Wednesday, 20 May 2015

Disrupting the paradigm

Not sure if I am quoting here, but be careful when someone says they are disrupting the paradigm, often when you look beneath the vale you will find an issue. The paradigm is usually there for a reason, cause it works.

I have discussed factorisation of authentication before here, this one will be a little more indepth;

To reiterate authentication currently works under a model of factors. Factors are simply classifications of things, in a cumulative manner. Things could be something you know (and preferably keep private), something you have, something you are, somewhere you are. This is 4 factors.

Something you know; Pin, password, passcode, passphrase, pictures in a certain order, last 4 digits of a credit card (even though this is something you have, it is a known never changing string).

Something you have; a key, a key-card, usb fob, Certificate, smart-card, rfid chip, SMS/Phone call receiving phone, Bluetooth paired phone or other device, laptop, tablet, phone itself.

Something you are; fingerprint, iris scan, voiceprint, DNA sequence.
I will rant on biometrics later, but you can't re-issue a fingerprint so if it gets compromised and copied by someone you are out of luck.

Somewhere you are; GPS location, IP-gelocation (thou as this would be in band checked on the connection you may be using to access the service the security doesn't increase), a landline or mobile phone could also be somewhere you are, eg you login to an app and it calls you on a separate phone at that same location to ensure you meant to.

Lets look at some examples.
  • You login to your computer with a username and password, this is 1 factor of authentication, just a password.
  • You login to your computer with a username and password, then onto a super-secret corporate system with a different username and password, this is still 1 factor of authentication. You only used a username and password.
  • You login to your PC using a swipe card only, this is still 1 factor of authentication.Yes you used something you have, but it was not cumulative on something you know.
  • You login to your PC using your username, password and Secure USB key, this is now 2 factors of authentication, something you know and something you have.
  • You login to your PC using your username, password, thumbprint and Secure USB key, this is now 3 factors of authentication; something you know, something you have and something you are.
  • You login to your netbanking via their app with username, password, fob token code, and your thumbprint on the home button. The app has rights to your phones GPS, it disallows transfers over $1000 from anywhere but inside your own home or registered place of work, if you go to transfer $1001 to another account and it then allows you due to the registered GPS, this could be considered 4 factors of authentication; something you know, have, are, and somewhere you are, all checked to ensure valid authorization.
Now comes the paradigm shifting. I wish it was me that thought of these.

Device profiling
This makes the device a factor, specifically a second factor.
This will do things like take the IP you are logging in from weighted with things like browser headers and put them in a database, if sees these to dramatically change it can deny you access.
A good example shoring the power of this hidden data that you send can be seen at the EFF's Panotoclick here;
There are certain banking and social media apps that do this already, alerting you via email when you have logged in from a new device.

Risk based authentication
Awesome idea, basically the application has some smarts. Similar to the above device profiling it does some device profiling and then if you fail it, it either challenges you for more authentication or simply denies you access. It has risk scores that it assigns to things, so risk +1 if you are logging in at a different time, risk +9000 if you are logging in from a country with a bad reputation that you have never logged in from before. This still works in the factorising model, but doesn't force a user to enter every-factor every time, it is an extension of the paradigm.

Pingrid and their ilk
As I mentioned last time, these aren't two factor. They are a challenge, with a user response based on something they know. Interestingly I think they do increase security, but still not as much as a second factor. This really doesn't fit the factorised model. See there demo here;
You can see how due to the randomness of the numbers it does reduce the likelihood that the users "password" will ever be compromised by an over the shoulder or man in the middle attack, but again repeat enough views of the users login through a screen scraper and you have them. Still doesn't stop Man in the browser attacks (where malicious code waits for you to authenticate to your bank then distracts you and gives control of that tab to the remote bad guys to transfer out your cash).

That being said, I think they are probably making the authentication process more complicated than it needs to be and not more secure. Hard tokens that are transparent to the user like Ubi-key or smart cards are much, much more secure.

So uhh disrupting the paradigm, I thought I could make case that the above three did disrupt the paradigm, but they don't. I started this article all gung-ho to prove to myself they did, but they simply extend what we already have.
Device profiling and risk based authentication either work with existing factors of authentication, or make a sting of numbers unique to you and your device part of auth (just like a certificate or token, and thus are a second factor), and pingrid is simply an extension of single factor authentication.

Seeing as I mentioned Schneier last time I posted about auth, I had a look to see is he has discussed pingrid or others, he hasn't. But I did find the below, which is awesome;

Saturday, 16 August 2014

Playing with google

So I was recently having a discussion with a vendor about the insecurity versus usability of the google play store, yep there is malware there, yep there are copycat scam apps. But google will eventually get it under control, just as apple has done...

Ok so you can't trust either of them, but I think Apple is actually doing a better job of keeping the look-a-like scam apps out, at least I haven't heard of any yet, and this is coming from me a very anti-apple person.

So what do you do if you have written an Android app. Well you could host it on your own site, but then you need to reduce your customers security by making them set their device to allowing apps be installed from anywhere, opening them up to drive by downloads that are becomming prevelent in Android land (mainly due to some manufacturers enabling this setting by default).
You could host a QR code on your site and point this to your play store app...

Maybe just a link on your site back to the play store to ensure they get the right version of the app.

This got me thinking, it doesn't really protect you from those that just look through the store for apps from your company, so you should protect yourself in some other way. I use google alerts already to monitor stuff I am interested in, as well as comments about things I am interested in for security reasons.

This is where I thought I could make a search alert for: appname
I wanted to try it out first, so I did: commbank
Commbank is a big bank in Australia, and they have a few apps, one caught my attention;
Looks to me like Commbank trust the store so much they trust a third party to put up an app for them for their users to access the intranet. The company that listed the app at time of writing was who's site looks like it is what is being loaded for the app;

The domain was suspiciously registered on the 28th of January this year.
I might need to reinstall this app and do a packet capture to see what web services it is trying to hit on this site, but this site is not https, and is hosted on a shared host that has unencrypted ftp, smtp and imap enabled. I let someone I have met from Commbank's IT security team know and this was all amazingly fixed within a few hours. Props to them.
I did a packet capture post their fixes and it is all over ssl/tls now.

So anyway I guess the take-a-way is, if you want to add some security even for google play apps, you can setup a google alerts at and do one for appname set it for As-it-happens and hope you never get that email.

Monday, 7 April 2014

Service hiding/protection

This is a bit of operational security, but it took me a lot longer than I would have liked to do, and no one had an example like the below. This command will use the open source Access control list command line utility SetACL to lockdown a service so that the user specified can't stop or start it, on testing it is even better than that the service dissapears from the services manager.

setacl.exe -ot srv -on "Service Name" -ace "n:domain\username;p:start_stop;m:deny" -actn ace

This is obviously a really good idea if you have admins of a box that you don't want to be able to stop a key service, it could also allow you to stop a malicious user from seeing a specific service, depending on the malicious users method of getting onto your server.