tim Wilson published a very interesting article in Dark Reading "<a href="http://www.darkreading.com/document.asp?doc_id=133847&WT.svl=news1_5">Quantum Research Could Threaten Encryption Schemes</a>".  In it he documents the recent research in Australia and China on photonic computers that are able to run something called "Shor's Algorithm".  

Tim's article says: "Using an experimental computer based on photonics, the researchers in Australia and China have independently been able to do a full-scale implementation of something called Shor's Algorithm, a non-linear method of factoring composite numbers. Shor's Algorithm breaks many of the rules of linear computing and therefore has no trouble finding the prime factors in any number, no matter how large.

The research shakes the foundation of all types of currently available encryption methods. If the quantum computer can factor any number of any size with equal ease, then, theoretically, no algorithm based on linear computing is safe. "

All of this should give CSOs and CIOs pause for consideration.  It means that over the next ten or so years, as quantum computing comes into being, most of their precious secrets and defense mechanisms that rely upon encryption can be broken.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>
<entry>
   <title>The Threat Continues: ISP Denial of Service Attacks</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/09/the_threat_continues_isp_denia.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.268</id>
   
   <published>2007-09-18T03:20:47Z</published>
   <updated>2007-09-18T03:30:42Z</updated>
   
   <summary>There&apos;s a must read on Dark Reading &quot;Report: Attacks on ISP Nets Intensifying&quot;. It refers to a report from Arbor Networks that outlines the increasing threat of denial of service attacks on ISPs. As I have blogged about before, denial...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[There's a must read on Dark Reading "<a href="http://www.darkreading.com/document.asp?doc_id=133973&WT.svl=news1_2">Report: Attacks on ISP Nets Intensifying</a>".  It refers to a <a href="http://www.arbornetworks.com/en/news-releases/arbor-s-worldwide-infrastructure-security-report-highlights-growing-threats-to-2.html">report from Arbor Networks</a> that outlines the increasing threat of denial of service attacks on ISPs.  

As I have <a href="http://www.authenticationworld.com/blog/2006/11/a_big_mess_spam_denial_of_serv_1.html">blogged about before</a>, denial of service attacks are an increasing threat to enterprises large and small.  As Dark Reading documents, the Arbor report showed that "While most large ISPs have upgraded their backbones to 10-Gbit/s speeds over the past two years, three respondents said they have experienced sustained attacks from 20- to 22 Gbit/s, and one hosting services provider in the survey reported a 24-Gbit/s DNS-targeted attack. The most powerful sustained attack previously was 17 Gbit/s, which was reported in last year's survey by Arbor."

Further, Dark Reading's article said "Not surprisingly, ISPs say botnets are the number one threat to their networks, and that these malicious networks are growing in size and sophistication. Botnets are used for DOS attacks (71 percent), sending spam (64 percent), as open proxies (34 percent), for storing ID theft information (16 percent), and as part of phishing systems (37 percent), according to respondents."

Most worrisome to me was the ending to the Dark Reading article: " There are a couple of vulnerable hotspots on service provider backbones: More than half said they had no way to detect or mitigate DNS attacks, and nearly 90 percent don't have the ability to protect VOIP."

As enterprises move to VOIP they are incurring a significant risk they probably are unaware of.  A successful denial of service attack would not just bring down their internet web site BUT WOULD ALSO CURTAIL ALL PHONE ACTIVITY!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
]]>
      
   </content>
</entry>
<entry>
   <title>Enterprise 3.0</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/09/enterprise_30_1.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.267</id>
   
   <published>2007-09-14T17:29:44Z</published>
   <updated>2007-09-18T23:17:26Z</updated>
   
   <summary>I was talking to Phil Hunt from Oracle last week and he began to talk about &quot;Enterprise 3.0&quot;. According to Phil: &quot;Identity 2.0 and Wed 2.0 have often been defined by &quot;social&quot; or person-to-person relationship systems. The social-networking phenomena. In...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      I was talking to Phil Hunt from Oracle last week and he began to talk about &quot;Enterprise 3.0&quot;.  According to Phil:
&quot;Identity 2.0 and Web 2.0 have often been defined by &quot;social&quot; or person-to-person relationship systems.  The social-networking phenomenon. In Enterprise 3.0, consider what happens when businesses start building the kinds of dynamic relationships that individuals do.  Example: in LinkedIn we see a ceremony where individuals can choose to be &quot;linked&quot; enabling a set of features and communication between individuals. But what are the possibilities if businesses chose to be linked?  What we are talking about is a derivative of social networking being applied to business services networking.&quot;

I liked his idea, and in this blog and others I will lay out my thoughts on Enterprise 3.0. So, first let&apos;s begin with what Enterprise 3.0 will offer enterprises that doesn&apos;t exist today:

* Use of mashups with appropriate security automatically applied (as opposed to today&apos;s world where mashups occur without security applied automatically for content providers), and automatic billing for content providers based on contracts

* Easy use of videoconferencing to enterprise desktops and cellphones where enterprise authentication and authorization rules are automatically enforced, and also easily enforced in enterprise-to-enterprise interactions (as opposed to today&apos;s world where authentication and authorization need to be manually applied in many instances, are approximated by opening or closing certain IP ports, or are not applied at all)

* Ability to move around and direct existing user sessions to be passed from one device to another, e.g. a laptop to a cellphone to a desktop.  Compare this to today&apos;s world where workers and management are tied to a device and unable to keep the existing user session, application and information going without logging off and logging on to the new device

* Passing of digital content within the enterprise and between enterprises with automatic enforcement of enterprise content management security policies for each piece of content (as opposed to today&apos;s world where content management policies are not usually enforced once they leave the enterprise content management silo)

* Increasing control of business processes by ERPs where security policies are automatically enforced on the content flowing within the business process (as opposed to today&apos;s world where ERP business process controls don&apos;t normally cover all aspects of the business process.  Further, they don&apos;t normally enforce enterprise security standards from risk management all the way to database security, especially when the business process is enterprise to enterprise)

* Integration of user-centric social interaction models into the enterprise where enterprise business, social and security policies are automatically enforced on the interactions (as opposed to today&apos;s world where the use of things like Facebook and MySpace happens in enterprise silos with little or no enforcement of enterprise social, business and security policies)

* More B-to-C interactions leveraging mashups, social interactions and provision of rich digital content with automatic billing and business process and security enforcement of the enterprise&apos;s content (as opposed to today&apos;s world where the interactions don&apos;t leverage the integration of the enterprise&apos;s digital content, the bringing in of other enterprises&apos; digital content, the user&apos;s content, and the appropriate security, business and identity enforcement along with automatic billing where appropriate)

* Ability for enterprises to quickly pass security policies, digital content and files at different levels of trust between parties.  I liken this to social interactions between individuals where levels of trust are established.  However, this needs to be modeled on levels of trust between enterprises where different contractual models exist.  Compare this to today&apos;s world where the establishment of levels of trust is very time, labor and lawyer intensive and is not quickly doable beyond tightly defined borders.

So is Enterprise 3.0 a revolution?  No.  It&apos;s an evolution where portability, security, interchangeable content with security policies, and worker and enterprise interaction are enriched.  It&apos;s also a world where enterprise intellectual content is protected and automatic billable revenue streams are made possible where enterprise content is reused.  In separate blogs, I will dive into the details of the challenges of creating, as well as the potential of, each of these Enterprise 3.0 features.

Thanks for the idea Phil!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
      
   </content>
</entry>
<entry>
   <title>Update on Blue Pill</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/update_on_blue_pill.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.266</id>
   
   <published>2007-08-22T22:28:13Z</published>
   <updated>2007-08-22T22:30:37Z</updated>
   
   <summary>Earlier this month, Joanna Rutkowska published a blog updating the Blue Pill attack and the recent comments made at the last Black Hat conference. It&apos;s definitely worth a read. Guy www.authenticationworld.com guy.huntington@authenticationworld.com...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[Earlier this month, Joanna Rutkowska <a href="http://theinvisiblethings.blogspot.com/2007/08/virtualization-detection-vs-blue-pill.html">published a blog</a> updating the Blue Pill attack and the recent comments made at the last Black Hat conference.  It's definitely worth a read.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>
<entry>
   <title>Vista kernel tampering</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/vista_kernel_tampering.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.265</id>
   
   <published>2007-08-22T22:13:32Z</published>
   <updated>2007-08-22T22:31:27Z</updated>
   
   <summary>Ryan Naraine yesterday published a great blog &quot;Can Microsoft ever stop kernel tampering in Vista?&quot;. He refers to the recent Black Hat conference and the presentation by Joanna Rutkowska and documents the almost impossible task of preventing kernel attacks on...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[Ryan Naraine yesterday published a great blog "<a href="http://blogs.zdnet.com/security/?p=447">Can Microsoft ever stop kernel tampering in Vista?</a>".  He refers to the recent Black Hat conference and the presentation by Joanna Rutkowska and documents the almost impossible task of preventing kernel attacks on Microsoft's Vista.  Add to this the development of Blue Pill attacks and the future looks scary from a defense perspective.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
]]>
      
   </content>
</entry>
<entry>
   <title>Google Proxy Hacking</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/google_proxy_hacking.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.264</id>
   
   <published>2007-08-22T22:06:50Z</published>
   <updated>2007-08-22T22:12:39Z</updated>
   
   <summary>Dan Thies has a very interesting blog he published on August 16 &quot;Google Proxy Hacking: How A Third Party Can Remove Your Site From Google SERPs&quot;. The blog documents his frustration at dealing with Google for the last year to...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[Dan Thies has a very interesting blog he published on August 16 "<a href="http://www.seofaststart.com/blog/google-proxy-hacking">Google Proxy Hacking: How A Third Party Can Remove Your Site From Google SERPs</a>".  The blog documents his frustration at dealing with Google for the last year to fix the hacking of Google page ranks by the use of proxies.  The challenge is that as page ranking becomes extremely valuable to businesses that do business online, criminals or hackers get involved to remove competitors from the Google search results.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>
<entry>
   <title>OAuth approaches</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/oauth_approaches.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.263</id>
   
   <published>2007-08-21T00:02:16Z</published>
   <updated>2007-08-21T00:10:39Z</updated>
   
   <summary>The last several weeks has seen very busy activity in the authentication community developing an API for Authentication. For clients, this means that there will be a simple way to publish and interact with protected data and also a simpler...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      The last several weeks have seen very busy activity in the authentication community developing an API for authentication.  For clients, this means that there will be a simple way to publish and interact with protected data and also a simpler way to allow people to give you access to their data. On the server side, it means users no longer have to spread their passwords around the net to get access to their data. OAuth allows users to get access to their data while protecting their account credentials.

Stay tuned for more on this as the spec is released.  It is built using much of OpenID.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
      
   </content>
</entry>
<entry>
   <title>Identity, Security and Business Risk</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/identity_security_and_business.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.262</id>
   
   <published>2007-08-15T18:44:28Z</published>
   <updated>2007-08-15T19:06:44Z</updated>
   
   <summary>Several years ago I had a vision for enterprise security management. In my vision I saw that security risk would be assigned by ERP modules. The risk would be assigned based on value of business processes, enterprise information capital, physical...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      Several years ago I had a vision for enterprise security management.  In my vision I saw that security risk would be assigned by ERP modules.  The risk would be assigned based on value of business processes, enterprise information capital, physical assets and identities.  Once the risk was assessed, the ERP would then automatically create security policies.  These policies would then be automatically enforced throughout the enterprise by the enterprise security/identity/physical access systems.

Further, I saw the problems that large enterprises were going to have understanding the security policies. In my vision, I saw that the ERP security module would display the enterprise graphically.  A senior manager or Board member would be able to slice and dice security visually.  For example, enterprise assets could be displayed by levels of risk.  This could then be displayed on a building by building basis.  Then role access could be displayed overlaying this.  The same thing could be done to display business processes by risk. All of this could then be displayed in real time.

At the time, I thought that this vision was not possible.  The ERP vendors weren&apos;t players in the identity security space.  There weren&apos;t any standards for identity access and authorization.  

Today, the stage is becoming set to begin creating this vision into reality for several reasons:

1. There are the beginnings of an emergent identity data governance protocol in Liberty Alliance that would allow for intercommunication and enforcement of data security across disparate identity silos and identity protocols.
2. BPM and BPEL allow for protocols to manage business processes and tie this to security.
3. ERP vendors like Oracle and SAP are now players in the identity/security space.
4. Many physical access devices are now LDAP compliant allowing them to talk to the enterprise LDAP systems.
5. There are virtual directories allowing for rapid integration of enterprise databases into enterprise directories.

What&apos;s missing to complete the vision?

* No document management protocols allowing for interchange of document management security policies tied to identity management authentication and authorization protocols
* Lack of strong security modules in ERP that talk to the risk modules and the identity governance modules

I am quite optimistic that over the next three to four years, my vision will become reality.  

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

      
   </content>
</entry>
<entry>
   <title>Hacking a biometric authentication system</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/hacking_a_biometric_authentica.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.261</id>
   
   <published>2007-08-09T19:19:54Z</published>
   <updated>2007-08-09T19:24:54Z</updated>
   
   <summary>eWeek has a very interesting slide show &quot;The Security of Biometrics: Two Screws and a Plastic Cover&quot; which I strongly recommend viewing. The slide show shows, step by step, how to hack a biometric system. One of the weak spots...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[eWeek has a very interesting slide show "<a href="http://www.eweek.com/slideshow/0,1206,a=212903,00.asp">The Security of Biometrics: Two Screws and a Plastic Cover</a>" which I strongly recommend viewing.  The slide show shows, step by step, how to hack a biometric system.

One of the weak spots in many biometric systems is the use of Wiegand protocol.  As the slide show says "The Wiegand protocol is, Franken said, a) in plain text, b) easily intercepted, c) easily replayed, d) includes output from biometric readers, and e) includes output from even strong crypto contactless smart card readers. This means the output, including all data pertaining to a card holder, can be captured on a hacked system."

Security is only as strong as the weakest link.  

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>
<entry>
   <title>Why more authentication may be harmful to banks</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/why_more_authentication_may_be.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.260</id>
   
   <published>2007-08-09T17:53:23Z</published>
   <updated>2007-08-09T18:01:07Z</updated>
   
   <summary>A very interesting article appeared yesterday in Dark Reading &quot;New Bank Practices Make Hacking Easier&quot;. The article quotes Brendan O&apos;Connor, an independent researcher on his research into the recent increase in use of stronger authentication by US Financial institutions as...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[A very interesting article appeared yesterday in Dark Reading "<a href="http://www.darkreading.com/document.asp?doc_id=131191&WT.svl=news1_3">New Bank Practices Make Hacking Easier</a>".  The article quotes Brendan O'Connor, an independent researcher on his research into the recent increase in use of stronger authentication by US Financial institutions as a result of FFIEC requirements.

The article states as follows:
"To prove his point, O'Connor signed up for a number of online banking services, then installed an inline proxy so that he could monitor the exchange between his computer and the bank's. "I just watched the HTTP requests and responses for these sessions, and immediately knew how to break them," he says.

"The methods [banks] are using for device 'fingerprinting' are effectively Javascript and, in some cases, a flash object," O'Connor explains. "If you think about it logically, they are sending code to my computer, and asking it to be honest about its characteristics. Because I can see the code they are using, I can see exactly what questions they are asking my computer, and what a proper response needs to look like.

"I'd hate to call this a 'hack,' because they did the hacking for me," O'Connor says.

The banks believe that by adding a second question or image -- or by requiring the user to send an email -- they are increasing the odds against an attacker guessing his way into a user's account, O'Connor says. But most savvy phishers and thieves don't break in by guessing, but by stealing information through different means, such as keyloggers or social engineering, O'Connor observes.

The banks' new "second" factors of authentication actually improve the attackers' chances of a break-in by making the penetration path more clear, he explains.

"Effectively, I just downloaded the authentication scripts from the target Website -- it happens before you are authenticated, so you just go to the login page and copy and paste," O'Connor says. In his DefCon presentation, O'Connor demonstrated an exploit against one of his own accounts, "to show the audience how ridiculously easy this stuff is to bypass or impersonate," he says.

"At the end of it, I delivered my security image and phrase via my 'phishing' Website to show how an attacker can impersonate the real bank," O'Connor says. "I also did a standard man-in-the-middle attack for challenge questions, to illustrate that [one-time passwords] and challenge questions are just as easy to get past."

O'Connor believes that the efforts of banks and the FFIEC to add additional factors of authentication are a misuse of resources. "

This article merely confirms something I have been writing about for the last two years, i.e. the need for transaction authentication.  The other forms of stronger authentication are prone to man-in-the-middle attacks and, as the article points out, are often beaten by traditional phishing and keystroke logging coupled with social engineering attacks.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>
<entry>
   <title>Hacks against banks up 81%!</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/hacks_against_banks_up_81.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.259</id>
   
   <published>2007-08-03T04:26:34Z</published>
   <updated>2007-08-03T04:31:45Z</updated>
   
   <summary>Information Week today ran a story &quot;Number Of Hackers Attacking Banks Jumps 81%&quot;. Secureworks, today at the Black Hat conference, also said that attacks against credit unions rose 62% from last year. The article says: &quot; &quot;You go to a...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[Information Week today ran a story "<a href="http://www.informationweek.com/news/showArticle.jhtml;jsessionid=Q3NOZ330BK24QQSNDLOSKHSCJUNN2JVN?articleID=201202629">Number Of Hackers Attacking Banks Jumps 81%</a>".  SecureWorks, today at the Black Hat conference, also said that attacks against credit unions rose 62% from last year.

The article says:
"
"You go to a Web site and pay a $100 to several hundred dollars, and you can buy a turnkey exploit package," said Stewart. "You can buy the malware too, and then you're in business. You put these components up on a Web site and immediately start infecting people. All you really need to know how to do at this point is set up a Web site."

This new ease-of-use is evident in the numbers.

SecureWorks reported that between June 2006 and December 2006, they blocked attacks from about 808 hackers per bank per month. From the beginning of this year through June, there's been an average of 1,462 hackers launching attacks at each of the company's bank clients. As for the credit unions, SecureWorks reported blocking attacks from 1,110 hackers per credit union per month. That number rose to 1,799 this year. 
"

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com ]]>
      
   </content>
</entry>
<entry>
   <title>10 reasons to worry if you&apos;re an IT Security Director</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/10_reasons_to_worry_if_youre_a.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.258</id>
   
   <published>2007-08-03T04:07:14Z</published>
   <updated>2007-08-03T04:10:44Z</updated>
   
   <summary>I came across an article written early in June by Robin Bloor, an IT director called &quot;10 reasons why the Black Hats have us outgunned&quot;. It is worth a read. The article comments on many of the same things I...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[I came across an article written early in June by Robin Bloor, an IT director, called "<a href="http://www.it-director.com/blogs/Robin_Bloor/2007/6/10_reasons_why_the_Black_Hats_have_us_outgunned.html">10 reasons why the Black Hats have us outgunned</a>".  It is worth a read.  The article comments on many of the same things I have blogged about for the last year.  Have a layered defense.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com 

]]>
      
   </content>
</entry>
<entry>
   <title>Attacks on financial institutions customer accounts getting more sophisticated</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/attacks_on_financial_instituti.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.257</id>
   
   <published>2007-08-03T01:26:33Z</published>
   <updated>2007-08-03T01:46:32Z</updated>
   
   <summary>An article yesterday in Dark Reading &quot;MPack Banking Malware Infects 500,000 Computers&quot; should put the jitters into financial institution security and IT managers. It documents the hacking tool for sale by the Russian underground, for $1,000, that downloads the software...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[An article yesterday in Dark Reading "<a href="http://www.darkreading.com/document.asp?doc_id=130597&WT.svl=cmpnews1_4">MPack Banking Malware Infects 500,000 Computers</a>" should put the jitters into financial institution security and IT managers.  It documents the hacking tool for sale by the Russian underground, for $1,000, that downloads the software via a website the user visits and then obtains bank user IDs, PINs and social security numbers.  The success rate is 16%, which is quite high.

The article then goes on to claim the following about the malware:
"
"The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind," Finjan researchers reported in an advisory. "Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience."

To make matters even worse for users and IT managers, the malware downloaded by the MPack toolkit is still not detected by the majority of popular security products, according to Finjan. And that makes it very effective in infecting PCs.

"This form of attack is more dangerous than previous forms of Phishing, which relied on fraudulent Web sites," said Yuval Ben-Itzhak, Finjan's CTO, in a written statement. "Because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect. After the customer fills in the login form on their Web site and clicks on the 'Log In' button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal's server, instead of sending to bank's server. The customer thinks they are still on the bank's Web site but they are actually sending data to the criminal's server over an encrypted connection."

Ben-Itzhak explained that the crimeware takes over the browser and creates a copy of the real banking page in real-time so the user is further tricked into thinking they're at a legitimate site. For each financial institution, the crimeware sends a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service. 
"

Now here's what I think is going to happen in the near future as banks deploy stronger authentication such as card readers, tokens, biometric keyboards, etc.  The software will be configured to recognize the bank's authentication mechanisms.  Then, in real time, it will construct the bank's webpage and request the user's strong authentication.  Then, the rest is the man-in-the-middle attack.  The customer enters the info, the criminals pass it along, the criminal is successfully authenticated posing as the customer and it's withdrawal time!

In my own opinion, this type of attack is going to become more common over the coming two years than conventional phishing attacks.  No email link to click on.  Just have the customers visit a website where the code is downloaded quietly into their computer.  

The only real way to mitigate risk from this form of attack is to deploy transaction authentication software.  Examining the customer's IP address, their geolocation, the time of withdrawal, their usage profile, past history, the hardware on the computer being used, etc. is the way to see a potential loss in the making.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>
<entry>
   <title>Layered defenses get another plug</title>
   <link rel="alternate" type="text/html" href="http://www.authenticationworld.com/blog/2007/08/layered_defenses_get_another_p.html" />
   <id>tag:www.authenticationworld.com,2007:/blog//1.256</id>
   
   <published>2007-08-02T18:19:28Z</published>
   <updated>2007-08-02T18:34:26Z</updated>
   
   <summary>A former Black Hat today wrote an interesting article in Searchsecurity.com &quot; Metamorphic malware sets new standard in antivirus evasion&quot;. The author, Noah Schiffman, outlines the growing challenge of metamorphic viruses. Read the article as he outlines the general architecture...</summary>
   <author>
      <name>Guy Huntington</name>
      <uri>http://www.authenticationworld.com</uri>
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.authenticationworld.com/blog/">
      <![CDATA[A former Black Hat today wrote an interesting article in Searchsecurity.com "<a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1264968,00.html?track=NL-427&ad=598908&asrc=EM_NLT_1911610&uid=5817540">Metamorphic malware sets new standard in antivirus evasion</a>".  The author, Noah Schiffman, outlines the growing challenge of metamorphic viruses.  Read the article as he outlines the general architecture of viruses.  At the end he states a great recommendation:

"Protection from any type of metamorphic malware is best addressed by blended threat management platforms using a multi-layered approach. Antivirus software, updated frequently, remote access restrictions and compliance monitoring should be employed at the server and end-user levels. Network and personal firewalls should have any unused service ports shut down. Email servers should employ content filters and file scanning. Finally, any corporate setting should develop, maintain and enforce a well-defined and effective set of security policies. In extreme situations, when dealing with highly sensitive data, extra security measures such as real-time emulation analysis and specialized network segmentation may be considered." 

Layered defenses.  It's the only way to mitigate risk in today's world.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com]]>
      
   </content>
</entry>

</feed>
