New Gig!

I am so tardy in writing this, tsk tsk…

I am now officially a Senior Technical Architect at Ping Identity.   All of you who know the Ping folks know that this will be an exhilarating ride.  I work for Patrick Harding in the Office of the CTO, and I can honestly say that this is one crazy learning curve!

Ping Identity

For those of you who aren’t familiar with Ping Identity, they do Internet Identity Security – SSO and token transformation using SAML, WS-Trust, WS-Federation, and whatever else is necessary to get the job done.  They also do federated provisioning, which of course is one of my passions. It’s a fun time to join; the current interest (dare I say mania?) around cloud computing is starting to resolve into common-sense questions around potential risk to the Enterprise caused by mis-management of cloud resources – and at least in my mind, I see these questions changing the adoption patterns for technologies like SAML from a early adopters and massive organizations to everyone’s organizations.  I’m also very excited to see what the addition of consumer identity protocols like OpenID and oAuth will do to adoption patterns.

From the employment front, it has been fascinating to have insight into the inner workings of a product company – I have always been on the customer side before this, and the change in perception is fascinating.  I think it must change some of what I write here – but change is good, I think.   The biggest challenge will be finding the time to write —  keeping up with these Ping folks is hard work, they are aggressive and agile, and they are focused, holy cow are they focused.  Er, we are focused.  I am we!  Woohoo!!!

Ok.  Gotta run.  Life at Ping is a sprint, and I’m loving the adrenaline high :)

Axel’s Challenge

Axel says he’ll fetch you a beer at IIW if you can decrypt the token he has made publicly available on his blog: crypto doubters in the crowd,  this is your big chance!   As someone who was recently burned while copying and pasting encrypted tokens off of a web page and trying to decrypt, I would be careful of the white space though, I bet if you ask really nice he’d even send you a file version.Axel's Challenge

Canadian IAM Community

Are you a Canadian member of the identity or access management community?  In case you don’t know already, there are a number of new venues evolving to service this community, and I’m really excited to be a part of them!

  1. The CanadIAM Blog – this blog is dedicated to the Canadian take on Identity and Access  Management, thanks to the organizing efforts of Mike Waddingham over at Code Technology.  It’s just getting off the ground, but I think it will attract a very strong community — make sure you add it to your blog reader!
  2. The ICE Conference — this will be the very first Canadian tech conference that I’ve spoken at, I can’t wait to actually meet folks from my own backyard and compare notes and experiences!   The conference is in Edmonton on November 2-4, 2009 – the only sad thing is that it happens to conflict with the Internet Identity Workshop;  as a result I’ll have to split my time between the two rather than getting the full benefit of either, which is such a shame!IAM Canadian

It is great to see these kinds of resources evolving, and I think it speaks to the maturity and growth of I&AM practices in Canadian organizations.   I believe that the best way to be successful in many of these ventures is to share – and what better way than to do so than with a group of people who have strong common interests.

Photo credit: http://www.flickr.com/photos/michael40001/1828017204/

Rocky Mountain Bank should be more solid now

I’m tired of yelling and complaining about data breaches.  As a result, I think I’m going to change my tune.

Take, for example, Rocky Mountain Bank of Wyoming USA.  An employee of the bank emailed sensitive details about 1375 customers to the wrong Gmail user, and now the bank is suing Google to discover who this anonymous user is, in an attempt to try and figure out just who they managed to gift their data to, and whether their gift kept on giving.    In the meantime, the Gmail account of a completely innocent bystander has been deactivated by court order.

As I see it, Rocky Mountain Bank is in their own little hell right now – they are being widely ridiculed, they have initiated an expensive legal action that can only partially assuage their fear of exploitation by a third party, they have at least 1375 really pissed off customers, and they have incurred some amount of liability and/or responsibility to those customers should their data be criminally exploited in the future.

You can think of these guys as one more incompetent organization and call them names.  Or you can think of it as one more organization whose eyes have been opened to the cost and danger of playing fast and loose with customer privacy.  Perhaps we simply have to hit a tipping point where enough people are close enough to enough victims that our societal internal risk meter changes.  If you look at it that way, every breach can also be viewed as an education…  and I’m a big fan of education.

So congratulations Rocky Mountain Bank on having your eyes opened as a corporation, serving as an example for others, and personally educating 1375 otherwise clueless end users.  It is appreciated.

Sears == Slimy

I want to talk about the Sears Holding Company, and I have nothing nice to say.

They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping card details, and online prescription orders back to the mothership.

To me, this is worse than an accidental breach.  This isn’t about ignorance or stupidity, but about willful intent to do harm.  A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice).   How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues?  How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect?  Worse, why *could* it be done? Oh yes, right.  We all use operating systems every day that have an egregious lack of granularity in access control.

There is little to do except spit in Sears’ general direction – so I do.   Ptooey.

My Case is MADE

I wrote not long ago about the HSBC Canada banking site, and its odd and frightening ways of dealing with access control.  Their fanciful notions of authentication proved to me that passwords were being stored in a retrievable format rather than in a format where the password can be verified as matching but not retrieved and examined.

This exact same issue has come up on the OSIS list with respect to privatepersonalidentifiers – some have argued that it is perfectly safe to store raw ppid and modulus information at the RP,  and I cannot tell you how STRONGLY I disagree with that idea.

Luckily, Gunnar has pointed me to the perfect example:  apparently the HSBC France banking site has been hacked,  and guess what?  They are storing their customer’s passwords in clear text too (surprise surprise).  And a handy little SQL injection attack gives the hacker everything he needs to log in as anyone he can think to query for.

Had the HSBC stored their passwords in some kind of encrypted format,  the same attack would have netted the hacker a fraction of the value,  because there would still be a significant and likely cost-ineffective amount of time and work necessary to turn the data into a set of credentials that could be used for actual authentication.  This is why encryption of passwords is an industry best practice, and why you will and should be laughed out of this community if you can’t get such a simple mitigation right.

If an RP stores the ppid and modulus of a self-issued information card in clear text, and that RP becomes the victim of a SQL injection attack,  a hacker has everything they need to get in the front door too.   The data must be stored in a way that mitigates this danger,  period.  I consider this to be identity 101 for information cards, and anyone who writes an RP should consider this to be a best practice.

Second Class (Non) Citizens

Just in case you all still thought that on the internet, no one knows you’re a dog: Heaven forbid you’re a plain ol’ Canadian dog who wants to experience streaming content now and then… and no, things like Hotspot Shield don’t work, sites like Hulu have been assiduous in their efforts to ensure that I cannot be a customer.

The truth is:  yes I am disappointed, and no I don’t understand.  I am sure this all about somebody somewhere insisting that I not be served until they get their pound of flesh.  I’m willing to PAY for my little part of whatever kickback has to happen – but apparently that isn’t enough.  It would seem that profitability can only be found in a scheme that rewards large demographics and denies everyone else.  What a shame.

Pandora ONE: US-only

Pandora ONE: Canadian FAIL

DIY Security for the Utterly Paranoid

I talked to several people who were somewhat disturbed about my last blog post.  Surely it can’t be that easy?

The  potential exists – and I think it is worthwhile to ask why.  Most people have been taught to guard their passwords, but have been carefully instructed to feel no responsibility for the other ways in which an attacker could access their account.  Why is it we can educate about password complexity and reuse, but don’t want to explain under what circumstances a “personal identification” answer might be used?   Why is it we will force a user to change their password every three months, but the email address that would be used in case of a password recovery effort is never tested, and security questions are never refreshed or reinforced?   Why is it that we as a culture have recognized the concept of a “fire drill” in the real world, and advise people to understand alternate exit routes in cases where the elevators are out of order, but in the online world, we feel that advising those users who happen to be of the more concerned persuasion to familiarize themselves with and verify the operation of the page behind their “forgot my password” links is a crazy and unthinkable thing to ask?

If you are someone who worries about being hacked, and if you are willing to take a little bit of time and energy to at least understand the risk you might be facing, my advice to you is:  Go forth and recover.

Go ahead.  Recover all of your accounts.  You probably needed to rotate those passwords anyway.  Find those “forgot password” links and click ’em. Chances are, you will be able to reset your password in an automated fashion,  either by answering a pre-specified question, or by getting a link sent to an email account (sometimes, both approaches are combined).    If you are asked a question, is the answer guessable?  Is it searchable?  Is it short? Is it a single dictionary word?   Can you control the guessability of the answer, or is it a hard-coded format such as a postal code or a birthdate?   If you are emailed a link, follow the chain to your email provider and recover your password there too.   Is it more pre-specified questions?  Are they the same questions? Were you required to click on a link sent to yet another email address?  If so, follow the chain again.  Rinse and repeat.  This is the same trail that a hacker would follow – often they find something you’ve forgotten, something out of date, an expired account or a typo that you never would guess could end up in a compromise of your identity.  Password recovery mechanisms were used to compromise Sarah Palin’s email account, and also used to steal corporate data from Twitter.   If you can satisfy yourself that the password recovery loop is closed, that your answers are not guessable, that you haven’t specified incorrect, out-of-date, or non-existent email addresses, and that the services you use don’t use unsafe mechanisms, you will be safer.

Don’t believe me?  Check out the techniques this guy used to compromise the identity of a mere acquaintance.  He gained access to supposedly “secure” accounts whose password recovery mechanisms depended on password recovery mechanism that depended on grossly guessable data.

Should you have to do this?  No.  Not according to almost anyone in this business.  Are you expected to do this?  Of course not.  How many people actually memorize an alternate exit route from every hotel room they ever stay in?  Only the ultra paranoid, I am sure.  Still, if you care, if you are motivated,  and if you want to know what to do, perhaps this can be a starting point.

So funny I forgot to laugh

Have you ever had to enter CHARACTERS from your password to log in?   No?  Me either.  How would you feel if you entered your credit card number into your credit card provider’s website and instead of the usual password you were given this screen:

Yer kidding RIGHT?

This is the second screen of my credit card provider’s authentication workflow.  They are asking me to answer my “Personal Identification Question”, and asking me to type 3 random digits of my password instead of my entire password.  The ramifications of this set of implementation choices just blows my mind.    Three strikes and you’re out, if you ask me:

1. Downright Terrible Personal Identification Questions

Worst Security Questions EVARAnyone who reads my blog can probably figure out my favorite hobby, I even mention it on my about page.  That question was one of five terrible security questions. Three of the questions are standard web access management fare. They aren’t great, but at least the 8-character minimum character limit keeps away answers like “golf”, “ford”, and “rex”.   The other two questions are in my mind criminal however.  No financial institution should give a customer the option to use their mother or father’s name as a method of personal identification.  I can’t believe anyone put those questions into production. The worst part: because of the list given, those two questions are the only ones that can be answered in a straightforward way while also fitting the complexity rules.

2. Removing The Guesswork from Password Hacking

Password Complexity?Then there is the 8-character password. I could have sworn that one of the variables that make a password tough to brute force is the fact that the length is unknown.  If you *know* you’re working with 8 characters, you can seriously narrow down your brute force parameters.  Plus the only punctuation allowed is an underscore.  Ouch.


3. One-way Hashes are *so* 2008

Security TheaterSince my bank is performing character matches on my password, there is no way that they are using a one-way hash algorythm to store my password.   If they were, they would be able to match the whole thing or nothing at all.  Instead, they have chosen to be able to retrieve my password and play with it.  I can only hope that it isn’t stored in clear text, but frankly anyone who asks “What is my mother’s name” as a security question can’t be too worried about security.  Don’t get me wrong,  HSBC is very worried about the appearance of security, in fact I was forced to positively acknowledge a big long page of statements about how firewalls are used, and how they require me to use 128-bit encryption. In spite off all the assurances, it seems to me that I’m at risk in a number of ways now, and all so that the password interface can be turned into a primitive and easily overcome turing test.

So, what am I missing?  Is there some brilliant element to this setup that makes up for the sins that appear to have been committed?  Something that will make me happy my credit is in the hands of this company?  I hope so, because right now I feel like maybe it’s time to do my best ‘rat leaving a sinking ship’ impression.