Lecture on Internet Security. Lecture and exercises.
What we do in Internet Security.
Dimensions of Security (PowerPoint slides). I've done a little talk on security for SPIQ. I tried to give an overview of some current problems and ways to tackle the awareness problem (e.g. by using threat models). I was going from technical things over to the social dangers without and with security. As usual, reality makes our fears come true faster than one would expect. The next morning I read about the European initiative by France, Sweden and others to collect ALL data from internet and phone traffic WITHOUT PROBABLE CAUSE. And of course terrorism is one of the reasons for that. And equally normal is that no explanation is given about the positive and negative uses of all those data. See "Bürgerrechtsgruppen warnen vor europaweiter Pauschalschnüffelei" (civil rights groups warn against Europe-wide blanket snooping).
Events, conferences, talks etc. on Security
Take a look at the current events of our faculty for so called security days or other public talks and presentations like CS&M at the BSI conference where faculty staff and students successfully participated in this well known conference.
A few words on the 10th BSI conference at Bonn-Bad Godesberg.
Or our 1st Digital Rights Day at HDM - the digital assault on civil rights
which brought together lawyers, civil rights activists (e.g. CCC) and others.
The first Digital Rights Day covers important topics from internet law, open source, patent law and last but not least civil rights. Not to forget the legal aspects of virtual worlds. Well known lawyers and members of the Chaos Computer Club will guarantee lively sessions. Kurt Jaeger as a representative of the "Freiheitsredner" and head of a local ISP will talk about the various aspects of freedom.
An integrated view on web application security, testing and Web Application Firewalls (WAF), more...
Application Architecture needs to drive application security internally, external security components like WAFs and the whole testing process. Read more about some ideas to leverage application models. Application security is going to be a core topic for our next Security Day. And read more about current security related work at HDM.
IT and the law - results from the Digital Rights Day™, more...
Does IT change the law? Does the law cover virtual worlds? Have we lost the war on civil rights? Read more on the results of our Digital Rights Day and get an idea what is coming up next.
Trends and new Developments
On new developments in security
- Security as an education problem??, more..
A few comments on a CCCS talk on web application security and a rant against the "security is an education problem" for both users and developers. There are too many counter-examples. Security needs to be built in. Otherwise we should tell the car makers to finally get rid of all airbags and safety belts: it's all a matter of disciplined driving.
- Multi-faceted client identity or the misconfigured SCIP problem, more...
An addendum to the first security book on the problem of badly configured SCIP proxies which map several different client IDs onto one SSL-SessionID. When client identity becomes a heuristic outcome. (Thanks to Matze Schmidt and Thomas Huber).
- Sex, Lies and Appliances - how to tame the anonymizer, more..
I read a disgusting piece of advertisement by a security company who offers a filtering appliance against the threat of anonymizers. Typical US lingo, full of righteousness, scares of legal repercussions and turning everybody into a little "sheriff". Not to forget the lack of technical information or its weaknesses. Trying to detect the use of an anonymizer through URL filtering and rules is rather hard with an SSL tunnel!
- Security in Online Worlds , more..
An excellent thesis by Martin Scheffler on the use of capability-secure languages in scene graphs. Shows the lambda based capability patterns like facet, forwarder and sealer/unsealer at work to allow anonymous, distributed and context dependent access control.
- Are security laws "immutable"?
And why would somebody say so? A short bit on so called "immutable laws" of security proposed by Microsoft guys. I've used structural text analysis methods to uncover the assumptions behind. It's the typical MS argumentation: the operating system is OK. Systems can't be safe against malware. It has nothing to do with architecture. And it's the user's fault anyway.
- Web Application Firewalls to the rescue, more..
Want to know what a WAF can do for your health? Don't wait till you get an honorable mention in newspapers for your security leaks. Learn how to profit from a WAF both in case of an emergency and as a long term defense in depth strategy. Learn what they can do and how. Read the thesis by Sebastian Roth.
- So you are famous now, more..
Security warnings from Heise made you and your application famous! And in times of viral and guerrilla marketing we all know that bad publicity is better than no publicity. But there are cases when you might not really like the publicity. Read on how the talks from our Security Day might save your butt one day!
- Internet-Security: Grundlagen, now in print, more..
Looks like it is finally done. The first volume is in print, the second one on "Sichere Systeme" needs to be proofed and will follow shortly.
Additional information, bug-fixes and the slides will be provided here, as well as Q&A stuff. The authors welcome comments and suggestions for improvement.
- Usability and Security, more...
The KES article that Roland Schmitz and myself wrote is now available online. Core topic: usability chances in a world of reduced authority.
- The security-industrial complex (SIC), more...
Is there already a SIC in place - just like the well-known military industrial complex? Is there still an interest in systems that are more secure - or is this considered damaging to a thriving business?
- The thing from the internet - a good way to create awareness?
How to scare people for all the wrong reasons. Some funny "fifties" posters on security topics. But are they really teaching the right ideas or are they just documenting and re-inforcing what is wrong in our software? The "duck and cover" approach to bad security design?
- Authority reduction in Vista, more...
Does it really improve end-user security? Or does it only help Microsoft? A short discussion of an article by Joanna Rutko.
- On RFID's, passports and a clever business model, more...
Ever wondered why there is an RFID chip on the new passports? Stop wondering - it's for your good, dummy.
- On being digital, patents and so called western democracy, more
I've updated my piece on software patents, open source software and its new economy and how the EU again became the lobby instrument of the big zaibatsus. The whole process is depressingly far from democracy. But that is nothing uncommon to us Europeans where a Mr. Barroso - after two devastating votes against the EU constitution - tells Mr. Bush: Don't worry - business as usual in Europe. And he is right!
- Like a Cookie
After reading an excellent article by Chen Junwei on a lightweight RFID framework I got some afterthoughts on similarities between cookies and RFID tags - and that the information IN the tags is not the real problem. And take a look at the infrastructure for RFID processing!
- New security technology
Read more on Grids, proxy certs, OSGI and SELinux.
- To authenticate or to be authenticated
If you thought that this does not make a difference - read on about RFIDs or smartcard based passports and how the distance argument is abused by politicians. In the wireless world distance is no longer a safety measure. And this means loss of control on your side.
- Digital Identity, more...
Digital identity is a concept much larger than usually discussed in the context of information security. The new book by Phillip Windley explains technical and organizational ways to create an Identity Management Architecture. If you need to understand how SOA and federation of identity are related, read this book. The same goes if you need to build an SSO architecture. The book is for technical as well as business readers due to its top-down approach. And it makes you realize that so called identity provider networks are probably unavoidable - but what are the dangers behind? Answering this question will be easier after reading this excellent book.
- Have fun with security, more...
Some good links on security related topics like crypto, Google hacks etc., mostly assembled by Mathias Schmidt.
On useless or dangerous security measures and who gets the profits
- In the name of security, more...
A "background check" covering educational data, credit data, criminal records from WAY BACK when you were young and dumb - to get an IT job? Read about some disturbing proposals from security companies to make more money. The ideas would have made Himmler and Heydrich proud. It makes you really worry where the US society is going. And why system architecture needs to include damage control.
- Security Madness continued, more...
On silly arguments around future security and terror.
- Lyin' Eyes - or how they take our freedom away, more...
You don't need to look at the US to see big brother watching us: Beckstein and Co. are busy chipping legal pieces away towards a general spying system without due cause. Now it is toll data that "law enforcement" needs to do its job. What is next? Read on how the political strategy works.
On how to bridge the gap between usability and security requirements
- Usability and Security now taking off, more...
After Garfinkel's PhD thesis on usability and security there is now finally a book that covers current activities in this area. The new book from O'Reilly (which I will discuss shortly) contains articles from Garfinkel, Ka Ping Yee etc.
- ITANs, Man-in-the-Middle and a really poor explanation, more...
Does two-factor authentication really help in the context of phishing? The University of Bochum has built a MITM proxy which was able to subvert the new ITAN scheme of the Postbank. This did not really surprise anybody in security but made a big splash in the media. The funny thing was that they were able to build the attack code but in an interview on TV completely failed to explain how users can protect themselves.
On the importance of secure platforms and how to develop those
- Enemy contact - dotnet security, more...
Shock after buying a dotnet magazine and reading the editorial: is it really dead? No dotnet in Vista? Only a handful of large projects world wide? Some open words by several old Windows developers raise interesting questions. On a sideline: looks like the dotnet patterns are not much different from those used in J2EE developments.
- Security Improvements to the Windows Platform
Can the security of a local system be achieved through collaborative services? And what is the price you have to pay for it in the long run? A few comments on Bill Gates' talk at the RSA 2005.
- Using System Calls for Access Control - Systrace
While the last years have been dominated by network based security approaches at least in my opinion the next couple of years will (need to) see an improvement in host based security. Too many times network based security like firewalls are only an excuse for deficits in software security. The systrace facility in OpenBSD is a nice and understandable way to create sandboxes for daemons, servers and untrusted users.
- Security Enhanced Linux
Security Enhanced Linux is NSA's open source version of a better Linux. The work on SELinux has taken many years (some aspects of the implementation look a bit old-style) but it is an interesting approach towards better host based security.
The following is based on the excellent book about SELinux by Bill McCarty and concentrates on the concepts behind SELinux and its implementation.
A few notes on this seemingly endless topic.
- Re-mixing applied: Secure Software Demonstration Package
Finding good examples on secure software is hard. Especially when it comes to multi-tier enterprise environments. Here comes my idea: develop a software package that serves as a demonstration of secure coding with above technologies. Luckily we don't have to start from scratch here if we apply some re-mixing. If you don't know what re-mixing is: check the latest Etech infos.
MI Students: if you would like to try some secure coding examples this term - get in touch with me for a SWT-Praktikum.
- Developments driving security today
Security technology awaits a big change in the next years. Good old role-based security, provided by a tight system administration, will not be able to handle the new demand. (This does not mean that we are able to do this "good old" security stuff in a decent way. What I mean is that new requirements will require a completely different form of security technology than is needed in the typical intranet or web-shop scenario.)
- Java vs. .NET Security
Denis Pilipchuk wrote a comparison of both platforms. Don't expect a shoot-out. Instead, a good introduction into current security services and mechanisms is provided.
- Single-Sign-On via Kerberos
On Jason Garman's book "Kerberos: The Definitive Guide". Read why I like the book.
- Secure Coding - a new O'Reilly book by Mark Graff and Kenneth R. van Wyk. And literature tips, more...?
Books and articles that really explain how to write secure code are rare. They need to combine abstract policies with deep technical details of certain areas like web application architectures. This is a collection of stuff that helped me a lot.
This is more of a kitchen-sink kind of section because of the disparate nature of the topic.
- Security Analysis Methods, more...?
I had a hard time finding some methods that were both useful and usable at the same time. E.g. not over-formalized. Some diagrams are taken from existing architecture methods and adapted. Some are invented and need some improvement.
- Building technology and its relation with IT, more...?
Today building technology and automation is mostly based on IT. Networks, sensors, controllers, administration. But does building technology also suffer from the security problems which plague business systems so much?
- Doing security in creative environments, more...?
What if your colleagues are mostly "free spirits" and tend to hook up whatever is available to your precious network? A situation common on campus networks, broadcast companies etc. where creativity rules and getting a new idea onto the air is more important than anything else. How does commercial security technology fare in this environment?
- On motorbikes and security, more...?
A discussion of Bruce Schneier's "Beyond Fear" in the context of a biker trip. How security can be a threat to our freedom by itself. The trade-off between security and its side-effects.
- Multi-level databases and what we can learn from them
I found some interesting bits on protecting data with a high granularity in Charles and Sheri Pfleeger's book on "Security in Computing". Read how this could be useful for smartcard applications as well. And a few sentences on what the book covers and what not.
Smartcards, architecture and use
An interesting decentralized approach to improve authentication and usability but still let users in control of their data. Could be the basis for healthcards, jobcards etc.
- The things we don't tell our wives - how the German dentists protect our privacy
I found an ad in a TV-magazine where the dentists' lobby argues against the medical records on the planned health card. They want to protect the patient's privacy: "there are things you don't even tell your wife". Is the ministry of health the evil empire or do the dentists' arguments not really bite? And why a transparent patient is something different than a transparent medical professional.
- The German Jobcard architecture - technical and political aspects of its security design, more...?
A discussion of a Heise article on the jobcard.
- Finread - a multi application smartcard reader
From looking at the German health card security architecture it became clear that a smartcard reader for users is necessary to give users control over their data and applications. FINREAD provides an open architecture for running multiple applications (e.g. VISA, EC etc.) safely. The FINREAD documentation is mostly available and gives a first hand insight into the complexities of secure embedded control card readers.
- The German healthcard - security architecture
Some considerations of the security concepts behind the planned health card for Germany. Plus resources. An example of the complex relations between security mechanisms and politics. We look at problems, proposed solutions and alternatives. This will lead to a renewed interest in smartcard reader technology as a core piece for user controlled smartcard applications. (see below: article on finread)
- An open architecture for smartcards , more...?
Multifunction cards are a hot topic for the financial industry - and not only for them: healthcards, jobcards etc. are all designed to run different applications from different companies. How can those systems increase the security in e-banking?
Portal and Web-application Security
The lecture has a number of sessions on attacks, infrastructure and software architecture. Every once in a while I invite a friend to a talk on current portal security technology.
- OBSOC: total embarrassment for T-COM and Microsoft
Some reflections on software architecture behind the latest T-COM security mess. And some questions you should ask your IT-Security people. Actually, some companies might not be so amused about all this. E.g. those mentioned as T-Systems customers in T-Systems "Hosting Business Solutions". If the hackers of today are worth their salt I would expect some activities here...
- Security Architectures for Internet Applications, more...
Slides from Christophe Gevaudan, a chief architect of the well-known UBS AG of Switzerland. He is the architect of leading e-business applications and responsible for security infrastructures as well.
- Developing Secure Software, more ...
Two excellent papers on how to develop secure software.
- Can we fight spam together?, more....
Collaborative filtering is so powerful as personalisation engines have shown us. Can't we use the same technique to filter spam? Can I reduce my spam because you've deleted yours already?
Running online elections was a hot topic last term - both in the US as well as in my security lecture. Together we have analyzed different implementations of e-voting with the goal to perhaps one day run the university elections through our system. Here are some bits and pieces of what we learned. Not final yet but the discussions show our way from machine based security (e.g. like in the Diebold voting systems) to an externally controllable, cryptography based model of secure voting (e.g. using blind signatures). The work will probably continue in the next term.
- E-voting at the euro and community elections in Germany - Koblenz rulez?, more...?
The city of Koblenz is preparing for direct democracy with monthly votes on community issues like building a new sport arena, how big classes at school should be and so on (or did I misunderstand the reason for spending money on e-voting?).
- How do you want to e-vote today?, more ...
Part one of a series about the e-voting scandal in the US. Could e-voting be done properly or should we stick to the good old paper ballots? On technical, economic and political issues around voting in the 21st century. (just wonder why Clay Shirky did not write about this yet - it's truly about culture and networks (;-)
- How do you cheat in a paper voting system, more ...
We must understand the regular (paper) voting process before we can analyse e-voting systems. On threat models, attack trees and last principles.
- Examples of e-voting systems, more ...
Let's discuss some alternatives for e-voting systems: browser based, kiosk or election places. On authentication, anonymity and how to capture the voter's will.
- Ballot design for e-voting, more ...
On screen-design, usability and computer-illiterate voters.
- Voter verifiable audit trail, more ...
Why cucumbers and salad seem to be more valuable than democracy.
My belief is that security is first an awareness problem. Once you have realized that there is a security problem - which means you have understood that you are putting a lot of trust in some place - the solution is not far away. Here are little bits that show how my awareness has grown as well.
We slowly start to understand what terrorism's goal really is: Terror wants to change our society into a prison by raising fear and causing governments to cut down on the rights of citizens. And as far as I can see Bin Laden is well on his way to reach this in many western countries. Here are some bits which try to fight the hunger for data which is displayed both by government and the private sector.
It is not enough to always mention social engineering as the most successful practice of intruders. One has to explain how it works. Some ideas after reading Kevin Mitnick's art of deception:
- Social engineering: Going beyond the "art of deception", more ...
Kevin Mitnick's book on "The Art of Deception" made for a fun reading during my vacation. The book consists mostly of entertaining stories which make it totally credible that even experienced security personnel fall for simple tricks. It ends with good advice like creating awareness for security issues in your company. But I found the book lacking in one aspect: it does not take a systematic look at how deception really works. Let me try to explain how deception works.