Microsoft passport is a facility from MS which offers single sign on capabilities. With SSO, user don't need to remember each password for each service providers. This will eliminate the need, burden for many, of creating/maintaining and remembering different user IDs and passowrds for various web sites or services. When you authenticated to a universal authentication sign-on service, your service provider relies on the information from the SSO server.
For example, you want to use the services from example_flightbooking.com, a web site which provides services for booking flights online. This site accepts your credit card and otehr personal information and you expect those personal information would be kept secured.
Another service where you would want to book your accommodation at the place where you are flying to, using the web site, example_hotelbooking.com. This site provides services for you to view and book hotel rooms online. Authentication to this service provider is done by providing a seperate user name and password same or different from example_flightbooking.com
If the user chooses to use same User ID and Password for these two sites, there comes a major risk. If one of the site is fraduelent or an attacker obtains the User ID and password by means of social engineering, phishing and/or sniffing etc, he can use this User ID and password for both the sites and can obtain personal information stored in these sites, along with Credit card and other vital informations would be lost and the user would become a victim of Identity Theft.
Alternatively, if you choose to different User IDs and passwords with each of the service providers, users have the burden to remember all these login credentials. Chances are there for using same credentials or easily-comprimisable credentails.
Single Sign-on helps to reduce this problem to a great level. With this Universal Authentication service system, both Users and Service providers (like example_flightbooking.com, example_hotelbooking.com) trust a universal authentication service system.
There are a number of steps for successful enrolment and using the SSO. First Service Providers should be enroled with SSO servers by means of a contract. Some SSO needs a fee to use their service. Secondly, users who wish to use services from Service providers also need to be enroled with the SSO.
Whenever a service provider needs a user to be authenticated to use their service, the service provider redirects the user to the SSO login page. User provides the credentials he/she registerd with the SSO. ON successful login, SSO issues a ticket or a cookie, which are generated using cryptographic means. An example can be a shared key between the Service provider and the SSO (usually a shared thriple DES key). After this, when the user access the Service providers site, the ticket from the SSO is provided which will be verified by the service provider (here, as we mentioned, by a shared key agreed between the service provider and the SSO server). If its verified to be issued by the SSO, the user is authenticated.
Examples of SSO are MS Passport system which supports Kerberos protocol to issue a ticket to the service provider.
Advantages for the user is it helps to eliminate remembering various passwords. Also, they can trust a service provider as their enrolment with a SSO system gives some trust to the end user.
Disadvantage is that the server could be a single point of failure. That is, for example, if the MS Passport server which grants the service fails, the user won't be able to use any services offered by Service providers who use the Passport server system.
One of the threat can be a Denial of Service (DoS) attack to the central server which makes it impossible of users and merchants to access the MS Passport Server.
Like wise, if the central server is compromised by an internal or external intruder, all the data can be taken away and can be used fraud purposes.
Information Security
On this blog, I will be posting topics related to Information Security. This may cover Cryptography, Security Management, Network Security, Risk Management, Compliances, ISO 17799, ISO 27001, Security Developments, Application Security, Software Security, Laws and Regulations applicable to Information transmission and storage etc..
Thursday, 2 July 2009
Saturday, 26 July 2008
Single Sign On or SSO
With SSO, users don't need to remember each password for each service providers. When you authenticated to a universal authentication sign-on service, your service provider relies on the information from the SSO server.
For example, you want to use the services from example_flightbooking.com, a web site which provides services for booking flights online. This site accepts your credit card and other personal information and you expect it must be kept secured.
Let another sevice which you would be using in conjuntion with flight booking be a accommodation booking service where you would want to book your accommodation at the place where you are flying to, using the web site, example_hotelbooking.com. This site provides services for you to view and book hotel rooms online. Authentication to this service provider is done by providing a separate user name and password same or different from example_flightbooking.com
If the user chooses to use same User ID and Password for these two sites, there comes a major risk. If one of the site is fraudulent or an attacker obtains the User ID and password by means of social engineering or phishing, he can use this User ID and password for both the sites and can obtain personal information stored in these sites, along with Credit card and other vital information.
Alternatively, if you choose to different User IDs and passwords with each of the service providers, users have the burden to remember all these login credentials. Chances are there for using same credentials or easily- compromising credentials.
Single Sign-on helps to reduce this problem to a great level. With this Universal Authentication service system, both Users and Service providers (like example_flightbooking.com, example_hotelbooking.com) trust this system.
There are a number of steps for successful enrolment and using the SSO. First Service Providers should be enrolled with SSO servers by means of a contract. Some SSO needs a fee to use their service. Secondly, users who wish to use services from
Service providers also need to be enrolled with the SSO. Whenever a service provider needs a user to be authenticated to use their service, the service provider redirects the user to the SSO login page. User provides the credentials he/she registered with the SSO. ON successful login, SSO issues a ticket or a cookie etc, and these are generated using cryptographic means. An example can be a shared key between the Service provider and the SSO. After this step, when the user accesses the Service provider’s site, the ticket from the SSO is provided which will be verified by the service provider (here, as we mentioned, by a shared key). If it has been verified as issued by the SSO, the user is authenticated.
Examples of SSO are MS Passport system which supports Kerberos protocol to issue a ticket to the service provider.
Advantages for the user are it helps to eliminate remembering various passwords. Also, they can trust a service provider as their enrolment with a SSO system gives some trust to the end user.
Disadvantage could be the SSO is a single point of failure.
For example, you want to use the services from example_flightbooking.com, a web site which provides services for booking flights online. This site accepts your credit card and other personal information and you expect it must be kept secured.
Let another sevice which you would be using in conjuntion with flight booking be a accommodation booking service where you would want to book your accommodation at the place where you are flying to, using the web site, example_hotelbooking.com. This site provides services for you to view and book hotel rooms online. Authentication to this service provider is done by providing a separate user name and password same or different from example_flightbooking.com
If the user chooses to use same User ID and Password for these two sites, there comes a major risk. If one of the site is fraudulent or an attacker obtains the User ID and password by means of social engineering or phishing, he can use this User ID and password for both the sites and can obtain personal information stored in these sites, along with Credit card and other vital information.
Alternatively, if you choose to different User IDs and passwords with each of the service providers, users have the burden to remember all these login credentials. Chances are there for using same credentials or easily- compromising credentials.
Single Sign-on helps to reduce this problem to a great level. With this Universal Authentication service system, both Users and Service providers (like example_flightbooking.com, example_hotelbooking.com) trust this system.
There are a number of steps for successful enrolment and using the SSO. First Service Providers should be enrolled with SSO servers by means of a contract. Some SSO needs a fee to use their service. Secondly, users who wish to use services from
Service providers also need to be enrolled with the SSO. Whenever a service provider needs a user to be authenticated to use their service, the service provider redirects the user to the SSO login page. User provides the credentials he/she registered with the SSO. ON successful login, SSO issues a ticket or a cookie etc, and these are generated using cryptographic means. An example can be a shared key between the Service provider and the SSO. After this step, when the user accesses the Service provider’s site, the ticket from the SSO is provided which will be verified by the service provider (here, as we mentioned, by a shared key). If it has been verified as issued by the SSO, the user is authenticated.
Examples of SSO are MS Passport system which supports Kerberos protocol to issue a ticket to the service provider.
Advantages for the user are it helps to eliminate remembering various passwords. Also, they can trust a service provider as their enrolment with a SSO system gives some trust to the end user.
Disadvantage could be the SSO is a single point of failure.
Thursday, 12 June 2008
Importance of Security in Financial Industry
Importance of Security in Financial Industry:
Online banking allows customers a great flexibility to do much of the banking activities very comfortably. They can check their account, make arrangement for fund transfer, make changes to account details, set transaction limit etc.
However, compromising a bank account or online banking site poses unimaginable impact like money loses, reputation loses, trust loses, cost for data recovery and ensuring business continuity etc.
As banks have large amount of money, attackers from all over the world are targeting banking websites. Every second, banking sites are being attacked by various methods. Some uses ID theft methods for gaining user's account details and some attack the website itself. Other kinds of attacks are malwares which get installed to host machine and work as a backdoor or data mining activities.
There are many classifications of attacks:
1. By visiting some sites, may be a malware get installed to user's host and steal UID & Password. The malware can be a keystroke logger, and becomes active on visiting a specific target from a list of banks.
Even though, when using a secured channel, the information passed will be encrypted by using a session key if using SSL, the key logger can record key inputs before it gets transmitted
There are different methods to install a Trojan in user's machine
May use IE or other web browser vulnerabilities
Tempt user to install one seemingly-friendly program
Cross site scripting on trusted, reliable sites to get a program installed
2. Making systems as Zombies by installing malwares and then targeting banks and other financial institutions
3. Financial fraud methods like Nigeria email scams, luring users
give out information regarding bank details (419 scams)
4. Phishing methods which asks user to enter account information to sites that look-a-like original bank sites. As the phishing mails target mass recipients, some recipients will be customers of the bank and fall for the scam, visiting the phoney site and entering their log-in details, which a criminal can use to access an account fraudulently.
5. URL obfuscation
this targets non savvy users to hide URL of the bank
6. Even if using SSL connection, a injection vulnerability may allow an attacker to inject a Trojan in to the server site and which itself installs to the user's machine. This is also a problem with SSL where it can't be protected in this way
7. Sending malware along with emails. The worm contained email may be with new and relevant head lines like Primary election in US or support-victims of Myanmar or China etc ask users to see the attachment which would be a potential worm. As the content and subject change frequently, it would be difficult for a firewall/spam filter to detect the pattern
8. Lot of users of the internet banking sites are from a various back grounds and many may not aware of recent spams.
9. Phishing attacks that may target users to visit carefully crafted URLS that look like original sites and capture personal information for authentication, TAN etc
10. Even if using SSL, fraudulent redirection cause user to provide personal data to illegitimate servers causing ID theft. Unless the bank can prove the loss is due to customer error, they may loose money by a chargeback
11. Botnets are used to convert a system as a zombie. Then they can be used for Distributed DoS
12. Injection vulnerabilities in web sites can cause an attacker to inject SQL codes in to system and to execute the same. This makes services by the DB server to stop, or to manipulate data according to the intention of the attacker. In some cases, shell codes can be executed to compromise the system security.
13 Even if using 2-factor authentication, possibilities for key loggers, or man-in-the middle attack for capturing the OT Pass code and passwords, and to make unauthorised transactions
Web services security:
1. Web services obtain message confidentiality and integrity using XML encryption and signing respectively.
2. Using tokens, signatures as the means of Web service security with SOAP messages
3. Message encryption
There are various countermeasures used to protect against various vulnerabilities and attacks.
1. Encryption of the data stored in workstations and laptops make the attacker to get no information about the actual data, unless he/she has the correct encryption algorithm and key
2. Using a HSM which makes a server to trust the origin of the Hardware subsystem and Security state of the application. Mostly it’s a laboratory implementation and not used widely. But this can be an excellent way of assuring authenticity.
3. However, even if encryption tools are used, password separation policy must be used to ensure Operating system passwords are not used for encryption. This ensures there is another password for encryption and even if one password is been compromised, encrypted files stay safe.
4. On report from a phishing victim, banks can suspend access to the account to prevent further damage using the stolen information
5. In order to counter Trojan horses and phishing attacks, stronger authentication methods like 2-factor authentication can be used to provide One time passwords
6. Methods like authorizing a third party payment setup in an online bank account
can counter third parties setting up transfers and payments on compromised accounts
7. Urging banks to adapt CHIP and PIN technology and use SDA, DDA methods for authentication. Using the TTP as brand CA ensures origin of issuer certificates.
8. A combination of methods as in 3-D secure where a central directory is used to find the authenticity of the transaction and using secure channel for information exchange are very effective in countering hackers being stealing information.
Online banking allows customers a great flexibility to do much of the banking activities very comfortably. They can check their account, make arrangement for fund transfer, make changes to account details, set transaction limit etc.
However, compromising a bank account or online banking site poses unimaginable impact like money loses, reputation loses, trust loses, cost for data recovery and ensuring business continuity etc.
As banks have large amount of money, attackers from all over the world are targeting banking websites. Every second, banking sites are being attacked by various methods. Some uses ID theft methods for gaining user's account details and some attack the website itself. Other kinds of attacks are malwares which get installed to host machine and work as a backdoor or data mining activities.
There are many classifications of attacks:
1. By visiting some sites, may be a malware get installed to user's host and steal UID & Password. The malware can be a keystroke logger, and becomes active on visiting a specific target from a list of banks.
Even though, when using a secured channel, the information passed will be encrypted by using a session key if using SSL, the key logger can record key inputs before it gets transmitted
There are different methods to install a Trojan in user's machine
May use IE or other web browser vulnerabilities
Tempt user to install one seemingly-friendly program
Cross site scripting on trusted, reliable sites to get a program installed
2. Making systems as Zombies by installing malwares and then targeting banks and other financial institutions
3. Financial fraud methods like Nigeria email scams, luring users
give out information regarding bank details (419 scams)
4. Phishing methods which asks user to enter account information to sites that look-a-like original bank sites. As the phishing mails target mass recipients, some recipients will be customers of the bank and fall for the scam, visiting the phoney site and entering their log-in details, which a criminal can use to access an account fraudulently.
5. URL obfuscation
this targets non savvy users to hide URL of the bank
6. Even if using SSL connection, a injection vulnerability may allow an attacker to inject a Trojan in to the server site and which itself installs to the user's machine. This is also a problem with SSL where it can't be protected in this way
7. Sending malware along with emails. The worm contained email may be with new and relevant head lines like Primary election in US or support-victims of Myanmar or China etc ask users to see the attachment which would be a potential worm. As the content and subject change frequently, it would be difficult for a firewall/spam filter to detect the pattern
8. Lot of users of the internet banking sites are from a various back grounds and many may not aware of recent spams.
9. Phishing attacks that may target users to visit carefully crafted URLS that look like original sites and capture personal information for authentication, TAN etc
10. Even if using SSL, fraudulent redirection cause user to provide personal data to illegitimate servers causing ID theft. Unless the bank can prove the loss is due to customer error, they may loose money by a chargeback
11. Botnets are used to convert a system as a zombie. Then they can be used for Distributed DoS
12. Injection vulnerabilities in web sites can cause an attacker to inject SQL codes in to system and to execute the same. This makes services by the DB server to stop, or to manipulate data according to the intention of the attacker. In some cases, shell codes can be executed to compromise the system security.
13 Even if using 2-factor authentication, possibilities for key loggers, or man-in-the middle attack for capturing the OT Pass code and passwords, and to make unauthorised transactions
Web services security:
1. Web services obtain message confidentiality and integrity using XML encryption and signing respectively.
2. Using tokens, signatures as the means of Web service security with SOAP messages
3. Message encryption
There are various countermeasures used to protect against various vulnerabilities and attacks.
1. Encryption of the data stored in workstations and laptops make the attacker to get no information about the actual data, unless he/she has the correct encryption algorithm and key
2. Using a HSM which makes a server to trust the origin of the Hardware subsystem and Security state of the application. Mostly it’s a laboratory implementation and not used widely. But this can be an excellent way of assuring authenticity.
3. However, even if encryption tools are used, password separation policy must be used to ensure Operating system passwords are not used for encryption. This ensures there is another password for encryption and even if one password is been compromised, encrypted files stay safe.
4. On report from a phishing victim, banks can suspend access to the account to prevent further damage using the stolen information
5. In order to counter Trojan horses and phishing attacks, stronger authentication methods like 2-factor authentication can be used to provide One time passwords
6. Methods like authorizing a third party payment setup in an online bank account
can counter third parties setting up transfers and payments on compromised accounts
7. Urging banks to adapt CHIP and PIN technology and use SDA, DDA methods for authentication. Using the TTP as brand CA ensures origin of issuer certificates.
8. A combination of methods as in 3-D secure where a central directory is used to find the authenticity of the transaction and using secure channel for information exchange are very effective in countering hackers being stealing information.
Sunday, 25 May 2008
SYN Flood Attack - A DOS attack method
In TCP/IP protocol, the protocol uses SYN/ACK handshake to establish connection between two hosts. The communication host who initiating a connection sends a packet with SYN flag to the target host. Target host on receiving this packet, sends another packet with ACK flag set to indicate that the connection request is accepted. The reply will also be with a SYN flag to open a connection to the first host. The first host on receiving this SYN/ACK flagged packet, opens a reverse channel. This is the part of 3-way handshake protocol for establishing a communication channel.
To illustrate this, the protocol messages would be:
Host 1 --> Host 2: SYN
Host 2 --> Host 1: SYN / ACK
Host 1 --> Host 2: ACK
An attacker who wants to launch a Denial of Service (DoS) attack uses this property of the communication hosts, ie; if the ACK flagged packet from the Host 1 is not received, Host 2 waits for some time leaving the connection half-opened and memory allocated for the first received SYN message.
An attacker send thousands of packets to the target system. The target system then sends the ACK and SYN flagged messages and waits to receive the last ACK message from Host1. The attacker then sends no ACK flagged packets making Host 2 wait to wait for receiving ACK message. Eventaully, as large number of messages are waiting for the final ACK message, system will be running out of memory to accept more packets. Thus by flooding the memory, the target system accepts no new connection and DoS is successfully done.
There are a few countermeasures available. Users can use firewalls to filter out receiving repeated packets with SYN flag. Also, a Network based IDS (Intrusion Detection System) can efficiently counter this attacker by analyzing the packet signatures.
To illustrate this, the protocol messages would be:
Host 1 --> Host 2: SYN
Host 2 --> Host 1: SYN / ACK
Host 1 --> Host 2: ACK
An attacker who wants to launch a Denial of Service (DoS) attack uses this property of the communication hosts, ie; if the ACK flagged packet from the Host 1 is not received, Host 2 waits for some time leaving the connection half-opened and memory allocated for the first received SYN message.
An attacker send thousands of packets to the target system. The target system then sends the ACK and SYN flagged messages and waits to receive the last ACK message from Host1. The attacker then sends no ACK flagged packets making Host 2 wait to wait for receiving ACK message. Eventaully, as large number of messages are waiting for the final ACK message, system will be running out of memory to accept more packets. Thus by flooding the memory, the target system accepts no new connection and DoS is successfully done.
There are a few countermeasures available. Users can use firewalls to filter out receiving repeated packets with SYN flag. Also, a Network based IDS (Intrusion Detection System) can efficiently counter this attacker by analyzing the packet signatures.
Sunday, 27 April 2008
Java Runtime Environment - JRE
Java Runtime environment of JRE comprises of a Java Virtual Machine (JVM) and Java Core Classes.
While compiling a Java source code, it converts the source code to Java Bytecode. It's a standardized intermediate language and can be run by virtual machines. So the Java Virtual Machine or JVM present on each platform can directly execute the bytecode.
Core classes contains basic methods so that the Virtual machine can call them to execute tasks specified by Java source code which is compiled to Java bytecode.
Suppose, an instruction says to execute a IO operation, the JVM calls a method from the java.io library. This way, a Java Runtime Environment performs.
While compiling a Java source code, it converts the source code to Java Bytecode. It's a standardized intermediate language and can be run by virtual machines. So the Java Virtual Machine or JVM present on each platform can directly execute the bytecode.
Core classes contains basic methods so that the Virtual machine can call them to execute tasks specified by Java source code which is compiled to Java bytecode.
Suppose, an instruction says to execute a IO operation, the JVM calls a method from the java.io library. This way, a Java Runtime Environment performs.
Saturday, 16 February 2008
ISO 7498-2 : Information Processing Systems - OSI - Basic Reference Model - Part 2 Security Architecture
On the Open System Reference model, OSI, the 7498/2 defines the services and mechanisms that can be implemented to ensure the security of communication between open systems. This standards extends from ISO 7498 and details about the various services and mechanisms. As it just describes about various services and mechanisms, it does not guides how to implement or where to implement the measures.
Note: the basic ISO 7498:1984, defines the general standards of system interconnection.
Note: the basic ISO 7498:1984, defines the general standards of system interconnection.
Monday, 28 January 2008
Certification Hierarchy (Certification Authority)
this essentially means that when a new Certification Authority wants a certificate to authenticate it's trust, or to provide the customers about it's surety about it's trust, it will be acquiring a certificate from another Certification Authority. So there comes a hierarchy.
Note: The issuer and signer of a certification is known as the Certification Authority.
As an example:
Suppose a new Certification Authority (CA) wants a certificate from another CA, it obtains the same by submitting proper details.
Let the CA which is obtaining a Certificate is denoted by CA-New, and the one which is providing the certificate be CA-Old.
The hierarchy will be
CA-Old
¦
--- CA-New
So if a customer trust the CA of the CA-Old, as the CA-New is with a certificate from the former, it can also be trusted.
Note: The issuer and signer of a certification is known as the Certification Authority.
As an example:
Suppose a new Certification Authority (CA) wants a certificate from another CA, it obtains the same by submitting proper details.
Let the CA which is obtaining a Certificate is denoted by CA-New, and the one which is providing the certificate be CA-Old.
The hierarchy will be
CA-Old
¦
--- CA-New
So if a customer trust the CA of the CA-Old, as the CA-New is with a certificate from the former, it can also be trusted.
Subscribe to:
Posts (Atom)
Microsoft Passport - A Single Sign-on System
Microsoft passport is a facility from MS which offers single sign on capabilities. With SSO, user don't need to remember each password f...