when you find the need to go beyond documentation.. IDentity EnAbled Services

“Secure web application development has become imperative due to the new PCI-DSS mandate. Companies who choose to adopt the form of training offered by SCIPP will benefit from a trustworthy yet cost-effective security awareness program.”

~Howard A. Schmidt, former CISO for Microsoft and ebay, SCIPP Advisory Board Member

A free webinar on "Security Awareness Requirement for Web Application Developers"

WHEN: Wednesday, October 22, 2008

TIME: 1:30pm - 2:00pm EST

TOPIC: "PCI-DSS ALERT: Complying with the NEW Mandatory Security Awareness Requirement for Web Application Developers"

PRESENTER: Dow Williamson, CISSP, Executive Director.

CHANNEL: IT Certification and Training

Webinar: http://www.brighttalk.com/webcasts/1220/attend

How Important is Security ?

Estimates Put T.J. Maxx Security Fiasco At $4.5 Billion

The security Breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion, according to the calculations of a database security company.

NY Bank ‘loses’ 4.5M unencrypted customer records

In yet another unbelievable story of data irresponsibility, the Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals. Third-party vendors misplaced the tapes during transport to off-site locations. According to the bank, the tapes "included shareowner and plan participant account information, such as name, mailing address, social security number, and transaction activity."

Save the Date attend the webinar on the 10th of October 2008 @ 1:30 PM EST.

In todays world, where we all talk so much about identity management, identity theft and security, we get blindsided by the framework that dictates the workflow. We all have our arguments and justifications of how identity management can enable security and also inadvertently lower the risk of identity theft. Mark Dixon has a very nice post on identity problems. Sara Gates have a nicer one on "accelerate without fear", Robin Wilton has one on "identity fraud, not as we know it". All said and done, there's also the much talked about infocard, and Microsofts definitions of the "Laws Of Identity". I was reading between Sara Gates response to Dave Kearns post on Identity Theft. when I stumbled on Kim Camerons post on "Identity Information Theft versus Identity Theft". But hey !! hold on a second here... I just didnt get Dave's point... Dave goes on to say

Data breaches are a security concern, just as are stolen laptops (some of which hold identity data). But, so far, none have been shown to lead to identity fraud. There are few if any cases in which identity data was deliberately stolen in an online transaction.

in a post titled "How real is the threat of ID theft when holiday shopping online?" is he kidding by saying "There are few if any cases in which identity data was deliberately stolen in an online transaction" Yes, The Holiday shopping period can be considered "approached" rather than "soon approaching". I have found myself shopping online like crazy... AND THEN !! I read Dave Mathews, report on "Man In The Middle Attack". Hey SSL is good and thats what I relied on all this while when I shopped online... SSL specifications were initially drafted by Netscape, & the Sun-Netscape Alliance released the PKI Library Source Code to the community on 2000. Microsoft adopted it too (someone correct me if i'm wrong here) and Internet Explorer was built to support HTTPS transport. Well but after hearing the Dave Mathews, report on "Man In The Middle Attack", I am a bit reluctant to use Internet Explorer without being 100% sure of the security that the application itself provides me with. So: Is Identity Theft all about ensuring the authenticity of the "user/consumer". What about the Applications and Sevice Providers and their authenticity ?. Should it not be a two way trust? I understand the fact that service providers need to ensure that the user is who he/she claims to be, but at the same time I believe that the user also needs to be able to trust the service provider and the transport layer in between. What IF I inadvertently provide my "valid" credentials to some I believe to be a service provider ? Well, it's the "Man In The Middle" that I'm worried about. Identity Management frameworks today are all about protecting the interests of the "service providers". But what about us the consumers? has anyone given a thought to that ? Bill Gates had made an announcement about vintela being the Microsoft preferred vendor for extending Microsoft management technologies to Unix, Linux, and Macintosh systems. HEY !!! when Microsoft could not get a SSL implementations in Internet Explorer right, would I trust them to do "Identity Management" ? and that too with Active Directory as the backend ?

What IS clear is that Microsoft bought one of the first "metadirectory" companies (Zoomit) and is using their technology bits to build interfaces between Active Directory and the rest of the world.

HEY !! Didnt Kim Cameron come with it ::no offense Kim. ? (hint: remember: sun bought innosoft, and I believe that innosoft was also a forerunner in the "metadirectory" space.) Didnt Kim Cameron propose the Identity Metasystem? SO: Is the Identity Metasystem based on an Active Directory backbone and Internet Explorer Integration in mind ? (I'm not theorizing a conspiracy or anything here... I'm just thinking out loud) WOW !! I'm already SO lost in my OWN POST.... (I need a technical writer to help me I guess...) But however, my basic point is... WHO DO I TRUST ? YOU TRUSTING ME COMES LATER.... UPDATE :If I had the assurance that the service provider I was interfacing withg was using a SECURE COMPUTING structure and/or framework, I'd be more trusting of the vendor/service provider i'd deal with... (hint hint hint... see Sun's Suite Of Security Products...)

Microsoft has been condemning, the practice of using NON SSL browsing methods, especially for online banking. However, Bank of America, Wachovia and Chase, as well as financial services giant American Express have decided to not concurr with this approach according to this report on NetCraft.

Netcraft's SSL Survey provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.

I had blogged about Secure Passwords last month, and had mentioned the usage of a Password Hasher using JavaScript. If these banks DO NOT want to have HTTPS enabled on their high traffic login pages, they could at least use the Password Hasher to encrypt the data sent back to the server. I feel glad that this time I agree 100% with microsoft on their stance on SSL and NON SSL usage. Well, I also do understand the Bank's need for using NON-SSL for high volume traffic sites. But one should draw a line somewhere and not compromise the security of their customers Identity and credentials ! (and that too in this world of Identity Theft). NOW, that's where they should be looking at Access Manager. If they let Access Manager broker their authentication requests, they could continue using HTTP for high traffic pages and then when the user tries to access his online banking information Access Manager could Authenticate them over HTTPS (ah! did I forget to mention that Access Manager authenticates using TOKENS and not TICKETS), and well, with the complexities of the policies and rulesets that Access Manager can handle, the server serving up "critical" information could all be served securely. Did I also forget to mention that we have a Secure Remote Access Gateway too?

SOMEBODY !! Talk to these Banks Please...

GLSA 200507-13

1. Gentoo Linux Security Advisory
Version Information

Advisory Reference GLSA 200507-13 / pam_ldap nss_ldap
Release Date July 14, 2005
Latest Revision July 14, 2005: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
sys-auth/nss_ldap < 239-r1 >= 239-r1, 226-r1 All supported architectures
sys-auth/pam_ldap < 178-r1 >= 178-r1 All supported architectures

Related bugreports: #96767

Synopsis

pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text.

2. Impact Information

Background

pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications.

Description

Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting.

Impact

An attacker could sniff passwords or other sensitive information as the communication is not encrypted.

3. Resolution Information

Workaround

pam_ldap and nss_ldap can be set to force the use of SSL instead of TLS.

Resolution

All pam_ldap users should upgrade to the latest version:

Code Listing 3.1

# emerge ——sync
# emerge ——ask ——oneshot ——verbose ">=sys-auth/pam_ldap-178-r1"

All nss_ldap users should upgrade to the latest version:

Code Listing 3.2

# emerge ——sync
# emerge ——ask ——oneshot ——verbose sys-auth/nss_ldap

4. References

CAN-2005-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
 
http://www.gentoo.org/security/en/glsa/glsa-200507-13.xml

When I was working on a project a long time ago, I had implemented a zero knowledge Login module for the Sun Java Systems Access Manager (formerly known as identity server). Here I find myself again trying to advocate the use of zero knowledge password authentication techniques for web aplications and am having to explain and provide information to all those folks who are not aware of this authentication method. Well, I thought that it would be good to post a small blog on the same subject with links to all those resources online which can give you a pretty good idea of what zero knowledge password protocol (ZKPP) is all about.

In short: a zero-knowledge proof is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement. A zero-knowledge proof must satisfy three properties:

• Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
• Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
• Zero knowledgeness: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

The first two of these are properties of more general interactive proof systems. The third is what makes the proof zero knowledge.

Phoenix Systems has a product called SPEKE (simple password-authenticated exponential key exchange) which uses this technology. For those who would like to obtain an off the shelf product that emabled zero knowledge password protocol authentication SPEKE is a good start. Wikipedia has a very good explanation on ZKPP. This paper on Secure Login Protocols is another good resource for learning more about ZKPP. Hannu A. Aronsson from the Helsinki University of Technology also has a very nice paper on Zero Knowledge Protocols and Small Systems. Thomas Wu from Stanford University has a paper on The Secure Remote Password Protocol which gives a very nice background of the framework and the logistics behind implementing a ZKPP authentication structure.

Stanford University SRP Authentication Project hosts a JavaScript based DEMO of the Secure Remote Password Protocol. I RECOMMEND THIS DEMO TO ALL READERS OF THIS BLOG

RSA Security has a nice writeup by example on how the ZKPP system works. For those seeking ore information on ZKPP, Google the term and you'd find volumes of information on the subject.

& Hey !! The ZKPP Authentication Module atop the Sun Java Systems Access Manager, would make your network more than just comply with the term "SECURE"

Well, is this something we all should fear? I do think so; and here's why?

Al Taqwa bank, part of a network of financial companies named by the Bush administration as a major source and distributor of funds for Osama bin Laden's terrorist operations, has shareholders that include prominent Arab figures from numerous countries in the Middle East. Al Taqwa was a so-called "hawala" operation (an informal word-of-mouth system that keeps no records and relies on trust) that facilitated transfers of cash between agents worldwide. The bank also used correspondent accounts : accounts that banks have in other banks -- to transmit cash to its agents. Source: salon.com.

Also read The Counterterrorism Blog

So: Now you DO remember Sept 11 dont you ?. Well, Read this

Citigroup owns 23 percent of Saudi American Bank, the second- largest Saudi bank, known as Samba. ``Samba follows the same anti- money laundering rules as Citi, but it also complies with local (Saudi Arabian Monetary Agency) regulations,'' said Andrea Hurst, a spokeswoman for Citigroup.

So: In short, Citigroup is owned by Saudi Arabians, or am I making this up ?? Well, I have been told that a majority of the shareholders in Citigroup ARE Saudi Arabians. I am not so sure on whether this is true or not, However, you could research this for me and post your findings here. So anyway, why am I posting CitiBank's Boo Boo alongwith references to Sept 11th, Well, I Just hope it's not true, BUT, If CitiBank has lost huge volumes of it's customer data, AND if Saudi's DO have a huge stake in CitiBank, and IF this lost Data falls into the hands of folks that it was not meant to be, Well, Houston we sure do have a problem. Remember those Phishing emails we all receive, Well, expect that number to just increase from now on. Citibank is the largest financial group in the world and has long been a target for computer criminals. Computer criminals use "phishing" to gather confidential information from bank customers. But this "lost tapes" episode makes it all the more easy for them. There already has been a "HIT" All said and done; If YOU happen to be a citibank customer and are worried about this; CitiFinancial is inviting customers to enroll via a toll-free number, 1-888-469-8603, in a free credit monitoring service for 90 days.

"Jot Down Your Passwords" : said Jesper Johansson the senior program manager for Security and Policy Services at Microsoft Speaking on the opening day of the AusCERT conference at Australia's Gold Coast Resort. He continued to say He's got a point in what he's saying. Organizations enforce password policies on all their enterprise applications, sometimes strict and sometimes, weak. However the mininal feature that these password policies have is that they all expire in a pre determined period and sometimes we cannot use the same password as what had used before (or it just cannot be the same as the previous 6 password changes). This makes it extremely hard over a period of time to come up with really strong passwords and more importantly remember them. Well, I have forgotten quite a few myself, and then asking for a password reset with the support folks absolutely goes against the intent of the organizations establishing a "self service" portal for their employees. Then on the other hand, writing down passwords on a piece of paperas suggested by Johansson is simply ridiculous. The probability of that very piece of paper getting into the hands of a unintended recipient is extremely high.

I then remembered, Yahoo's webmail service allows their users to login to their mail accounts with a YahooID and password over HTTP. They DO have a feature where the user can switch to a secure mode and then enter his "login credential" and submit it over HTTPS. But how many folks really cick on the term "secure". If one types in https://mail.yahoo.com in their browsers address bar, they are immediately prompted with a WARNING that he certificate presented DOES NOT match the URL (because the cert is issues to login.yahoo.com instead of mail.yahoo.com.). WOW!!! So I did a little more digging around yahoo, and I found out that they are using this NEAT open source script by Paul Johnston which is a JavaScript implementation of the RSA Data Security, Inc. MD5 Message Digest Algorithm, as defined in RFC 1321. Thats a real cool one. I was impressed, (not with Yahoo, but Paul Johnstons script). NOW Thats a way in which passwords can be kept safe. So I went ahead and used that very same script (from yahoo/pajhome)on this site and modified it a little bit to concatenate 2 strings and here's what I came up with: A JavaScript version of obtaining a MD5 Hashed equivalent of you password thats unique for each site you use it on. Which obviously means that if your password is "hello" then the MD5 equivalent of that password on "sun.com" would be different from "yahoo.com".

Cheers !!! :: & I am really looking forward to your comments on this.