RSA Conference

    Identity and Access Management: Blog


    Jul 28, 2008

    Webcast: Mechanics of User Identification and Authentication

    Dobromir Todorov updates his highly rated session from RSA Conference Europe 2007.

    People using their computers, credit cards, mobile phones or accessing bank accounts may be providing identification and authentication information several times a day. Yet many remain ignorant of the true nature of identification and authentication. This session will present the taxonomy of identification and authentication mechanisms in IT.

    Dobromir Todorov has 15 years of IT experience in UC, IT Security, and Internetworking. Dobromir is the author of Mechanics of User Identification and Authentication: Fundamentals of Identity Management, published in 2007.

    Dobromir will be presenting a new session at RSA Conference Europe 2008: DEV 208 “Unified Security for Unified Communications.” 


    Apr 09, 2008

    The user-centric identity interoperability event

    Kaliya Hamlin, Identity Woman, Facilitator and Co-Producer of the Internet Identity Workshop

    The OSIS user-centric identity interoperability tests and demonstrations kicked off Tuesday at the RSA 2008 User-Centric Identity Interop with an active working session followed by demonstrations to RSA attendees. Amidst laughter and intense collaborative discussions, a new milestone of cooperation has been reached: 2X more companies, 2X more participation, 10X more functional tests than ever.

    Pamela Dingle presented on Wednesday on the Identity Meta System, and on Friday Dale Olds, a leader of OSIS, is presenting on Experiences Validating Secure Open Source User-Centric Identity Systems.

    The Identity Commons Wiki shows in real time the interoperability matrices between solutions.

    See a list of the solutions (selectors, identity providers, relying parties) at this interop. Within each solution, you can find links to the matrices of interoperability tests and their results. For example, here's one of the matrices: relying parties x identity selectors results.

    Here's a sample demo: This link shows how information cards interoperate with desktop applications.

    Feb 13, 2008

    Ami Grynberg: Are we missing the obvious?

    Ami Grynberg

    Consumer oriented online fraud – an introduction to the security potential of effective password management




    The Threats
     
    Before we delve into the issue of online fraud, we must define this threat. Let us define it as:
    ‘Eavesdropping on, or interfering with, online transactions made by consumers.’

    To facilitate a better understanding of the threats and available (partial) solutions, one should first analyze the various methods that are employed.

    Naturally, there are multiple means through which fraudsters can retrieve confidential information. Such activities are classified under different names. Let us distinguish between fraud conducted through non-invasive means external to a user’s machine and those which are invasive, requiring installation of malware on the user’s PC.

    Non-Invasive Fraud
    Non-invasive techniques trick users into taking actions that they could have avoided had they been more careful.

    Phishing – luring users into submitting confidential information to fraudulent websites. This is usually accomplished by triggering users to navigate to a phishing website, and by convincing them to submit confidential information to that site.

    Triggering is mostly accomplished by emails purporting to be sent from a website the users know. Convincing is carried out by presenting look-alike forged websites to users, who are then asked to enter their confidential information (password, social security number, etc.).

    Phishing websites leverage visual tricks as means for fooling consumers into thinking that the fraudulent site they are visiting is in fact genuine. Mostly, they use domain names that look similar to a real domain name.

    Static Phishing – using a forged website that is purpose built to look like a real website.

    Real-time Phishing – unlike static phishing, in which a static forged page is displayed, real-time phishing plays a man-in-the-middle role. It passes user requests to a real website and passes responses back to that user. Thus, it can imitate any website. A phishing website can also use its own digital certificate.

    When a real-time phishing site is active, this is what may happen:

    • a) Joe clicks on a link purporting to be his banking website ‘joebank.com’.
    • b) Joe is directed to a real-time phishing site ‘joebankk.com’.
    • c) The phishing site retrieves a login page from ‘joebank.com’ (possibly via https) and sends it to Joe. From the real website’s point of view, the phishing site is just a user (albeit one without cookies that prove a previous visit).
    • d) Joe fills out and submits a login form, which he sends to the phishing site.
    • e) The phishing site can now save the login credentials it received from Joe. But it can also continue to play the game by submitting those login credentials to the real site. Once this is done, the phishing website is logged into the real site and it can do whatever it wants with the account. Meanwhile, it can send an error page to Joe.


    Pharming – technically, directing a web browser to the wrong IP address of the right website. Pharming is achieved through what is known as ‘DNS poisoning’. Thus, Pharming does require an invasive technique, but not to the user’s machine. Poisoning of an ISP DNS server can accomplish Pharming fraud with many users.

    Invasive Fraud
    Invasive techniques rely on installing malware onto a user’s machine.

    Key Logging – recording whatever a user types on her machine. Key loggers can take many forms, from software malware that is installed on a user’s machine to hardware-based spying at the keyboard level.

    Malware browser extensions – they can capture and collect form data, or, take over (hijack) an authenticated session and execute transactions on behalf of the (unsuspecting) user.

    Local Pharming – directing a local web browser to the wrong IP address through modifications to routing tables of the local machine.

    Hostile Host – this is a special case of a computer engineered by its rightful owner to capture confidential information entered by guests. This is most common in Internet café-like environments. In such a case it is very difficult to detect and remove the malware.

    Common Technical Responses & Their Drawbacks
    Attempted solutions to those threats range from black-listing of suspicious websites, to two-factor and mutual authentication schemes, to anti-spyware tools.

    Non-invasive fraud:

    Email filtering – is based on parsing an email and classifying it as a phishing email. This technique is non-deterministic. It is similar to spam filtering and the problems are similar, mainly false positives and false negatives.

    Website filtering – is based on parsing website links and classifying them as phishing websites. It is based either on a black list or on real-time analysis of the website itself. This technique, again, is non-deterministic, with similar drawbacks. Furthermore, real-time analysis of a website may cause a marked delay during browsing.

    Two factors – an OTP (one time password) is used as one of the credentials for authenticating a user to a site. Thus, even if that OTP is stolen, no harm is done due to the short time of its validity. Other methods include phone call backs and other out of band verifications.

    However, none of these methods overcomes real-time phishing attacks: since the phishing site is in the loop, it can hijack the authenticated session after verification is completed.
    Looking back at step (e) of real-time phishing (above), one can see that if a phishing site allows Joe to complete his authentication, two factors or not, the phishing site cannot use the captured credentials later, but it can use the currently open session to transact business or download information as if it were Joe (see further details below).

    Mutual authentication – is an attempt at socially engineering users to expect certain verifications from websites before they submit their credentials. However, studies show that it is not effective. Further, it does not overcome real-time phishing either.

    Consider this scenario (replacing step d above):

    • Joe submits a form with an account name.
    • The phishing site forwards the form to the real website.
    • The real website returns a page with an image, voice tag or text message which Joe previously selected. This feedback is aimed at proving to Joe that the site he is talking to is the authentic website.
    • The phishing website forwards the returned graphics to Joe who is happy with this confirmation.
    • Joe now confirms that he recognizes the real site. Such confirmation is forwarded to the real site by the phishing website.
    • The real website decides that with cookies not present (due to phishing redirection), it needs to ask Joe a security question.


    And so it goes on and on until finally a form with the correct password is forwarded by the phishing site to the real site. At that point, the real site sets a session cookie at the phishing site and the session starts. Yes, a session between a phishing site and a real site using Joe’s stolen credentials.

    Invasive fraud:
    Anti-spyware – this is very similar to fighting virus infection. It usually works by looking at signatures, although some day-one measures are available as well.

    However, none can protect from a hostile host.

    Have We Missed the Obvious?

    Yes. A password manager is a common tool that helps users memorize and enter login credentials to websites. It so happens that it is also an effective solution for phishing and pharming.

    Here’s why:

    i.  It solves the problem

    A password manager is not sensitive to website forgery. It does not look at page graphics; it looks instead at what sits behind the scenes: the page address.

    A password manager stores login credentials in a database, one record per site, where the site’s domain name is the key for accessing that saved record. When a login form is presented, the password manager looks up a matching record within the list of stored domains. If one is found, it automatically fills in the form with the requested credentials. If no match is found, it does not fill in the form.

    Very simple and effective because:

    A password manager is a commodity. Users get used to relying on their password managers. In fact, they do not remember their passwords any more (especially if they use the password manager’s password generator function to create a complex password each time they sign up).

    Thus, when a form is not auto-filled, a user will be alerted to the fact that something unusual is going on.

    ii.  It is an easy-to-sell concept

    A password manager improves online browsing experience, thus an easy sell to consumers.

    Most anti-phishing tools interfere with users’ online experience, as they pop up from time to time with right or wrong alerts. A password manager, however, provides convenience in addition to security. It does not interfere, it helps. The lack of help at a particular moment in time is the alert.

    It is therefore easier to convince users to use a password manager than an anti-phishing tool (especially when those tools are not effective).

    iii.  It is free

    Simple password managers are available for free with popular browsers. But, even the best password managers, which can cope with complex login procedures like ‘multi-step login’, are available for free (limited to 10 passwords).

    iv.  It can be portable

    Some password managers are available in a portable edition. With portable password managers, users can carry their confidential data with them, securely stored on any portable disk drive (USB thumb drives, U3 drives). True, a portable edition requires a portable device, but most users nowadays have portable storage devices in one form or another. Even cell phones are now emerging as storage devices.

    v.  It can protect from Pharming

    Instead of identifying a website by its URL, a password manager can look for a domain’s signed digital certificate. If this simple check is added, a password manager will not respond to Pharming spoofing because a phishing website can never use the authentic certificate of the real website.
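A minimal model of the domain-keyed lookup described in section i and the certificate check proposed in section v, written here as an added example (not code from the post or from Protecteer): the vault is keyed by the exact host of the page showing the login form, and where a certificate fingerprint is pinned for that host it refuses to fill when the presented certificate does not match. The host names, credentials and certificate bytes are constructed, and the https-only rule is an assumption added here.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StoredLogin:
    host: str                          # exact host the record was saved for (the key)
    username: str
    password: str
    cert_sha256: Optional[str] = None  # pinned SHA-256 of the site's DER certificate


class PasswordManager:
    """Toy vault: records are keyed by the page's host, never by how the page looks."""

    def __init__(self, entries):
        self._by_host = {e.host.lower(): e for e in entries}

    @staticmethod
    def host_of(page_url: str) -> Optional[str]:
        """Host of the page showing the login form; None if it is not an https page."""
        parts = urlsplit(page_url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        # urlsplit().hostname is lowercased with userinfo and port stripped, so
        # "https://joebank.com@evil.example/" yields "evil.example", not "joebank.com".
        return parts.hostname.rstrip(".")

    def autofill(self, page_url: str, presented_cert_der: Optional[bytes] = None
                 ) -> Optional[Tuple[str, str]]:
        """Return (username, password) only for an exact host match (and matching pin)."""
        host = self.host_of(page_url)
        entry = self._by_host.get(host) if host else None
        if entry is None:
            return None           # unknown host: the missing auto-fill is the alert
        if entry.cert_sha256 is not None:
            if presented_cert_der is None:
                return None
            if hashlib.sha256(presented_cert_der).hexdigest() != entry.cert_sha256:
                return None       # right name, wrong certificate: pharming suspected
        return entry.username, entry.password


# Constructed sample data (not real certificates or credentials).
REAL_CERT_DER = b"constructed DER bytes standing in for joebank.com's certificate"
FAKE_CERT_DER = b"constructed DER bytes of a certificate the pharming host presents"
VAULT = PasswordManager([
    StoredLogin("joebank.com", "joe", "correct horse battery staple",
                cert_sha256=hashlib.sha256(REAL_CERT_DER).hexdigest()),
])


def demo() -> dict:
    """Run the post's scenarios through the vault; True means the form was filled."""
    cases = {
        "real site":       ("https://joebank.com/login", REAL_CERT_DER),
        "look-alike":      ("https://joebankk.com/login", FAKE_CERT_DER),
        "subdomain trick": ("https://joebank.com.evil.example/login", FAKE_CERT_DER),
        "userinfo trick":  ("https://joebank.com@evil.example/login", FAKE_CERT_DER),
        "pharmed":         ("https://joebank.com/login", FAKE_CERT_DER),
    }
    return {name: VAULT.autofill(url, cert) is not None for name, (url, cert) in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Only the genuine site with the pinned certificate gets filled; every look-alike host and the pharmed host (right name, wrong certificate) is left empty, which is the alert the post describes.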

    vi.  It protects from key loggers

    A password manager can mitigate the risk of key-loggers. When using a password manager, a user does not type passwords. They are automatically entered into the relevant fields by the software tool.

    A good password manager also provides a virtual keyboard (avoiding the real keyboard) that users can use to enter the ‘master password’ that opens up the software and allows access to its stored data.

    vii.  It does not, however, protect from other Spyware

    A standard password manager does not solve the problem raised by spyware. However, once a password manager is available to users, there is an upgrade path for stronger authentication protocols leveraging the existence of a cooperative password manager.

    Do all password managers deliver on this concept?

    Essentially, yes. Even the simplest password manager contributes to anti-phishing more than other methods.

    When selecting a specific password manager, however, one should consider its focus on security and the way it handles chores related to phishing and Pharming. Further, one should consider the way a password manager handles complex login scripts to financial websites.

    In summary:

    A readily available password manager can do more than all other anti-phishing tools. It is a matter of educating consumers (and organizations) as to the benefit of this best kept secret.

    Our guest blogger, Ami Grynberg, is a 25-year software veteran and the CEO of Protecteer, LLC.

    Feb 01, 2008

    RSA Conference Europe Podcast: Dobromir Todorov

    Dobromir Todorov is Technical Readiness Manager for BT Global Services/ITCE and the recent author of Mechanics of User Identification and Authentication, also the title of his session.

    listen / download now (5:57)

    Jan 21, 2008

    It’s Time to Start Thinking about Identity 3.0

    Tim M. Mather, Chief Security Strategist, RSA Conference 

    Yahoo’s announcement last week that it intends to support OpenID, allowing users to access multiple Internet sites with their Yahoo ID, is a big step forward for acceptance of OpenID.   According to InfoWorld, “Yahoo's move will triple the number of OpenID accounts to 368 million by adding its 248 million active registered users to the rolls”.

    For users of many Web (2.0) sites, such as multiple social-networking sites, this increased use of OpenID looks to bring increased convenience when logging in. Yahoo users will be able to use either their OpenID identifier (a unique URL string in the format http://me.yahoo.com that will be assigned to each Yahoo member) or, on websites that embed a conventional Yahoo log-in prompt, that prompt. This latter method is a federated authentication process that will verify Yahoo users on Yahoo servers and, once authenticated, Yahoo will inform the external site that the person is a Yahoo user.

    However, in spite of recent security improvements to OpenID (2.0 specification), OpenID will not assure security when logging into sites needing greater security in the authentication process, such as banking and e-commerce, as use of these security provisions is entirely optional on the part of implementors and/or deployers.

    OpenID is certainly not the only authentication framework identified with Identity 2.0 (federated identity). SAML (Security Assertion Markup Language) has been available since November 2002, and has become the most widely deployed single sign-on solution for enterprise identity management. And, more recently, Microsoft CardSpace was introduced in April 2006.

    While each of these three solutions is clearly an improvement over the previous use of non-federated usernames and passwords for users, it is also clear that none of these three solutions satisfactorily meets all users’ needs and expectations for identity management. Also, it is clear that two-factor authentication, whether tokens or biometrics, is not going to meet user needs or expectations for a wide variety of online usage cases.

    While we don’t even have a satisfactory solution to Identity 2.0 (federated identity), it is not too early to begin articulating requirements for Identity 3.0. In fact, unless we do so quickly, we are going to find the identity problem quickly getting worse. While the popular press has been focused on Web 2.0 (the likes of Facebook, MySpace and YouTube), nascent implementations of Web 3.0 are rapidly leaving labs and migrating into initial deployments. We’re behind schedule on developing an Identity 3.0, and I’m not seeing a lot of work on this problem.


    Mar 08, 2007

    RSA Conference Podcasts

    At the RSA Conference we interviewed many of the speakers in the Industry Experts track to get a snapshot of their presentations.  For Identity and Access Management, we recommend the following podcasts.

     

    Rich Baich, a Principal in the Enterprise Risk Management Group for Deloitte & Touche, moderated an interactive session where attendees analyzed a strategic scenario about how to handle a massive theft of identity data, including dealing with law enforcement, corporate executives, legal and PR issues.

    listen/download now > (5:43)
     

    Mary Dixon, Director for the Defense Manpower Data Center, is responsible for the oversight of the largest and most comprehensive identity protection family of systems in the U.S. Department of Defense. Mary explains some of the challenges she faces day-to-day and how Federated Identity and Access Management is necessary for the future.   listen/download now > (9:17)

     

    Eve Maler is Technology Director at Sun Microsystems. She develops interoperability strategies and partner engagements related to identity, security, and web services.

    listen/download now > (5:00)


    As Executive Director of Liberty Alliance, Brett McDowell works with industry and government to facilitate the deployment of open, privacy-respecting network identity solutions.

    listen/download now > (5:06)


    Dr. Michael Mestrovich is President of the FiXs Federation and leads the initiatives to enable identity credential interoperability between the Department of Defense and commercial entities for both physical and logical access. Mike discusses the technologies that are being used to satisfy the government’s requirements for its identity and access management scenarios and why Federation is essential to being able to compete in the future.   listen/download now > (6:48)

     

    As Vice President of Identity Management and Security Products at Oracle, Hasan Rizvi heads the company's Identity Management and Security product development, product management and architecture. His area of responsibility includes Access and Identity Management, User Provisioning, Web services security, LDAP Directory and Audit and Compliance products.   listen/download now > (6:29)

     

    Mar 01, 2007

    Our List of Top Blogs for Identity and Access Management

    The following is a sampling of the blogs that primarily focus on identity and access management issues.  

    Identity and Privacy Strategies Blog  
    A blog from the security analysts at the Burton Group.

    IdentityStuff by Mark Macauley
    Identity Management Implementations, Identity Management Support, Sun (Waveset) Identity Manager, Novell Identity Management, IBM (Tivoli) Identity Management, Trusted Network Technologies, etc.

    Jackson's Identity Management & Active Directory Reality Tour Travelblog
    Jackson Shaw's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory, all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.

    Pushing String by Eve Maler
    Thoughts from the Technology Director at Sun Microsystems, responsible for interoperability strategies and partner engagements related to web services, security, and identity.

    The Security Catalyst
    Michael Santarcangelo (and friends) write on security and the protection of information assets. 

     

    Let us know of your favorite blogs.


    Comment: No IAM blogroll could be complete without a link to Links Business Group, LLC. linksbusinessgroup.com I get the best info there, definitely worth the visit. Good luck to you.

    Name: Rick

    © 2008 RSA Conference