Tuesday, September 30, 2008

Smart Card hackery

This is an old video (from May of '08) and probably accomplished using an older technology smart card (theoretically easier to break), but it's still quite interesting to watch how one can peel back the layers of a smart card in order to snoop the communications going on within the components.

The related story on Wired.com gives a lot of interesting details on the ongoing cold war between satellite TV operators and hackers trying to get free TV.


Thursday, September 25, 2008

Cardspace, Liberty, & Intel's ICP

A couple of weeks back at DIDW 2008, I reported on a proof-of-concept that we put together at Intel where we combined Cardspace with our Identity Capable Platform (ICP) to show how ICP could extend/strengthen a cardspace deployment. While we used Cardspace in this demonstration, the code should work with any Identity Selector conforming to the Identity Selector Interoperability Profile.

For those of you who don't know, ICP is a research project we have been working on at Intel exploring how identity capabilities could be added to a platform to enhance online transactions. Our contributions to the Liberty Alliance's Advanced Client Technologies are part of that work.

In this proof-of-concept, we showed how a mythical bank (ACME Bank, of course) could provision an identity agent to the platform, which was then used as the identity source for Cardspace when the user initiated a session at the bank. To Cardspace, the identity agent was a full-fledged STS with a managed card that had been provisioned into Cardspace (so, essentially, this was an off-the-shelf Cardspace deployment).

The provisioning process made extensive use of the Liberty Advanced Client Technologies protocols to securely provision the identity agent to the platform.

One might ask what exactly an identity agent is. I use the term very loosely for any identity-related agent software. In this particular case, the identity agent exposes WS-Trust and ID-WSF Provisioned Module interfaces and contains a SAML token generator and an ID-WSF IdP Service client (used to get assertions minted).

If you want to take a look at the presentation it's here. However, I have to warn you I write my presentations as something that needs speaking to and not as standalone documents.

Even better, there's going to be an encore presentation as a Liberty webcast on November 18th. I'll post the details once I get them.

UPDATE: Britta found it for me: Info/Registration for Webcast. Where would we be without Britta!


Monday, September 22, 2008

Absentee Ballots

At last week's Liberty TEG F2F in Boston, Hubert (the guy living in the French Alps who just recently became a US citizen) pointed out to the rest of us that the fall Liberty Alliance Sponsor's meeting in Tokyo is taking place the week of our presidential elections here in the US.

So, those many of you who will be attending the meeting in person should head on down to your local registrar (or however you would do it within your state/county) and register for an absentee ballot.

In Virginia, they only allow absentee voting for a limited set of reasons, none of which include "I'm more comfortable voting from home" or "I don't want to have to deal with the long lines at the local precinct." I think that they should allow anybody to use an absentee ballot, regardless of reason (even if they just feel like it). I mean, that's the point, isn't it: Get the person's vote counted.

I also don't like the fact that some/many/all places that use absentee ballots only count them when they can make a material difference in the outcome (e.g. if the election's difference in votes is less than the total number of absentee ballots). I think that sucks. I would rather they just always count them (and perhaps start with those numbers first). It just makes sense to always count a vote. Imagine if they chose not to count a state's votes if the state's population couldn't make the difference in the outcome of a race.

In any case, if you're going to the meeting, be sure to get your ballot. This is sure to be an interesting election (though I wouldn't mind an Obama landslide -- even if that meant that they didn't count my absentee ballot).


Wednesday, September 17, 2008

What ID-TBD means to me....

For those that don't know what ID-TBD is, it's an effort underway trying to tie the umpteen different identity efforts together into an uber identity organization. TBD as in To Be Determined (as in, we don't want to argue over the name till we get agreement on the organization and organizational structure).

My main goal here is to get out of the Liberty Alliance and away from its exotic meeting locations like Singapore, Paris, Stockholm, Tokyo, Madrid, Sydney, Rome, etc. I have become an active member of the Liberty 50 (those of us who have put on an extra 50 pounds or more since starting to participate in the organization). I'm probably at the head of the line and perhaps hit my peak at around 60lbs (30 or so kilos for the rest of you guys outside the US).

Yes, I blame Liberty for this (not my lack of good eating habits, my desire to have hamburgers and fries for every meal -- even breakfast -- my lack of exercise, etc., etc.). It's clearly Liberty's fault. You can see it in the pictures below:

That's me in 2001, shortly before I joined Liberty. And now, after 7 years participating in Liberty:

So by exiting Liberty and joining ID-TBD, I hope/expect to be able to lose my Liberty 50 and go back to my 2001 self. Even with just the announcement of the potential organization, I've made some progress in that direction:

This is why I am sooo supportive of the new organization. It has nothing to do with messaging convergence, coordination, consolidation or any other such mom and apple pie reason for me. I just want to get out of the Liberty 50 group!


Tuesday, September 16, 2008

Let me count the ways

Washington Dulles airport now has 4 separate security checkpoints for non-employees. These include:

  1. Regular security checkpoint. This is the old tried and true security queue on the check-in level of the airport. These are intended for use by the average traveler and frequently, especially around 4PM, have long, slow-moving lines.
  2. Premium security checkpoint. This checkpoint is co-located with the regular security checkpoint but it has its own dedicated queue. This queue is restricted to premium travelers (those in first/business class or those traveling on a flight where they have premium status -- such as United's Mileage Plus Premier members). This queue is typically much shorter and sometimes moves faster than the regular security queue. Dulles added premium security lines a couple of years ago.
  3. Registered Traveler (Clear) security checkpoint. This checkpoint is restricted to people who have paid the annual $120 fee and subjected themselves to a background check. The registered traveler checkpoint at Dulles is managed by Clear. This checkpoint is down on the arrivals level near baggage claim 8 and is shared with the Employee checkpoint. Very short lines, quick processing (other than the time the x-ray scanner got a bag stuck in it with mine in there as well).
  4. Dulles Diamond security checkpoint. This is a new checkpoint that just recently opened on the arrivals level near baggage claim 7. The signs for this checkpoint say it is only for expert travelers (2 trips/month) traveling alone, with only one carry-on item and all their liquids already in bags. Theoretically these frequent travelers know what they are doing and the line can move along at a good clip. I tried this checkpoint on my trip up to Boston yesterday. There was no verification that I was a frequent traveler (though if they've read my blog, they will know). I think any single traveler could walk in there. I also verified that you can go through with a carry-on bag and computer bag (the sign says only 1 carry-on item so I thought they might be restricting those of us who also bring along computer bags). So it would seem that anyone traveling alone could use this queue (and it was totally empty when I came through mid-day). Perhaps they will have tighter checks when the queue backs up once people notice it is here.


Monday, September 15, 2008

Slamming SAML..... NOT!

Jeff responds to my earlier note suggesting that using pseudonymous identifiers adds security depth:

This is a very dangerous suggestion as it implies that SAML is not secure enough without pseudonymous identifiers, the use of which makes SAML deployment a lot more complicated. Pseudonymous IDs are for privacy not security. If your system requires them to be secure, you have done something wrong. Period.

I was in no way suggesting that SAML was not secure enough. However, I am of the opinion that any SSO system (including SAML) is weaker, from a security and a privacy point of view, without pseudonyms than the same system would be if it was using pseudonyms. That doesn't say or imply that it isn't secure without them, just that it would be better with them.

And I stand by my statement that had Google used good pseudonyms across relying parties, the impact of their lack of the audience restriction would have been minimal. That isn't saying that I think a system should rely on pseudonyms as its primary security model, just that their use would have severely reduced the impact of the error.


Pseudonymity would help

Kim Cameron writes of Google's failing to scope SAML assertions:

But according to the research done by the paper’s authors, the Google engineers “simplified” the protocol, perhaps hoping to make it “more efficient”? So they dropped the whole ID and scope “thing” out of the assertion. All that was signed was the client’s identity.

The result was that the relying party had no idea if the assertion was minted for it or for some other relying party. It was one-for-all and all-for-one at Google.

While I agree totally that the intended recipient should have been identified within an <AudienceRestriction> in the SAML assertion (how SAML shows the intended scope of the assertion), the problem would have been moot if Google had used good pseudonymous identifiers for its users.

Pseudonymous identifiers are random identifiers that differ for each relying party (so my identity at relying party A might be 123 while my identity at relying party B might be 345). Good pseudonymous identifiers are large random values (so that they are unpredictable) and are never reused (so the same identifier is never used at different relying parties, whether for the same user or for different users).

The primary impetus behind pseudonymous identifiers is to prevent the use of the identifier as a correlation factor across multiple relying parties -- in contrast, a globally unique identifier would allow relying party A to ask relying party B about what user 123 did yesterday, whether or not the user was around. However, pseudonymous identifiers also provide the following benefits:

  • added security depth - an unknown user identifier adds another layer of security to the SSO system (which, in this case, would have protected user accounts from attack: even if the assertion went to a different relying party, that party would have no user account with that specific identifier, so the assertion wouldn't be useful).
  • easier integration of new partners - when integrating new partners, the partners' identity systems may use different data structures for user identity (in the simplest case, a new relying party may store user identifiers as 32-bit integers while the IdP typically uses 128-bit random values); a system that supports good pseudonymous identifiers, and assumes that identifiers differ on each system, will easily handle this.

One might be concerned about how relying party A could invoke a service of relying party B when they are all using different identifiers (such as a Google relying party using Google Checkout). This is pretty simple. Typically, any such service invocation requires relying party A to get a security token for the user at relying party B. When that token is obtained, the issuer does the identity translation. SAML provides for protecting the identifier in the assertion with encryption, since the assertion is handed to relying party A and relying party A should never learn the user's identifier at relying party B.
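To make the two points above concrete, here is an added example (my own illustration, not code from the post or from any SAML product): a toy IdP that mints a fresh 128-bit pseudonym per user and per relying party, two relying parties that consume its assertions, and the identity translation an issuer performs when RP A needs a token for the user at RP B. The HMAC over a JSON body stands in for the XML signature on a real assertion, encryption of the subject in the translated token is not modeled, and the names `rp-a.example`, `rp-b.example` and `user-1` are constructed. The `check_audience` flag lets you replay the Google mistake and compare pseudonyms against a global identifier.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


def sign_body(key: bytes, body: dict) -> str:
    """HMAC stand-in for the XML signature on a real SAML assertion."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


@dataclass
class IdentityProvider:
    signing_key: bytes
    use_pseudonyms: bool = True
    # (internal user id, relying party) -> identifier handed to that relying party
    pseudonyms: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def identifier_for(self, user_id: str, audience: str) -> str:
        if not self.use_pseudonyms:
            return user_id  # one global identifier, the same at every relying party
        key = (user_id, audience)
        if key not in self.pseudonyms:
            # 128 random bits: unpredictable, minted fresh per user and per RP
            self.pseudonyms[key] = secrets.token_hex(16)
        return self.pseudonyms[key]

    def issue_assertion(self, user_id: str, audience: str) -> dict:
        body = {"subject": self.identifier_for(user_id, audience), "audience": audience}
        return {"body": body, "sig": sign_body(self.signing_key, body)}

    def translate(self, subject: str, from_rp: str, to_rp: str) -> dict:
        """Token exchange for a cross-RP call: RP A presents the subject it knows,
        the issuer maps it back to the user and re-mints the subject for RP B."""
        for (user_id, rp), pseudonym in self.pseudonyms.items():
            if rp == from_rp and pseudonym == subject:
                return self.issue_assertion(user_id, to_rp)
        if not self.use_pseudonyms:
            return self.issue_assertion(subject, to_rp)
        raise KeyError("no such subject at " + from_rp)


@dataclass
class RelyingParty:
    name: str
    idp_key: bytes
    check_audience: bool = True
    accounts: Dict[str, str] = field(default_factory=dict)  # subject -> local account

    def consume(self, assertion: dict) -> str:
        body = assertion["body"]
        if not hmac.compare_digest(sign_body(self.idp_key, body), assertion["sig"]):
            return "rejected: bad signature"
        # The <AudienceRestriction> check described as missing in Google's deployment.
        if self.check_audience and body["audience"] != self.name:
            return "rejected: audience mismatch"
        account = self.accounts.get(body["subject"])
        if account is None:
            return "rejected: no account for subject"
        return "logged in as " + account


def run_scenario(use_pseudonyms: bool) -> Dict[str, str]:
    """Alice (internal id user-1) has accounts at two RPs; a token minted for RP A
    is replayed at RP B, once with and once without the audience check."""
    key = b"constructed-demo-signing-key"
    idp = IdentityProvider(key, use_pseudonyms=use_pseudonyms)
    rp_a = RelyingParty("rp-a.example", key)
    rp_b = RelyingParty("rp-b.example", key)
    rp_b_lax = RelyingParty("rp-b.example", key, check_audience=False)
    # Account linking: each RP records the identifier the IdP uses for Alice *there*.
    rp_a.accounts[idp.identifier_for("user-1", "rp-a.example")] = "alice@rp-a"
    for rp in (rp_b, rp_b_lax):
        rp.accounts[idp.identifier_for("user-1", "rp-b.example")] = "alice@rp-b"

    token_for_a = idp.issue_assertion("user-1", "rp-a.example")
    token_for_b = idp.translate(token_for_a["body"]["subject"], "rp-a.example", "rp-b.example")
    return {
        "a_consumes_own_token": rp_a.consume(token_for_a),
        "b_checks_audience": rp_b.consume(token_for_a),
        "b_skips_audience": rp_b_lax.consume(token_for_a),
        "b_after_translation": rp_b.consume(token_for_b),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("pseudonyms" if mode else "global ids", run_scenario(mode))
```

With `use_pseudonyms=True`, the token minted for RP A is useless at RP B even when B skips the audience check, because B has no account under A's identifier; with a global identifier the same lax B logs Alice in. The `translate` step is what lets A still call B on Alice's behalf: A hands back only the subject it already knows, and the issuer does the mapping.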

Liberty ID-WSF provides several entities that perform this translation service, depending upon the topology of the deployment. The most common such service is the ID-WSF Discovery Service.

Similarly, in WS-*, the WS-Federation Pseudonym service is called out to perform the same translation service (and it is possible for a deployment of a WS-Trust STS to perform this translation internally during token generation).

I strongly recommend that any deployment of SSO, even within a single enterprise, make use of pseudonymous identifiers. They only strengthen the identity infrastructure.


Friday, September 12, 2008

Paul, Paul, Paul....

Paul writes about an upcoming Liberty Alliance futsal match in Tokyo and includes:

Conor "One-Sock" Cahill, when asked whether he would be participating, responded 'Only if I can get an upgrade to First. Currently, I'm booked in business on a Triple 7 in from SFO, but I'm trying to switch that because I'm in seat 4A and I hate that seat because the power plug is about 2 inches too high and I have to unbuckle my seatbelt to reach it. I generally like 3F but the window shade was broken last time and the sun woke me up, even though I had taken my Ambien.'

Paul, everyone knows that there's no 4A on a United Airlines Boeing 777. First class stops at row 3 and business class starts at row 8. 3F isn't a window seat (3A and 3J are, though 3A is frequently reserved as a pilot rest seat, but not on the long haul triple 7 that United uses for IAD->NRT flights).

My preferred seat is, of course, 3A since they would have to pick the best, quietest seat for pilot rest, followed by its opposite window seat 3J.

And finally Paul, you *know* that I don't sleep on the way to Tokyo. My rule for flying west is to stay awake till arrival at the hotel. In fact, I remember you telling me that you had tried doing the same and it worked for you as well.

Please try to get your facts somewhat correct when generating a fake Conor "Mr. Travel" Cahill quote. And stop ragging on me about the sock. I was in the middle of putting my shoes on when they called us together to take the picture.


Thursday, September 11, 2008

Lipstick & Pigs

Just to be clear about lipstick and pigs, I want to point out that during my DIDW presentation -- before anybody questioned it -- I pointed out that our proof-of-concept demo showed a strong authentication credential being issued based solely on a username and password. I also explained that in a real-world situation, the bank would have only issued the credential under some higher level of authentication and went on to describe several options the bank would use.

Paul "claims" he had picked up on that issue before I mentioned it. With him sitting next to the very distracting Pamela during the session, I'm not sure we should believe him.

Close Friends

I've recently become active on Facebook, reaching out to a number of people with whom I have worked/played/lived or otherwise come across over the past few years. I know it shocks Paul that I actually seem to have some people who have confirmed that I am their friend (including Paul himself).

Facebook allows me to define access to portions of my profile depending upon a user's status:

  • Friend - someone with whom I have a direct relationship (they're in my list of friends)
  • Friend of friend - someone who has a relationship with someone that I have a relationship with
  • Network - A group of people that is organized based upon geographic locations, work, etc. I belong to both the Intel and Washington DC networks.
  • Public - everyone else

This seems to be a simplistic picture of the world of relationships. I can see how I would like to be able to classify some people as acquaintances, some as friends, and some as close friends (giving them different access to my profile information). Just like I bring friends and close friends to my house, but not usually acquaintances.

This came up when, out of the blue, I received a friendship request from someone who I didn't know at all, but they were interested in one of the groups I'm interested in (solar energy) and it probably didn't hurt that they happen to be a fairly nice looking example of a female member of the human race. I wouldn't mind allowing them in as an acquaintance, but I really don't consider them a friend, nor do I want them to be able to see some of the portions of my profile that I make visible to friends. Also, as a responsible friend of my friends, I wouldn't want her to get access to the information exposed by my friends to friends of their friends (Paul, if you can't follow that, I can draw you a Venn diagram of it later).

So I'd like to see some extended attributes around relationships added to social networking. Not just at Facebook, but also at other sites like LinkedIn.


Tuesday, September 09, 2008

Identity Leakage

It's interesting to see how much information you can learn about people just sitting around at the airport.

This past Sunday, I flew out of Dulles airport and running a bit late I arrived just 45 minutes before my flight (so I wasn't sitting around there all that long). What I noticed while I was there:

  • I was able to observe the full name and address for 3 people as they had luggage tags on their carry-on luggage which had their name/address visible to all. This doesn't count the other people who had tags, but they happened to be face down, so I don't know what information was on the tag. My recommendation is to either a) use a tag that covers the information, b) place the information inside one of the exterior pockets (I put my business card into the top external pocket), or c) just don't put anything on carry-on luggage as you don't need to.
  • I was able to observe the name, airline status and account number on several people as I stood in line for the flight. While this isn't as much information as your complete address, I could easily wreak havoc with your travel plans calling the airline to cancel or rearrange flights or otherwise do interesting things with your airline points. What should you do: Remember that this information is on the boarding pass and don't show it off to everybody standing in line next to you. I keep my boarding pass in my shirt pocket printed side facing in or I keep it inside of the carrier until I'm up in front of the line. Note also that this information is printed on the portion of the pass they let you keep. Don't leave them lying about. Trash them like you would trash any other receipt.
  • Several people had those travel document/ID holders thinking that they are doing what frequent travelers do (which, of course, you never see a frequent traveler use). Problem is that they leak information like crazy. Most people that use them keep their driver's license in the clear holder. So all the way through the security line and while they are sitting around at the airport, anybody who wants to (and has good eyesight) can read all the information there (name, address, dob at least). Putting the passport in there just brags to the world that you're a citizen of whatever country (yeah, for some of us that may be obvious, but there's no reason to confirm it for people who don't need to know it). I strongly recommend against using one of these things. If you just have to have such a holder, I would face all the documents in so that you control who gets to see them.

Moral of the story: Be aware of all the places that you leak information and minimize them just as you would want providers to minimize the amount of data they collected about you. Leaking such information opens you to potential stalking, identity theft or other non-fun activities.


Saturday, September 06, 2008

Scripts, Browsers and Security

We all know that many of the common security exploits involving browsers are accomplished through enhanced scripting/programming capabilities such as JavaScript or Flash.

These usually aren't attacks on the browser itself, but rather attacks where the browser's scripting capability is used to take advantage of an existing session in another window. For example, one attack was launched via an email that included a link to a page whose JavaScript opened a hidden window, went to a financial site and tried to make some stock trades. If the user happened to be logged into that institution in a different browser window, the script succeeded in selling/buying some stocks (as part of a pump-and-dump scheme). Sure, many people did not have that particular financial institution open at the time, but with enough spam and enough people (who should have known better) clicking on links in the email, the fraudster could generate enough successful trades to make the scheme work.
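The post's remedy is on the client side (NoScript, below), but the site whose session is being ridden can also refuse such requests. As an added example that is not from the post and not any particular site's code, here is the server-side check a trading endpoint would apply: the trade must use a state-changing method, the request must come from the site's own origin, and the form must carry a per-session anti-forgery token that a page on another origin cannot read or compute. The origin `https://broker.example`, the secret key, the session id and the sample requests are all constructed; the check assumes the browser sends an Origin header or, failing that, a Referer.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://broker.example"          # constructed: the financial site's origin
TOKEN_KEY = b"constructed-server-side-secret"   # constructed: never sent to the browser
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-forgery token, embedded by the site in its own trade form."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if present, else scheme+host of the Referer, else None."""
    if "Origin" in headers:
        return headers["Origin"]
    if "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None


def is_trade_allowed(request: dict, session_id: Optional[str]) -> Tuple[bool, str]:
    """Accept a trade only when it is plainly the user's own action on the site's page."""
    if request["method"] not in STATE_CHANGING:
        return False, "trades must use a state-changing method"  # never act on a bare GET
    if session_id is None:
        return False, "no session"  # nothing to ride on, so nothing to trade with
    origin = request_origin(request["headers"])
    if origin != SITE_ORIGIN:
        # The hidden window is on the spam page's origin, and browsers set Origin/Referer,
        # not the page's script.
        return False, f"cross-origin request from {origin}"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        # A foreign page cannot read the site's form (same-origin policy) or compute
        # the token without TOKEN_KEY, so a forged request arrives without it.
        return False, "missing or wrong anti-forgery token"
    return True, "ok"


def sample_requests(session_id: str) -> Dict[str, dict]:
    """Constructed requests: the user's own submission and the hidden-window forgery.
    The browser attaches the session cookie to both, which is the whole problem."""
    cookie = "session=" + session_id
    return {
        "user_trade": {
            "method": "POST",
            "headers": {"Origin": SITE_ORIGIN, "Cookie": cookie},
            "form": {"symbol": "XYZ", "qty": "100", "csrf_token": issue_csrf_token(session_id)},
        },
        "hidden_window_trade": {
            "method": "POST",
            "headers": {"Referer": "https://spam-link.example/page.html", "Cookie": cookie},
            "form": {"symbol": "XYZ", "qty": "100"},
        },
        "get_with_side_effect": {
            "method": "GET",
            "headers": {"Cookie": cookie},
            "form": {"symbol": "XYZ", "qty": "100"},
        },
    }


if __name__ == "__main__":
    sid = "constructed-session-id"
    for name, req in sample_requests(sid).items():
        print(name, is_trade_allowed(req, sid))
```

The three checks fail independently, so a request that somehow passes the origin check (an old browser sending neither header would already be rejected) still needs the token, and a GET that changes state is refused outright regardless of where it came from.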

How does one protect oneself against such attacks?

Turning off such capabilities will render many, if not most, web sites unusable. Turning on and off as necessary will make your browsing unusable for even the most patient user.

If you're running Firefox, there's an add-on you can get called NoScript which makes it pretty easy to manage which sites are allowed to run scripts and which sites are not. I've been using this for a few weeks now. It was a little tedious at first (each time I went to a new site that used such scripts, they would start out blocked and I would have to enable them with a simple click on the notice bar). I could choose to enable all scripts on the page (if I was lazy) or just certain scripts from certain parties that I trusted. I could enable the scripts permanently for sites I visited often, or only enable them temporarily for a site that I was just visiting as the result of some search.

This model makes it much less likely that I'll be surprised by some hidden script on a page that I pull up as the result of a Google search.

A very positive side effect is that those Flash ads that I hate so much are also blocked! Yeah!

I definitely recommend NoScript and what's really cool is that it's free as well.
