Friday, December 19, 2008

Situational Awareness

One of the best defenses against phishing, scams, or pretty much any other type of social engineering attack is to be aware of your situation: what you should expect to happen and when it should happen. The various attacks that come along should all raise red flags at several steps in the process. In the real world, we get this from millions of years of survival training: those who didn't sense trouble usually died out before they could reproduce.

However, in the internet world, most of the visual and/or aural cues that raise your sense of awareness and caution are missing, so we need to learn a new set of such protection mechanisms.

To that end, I'm going to periodically talk through an attack and point out things that one might notice which should cause you to think twice about continuing (or at least do a much more detailed check of what's going on before you continue).

Today, I received an interesting email reportedly from "" (which, of course, we all know we can't trust, as anyone can claim to be anyone else with current mail technology):

Your Classmates Events: Reunion January 16th 2009 " With pride and joy we invite you to share a special day in our lives and join us for the Class Reunion on Friday, January 16th 2009. Bring the gang from Our High School back together again! Great party - from start to finish! " Proceed to view details: Your favorite people are already here, so use ClassmatesTM to bring them together. With best regards, Carmine Hilton. Customer Service Department. Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.

At first glance this seemed somewhat legit because I am a member of and so could reasonably expect to get emails from them. I'm also in a graduating class that would have an interesting anniversary in 2009 so it does make sense that we would be scheduling a reunion.

However, the email address to which the email was addressed is not the one that I have associated with account, so clearly it wasn't sending me the email. The address that was used is one that I've had for ages and typically gets close to 99.9% spam, so my internal "what's going on here" guard sprang up.

In addition, the email didn't look like the typical email. That is just stupid laziness on the part of the attacker, as it's pretty easy to fake someone else's email style, so while an email that looks right proves nothing, one that looks wrong is a big red flag.

Finally, the link in the email wasn't at the domain. To find the actual domain, look at the third slash (/) in the URL and work backwards: the first two slashes come right after the http: at the beginning of the URL, so the host is everything between them and the next /. Two things to watch for in that part: if it contains an @, the real host is whatever comes after the @ (everything before it is a user name that the browser does not use to pick the site), and it is the end of the host name that counts, not the start, so a host like real-site.com.something-else.net is not at real-site.com. In this case it was which should be another big red flag since it clearly was made to look like the real domain.
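
Here is the host-extraction rule above as an added example in Python; it is not part of the original post. It uses the standard library's URL splitter instead of counting slashes, so it also handles the user@host and :port cases. The legitimate domain is assumed to be classmates.com (the post does not name it), and the sample links are constructed for the example; they are not the address from the actual email.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added example, not from the original post. The legitimate domain is an
# assumption; the post elides both the real domain and the phishing one.
LEGIT_DOMAIN = "classmates.com"


def host_of(url: str) -> Optional[str]:
    """Return the host part of a URL the way a browser picks the site.

    urlsplit() handles what the "count to the third slash" rule gets wrong:
    user@ info in front of the host, a :port suffix, and bracketed IPv6
    literals. Non-web schemes (javascript:, data:, mailto:) yield no host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname or None  # lower-cased, userinfo and port removed


def belongs_to(host: Optional[str], domain: str) -> bool:
    """True only if host is domain itself or ends with '.' + domain.

    A plain substring test would accept classmates.com.example.net, so the
    match is anchored at the end of the host name on a label boundary.
    """
    if not host:
        return False
    return host == domain or host.endswith("." + domain)


def check_link(url: str, domain: str = LEGIT_DOMAIN) -> Tuple[bool, str]:
    """Return (looks_legit, host_as_seen_by_browser)."""
    host = host_of(url)
    return belongs_to(host, domain), host or "(no host)"


# Constructed sample links for the example, not the ones in the real email.
SAMPLES = [
    "http://www.classmates.com/reunion/2009",             # genuine subdomain
    "http://www.classmates.com.events-invite.example/x",  # real domain used as a prefix
    "http://www.classmates.com@203.0.113.7/view",         # userinfo trick: host is the IP
    "http://classmates-com.example/view",                 # hyphen lookalike
    "http://www.classmates.com:80/details",               # explicit port is fine
    "javascript:alert(1)",                                # not a web link at all
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, host = check_link(u)
        print(f"{'OK  ' if ok else 'FLAG'} host={host:<40} {u}")
```

Run it and every line except the first and the explicit-port one is flagged; the userinfo case is the one worth remembering, because the bare-eye "third slash" rule reads www.classmates.com there while the browser connects to 203.0.113.7.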

If you did, somehow, follow the link, it brought up the following page:

This, too, doesn't look like the site -- another red flag and has no real information about what's going on. One would expect to at least have some text at this point with the name of the high school and other such information.

Instead, all you have is something that looks like a video player application but is actually just an image. If you click anywhere on the image (the play button or, if you're thinking of a YouTube video, the center of the video) or on the Adobe Get media player button, the site tries to download and run a native application (an EXE). That should send big "DANGER WILL ROBINSON" shivers up your spine. Any website that tries to push an EXE directly to your machine has to be treated as the enemy until proven a friend (no innocent until proven guilty here; good sites rarely download EXEs like that without at least some interaction with the user first).

In this case the executable was Adobe_Player10.exe, which I'm sure is a Trojan horse that would do very nasty things to your computer at some point, and it wasn't coming from Adobe's own web site but rather from the site itself (another red flag, which I hope you never saw because you stopped before this stage). If you did get here and think everything's legit, stop, go to Adobe's web site and check version numbers, or at least download the application directly from Adobe. Never download or install software that you reached through an untrusted link or from an untrusted site.

UPDATE: I've gotten 7 more of these same invites. All to different email addresses that route to me. That's another really good sign that things aren't well in Kansas and you should stay away from the email.

Moral of the story: It's a jungle out there and you've gotta watch out for yourself as there's nobody else doing it for you.


Wednesday, December 03, 2008

Facebook vs DNS

Some time back, about a couple of weeks ago, my Facebook page loads all of a sudden started getting very slow (20 seconds or so before the data started loading, though once it did start loading it was fast). It was only happening at Facebook (Google, WheresGeorge, Blogger, and pretty much every other site were working fine), so I thought the problem had to be at Facebook rather than on my side.

However, after it kept up for a week, I started to get irritated enough to dig into it. First I turned off my web proxy and went directly to the sites from my browser. Things worked fine then, so clearly it was an issue in my proxy. I run a Fedora Linux server at home that serves as my web proxy using the Apache HTTP daemon.

This past weekend, I started digging into the problem and spent several hours debugging, testing, searching the web and while I still don't have a clear reason as to the why, I do understand the what and have put together a somewhat nasty hack around the problem. Hopefully I will dig around and find or figure out what the problem is so that I can put in a good fix.

My first look at the server didn't show anything amiss. The httpd logs showed the accesses to Facebook with no errors. That led me to consider DNS as this felt like what you get when your DNS is timing out.

My /etc/resolv.conf file was clean and correct. Using the nslookup or dig tools, I was able to look up the names without problems and quite quickly on both my own name server as well as the name servers provided by my ISP. The system logs didn't show any problems in named or anything that looked like the firewall could be getting in the way.

However, using any other tool (telnet, wget, httpd), the name lookups would go through several failures before succeeding, causing a substantial delay in accessing the site. This only happened with Facebook-related sites ( and to mention two of them). The same tools, accessing any other site that I tried, had no problems and no delays.

Using strace, I could see that the first pass at the name service lookups was failing, each attempt timing out after so many seconds before the next was tried. Eventually, the tools go back and try again, and the second time the response comes back almost immediately and the tool continues. For example, "wget" returned the following:

01     0.000106 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
02     0.000068 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 28) = 0
03     0.000076 fcntl64(3, F_GETFL)       = 0x2 (flags O_RDWR)
04     0.000054 fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
05     0.000042 gettimeofday({1227974358, 62163}, NULL) = 0
06     0.000048 poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
07     0.000059 send(3, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
08     0.000861 poll([{fd=3, events=POLLIN}], 1, 5000) = 0
09     4.998266 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
10     0.000065 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 28) = 0
11     0.000071 fcntl64(4, F_GETFL)       = 0x2 (flags O_RDWR)
12     0.000046 fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
13     0.000041 gettimeofday({1227974363, 61621}, NULL) = 0
14     0.000046 poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
15     0.000053 send(4, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
16     0.000098 poll([{fd=4, events=POLLIN}], 1, 3000) = 0
17     2.998500 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
18     0.000070 connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, 28) = 0
19     0.000073 fcntl64(5, F_GETFL)       = 0x2 (flags O_RDWR)
20     0.000045 fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
21     0.000043 gettimeofday({1227974366, 60548}, NULL) = 0
22     0.000045 poll([{fd=5, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
23     0.000052 send(5, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
24     0.000118 poll([{fd=5, events=POLLIN}], 1, 6000) = 0
25     5.997342 gettimeofday({1227974372, 58108}, NULL) = 0
26     0.000050 poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
27     0.000054 send(3, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
28     0.000416 poll([{fd=3, events=POLLIN}], 1, 5000) = 0
29     4.997778 gettimeofday({1227974377, 56418}, NULL) = 0
30     0.000063 poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
31     0.000055 send(4, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
32     0.000106 poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 3000) = 1
33     0.001235 ioctl(4, FIONREAD, [34])  = 0
34     0.000065 recvfrom(4, "\0079\201\202\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("")}, [16]) = 34

As you can see, the delays come from waiting for a response from the name server, and it's not until the second try on the second name server (lines 31-34) that we get a response. You might think that this has something to do with my name server on, but that wasn't originally in my /etc/resolv.conf file until I started the debugging, and the problem still occurs when I remove it.

A similar trace of the dig command shows that the first name server (whether it be or my ISP's) resolves the name almost immediately (though dig uses a different communications method (sendmsg vs send) and different networking libraries).

Traces for wget with other host names return successfully on the first lookup.
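
What the bytes in the trace say can be read off directly. The following added example, not part of the original post, decodes the query sent on line 07 and the reply received on line 34 with a minimal DNS header and question-section parser. strace cut each string at 32 bytes, so the two trailing bytes (QCLASS) are assumed to be IN (1); everything else is copied from the trace. The query type field is 0x001c, which is 28, an AAAA (IPv6 address) lookup, and the reply that finally arrives has flags 0x8182: QR, RD and RA set, zero answers, and RCODE 2, SERVFAIL.

```python
import struct

# Added example, not from the original post: a minimal DNS message parser
# applied to the bytes visible in the strace output above. Only the header
# and the first question are decoded; compression pointers are not needed there.

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_name(msg: bytes, off: int):
    """Decode an uncompressed label sequence at off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_dns(msg: bytes) -> dict:
    """Return the header fields and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    name, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rd": bool(flags & 0x0100),           # recursion desired
        "ra": bool(flags & 0x0080),           # recursion available
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, "?"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": name,
        "qtype": qtype,
        "qtype_name": QTYPES.get(qtype, "?"),
        "qclass": qclass,
    }


# Query from trace line 07: "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"...
# strace's \0079 is the two bytes 0x07 0x39 (ID 0x0739). The final \x00\x01 is
# the assumed QCLASS=IN that strace truncated.
QUERY = (b"\x07" b"9"            # ID 0x0739
         b"\x01\x00"             # flags: RD
         b"\x00\x01"             # QDCOUNT 1
         b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT
         b"\x03www\x08facebook\x03com\x00"
         b"\x00\x1c"             # QTYPE 28 = AAAA
         b"\x00\x01")            # QCLASS IN (assumed)

# Reply from trace line 34: "\0079\201\202\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"...
REPLY = (b"\x07" b"9"
         b"\x81\x82"             # flags: QR, RD, RA, RCODE 2
         b"\x00\x01"
         b"\x00\x00\x00\x00\x00\x00"
         b"\x03www\x08facebook\x03com\x00"
         b"\x00\x1c"
         b"\x00\x01")            # assumed, as above


if __name__ == "__main__":
    for label, raw in (("query", QUERY), ("reply", REPLY)):
        d = parse_dns(raw)
        print(f"{label}: id=0x{d['id']:04x} {d['qname']} {d['qtype_name']} "
              f"response={d['is_response']} rcode={d['rcode_name']} "
              f"answers={d['ancount']}")
```

So the retries in the trace are all spent on the AAAA question, and the "success" on line 34 is a SERVFAIL for that question rather than an answer; the A lookup that wget then makes is past the end of the excerpt. That also fits the difference from dig: dig sends an A query unless told otherwise, while the glibc resolver path used by wget asks for AAAA as well. The quick check is to ask each configured server the same question directly, for example `dig AAAA www.facebook.com @<nameserver>`, and compare the response (or lack of one) with `dig A`.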

I haven't (yet) figured out what exactly is causing this. But I have figured out two workarounds (neither of which are all that nice):

  • Set one of Facebook's name servers as the first name server in my resolv.conf file (so my applications use that name server to resolve all host names).

    This does work (name resolutions worked first try and in very reasonable times). However, name servers are core trusted parties in your network access and I really don't like setting things up so that I totally trust Facebook's server for all of my outgoing name service look ups. Call me paranoid, but this one just isn't right for me.

  • Add and host entries to my /etc/hosts file (which is checked before name service lookups).

    This definitely works, though it does remove the usefulness of DNS from my access to Facebook (like if they change their IP address I won't know). However, it is the lesser evil of the two solutions I have found so far and so this is what I've done for now.

I'll post an update if I figure out exactly what's wrong (which I'm very unhappy about not being able to figure out so far -- I like being able to understand things and spent several hours after I had workarounds trying to figure it out to no avail).


Paul can't be wrong all the time

I have to say that, for once, I totally agree with Paul. In responding to a post by Ben Laurie, Paul disagrees with Ben's opinions of passwords and phishing.

Ben had said (and I'm showing a bit more here than Paul did in his response):

Well, no. If your password is unphishable, then it is obviously the case that it can be the same everywhere. Or it wouldn’t be unphishable. The only reason you need a password for each site is because we’re too lame to fix the real problem. Passwords scale just fine. If it wasn’t for those pesky users (that we trained to do the wrong thing), that is.

First off the phishability and reusability of passwords are distinct and separate issues. They have pretty much nothing to do with each other.

The primary reason one should not use the same password everywhere is that once that password is discovered at one location, it can be reused at other locations. So if, for example, you use the same password at Amazon, eBay, PayPal and Facebook, all an attacker needs to do is find out your password on Facebook, and then they will be able to sell things in your name on eBay, buy things in your name using PayPal and ship lots of things in your name at Amazon.

As Paul mentioned, there are many ways to find your password: an administrator at Facebook could look it up in the password database, or you could have a weak password that the attacker could brute force (and if you're using the same password everywhere, they could spread the guesses across multiple sites, making the anti-brute-force rate limiting at any given site pretty moot). Just to name a few.

All of that said, Ben did have several good points in his post. Yes, we, as an industry, have done a terrible job in the usability of passwords. The typical user has been prompted for passwords so often and in so many places that they have no feel for when it should or shouldn't happen (one of the best personal defenses against phishing).

Personally, I think the utopia for online identity comes in with strong authentication to a small number of identity providers which assert my identity through SSO and Federation out to a large number of relying parties. Ben's point about the attacks around issuance/re-issuance of such strong credentials is very valid -- they can't be based on much weaker socially engineerable factors. The credentials will end up having to be issued with strong levels of assurance.

I also look forward to being able to login once at the start of my day and maintain that state in a reasonably secure fashion for the entire day without having to re-authenticate every few minutes or deal with "your session has been terminated for your security" when I've been sitting at the computer the entire time.


Tuesday, November 18, 2008

Is Sir Bonar one of Paul's aliases?

I just have to say that the article on ContactPoint written by Sir Bonar and quoted by Kim just feels like it was written by our one and only Paul.

Either Paul is writing under an alias, someone is working hard to emulate his ironic style, or somebody is writing seriously and just doesn't have an f***ing clue.

Interesting, very interesting....


Thursday, November 13, 2008

Delayed Upgrades

One of the benefits one gets for being an elite member of United's Mileage Plus program is the ability to upgrade into the next class of service on select fares (most domestic fares qualify and some international fares qualify). Theoretically, there's also a benefit to being at a higher level in the program as your upgrades should clear sooner:

Status               Upgrade clears at
General Member       24 hours before flight
Premier Associate    36 hours before flight
Premier              48 hours before flight
Premier Executive    72 hours before flight
Premier 1K           100 hours before flight
Global Services      120 hours before flight

This used to work pretty much dependably until there were very limited seats left (the last one or two seats usually were left until boarding time).

However, this fall I've noticed that United has not been clearing upgrades, even when there are a multitude of seats available. For example, I'm on a flight tomorrow (in less than 24 hours) that has 8 of 12 seats still available for purchase but my (and presumably several other's) upgrade still hasn't cleared.

This has been pretty consistent on the last 8 or 10 flights I've been on, both domestic and international. It seems that the folks in "inventory control" (the part of United that makes seats available for upgrade) have decided not to release any seats for upgrade until 10-12 hours before the flight.

This kind of makes the cool table of when things clear pretty useless and, to some extent, a bit of misleading marketing if not an outright lie.

Here's to hoping it's just a temporary glitch in their systems and things will get back to normal soon.


Friday, November 07, 2008

Paying for upgrades

United Airlines has announced a host of changes for their Mileage Plus program for 2009. Many of the changes involved increased mileage for award travel (other than domestic economy travel).

However, the worst change, IMHO, is that like American Airlines, United is now going to charge $$ (in addition to mileage) for mileage based upgrades from anything other than full fare economy tickets.

To me, a long term, very loyal 1K, million mile flyer, this really sucks. This was the one real benefit (upgrades without $$) that would drive business travelers to want to fly on the same airline. Now our business trips are going to cost as much as $1,000 if we want to upgrade both directions on an international flight.

United, I suggest you reconsider this change or, a bit selfishly, make an exception for your most loyal customers (1Ks/GSs) like you do for most other fees. Otherwise, I suggest that those of you who are flying in 2009 or early 2010 make your upgrade requests prior to July 1, 2009 (the effective date for the upgrade charges).

I also suggest that if this change bothers you, you take the time to let United know. Recently, negative feedback about moving to pay-for meals on international flights caused United to change its mind and keep the current meal program on such flights. Perhaps we can do the same with upgrade charges.


Thursday, October 02, 2008

Data Privacy Day

Please join the US, Canada (yeah, it's not just a blue state), and 27 European countries in celebrating the second annual Data Privacy Day on January 28, 2009.

Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country.

One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.

You can get more information, presentations, event information, etc from the Data Privacy Day web site.

Join the Facebook Data Privacy Day 2009 Group to hang with other participants and follow along with the developments.


Wednesday, October 01, 2008

Changing Planes

It happens to me a lot more than I would like. I'm booked on an Airbus A320 only to have United change it to an Airbus A319, turning my exit row seat in row 11 into a standard economy seat (not even an Economy Plus seat). That's why I'm not too keen on booking exit row seats nowadays, even though booking exit row seats is one of the primo perks of being a United Mileage Plus Premier Executive.

However, it seems to be a much worse change when you've got a seat booked in United's new Premium International Class only to have United change the plane at the last moment and replace it with a standard configuration plane. This happened to me 3 out of 4 flights this summer between Dulles and Frankfurt.

I mean, would you rather have this (the old configuration):

Or this (the new configuration):

It felt like a big bait-and-switch to me. Show me the cool fancy new seats that are a world of difference better than the standard seats (the premium seats lie flat, have 15" screens with hundreds of video-on-demand shows and movies, have cushy cushions, etc., etc.) and then stick me in a standard configuration without telling me till I get on the plane. No notice beforehand. No chance to change to a different flight. No compensation whatsoever. Not even an "I'm sorry."

I could understand this if it happened once in a while, but 3 out of 4 flights doesn't sound like once in a while. I could also understand it more if there weren't such a big financial benefit to United in using the standard configuration plane (they get to sell a whole lot more business and first class seats in the old configuration than in the new configuration). How do I know that United isn't simply saying "well, we've oversold business by 20%, so let's use the standard configuration plane so that we can scoop all that revenue"? There's also the fact that United started publicly announcing that they were using the new configuration planes on Asian international routes around that time, so perhaps they moved the planes from the europ

Perhaps I should take the advice I received from my friend George (who was on the last such change with me): Just go with the flow and be happy with what life brings you. That would certainly be better for my blood pressure, but I just don't think that's me. I think United should offer some form of compensation to those who chose to fly on the plane because of the premium seating that United is heavily advertising.

I guess the only thing to learn from this experience is to not depend upon the new configuration planes until United has completed its roll out of the upgrades. Originally the conversion was to be complete in 2009, but now they are predicting 2010. So far, as of Sept 2008, they have only converted 13% of their international planes (7 of 21 767s, 5 of 24 of 747s and 0 of 46 777s).


Tuesday, September 30, 2008

Smart Card hackery

This is an old video (from May of '08) and probably accomplished using an older technology smart card (theoretically easier to break), but it's still quite interesting to watch how one can peel back the layers of a smart card in order to snoop the communications going on within the components.

The related story on gives a lot of interesting details on the ongoing cold war between satellite TV operators and hackers attempting to get free TV.


Thursday, September 25, 2008

Cardspace, Liberty, & Intel's ICP

A couple of weeks back at DIDW 2008, I reported on a proof-of-concept that we put together at Intel where we combined Cardspace with our Identity Capable Platform (ICP) to show how ICP could extend/strengthen a cardspace deployment. While we used Cardspace in this demonstration, the code should work with any Identity Selector conforming to the Identity Selector Interoperability Profile.

For those of you who don't know, ICP is a research project we have been working on at Intel exploring how identity capabilities could be added to a platform to enhance online transactions. Our contributions to the Liberty Alliance's Advanced Client Technologies are part of that work.

In this proof-of-concept, we showed how a mythical bank (ACME Bank, of course) could provision an identity agent to the platform, which was then subsequently used as the identity source for Cardspace when the user initiated a session at the bank. To Cardspace, the identity agent was a full-fledged STS with a managed card that had been provisioned into Cardspace (so, essentially, this was an off-the-shelf Cardspace deployment).

The provisioning process made extensive use of the Liberty Advanced Client Technologies protocols to securely provision the identity agent to the platform.

One might ask what exactly an identity agent is. I use the term very loosely for any identity-related agent software. In this particular case, the identity agent exposes WS-Trust and ID-WSF Provisioned Module interfaces and contains a SAML token generator and an ID-WSF IdP Service client (so that it can get assertions minted).

If you want to take a look at the presentation it's here. However, I have to warn you I write my presentations as something that needs speaking to and not as standalone documents.

Even better, there's going to be an encore presentation as a Liberty webcast on November 18th. I'll post the details once I get them.

UPDATE: Britta found it for me: Info/Registration for Webcast . Where would we be without Britta!


Monday, September 22, 2008

Absentee Ballots

At last week's Liberty TEG F2F in Boston, Hubert (the guy living in French alps who just recently became a US Citizen) pointed out to the rest of us that the fall Liberty Alliance Sponsor's meeting in Tokyo is taking place the week of our presidential elections here in the US.

So, those many of you who will be attending the meeting in person should head on down to your local registrar (or however you would do it within your state/county) and register for an absentee ballot.

In Virginia, they only allow absentee voting for a limited set of reasons, none of which include "I'm more comfortable voting from home" or "I don't want to have to deal with the long lines at the local precinct." I think that they should allow anybody to use an absentee ballot, regardless of reason (even if they just feel like it). I mean, that's the point, isn't it: Get the person's vote counted.

I also don't like the fact that some/many/all places that use absentee ballots only count them when they can make a material difference in the outcome (e.g. if the election's difference in votes is less than the total number of absentee ballots). I think that sucks. I would rather they just always count them (and perhaps start with those numbers first). It just makes sense to always count a vote. Imagine if they chose not to count a state's votes because the state's population couldn't make a difference in the outcome of a race.

In any case, if you're going to the meeting, be sure to get your ballot. This is sure to be an interesting election (though I wouldn't mind an Obama landslide -- even if that meant that they didn't count my absentee ballot).


Wednesday, September 17, 2008

What ID-TBD means to me....

For those that don't know what ID-TBD is, it's an effort underway trying to tie the umpteen different identity efforts together into an uber identity organization. TBD as in To Be Determined (as in, we don't want to argue over the name till we get agreement on the organization and organizational structure).

My main goal here is to get out of the Liberty Alliance and away from its exotic meeting locations like Singapore, Paris, Stockholm, Tokyo, Madrid, Sydney, Rome, etc. I have become an active member of the Liberty 50 (those of us who have put on an extra 50 pounds or more since starting to participate in the organization). I'm probably at the head of the line and perhaps hit my peak at around 60 lbs (30 or so kilos for the rest of you outside the US).

Yes, I blame Liberty for this (not my lack of good eating habits, my desire to have hamburgers and fries for every meal, even breakfast, my lack of exercise, etc., etc.). It's clearly Liberty's fault. You can see it in the pictures below:

That's me in 2001, shortly before I joined Liberty. And now, after 7 years participating in Liberty:

So by exiting Liberty and joining ID-TBD, I hope/expect to be able to lose my Liberty 50 and go back to my 2001 self. Even with just the announcement of the potential organization, I've made some progress in that direction:

This is why I am sooo supportive of the new organization. It has nothing to do with messaging convergence, coordination, consolidation or any other such mom and apple pie reason for me. I just want to get out of the Liberty 50 group!


Tuesday, September 16, 2008

Let me count the ways

Washington Dulles airport now has 4 separate security checkpoints for non-employees. These include:

  1. Regular security checkpoint. This is the old tried and true security queue on the check-in level of the airport. It is intended for the average traveler and frequently, especially around 4PM, has long, slow-moving lines.
  2. Premium security checkpoint. This checkpoint is co-located with the regular security checkpoint but it has its own dedicated queue. This queue is restricted to premium travelers (those in first/business class or those traveling on a flight where they have premium status -- such as United's Mileage Plus Premier members). This queue is typically much shorter and sometimes moves faster than the regular security queue. Dulles added premium security lines a couple of years ago.
  3. Registered Traveler (Clear) security checkpoint. This checkpoint is restricted to people who have paid the annual $120 fee and subjected themselves to a background check. The registered traveler checkpoint at Dulles is managed by Clear. This checkpoint is down on the arrivals level near baggage claim 8 and is shared with the Employee checkpoint. Very short lines, quick processing (other than the time the x-ray scanner got a bag stuck in it with mine in there as well).
  4. Dulles Diamond security checkpoint. This is a new checkpoint that just recently opened on the arrivals level near baggage claim 7. The signs for this checkpoint say it is only for expert travelers (2 trips/month) traveling alone, with only one carry on item and all their liquids already in bags. Theoretically these frequent travelers know what they are doing and the line can move along at a good clip. I tried this checkpoint on my trip up to Boston yesterday. There was no verification that I was a frequent traveler (though if they've read my blog, they will know). I think any single traveler could walk in there. I also verified that you can go through with a carry-on bag and computer bag (the sign says only 1 carry on item so I thought they might be restricting those of us who also bring along computer bags). So it would seem that anyone traveling alone could use this queue (and it was totally empty when I came through mid-day). Perhaps they will have tighter checks when the queue backs up once people notice it is here.


Monday, September 15, 2008

Slamming SAML..... NOT!

Jeff responds to my note earlier suggesting that using pseudonymous identifiers adds security depth:

This is a very dangerous suggestion as it implies that SAML is not secure enough without pseudonymous identifiers, the use of which makes SAML deployment a lot more complicated. Pseudonymous IDs are for privacy not security. If your system requires them to be secure, you have done something wrong. Period.

I was in no way suggesting that SAML was not secure enough. However, I am of the opinion that any SSO system (including SAML) is weaker, from a security and a privacy point of view, without pseudonyms than the same system would be if it was using pseudonyms. That doesn't say or imply that it isn't secure without them, just that it would be better with them.

And I stand by my statement that had Google used good pseudonyms across relying parties, the impact of their lack of the audience restriction would have been minimal. That isn't saying that I think a system should rely on pseudonyms as its primary security model, just that they would have severely reduced the impact of the error.


Pseudonymity would help

Kim Cameron writes of Google's failing to scope SAML assertions:

But according to the research done by the paper’s authors, the Google engineers “simplified” the protocol, perhaps hoping to make it “more efficient”? So they dropped the whole ID and scope “thing” out of the assertion. All that was signed was the client’s identity.

The result was that the relying party had no idea if the assertion was minted for it or for some other relying party. It was one-for-all and all-for-one at Google.

While I agree totally that the intended recipient should have been identified within an <AudienceRestriction> in the SAML assertion (how SAML shows the intended scope of the assertion) the problem would have been moot if Google used good pseudonymous identifiers for its users.

Pseudonymous identifiers are random identifiers that change for each relying party (so my identity at relying party A might be 123 while my identity at relying party B might be 345). Good pseudonymous identifiers are large random values (so that they are unpredictable) and are not reused across multiple users (so the same identifier is never used at different relying parties for the same or different users).

The primary impetus behind pseudonymous identifiers is to prevent the use of the identifier as a correlation factor across multiple relying parties -- in contrast, a globally unique identifier would allow relying party A to ask relying party B about what user 123 did yesterday, whether or not the user was around. However, pseudonymous identifiers also provide the following benefits:

  • added security depth - an unknown user identifier adds another layer of security on the SSO system (which, in this case, would have protected the user accounts from attack since even if the assertion went to a different relying party, there would be no user account with that specific identifier, so it wouldn't be useful).
  • easier integration of new partners - when integrating new partners, the identity systems of the partners may have different data structures for user identity (in the simplest case, a new relying party may store user identifiers as 32-bit integer values, while the IdP typically uses 128-bit random values). A system that supports good pseudonymous identifiers, and assumes that identifiers are different on each system, will easily be able to handle this.

One might be concerned about how relying party A could invoke a service of relying party B when they are all using different identifiers (such as a Google relying party using Google Checkout). This is pretty simple. Typically, any such service invocation requires relying party A to get a security token for the user at relying party B. When that token is obtained, the issuer does the identity translation. SAML provides for the protection of the identifier in the assertion using encryption, since relying party A should never know what the user's identifier is at relying party B and the assertion is given to relying party A.

Liberty ID-WSF provides several entities that provide this translation service, depending upon the topology of the deployment. The most common such service is the ID-WSF Discovery Service.

Similarly, in WS-*, the WS-Federation Pseudonym service is called out to perform the same translation service (and it is possible for a deployment of a WS-Trust STS to perform this translation internally during token generation).

I strongly recommend that any deployment of SSO, even within a single enterprise, make use of pseudonymous identifiers. They only strengthen the identity infrastructure.
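As an added example (not code from this post, nor from SAML, Liberty or Google), here is a small model of the two defenses discussed above: an identity provider that puts the intended recipient into the assertion and derives a separate pseudonym for each relying party, and a relying party that checks both. The signing scheme (an HMAC over a JSON payload) and the HMAC-based pseudonym derivation are simplifications chosen for this demo, not SAML's XML Signature; the names `mail`, `calendar` and `alice` are made up.

```python
"""Added example: audience restriction plus pairwise pseudonyms in an SSO
assertion. Not SAML itself; a simplified model with the same two checks."""
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Issues signed assertions. pairwise=False models a global identifier
    (the same value for the user at every relying party)."""

    def __init__(self, pairwise: bool = True):
        self.pairwise = pairwise
        # Stand-in for the IdP's signature key: SAML uses XML Signature with
        # a key pair; here an HMAC key is shared with the relying parties.
        self.signing_key = secrets.token_bytes(32)
        # Secret from which per-(user, relying party) pseudonyms are derived.
        # The HMAC output is large and unpredictable, and a different RP name
        # gives an unrelated value. A random value stored per pair would do too.
        self._pseudonym_key = secrets.token_bytes(32)

    def identifier(self, user: str, audience: str) -> str:
        if not self.pairwise:
            return user
        msg = f"{user}\x00{audience}".encode()
        return hmac.new(self._pseudonym_key, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, audience: str, scoped: bool = True) -> dict:
        """scoped=False reproduces the simplification the post describes:
        the audience is left out, so only the subject identifier is signed."""
        payload = {"subject": self.identifier(user, audience)}
        if scoped:
            payload["audience"] = audience  # plays the role of AudienceRestriction
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class RelyingParty:
    def __init__(self, name: str, idp: IdentityProvider):
        self.name = name
        self.idp = idp
        self.accounts = {}  # identifier as this RP sees it -> local account

    def provision(self, user: str, local_account: str) -> None:
        self.accounts[self.idp.identifier(user, self.name)] = local_account

    def consume(self, assertion: dict) -> str:
        body = json.dumps(assertion["payload"], sort_keys=True).encode()
        expected = hmac.new(self.idp.signing_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "rejected: bad signature"
        audience = assertion["payload"].get("audience")
        # A strict RP would also reject an assertion with no audience at all;
        # this one is lenient so the unscoped case can be demonstrated.
        if audience is not None and audience != self.name:
            return "rejected: audience mismatch"
        account = self.accounts.get(assertion["payload"]["subject"])
        if account is None:
            return "rejected: no account for this identifier"
        return f"logged in as {account}"


def replay_to_other_rp(pairwise: bool, scoped: bool) -> str:
    """An assertion minted for 'mail' is presented to 'calendar'."""
    idp = IdentityProvider(pairwise=pairwise)
    mail = RelyingParty("mail", idp)
    calendar = RelyingParty("calendar", idp)
    for rp in (mail, calendar):
        rp.provision("alice", f"alice@{rp.name}")  # constructed accounts
    assertion = idp.issue("alice", audience="mail", scoped=scoped)
    return calendar.consume(assertion)


def legitimate_login(pairwise: bool) -> str:
    """The normal case: assertion minted for 'mail', presented to 'mail'."""
    idp = IdentityProvider(pairwise=pairwise)
    mail = RelyingParty("mail", idp)
    mail.provision("alice", "alice@mail")
    return mail.consume(idp.issue("alice", audience="mail"))


if __name__ == "__main__":
    print("scoped, global ids   :", replay_to_other_rp(pairwise=False, scoped=True))
    print("unscoped, global ids :", replay_to_other_rp(pairwise=False, scoped=False))
    print("unscoped, pseudonyms :", replay_to_other_rp(pairwise=True, scoped=False))
```

Running it shows the three cases contrasted above: with the audience present, the assertion minted for `mail` is rejected at `calendar`; without it and with a global identifier, `calendar` logs the user in; without it but with pairwise pseudonyms, `calendar` has no account matching the identifier and rejects it.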

Friday, September 12, 2008

Paul, Paul, Paul....

Paul writes about an upcoming Liberty Alliance futsal match in Tokyo and includes:

Conor "One-Sock" Cahill, when asked whether he would be participating, responded 'Only if I can get an upgrade to First. Currently, I'm booked in business on a Triple 7 in from SFO, but I'm trying to switch that because I'm in seat 4A and I hate that seat because the power plug is about 2 inches too high and I have to unbuckle my seatbelt to reach it. I generally like 3F but the window shade was broken last time and the sun woke me up, even though I had taken my Ambien.'

Paul, everyone knows that there's no 4A on a United Airlines Boeing 777. First class stops at row 3 and business class starts at row 8. 3F isn't a window seat (3A and 3J are, though 3A is frequently reserved as a pilot rest seat, but not on the long haul triple 7 that United uses for IAD->NRT flights).

My preferred seat is, of course, 3A since they would have to pick the best, quietest seat for pilot rest, followed by its opposite window seat 3J.

And finally Paul, you *know* that I don't sleep on the way to Tokyo. My rule for flying west is to stay awake till arrival at the hotel. In fact, I remember you telling me that you had tried doing the same and it worked for you as well.

Please try to get your facts somewhat correct when generating a fake Conor "Mr. Travel" Cahill quote. And stop ragging on me about the sock. I was in the middle of putting my shoes on when they called us together to take the picture.

Thursday, September 11, 2008

Lipstick & Pigs

Just to be clear about lipstick and pigs, I want to point out that during my DIDW presentation -- before anybody questioned it -- I pointed out that our proof-of-concept demo showed a strong authentication credential being issued based solely on a username and password. I also explained that in a real-world situation, the bank would have only issued the credential under some higher level of authentication and went on to describe several options the bank would use.

Paul "claims" he had picked up on that issue before I mentioned it. With him sitting next to the very distracting Pamela during the session, I'm not sure we should believe him.

Close Friends

I've recently become active on Facebook, reaching out to a number of people with whom I have worked/played/lived or otherwise come across over the past few years. I know it shocks Paul that I actually seem to have some people who have confirmed that I am their friend (including Paul himself).

Facebook allows me to define access to portions of my profile depending upon a user's status:

  • Friend - someone with whom I have a direct relationship (they're in my list of friends)
  • Friend of friend - someone who has a relationship with someone that I have a relationship with
  • Network - A group of people that is organized based upon geographic locations, work, etc. I belong to both the Intel and Washington DC networks.
  • Public - everyone else

This seems to be a simplistic picture of the world of relationships. I can see how I would like to be able to classify some people as acquaintances, some as friends, and some as close friends (giving them different access to my profile information). Just like I bring friends and close friends to my house, but not usually acquaintances.

This came up when, out of the blue, I received a friend request from someone who I didn't know at all, but they were interested in one of the groups I'm interested in (solar energy) and it probably didn't hurt that they happen to be a fairly nice looking example of a female member of the human race. I wouldn't mind allowing them in as an acquaintance, but I really don't consider them a friend, nor do I want them to be able to see some of the portions of my profile that I make visible to friends. Also, as a responsible friend of my friends, I wouldn't want her to get access to the information exposed by my friends to friends of their friends (Paul, if you can't follow that, I can draw you a Venn diagram of it later).

So I'd like to see some extended attributes around relationships added to social networking. Not just at Facebook, but also at other sites like Linked-In.

Tuesday, September 09, 2008

Identity Leakage

It's interesting to see how much information you can learn about people just sitting around at the airport.

This past Sunday, I flew out of Dulles airport and running a bit late I arrived just 45 minutes before my flight (so I wasn't sitting around there all that long). What I noticed while I was there:

  • I was able to observe the full name and address for 3 people as they had luggage tags on their carry-on luggage which had their name/address visible to all. This doesn't count the other people who had tags, but they happened to be face down, so I don't know what information was on the tag. My recommendation is to either a) use a tag that covers the information, b) place the information inside one of the exterior pockets (I put my business card into the top external pocket), or c) just don't put anything on carry-on luggage as you don't need to.
  • I was able to observe the name, airline status and account number on several people as I stood in line for the flight. While this isn't as much information as your complete address, I could easily wreak havoc with your travel plans calling the airline to cancel or rearrange flights or otherwise do interesting things with your airline points. What should you do: Remember that this information is on the boarding pass and don't show it off to everybody standing in line next to you. I keep my boarding pass in my shirt pocket printed side facing in or I keep it inside of the carrier until I'm up in front of the line. Note also that this information is printed on the portion of the pass they let you keep. Don't leave them lying about. Trash them like you would trash any other receipt.
  • Several people had those travel document/ID holders, thinking that they are doing what frequent travelers do (which, of course, you never see a frequent traveler use). Problem is that they leak information like crazy. Most people that use them keep their driver's license in the clear holder. So all the way through the security line and while they are sitting around at the airport, anybody who wants to (and has good eyesight) can read all the information there (name, address, DOB at least). Putting the passport in there just brags to the world that you're a citizen of whatever country (yeah, for some of us that may be obvious, but there's no reason to confirm it for people who don't need to know it). I strongly recommend against using one of these things. If you just have to have such a holder, I would face all the documents in so that you control who gets to see them.

Moral of the story: Be aware of all the places that you leak information and minimize them just as you would want providers to minimize the amount of data they collected about you. Leaking such information opens you to potential stalking, identity theft or other non-fun activities.

Saturday, September 06, 2008

Scripts, Browsers and Security

We all know that many of the common security exploits with browsers are accomplished through the use of the enhanced scripting/programming capabilities such as JavaScript or Flash.

These usually aren't attacks on the browser itself, but rather are attacks where the scripting capability of the browser is used to take advantage of an existing session in another window. For example, one attack was launched via email that included a link to a page whose JavaScript opened a hidden window, went to a financial site and tried to make some stock trades. If the user happened to be logged into that institution in a different browser window, the script succeeded in selling/buying some stocks (as part of a pump/dump scheme). Sure, many people did not have that particular financial institution open at the time, but with enough spam, and enough people (who should have known better) clicking on links in the email, the fraudster could generate enough successful traffic to enable their scheme.

How does one protect against such attacks?

Turning off such capabilities will render many, if not most, web sites unusable. Turning on and off as necessary will make your browsing unusable for even the most patient user.

If you're running Firefox, there's an add-on you can get called NoScript which makes it pretty easy to manage which sites are allowed to run scripts and which sites are not. I've been using this for a few weeks now. It was a little tedious at first: each time I went to a new site that used such scripts, they would start out blocked and I would have to enable them with a simple click on the notice bar. I could choose to enable all scripts on the page (if I was lazy) or just certain scripts from certain parties that I trusted. I could enable the scripts permanently for sites I visited often, or only enable them temporarily for a site that I was just visiting as the result of some search.

This model makes it much less likely that I'll be surprised by some hidden script on a page that I pull up as the result of a Google search.

A very positive side effect is that those Flash ads that I hate so much are also blocked! Yeah!

I definitely recommend NoScript and what's really cool is that it's free as well.

Sunday, June 22, 2008

Firefox 3.0

I've been using the new Firefox 3.0 browser for several days now and I have to say that I am very impressed with it.

The browser certainly feels substantially faster at loading the same pages that I frequently visited before with Firefox 2 and with Internet Explorer 7 -- though I have to admit that this is very subjective and that server and ISP performance come into play.

I was a bit concerned that the browser address bar no longer indicates the SSL status of the site I'm visiting. This was a conscious decision by Firefox developers and there are work-arounds for getting it back. I'm not sure I agree with the arguments either way yet, but I was a bit surprised when I first went to a site and the SSL status was no longer indicated in the address bar -- I had to go checking a bit to make sure I was where I thought I was.

The problem that drove this change was the fact that they are now indicating site status with the background around the site icon that shows to the left of the location bar, and the colors for the three states (insecure, SSL and EV) did not match the colors of the address background. The ultimate decision was to leave the address bar uncolored and solely rely on the icon background. While I agree that if there are colors on the background they must be the same, I think I disagree with not also reflecting the colors on the address background. You can read more about this change and the logic/discussion behind it here.

The only problem I've observed so far is that the ordering process at the AT&T wireless site does not work (my son lost his phone and I had to order a replacement for him). I can't explain clearly what the problem is as the site just behaved incorrectly -- asking me for the same information multiple times or doing other strange things (for example, after I selected a phone and clicked add-to-cart, the popup that resulted from that operation showed that no phone had been put into the cart). I tried logging out and logging back in and restarting the browser -- all to no avail. I ended up having to use Internet Explorer to make the order.

Overall, I'm very satisfied with the new version of Firefox and recommend that others using earlier versions upgrade -- you will like the speed improvements. Congrats Firefox team on a great upgrade!

Monday, May 12, 2008

Back-to-myMac brings the Mac Back

An interesting story coming out of White Plains, NY talks of a woman whose apartment was burglarized, with close to $5,000 of electronics stolen including a couple of Apple laptops, and how she was able to help catch the culprits as well as get her stuff back.

The thief apparently was using the computer and one of the victim's friends (who knew her laptop was stolen) noticed a few days later that she was logged in (presumably on some instant messenger) and called her.

The woman was able to use Apple's "Back To My Mac" application on another computer to get control of her stolen laptop and activated the camera in the laptop, taking pictures of the thief. A quick review with her friends and they figured out that the guy was a friend of a friend of one of her roommates who had been at the apartment a few weeks before.

A quick call to the police and they arrested the thieves as well as getting back most of the stolen electronics.

I'm guessing that she's happy she wasn't one of those self-conscious users who tape over the camera to keep something like this from happening, and I'm not at all worried about the thief's privacy violation. Of course, the chances of other thieves really being this stupid, making use of a stolen computer without wiping it clean, are probably pretty low, so I'm not sure how often this kind of thing can happen (but you know they still do give out the annual Darwin Awards).

Thursday, May 01, 2008

I've been cleared

I've joined the US's Registered Traveler Program. Clear (a subsidiary of Verified Identity Pass Inc.) operates the local facility here at Dulles, so I joined their network.

In exchange for submitting to (and paying for) a background investigation and biometric authentication (fingerprint in my case; though they also had iris scanners there, they wouldn't work on me) you get to have a very short security line -- though you still go through the same "take-off-your-shoes" security process. They seem to be working on getting some form of scanner approved for scanning shoes while they are still on your feet, but recently they did not pass the TSA testing that was done.

The cost of the program from Clear is $128 (at least for the first year -- they weren't clear on what subsequent years will cost). $28 of that goes to the TSA for the background investigation and the rest to Clear (of which, I'm sure, a portion goes to the airport). You can extend that by a year when you use a discount code (and the party who gave you the discount code also gets a year -- so there's something in it for everyone). My discount code, if you're interested in getting a free month added to your subscription, is: DSCAM1142273 - use it to your heart's content.

One might ask why I would join the program given that I was already a United 1K member and able to use the premium passenger lines at Dulles. There were several reasons including:

  • The premium lines are only available when you have premium status on the airline whose flight you are leaving Dulles on. I have seen the staff turn away United premium members when they were booked on some other airline where they did not have status.
  • Even with the premium lines, you can still get stuck in a slow line (I have waited as long as a half hour in the line) and if I'm tight for a flight, that can be too long.
  • The program is available at other airports (though I'm not sure if I'm only able to use it at Clear supported airports or any registered traveler airport) and in particular, San Jose Airport -- which has no premium lines and where the line for early morning flights can be crazy long -- is one of the Clear supported airports.
  • I travel often enough that the time savings, even if small, is worth it (in my opinion).

Of course, about 2 weeks after signing up (and paying), I received an email from Marriott (where I am a Platinum member, of course) with the following offer:

So, after I signed up I found out I could have gotten it for free. I called them expecting to get the "Gosh, I'm sorry, but it's too late now" and was pleasantly surprised to hear "No problem sir, we'll just extend you another year". Good deal!

You might be wondering what I think now that I'm a member. I've used it on 5 of my last 8 flights (Portland International Airport does not yet participate in the Registered Traveler program, and it is not available at foreign airports). At Dulles it's down with the employee security line and it works great -- in fact, the people from Clear are almost too helpful (trying to help gather things ready to go through security). I've timed it against another person who was going through the premium security line and I was about 10 minutes faster than they were, at a time when the lines were short. In San Francisco the Clear area opens at the front end of the regular security line, emptying directly into the x-ray scanners (so, essentially, you jump to the front of the line).

One thing on the negative side, if you're traveling with people, you can't bring them with you, so either you have to go through the regular lines, or you have to split up. That already happened to me when I was traveling with George on our way to the European Identity Conference in Munich -- that's how I figured out that there was a 10 minute difference (it was an experiment!). Not sure what I'm going to do when I am traveling with my family to England & Ireland this summer -- I don't think my wife will be as easy going about it as George was :-).

All-in-all, I'm a happy customer..... And remember, if you want to sign up, use the discount code "DSCAM1142273" so we both can get a free month :-).

Monday, February 18, 2008

Updated Liberty Open Source

I've updated my Liberty ID-WSF Open Source Toolkits again. This time to reflect the minor changes made in the Advanced Client specifications as they were finalized within the Alliance.

For those of you who aren't familiar with this code, I have two toolkits available -- a C++ client and an Axis1/Java Server -- which implement the Liberty ID-WSF protocols (both the basic framework and substantial portions of several services).

This new release of the toolkit does not add new functionality -- it only brings the code up to match the final specifications.

Have fun!

Saturday, February 16, 2008

What's wrong with this picture?

I went to log in to my Discover card account to review my account activity (something I try to do on a regular basis). Using a bookmark (to make sure I don't accidentally enter a typo that gets me to a hacker's site -- plus I'm lazy and a single click is easier than typing in the URL), I get to the web site and I notice something that isn't right (in my opinion). Take a look at the picture below and tell me if you see it before reading past it.

Look at the URL. It's non-SSL (http: vs https:). When I noticed that, I figured that somehow my bookmark was messed up, but looking at the bookmark, it does specify https:. What happens is that Discover is redirecting you from the SSL endpoint to the non-SSL endpoint. This happens with IE and with Mozilla whether directly connected or through a proxy server, so it's clearly something done on the server and not a side effect of the client.

That wouldn't be all that bad if Discover just had a link on the home page directing me to a login page that was SSL protected. That isn't the case. The home page prompts for the user's credentials. Now the technical people out there might say that the data from the login form is probably submitted via an SSL endpoint so the data is protected. However, without looking at the source code, the user can't know that.

In addition, since the URL itself isn't protected, the user (me in this case) doesn't have any way to know that they are actually talking to Discover. This could be a MITM phishing site.

So, if you do go to Discover's site to view your account, I suggest that you select the login link in the upper right corner before you enter your credentials. This will bring you to an SSL protected page where you can verify that the host you are talking to is and not some MITM.
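As an added example (not code from this post, and not anything Discover publishes), this Python script answers the question raised above for a page you have already fetched: did the page carrying the login form arrive over SSL, did the redirect chain that got you there downgrade from https to http, and where does the form actually submit? The page URL, redirect chain and HTML it runs on are constructed for the demo; the `.test` host names do not exist.

```python
"""Added example: audit a fetched login page for the two problems described
in the post (form served over http, https-to-http redirect). Sample data is
constructed; it is not Discover's page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormParser(HTMLParser):
    """Collects every <form> and notes whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "has_password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def verdict(page_https: bool, action_https: bool) -> str:
    if page_https and action_https:
        return "ok"
    if action_https:
        # The credentials travel over SSL, but the form arrived unauthenticated,
        # so the user cannot tell whether the form (or its action) was replaced.
        return "submits over SSL, but the form itself was served in the clear"
    return "credentials would be sent in the clear"


def audit_login_forms(page_url: str, html: str) -> list:
    """One finding per form that contains a password field."""
    parser = _LoginFormParser()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # relative actions resolve to the page
        action_https = urlsplit(action).scheme == "https"
        findings.append({"action": action, "page_https": page_https,
                         "action_https": action_https,
                         "verdict": verdict(page_https, action_https)})
    return findings


def downgraded(redirect_chain: list) -> bool:
    """True if any https URL in the chain is followed by a plain http URL."""
    schemes = [urlsplit(u).scheme for u in redirect_chain]
    return any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))


# Constructed sample: the bookmark is https, the site redirects to http, and
# the http home page carries a login form posting to an https endpoint.
SAMPLE_CHAIN = ["https://www.example-bank.test/", "http://www.example-bank.test/"]
SAMPLE_HTML = """
<html><body>
<form action="https://login.example-bank.test/signin" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print("redirect downgraded to http:", downgraded(SAMPLE_CHAIN))
    for f in audit_login_forms(SAMPLE_CHAIN[-1], SAMPLE_HTML):
        print(f["action"], "->", f["verdict"])
```

The second finding is the one the post makes: even when the form posts to an https endpoint, a reader of the page cannot know that without the source, and the http page itself gives no proof of who served it.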
