Lecture on Internet Security. lecture and exercises .
Dimensions of Security( powerpoint slides ).I've done a little talk on security for SPIQ. I tried to give an overview of some current problems and ways to tackle the awareness problem (e.g. by using threat models). I was going from technical things over to the social dangers without and with security. As usually, reality makes our fears come true faster than one would expect. The next morning I read about the european initiative by France, Sweden and others to collect ALL data from internet and phone traffic WITHOUT PROBABLE CAUSE. And of course terrorism is one of the reasons for that. And equally normal is that no explanation is given about the positive and negative uses of all those data. See Bürgerrechtsgruppen warnen vor europaweiter Pauschalschnüffelei
Please use my pgpkey for this purpose.
There is no understanding of security without a good grasp of cryptography. My colleague Roland Schmitz runs a security class which explains all the fundamental technologies and the mathematics behind. He also covers security protocols for electronic buying etc. After this class we expect students to have a clear understanding of the crypto fundamentals. Roland can be reached over the HDM contact page
If you need to stock up on crypto, I found Bruce Schneiers book "applied cryptography" surprisingly easy to read even for non-math people.
Thanks to Jochen Bauer, CEO of Inside Security in Stuttgart we are able to offer a first class hands-on training in security. Jochen Bauer and our assistant Christoph Alscher have built an excellent security lab with 12 seats max. and Jochen Bauer covers most aspects of internet security in 4 hours per week over a whole term.
The (incomplete list) comprises:
|Sniffing and scanning|
|Virtual private networks (VPN)|
|Viruses and Trojans|
|Using SSL to protect systems|
|Web Server security|
|and so on|
We are extending the class to cover mobile security.
My lecture Internet Security covers the system aspect of security. We are developing a framework (policies, guidelines etc.) for security. After that we cover firewall technology in detail because it is ideally suited to explaiin many different security problems within the internet. Firewall types and architectures are discussed, services (middleware etc.) and after that we move to web application security. We use portals like Deutsche Bahn Ag to investigate online services and the necessary security. We discuss the necessary security infrastructure (canonical architecture, load balancing, reverse proxies, user registries etc.) and then move on to secure software development. Here we look at typical web application problems (cross site scripting etc.) and then cover security frameworks (JAAS, GSS-API, EJB). A session on trusted computing bases covers operating-system security, sandboxes and in general ACL based security. Another session on capabilities demonstrates advanced concepts of authority reduction. The term finishes with lectures on XML and web services security - going from a channel based security model to a message based. SSL/SAML/Single-sign-on are covered as well.
Security and Software-Quality are tightly related. Many security problems really are general software quality problems. The talk shows trends, root-causes and concepts for authority reduction. Usability is also touched. see BWCon Talk on Security and Quality at eXept AG
Jürgen Butz wrote an excellent thesis on mobile security, associated risk analysis and mitigating factors. A small excerpt of his thesis can be found in his talk at the Security Day at HDM. The full thesis with a complete risk analysis and coverage of almost every mobile device can be found here. I can only recommend reading it in case you worry about the use of mobile applications and devices in your company.
Our students usually do exercises in software development - some of them tackling advanced security problems like Capabilities, "E", Single-Sign-On, grid computing with delegation problems of certificates, from descriptive security to real infrastructure: How to create a user registry and map it to application servers using JAAS etc. etc. Roland and myself are planning a special seminar on those topics for the next term.
Before I forget: if you have a security related topic which you would like to present, don't hesitate and get in touch with me .
Distributed systems have special security needs due to the fact that central authorities are scarce and trust must be established differently. Two sessions in my lecture on distributed systems cover security from a business point of view (how to secure distributed e-business etc.) but also from an end-user point of view: how to protect out privacy (cookie tracking, central registries) or how to establish a repudiation (e-bay) anonymity (onion routing) and how to avoid cencorship. Recent developments in USA and Europe after September 11 warrant a close look on privacy violoations - a topic I'd like to investigate further in the future.
Take a look at the current events of our faculty for so called security days or other public talks and presentations like CS&M at the BSI conference where faculty staff and students successfully participated in this well known conference.
A few words on the 10th BSI conference at Bonn-Bad Godesberg.
Or our 1. Digital Rights Day at HDM - the digital assault on civil rights which brought together lawyers, civil rights activists (e.g. CCC) and others.
the first digital rights day covers important topics from internet right, open source, patent right and last but not least civil rights. Not to forget the legal aspects of virtual worlds. Well known lawyers and members of the Chaos Computer Club will guarantee lively sessions. Kurt Jaeger as a representative of the "Freiheitsredner" and head of a local ISP will talk about the various aspects of freedom.An integrated view on web application security, testing and Web Application Firewalls (WAF), more...
Application Architecture needs to drive application security internally, external security components like WAFs and the whole testing process. Read more about some ideas to leverage application models. Application security is going to be a core topic for our next Security Day. And read more about current security related work at HDM.IT and the law - results from the Digital Rights Day™, more...
Does IT change the law? Does the law cover virtual worlds? Have we lost the war on civil rights? Read more on the results of our Digital Rights Day and get an idea what is coming up next.
On new developments in security
My friend and colleague Prof. Roland Schmitz held a presentation on Android security features at Droidcon. Take a look at the software techniques for security used in this operating system. And take notice of the "return of the process isolation idea".And that there is still a chance for "confused deputy" attacks.
Just a short comment on the latest member of the "Beautiful .." series from Oreilly.
How browsers could defend user data and actions based on what they know about communication and presentation. A short into to Bastian Zimmermans thesis on client-side security in browsers and some project ideas. (in german)
I just got through the book by McGraw and Hoglund on "exploiting online games - cheating massively distributed systems". I've tried to extract the most important attack vectors because I found the book rather verbose. And don't expect much "distributed". Most of the attacks discussed are purely local exploits of the game client. But the threat model is quite interesting: The server side needs to trust the game client while being aware that it might be under control of the attacker - so it uses heuristics to find out about the manipulations. This is not a scenario that most business e-services would survive...
A good overview paper from enisa on the dangers in virtual worlds with the title "Virtual Worlds, Real Money". Good links on various attacks and countermeasures. Let's one speculate about the realtion between virtual and real worlds. Lists several types of VW and compares core features. Discusses automated attacks, social engineering and many other forms of abuse and misbehavior and the respective technical or legal reactions.
After the freeway killing: are you scared about driving below highway bridges? Do you think about the incident while driving? How rational is this behavior? How natural? Read about surprising ways our stone-age brain does risk assessment and take a look at some real risks.
I have read those specs recently and I do not really understand them well. Read my objections and tell me where I am wrong. I will discuss both later in detail..
A few comments on a CCCS talk on web application security and a rant against the "security is an eduction problem" for both users and developers. There are too many counter-examples. Security needs to be built in. Otherwise we should tell the car makers to finally get rid of all airbags and safety belts: its all a matter of disciplined driving.
An addendum to the first security book on the problem of badly configured SCIP proxies which map serveral different client IDs onto one SSL-SessionID. When client identity becomes a heuristic outcome. (Thanks to Matze Schmidt and Thomas Huber).
I read a disgusting piece of advertisement by a security company who offers a filtering appliance against the threat of anonymizers. Typical US lingo, full of rightousness, scares of legal repercussions and turning everybody into a little "sheriff". Not to forget the lack of technical information or its weaknesses. Trying to detect the use of an anonymizer through URL filtering and rules is rather hard with an SSL tunnel!.
An excellent thesis by Martin Scheffler on the use of capability-secure languages in scene graphs. Shows the lambda based capability patterns like facet, forwarder and sealer/unsealer at work to allow anonymous, distributed and context dependent access control.
and why would somebody say so? A short bit on so called "immutable laws" of security proposed by Microsoft guys. I've used structural text analysis methods to uncover the assumptions behind. It's the typical MS argumentation: the operating system is OK. Systems can't be safe against malware. It has nothing to do with architecture. And it's the users fault anyway.
Want to know what a WAF can do for your health? Don't wait till you get an honorable mention in newspapers for your security leaks. Learn how to profit from a WAF both in case of an emergency and as a long term defense in depth strategy. Learn what they can do and how. Read the thesis by Sebastian Roth..
Security warnings from Heise made you and your application famous! And in times of viral and guerillia marketing we all know that bad publicity is better than no publicity. But there are cases when you might not really like the publicity. Read on how the talks from our Security Day might save your butt one day!
Additional information, bug-fixes and the slides will be privided here, as well as Q&A stuff. The authors welcome comments and suggestions for improvement.
The KES article that Roland Schmitz and myself wrote is now available online. Core topic: usability chances in a world of reduced authority.
Is there already a SIC in place - just like the well-known military industrial complex? Is there still an interest in systems that are more secure - or is this considered damaging to a thriving business?
How to scare people for all the wrong reasons. Some funny "fifties" posters on security topics. But are they really teaching the right ideas or are they just documenting and re-inforcing what is wrong in our software? The "duck and cover" approach to bad security design?
Does it really improve end-user security? Or does it only help Microsoft? A short discussion of an article by Joanna Rutko.
Ever wondered why there is an RFID chip on the new passports? Stop wondering - it's for your good, dummy.
I've updated my piece on software patents, open source software and its new economy and how the EU again became the lobby instrument of the big zaibatsus. The whole process is depressingly far from democracy. But that is nothing uncommon to us Europeans where a Mr. Baroso - after two devastating votes against the EU constitution - tells Mr. Bush: Don't worry - business as usual in Europe. And he is right!
After reading an excellent article by Chen Junwei on a lightweight RFID framework I got some afterthoughts on similiarities between cookies and RFID tags - and that the information IN the tags is not the real problem. And take a look at the infrastructure for RFID processing!
Read more on Grids, proxy certs, OSGI and SELinux.
If you thought that this does not make a difference - read on about RFIDs or smartcard based passports and how the distance argument is abused by politicians. In the wireless world distance is no longer a safety measure. And this means loss of control on your side.
Digital identity is a concept much larger than usually discussed in the context of information security. The new book by Phillip Windley explains technical and organizational ways to create an Identity Management Architecture. If you need to understand how SOA and federation of identity are related, read this book. The same goes of you need to build a SSO architecture. The book is for technical as well as business readers due to its top-down approach. And it makes you realize that so called identity provider networks are probably unavoidable - but what are the dangers behind? Answering this question will be easier after reading this excellent book.
Some good links on security related topics like crypto, google hacks etc. mostly assembled by Mathias Schmidt.
On useless or dangerous security measures and who gets the profits
A "background check" covering educational data, credit data, criminal records from WAY BACK when you were young and dumb - to get an IT job? Read about some disturbing proposals from security companies to make more money. The ideas would have made Himmler and Heydrich proud. It makes you really worry where the US society is going. And why system architecture needs to include damage control.
On silly arguments around future security and terror.
You don't need to look at the US to see big brother watching us: Beckstein an Co. are busy chipping legal pieces away towards a general spying system without due cause. Now it is toll data that "law enformcement" needs to do its job. What is next? Read on how the political strategy works.
On how to bridge the gap between usability and security requirements
After Garfinkels PHD Thesis on usability and security there is now finally a book that covers current activities in this area. The new book from Oreilly (which I will discuss shortly) contains articles from Garfinkel, Ka Ping Yee etc.
Does two factor authentication really help in the context of phishing? The university of Bochum has built a MITM proxy which was able to subvert the new ITAN scheme of the Postbank. This did not really surprise anybody in security but made a big splash in the media. The funny thing was that they where able to build the attack code but in an interview on TV completely failed to explain how users can protect themselves.
On the importance of secure platforms and how to develop those
Shock after buing a dotnet magazine and reading the editorial: is it really dead? Not dotnet in Vista? Only a handful large projects world wide? Some open words by several old windows developers raise interesting questions. On a sideline: looks like the dotnet patterns are not much different from those used in J2EE developments.
Can the security of a local system be achieved through collaborative services? And what is the price you have to pay for it in the long run? A few comments on Bill Gates talk at the RSA 2005.
While the last years have been dominated by network based security approaches at least in my opinion the next couple of years will (need to) see an improvement in host based security. Too many times network based security like firewalls are only an excuse for deficits in software security. The systrace facility in OpenBSD is a nice and understandable way to create sandboxes for daemons, servers and untrusted users.
Security Enhanced Linux is NSA's open source version of a better Linux. The work on SELinux has taken many years (some aspects of the implementation look a bit old-style) but it is an interesting approach towards better host based security.
The following is based on the excellent book about SELinux by Bill Mccarty and concentrates on the concepts behind SELinux and its implementation.
A few notes on this seemingly endless topic.
Finding good examples on secure software is hard. Especially when it comes to multi-tier enterprise environments. Here comes my idea: develop a software package that serves as a demonstration of secure coding with above technologies. Luckily we don't have to start from scratch here if we apply some re-mixing. If you don't know what re-mixing is: check the lates Etech infos
MI Students: if you would like to try some secure coding examples this term - get in touch with me for a SWT-Praktikum.
Security technology awaits a big change in the next years. Good old role-based security, provided by a tight system administration, will not be able handle the new demand. (This does not mean that we are able to do this "good old" security stuff in a decent way. What I mean is that new requirements will require a completely different form of security technology as it is needed in the typical intranet or web-shop scenario.
Denis Pilipchuk wrote a comparison of both platforms. Don't expect a shoot-out. Instead, a good introduction into current security services and mechanisms is provided.
On Jason Garman's book "kerberos - the definitive guide. Read why I like the book.
Books and articles that really explain how to write secure code are rare. They need to combine abstract policies with deep technical details of certain areas like web application architectures. This is a collection of stuff that helped me a lot.
This is more of a tkitchensink kind of section because of the disparate nature of the topic.
I had a hard time finding some methods that where both useful and usable at the same time. E.g. not over-formalized. Some diagrams are taken from existing architecture methods and adapted. Some are invented and need some improvement.
Today building technology and automation is mostly based on IT. Networks, sensors, controllers, administration. But does building technology also suffer from the security problems which plague business systems so much?
What if your colleagues are mostly "free spirits" and tend to hook up whatever is available to your precious network. A situation common on campus networks, broadcast companies etc. where creativity rules and getting a new idea onto the air is more important than anything else. How does commercial security technology fare in this environment?
A discussion of Bruce Schneiers "beyond fear" in the context of a biker trip. How security can be a threat to our freedom by itself. The trade-off between security and its side-effects.
I found some interesting bits on protecting data with a high granularity in Charles and Sheri Pfleegers book on "Security in Computing". Read how this could be useful for smartcard applications as well. And a few sentences on what the book covers and what not.
An interesting decentralized approach to improve authentication and usability but still let users in control of their data. Could be the basis for healthcards, jobcards etc.
I found an ad in a TV-magazine where the dentists lobby argues against the medical records on the planned health card. They want to protect the patients privacy:"there are things you don't even tell your wife". Is the ministry of health the evil empire or do the dentists arguments not really bite? And why a transparent patient is something different than a transparent medical professional.
A discussion of a Heise article on the jobcard.
From looking at the german health card security architecture it became clear that a smartcard reader for users is necessary to give users control over their data and applications. FINREAD provides an open architecture for running multiple applications (e.g. VISA, EC etc.) safely. The FINREAD documentation is mostly available and gives a first hand insight into the complexities of secure embedded control card readers.
Some considerations of the security concepts behind the planned health card for Germany. Plus resources. An example of the complex relations between security mechanisms and politics. We look at problems, proposed solutions and alternatives. This will lead to a renewed interest in smartcard reader technology as a core piece for user controlled smartcard applications. (see below: article on finread)
Mulitfunction cards are a hot topic for the financial industry - and not only for them: healthcards, jobcards etc. are all designed to run different applications from different companies. How can those systems increase the security in e-banking?
The lecture has a number of sessions on attacks, infrastructure and software architecture. Every once in a while I invite a friend to a talk on current portal security technology
Some reflections on software architecture behind the latest T-COM security mess. And some questions you should ask your IT-Security people. Actually, some companies might not be so amused about all this. E.g. those mentioned as T-Systems customers in T-Systems "Hosting Business Solutions". If the hackers of today are worth their salt I would expect some activities here...
Slides from Christophe Gevaudan, a chief architect of the well-known UBS AG of Switzerland. He is the architect of leading e-usiness applications and responsible for security infrastructures as well.
Two excellent papers on how to develop secure software.
Collaborative filtering is so powerful as personalisation engines have shown us. Can't we use the same technique to filter spam? Can I reduce my spam because you've deleted yours already?
Running online elections was a hot topic last term - both in the US as well as in my security lecture. Together we have analyzed different implementations of e-voting with the goal to perhaps one day run the university elections through our system. Here are some bits and pieces of what we learned. Not final yet but the discussions show our way from machine based security (e.g. like in the Diebold voting systems) to an externally controllable, cryptography based model of secure voting (e.g. using blind signatures). The work will probably continue in the next term.
The city of Koblenz is preparing for direct democracy with monthly votes on community issues like building a new sport arena, how big classes at school should be and so on (or did I misunderstand the reason for spending money on e-voting?).
Part one of a series about the e-voting scandal in the US. Could e-voting be done properly or should we stick to the good old paper ballots? On technical, economic and political issues around voting in the 21st century. (just wonder why Clay Shirky did not write about this yet - it's truly about culture and networks (;-)
We must understand the regular (paper) voting process before we can analyse e-voting systems. On threat models, attack trees and last principles.
Let's discuss some alternatives for e-voting systems: browser based, kiosk or election places. On authentication, anonymity and how to capture the voters will.
On screen-design, usability and computer-illiterate voters.
Why cucumbers and salad seem to be more valuable than democracy.
My believe is that security is first an awareness problem. Once you have realized that there is a security problem - which means you have understood that you are putting a lot of trust in some place - the solution is not far away. Here are little bits that show how my awareness has grown as well.
No it is not the bird flu nor the martians - even if we would wish it where so. It is an outbreak of the most dangerous disease that human beings can catch - a fast spreading virus which mixes idiocy with political calculus. Read what started a big man hunt in Hamburg and some sad truth on London police as killers.
The german Bundesamt für Sicherheit in der Informationstechnik (a would like to be clone of the NSA) is taking great pains to ensure that the new german passport information cannot be read from the RFID chip without the owner knowing. Why there is an RDID chip on the passport? Wrong question, next please.
Did you ever wonder where they get all those security experts seen on TV? Here is my theory...
How companies manage to rip you off by selling security devices that make the situation even worse for you.
We slowly start to understand what terrorisms goal really is: Terror want to change our society into a prison by raising fear and causing governments to cut down on the rights of citizens. And as far as I can see Bin Laden is well on his way to reach this in many western countries. Here are some bits which try to fight the hunger for data which is displayed both by government and the private sector.
Sometimes you really wonder who is the real target of security measures. This is certainly the case with the iris scans at the Frankfurt Airport.
There are some activities which did NOT slow down when the economy did - and they affect our privacy.
Why are really basic features like being able to convert html-mail to text or to suppress image refs to other domains not available as options in most browsers?
Your operating systems and applications record just about everything you do.
It is not enough to always mention social engineering as the most successful practice of intruders. One has to explain how it works. Some ideas after reading Kevin Mitnick's art of deception:
Kevin Mitnicks book on "The Art of Deception" made for a fun reading during my vacation. The book consists mostly of entertaining stories which make it totally credible that even experienced security personel falls for simple tricks. It ends with good advice like creating awareness for security issues in your company. But I found the book lacking in one aspect: it does not take a systematic look at how deception really works. Let me try to explain how deception works.