Internet Security

My friend and colleague Prof. Roland Schmitz held a presentation on Android security features at Droidcon. Take a look at the software techniques for security used in this operating system. And take notice of the "return of the process isolation idea".And that there is still a chance for "confused deputy" attacks.

Just a short comment on the latest member of the "Beautiful .." series from Oreilly.

How browsers could defend user data and actions based on what they know about communication and presentation. A short into to Bastian Zimmermans thesis on client-side security in browsers and some project ideas. (in german)

I just got through the book by McGraw and Hoglund on "exploiting online games - cheating massively distributed systems". I've tried to extract the most important attack vectors because I found the book rather verbose. And don't expect much "distributed". Most of the attacks discussed are purely local exploits of the game client. But the threat model is quite interesting: The server side needs to trust the game client while being aware that it might be under control of the attacker - so it uses heuristics to find out about the manipulations. This is not a scenario that most business e-services would survive...

A good overview paper from enisa on the dangers in virtual worlds with the title "Virtual Worlds, Real Money". Good links on various attacks and countermeasures. Let's one speculate about the realtion between virtual and real worlds. Lists several types of VW and compares core features. Discusses automated attacks, social engineering and many other forms of abuse and misbehavior and the respective technical or legal reactions.

After the freeway killing: are you scared about driving below highway bridges? Do you think about the incident while driving? How rational is this behavior? How natural? Read about surprising ways our stone-age brain does risk assessment and take a look at some real risks.

I have read those specs recently and I do not really understand them well. Read my objections and tell me where I am wrong. I will discuss both later in detail..

A few comments on a CCCS talk on web application security and a rant against the "security is an eduction problem" for both users and developers. There are too many counter-examples. Security needs to be built in. Otherwise we should tell the car makers to finally get rid of all airbags and safety belts: its all a matter of disciplined driving.

An addendum to the first security book on the problem of badly configured SCIP proxies which map serveral different client IDs onto one SSL-SessionID. When client identity becomes a heuristic outcome. (Thanks to Matze Schmidt and Thomas Huber).

I read a disgusting piece of advertisement by a security company who offers a filtering appliance against the threat of anonymizers. Typical US lingo, full of rightousness, scares of legal repercussions and turning everybody into a little "sheriff". Not to forget the lack of technical information or its weaknesses. Trying to detect the use of an anonymizer through URL filtering and rules is rather hard with an SSL tunnel!.

An excellent thesis by Martin Scheffler on the use of capability-secure languages in scene graphs. Shows the lambda based capability patterns like facet, forwarder and sealer/unsealer at work to allow anonymous, distributed and context dependent access control.

and why would somebody say so? A short bit on so called "immutable laws" of security proposed by Microsoft guys. I've used structural text analysis methods to uncover the assumptions behind. It's the typical MS argumentation: the operating system is OK. Systems can't be safe against malware. It has nothing to do with architecture. And it's the users fault anyway.

Want to know what a WAF can do for your health? Don't wait till you get an honorable mention in newspapers for your security leaks. Learn how to profit from a WAF both in case of an emergency and as a long term defense in depth strategy. Learn what they can do and how. Read the thesis by Sebastian Roth..

Security warnings from Heise made you and your application famous! And in times of viral and guerillia marketing we all know that bad publicity is better than no publicity. But there are cases when you might not really like the publicity. Read on how the talks from our Security Day might save your butt one day!

Looks like it is finally done. The first volume is in print, the second one on "Sichere Systeme" needs to be proofed and will follow shortly.

Additional information, bug-fixes and the slides will be privided here, as well as Q&A stuff. The authors welcome comments and suggestions for improvement.

The KES article that Roland Schmitz and myself wrote is now available online. Core topic: usability chances in a world of reduced authority.

Is there already a SIC in place - just like the well-known military industrial complex? Is there still an interest in systems that are more secure - or is this considered damaging to a thriving business?

How to scare people for all the wrong reasons. Some funny "fifties" posters on security topics. But are they really teaching the right ideas or are they just documenting and re-inforcing what is wrong in our software? The "duck and cover" approach to bad security design?

Does it really improve end-user security? Or does it only help Microsoft? A short discussion of an article by Joanna Rutko.

Ever wondered why there is an RFID chip on the new passports? Stop wondering - it's for your good, dummy.

I've updated my piece on software patents, open source software and its new economy and how the EU again became the lobby instrument of the big zaibatsus. The whole process is depressingly far from democracy. But that is nothing uncommon to us Europeans where a Mr. Baroso - after two devastating votes against the EU constitution - tells Mr. Bush: Don't worry - business as usual in Europe. And he is right!

After reading an excellent article by Chen Junwei on a lightweight RFID framework I got some afterthoughts on similiarities between cookies and RFID tags - and that the information IN the tags is not the real problem. And take a look at the infrastructure for RFID processing!

Read more on Grids, proxy certs, OSGI and SELinux.

If you thought that this does not make a difference - read on about RFIDs or smartcard based passports and how the distance argument is abused by politicians. In the wireless world distance is no longer a safety measure. And this means loss of control on your side.

Digital identity is a concept much larger than usually discussed in the context of information security. The new book by Phillip Windley explains technical and organizational ways to create an Identity Management Architecture. If you need to understand how SOA and federation of identity are related, read this book. The same goes of you need to build a SSO architecture. The book is for technical as well as business readers due to its top-down approach. And it makes you realize that so called identity provider networks are probably unavoidable - but what are the dangers behind? Answering this question will be easier after reading this excellent book.

Some good links on security related topics like crypto, google hacks etc. mostly assembled by Mathias Schmidt.

A "background check" covering educational data, credit data, criminal records from WAY BACK when you were young and dumb - to get an IT job? Read about some disturbing proposals from security companies to make more money. The ideas would have made Himmler and Heydrich proud. It makes you really worry where the US society is going. And why system architecture needs to include damage control.

On silly arguments around future security and terror.

You don't need to look at the US to see big brother watching us: Beckstein an Co. are busy chipping legal pieces away towards a general spying system without due cause. Now it is toll data that "law enformcement" needs to do its job. What is next? Read on how the political strategy works.

After Garfinkels PHD Thesis on usability and security there is now finally a book that covers current activities in this area. The new book from Oreilly (which I will discuss shortly) contains articles from Garfinkel, Ka Ping Yee etc.

Does two factor authentication really help in the context of phishing? The university of Bochum has built a MITM proxy which was able to subvert the new ITAN scheme of the Postbank. This did not really surprise anybody in security but made a big splash in the media. The funny thing was that they where able to build the attack code but in an interview on TV completely failed to explain how users can protect themselves.

Shock after buing a dotnet magazine and reading the editorial: is it really dead? Not dotnet in Vista? Only a handful large projects world wide? Some open words by several old windows developers raise interesting questions. On a sideline: looks like the dotnet patterns are not much different from those used in J2EE developments.

Can the security of a local system be achieved through collaborative services? And what is the price you have to pay for it in the long run? A few comments on Bill Gates talk at the RSA 2005.

While the last years have been dominated by network based security approaches at least in my opinion the next couple of years will (need to) see an improvement in host based security. Too many times network based security like firewalls are only an excuse for deficits in software security. The systrace facility in OpenBSD is a nice and understandable way to create sandboxes for daemons, servers and untrusted users.

Security Enhanced Linux is NSA's open source version of a better Linux. The work on SELinux has taken many years (some aspects of the implementation look a bit old-style) but it is an interesting approach towards better host based security.

The following is based on the excellent book about SELinux by Bill Mccarty and concentrates on the concepts behind SELinux and its implementation.

Finding good examples on secure software is hard. Especially when it comes to multi-tier enterprise environments. Here comes my idea: develop a software package that serves as a demonstration of secure coding with above technologies. Luckily we don't have to start from scratch here if we apply some re-mixing. If you don't know what re-mixing is: check the lates Etech infos

Security technology awaits a big change in the next years. Good old role-based security, provided by a tight system administration, will not be able handle the new demand. (This does not mean that we are able to do this "good old" security stuff in a decent way. What I mean is that new requirements will require a completely different form of security technology as it is needed in the typical intranet or web-shop scenario.

Denis Pilipchuk wrote a comparison of both platforms. Don't expect a shoot-out. Instead, a good introduction into current security services and mechanisms is provided.

On Jason Garman's book "kerberos - the definitive guide. Read why I like the book.

Books and articles that really explain how to write secure code are rare. They need to combine abstract policies with deep technical details of certain areas like web application architectures. This is a collection of stuff that helped me a lot.

I had a hard time finding some methods that where both useful and usable at the same time. E.g. not over-formalized. Some diagrams are taken from existing architecture methods and adapted. Some are invented and need some improvement.

Today building technology and automation is mostly based on IT. Networks, sensors, controllers, administration. But does building technology also suffer from the security problems which plague business systems so much?

What if your colleagues are mostly "free spirits" and tend to hook up whatever is available to your precious network. A situation common on campus networks, broadcast companies etc. where creativity rules and getting a new idea onto the air is more important than anything else. How does commercial security technology fare in this environment?

A discussion of Bruce Schneiers "beyond fear" in the context of a biker trip. How security can be a threat to our freedom by itself. The trade-off between security and its side-effects.

I found some interesting bits on protecting data with a high granularity in Charles and Sheri Pfleegers book on "Security in Computing". Read how this could be useful for smartcard applications as well. And a few sentences on what the book covers and what not.

I found an ad in a TV-magazine where the dentists lobby argues against the medical records on the planned health card. They want to protect the patients privacy:"there are things you don't even tell your wife". Is the ministry of health the evil empire or do the dentists arguments not really bite? And why a transparent patient is something different than a transparent medical professional.

A discussion of a Heise article on the jobcard.

From looking at the german health card security architecture it became clear that a smartcard reader for users is necessary to give users control over their data and applications. FINREAD provides an open architecture for running multiple applications (e.g. VISA, EC etc.) safely. The FINREAD documentation is mostly available and gives a first hand insight into the complexities of secure embedded control card readers.

Some considerations of the security concepts behind the planned health card for Germany. Plus resources. An example of the complex relations between security mechanisms and politics. We look at problems, proposed solutions and alternatives. This will lead to a renewed interest in smartcard reader technology as a core piece for user controlled smartcard applications. (see below: article on finread)

Mulitfunction cards are a hot topic for the financial industry - and not only for them: healthcards, jobcards etc. are all designed to run different applications from different companies. How can those systems increase the security in e-banking?

Some reflections on software architecture behind the latest T-COM security mess. And some questions you should ask your IT-Security people. Actually, some companies might not be so amused about all this. E.g. those mentioned as T-Systems customers in T-Systems "Hosting Business Solutions". If the hackers of today are worth their salt I would expect some activities here...

Slides from Christophe Gevaudan, a chief architect of the well-known UBS AG of Switzerland. He is the architect of leading e-usiness applications and responsible for security infrastructures as well.

Two excellent papers on how to develop secure software.

Collaborative filtering is so powerful as personalisation engines have shown us. Can't we use the same technique to filter spam? Can I reduce my spam because you've deleted yours already?

The city of Koblenz is preparing for direct democracy with monthly votes on community issues like building a new sport arena, how big classes at school should be and so on (or did I misunderstand the reason for spending money on e-voting?).

Part one of a series about the e-voting scandal in the US. Could e-voting be done properly or should we stick to the good old paper ballots? On technical, economic and political issues around voting in the 21st century. (just wonder why Clay Shirky did not write about this yet - it's truly about culture and networks (;-)

We must understand the regular (paper) voting process before we can analyse e-voting systems. On threat models, attack trees and last principles.

Let's discuss some alternatives for e-voting systems: browser based, kiosk or election places. On authentication, anonymity and how to capture the voters will.

On screen-design, usability and computer-illiterate voters.

Why cucumbers and salad seem to be more valuable than democracy.

No it is not the bird flu nor the martians - even if we would wish it where so. It is an outbreak of the most dangerous disease that human beings can catch - a fast spreading virus which mixes idiocy with political calculus. Read what started a big man hunt in Hamburg and some sad truth on London police as killers.

The german Bundesamt für Sicherheit in der Informationstechnik (a would like to be clone of the NSA) is taking great pains to ensure that the new german passport information cannot be read from the RFID chip without the owner knowing. Why there is an RDID chip on the passport? Wrong question, next please.

Did you ever wonder where they get all those security experts seen on TV? Here is my theory...

How companies manage to rip you off by selling security devices that make the situation even worse for you.

Sometimes you really wonder who is the real target of security measures. This is certainly the case with the iris scans at the Frankfurt Airport.

There are some activities which did NOT slow down when the economy did - and they affect our privacy.

Why are really basic features like being able to convert html-mail to text or to suppress image refs to other domains not available as options in most browsers?

Your operating systems and applications record just about everything you do.

Kevin Mitnicks book on "The Art of Deception" made for a fun reading during my vacation. The book consists mostly of entertaining stories which make it totally credible that even experienced security personel falls for simple tricks. It ends with good advice like creating awareness for security issues in your company. But I found the book lacking in one aspect: it does not take a systematic look at how deception really works. Let me try to explain how deception works.