Heads Up!

10 11 2008

Well, I haven’t posted anything here in quite a while, but I really do have a good excuse this time, not the usual “been busy with work, life, etc.” Watch for a follow-up post in the near future discussing some of the things I have been working on. In the meantime, there are a couple of items I wanted to post here to make everyone aware of.

  1. This Thursday, November 13, is the Chicago OWASP meeting. Scott Stender from iSec Partners will be presenting on Concurrency Attacks in Web Applications, and Thomas Ptacek from Matasano Security will be talking about The Seven Deadly Features of Web Applications. You can find all the details on the where, when, and who here. I plan on attending and hope to see everyone there.
  2. The 8th Annual Workshop on the Economics of Information Security recently put out its call for papers. Next year’s conference will be held at University College London. More details on the conference are here, and great resources on the topic of economics in information security can be found here.

Apologies for the link dumping. I will follow this up very soon with some more interesting news.





OpenID SSO Everywhere!

24 06 2008

UPDATE: In TechCrunch this morning there’s a post about Microsoft accepting OpenID for their HealthVault beta. They note that Microsoft is only using two OpenID providers, TrustBearer and Verisign, for authentication. The reason, of course, is security.

HealthVault is obviously a product that will store highly sensitive information and will likely be regulated in some way. This simply reaffirms my concerns in this post from February. As a relying party of OpenID, you do not have insight into what security measures the provider applies to authentication. Microsoft had to perform its own due diligence and then make a manual determination on which providers it would rely on.

Simon Willison says this is a good thing in his latest blog post here. While I somewhat agree, I think the adoption of OpenID would be greater if there were a more programmatic approach to this. As a relying party, I would not want to perform due diligence on every provider out there and then limit my users based on a point-in-time review. Read more below regarding my earlier thoughts this year on metadata. Could it be that my crystal ball is actually working? 🙂

Original Post (2/14/2008) Begins Here: Over the past few weeks OpenID has gained a lot of support and momentum from some very big sites. Last week the OpenID Foundation added Google, Microsoft, IBM, Verisign, and Yahoo! to its corporate board. A number of sites have come out supporting OpenID, mainly as identity providers. While it’s clear OpenID is getting a lot more support and use across the net, I would like to see more web applications ACCEPTING OpenID (acting as relying parties). Much like the plethora of social sites cropping up on the web, it seems everyone wants to be an identity provider and own the identity and profile data of the user.

So I’ve been meaning to dig deeper into OpenID for several months and write about my findings, but as usual my life had other priorities. After finally getting around to it, I must say I’m fairly impressed. Simon Willison has a great slidecast of his presentation last year at the Future Of Web Apps here. There were a number of ideas presented on various uses of OpenID that had not even crossed my mind. For those of you thinking OpenID = SSO (like the title of this entry), it’s so much more than that. I highly encourage you to watch the presentation.

That said, there are a few issues with OpenID, some of them discussed by Simon at the end of his presentation. One that was not discussed, and that still bothers me, is the lack of metadata about OpenID identity providers. One enhancement that I believe would really expand the use of OpenID across the web would be metadata associated with the identity provider. Right now, as a site that accepts OpenID, I have no ability to understand the authentication rules the user had to abide by with its identity provider. You may say that is up to the user to decide (and you would be right, mostly), but if I require a certain level of security for my web application, for whatever reason, I would like to understand what rules the identity provider made the user play by. Perhaps I am regulated on how my users authenticate to my application; this shouldn’t necessarily preclude me from accepting OpenID (it would today). If OpenID providers published metadata on their authentication rules, a site could then choose whether or not to accept the OpenID for authentication. Perhaps there could even be various security levels for OpenID providers (just thinking out loud). I could see an ecommerce site that stored additional sensitive information within a user profile requiring a certain level of authentication rules from OpenID providers. Financial, trading, and tax sites would require even tighter rules.

Right now the competition in the OpenID provider market should help. Users given a number of choices of provider can choose one that protects them against phishing, etc. (although, given a choice, a user may choose a provider with less complex authentication rules).
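
To make the idea concrete, here is an added example (not code from this post, and not part of any OpenID specification) of what a relying party could do if providers published such metadata. The JSON document format, the field names (assurance_level, auth_policies, max_auth_age), the assurance-level ordering and both provider documents are assumptions constructed for the illustration. The point it shows is that the decision becomes a policy evaluation that fails closed when a provider publishes nothing, rather than a manual, point-in-time review.

```python
"""Relying-party (RP) acceptance check driven by provider-published
authentication metadata.

Added illustration for this post; it is not code from the post, and the
metadata format ("assurance_level", "auth_policies", "max_auth_age") is an
assumption, not any OpenID specification.
"""
import json
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Ordered assurance levels; a higher index means stronger authentication.
LEVELS = ("password", "phishing-resistant", "multi-factor", "hardware-token")


@dataclass(frozen=True)
class RpPolicy:
    """What this RP requires before it accepts identities from a provider."""
    min_level: str
    required_policies: FrozenSet[str] = frozenset()
    max_auth_age: Optional[int] = None  # seconds; None means the RP does not care


@dataclass
class Decision:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def parse_provider_metadata(doc: str) -> dict:
    """Parse and validate the (hypothetical) JSON document a provider publishes."""
    meta = json.loads(doc)
    for key in ("provider", "assurance_level", "auth_policies"):
        if key not in meta:
            raise ValueError(f"metadata missing required field {key!r}")
    if meta["assurance_level"] not in LEVELS:
        raise ValueError(f"unknown assurance level {meta['assurance_level']!r}")
    return meta


def evaluate(meta: Optional[dict], policy: RpPolicy) -> Decision:
    """Decide whether this RP accepts assertions from the described provider.

    Fails closed: a provider that publishes nothing is rejected outright
    instead of being guessed at.
    """
    if meta is None:
        return Decision(False, ["provider publishes no authentication metadata"])
    decision = Decision(accepted=True)
    if LEVELS.index(meta["assurance_level"]) < LEVELS.index(policy.min_level):
        decision.accepted = False
        decision.reasons.append(
            f"assurance level {meta['assurance_level']} is below required {policy.min_level}")
    missing = policy.required_policies - set(meta["auth_policies"])
    if missing:
        decision.accepted = False
        decision.reasons.append("missing policies: " + ", ".join(sorted(missing)))
    if policy.max_auth_age is not None:
        age = meta.get("max_auth_age")
        if age is None or age > policy.max_auth_age:
            decision.accepted = False
            decision.reasons.append(
                f"provider does not guarantee re-authentication within {policy.max_auth_age}s")
    return decision


# Constructed sample metadata for two hypothetical providers.
SOCIAL_OP = json.dumps({
    "provider": "https://openid.social.example/",
    "assurance_level": "password",
    "auth_policies": ["password-lockout"],
    "max_auth_age": 30 * 86400,
})
BANK_GRADE_OP = json.dumps({
    "provider": "https://id.bank.example/",
    "assurance_level": "hardware-token",
    "auth_policies": ["password-lockout", "phishing-resistant", "multi-factor"],
    "max_auth_age": 900,
})

# Two hypothetical RPs with different needs: a blog and a trading site.
BLOG_POLICY = RpPolicy(min_level="password")
TRADING_POLICY = RpPolicy(min_level="multi-factor",
                          required_policies=frozenset({"phishing-resistant"}),
                          max_auth_age=3600)

if __name__ == "__main__":
    for name, doc in (("social", SOCIAL_OP), ("bank-grade", BANK_GRADE_OP)):
        for rp, pol in (("blog", BLOG_POLICY), ("trading", TRADING_POLICY)):
            d = evaluate(parse_provider_metadata(doc), pol)
            print(f"{rp:8s} <- {name:11s} {'ACCEPT' if d.accepted else 'REJECT'} {d.reasons}")
```

Run as a script it prints one accept/reject line per provider and relying party: the blog accepts both providers, the trading site accepts only the bank-grade one and lists all three reasons for rejecting the social provider. The levels are only meaningful if the RP can trust the document, so in practice the metadata would need to be fetched from the provider itself over HTTPS (or signed), otherwise a weak provider could simply claim a strong level.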

Overall, OpenID is a really good idea, but I think it requires a few enhancements to expand its use beyond the social and email sites that seem to make up the majority of its use today. What do you think? Are you using OpenID today? I’d love to hear your thoughts in the comments section of this blog (which also acts as one of my OpenIDs, by the way) or send me an email.






My New Browser!

15 05 2008

OK, well not quite, I’m going to need an OS X version before I fully switch… but this is REALLY good to see.

Some CS researchers (Chris Grier, Shuo Tang, and Samuel T. King) at the University of Illinois have designed a new browser from the ground up with security in mind. While the new versions of Firefox and IE are beginning to build more security on top of their existing software, they are fundamentally flawed. There is so much tied together with the existing browsers that the trust model is broken.

The number of threats that are at least partially due to how browsers are built is getting ridiculous. Whether it is trust issues with plug-ins like Flash and RealPlayer, or same-origin policy issues that lead to cross-site scripting, the vulnerabilities and exploits are piling up. The mere fact that malware can be downloaded, installed and started simply by opening a web page with a browser is a good indication that the situation is completely out of hand. According to the paper, there were 205 reported security vulnerabilities within the major browsers and an additional 301 security vulnerabilities within various browser plug-ins in the past year. The current browsers, for all intents and purposes, are broken.

The OP web browser partitions itself into isolated subsystems that communicate only through a small browser kernel, and that kernel enforces the security policies. This is very much how operating systems are designed, and it means that even if a plug-in is compromised, the rest of the browser is not. To quote the abstract:

“To show the utility of our browser architecture, we design and implement three novel security features. First, we develop novel and flexible security policies that allows us to include plugins within our security framework. Our policy removes the burden of security from plugin writers, and gives plugins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plugin. Second, we use formal methods to prove that the address bar displayed within our browser user interface always shows the correct address for the current web page. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. If an attacker is able to compromise our browser, we highlight the subset of total activity that is causally related to the attack, thus allowing users and system administrators to determine easily which web site led to the compromise and to assess the damage of a successful attack.”

The OP browser currently runs on Linux with KHTML as the layout engine. They plan to create a cross-platform Webkit version and release it to the open-source community. Perhaps Mozilla could help out with this project 😉 .
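
The architectural point, that policy lives in a small kernel which mediates every message and that a compromised plug-in therefore gains nothing beyond what its origin is allowed, is easy to see in a toy model. The following is an added example written for this post; it is not code from the OP browser or its paper, and the component kinds, message operations, policy rules and the two origins used are assumptions made for the illustration. The property to notice is that the kernel labels every message with the origin it recorded when the sender was spawned, so there is no field a compromised subsystem could forge to claim another origin, and every decision goes into an audit log that supports the kind of post-mortem the abstract describes.

```python
"""Toy browser kernel that mediates every message between isolated subsystems.

Added illustration of the architectural idea; not code from the OP browser or
its paper. The component kinds, operations and policy rules are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Origin:
    """scheme/host/port triple: the unit of isolation for pages and plug-ins."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme, 0)
    return Origin(parts.scheme, (parts.hostname or "").lower(), parts.port or default_port)


@dataclass
class Component:
    kind: str                 # "page", "plugin", "storage" or "network"
    origin: Optional[Origin]  # None for shared services (storage, network)


AuditEntry = Tuple[str, str, str, Optional[str], bool]


class BrowserKernel:
    """All subsystems talk only to the kernel. The kernel labels each message with
    the origin recorded when the sender was spawned, so a compromised page or
    plug-in cannot claim another origin: there is no field for it to forge."""

    def __init__(self) -> None:
        self.components: Dict[str, Component] = {}
        self.audit: List[AuditEntry] = []

    def spawn(self, cid: str, kind: str, url: Optional[str] = None) -> None:
        self.components[cid] = Component(kind, origin_of(url) if url else None)

    def send(self, src: str, dst: str, op: str, target: Optional[str] = None) -> bool:
        """Deliver a message if policy allows; every decision is logged."""
        allowed = self._policy(src, dst, op, target)
        self.audit.append((src, dst, op, target, allowed))
        return allowed

    def _policy(self, src: str, dst: str, op: str, target: Optional[str]) -> bool:
        s, d = self.components[src], self.components[dst]
        if s.kind not in ("page", "plugin"):
            return False                      # services never initiate requests
        if d.kind == "network":
            return op == "fetch"              # any origin may fetch; isolation is about what comes back
        if d.kind == "storage":               # cookies are keyed by the *sender's* origin
            return (op in ("read_cookie", "write_cookie")
                    and target is not None and origin_of(target) == s.origin)
        if d.kind == "page":                  # DOM access only between same-origin components
            return op in ("read_dom", "write_dom") and d.origin == s.origin
        return False                          # default deny

    def activity_of(self, cid: str) -> List[AuditEntry]:
        """Post-mortem view: every message the component sent or received."""
        return [entry for entry in self.audit if cid in entry[:2]]


def demo() -> Dict[str, object]:
    """A plug-in embedded by evil.example, assumed fully compromised, probes the kernel."""
    k = BrowserKernel()
    k.spawn("storage", "storage")
    k.spawn("network", "network")
    k.spawn("page:bank", "page", "https://bank.example/account")
    k.spawn("page:evil", "page", "http://evil.example/")
    k.spawn("plugin:evil", "plugin", "http://evil.example/")  # inherits the embedding page's origin
    return {
        "plugin_reads_own_cookie": k.send("plugin:evil", "storage", "read_cookie", "http://evil.example/"),
        "plugin_reads_bank_cookie": k.send("plugin:evil", "storage", "read_cookie", "https://bank.example/"),
        "plugin_reads_bank_dom": k.send("plugin:evil", "page:bank", "read_dom"),
        "plugin_fetches": k.send("plugin:evil", "network", "fetch", "https://bank.example/"),
        "evil_page_writes_bank_dom": k.send("page:evil", "page:bank", "write_dom"),
        "service_initiates": k.send("storage", "page:bank", "write_dom"),
        "plugin_trace": k.activity_of("plugin:evil"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

Running it shows the compromised plug-in can read its own origin’s cookies and fetch from the network, but is refused the bank’s cookies and the bank page’s DOM, and the audit trail for plugin:evil lists exactly the four messages it sent. In a real design the isolation of each subsystem would come from separate OS processes, which is what makes the kernel’s labels trustworthy; the model above only captures the policy logic.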

Go read the paper and let me know what you think.





Two Places You Need To Be

18 04 2008

Register for both now. Hope to see you soon.

  1. The Front Range OWASP Conference
  2. The Workshop on the Economics of Information Security – 2008






The Attackers Perspective

27 03 2008

Bruce Schneier has written a good commentary in Wired Magazine about the security mindset. I have talked about hiring information security people in the past, and how I believe the most important skill-set is not any specific technical attribute, but rather how the person thinks. A good security person thinks about the world differently. Just as many engineers grew up taking things apart to understand how they work, good security people often grow up thinking about how to make things perform in ways they were not intended to (or breaking them altogether). They easily see the flaws in everyday items and how to exploit them.

As Bruce writes, they are now attempting to teach this way of thinking at the University of Washington. I think this is a great idea. If this way of thinking becomes more common among graduates, the products they design and build once in the workforce will be much easier for us all to protect and rely on. It’s the difference between bolting on security as an afterthought and building it in as part of the product in the first place.





Security Now

20 03 2008

Special thanks to Ryan Huber for exposing this gem to me. The Security Now podcast with Steve Gibson and Leo Laporte is chock full of security technology goodness. Go check it out.





More on Security Economics

12 03 2008

The European Network and Information Security Agency (ENISA) has released a study, open for comment, on the economic barriers to information security, found here.

To quote ENISA, the principal objectives of the report are:

  • To identify existing economic barriers for addressing Network and Information Security (NIS) issues in a single, open and competitive Internal Market for e-communication;
  • To assess these barriers’ potential impact on the smooth functioning of the Internal Market for e-communication;
  • To identify and analyse incentives (regulatory, non-regulatory, technical, educational, etc.) for lifting these barriers identified to cause distortion of the smooth functioning of the Internal Market for e-communication;
  • To provide a range of recommendations to relevant actors (decision-makers both at EU and national level, industry, academia, etc.) for policy options, possible follow-up actions and initiatives.






WEIS Call for Papers – 2008

1 11 2007

The Workshop on the Economics of Information Security just opened its call for papers for 2008. This year it will be held at Dartmouth College in New Hampshire.

I have written about this workshop in the past (here, here and here). The amount of quality content that comes out of this is incredible. As most readers of this blog know, information security is much greater than a technical issue. This workshop addresses many of those problems including the economic incentives of security and privacy, the various trade-offs individuals and groups must make to achieve a level of security, addressing negative externalities, the psychology of security and more.

If you have an interest in the driving factors behind what makes many of our systems more or less secure, I would highly recommend this workshop. Last year’s workshop generated a tremendous amount of buzz about WabiSabiLabi, the online marketplace for selling and purchasing vulnerabilities.

I would recommend reading Economics of Information Security as a great primer / introduction to the topics related to the workshop. You can find a link to it on the bookshelf of this site. It contains several papers that came directly from it. This is a great way to dig yourself out of some of the day to day technical details and start thinking about some of the more broad decision factors around security and privacy. While many of the papers come from academia, the information is a great way for those leading security programs in the private sector to understand the decision criteria that ultimately will fund or not fund their initiatives.







The Security Evangelism Tour Continues

11 10 2007

Fresh from speaking at the Security Trends event in Milwaukee, I will be participating in a keynote panel at the Technology Executives Club Risk Management event in Chicago.

It was a pleasure meeting everyone in Milwaukee, and I wanted to thank my fellow speakers and the moderator for putting on a good event. As I said before, these events tend to bring together a wide array of backgrounds, and I am always impressed by the “wisdom of the crowd”.

The Risk Management event in Chicago will take place on November 15th. You can get more information on the event here and register here. If you find yourself in Chicago during this time, I’d love to meet you there, and I am looking forward to some lively discussion and comparing notes on the issues we’re facing.

UPDATE: The tour went through a bit of a shuffle this week. Due to some last-minute commitments I was not able to make it to the Risk Management event this week; however, I have agreed to serve on a panel at the IT Security Best Practices event on January 24th. Hope to see you there.







