Down the Security Rabbithole, The Blog. Herein are thoughts, ideas, musings of my own making. I invite you to think freely, respond, or share. Together we move intellectual thought on our industry forward.
Thursday, September 26, 2013
Why Your Unified Identity May Just Be FaceBook
Today we are seeing this happening all over the place, mainly in the consumer online world. You can now log into several of your favorite websites and applications simply using your FaceBook identity. FaceBook verifies you know your password and are likely you, then federates (tells the 3rd party) that it has verified your credentials. Again, this is primarily happening in the consumer space right now, and while it's becoming more pervasive it's still a nice to have because almost every site still offers you the ability to create your own username and password. But ... let's be honest here, the convenience you get of having a single password to remember that works for many other places is hard to pass up and many of us (your humble blogger here included) simply acquiesce.
Is this really a good idea?
The answer to the question of whether this type of activity is a good idea or bad idea lies in whether you believe that individual web identities are manageable (I do not), and whether you trust yet another website with managing your credentials properly over FaceBook (I believe this is likely a toss-up, with FaceBook getting the benefit of the doubt).
Look, you're not good at managing the hundreds of websites, applications, and places where you have to create yet another username and password pair. Believe me when I say this because I know I'm terrible at it and I have to be paranoid for a living. I can probably remember ~15-20 site/app and credential pairs relatively sanely while using reasonably complex passphrases and passwords. Anything beyond that and I'm forced to re-use ... yep, I do it too. Let's face it though, the truth is that if I have 1 username/password combination for all the sites I'll never go back to again that have nothing really private about me, I don't care and neither do you.
So let's look at FaceBook. They've had many years to increase security in their authentication mechanism and federation system. I won't even insult your intelligence by saying they're secure, but they work very hard at knowing who you are, and being sure it's actually you. Why? Simple - this is how they make money, by getting good tracking data on you. Double-edged sword folks.
Do you really want to give FaceBook the power?
Well, the simple answer to this question is heck no. Although ... you have to ask yourself what privacy you're additionally giving away and if the juice is worth the squeeze. Are you willing to maintain that thin illusion of privacy by trying to manage potentially hundreds of logins and credentials? I'll save you the brain cycles - the answer is really no.
The other thing here, if I'm honest, is that FaceBook probably already tracks you on many of those sites anyway ... seriously. I'm not saying this makes it OK by any stretch of the imagination, but ... maybe... ?
Yes, we're inching towards a situation where the folks over at FaceBook are going to hold incredible analytical capabilities when it comes to who we are, what we do, what we buy, where we visit and just about every aspect of our digital lives in exchange for the convenience and added security of safe-guarding that information to a single central party over hundreds or thousands of organizations we know we don't trust.
So what if FaceBook gets compromised? Great question.
You probably use something similar to 1Password (if you're smart) to manage all of your web presence and logins ... right? What if they get compromised? That's just a risk we take, it's a calculated risk based on the fact that we know your passwords are stored in a database that requires your passphrase to unlock. Could someone insert malicious code into that application by compromising that password management group - of course. Will they? Maybe. The fact is I would rather have that single point of failure - if I can be reasonably sure it's well-defended - than hundreds of poorly defended ones.
The real issue is the future...
The real issue is this article right here - "FaceBook wants to make mobile payments easier with 'AutoFill'" ... there are many that sprang up overnight reporting on the same issue. The question isn't only whether FaceBook will become the de facto standard for Internet-enabled identity, but how pervasive that identity will become. If you can not only log into, but also quickly pay using your FaceBook identity - would you subscribe? I'm guessing those of you who think like I do are saying to yourselves "Hell no!". The truth is that your family members, colleagues and friends can't wait to jump in on this.
Why, you ask? Simple. It simplifies your life. As your life in the real world melts more and more into your digital persona, services like FaceBook's "AutoFill" will become increasingly popular and useful. No doubt in my mind.
Alright, I'm worried
...and you should be, but probably not for the reasons you're thinking.
This trend troubles me because the war over your online and physical identity is being fought fiercely in the background and no one appears to be taking notice. Security professionals aren't noticing, privacy professionals aren't noticing in large parts - and I don't see or hear a lot of talk about this.
Can FaceBook swallow the world, and become a reasonably secure global federated identity provider? I think the chances of this are likely, and they've probably got this on their business plan because they're smart. Will Google keep trying to oppose them - heck yes. Should we all take notice and start to look at the way FaceBook manages our authentication and federates (including WHAT access it gives to your information to the party they federate out to) - absolutely.
I think this is the final frontier in the collision of our still-separate physical and digital lives. Once the identities melt together into a single federated FaceBook (or whoever wins this war) identity, the game will again change.
You'll notice this post hasn't even begun to tackle the topic of authorization yet - that's another story for another time.
I'm curious what you think ... am I totally off my rocker? Chat me up on Twitter @Wh1t3Rabbit and let's hear what you think.
Monday, September 23, 2013
Apple's Touch ID - a gimmick or real security?
"So hyperbole aside, #Apple just set back "real security" several years with this fingerprint gimmick (for the masses)? Awesome."

That was supposed to be a bit ironic; some people got that, others got mad at me, and some responses were insightful. I've been thinking a lot about the Touch ID that Apple has released with the latest version of the iPhone, the 5S. For me it all comes down to the opening paragraph of the above-referenced page on Touch ID:
"Much of our digital lives are stored on our iPhones, and everyone should use a passcode to help protect this important information and their privacy. Unfortunately, not everyone does; more than 50 percent of smartphone users don't use a passcode. Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike. Touch ID is a seamless way to use your fingerprint as a passcode. With just a touch of the Home button of your iPhone 5s, the Touch ID sensor quickly reads your fingerprint and automatically unlocks your phone. You can even use it to authorize purchases from the iTunes Store, App Store, and iBooks Store."

Before we get into this, let me first give credit to Apple for good things they've done with the latest version of the iPhone and beyond. First, they've forced everyone to put in a passcode - this is already a leap forward. I've been telling people to protect their phones with a passcode, but it seems like every day I see someone new who isn't following that line of thinking and I have to explain all over again. So this push to something is better than nothing. Also, a 1 in 50,000 chance is always better than a 1 in 10,000, but when you consider many people never even used the passcode feature before this version of the phone - this seems kind of irrelevant. I wonder if Apple has statistics on how many people never enable the passcode at all; I'd be much more interested in that - although I suspect no one will ever give this information out, unfortunately.
Now - let me explain why I call Touch ID a gimmick. But one more thing... let me tell you what I'm taking as truth here...
- Apple is a largely consumer-based company, and markets primarily to the consumer
- The consumer demographic doesn't necessarily know the difference between good security and the stuff they see in the movies
- If you put 1 and 2 together above, you get "What Apple says people believe as gospel" for a large part of their user base (in other words: not for everyone)
OK, now that you understand where I'm coming from, let me move on.
To explain why I believe Touch ID is a gimmick I will simply cite two sources on the subject. First, a presentation from PacSec 2006 (that's right, 7 years ago) on the quality and worthiness of fingerprint readers as authentication mechanisms. You should walk through those slides on your own (Apple probably missed them), but if you're in a pinch let me sum it up for you with the conclusion Starbug reaches:
"Don't use fingerprint recognition systems for security relevant applications!"

You're probably saying to yourself, "self, but this application isn't necessarily high security" and I would agree with you if you weren't wrong. The problem is that this fingerprint application is the key to your phone, and can be set up to authorize purchases as Apple tells us. As soon as this catches on the average user will be asking for Touch ID to be the authenticator of choice for FaceBook, Twitter, and other authentication type applications. Trust me, it'll happen. Right - but there's a 1 in 50,000 chance of your fingerprint colliding with (being close enough to) someone else's, right? Except that after 5 unsuccessful attempts you still have to use your passcode, so you don't get the full 50,000 tries. Wait. Then we're back to the 1 in 10,000 4-digit passcode? That can't be right ... the logic doesn't make sense here. Does it make sense to you?
OK, moving on. Instead of trying to tell you why I think fingerprints are a bad idea for authentication, I'll just point you to Dave Aitel's "Daily Dave" mailing list, which quotes Dave ...
"...[T]here are two important reasons why biometrics won't work, and why the old-fashioned password is still a better option: a person's biometrics can't be kept secret and they can't be revoked...Since a person can't change their fingerprint or whatever biometric is being relied upon, it's 'once owned, forever owned.' That is biometrics' major failing and the one that will be hardest to overcome." - Dave Aitel, USAToday, 12 September 2013

So let me sum it up for you...
- Because it's Apple, you'll now have a massive user base believing fingerprints are infallible, and likely be demanding this type of authentication for more applications (psst! your enterprise application is next)
- Your super-secure fingerprint vault and amazing scanner (1 in 50,000 chance of collision) still defaults to a simple passcode (1 in 10,000 chance of guessing) after 5 failure guesses
- Your fingerprint is relatively simple to find, and duplicate because it's not secret
- You can't change your fingerprint once it's copied and compromised (oh oh)
But now we get to the really fun part, in case you're still not clear on why this is a gimmick at best, and a bad, bad idea at worst. Put your tinfoil hat on and follow me here for a minute.
Apple now has control of one of the largest fingerprint stores in the world (albeit mathematical representations, and distributed ... so we're told), potentially more than many local law enforcement or federal databases - by sheer size. Remember there were more than 9 million iPhone 5S's sold just over the weekend from Sept 20 - 22nd. How long until the NSA or some Federal entity comes calling and asks Apple for access to that mechanism, or asks Apple to modify the code? Feel secure right about now, do you?
[/tinfoil hat]
So why does this set back real security at least a half-decade? In my mind, we the "community" have been working very hard to change end-users' behaviors and to get them to make more complex passwords (pass-phrases) and not re-use them, etc... and now along comes Apple promising security with the swipe of a finger. And just like that ... poof, all that work we've done is out the window. Users will swipe their finger, enter 1234 as their backup pass-code because the fingerprint is good enough, and we're back to where we started.
[1] CCC breaks Touch ID blog post - http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
Friday, September 20, 2013
Engineering Software That Is Difficult To Exploit
A recent post to the SC-L mailing list lamented an interview with an executive where the executive stated his company's approach to software security was to raise the cost/complexity bar for exploiting their software.
The poster wrote "The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices."
I don't believe the person posting really understands the goals of software security, or is simply failing to understand that these are not opposing goals. If you still delusionally believe that you can engineer all security bugs out of your code, I think you don't understand modern software security. You may also be setting some unrealistic goals.
Even though I've assisted enterprises with employing "best practices" and a plethora of tools and procedures to integrate software security into their various SDLCs, they still produce security defects/bugs. This is nearly universal. Even organizations that understand the difference between flaw and vulnerability, to quote Gary McGraw, still fail to eliminate all security defects. The answer for these groups is to make defects more difficult and more costly to exploit. There is absolutely nothing wrong with setting this as a goal, in my experiences.
This approach doesn't herald giving up on writing secure software, but rather acknowledges that ratcheting up the cost/complexity of exploitation is a valid piece of the overall software security program.
Quite simply, failing to understand this results in frustration and continued alienation between security and development personnel.
Should your goal be to produce more secure software? Absolutely.
Should your goal be to force your adversary to spend more and work harder to exploit your code? Absolutely.
Are these two opposing concepts? Hell no.
Tuesday, September 17, 2013
Boogeymen from the NSA/GCHQ
- Cloud - good luck trying to sell the European Union on cloud services based in the US, or from US-based companies. Henceforth we'll have to answer for the extensive erosion of trust that the NSA has accomplished. Good luck getting your US-based cloud service sold to any organization outside the US in the near term.
- Hacktivism - globally, hacktivists have mobilized against the US (and UK via GCHQ) spy agencies. The problem is that hacktivists are opportunistic and often pick low-hanging and weak targets such as the NASA site cited above. US businesses, government agencies, and anything exposed will continue to be the target into the foreseeable future for this hacktivist, anti-spying, anti-US-war-mongering campaign. For the record, I'm not implying that this is something new - only that there is a renewed sense of a common enemy.
- Boogeymen - have you noticed that nearly every time there has been even a minor incident involving hacking, malware, or infiltration, the question of GCHQ and NSA immediately comes up? This story on Belgacom's issue with malware takes up the NSA and GCHQ boogeyman, as if on cue. Of course, the accusation of infiltration from the NSA may be entirely valid, but at this point (as of this writing) it's entirely unsubstantiated, publicly.
If you're on the defense - understand that you're a target even if you're a government 3-letter agency. Keep your guard up, but as far as I can tell the good news is that much of this hacktivism is defacements and protest - very little of it is actually destructive or otherwise malicious.
Remember, they're from the government, they're here to help.