Thursday, September 26, 2013

Why Your Unified Identity May Just Be FaceBook

The age of "unified identity" is coming ... in fact many of you are already starting to get comfortable with it. Unified identity (sounds similar to SSO - Single Sign On) is a concept where you authenticate to a single place (FaceBook, let's just say) and then your identity is federated out to various other places. You've been using it for a while, probably, as have your family and friends.

Today we are seeing this happening all over the place, mainly in the consumer online world. You can now log into several of your favorite websites and applications simply using your FaceBook identity. FaceBook verifies you know your password and are likely you, then federates that result (hands the 3rd party a token vouching that it has verified your credentials). Again, this is primarily happening in the consumer space right now, and while it's becoming more pervasive it's still a nice-to-have, because almost every site still offers you the ability to create your own username and password. But ... let's be honest here, the convenience of having a single password to remember that works for many other places is hard to pass up, and many of us (your humble blogger here included) simply acquiesce.

Is this really a good idea?
The answer to the question of whether this type of activity is a good idea or bad idea lies in whether you believe that individual web identities are manageable (I do not), and whether you trust yet another website with managing your credentials properly over FaceBook (I believe this is likely a toss-up, with FaceBook getting the benefit of the doubt).

Look, you're not good at managing the hundreds of websites, applications, and places where you have to create yet another username and password pair. Believe me when I say this because I know I'm terrible at it and I have to be paranoid for a living. I can probably remember ~15-20 site/app and credential pairs relatively sanely while using reasonably complex passphrases and passwords. Anything beyond that and I'm forced to re-use ... yep, I do it too. Let's face it though, the truth is that if I have 1 username/password combination for all the sites I'll never go back to again that have nothing really private about me, I don't care and neither do you.

So let's look at FaceBook. They've had many years to increase security in their authentication mechanism and federation system. I won't even insult your intelligence by saying they're secure, but they work very hard at knowing who you are, and being sure it's actually you. Why? Simple - this is how they make money, by getting good tracking data on you. Double-edged sword folks.

Do you really want to give FaceBook the power?
Well the simple answer to this question is heck no. Although you have to ask yourself what privacy you're additionally giving away and if the juice is worth the squeeze. Are you willing to maintain that thin illusion of privacy by trying to manage potentially hundreds of logins and credentials? I'll save you the brain cycles - the answer is really no.

The other thing here, if I'm honest, is that FaceBook probably already tracks you on many of those sites anyway ... seriously. I'm not saying this makes it OK by any stretch of the imagination, but ... maybe... ?

Yes, we're inching towards a situation where the folks over at FaceBook are going to hold incredible analytical capabilities when it comes to who we are, what we do, what we buy, where we visit and just about every aspect of our digital lives, in exchange for the convenience and added security of entrusting that information to a single central party rather than to hundreds or thousands of organizations we know we don't trust.

So what if FaceBook gets compromised? Great question.

You probably use something similar to 1Password (if you're smart) to manage all of your web presence and logins ... right? What if they get compromised? That's just a risk we take; it's a calculated risk based on the fact that we know your passwords are stored in an encrypted database that only your passphrase unlocks. Could someone insert malicious code into that application by compromising the password manager's vendor? Of course. Will they? Maybe. The fact is I would rather have that single point of failure - if I can be reasonably sure it's well-defended - than hundreds of poorly defended ones.

The real issue is the future...
The real issue is this article right here - "FaceBook wants to make mobile payments easier with 'AutoFill'" ... there are many that sprang up overnight reporting on the same issue. The question isn't only whether FaceBook will become the de facto standard for Internet-enabled identity, but how pervasive that identity will become. If you can not only log in, but also quickly pay using your FaceBook identity - would you subscribe? I'm guessing those of you who think like I do are saying to yourselves "Hell no!". The truth is that your family members, colleagues and friends can't wait to jump in on this.

Why, you ask? Simple. It simplifies your life. As your life in the real world melts more and more into your digital persona, services like FaceBook's "AutoFill" will become increasingly popular and useful. No doubt in my mind.

Alright, I'm worried
...and you should be, but probably not for the reasons you're thinking.
This trend troubles me because the war over your online and physical identity is being fought fiercely in the background and no one appears to be taking notice. Security professionals aren't noticing, privacy professionals aren't noticing for the most part - and I don't see or hear a lot of talk about this.

Can FaceBook swallow the world, and become a reasonably secure global federated identity provider? I think the chances of this are good, and they've probably got this on their business plan because they're smart. Will Google keep trying to oppose them - heck yes. Should we all take notice and start to look at the way FaceBook manages our authentication and federates it (including WHAT access it gives to your information to the party it federates to) - absolutely.
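To make concrete what "federates" means in the paragraph near the top of this post, and the "WHAT access it gives" question just above, here is an added example (mine, not from the original post and not FaceBook's code): a minimal OpenID-Connect-style exchange in which the identity provider signs an assertion about the user and the relying party verifies it before trusting the login. The issuer name, shared secret, audiences and scopes are made up for illustration; a real provider would normally sign with a published public key rather than a shared secret, though HS256 with the client secret is one option OpenID Connect permits.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical values for this example only: the issuer name and the
# per-relying-party secret are assumptions, not real identifiers.
ISSUER = "idp.example"
CLIENT_SECRET = b"example-shared-secret-known-to-idp-and-rp"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(secret: bytes, subject: str, audience: str, scopes, now: int, ttl: int = 300) -> str:
    """Identity-provider side: once the user has proved their password to the
    IdP, it emits a signed assertion bound to ONE relying party ('aud') and
    listing exactly what that party may access ('scope')."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, expected_audience: str, now: int) -> dict:
    """Relying-party side. Each check here is one a sloppy RP skips and an
    attacker exploits: pinned algorithm, constant-time signature compare,
    issuer, audience (a token minted for another site must be rejected, or
    site A can replay its users' tokens at site B), and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_unb64url(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg (never let the token choose)")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different relying party")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def granted_scopes(claims: dict) -> set:
    """What the IdP actually let this relying party see: the thing the post
    says to look at before trusting a 'Log in with X' button."""
    return set(claims.get("scope", "").split())


def tamper_scope(token: str, new_scope: str) -> str:
    """Attacker helper: rewrite the scope claim without re-signing."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_unb64url(p64))
    claims["scope"] = new_scope
    return h64 + "." + _b64url(_json(claims)) + "." + s64


if __name__ == "__main__":
    tok = issue_token(CLIENT_SECRET, "user-123", "shop.example", ["email"], now=1_700_000_000)
    ok = verify_token(CLIENT_SECRET, tok, "shop.example", now=1_700_000_100)
    print("verified:", ok["sub"], "scopes:", granted_scopes(ok))
    for bad, aud in ((tok, "other.example"), (tamper_scope(tok, "email friends"), "shop.example")):
        try:
            verify_token(CLIENT_SECRET, bad, aud, now=1_700_000_100)
        except ValueError as err:
            print("rejected:", err)
```

The audience check is the one that matters most for the post's argument: if every site that accepts "Log in with FaceBook" did not verify that the assertion was minted for it specifically, a token handed to one site could be replayed at any other, and the single identity would be a single key for everything.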

I think this is the final frontier in the collision of our still-separate physical and digital lives. Once the identities melt together into a single federated FaceBook (or whoever wins this war) identity, the game will again change.

You'll notice this post hasn't even begun to tackle the topic of authorization yet - that's another story for another time.

I'm curious what you think ... am I totally off my rocker? Chat me up on Twitter @Wh1t3Rabbit and let's hear what you think.

Monday, September 23, 2013

Apple's Touch ID - a gimmick or real security?

Earlier tonight (after I read that the CCC had broken Apple's Touch ID[1]) I posted this to Twitter:
"So hyperbole aside, #Apple just set back "real security" several years with this fingerprint gimmick (for the masses)? Awesome."
That was supposed to be a bit ironic; some people got that, others got mad at me, and a few were insightful. I've been thinking a lot about this Touch ID that Apple has released with their latest version of the iPhone, the 5S. For me it all comes down to the opening paragraph of the above-referenced Apple page on Touch ID -
"Much of our digital lives are stored on our iPhones, and everyone should use a passcode to help protect this important information and their privacy. Unfortunately, not everyone does; more than 50 percent of smartphone users don't use a passcode. Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike. Touch ID is a seamless way to use your fingerprint as a passcode. With just a touch of the Home button of your iPhone 5s, the Touch ID sensor quickly reads your fingerprint and automatically unlocks your phone. You can even use it to authorize purchases from the iTunes Store, App Store, and iBooks Store."
Before we get into this, let me first give credit to Apple for the good things they've done with the latest version of the iPhone and beyond. First, they've forced everyone using Touch ID to set a passcode - this is already a leap forward. I've been telling people to protect their phones with a passcode, but it seems like every day I see someone new who isn't following that line of thinking and I have to explain all over again. So this push to something is better than nothing. Also, a 1 in 50,000 chance is always better than a 1 in 10,000, but when you consider that many people never even used the passcode feature before this version of the phone - this seems kind of irrelevant. I wonder if Apple has statistics on how many people never enable the passcode at all; I'd be much more interested in that - although I suspect no one will ever give this information out, unfortunately.

Now - let me explain why I call Touch ID a gimmick. But one more thing... let me tell you what I'm taking as truth here...

  1. Apple is a largely consumer-based company, and markets primarily to the consumer
  2. The consumer demographic doesn't necessarily know the difference between good security and the stuff they see in the movies
  3. If you put 1 and 2 together above, you get "what Apple says, people believe as gospel" for a large part of their user base (in other words: not for everyone)

OK, now that you understand where I'm coming from, let me move on.

To explain why I believe Touch ID is a gimmick I will simply cite two sources on the subject. First, a presentation from PacSec 2006 (that's right, 7 years ago) on the quality and worthiness of fingerprint readers as authentication mechanisms. You should walk through those slides on your own (Apple probably missed them), but if you're in a pinch let me sum it up for you with the conclusion Starbug reaches:
"Don't use fingerprint recognition systems for security relevant applications!"
You're probably saying to yourself, "self, but this application isn't necessarily high security," and I would agree with you if you weren't wrong. The problem is that this fingerprint application is the key to your phone, and can be set up to authorize purchases, as Apple tells us. As soon as this catches on, the average user will be asking for Touch ID to be the authenticator of choice for FaceBook, Twitter, and other authentication-type applications. Trust me, it'll happen. Right - but there's only a 1 in 50,000 chance of your fingerprint colliding with (being close enough to) someone else's, right? Except that after 5 unsuccessful attempts you still have to use your passcode, so an attacker never needs those 50,000 tries. Wait. Then we're back to the 1 in 10,000 4-digit passcode? That can't be right ... Apple's logic doesn't make sense here: the fingerprint sits in front of the passcode rather than replacing it, so anyone who can't spoof the finger simply goes around it, and the phone is still only as strong as the 4-digit code. Does it make sense to you?

OK, moving on, instead of trying to tell you why I think fingerprints are a bad idea for authentication, I'll just point you to Dave Aitel's "Daily Dave" mailing list which quotes Dave ...
"...[T]here are two important reasons why biometrics won't work, and why the old-fashioned password is still a better option: a person's biometrics can't be kept secret and they can't be revoked...Since a person can't change their fingerprint or whatever biometric is being relied upon, it's 'once owned, forever owned.' That is biometrics' major failing and the one that will be hardest to overcome." - Dave Aitel, USAToday, 12 September 2013
So let me sum it up for you...

  1. Because it's Apple, you'll now have a massive user base believing fingerprints are infallible, and likely demanding this type of authentication for more applications (psst! your enterprise application is next)
  2. Your super-secure fingerprint vault and amazing scanner (1 in 50,000 chance of collision) still defaults to a simple passcode (1 in 10,000 chance of guessing) after 5 failed guesses
  3. Your fingerprint is relatively simple to find and duplicate, because it's not secret
  4. You can't change your fingerprint once it's copied and compromised (oh oh)
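To put numbers on the fallback argument (item 2 in the summary above), here is an added example, my own and not from the post: a toy model of the unlock policy as the post describes it (five fingerprint attempts, then passcode only) and the false-accept probability of the combined system for a stranger who can neither spoof the print nor knows the code. The 1-in-50,000 and 1-in-10,000 figures are the ones quoted in the post; the template-string comparison is a stand-in for a real sensor, not a model of how Touch ID matches.

```python
FINGERPRINT_FALSE_MATCH = 1 / 50_000   # per-attempt false-match rate quoted in the post
PASSCODE_SPACE = 10_000                # 4-digit numeric passcode
FINGERPRINT_TRIES_BEFORE_FALLBACK = 5  # after this many failures, passcode only


class PhoneLock:
    """Toy model of the unlock policy described in the post: up to five
    fingerprint attempts, after which only the passcode is accepted. The
    'sensor' is simulated by comparing template strings (an assumption)."""

    def __init__(self, enrolled_template: str, passcode: str):
        self._template = enrolled_template
        self._passcode = passcode
        self.fingerprint_failures = 0
        self.unlocked = False

    def try_fingerprint(self, template: str) -> bool:
        if self.fingerprint_failures >= FINGERPRINT_TRIES_BEFORE_FALLBACK:
            return False  # sensor path closed: even the real finger is refused now
        if template == self._template:
            self.unlocked = True
            return True
        self.fingerprint_failures += 1
        return False

    def try_passcode(self, code: str) -> bool:
        # The passcode is always accepted as a fallback: the fingerprint
        # only ever adds a way in, it never removes one.
        if code == self._passcode:
            self.unlocked = True
            self.fingerprint_failures = 0
            return True
        return False


def false_accept_probability(passcode_guesses: int,
                             fingerprint_tries: int = FINGERPRINT_TRIES_BEFORE_FALLBACK) -> float:
    """Chance a stranger (no spoofed print, no knowledge of the code) gets in,
    given the attempt budget on each path. The two paths are an OR, so their
    failure probabilities multiply and the result is dominated by whichever
    path is weaker and still open."""
    p_fingerprint_fails = (1 - FINGERPRINT_FALSE_MATCH) ** fingerprint_tries
    p_passcode_fails = 1 - min(passcode_guesses, PASSCODE_SPACE) / PASSCODE_SPACE
    return 1 - p_fingerprint_fails * p_passcode_fails


if __name__ == "__main__":
    lock = PhoneLock("enrolled-right-thumb", "1234")
    print("stranger's fingerprint attempts:", [lock.try_fingerprint(f"stranger-{i}") for i in range(6)])
    print("real finger after lockout:", lock.try_fingerprint("enrolled-right-thumb"))
    print("passcode fallback:", lock.try_passcode("1234"))
    for guesses in (0, 1, 5, 10):
        print(f"{guesses} passcode guess(es): {false_accept_probability(guesses):.6f}")
```

Five fingerprint tries at 1 in 50,000 each give a stranger about 1 in 10,000, the same as one passcode guess, and the passcode path is the one that keeps accepting guesses after the sensor stops. The number to watch in any design like this is the weakest path that is always available, not the headline rate of the fancy one.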
[tinfoil hat]
But now we get to the really fun part, in case you're still not clear on why this is a gimmick at best, and a bad, bad idea at worst. Put your tinfoil hat on and follow me here for a minute.

Apple now has control of one of the largest fingerprint stores in the world (albeit mathematical representations, distributed across the devices rather than centralized ... so we're told), potentially larger by sheer size than many local law enforcement or federal databases. Remember, more than 9 million new iPhones (5s and 5c combined) were sold just over the weekend of Sept 20 - 22nd. How long until the NSA or some Federal entity comes calling and asking Apple for access to that mechanism, or asking Apple to modify the code? Feel secure right about now, do you?
[/tinfoil hat]

So why does this set back real security at least a half-decade? In my mind, we the "community" have been working very hard to change end-users' behaviors, to get them to make more complex passwords (passphrases) and not re-use them, etc. ... and now along comes Apple promising security with the swipe of a finger. And just like that ... poof, all that work we've done is out the window. Users will swipe their finger, enter 1234 as their backup passcode because the fingerprint is good enough, and we're back to where we started.

[1] CCC breaks Touch ID blog post -

Friday, September 20, 2013

Engineering Software That Is Difficult To Exploit

A recent post to the SC-L mailing list lamented an interview with an executive in which the executive stated his company's approach to software security was to raise the cost/complexity bar for exploiting their software.

The poster wrote "The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices."

I don't believe the person posting really understands the goals of software security, or is simply failing to see that these are not opposing goals. If you still delusionally believe that you can engineer all security bugs out of your code, I think you don't understand modern software security. You may also be setting some unrealistic goals.

Even though I've assisted enterprises with employing "best practices" and a plethora of tools and procedures to integrate software security into their various SDLCs, they still produce security defects/bugs. This is nearly universal. Even organizations that understand the difference between flaw and vulnerability, to quote Gary McGraw, still fail to eliminate all security defects. The answer for these groups is to make the defects that remain more difficult and more costly to exploit. There is absolutely nothing wrong with setting this as a goal, in my experience.

This approach doesn't herald giving up on writing secure software; rather, it acknowledges that ratcheting up the cost/complexity of exploitation is a valid piece of the overall software security program.
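What "raising the cost of exploitation" looks like in practice is mostly compiler and linker mitigations: a non-executable stack, position-independent code so ASLR can move the image, RELRO to protect the GOT, stack protectors. Here is an added example (mine, not from the post or the SC-L thread) of the check a practitioner runs on a shipped binary to confirm those were not silently dropped by a build flag: a small ELF64 program-header reader that reports NX, PIE and RELRO from the headers alone, plus a synthetic ELF builder so it runs offline without a real binary. It deliberately does not check stack canaries or full RELRO (BIND_NOW), which require the symbol table and dynamic section respectively; tools such as checksec cover those on real files.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56


def check_mitigations(blob: bytes) -> dict:
    """Report the mitigations a loader would honour for this ELF64 image.
    NX:    PT_GNU_STACK present without PF_X. A missing segment means the
           hardening was never requested (older kernels give such binaries an
           executable stack), so absence is reported as off.
    PIE:   e_type == ET_DYN for a main executable; without it ASLR cannot
           relocate the image and ROP gadget addresses are fixed.
    RELRO: PT_GNU_RELRO present (partial RELRO; full needs DT_BIND_NOW)."""
    if len(blob) < EHDR_SIZE or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if blob[4] != ELFCLASS64 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, blob, 0)
    if e_phentsize != PHDR_SIZE:
        raise ValueError("unexpected program header size")
    nx = False
    relro = False
    for i in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(PHDR_FMT, blob, e_phoff + i * PHDR_SIZE)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Construct a header-only ELF64 image (no code, not loadable) with the
    requested properties, so the checker can be exercised without a binary."""
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdrs = [struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8  # class, LSB, version, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


def report(blob: bytes) -> str:
    m = check_mitigations(blob)
    return " ".join(f"{k.upper()}={'on' if v else 'OFF'}" for k, v in sorted(m.items()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        print("hardened:", report(build_elf(pie=True, nx=True, relro=True)))
        print("legacy  :", report(build_elf(pie=False, nx=False, relro=False)))
```

Run it against a release artifact in CI and fail the build when any flag reads OFF; a mitigation that one engineer turned off to work around a linker warning is exactly the kind of silent regression that hands the cost advantage back to the attacker.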

Quite simply, failing to understand this results in frustration and continued alienation between security and development personnel.

Should your goal be to produce more secure software? Absolutely.

Should your goal be to force your adversary to spend more and work harder to exploit your code? Absolutely.

Are these two opposing concepts? Hell no.

Tuesday, September 17, 2013

Boogeymen from the NSA/GCHQ

If you're an American, you can't help but feel the weight of the world's disdain for the deeds the National Security Agency (NSA) has been caught at. Domestic spying, infiltration of international targets and who knows what else have given the world's hackers a target painted squarely on US interests. Private organizations and government agencies are the target for hackers seeking to make a point, like this one - a hacking of NASA websites. This has done American tech companies a massive disservice for a number of reasons...

  1. Cloud - good luck trying to sell the European Union on cloud services based in the US, or from US-based companies. Henceforth we'll have to answer for the extensive erosion of trust that the NSA has accomplished. Good luck getting your US-based cloud service sold to any organization outside the US in the near term.
  2. Hacktivism - globally, hacktivists have mobilized against the US (and UK, via GCHQ) spy agencies. The problem is that hacktivists are opportunistic and often pick low-hanging and weak targets such as the NASA site cited above. US businesses, government agencies, and anything exposed will continue to be targets into the foreseeable future for this hacktivist, anti-spying, anti-US-warmongering campaign. For the record, I'm not implying that this is something new - only that there is a renewed sense of a common enemy.
  3. Boogeymen - have you noticed that nearly every time there has been even a minor incident involving hacking, malware, or infiltration, the question of GCHQ and NSA involvement immediately comes up? This story on Belgacom's issue with malware takes up the NSA and GCHQ boogeyman, as if on cue. Of course, the accusation of infiltration by the NSA may be entirely valid, but at this point (as of this writing) it's entirely unsubstantiated, publicly.
What makes this whole thing worse is that now the mainstream media will have something to feed on for the next few months. Every intrusion, discovered hack or malware infestation will be "the NSA". Driving this type of hype is not only distracting, but can actually cause harm to those of us trying to bring sanity to the adversary conversation.

If you're on the defense - understand that you're a target even if you're not a government 3-letter agency. Keep your guard up extra, but as far as I can tell the good news is that much of this hacktivism is defacements and protest - very little of it is actually destructive or otherwise malicious.

Remember, they're from the government, they're here to help.

Friday, September 13, 2013

HTCIA International 2013 - The Leading and Trailing Edge of Technology

In the security industry, we pride ourselves on having some of the best minds in technology, with cutting-edge gear and techniques always on display. The perpetual arms race between offense and defense is just that – perpetual – but those who say that criminals are overwhelmingly winning are only partially correct. The HTCIA (High Technology Crime Investigation Association) International conference this week showcased some of the most cutting-edge technology, tools and techniques that could potentially shift the balance of power back towards the middle against the criminal element.

There is a problem with this, because even as technology, tools, and techniques move forward at a blistering pace, the trailing wave is still significantly behind. What I mean by this is that there is an atypical distribution here on the technology adoption curve. Whereas you would expect to see a bell curve heavily concentrated in the middle, and thinning to either extreme, I think (and this is a personal opinion formed from observation) that the highest concentration of the curve is shifted towards the back – the laggards – of the technology adoption curve.

When you account for enterprise, law enforcement (LEOs), and government combined on the defense, it becomes clear that the technology, tools, and techniques that are 'cutting edge' are slow to be adopted for a number of reasons. Awareness seems to be the biggest stumbling block, while budget and capability round out the top 3 reasons. Many of the folks that attended (or should have attended) the conference this past week, the ones who are most apt to get the maximum benefit from rapid advancements in technology, weren't even here … or worse, were physically here but missed many of the worthwhile sessions. Towards the middle of day 3 we saw the typical third of the audience that was there on day 1 evaporate. You can't even blame it on good weather and Las Vegas, because it was ugly, rainy and gloomy. So what was the issue? Honestly I don't know … I do see it in the technology industry (specifically security) all the time though. No one wants to speak at the end of the day, at the beginning of the 2nd and 3rd days, or on the 3rd day at all, because people bail out, tune out, or end up nursing hangovers from the parties that happen. This is a sad commentary on these types of events in general – but it's the reality. The ones who were here were generally wide-eyed, as if they had never heard of some of these things before. I know much of this gets published in journals, papers, blogs and sometimes tweets – but it somehow doesn't make it down to the practitioners. There is just a general lack of awareness of some of the advancements in the industry – and this is unfortunate. As a community, the security industry and the high-tech anti-crime community need to do a better job of getting together more than once a year.

Another issue I see is budget. Lots of the LEOs that were here, and even the enterprise folks, made it clear that while the things they saw were excellent, unless they were cheap or open-source they weren't going to be affordable. You can blame your government's ineptitude at appropriating funding for that one in part, and just a general lack of budget allocation for high-tech solutions. I could go on and on about budget, but this is a problem all around the security industry broadly – so let's not flog a dead horse any further.

The 3rd reason for the disproportionate lag in the industry, to me, is just a general lack of capability. In the law enforcement sector the transition from physical investigations to cyber has been slow and painful. Training has been sparse and at times heavily vendor-centric, which doesn't help. There was also a murmur in the halls and an almost unspoken sense in many of the talks that there just weren't enough people to staff these high-technology criminal investigations. DFIR (Digital Forensics and Incident Response) people are rarely available … and they're expensive. Affording a good investigator or incident responder is difficult for most law enforcement agencies, and even worse for smaller enterprises. Even in bigger enterprises the few DFIR specialists that can be hired quickly get overwhelmed. This is a problem now, and will continue to be a problem in the future – and a major reason why it is largely true that the bad guys are beating us.

The conference was great, and I encourage you – if you're in investigations and high-tech anti-crime – to attend next year or join your local HTCIA chapter. These types of associations and organizations need your support, your expertise, and your mentorship to help shift the balance of power closer to the middle of the teeter-totter, and improve the general state of the industry. Get involved, contribute your skills, and bring others in. This is how we will collectively raise the bar and help push the bell in the curve towards the shape it should be, rather than a simple large trailing wave.

Tuesday, September 3, 2013

Tripyarn for the common post-breach enterprise

Something interesting is happening right now in the Information Security community. I'm reading and hearing more and more discussion, papers, and blog posts refocusing efforts from preventing breaches to detecting and responding to them. This is a great thing, and quite frankly it's about damn time.

Zane Lackey from Etsy posted a brilliant talk the other day on Slideshare, and since I follow Zane I got the alert in my inbox and immediately went to check the deck out. If you've not seen it, it's right here, titled "Attack-driven defense". I love the slides, I love the idea, but I was left wanting more. Zane's ideas clearly work within Etsy – but how many environments are there out there like this? While it's clear that there are many, many enterprises facing a similar level of threat, what is unclear is how many of them can respond in the manner that Zane's presentation outlined.

The challenge, in my opinion, is adapting the Tripyarn (love the name of this…) framework, which is clearly proprietary to Etsy, to the broader small-to-medium enterprise. Enterprises that don't have a Zane and a multi-person team with the capability to write custom code. Enterprises which rely on Windows systems and servers more than they rely on Linux. Enterprises where the present threat far outweighs the ability to play defense. This is the problem space that I believe needs Zane's framework and approach most urgently … right now.

The trouble with approaches so customized to the environment they’re developed for is they can’t easily be adapted elsewhere – except in concept. The trouble with adapting a concept is that you need capability and skill – that doesn't always exist plentifully in smaller organizations.

The challenge, then, is to build a "Tripyarn" framework which can be adapted in environments from Fortune 100 massive enterprises to an enterprise which has a handful of IT security resources working through keeping patches current and encrypting endpoint hard drives. What these types of organizations need is a set of pre-built blocks (like Legos) that they can put together as fits their business and operating capability, but that still provide some incremental benefit in detecting "interesting operational deviations" which may signal a compromise, or at the very least something interesting to go investigate.
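As an added illustration (my own sketch, not Etsy's code or anything from Zane's deck) of what a "Lego block" detector that watches for operational deviation rather than matching signatures might look like: two reusable blocks, one that fires the first time a principal is seen with an attribute value it has never had before (after a learning period), and one that fires on a rate spike over a sliding window, fanned out over a handful of constructed login events. The event field names, the source addresses and the thresholds are all assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample events (not real logs); t is seconds since some epoch.
SAMPLE_EVENTS = [
    {"t": 0,    "user": "alice", "src": "10.0.0.5",    "action": "login_ok"},
    {"t": 60,   "user": "bob",   "src": "10.0.0.9",    "action": "login_ok"},
    {"t": 120,  "user": "alice", "src": "10.0.0.5",    "action": "login_ok"},
    {"t": 3600, "user": "bob",   "src": "10.0.0.9",    "action": "login_ok"},
    {"t": 7200, "user": "alice", "src": "203.0.113.7", "action": "login_ok"},    # new source for alice
    {"t": 7201, "user": "bob",   "src": "203.0.113.7", "action": "login_fail"},  # new source for bob ...
    {"t": 7202, "user": "bob",   "src": "203.0.113.7", "action": "login_fail"},
    {"t": 7203, "user": "bob",   "src": "203.0.113.7", "action": "login_fail"},
    {"t": 7204, "user": "bob",   "src": "203.0.113.7", "action": "login_fail"},  # ... and a 4th failure in 60 s
    {"t": 7300, "user": "bob",   "src": "10.0.0.9",    "action": "login_ok"},
]


class FirstSeen:
    """Fires when `key` is paired with a `value` it has never been paired with
    before. Events before learn_until only populate the baseline, silently."""

    def __init__(self, key: str, value: str, learn_until: int):
        self.key, self.value, self.learn_until = key, value, learn_until
        self.seen = defaultdict(set)
        self.name = f"first_seen:{key}->{value}"

    def feed(self, ev: dict):
        k, v = ev[self.key], ev[self.value]
        if v in self.seen[k]:
            return None
        self.seen[k].add(v)
        if ev["t"] < self.learn_until:
            return None
        return {"block": self.name, "t": ev["t"], "key": k, "detail": f"new {self.value}={v}"}


class RateSpike:
    """Fires when more than `threshold` events with `action` occur for the
    same `key` within a sliding `window` of seconds. Fires once per
    crossing, then re-arms when the burst subsides, so one incident is one
    alert rather than one per event."""

    def __init__(self, key: str, action: str, window: int, threshold: int):
        self.key, self.action, self.window, self.threshold = key, action, window, threshold
        self.times = defaultdict(deque)
        self.tripped = set()
        self.name = f"rate_spike:{action}>{threshold}/{window}s"

    def feed(self, ev: dict):
        if ev["action"] != self.action:
            return None
        k, t = ev[self.key], ev["t"]
        q = self.times[k]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            if k in self.tripped:
                return None
            self.tripped.add(k)
            return {"block": self.name, "t": t, "key": k, "detail": f"{len(q)} in {self.window}s"}
        self.tripped.discard(k)
        return None


def run(blocks, events):
    """Fan every event out to every block, in time order; collect what fires."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        for block in blocks:
            hit = block.feed(ev)
            if hit:
                alerts.append(hit)
    return alerts


def demo():
    blocks = [
        FirstSeen(key="user", value="src", learn_until=3600),
        RateSpike(key="user", action="login_fail", window=60, threshold=3),
    ]
    return run(blocks, SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Neither block knows anything about a specific attacker tool, which is the point: swapping `src` for a user agent, an AWS account, or a process name gives you a new block without new code, and a small shop can start with two of these on top of whatever logs it already has and add blocks as capability grows.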

I think tonight we may have seen the beginnings of this, and I suspect before long there will be a group working together, from enterprises big and small, to deliver a defensive framework that isn't pattern-based, so it can't simply be "evaded", but that is highly effective at detecting interesting things with a high likelihood of being security-relevant. I'm hopeful that Zane's presentation and slides have started something, finally, and that we'll get past the "break everything" over-focus on offensive breaking and get into a more offensively minded defense that actually is innovative.

If this sounds interesting to you, let me know, there is lots of room for ideas and collaboration here.