Security Now 307
Recorded: June 29, 2011
Published: June 29, 2011
Security Now 307: The Future of Identity
Microsoft / Three patchy non-security things: Fixed fragmented SSL/TLS packet acceptance Fixed fuzzy fonts in IE9 Office File Validation (OFV) (Office 2003, 2007, or 2010)
Firefox to get native Adobe-Free PDF rendering: "We intend to use pdf.js to render PDFs "natively," within Firefox itself. Our most immediate goal is to implement the most commonly used PDF features so we can render a large majority of the PDFs found on the web. We believe we can reach that point in less than 3 months (the entire code so far is less than one month old, and it already renders a large set of PDF features). "Initially we will make a Firefox extension available to interested users that enables inline PDF rendering using pdf.js, but our ultimate goal is of course shipping pdf.js with Firefox. This will result in a substantial usability but also security improvement for our users. pdf.js uses only safe Web languages and doesn't contain any native code pieces attackers could exploit.
Attacks & Breaches
Lulz Security said goodbye on June 26th by releasing 750,000 accounts, many with eMail addresses and passwords in cleartext, obtained from various sources.
LulzSec: Arizona Dept of Public Safety 446.6 Mb of authentic Arizona State Department of Public Safety documents available for download from The Pirate Bay. Spokesman Captain Steve Harrison of the Arizona Dept of Public Safety confirmed that the agency's systems were hacked. "We are releasing hundreds of private intelligence bulletins, training manuals, personal e-mail correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement," the group said in a statement on its site. "We are targeting AZDPS specifically because we are against SB1070 and the racial-profiling anti-immigrant police state that is Arizona." (SB1070 makes it a crime to be in Arizona without documentation proving United States residency.) http://news.cnet.com/8301-27080_3-20073843-245/lulzsec-releases-arizona-law-enforcement-data/
Citigroup attack will cost Citi ~$2.7 million The recent online security breach involving the theft of 360,000 credit card numbers will cost Citigroup $2.7 million, the company confirmed to U.S. government officials on Monday. Hackers infiltrated Citigroup servers last month and stole account numbers and personal information associated with over 360,000 Citi-branded credit cards. According to Citigroup, personal information and card numbers from approximately 3,400 cardholders was subsequently used to make about $2.7 million in unauthorized purchases. Citigroup stated that affected customers would be reimbursed for the fraudulent charges. No arrests have been made in association with the breach.
From the Twitterverse
@AlienCG : If using GMail, an additional label can be added with (firstname.lastname@example.org). Could this help add some security to a login?
@jnaz (John Nasers) Free Peter F. Hamilton Kindle book (short story) If At First. amzn.to/m4wINX "If at First..." Peter F. Hamilton has proven himself a modern master of epic space opera, carrying the tradition of far-future empire building begun by Heinlein and Asimov into the new millennium. But Hamilton is also a master of the short story, and when he tackles one of science fiction’s most enduring themes—time travel—the result is as provocative as it is entertaining. It starts in 2007 with a break-in. The victim: Marcus Orthew, the financial and technological genius behind Orthanics, the computer company whose radical products have delivered a one-two punch to the industry, all but knocking PCs and Macs out of the ring. The perpetrator: a man obsessed with Orthew. Just another simple case of celebrity stalking—or so everyone assumes at first, including Metropolitan Police Chief Detective David Lanson. But when Lanson interviews the suspect, he makes a startling claim: Orthew is from the future. Or, rather, a future—a parallel timeline. Thus begins the ride of a lifetime for Lanson, as his pursuit of the facts tumbles him headlong down a rabbit hole—and the hunter finds himself hunted. Greg Mandell "The Mandel Files" coming from Del Rey Preorder from Amazon Paper or Kindle Available August 23rd. Mindstar Rising ('93) “Great fun . . . sort of a post-catastrophe techno-thriller.”—The San Diego Union-Tribune “Reads like a collaboration between William Gibson and Ian Fleming.”—Publishers Weekly A Quantum Murder ('94) The Nano Flower ('95) (Night's Dawn Trilogy: 1996-1999 / Fallen Dragon 2001))
NSTIC - National Strategy for Trusted Identities in Cyberspace
The US Government, through the National Institute of Standards and Technology (NIST) has released the National Strategy for Trusted Identities in Cyberspace (NSTIC) vision, mission and goals. This strategy has a goal to foster a public/private partnership where industry and communities come together to solve the issues identified in the NSTIC to create and identity ecosystem which enables web service interactions to be: Faster: Once you use your credential to start an online session, you would not need to use separate usernames and passwords for each Web site. For example, your computer or cell phone could offer your "trusted ID" to each new site where you want to use the credential. The system would work much like your ATM card works now. By having the card and a PIN you can use your ATM card all over the world. By having a credential and a password you would be able to use your trusted ID at many different sites. This saves you time while enhancing security. No more searching in your drawer for your list of passwords. More convenient: Businesses and the government will be able to put services online that have to be conducted in person today like transferring auto titles or signing mortgage documents. Safer: Your trust credential will foil most commonly used attacks from hackers and criminals, protecting you against theft and fraud, safeguarding your personal information from cyber criminals. Private: This new "identity ecosystem" protects your privacy. Credentials share only the amount of personal information necessary for the transaction. You control what personal information is released, and can ensure that your data is not centralized among service providers. Voluntary: The identity ecosystem is voluntary. You will still be able to surf the Web, write a blog, participate in an online discussion, and post comments to a wiki anonymously or using a pseudonym. You would choose when to use your trusted ID. When you want stronger identity protection, you use your credential, enabling higher levels of trust and security.
Liberty Alliance Formed in 2001 by ~30 organizations to establish open standards, guidelines and best practices for identity management. Today a global membership of more than 150 organizations. http://projectliberty.org Now the Kantara Initiative (Swahili for "bridge") http://kantarainitiative.org
SAML 2.0 Security Assertion Markup Language
OpenID - Single Signon Give a person a unique URL - user proves control over that URL Facebook, Google, Twitter, Windows LiveID, Yahoo, OpenID
OAuth - moving info Uses secure tokens to authorize selective disclosure of information You tell Flickr to get your Facebook friends. Flickr redirects you to Facebook with a token You, logged into Facebook, authorize the transfer Facebook provides the data to Flickr
UMA - User Managed Access What information will be revealed. For what purpose will it be used. Who will have access to it.
- Edited by:
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|