
Wednesday, April 14, 2010

When will we see the end of the Password era?

I know. I know. Passwords are the simplest means of providing security to applications. A password is the simplest piece of knowledge that a subject/user can carry, compared with smart cards, certificates, fingerprints, retina scans or whatever stronger forms of security the world desires.

With the increasing processing power of cheap, low-cost computers, it will get increasingly easy to crack passwords.

So what is the solution?
* Make passwords as strong as possible? How will I remember all the passwords? I can just write them in my notebook.
* Ensure that the user changes passwords often and disallow reuse of the last 10-20 passwords? Ok, back to the notebook to keep track of all the accounts and their passwords.

Given the complexity of passwords and the proliferation of accounts that an individual manages in this socially connected, increasingly online world, I would say that the user will probably (wait, will definitely) use the same password for multiple accounts.

So what happens when the Apache infrastructure gets compromised and the attacker steals all the passwords? I will have to refer to my notebook to see what my Apache password was and which other accounts share the same password. I will then do due diligence in changing those passwords and feed the new information back into the notebook. Let's save paper: we will just maintain the password information in a simple file on my laptop.

I am sorry. I do not have any such notebook. But my brain is operating at its threshold right now, trying to remember all the accounts and their common passwords.

What are the solutions?

Wednesday, January 13, 2010

US Health Care : Patient Identity Identifier related White Paper

Over a decade ago, the US Congress voted against establishing a unique patient identifier in the US for every individual utilizing health care.

The Healthcare Information and Management Systems Society (HIMSS) is the healthcare industry’s membership organization exclusively focused on providing global leadership for the optimal use of healthcare information technology (IT) and management systems for the betterment of healthcare.

Developed by the HIMSS Patient Identity Integrity Work Group, the purpose of the Patient Identity Integrity White Paper is to identify the complex issues relating to the accuracy and completeness of electronic health data attached to or associated with an individual patient and the linking of all such data within and across systems. The paper discusses the critical business processes that must be in place to support and maintain the integrity of the data for quality of care, patient safety and cost management.

Download the White Paper here.

I was fortunate to be invited to this working group long ago and had provided some initial feedback on pseudonyms as the torch bearers of privacy.

Wednesday, December 23, 2009

Howard Schmidt: US Cyber Security Czar

It's official now.

Howard A. Schmidt is the newly appointed US Cyber Security Czar in the President Obama administration. The White House Blog entry, Introducing the New Cybersecurity Coordinator, and an email from Mr. John Brennan, Assistant to the President for Homeland Security and Counterterrorism, to the WhiteHouse.gov registered email addresses provide a great introduction to Howard.

My guess over the last few months was that either Bruce Schneier or Howard Schmidt would be chosen for the role. So my educated guess has been right.

In an illustrious career that has included being an advisor to a former President, Howard was also the president of the ISSA. He was an invited expert to the European Network and Information Security Agency (ENISA). His Wikipedia entry will provide more justification for his stature than this blog post. :)

I do hope Howard will gain more confidence in Open Source Software after "Open source software a security risk, study claims". He made a generic negative gesture toward Open Source software. :( In spite of this study, adoption of OSS has only increased.

Cyber Security Supply Chain Assurance

Reading the latest InformationWeek article by J. Nicholas Hoover titled "Securing The Cyber Supply Chain", I am wondering whether a trusted supply chain model for cyber security gives an advantage to large enterprises that handle the entire supply chain for their products.

While the reference assurance model designed by SAIC and the Robert H. Smith School of Business (University of Maryland) is commendable, I still have a lingering doubt about the undue advantage that well-established, vertically integrated companies (or a partnership/alliance) would have.

On the flip side, though, the threat is big. Ensuring a trusted ecosystem for critical systems in Government, Financial Institutions and National Security is a herculean task. So the reference model is certainly a positive step. But will it be harsh on smaller players? Maybe I am missing something.

Monday, December 21, 2009

PicketLink:: Identity Management and JBoss

It gives me pleasure to announce v1.0.0 of Project PicketLink (formerly JBoss Identity).

Website: http://jboss.org/picketlink

What does the project do?
PicketLink addresses the various facets of Identity Management and other areas of security at JBoss.

What does v1.0 provide?
* Federated Identity: Support for SAML v2.0, WS-Trust v1.3 and OpenID.
* IDM: An Identity Model for managing identities and associated behavior.

Which Servers are supported?
For Federated Identity support, we support servlet containers, but provide deeper integration with JBoss Application Server and Apache Tomcat.

What Projects have integrated?
* JBoss Seam has SAML support [From community volunteer Marcel Kolsteren].
* JBoss ESB has WS-Trust STS with SAML Token Support.
* RestEASY wants the OpenID integration.


Looking forward to v1.1:
* AuthZ, a developer-friendly access control API, led by Sohil, built on top of our XACML offering.
* Negotiation, led by Darran, with integration in EPP as well as WS-T Kerberos support.
* OAuth support.

I know there will be gaps and bugs which we will fix as we go forward.

Thursday, December 17, 2009

The Changing Terrain of the Internet

This week, I have seen two interesting bits of information on the internet that at least force you to think a bit.

Although the overall value of the Internet as a global information highway and enabler of international eCommerce cannot be denied, there certainly have been some alarming trends on the internet that would not have materialized otherwise (refer to item 1).

Information Item 1:
One interesting view is in Mint, an Indian newspaper associated with the WSJ, in a piece titled THE NEW FRONTIER OF TERROR—CYBERSPACE. Mr. Raghu Raman raises some very important questions about the usage of the Internet for purposes not in line with its original intent (the intent with which Sir Tim Berners-Lee created the WWW).


Information Item 2:
On a lighter side, we do have Israeli Rabbis issuing an ultimatum for a ban of the internet: Ultra-Orthodox Israeli Rabbis Rage Against The Internet

Is the Internet Evil? ;)

Wednesday, December 9, 2009

Subversion caches clear text passwords

If you are a subversion/svn user, then you may not be aware of this. By default, subversion caches your passwords to the repositories under the $HOME/.subversion/auth/svn.simple directory, in one or more files with arbitrary-looking names.

You need to do the following:
1) Delete all the files under $HOME/.subversion/auth/svn.simple
2) In the $HOME/.subversion/config file, uncomment the line:
store-passwords = no

The documentation says:
### Set store-passwords to 'no' to avoid storing passwords in the
### auth/ area of your config directory. It defaults to 'yes'.
### Note that this option only prevents saving of *new* passwords;
### it doesn't invalidate existing passwords. (To do that, remove
### the cache files by hand as described in the Subversion book.)
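The two steps above can be verified from a shell. The script below is an added example, not part of the original post: it lists the cache files under auth/svn.simple whose passtype is "simple" (the password itself is in the file, unlike the keyring-backed caches, which store only a reference) and reports whether store-passwords has actually been switched to no. The svn.simple "K n / V n" hash-dump format and the sample files are constructed here for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Subversion config directory
# for cached plaintext passwords and for the store-passwords setting.
# Assumes the layout the post describes (DIR/auth/svn.simple, DIR/config) and
# svn's "K n / V n" hash-dump cache format with a passtype key.

# Print the passtype recorded in one svn.simple cache file. "simple" means the
# password itself is in the file; keyring backends store only a reference.
svn_cache_passtype() {
    awk '$0 == "passtype" { getline; getline; print; exit }' "$1"
}

# List cache files under DIR/auth/svn.simple that carry a plaintext password.
svn_plaintext_caches() {
    dir="$1/auth/svn.simple"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(svn_cache_passtype "$f")" = "simple" ] && grep -qx password "$f"; then
            echo "$f"
        fi
    done
}

# Print "no" when an uncommented 'store-passwords = no' is present in DIR/config,
# otherwise "yes", which is Subversion's default.
svn_store_passwords() {
    cfg="$1/config"
    if [ -f "$cfg" ] && grep -Eq '^[[:space:]]*store-passwords[[:space:]]*=[[:space:]]*no' "$cfg"; then
        echo no
    else
        echo yes
    fi
}

# Constructed sample: one plaintext cache, one GNOME-keyring cache, and a
# config that still has store-passwords commented out (so the default applies).
make_sample_svn_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/auth/svn.simple"
    printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\ns3cret\nK 8\nusername\nV 5\nalice\nEND\n' \
        > "$d/auth/svn.simple/aaaa1111"
    printf 'K 8\npasstype\nV 13\ngnome-keyring\nK 8\nusername\nV 5\nalice\nEND\n' \
        > "$d/auth/svn.simple/bbbb2222"
    printf '[auth]\n# store-passwords = no\n' > "$d/config"
    echo "$d"
}

# Run with --demo to audit the constructed sample; otherwise audit ~/.subversion.
if [ "${1:-}" = "--demo" ]; then SVN_DIR=$(make_sample_svn_dir); else SVN_DIR="${SVN_DIR:-$HOME/.subversion}"; fi
echo "store-passwords: $(svn_store_passwords "$SVN_DIR")"
svn_plaintext_caches "$SVN_DIR" | sed 's/^/plaintext cache: /'
```

Any file the audit lists still holds a password even after store-passwords is set to no, which is exactly why step 1 (deleting the cache files) is needed as well.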


Have a safe source control system.


Disadvantage of not caching:
You will have to enter the password more frequently.

Related Issues:
There are similar issues with Maven. You need to provide clear text passwords for your repositories in the settings.xml file.



Additional Notes from Colleagues:

----------------------------------------------------------------------------
If you are using Fedora and have the subversion-gnome package installed,
subversion will store passwords in the GNOME keyring. The equivalent
package for storing passwords in the KDE wallet is subversion-kde.

Only if you do not have these packages will subversion store clear text
passwords, but it will warn you about it and recommend installing the
keyring support. Fedora users might want to double check whether they
have the aforementioned package installed. I'm sure distros other than
Fedora provide this feature as well.

-Alejandro
---------------------------------------------------------------------------
It does not seem to be the case with Mac OS; it seems to be linked to the keychain somehow.
That being said, if someone has root access to my machine, it shouldn't be too much of a problem to open keychain.

- Emmanuel
---------------------------------------------------------------------------

Tuesday, December 30, 2008

Dr. Ron Rivest on Computer Security and Cryptography

Dr. Dobb's Journal has posted a transcript of an interview with Dr. Ron Rivest from 1997. He talks about Computer Security and Cryptography. Even though the interview is dated, the concepts, concerns etc. remain the same.

You can find the interview here.

Some important comments from Dr. Rivest:

In general, security consists of implementing the policies of someone who designed the system, policies regarding who should have access to, and who should control, various kinds of information.


... probably safer using their credit card for Internet transactions than they are using it in a local restaurant. It's much easier for the clerk with a credit card slip to make off with your number than it is for someone to mount a sophisticated attack against an encrypted Internet line.


With electronic voting, you can tell that your vote has been counted.

Friday, July 25, 2008

JBoss is secure

We certainly strive to reach that goal.

Think about this: when we sleep at night, most of us lock the doors of our house. Why? We want to feel secure. The same phenomenon happens when we go out of town for a couple of days: we tell our neighbors to watch our house. Many times, burglars just break open a window and get in, or take something immediately. When that happens, you fix the window and continue to hope that your house is safe. Even when you install a security system in your house and pay some company a monthly fee, your house is not totally secure. Someone can still break in, pick something quickly and vanish before the authorities show up. What I am trying to drive at is that a totally secure system is a myth. The reasons are plenty: these so-called systems are developed by humans, who are prone to make mistakes and prone to overlook something. But we certainly can try to reach that goal of making a system as secure as possible. The system will become secure with the help of implementers, testers, users, maintainers, researchers and those who scream "fire, fire"!!! JBoss is no different. We get better as usage and feedback increase.

This week, there was a news article "Open-source software a security risk, study claims" which basically generalized that Open Source Software is risky from a security perspective. I will not go into a debate about the merits of this study or get into an argument over whether closed source products are more secure than the open source ones. You can read some debate here.

This report has been widely cited in the media. A positive thing about this report is that they have given top marks to JBoss on security, and pulled us down for not having a separate email address for privately reporting security vulnerabilities. Ok, that was an issue with our html editing abilities: we had not posted it in the right places to look.

You can view the following pages to get the security vulnerability reporting information now. I hope everyone is happy: JBoss Security

I have also put the information on my project page here: JBoss Security and Identity Management


Have you found a Security Vulnerability in any of the JBoss Products/Projects?

If yes, then you can email either at (security AT jboss DOT com) or (security AT jboss DOT org) for a private handling of your vulnerability information. You can also use the Red Hat Security page to report the vulnerability here.

At JBoss, we take security very seriously. I try hard to keep up to speed with all the latest developments in the security field. I am a member of multiple technical committees at the W3C, OASIS and the JCP. We try to provide the latest cutting-edge technology to the users while maintaining high security standards. I do interact with security experts in the industry and adopt best practices from those discussions. As an example, I had a breakfast discussion with Johnathan Nightingale, Human Shield, Mozilla Software Foundation. During the discussion Johnathan described how Mozilla adds test cases on the report of every vulnerability, so that regressions can be detected with every release. There, I had a perfect best practice to be adopted into our process at JBoss. :) Jeremiah Grossman, during his presentation at CSI 2007, told us that he would go to sleep at night (when he was the CSO at Yahoo and an early-20s kid) knowing fully that Yahoo would be hacked in the night from across the world. But he kept trying to beat the hackers. All that experience made Yahoo strong as well as launched a platform for his new company, WhiteHat Security. Security is not easy. Security is not complete. We just have to get better at it. ;)

Howard Schmidt has cautioned users to be wary of Open Source Software. I respect Howard mainly because he is the president of ISSA (where I am a member, and I read his message in the ISSA Journal every month). Howard is also an invited board member at ENISA. He has tons of security experience and is a well-respected visionary. He has made a general statement about open source software which may not be totally applicable to every OSS product.

Let's look at how US Federal Agencies are dealing with Open Source Software, with information from the public domain:
1) GSA has placed huge bets on JBoss. Read it here.
2) NSA is using RHEL5 and has provided security guidance here. RHEL is based on Fedora.
3) Bill Vass of Sun Federal says:
Vass, president and chief operating officer at Sun Microsystems Federal Inc., also cited open-source software, a Sun specialty. “More agencies are standardizing on open source,” he said. Small-business partners who understand the value of open source in addition to consolidation and virtualization are especially useful in government work, he said.


The march of the Open Source into the Federal Domain continues.


What else are we doing at JBoss to make everyone feel secure?

JBoss is undergoing Common Criteria Evaluation process to give its users the confidence needed that they are using a secure product that has undergone rigorous security evaluation.

I thank everyone for using JBoss. I also thank the author of the study for giving us top marks for being secure (and we have fixed the html pages to showcase an email address to report vulnerabilities).

Looking onward!

If you are unhappy with JBoss Security and would like to devour me for dinner, then you can email me at Anil DOT Saldhana AT redhat DOT com.

Anil is the Chief Bottle Washer for Security at JBoss. He greatly appreciates the gesture from the community here.

Saturday, May 3, 2008

Incorporating Secure Coding Guidelines in Curriculum

An interesting read on Mary Ann Davidson's blog about the Supply Chain Problem. Mary is the Chief Security Officer of Oracle Corporation. She brings out some excellent observations about the lack of security education in universities as part of the regular curriculum. The "Time To Market" and "Please The Market" courses have kind of engulfed the typical curriculum. Hence the traditional Computer Science courses have taken a back seat. If developers have no clue what O-notation means, or what depth-first/breadth-first search or traversal means, then you can visualize the quality of software over time.

Do we need to incorporate secure coding practices into the curriculum of Computer Studies? I am sure having at least one mandatory course would not be bad. The question is where the colleges will find the right faculty to teach security. Now that is an interesting question to be answered. The right thing would be to inculcate security into the relevant courses.

But what Mary is pushing for is a necessity of the software industry.

Friday, January 25, 2008

New $2B Dutch Transport Card is Insecure

Ed Felten, in his blog entry "New $2B Dutch Transport Card is Insecure", writes about the Dutch transportation card that is said to be insecure.

The problem is highlighted in the following statement:
Unfortunately the designers of Mifare Classic did not follow this principle. Instead, they chose to combine a secret algorithm with a relatively short 48-bit key. This is a problem because once you know the algorithm it’s possible for an attacker to search the entire 48-bit key space, and therefore to forge cards, in a matter of days or weeks. With 48 key bits, there are only about 280 trillion possible keys, which sounds like a lot to the person on the street but isn’t much of a barrier to today’s computers.


An extremely healthy discussion is going on in the comments section of the aforementioned blog post of Ed's.