A Couple “ID Tool ToGo” Questions Addressed

June 16th, 2007

Thanks to Michael Berman over at Grok Computer Security for the mention Friday, following the announcement of ID Tool ToGo. Also a nice article over at Dark Reading “Authentication Goes USB Route“.

I thought I’d respond here to Michael Berman’s comments and provide a couple confirmations and clarifications:

Yes, we use two authentication “stores”. In the TriCipher solution set (our name alludes to our three-key technology) we use public key crypto, but instead of a single private key paired with a public key, each user has two private keys and one public key: a private key the user controls and a second private key kept on the TriCipher ID Vault appliance. The third key is, of course, the public key.

For our “USB key” feature, the USB device serves as the second, “what you have” factor and works in conjunction with the user’s password. These two components are used to recreate what is best thought of as the “user’s key”. Note that loss or theft of the USB key gives an attacker no way to guess or work backward to the password. The same holds for theft of the password: whether phished, pharmed, keylogged or socially engineered in any way, possession of the password alone is useless without the USB key.

The “user’s key” is used in conjunction with the other private key for that user, kept on the ID Vault (the ID Vault key). To authenticate, both the user’s key and the ID Vault key co-sign, if you will, and thereby produce a standard, X.509 certificate-based, verifiable signature for any client-SSL enabled relying party site. A decent analogy is going into a bank to open a safety deposit box, where the bank manager has a key and you have a key. The box can only be opened when both parties are present and perform their function.

Couple important points:

  • Relying party needs no TriCipher code to accomplish this standards-based function.
  • The two private keys for each user are never recombined anywhere to be compromisable in a single location.
  • The user’s private key is never stored anywhere, ever.

While an understandably confusing point, no, we do not get in the middle between authenticating sites and users. We use the true two-way, mutual authentication SSL mechanism built into both the server and client ends. All of our “magic sauce” briefly described above happens between the client and the TriCipher ID Vault directly. It is pretty accurate to think of the connection between the client and the ID Vault as forming a secure, virtual smart card. Certainly as far as the client code is concerned, the signature is performed by a local smart card, as we again use the existing standard signing interfaces, CAPI and PKCS#11.
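To make the two-private-keys, one-public-key idea concrete, here is an added illustration that is not TriCipher’s code and does not describe the ID Vault protocol itself. It assumes an additive split of an RSA private exponent (the construction used in mediated RSA): d = d_user + d_vault mod phi(n). The user’s share is re-derived from the password plus a secret held on the USB device with a KDF each time it is needed, so it is never stored; the vault holds only its own share; each side produces a partial signature and the two are multiplied into one ordinary RSA signature that any relying party can verify with just (n, e). The full exponent exists only transiently at enrollment. Key sizes are toy and the hash is signed without padding so the script runs in a second or two; it is not production crypto.

```python
"""Illustrative split-key signing: two private shares, one public key.

Additive split of an RSA private exponent (as in mediated RSA):
    d = d_user + d_vault  (mod phi(n))
Not TriCipher's code; toy sizes and unpadded hash signing for illustration only.
"""
import hashlib
import secrets

PUBLIC_EXPONENT = 65537


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (enough for a demo modulus)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def user_share(password: str, usb_secret: bytes) -> int:
    """Recreate the user's private share from both factors; nothing is stored.

    A wrong password or a different USB secret yields a different, useless share.
    The raw KDF output is used as the exponent so the user never needs phi(n)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), usb_secret, 100_000, dklen=64)
    return int.from_bytes(raw, "big")


def enroll(password: str, usb_secret: bytes, bits: int = 256):
    """One-time setup. Returns ((n, e), d_vault); phi(n) and d are discarded."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        try:
            d = pow(PUBLIC_EXPONENT, -1, phi)
            break
        except ValueError:          # gcd(e, phi) != 1, pick new primes
            continue
    n = p * q
    d_vault = (d - user_share(password, usb_secret)) % phi
    return (n, PUBLIC_EXPONENT), d_vault


def digest_of(message: bytes, n: int) -> int:
    """Hash the message to an integer below n (toy: no signature padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def partial_sign(digest: int, share: int, n: int) -> int:
    """One party's contribution; meaningless on its own."""
    return pow(digest, share, n)


def cosign(digest: int, d_user: int, d_vault: int, n: int) -> int:
    """Combine the client's and the vault's partial signatures."""
    return (partial_sign(digest, d_user, n) * partial_sign(digest, d_vault, n)) % n


def verify(digest: int, signature: int, n: int, e: int) -> bool:
    """Plain RSA verification; the relying party only ever sees (n, e)."""
    return pow(signature, e, n) == digest


def demo() -> dict:
    """Constructed sample run: the right factors verify, anything less does not."""
    usb = secrets.token_bytes(32)                     # secret held on the USB device
    (n, e), d_vault = enroll("correct horse battery", usb)
    h = digest_of(b"client-SSL challenge", n)
    good = cosign(h, user_share("correct horse battery", usb), d_vault, n)
    bad_pw = cosign(h, user_share("wrong password", usb), d_vault, n)
    no_usb = cosign(h, user_share("correct horse battery", secrets.token_bytes(32)), d_vault, n)
    return {
        "password + USB + vault": verify(h, good, n, e),
        "wrong password": verify(h, bad_pw, n, e),
        "stolen password, no USB": verify(h, no_usb, n, e),
        "vault share alone": verify(h, partial_sign(h, d_vault, n), n, e),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'verified' if ok else 'rejected'}")
```

Note that `enroll` is the only place where phi(n) and the full d appear, and both are local variables that die when it returns; afterwards neither the client nor the vault can produce a signature alone, and a stolen password without the USB secret (or vice versa) derives a share that does not match the vault’s.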

Of course, there is a lot more to tout about the benefits of our solution, but I’ll restrain myself to hopefully clarifying a couple points this particular product function raised.

NIST Alerts on SiteKey / Passmark

June 10th, 2007

As a vendor in the strong authentication space I feel that my criticism of certain practices that competing vendors live and breathe on is not only not taken seriously, but nearly completely discounted. To be honest, this is completely understandable, but consequently I am happy when 3rd party sources point out various shortcomings and problems. Recently, the following bulletins were pointed out to me and I thought I would mention them here to buttress points made in earlier posts. In this case SiteKey / Passmark is called out, but I would generalize these problems to many offerings in the “strong authentication” space. I put “strong authentication” in quotes as most of these approaches are not actually strong and never were, but were pitched as such. Let’s review them in order as listed on the NIST National Vulnerability Database. I hope readers will perform their own searches and comment on other pertinent situations back here.

Warning, this post contains blatant compare and contrast content about TriCipher’s offering in context of these three vulnerabilities. I’ll try not to do this too often, but I believe these are valuable touchpoints to discuss fully and removing my own vendor hat doesn’t seem particularly useful for this post.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7199
“EMC RSA Security SiteKey allows remote attackers to display the correct image via a man-in-the-middle (MITM) attack in which an attacker-controlled server proxies authentication data to and from a legitimate SiteKey server.”

This vulnerability basically points to what I’ve generally referred to as the “device registration man-in-the-middle (MITM)” problem. In this attack users are drawn to a false site which proxies the actual site. The proxy of course doesn’t have the cookie that the user does and consequently walks the user through the source site’s “register your device” screens. This happens whether the user actually has the 2nd factor cookie or not. Given that users have now been conditioned to go through this process so many times that it isn’t an exceptional event worthy of concern, they complete the process. The attacker now ends up with the password and a legitimate cookie and off they go, with the user none the wiser.

The “vendor disputes” note points to the fact that everyone acknowledges this is a weak system and that backup monitoring is necessary. This is why so many solutions that originally touted themselves as “two-way, two-factor” moved much more strongly into the fraud detection space, such that the detection offering became the true value of their products. Passmark (which is what Bank of America’s SiteKey is) and Bharosa are two examples of this. See my earlier post “Pictures and fraud detection” for more. All such light-touch, i.e. no-client-touch, solutions are vulnerable to this simple attack, including the lowest rung of the TriCipher solution, which uses cookies / device markers. Vendor pitch alert: fortunately for us, we have many more secure offerings on the same platform, so as risk and attacks rise, our customers have somewhere to go without a new implementation.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7200
“EMC RSA Security SiteKey issues challenge-bypass tokens that persist forever without a cancellation interface for end users, which makes it easier for attackers to bypass one stage of authentication by stealing and replaying a token.”

This one is pretty simple and straightforward. Cookies are planted and, unless deleted, are persistent and consistent across all registered machines. The Passmark system apparently doesn’t know which machines are registered and has no way to unregister devices. To be honest, I’m pretty surprised they haven’t fixed this, as it was, and apparently still is, a nice competitive differentiator for us at TriCipher.

Vendor pitch alert: we mark each device independently and provide an interface so that users can name each device for their own ease of use. We then provide the interface for users to unregister single devices or, in a real moment of paranoia, unregister all devices. This seemed like prudent and obvious practice to us, and the fact that Passmark hasn’t fixed it indicates they truly are focused on the back end detection, best-guess approach to supposedly strong authentication.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7201
“EMC RSA Security SiteKey does not set the secure qualifier on the SiteKey Flash token (aka the PassMark Flash shared object), which might allow remote attackers to obtain the token via HTTP.”

To be honest, this is a nice technical callout by the folks at NIST, but given the simplicity of the attack in CVE-2006-7200, I’m not sure adding the secure qualifier would buy much. Sure, this “secure qualifier” issue is rated higher, presumably because authentication is not required to exploit it, but it still requires the victim’s voluntary interaction with the attack mechanism. Certainly something worth fixing from an “attention to security detail” standpoint, but addressing the “device registration MITM” attack seems to buy more.

Vendor pitch alert: Of course, moving up TriCipher’s Authentication Ladder would buy significantly more protection across the board.
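The per-device practice described under CVE-2006-7200 (one independent marker per device, user-chosen names, revoke one or revoke all) and the transport point under CVE-2006-7201 (the token must never travel over plain HTTP) fit in one small model. What follows is an added example written for this page, not TriCipher’s or Passmark’s code; the “deviceid.token” marker layout, the `DeviceRegistry` class and the cookie name `devmarker` are assumptions. The server stores only a hash of each token, so a leaked registry cannot be replayed, and a marker from a revoked device is rejected even though the token itself is still valid-looking. Nothing here addresses the registration-MITM problem from CVE-2006-7199; as the post says, that needs something on the client side.

```python
"""Per-device registration markers with naming and revocation, plus the
Secure/HttpOnly attributes the marker cookie must carry. Illustrative only."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _hash_token(token: str) -> str:
    # Only the hash is kept server-side; a registry leak yields nothing replayable.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Device:
    name: str            # user-chosen label, e.g. "home laptop"
    token_hash: str
    registered_at: float
    revoked: bool = False


class DeviceRegistry:
    def __init__(self) -> None:
        self._devices: Dict[str, Dict[str, Device]] = {}   # user -> device_id -> Device

    def register(self, user: str, name: str) -> str:
        """Issue a fresh marker for one device; the raw token goes only to that device."""
        device_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._devices.setdefault(user, {})[device_id] = Device(name, _hash_token(token), time.time())
        return f"{device_id}.{token}"          # assumed marker layout

    def list_devices(self, user: str) -> List[Tuple[str, str, bool]]:
        """What the user sees in the management screen: (id, name, revoked)."""
        return [(i, d.name, d.revoked) for i, d in self._devices.get(user, {}).items()]

    def revoke(self, user: str, device_id: str) -> bool:
        """Unregister a single device; returns False if unknown or already revoked."""
        dev = self._devices.get(user, {}).get(device_id)
        if dev is None or dev.revoked:
            return False
        dev.revoked = True
        return True

    def revoke_all(self, user: str) -> int:
        """The 'moment of paranoia' button; returns how many were newly revoked."""
        return sum(self.revoke(user, i) for i in list(self._devices.get(user, {})))

    def is_registered(self, user: str, marker: str) -> bool:
        """Validate a presented marker; malformed, foreign or revoked markers fail."""
        device_id, sep, token = marker.partition(".")
        if not sep:
            return False
        dev = self._devices.get(user, {}).get(device_id)
        if dev is None or dev.revoked:
            return False
        return hmac.compare_digest(dev.token_hash, _hash_token(token))


def set_cookie_header(marker: str, secure: bool = True) -> str:
    """Build the Set-Cookie line carrying the marker. secure=False reproduces the
    kind of omission CVE-2006-7201 describes: the browser would also send the
    marker on plain-HTTP requests, where a network attacker can read it."""
    attrs = ["Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: devmarker=" + marker + "; " + "; ".join(attrs)


def cookie_flags_ok(header: str) -> bool:
    """Audit check: a Set-Cookie header must carry both Secure and HttpOnly."""
    _, _, value = header.partition(":")
    attrs = {part.strip().lower() for part in value.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs


if __name__ == "__main__":
    reg = DeviceRegistry()
    laptop = reg.register("alice", "home laptop")
    print(reg.list_devices("alice"))
    reg.revoke("alice", laptop.split(".")[0])
    print("replay after revoke accepted:", reg.is_registered("alice", laptop))
    print(set_cookie_header(laptop))
```

The audit function is the kind of check worth running against every authentication-related `Set-Cookie` an application emits; the same idea applies to a Flash shared object’s `secure` parameter, which is what the NVD entry actually calls out.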

So there you have some 3rd party call-outs of issues with the light touch, pictures and cookies approach. While I’m tempted to apologize for the strong TriCipher pitch content in this post, I believe it is important to discuss not only these vulnerabilities, but the entire “light-touch, make the user feel safe, but not actually make them safe” approach.

I did a few searches on one time passwords, OTP and MITM, but didn’t find any entries on the Vulnerabilities database calling out the known and real world implementation attacks against OTP systems. I’ll keep looking and report back here should I find them or not.

Yikes, where did those last 10 weeks go?

June 1st, 2007

Needless to say, I’ve been busy regardless of the lack of activity here on the blog. I’ve crisscrossed the U.S. several times and the Atlantic twice as well. Once on business and once more for pleasure.

For my first post after such a long gap, I’m going to chat quickly about two events I attended that tie most directly to this blog. The FTC: ID Proof Positive event in Washington, DC on April 23-24 and the Online Game Developers Conference in Seattle May 10-11.

The FTC event as you can imagine was a bit dry, but I’d like to share one positive line of thinking I heard and one negative.

First the positive. Several speakers actually reiterated an important point: the threat to user confidence is at least as important as, and probably more important than, the direct dollar losses to online attacks. There is a big disparity between, on one hand, speaking to user communities under constant assault from a dizzying array of attacks and press coverage of millions of users’ identities being compromised, and, on the other hand, speaking to financial institutions that point to their “very manageable fraud loss rates”. Indications from the past holiday cycle point out that while total spending was up, the number of folks doing that spending didn’t grow much. Looks like confidence is down except for those already “in”. But if loss rates are still low, there’s no incentive for anyone to get too concerned.

Really? Are we digital life people just so insulated from the rest of the real world that we believe everyone is on the e-bandwagon? Check around you. I’m constantly surprised by the number of people in high-tech sectors that won’t transact online on a dare. The majority of my non-high-tech friends also are very skittish about transacting online. Seems everyone on the e-field should be anxious to get those spectating from the stands to join us and bring their e-money.

Now to the negative. There was a panel late on the 23rd roughly titled “FFIEC 4 Months In”. I almost felt sorry for the FFIEC guidance representative on the panel. Clearly I’m not the only one who believes the latest guidance was so loose as to accomplish almost nothing for consumers, though admittedly it was a boon to us vendors. Here are a couple of interesting high points I noted:

  1. When asked about what was and wasn’t actually suitable for online banking he indicated “anomaly detection alone does not satisfy the guidance” [undoubtedly a paraphrase, I’m not that great a note taker]. Wow. It will be interesting to get back with some banks that placed their entire guidance compliance in the hands of anomaly detection. While I am clearly a strong authentication kinda guy, am I against fraud detection? Of course not. I believe in defense in depth as much as any competent security practitioner in the virtual or real world, but as the sole security layer of supposed multi-factor authentication, no way.
  2. When asked about where things should then next head for MFA, he actually mentioned OTPs as the next big thing for moving up in security levels. Now I can understand why an FFIEC guy (or gal) wouldn’t be up on the cutting edge of security attack vectors, techniques and cracks, but doesn’t he read his own industry press? Citibank wasn’t the only publicly compromised OTP deployment last year. Heck, the FFIEC is mentioned specifically in this article, though don’t get me started on the non sequitur of the last line from Mr. Lam.
  3. Given #1 and #2 above and that one smart tech guy on the panel had already rained on most of the rest of the FFIEC guidance items as broken and busted, I could hardly spit out my question, “So if this guidance is already full of measures that are compromised, when can we expect FFIEC-2?”. There was a lot of hemming and hawing, but basically the direct answer was, [paraphrased] “The FFIEC doesn’t want to create confusion and pain for the financial institutions. Our last note on these lines was in 2001, sooo…”. Seriously, I swear to you he trailed off. Clearly then it will be years before they step up, if the same gap holds true, they won’t come back with something till 2009. Will other regulators step in? Will they also seriously undershoot the already demonstrable threat level in 2009?

So now onto a more pleasant topic, online gaming. The OGDC was very interesting both from a professional and personal standpoint. When there weren’t direct security or infrastructure sessions, I sat in on a few of the more creative sessions. It was very interesting to listen to some “inside baseball” discussions from those that take technology, story and interfaces to deliver entertainment and that ever elusive “fun”.

Not as much to report there. A couple of points pretty well sum it up.

  1. Several sessions reported on data showing that a compromised World of Warcraft (WoW) account is worth twice as much ($10) as a compromised credit card ($5) on the black market.
  2. I chatted with a senior developer about his MMO’s need to strengthen authentication against phishing and other social engineering attacks that we gamers increasingly hear about. He indicated that his company preferred to deal with these theft cases as a customer support issue. Should a user’s account get compromised and they login to find all their hard earned loot sold out from under them, the support folks will investigate the logs and try to validate the “supposed victim’s story”. If the story seems true, the stuff can be reinstated. Good luck proving a customer did or didn’t share the account and just get taken by “friendly fraud”.

Now, that is certainly a feasible approach, but I’d be one irritated user, as what would stop this from happening again? Especially if the attack was launched with a keylogger just waiting to do it to me again? Doesn’t seem like customer care to me, but then I’m biased, cuz I’m a vendor trying to sell the MMO something, right? True enough, but that doesn’t mean that as a gamer I’m not seriously peeved at this attitude.

Curious as to others thoughts about why a WoW account is so much more valuable than a credit card. My quick and dirty analysis is thus:
* Check the prices online for purchase of a top level character. Looks like starting prices are around $454 running up to $749 for some of the quick searches I ran on this site.
* What do you think will get the FBI or other law enforcement’s attention more: “Our merchant database of 200,000 credit cards was stolen” or “200,000 had all their Shadoweave Robes and other virtual stuff stolen”?

Seems like the old risk / reward equation makes this seem pretty self explanatory, but maybe I’m oversimplifying.

Customer education is not a plan

March 19th, 2007

I would like to pick up the thought thread from my Feb 23, “Pictures and fraud detection” entry, you may want to scroll down there, read that and come back.  Tying into that thread are two news items from last week that you should also read or at least scan before continuing:

  1. Tracking the Password Thieves by Brian Krebs / Security Fix
  2. Thieves raid online accounts in penny stock scam by Kathleen Pender / San Francisco Chronicle

So what’s special about two more “people got ripped off online” stories?

First tie-in to my Feb 23 posting is the fact that this is just another in an ongoing line of similar stories and regardless of whether they indicate some new attack vector or not, these add up to an ongoing drumbeat to many consumers that they should continue to avoid the online channel.  This of course has immediate impact on e-commerce bottom lines as revenue is lost and profit margin and productivity gains remain unrealized.

Second tie-in to the previous post is that the seven affected brokerage firms spent roughly $300k each “attempting to make their customers whole”.  Being a vendor in this space I can pretty confidently assert these seven firms could have purchased “a product” on average for no more than that and it would have prevented this attack.  Note the attackers logged in as the victims.  Simple password theft, though the method of password obtainment is not mentioned in the pump-n-dump article. 

  • Unbelievable to me that John Reed Stark of the SEC indicates the thieves “did not penetrate the brokerage firms’ infrastructure or security systems”.  If I were one of the 30 - 40 victims, I would certainly be taking issue with that statement.  The thieves make off with $732,941, the brokerages spend $2,000,000 making victims whole (no, the math doesn’t make sense to me either, must be some “hush-type” money involved, eh?), the attackers likely have lots of personal identity information on these same victims and there wasn’t a penetration of the security system?  Really?!  Or is he saying this is how they designed their security system to work?

Third tie-in, fraud detection is a great thing, but it is lousy all alone as a security system.  Did you only install motion detectors in your house when you installed your security system?  Didn’t think so.  Time to add a truly strong perimeter, i.e. strong authentication, to your defense-in-depth strategy.

These are all obvious things really, but the last and actually most important thing I’d like to tie-in here is:

Can we please quit playing the “educate the end-user” card?  This can no longer be proffered by serious security professionals as a prominent part of a security plan.  I would actually argue it is exactly the lack of a plan that leads to this being plied as a significant e-commerce security component.  I’m reminded of my favorite line from my favorite B-movie, Tremors.  While running for their lives from the monster, Kevin Bacon asserts “I have a plan”, to which Fred Ward replies, “Running isn’t a plan, running is what you do when a plan fails!”.

Please go back and revisit the list of victims in Brian Krebs’ piece on Password Thieves.  So only one of them is a computer security professional from IBM, but these aren’t exactly Ma & Pa Smith online bankers either.  Do I have anything against Ma & Pa Smith?  Of course not.  On the contrary, Ma & Pa Smith are the realization of the adoption being sought.  Get everyone to the presumably low cost online channel, once you quit paying “make customer whole” settlements, anyway.  If we can’t provide an environment where even arguably “educated” consumers, such as these, can safely and confidently transact, what hope is there to get the timid, the paranoid or just plain “newbie” to come join us?  By the way, at this point, aren’t they only showing properly rational behavior given the identity theft and account compromise coverage they see and hear daily?

We need to give our current and would-be customers a security environment that protects them not only from the thieves, but from themselves and the complexities of their computing environment.  Customers shouldn’t have to hold associate’s degrees in computer security and maintain a “25 best practices” list to get online and get something done.  We need to give them secure tools properly designed to be “user-proof”, attacker thwarting and still simple to use.  I know that for me, this is the starting point of all design discussions in my particular arena, strong authentication and digital credential issuance.  How about where you ply your trade?


Who is Hahleq?

March 4th, 2007

Both of you that read this blog thus far may be wondering what the picture in the upper right corner is, as it obviously isn’t a picture of me.  Also to the right in the Blogroll you’ll see a link to “Hahleq’s Hideout”, a web page of mine that generally is neglected, but does provide a few links to other interests of mine.  The picture of “me” is actually the picture I use associated with my Xbox Live persona.  Basically, except for business communications, if you want to find me on any forum just look for me as “Hahleq”.

So the obvious answer to the question posed in this post’s title is, Hahleq is my online alter ego.  So the next question is, why bring that into this forum?  The answer should be obvious and transparent.  This blog is about identity and Hahleq is one of my identities.  I have used this identity online now for over 10 years.  There are a lot of people I frequently correspond with in various forums and across various interests that know “me” only as Hahleq.

Clearly, I’m not doing this to try and mask who I really am, as a couple quick links around and some use of Google would reveal that the “real world” identity of Hahleq is actually, Tim Renshaw.  Interesting to think however, that for many of those who know me only as Hahleq, what would the revelation of my real name really gain them?  What they think of me and how they relate to me is established by our historical interactions.  We generally refer to this as reputation. 

Sure, they might feel differently to find out my age, my career pursuit and background, my marital status, my geographic location, etc., but this is generally immaterial to the context in which I currently interface with them.  These relationships range from very shallow to relatively in-depth.  Of course, many of these folks also are known to me by their online nom de plume (sorry, as a blogger, I feel incented to occasionally use needlessly intellectual phraseology) or screen name.  This is where the idea of anonymity comes into play.

I’m obviously not revealing any novel or earth shattering concepts here, but these concepts lie behind so many discussions I’m having lately across so many seemingly disparate online venues, that I need to put some of these thoughts on a page.  Strong authentication, validated identity, reputation, anonymity, privacy, verifiable assertions, etc. run through everything from the very business oriented forums such as online banking, brokerage, e-commerce payment and digital content controls to the seemingly less serious (that’s in the eye of the beholder or partaker, though, no?) community forums, ranging from social networks of all types to online video gaming, from the PC to the various consoles both handheld and in the home entertainment center.  You can check out my thoughts on how important identity is for me, and I suspect for many others, over at my purely gaming related blog at GameSpot in this particular post.

What are your various online identities and how do you view their value (i.e. why use an avatar)?  Or do you forswear such schemes and use your real name everywhere?  If so, why?

Pictures and fraud detection

February 23rd, 2007

If you haven’t had a chance to read the Harvard / MIT study on users’ lack of attentiveness to various visual clues, including the ludicrous “pick a picture” scheme popularized by Passmark, you should go give it a look.  It is aptly titled “The Emperor’s New Security Indicators“.

Louie Gasparini, co-CTO of the consumer division of RSA (the security division of EMC, stuck selling the Passmark site-to-user authentication technology), was given a chance to respond to this study over at the Wall Street & Technology blog.  My response to his response is the first comment on that page, or, for your reading pleasure, as follows:

I find it interesting that Mr. Gasparini would use the door lock analogy given that he’s arguing for a security system that is completely reliant on the equivalent of motion detectors alone in a physical security system. Fraud detection techniques, the invisible authentication he alludes to, are a perfectly reasonable approach in a layered approach, but not as the only layer. The Harvard / MIT study and Mr. Gasparini’s own response point to the fact that the entire, supposed 2-way, 2-factor picture mechanic is nothing more than a “reassuring” device and of no security value at all. So where are the layers?

How many motion detectors, pressure pads, video surveillance cameras would you need to have in your house or business before you would feel comfortable to remove all the doors and windows? Yet, this is what consumers are being asked to put up with from those that want their online business, but aren’t willing to exert anything but the bare minimum to protect themselves and nothing to protect the consumer. Bank risk mitigation? Yes. Consumers though, feel good with your pictures, manage your own risk and good luck out there.

Until we security professionals can impress upon our business application colleagues / customers that we need to do something from the client side and not just the server side, customers remain on their own. “Caveat emptor” should be changed to “caveat surfer”.

I want to build on this in following posts.  In the meantime, ponder who is to blame for the sad state of affairs that exists with regard to how chintzy and half-hearted efforts are to secure consumers, instead forcing them to be their own security experts when they can’t or won’t even follow the seemingly simplest instructions.  Also, why do financial institutions fear customers actually calling them for a little security support more than they can envision the revenue upside of more customers actually using a more secure online channel confidently?  When will online entities move to use true, strong security features as a competitive driver, similar to when automakers embraced safety features as differentiating components?

Obligatory first post introduction

February 15th, 2007

Welcome. Let’s get right to it. Why are we here? You, I don’t know. Hopefully you are looking for the content we will build together here. Me, I’m here to blather about my thoughts on a wide variety of online identity, privacy and general online or digital life issues. Hopefully, this will very much be a two-way discussion where we kick around ideas started here or in other sites covering the same topics, so chime in.

Since this is my kick-off post, it seems there are a couple launch items we should get out of the way:

  1. Who the heck is Tim Renshaw?
  2. What is the affiliation with TriCipher, Inc. my employer?
  3. What is going to be discussed here?

You can check out my bio here on the TriCipher, Inc. web site.  I am a married guy, no kids, two dogs, who has worked in the e-commerce space certainly since joining CheckFree back in 1998. My two main hobbies are electronic gaming of all kinds and on all platforms and fishing, you know for actual fish like bass, not phishing. We’ll get to that in due course :-). I have been involved in IT matters and technology as part of my career since the late 80s when PCs and networks exploded throughout the Bank enterprises where I worked.  As a result, I got sucked into technology and found it appealed to me much more than the actual banking business did.  A lot of hands-on hours later mucking around in the guts of PCs, networks and servers I ended up working in the audit department of Banc One, now part of JPMC, where I was exposed to not only being audited but what a good auditor and audit process accomplishes.

Needless to say, all along the way security has been a day to day concern, both for the user communities I served, and as everything increasingly came online to the larger world, concern for my own servers and systems.  Authorization and authentication issues were part of daily, real world management and implementation.  Walking the line of enforcing security and audit policy while trying to keep my support calls and general user unhappiness from escalating has been part of my daily thought process for years.  Additionally, while at CheckFree working on various bill presentment and payment products, the clear linkage between user authentication, account authentication and fraud relationships made a distinct impression.

Which brings me to my current employment / affiliation at TriCipher, Inc.  I joined the company, then called SingleSignOn.Net in 2001 after being introduced to their novel digital credential technology developed into a deployable product. I’m still with the company, now TriCipher, after 6 years because what I saw then as an effective and workable answer to the issues of strong authentication, reliable identity, federated identity, digital signing, personal data controls and privacy / anonymity issues are unfortunately, only now being seriously addressed in the internet e-commerce and emerging inter-social-blogo-web2.0-mobile-multidevice world.  All that being said, this is not going to be an ad site for TriCipher, however, I am also not going to try and mask the fact that I am a huge advocate for our technology or that I come from a pro-TriCipher technology point of view.  I don’t believe anyone can be completely objective about things they truly believe in and I believe in strong, easy to use, digital credentials and I believe TriCipher Armored Credentials are all that and a bag of chips.  The items posted here will be mine alone and by no means are to be taken as official TriCipher statements, policy or (insert your own typical legal CYA-speak here).  So there, that’s out of the way.

Last on my “first post list” is what are we going to be discussing here?  Well if it hasn’t become clear at this point I’m going to be posting about issues loosely around: strong authentication, reliable identity, federated identity, digital signing, personal data controls and privacy / anonymity issues as well as how these relate to the things we like to do online:  shop, chat, game, blog, consume and interact with various digital media.  Roughly stated, I’m going to speak my mind on items relating to our ever emerging online life and the issues that matter to those of us that consider online as an important part of what comprises our overall lives.  Where it goes from there is up to you, the readers and hopefully posters.