Strong Authentication
The Evils of Password Reset
So my buddy Shimmy did his best imitation of My Little Pwnie last week. Basically his blog account was compromised, which seemed to yield information on one of his webmail accounts and from there, it was game over. His domain was hijacked, credit card information published, amongst other things.
Basically it was a nightmare, and agonizing for both Alan and his family to be victimized by what can only be termed a hate crime.
Alan has talked a bit about it, and hopefully we'll learn more soon since I believe this is a great opportunity to educate a lot of folks about what to do when they've been compromised. The sad thing is that Alan had to call in a bunch of chits to get activity from some of his service providers. This is while his blog is being redirected to a pretty nasty site.
Clearly anyone with a website and/or an email address needs to have a scripted plan when you get pwned. I'm not sure if Alan did or not, but he seemed to handle the situation as well as can be expected. So if you don't have your own containment plan documented, get to work. It's important.
But that's not really what I want to discuss, relative to Alan's issue. It's the interdependence of many of these web services. Things like web mail, or your domain registrar, or a DNS service, or your banking/credit card accounts. All of these are online and pretty much all have a "password reset" capability, which probably all filter into one (or many) email accounts.
Clearly for anyone that has forgotten a password (happens to me at least once a week), these password resets are a life saver. Anyone who has suffered having to wait a week for their airline to resend a 4 digit passcode to get into their frequent flyer account knows what I'm talking about.
And password reset is also a huge benefit to the web site. Not having to deal with forgetful idiots like me saves them a lot of money as well.
Lest we forget, password reset is also one of the bad guy's best friends. The fact is that if someone can own the email account where your password reset requests are routed, then it's game over. They can reset all of your passwords and lock you out of your own life. Now that's a bad day.
Most folks use webmail because it's convenient. I know I do. But with that convenience comes this clear and present danger. If via some type of sidejacking, or man in the middle, or XSS, or even CSRF the bad guys get into your webmail and start resetting your passwords, you are done.
So what do you do? I guess one option is to pray. Though I'm a bit skeptical that will work over the long term. You can also use strong passwords. That's what I do. Really strong passwords. But that's not a panacea.
You can also hope that most of these websites require some security questions to be answered before they actually reset the password. In my experience, some do and some don't. And I don't want easy questions like my mother's maiden name. It should be stuff that would be hard to know without being me. Like my 7th grade science teacher. If you can figure that one out, then you deserve to be in my account. You are really good.
What I'm thinking is that we need to protect the email account that does password reset. Optimally I'd like to use an account that is not obvious (like not my typical work or personal address) and not a web based account - so it won't be subject to typical XSS or other web attacks. This is a bit of security by obscurity. If it's a domain you don't know I own, it would be hard to specifically target it.
Then you lock down the account to the best of your ability. Clearly you use a strong password on this "reset" account. And maybe you only access the account over secure IMAP, and only from one of your trusted machines.
You use the "reset" account as the email of record for the sensitive accounts. Things like banking, credit cards, ecommerce (if you have your credit card stored there), DNS, domain registration, web site hosting, etc. Basically any place where, if that account is owned, it would be bad. Maybe you have a few "reset" accounts, just to diversify the risk a bit.
And to be clear, this is really a pain in the ass and it is not truly an answer. You can still be compromised. But you would be making it a bit harder. Building walls, so if one account is pwned, you don't fall like a house of cards.
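To make the "house of cards" point concrete, here is an added example (my own illustration, not code from the post) that models a set of accounts and which mailbox each one's password reset lands in. It then walks the dependency chain from a single compromised mailbox to see how many accounts fall with it, comparing the everything-goes-to-webmail setup with the split "reset account" scheme, and with a split scheme that was botched because the reset mailbox itself resets through webmail. All account names and inventories are constructed.

```python
"""Blast radius of a mailbox compromise across a set of online accounts.

Added example, not from the original post. Each account routes its
password-reset mail to some mailbox; owning that mailbox lets an attacker
reset every account pointing at it, and if one of those accounts is itself a
mailbox for other accounts the chain continues. All data is constructed.
"""
from collections import deque

# Everything resets through the daily webmail inbox (the situation the post warns about).
SINGLE_WEBMAIL = {
    "webmail": None,            # None = no reset dependency modelled for this mailbox
    "blog": "webmail",
    "registrar": "webmail",
    "dns": "webmail",
    "bank": "webmail",
    "credit_card": "webmail",
    "ecommerce": "webmail",
}

# The post's scheme: sensitive services reset through dedicated, non-obvious mailboxes.
SPLIT_RESET = {
    "webmail": None,
    "reset_infra": None,        # dedicated reset mailbox for infrastructure accounts
    "reset_money": None,        # dedicated reset mailbox for financial accounts
    "blog": "webmail",
    "registrar": "reset_infra",
    "dns": "reset_infra",
    "bank": "reset_money",
    "credit_card": "reset_money",
    "ecommerce": "reset_money",
}

# Same scheme, but the infrastructure reset mailbox has its own recovery address
# set to the daily webmail inbox, which silently re-links the chain.
SPLIT_BUT_CHAINED = dict(SPLIT_RESET, reset_infra="webmail")


def dependents(inventory):
    """Invert the inventory: mailbox -> set of accounts whose reset it receives."""
    graph = {}
    for account, mailbox in inventory.items():
        if mailbox is not None:
            graph.setdefault(mailbox, set()).add(account)
    return graph


def blast_radius(inventory, compromised):
    """Return every account reachable by resets once `compromised` is owned.

    Breadth-first walk over the reset graph: owning a mailbox yields all
    accounts that reset through it; any of those that is itself a mailbox
    for further accounts is walked in turn.
    """
    graph = dependents(inventory)
    owned = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for account in graph.get(current, ()):
            if account not in owned:
                owned.add(account)
                queue.append(account)
    return owned


def worst_case(inventory):
    """Size of the largest blast radius over every possible single starting point."""
    return max(len(blast_radius(inventory, acct)) for acct in inventory)


if __name__ == "__main__":
    for name, inv in (("single webmail", SINGLE_WEBMAIL),
                      ("split reset", SPLIT_RESET),
                      ("split but chained", SPLIT_BUT_CHAINED)):
        reach = blast_radius(inv, "webmail")
        print(f"{name}: owning webmail reaches {sorted(reach)}")
        print(f"{name}: worst single compromise owns {worst_case(inv)} of {len(inv)} accounts")
```

The interesting number is the worst case, not the webmail case: splitting resets caps what any one mailbox compromise can reach, but only if the reset mailboxes do not themselves recover through the inbox you use every day.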
Alan suffered significant pain through this situation. Shame on us if we don't learn some lessons and work a bit harder to make sure it's not us next time.
Photo credit: "berlin_my little pony" originally uploaded by madchenkrawall
Report Card: 2007 Incite #8 - Identity Everywhere
Let's keep plugging along. This Incite deals with Identity. Not just from the standpoint of who you are and what you are supposed to have access to, but also how identity information is increasingly being integrated into the fabric of our computing infrastructures.
Incite #8 - Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-8-identity-everywhere
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007
Final grade: C
Let’s start off with the positive. Cisco TrustSec. ‘Nuf said.
OK, it’s probably not enough, but it should be. Cisco finally jumped on the identity-aware bandwagon in December with its TrustSec architecture, which is basically just validating everything that everyone else has been saying for a long time. You can’t really separate out who you are, from what you are allowed to get to. Moreover, you need to enforce that as close to the network fabric as you can.
But the rest of the Incite was a bust. Mutual authentication is not really happening because the banks have no incentive to make it happen. Sure some of them are making a half-assed attempt to train their users about little marks or SiteKeys or something else, but these have had precious little impact on fraud.
The extent of directory store integration with the network is for the devices to suck information from an LDAP data store and then use it to set policy. It’s not like they are externalizing any of their policy or storing that policy in the directory store – now are they?
Finally, the idea of an “identity network” has been a real bust. You can get your little token from PayPal, but then what? Again, I was a bit optimistic here because I know it’s something that should happen – but I forgot the importance of a profit motive.
The reality is there just isn’t a real compelling need. It would be convenient for me as a customer to be able to use the same set of credentials in a lot of different places, but I’m not going to stop buying stuff from Amazon because they don’t play nice. So I’ll put this one in the “swing and a miss” bucket and look forward to getting closer in 2008.
Check out the other posts in the Report Card series.
2007 DOI: Day 8 - Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Read the rest of the 2007 Incites here.
Identity is one of those words that security professionals hate. It can mean everything to everyone, or nothing to no one. Most folks think Identity just refers to single sign-on and provisioning, which remains a pretty big business. But I’m pulling back on my direct coverage for IdM topics, because it’s big, ugly and pretty much every vendor sounds the same.
Which makes it a lot different than the rest of the security disciplines I follow. NOT!
But back to the topic. Identity is increasingly being used as differentiation and leverage for network security gear. What does that mean? It means that some brain surgeon finally figured out that it’s a big pain in the ass to use IP address as the way to implement policies on users.
As I roam around and connect into the network from all sorts of places, my IP address is pretty much useless. What I need is a way to map the IP address to my identity and provide a location-aware enforcement capability so that “Mike Rothman” can only get to the resources that I’m supposed to, depending on where I am.
Thus there is a big rush to integrate all security equipment with LDAP and Active Directory. But here’s the rub. Whenever every vendor is doing exactly the same thing, it’s not novel. And even if a vendor has to totally re-architect their offering to make it identity-aware, which won't happen for 2 or 3 quarters - they’ll still announce that they are all over "identity."
So customers are confused for a change. Being the Pragmatic type of guy that I am, I say we get back to focusing on problems, as opposed to paying attention to marketing hype and other fabrications. Don't worry about "Identity NAC" unless you have a real, defined (and budgeted) project to implement NAC (either pre- or post-connect).
Worry about the problems you know you have. How about authentication, especially if you are a bank? Got that one licked? If you say yes, you are probably lying, even if FFIEC says you need to be done. Address those issues. So work on mutual authentication projects to make sure it’s harder to phish you. Think about other, less token-centric authentication technologies. Watch for keystroke dynamics to improve and start to make an impact in 2007.
There is also a movement to build “identity networks” that will allow stronger authentication credentials to be used across web sites. To use my own business as an example, I use PayPal as my credit card processor. I could get an authentication token from them for free, but at this point, I’d only be able to use it for PayPal, and that’s not interesting.
Will it happen in 2007? Nope. But as more and more consumer brands look to differentiate on security, there is a clear opportunity for an “identity network” to emerge providing interoperability. There are lots of hurdles, but given the compelling value to customers, it’ll happen by 2009.
Inciting: The Security Standard
I'll be at the Security Standard show (here) September 6-7 in Boston, which is the latest brainchild of John Gallant - President of NetworkWorld and producer of Vortex. As opposed to some of the more technically oriented (Black Hat) or vendor oriented (RSA), the Security Standard is trying to target the business of security and keep it at a high level for decision makers. For those in the networking space, John's annual Vortex conference is a must attend event and I'm sure he's hoping to find similar success with this new show.
I'll be speaking on September 6 at 3:20 PM (agenda) on the strong authentication panel. Moderated by Bob Bragdon, publisher of CSO Magazine, I'll be discussing strong auth alongside folks from RSA and Entrust to get a feel for how the technology is evolving and what's important for decision makers.
Usually I'm not a fan of attending new shows because there are always kinks to be worked out, but I think this one will be an exception. Vortex is a machine at this point, so John's minions understand the logistics of these kinds of shows and the subject matter is interesting.
Hope to see you there.
NetworkWorld Column: EMC + RSA = New force in data security
In this week's column, I go into the EMC/RSA deal - but more from the perspective of why all of the detractors have it wrong. I seem to be one of the only folks that is positive about the deal, but I like it that way. If I agree with everyone, I'm not doing my job.
I'll also note that I have to be more careful about using cliches like "game-changing" in my mass market columns. I do use that term here, but then I went on to say about how the term game-changing makes me want to puke. Surprisingly, that part got edited. Arghhh!
But I guess that is part of the game. We'll see how this deal plays out over the next few years.
http://www.networkworld.com/columnists/2006/071706rothman.html
Technorati tags: EMC, RSA, security, M&A, data security, authentication, identity management
EMC & RSA sitting in a tree...
TheStreet.com has a pretty comprehensive story on the potential deal here.
It's been no secret that I think RSA is once again in the right place at the right time (here and here). Lightning usually doesn't strike twice, but given the renewed interest in authentication and some savvy acquisitions - RSA is a plum property. But why sell now?
There's an old adage about how no one ever went broke by selling too soon, and that's exactly right in RSA's case. Sure they are hot and sure things look pretty good, but security is notoriously fickle and to monetize today wouldn't be a bad thing. And Art Coviello could ride off into the sunset as a hero.
But why is EMC interested? Is Symantec's John Thompson right in that security and storage are inextricably linked now? Has NetApp's increased interest in security (they acquired Decru a while back) shown the shape of things to come? Actually the answer is yes and yes.
It gets back to the Pragmatic Security model. Securing the infrastructure and securing the information that rides on top of it are DIFFERENT things. It will not be the same vendor that dominates both, that is clear because they are different buyers. The network or desktop guys buy infrastructure security. The application or database guys buy information security. How many more ways can I say different?
Though RSA gets most of its notoriety nowadays from authentication, remember what RSA stands for - and that's encryption. EMC is all about "information lifecycle management" and that MUST include data security. They dipped their toes in the water by acquiring Authentica a while back, but you had to figure there would be more where that came from. RSA would give them instant credibility in the security space, a hot authentication product family, and most importantly a really big story regarding persistent control of data that no other vendor can match.
That's right, not even Symantec will be able to play at the same level. Symantec's entire security perspective is focused on the infrastructure. They do pretty much nothing (with the exception of some messaging security) in the application/information or identity space. In one fell swoop, EMC would become the horse to beat on the information side of the Pragmatic Security equation. John Thompson would have another reason to bury his head in the sand.
So who would the other bidders be? TheStreet.com indicates potentially CA or even Symantec. CA is pretty much in shambles right now, so I'd be very surprised if they could get their act in gear to do a big deal, though strategically it makes sense. But clearly Symantec would be the dark horse. For every reason this deal makes sense for EMC, it makes even more sense for Symantec. It gives the Veritas group some encryption and identity mojo and provides the glue to make the Symantec/Veritas deal work. Additionally, the tokens would fit very nicely into Symantec's security business, giving them another cash cow to milk for a while.
But could John Thompson pull that off? They did just raise a bunch of money in a convertible offering, so the cash is there. I'd have some operational concerns given that Symantec has a poor track record of retaining talent and that's critical to make a growth deal work, but the potential of a Symantec/RSA combination is very interesting.
Stay tuned. It should be an interesting couple of days.
Drive-by: Bharosa - Another web authentication player
As the number of drive-bys I want to do continues to grow, I'll start to chip away by looking at Bharosa. They do authentication stuff for financial institutions. I came across a couple of their press releases over the past few weeks, and am particularly interested in the topic. Two-way authentication is going to be big in the 2nd half of the year as the FFIEC guidance suggesting stronger authentication gets closer to its end-of-year deadline.
So let's swing by their website (www.bharosa.com). Here are my first impressions:
- Headline doesn't mean anything to me - Identity theft is inevitable, but vulnerability isn't? What the hell does that mean and I tire of the old lock and key visual metaphor.
- They do "multifactor online authentication" - OK. I can get that. I'm not sure what exactly they mean, but at least these are familiar terms.
- IDC recommends these guys for FFIEC - Hmm. I guess they must have gotten some funding so they could pay IDC to say something nice about them. This isn't a positive in my book, but then I know too much about the business. But FFIEC indicates they are targeting the financials.
- They've got 10.4 million users licensed - I'm not sure what that means either, but it's a big number. Clearly they are targeting financials and have some decent numbers. This should be more prominent on the homepage because it adds some credibility.
- They have a video, let's check it out - This was pretty good. The CEO did the pitch and was clearly not a professional speaker, but did a decent enough job. It was too long. I lost focus about 2 minutes into the 5 minute pitch. But it did give a pretty good overview of what the product does and how it does it.
Overall assessment of the homepage is that it's pretty weak. Good thing I'm not one of those folks that just gives up if I don't see something interesting on the front page. So let's see what I can learn in the product section. Here are a few quick observations:
- They've got two products, Tracker and Authenticator (the video indicated this as well). Tracker verifies the user is coming from an authorized device, using it as kind of a second factor. And Authenticator uses some visual authentication tokens to provide a multi-factor experience.
- Tracker works behind the scenes, using attributes like a user's device and location and even some behavioral stuff (like what they are doing) to determine if it is really the user. But that's about all the information that is there. Kind of like Cyota, in that they use a lot of different data sources to figure out if something is OK to do, but they don't seem to have any kind of policy to enforce contextual authentication (forcing the user through additional hoops depending on what they are trying to do).
- Authenticator is less clear (and it's not like Tracker is very clear). They protect the PIN. How? All they show on the page is a few graphical "virtual authenticators." I have no idea how this works.
So I dig a bit deeper into the product section and discover that I still have no idea what Authenticator does or how it does it. They claim it protects data from key loggers, etc. because neither the keyboard nor the mouse is used to enter information. Hmm. I guess they've mastered that elusive telepathic interface. Yeah, I'm lost at this point. Let me check out the Tracker page and see if at least I can learn a bit more about that.
Tracker does the work behind the scenes as I describe above. But it does seem that depending on what the policy says (and what they find through their analysis), it can ask for additional authentication.
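Since the site never explains how this works, here is an added example of what "contextual authentication" generally means in practice: a policy that scores a request from device, location and behavioral signals, then allows it, demands a second factor, or refuses it depending on how sensitive the requested action is. This is my own illustration of the concept, not Bharosa's code and not a description of what Tracker actually does; the signal weights, per-action thresholds and sample sessions are all constructed.

```python
"""Contextual (risk-based, step-up) authentication policy.

Added example, not Bharosa's code and not how Tracker is implemented. A request
is scored on device, location and behavioural anomalies; the score is compared
against thresholds that tighten as the requested action gets riskier.
Weights, thresholds and the sample sessions are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Context:
    user: str
    device_id: str
    country: str
    action: str                                   # what the user is trying to do
    amount: float = 0.0                           # money involved, if any
    known_devices: frozenset = field(default_factory=frozenset)
    usual_countries: frozenset = field(default_factory=frozenset)
    failed_logins_last_hour: int = 0


# Constructed weights: how much each anomaly adds to the risk score.
WEIGHTS = {
    "unknown_device": 40,
    "unusual_country": 30,
    "failed_logins": 10,      # per failed attempt, capped at three attempts
    "large_amount": 20,
}

# Constructed per-action thresholds: (ask for a second factor at, refuse at).
# Higher-impact actions tolerate less risk before forcing extra hoops.
THRESHOLDS = {
    "view_balance": (60, 100),
    "pay_bill": (40, 80),
    "add_payee": (20, 60),
}


def risk_score(ctx):
    """Sum the anomaly weights that apply to this context; returns (score, reasons)."""
    score, reasons = 0, []
    if ctx.device_id not in ctx.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if ctx.country not in ctx.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if ctx.failed_logins_last_hour:
        score += min(ctx.failed_logins_last_hour, 3) * WEIGHTS["failed_logins"]
        reasons.append("failed_logins")
    if ctx.amount >= 1000:
        score += WEIGHTS["large_amount"]
        reasons.append("large_amount")
    return score, reasons


def decide(ctx):
    """Return 'allow', 'step_up' (demand a second factor) or 'deny' for this request."""
    if ctx.action not in THRESHOLDS:
        return "deny"                             # unknown action: fail closed
    step_up_at, deny_at = THRESHOLDS[ctx.action]
    score, _ = risk_score(ctx)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"


# Constructed sample sessions for one user whose usual device and country are known.
KNOWN = dict(known_devices=frozenset({"laptop-1"}), usual_countries=frozenset({"US"}))
SESSIONS = [
    Context("mike", "laptop-1", "US", "view_balance", **KNOWN),           # normal
    Context("mike", "laptop-1", "US", "add_payee", **KNOWN),              # normal, sensitive
    Context("mike", "kiosk-77", "US", "view_balance", **KNOWN),           # new device, low impact
    Context("mike", "kiosk-77", "US", "add_payee", **KNOWN),              # new device, high impact
    Context("mike", "kiosk-77", "RO", "pay_bill", 50.0, **KNOWN),         # new device + country
    Context("mike", "kiosk-77", "RO", "add_payee", **KNOWN),              # new device + country, sensitive
    Context("mike", "laptop-1", "US", "pay_bill", 2500.0, failed_logins_last_hour=5, **KNOWN),
]

if __name__ == "__main__":
    for ctx in SESSIONS:
        score, reasons = risk_score(ctx)
        print(f"{ctx.action:13s} score={score:3d} {decide(ctx):8s} {reasons}")
```

The same unknown device is waved through for checking a balance but forced through a second factor for adding a payee, which is the "depending on what they are trying to do" part of contextual authentication that the Tracker page hints at but never spells out.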
Tooling around the site some more, it seems they are pushing FFIEC pretty heavily, as expected. They also have a deal with the Air Force to build some strong auth into their web applications. So not just financial centric.
Overall, Bharosa is playing into the hot strong authentication market. But after driving by their web site, I don't have any idea what differentiates them from someone like RSA, nor do I get a clear understanding of how their technology works. If I'm a buyer here, I probably move on, because the last thing I have is time to get someone to explain everything to me.
Just goes to show, if folks can't go to your website and tell what you do and how you do it, you better get back to work. End users will disqualify you from consideration if they have to do too much work to figure it out.
Deal: VeriSign buys GeoTrust
In VeriSign's latest flexing of the checkbook, they have acquired GeoTrust for $125 million in cash. I don't really do market share numbers, but it would seem that this deal would give VeriSign a virtual monopoly on the SSL certificate business. But GeoTrust claimed to be the second largest certificate authority and they are being bought by the first. Sure Entrust and CyberTrust are still in the business, but no one else of note.
But does it matter? Is VeriSign all of a sudden going to start turning the screws on customers and raising prices, which is where anti-trust would be an issue? I don't think so. The switching costs on SSL certs are virtually nil. I mean if you have 10,000 of them, then it may be a bit of a problem - but short of that, I don't see VeriSign doing anything on the pricing front. Status quo is good. You just want the customer to renew every year and keep milking that SSL cash cow.
I'd be surprised if they even changed the branding. I still see the "Protected by Thawte" seal every now and again, even though VeriSign bought them like 6 years ago. Again, why mess with anything? It's not like those web seals cost a lot to maintain.
So why do the deal? It's all about scale. GeoTrust has 100,000 customers representing who knows how many certificates and those can be plugged directly into VeriSign's infrastructure. They can gain operational efficiencies from the deal and continue to control that market. For GeoTrust, this is a way to get liquidity. Do you go out and raise money to get another 3-4 points of market share? Nah, not worth the effort. Take the money and run.
VeriSign thinks the deal will be accretive in 2007, so there you see the power of integrating the infrastructures. VeriSign has additional data center capacity, so if they can drive more revenue through - it flows right to the bottom line. Nice.
Customers don't really care either. It's business as usual on that front. Your cert is your cert is your cert. But in all likelihood it's been issued by VeriSign.
Inciting: SSO/Authentication Tip
SearchSecurity just published a tip from yours truly on how to protect the credential in an SSO environment. There are huge user experience and cost efficiency advantages to SSO, but it does create a single point of "failure" in terms of the credential. You steal that, and you get the keys to the kingdom. I go through some of the common technologies for strong authentication/SSO and a new trend I've dubbed "contextual authentication." Check it out.
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1186252,00.html
How many anti-phishing networks are enough?
So it's been the consumer anti-fraud offerings that have most effectively targeted this issue by working with the banks, which are most typically targeted by these attacks. Cyota's eFraudNetwork is like a phishing analogy to the Brightmail spam-catching honeypot network. Lots of honeypots out there to gather and pinpoint phishing messages ahead of the curve.
Now Symantec is leveraging some technology they acquired from WholeSecurity to get back into the game. (link to NetworkWorld story) Whole had launched the "Phish Report Network" in February of 2005, but it had limited effectiveness. So now they think they are going to sell information that is largely available elsewhere and for free from folks like WebSense (they've got a phishing blog) and the anti-phishing working group.
More importantly, these services don't address the issue from either side. Just getting information does not alert the right folks nor help to take down the phishing sites.
The right folks that really need to get this information are the consumers. They need to know about possible phishing sites BEFORE they are compromised. The toolbar in IE 7.0 does pinpoint sites using high security SSL certificates, which will put folks on alert if a site is shown as potentially problematic. I'm not sure how getting a list of bad sites from someone like Symantec is going to help unless it drives a desktop web filtering solution that would block bad sites in real time.
It's also not clear to me how this kind of offering helps the banks (or other targeted institutions). One of the most interesting aspects of Cyota/RSA's eFraudNetwork is the established relationships and process to quickly get a phishing site taken down once identified. Also the ability to uniquely identify a banking website to the consumer is another key requirement to defeat phishing from all sides.
Is Symantec investing in these capabilities? They'll need to if they want to be a player in the anti-phishing space.