It’s getting exciting in the world of cross-network authentication. Let’s review. I can now:

• sign into Digg using Facebook
• sign into DISQUS using Facebook or Twitter
• sign into Facebook automatically using OpenID (with two-factor authentication) or Google
• sign into FriendFeed using Google, Twitter, or Facebook

We’re quickly approaching the point where we’re going to be able to log into one major service (Google, Facebook, OpenID, etc,) and from there access all of our other services without authenticating.

As it stands now, I can already log into my OpenID provider, visit the Facebook homepage, and be transparently logged in. Today this works on Facebook. Soon something like it will work for your bank as well.

This is a good thing, but there’s a catch.

Security

While this is completely phenomenal from a functionality standpoint, we need to consider the fact that single-sign-on (SSO) raises a serious security concern: it significantly increases the impact of an account compromise.

If my OpenID account gets me into Facebook, and my Facebook gets me into Digg and DISQUS and FriendFeed (where I can post to Twitter, of course)…then a compromise of my OpenID account means a compromise of all those other accounts as well. Basically, once someone gets into your main service, your entire online identity can be hijacked.

Authentication Strength: More Important Than Ever

As single-sign-on solutions get more popular (i.e. now) we are going to have to give significantly more attention to our authentication standards and processes. Traditionally this has meant having a strong password, and while that is an essential piece of it, it’s arguably no longer enough.

What we really need to do is move to a strong/multi-factor authentication system. This means combining at least two of:

• something you know (passwords, pins)
• something you have (tokens, smartcards)
• something you are (biometrics)

So if someone guesses your password to my OpenID account, for example, they still can’t get into my account. They know my password, but they don’t have my mobile phone with my soft token on it. That’s multi-factor authentication, and it improves your security greatly when done right.

My current recommended way of doing this is by adding two-factor authentication to OpenID, which can be done via Verisign PIP for free. VIP can be used to add two-factor auth to major sites like eBay and PayPal as well, and soft tokens are available for popular mobile phone platforms if you don’t want to carry an actual token.

Strong Authentication Alternatives

In addition to tokens a number of other innovative options are available for multifactor authentication. Vidoop is an interesting system that combines OpenID functionality with a unique picture-based authentication system. It’s not technically multi-factor since it relies on something you know twice (password, then the images), but it’s still considered strong authentication.

Plus there are number of systems that use other things we commonly have with us to provide an additional factor of authentication, like sending a one-time password to your mobile phone via text message.

Conclusion

Social web service integration is upon us. Very soon, signing into websites using local credentials is going to be an indication of one of two things: 1) your single-sign-on system is broken, or 2) you’re using a website so ancient that you might want to consider an alternative.

This is progress, and it’s progress we should embrace, but we need to keep the risks in mind and take steps to mitigate them. So yes, enjoy the new powers given to you by single-sign-on, but do your best to protect yourself by looking for strong/two-factor authentication options within your favorite online services. ::

Links

[ Strong Authentication | wikipedia.org ]
[ Two-factor Authentication | wikipedia.org ]
[ Single Sign On | wikipedia.org ]
[ OATH | openauthenticaton.org ]
[ Facebook Connect | facebook.com ]

Exciting stuff–Facebook is rolling out full support for OpenID. Once it’s done being pushed to all users, you’ll be able to log in seamlessly to Facebook if you’re already logged into your OpenID provider.

Combine this with two-factor authentication from PIP, and things are shaping up nicely.

Oh, and they’re supporting seamless logon from Google as well. Very cool stuff. ::

[ 2009-05-19 : Confirmed--I just logged out of Facebook and re-visited the homepage while logged into my OpenID provider (with two-factor, mind you). It seamlessly logged me in. Totally sick. ]

I’ve moved to Chrome and Safari as my primary browsers, but nothing compares to Firefox when it comes to functionality and plugin support. Shown below are the information security related plugins I recommend any infosec professional (or enthusiast) install upon spinning up a new Firefox instance.

XSS Me

This plugin discovers all the fields on the current page, and gives you the option to launch targeted attacks on each field, or to launch all of its attacks against all fields.

SQL Inject Me

From the same group as XSS Me, this plugin finds all fields on the page you’re on and let’s you launch the most common SQL injection attacks against them.

Live HTTP Headers

See exactly what your browser is sending and receiving in real-time.

User Agent Switcher

Change your user-agent on the fly. So, you can make it look like you’re coming from Lynx running on AIX, or like you’re the GoogleBot.

Web Developer

Modify all sorts of options related to the site you’re viewing. Disable scripting, modify forms, etc., etc. Trust me–good stuff.

Tamper Data

Lets you view the data that’s being passed back and forth between you and the web server…and let’s you mess with it. Think “WebScarab”, but far simpler, and as a Firefox plugin.

ASnumber

Find the Autonomous System Number (ASN) of the network that your current site is served from. Simple. Useful.

DT Whois

Do a domaintools.com lookup of the site you’re currently visiting. If you haven’t used domaintools.com yet, you’ll be even more impressed.

Firebug

Gives you a developer’s view into the page you’re viewing, showing exactly what scripts are running, what the stylesheet is, etc. Oh, and let’s you change them and see what the result would be. Not really a security thing, but strong enough to be included in a list of musts.

SwitchProxy Tool

Allows you to quickly switch back and forth between multiple proxies, or between using your main proxy and going straight out to the Internet. My configuration always includes at least one proxy: localhost:8008 for WebScarab.

Hackbar

This tool, added on Zach’s (@quine’s) request, is kind of interesting. It allows a lot of functionality from a very simple interface. Essentially, it presents you with the ability to modify the current URL in a number of interesting ways, including giving access to a number of simple tools for translating data formats. Worth adding to the list of essentials.

So there they are. If you have any I should add to this list of essentials, do let me know in the comments or via email. ::

(Thanks to those who helped me build this list including Johannes Ulrich and Steve Crapo)

Related

[ Information Security Posts | dmiessler.com ]

But at RSA 2009, which I just returned from, I found out Verisign has released a soft token as well, and it works for all the main mobile platforms–including iPhone. The app is free from the app store, and here’s how it looks:

So you’re probably asking what all this works with. Well, here’s a list of supported websites:

These sites directly support Verisign VIP, which is really just an OATH-based multi-factor authentication system.

This is cool, but the real reach of this system is that you can use your VIP credential as a second factor to pip.verisignlabs.com, which is Verisign’s OpenID implementation.

And that’s why I use Verisign for my OpenID system: it’s not only a solid OpenID implementation, but it also allows me to use a token for two-factor authentication. And now that they have a soft-token for the iPhone, it’s even better.

I suggest you check it out. ::

Links

[ Verisign VIP (Two-Factor Auth) | verisign.com ]
[ Verisign PIP (OpenID) | verisignlabs.com ]

There’s an issue with md5sum where it returns unexpected results due to the fact that appends a carriage return to what you’re trying to get a sum of.

So if you try and get a sum of “password” by summing a file with the word “password” as the only line in the file, you won’t actually be summing “password”, but rather “password[^M]“, which obviously won’t be the same.

The Fix

So a quick fix for this is to use echo to feed md5sum with the -n option, which removes the trailing carriage return:

echo -n "password" | md5sum

::

I often have to explain to other IT people (and even too many in infosec) why I prefer OS X as my primary operating system. If you lack the time to make a complete argument, one shortcut to giving strength to your position is to give a list of well-known security professionals that have made the same decision.

So here’s the beginning of this list; if you want to add someone to it, you can do so in the following ways:

1. In the comments below
2. Email it to me at daniel@dmiessler.com
3. Tweet it to me with #macsec appended

• Martin Roesch
• Mike Poor
• Taylor Banks
• Johannes Ulrich
• Chris Hoff
• Rich Mogull
• Jeremiah Grossman?

Being in Information Security, I understand that knowing what’s going on is the first step to being secure. The way this translates to networked computers is knowing who they’re talking to.

And for this task I use Little Snitch to both monitor and control what applications are able to reach out from my OS X system.

In addition to being able to control what apps can do what (rule manager seen above), what I most like about this application is being able to roll over the menubar icon to see what apps are currently sending or receiving on the network.

So imagine you’re just writing something locally on your system, and you see that your Little Snitch menu bar icon is lit up (meaning something’s talking on the network).

You simply touch the menubar icon with your mouse and the window seen above appears to show you exactly what application is talking on the network.

This is invaluable. Nothing is more annoying to a good security person, or even a good sysadmin, than not knowing what on your system is putting packets on the wire. Little Snitch gives you this visibility, and if you’re running OS X I’d highly suggest you check it out. ::

[ Little Snitch | obdev.at ]

If you’re into Information Security, and you use Twitter, you probably want to be following @securitytwits.

It’s a group of security professionals and enthusiasts that use Twitter to share ideas. The group is herded by Zach Lanier (@quine), and the list of members can be found here online.

For a decent introduction to the ideas behind the group, here’s a short podcast of Bill Brenner (@billbrenner70) interviewing Zach on the topic of Twitter itself as well as the Security Twits list.

[ Bill Brenner / Zach Lanier | csopodcasts ]

A random, innocent tweet by Gunnar Peterson (@oneraindrop) got me emoting about whether or not Information Security should be viewed/pitched as a business enabler. This is the tweet that got me going:

Please remember that security is a business enabler kthxbye

Security isn’t an “enabler”; that line can hurt us. Security is about NOT doing things wrong, as part of overall quality. To “enable” business is to add value above and beyond simply not sucking. So if security is an enabler then so is an oven mit.

My problem with that approach is that it widens the definition so much as to make it useless. If a word means everything then it means nothing. And if everything a company does, including having fire extinguishers and a parking lot, is going to be called a “business enabler”, then there’s no point in pitching infosec as one as well.

But let’s not get too caught up with definitions. Business “enabler” might mean different things to different people, and I agree that it CAN mean everything including free coffee and hand sanitizer. But that’s not what matters. What matters is what it means to those we’re selling it to, i.e. the business. So if you say to a business person, in an attempt to promote information security, that information security “enables” business, I think you should have a more direct link in your claim than one to general supporting infrastructure.

And that’s where Gunnar added to the conversation again with a simple yet powerful quote:

“Because we have brakes in our cars we can drive fast.” – Robert Garigue

I’ve always liked this analogy, and I’ve used it before when flirting with the whole concept of “business enabling” and “security ROI” in the past. But I no longer believe in such things.

The reason this analogy fails is that it is looking at the speed of the car WITHOUT brakes as a comparison to the speed of the car WITH brakes. This is wrong. The speed of the car is the speed WITH brakes, and improvements to the brakes are improvements to the car. The car as a whole is all that matters. It’s infrastructure. It’s plumbing.

In a CEO’s big picture, there’s no difference between a web application firewall and a fire alarm and sprinkler system. Ultimately they both reduce to one thing: an operating expense. I think IT in general can be an enabler, say through a new VPN system that lets a CEO quickly spin up a workforce, but even then it’s not likely to be perceived, by the business, as the same type of “enabler” as an ad campaign, for example.

I have more to say on this, but the ideas are still brewing. I’d love to hear thoughts in the interim. ::

So a fellow infosec buddy of mine, Hoff, wrote a great piece about how Brock Lesnar is like Cisco. His main points seemed to be that 1) Cisco/Brock is really good in an area other than infosec/mma, and 2) people are mistakenly dismissing them because of this.

Those are solid points, and I agree with his analysis, i.e. they’re foolish to underestimate them–but I have another angle which is where I thought Hoff was going with the analogy when I first saw the title.

To me the more interesting observation is that “when skill levels are close to equal, size and strength matter. A lot.

So when Brock fights most people it’s almost like an adult fighting a young teenager. It’s almost unfair to the point of brutality. Sure, the teenager can win, but the skill difference between him and Brock would have to be extraordinary. And the better Brock gets the lower the chances anyone can be that much better than him.

It’s the same with Cisco. They’re already in your network. They have the routers, they have the switches, they have the VPNs. That’s the size/power difference between them and $foobrand. It’s true that many companies have some functionality (technique) that Cisco doesn’t have, but Cisco is good at being good at things. They can buy a gym and pay someone else to work out for them.

In the end, the Brocks and Ciscos of the world will crush the competition. Not because the competition can’t win any given battle, but because the more times they fight, and the more time the big guys get to train, the less difference there will be in technique and functionality.

And at that point it’ll just be a man against a boy. ::

I inwardly smile when I hear the term “Unified Threat Management”. It means different things to different people, but to me it means consolidating the different “types” of security filtering, e.g.:

• ACLs
• Firewalling
• Stateful Inspection
• Deep Packet Inspection (whatever that is)
• Network Intrusion Detection
• Network Intrusion Prevention
• Application Security Filtering (Web, Database, etc.)

…onto a single device.

This isn’t really all that special. The only reason things didn’t start out this way in the first place is because the technology wasn’t there yet. We didn’t have the horsepower on the devices nor the various types of inspection to leverage.

So now the technology is finally catching up, and the marketing folks evidently decided not to go with, “UTM: The Way Things Were Supposed to Be Originally!” as their slogan.

The VIA Model

The reason combining these various pieces is brutally obvious is because they’re all doing the same thing. There is, fundamentally, very little difference between a router ACL and a Web Application Firewall. Once distilled there are basically three components to any security filter:

1. Visibility: what portion of the input does the system inspect?
2. Identification: what types of knowledge and/or intelligence can be used evaluate on?
3. Action: what can be done once something is found?

So what’s the difference between an IDS and an IPS? In the action phase you get an extra option to drop. Awesome. What’s the difference between an IPS and a WAF? WAFs understand HTTP better (the identification phase); they both see through layer 7 and can drop stuff they don’t like. Looking at it this way, even a router ACL and a WAF aren’t that far apart; the WAF simply beats it in all three VIA categories.

So no matter how cool the name of your filtering system is, it’s only doing a combination of those three things. It could be “Deep Packet Inspection”, or it could be, “Bob’s Packet Looker Thingy”–either way you have to a) see packets, b) find stuff in them, and c) do something when you do.

That’s why the future of security filtering is for every trust boundary and every endpoint to be running all of these simultaneously. You see the traffic once, run it through all your various identification pieces, and then you take whatever actions based on your policy.

The fact that we’re getting to that point doesn’t constitute evolution; it just means we’re finally getting to where we should have been all along. ::

Hat tip to Markus Ranum for pointing me in this direction back in 2003 with a talk on the difference (or lack thereof) between IDS and IPS.

As an example, if you use Flash in a standard way you are often sending websites information about the other Flash sites you’ve been to–even if you’ve done the standard browser privacy stuff. So you can think you’ve covered your tracks, but in fact still be blabbing about where you’ve been to any site you visit running Flash.

Using this application shown above, you can actually see this invisible content. From there you can manage not only the Flash artifacts you currently have, but also apply settings for handling them in the future.

Pass it on. ::

Links

[ Flash Cookie Manager | adobe.com ]

The Current List

• Bob Blakely
• Dan Geer
• Craig Wright
• Bruce Schneier
• Marcus Ranum
• Tom Van Vleck
• Richard Bejtlich
• Gene Spafford

[ Lots of good input received; list of potential adds below ]

Potential Adds

• Hal Pomeranz
• Gene Kim
• Kevin Behr
• Dorothy Denning
• Alec Yasinac
• Christopher Hoff

[ Cloud Control with Google Talk | elasticvapor.com ]

nmap -vv -p0- -sSUV -O -oA $outputfile $target

Links

[ My Nmap Page | dmiessler.com ]

::

I really hope Twitter’s pushing of OAuth is successful. ::