collaboration and content security

September 05, 2007

What is OpenID for?

Blogger: Bob Blakley

There’s been a bit of a dust-up over OpenID recently in the blogosphere. First Eugene and Vlad Tsyrklevich published a paper at BlackHat 2007 outlining a bunch of weaknesses in OpenID. Then Stefan Brands amplified the critique in a long blog post. David Recordon fired back in a post of his own, in which he expresses confidence that OpenID 2.0 will fix all of OpenID’s problems. I have less confidence than David, but I’ll leave that topic for later. What I’d like to do first is talk about getting the horse before the cart.

What I’d really like to see, as a security guy, is a problem statement and a risk analysis. Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question:

1. What are the assets to be protected?

What do OpenID’s designers intend it to be used to protect? Blog comment lists? Blog entries? Persistent consumer accounts on commercial servers? Persistent employee accounts on corporate servers?

2. What are the services to be offered?

What services do OpenID’s designers intend it to offer? Authentication of users as the legitimate possessors of OpenID URLs? Linkage of OpenID URLs to user accounts on web-facing systems? Linkage of OpenID URLs to user attribute information (e.g. Information Cards)?

3. What quality of protection is claimed for these services?

Is the OpenID protocol intended to protect against phishing? Is it intended to protect against man-in-the-middle attacks? Is it intended to protect against attempts by one OpenID party to induce another party to execute malicious code? Is it intended to protect against session-splicing or session hijacking? Is it intended to protect against active or passive wiretapping?

4. What is the threat model?

What threats is OpenID designed to protect against? Accidental failures at a participating party? Malicious behavior by users? Malicious behavior by relying parties? Malicious behavior by OpenID providers? Wiretappers? Hackers attempting to penetrate a relying party? Hackers attempting to penetrate a provider? Hackers attempting to penetrate a client system? Cryptanalysts?

5. What is the trust model?

Who trusts whom to do what? Does the user trust the OpenID provider to actually check his password? Does the provider trust the relying party not to send maliciously constructed OpenID URL strings? Does the relying party trust the provider not to reissue OpenID URLs to different parties at different times? Does the relying party trust any particular OpenID provider to issue OpenID URL strings in a particular part of the namespace (e.g. “.gov”)?

All the arguments about OpenID are entertaining, but the claims and counterclaims are very difficult to evaluate in the absence of a coherent problem statement which includes answers to questions like these. The OpenID 2.0 Specification signally fails to address these issues; in this sense it’s a solution looking for a problem.

August 10, 2007

Beware the iPhone?

Blogger: Eric Maiwald

There were lines around the block. People waited to catch a glimpse of one and hopefully buy one. There were news stories about it. What could have caused this much anticipation? Was it a concert for some famous rock star? Was it a championship game? Was it a chance to catch Barry Bonds’ 756th home run ball?

Nope. It was the iPhone. Of course, the iPhone is not just any new cellular phone. With its slick graphics and user interface, it is leaps and bounds ahead of anything mortal man has seen before!

Well…maybe not.

One thing is certain: the iPhone has caused some concern for large enterprises. Since many employees are purchasing iPhones and hooking them up to their computers at work, there is a fear that large amounts of sensitive information may be transferred to the devices. Of course, this is nothing new (not really, anyway). Many employees have PDAs, SmartPhones, or even USB memory sticks and use them to store sensitive information. Maybe it is just that the hype around the iPhone has made it more visible than the other devices, and that has gotten the attention of the enterprise.

Handheld devices like phones, PDAs, and memory sticks are so common as to be invisible while in plain sight. We all know that portable computers can hold sensitive information. The news media has seen to it that any time a portable computer is lost or stolen, the details of how many credit card or social security numbers were on it are a front-page story. Of course, portable computers are assets that are tracked by enterprises. If an employee loses one, there tends to be a loss of productivity. I can just see a Dilbert cartoon coming:

Dilbert: “Hey Wally, why haven’t you responded to my emails?”
Wally: “I didn’t see them.”
Dilbert: “Why not? Don’t you check your email?”
Wally: “I lost my computer a few months ago so I haven’t been checking my email.”
Dilbert: “Three months ago? Why didn’t you call the help desk and get a new one?”
Wally: “I figured it would be easier to just wait for the hardware refresh cycle.”

So when a portable computer is lost or stolen, the enterprise hears about it. If the computer contains personally identifiable information (PII), the breach notification laws require customers to be contacted, and a negative consequence occurs for the enterprise. Notice that the loss of PII may not in itself be a negative consequence to the enterprise. The cost of replacing credit cards is incurred by the banks. The cost of fraudulent purchases is incurred by the merchants. The individuals may incur costs associated with identity theft. The enterprise incurs costs because of the requirement to notify the individuals and admit the loss or theft. The banks and merchants may then sue them, as is happening in the case of TJX.

Let’s go back to the handheld devices. If a PDA, phone, or memory stick is lost or stolen, will the enterprise even know about it? Are these devices tracked as assets of the enterprise? Do employees report the loss or theft if the devices belong to them instead of the enterprise? In many cases, the enterprise will not know about the loss or theft and will likely not have any idea what information is on the device.

Does the enterprise want to know? That is not an easy question to answer. I’m sure that the enterprise wants to know if an event will impact the business. So a memory stick that includes secret designs, patent applications, or other trade secrets would interest the enterprise. Perhaps there are things that could be done after the fact to control or limit the negative consequences.

What if the information is PII? The negative consequences are going to occur to some other entity (banks, merchants, or the individuals). The negative consequences occur to the enterprise only if it knows that the information was lost when unencrypted. If the enterprise doesn’t track the devices and never learns that the device was lost or that it contained PII, then the enterprise can’t be expected to report it to the media or the individuals. If the PII is used to commit fraud or identity theft, will it be possible to follow the trail back to the lost device? Probably not.

So should enterprises track the use of handheld devices and memory sticks? Should the enterprise try to control them? Ethically, I think the answer is yes. Enterprises have a responsibility to protect sensitive information in their possession. However, from a risk management standpoint, the decision may sometimes go the other way.