Thursday, March 24, 2011

RSA SecurID is now 1.5-factor, not 2

Everyone is trying to figure out what really happened. One theory is that there was a government backdoor. That is possible, since SecurID is a closed technology and it is unclear how it works. Its architecture and algorithm have not been publicly reviewed, either for weaknesses that could cause an unintentional breach or for the absence of intentional backdoors.

Network World reported the following:
In its "Incident Overview," which was part of the update, RSA stated, "To compromise any RSA SecurID deployment, an attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful direct attack, someone would need to have possession of all this information."

This indicates that an attacker can get access to a protected system without having physical possession of the SecurID token. If that is true, the other RSA quote (from Network World)
Many are, in fact, bewildered by the statement Coviello made on March 17: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

would mean that the "reduction in effectiveness" is basically that the authentication is no longer based on two factors. It is based on one factor (plus some phishable data) only.

How is this possible?
I don't know how SecurID works, but this is how two-factor authentication works, and it must do something like this:
One factor is something that you have, in this case a hardware token. This presumably holds a secret key that is shared with the authentication server (or the server holds a paired public key). Ideally every token would have a completely random key, but RSA may have taken a shortcut and used one that is somehow derived from the serial number of the token (or some other insecure input, like a customer ID). If the attacker obtained information that lets this key be reconstructed from the serial number (or other info), he or she can authenticate without ever having access to the token itself.
This theory is not incompatible with the government backdoor; indeed, the government may have asked RSA to introduce the above weakness. Or it could have figured it out a long time ago on its own.
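To make the hypothesis above concrete, here is an added, self-contained Python model of a time-based OTP token under two seed-provisioning schemes. It is not RSA's algorithm and nothing in it is derived from SecurID internals: the token is a generic RFC 4226/6238-style OTP, and the vendor master secret, the serial-number derivation scheme (weak_seed), the serial numbers and the PINs are all hypothetical values constructed for the demo. It goes one step beyond the paragraph by also modelling the PIN, so you can see that once the seed is reconstructible from off-token data, the PIN (phishable) is the only thing left.

```python
# Added illustration for the post's hypothesis above; this is not RSA's
# algorithm and nothing here is derived from SecurID internals. The token
# model is a generic RFC 4226/6238-style OTP; the seed-derivation scheme
# (weak_seed), the vendor master secret, serial numbers and PINs are all
# hypothetical values constructed for the demo.
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6
STEP_SECONDS = 60  # tokencode lifetime assumed for the model


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian 64-bit counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the current time step."""
    return hotp(seed, int(now) // step)


# Hypothetical vendor-wide master secret; the scenario in the post is that
# something like this (plus serial numbers) is what an attacker extracted.
VENDOR_MASTER = b"hypothetical-vendor-master-secret"


def weak_seed(serial: str, master: bytes = VENDOR_MASTER) -> bytes:
    """Shortcut provisioning: the per-token seed is a deterministic function
    of the serial number and a vendor secret. Anyone holding both can
    regenerate the seed without ever touching the token."""
    return hmac.new(master, serial.encode(), hashlib.sha256).digest()[:20]


def strong_seed() -> bytes:
    """Proper provisioning: an independent random seed per token."""
    return secrets.token_bytes(20)


class Token:
    """The 'something you have': knows its own seed, displays a tokencode."""

    def __init__(self, serial: str, seed: bytes):
        self.serial = serial
        self.seed = seed

    def code(self, now: float) -> str:
        return totp(self.seed, now)


class AuthServer:
    """Holds the server-side copy of each seed plus the user's PIN."""

    def __init__(self):
        self.accounts = {}  # serial -> (seed, pin)

    def enroll(self, token: Token, pin: str) -> None:
        self.accounts[token.serial] = (token.seed, pin)

    def verify(self, serial: str, pin: str, code: str, now: float) -> bool:
        """Two-factor check: PIN (something you know) and tokencode
        (something you have). Only the current time step is accepted;
        real servers tolerate some clock drift."""
        entry = self.accounts.get(serial)
        if entry is None:
            return False
        seed, expected_pin = entry
        pin_ok = hmac.compare_digest(pin, expected_pin)
        code_ok = hmac.compare_digest(code, totp(seed, now))
        return pin_ok and code_ok


def attacker_code(serial: str, stolen_master: bytes, now: float) -> str:
    """Attacker holding the leaked master secret, the derivation scheme and
    the victim's serial number, but not the physical token."""
    return totp(weak_seed(serial, stolen_master), now)


def demo(now=None) -> dict:
    """Run both provisioning schemes against the same attacker and return
    which logins the server accepted."""
    now = time.time() if now is None else now
    server = AuthServer()
    weak = Token("000123456789", weak_seed("000123456789"))
    strong = Token("000987654321", strong_seed())
    server.enroll(weak, "1234")
    server.enroll(strong, "5678")
    # The PIN is assumed phished; the attacker has no token in either case.
    return {
        "weak_legit_user": server.verify(weak.serial, "1234", weak.code(now), now),
        "weak_impersonated": server.verify(
            weak.serial, "1234", attacker_code(weak.serial, VENDOR_MASTER, now), now),
        "strong_impersonated": server.verify(
            strong.serial, "5678", attacker_code(strong.serial, VENDOR_MASTER, now), now),
        "strong_seed_recovered": weak_seed(strong.serial) == strong.seed,
        "weak_no_pin": server.verify(weak.serial, "0000", weak.code(now), now),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

With the derived seed, the attacker's login is accepted exactly like the legitimate user's; with the random seed it is rejected, because nothing off the token determines the seed. The only remaining check in the derived-seed case is the PIN, which is the "one factor (plus some phishable data)" the post describes.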


Sunday, May 9, 2010

Evolution in the Data Center

Ok, this post does not have much to do with security (except for one of the points below). I've been catching up on happenings in the data center these days, and it appears a gradual evolution is underway. The following is what I understand; I wrote it down so that
- you might avoid having to do the research
- more selfishly, you might point out mistakes in my understanding

1) What is virtualization -- First of all, the hypervisor has very little to do with what is happening in virtualization now. Until I figured that out (I thought virtualization and the hypervisor were one and the same; and although it is cool to be able to run multiple OSes on a CPU, one can achieve 80-90% of what a hypervisor provides without virtualization) I did not think virtualization was of much use and thought it was hyped unnecessarily by the tech media. Now I realize that virtualization is not about the hypervisor (yes, it is now an important element, but almost commoditized) but about tools that help IT admins dynamically respond to changing IT needs, such as:
- Provisioning new applications quickly
- Scaling them up or down to meet changing loads
- Migrating them to different servers in the same or a different data center for performance or power optimization or for disaster recovery etc.

2) Components of a virtualized data center -- To achieve the above goals the following components are needed:
- Servers -- Of course, where else would the applications run :)
- IP switches/routers -- For users to access the applications and for applications to talk to each other. If NAS is used, these also provide access to storage
- Optional storage switches -- Although it is theoretically possible to use storage attached directly to servers, it is more efficient to use specialized storage like SAN or NAS. If SAN is used, FC and/or FCoE switches are needed.
The above components are not new. They have been used in data centers for ages. But virtualization does impose new requirements on them.
- Virtualization magic software -- This is new, and hence arguably the most important component. It is the software that allows the IT admin to orchestrate the changes needed to achieve the three goals mentioned in (1) above. This is what made VMware successful (for a long time I thought it was the hypervisor!). Scalent makes another nice one...I am sure there are others

3) Market Dynamics -- This evolution of the data center provides an opportunity for vendors of the above components (incumbents and upstarts) to innovate within those product categories (to address the changing requirements). That will surely happen, and within a year or two, I believe, all vendors within those categories will have 90% matching features, with the remaining 10% in a diminishing-returns but unavoidable arms race. On the other hand, this evolution also gives large incumbent vendors an opportunity to innovate across categories, providing vertically integrated solutions (like Cisco, VMware, EMC). Of course, this creates an opportunity for exactly the opposite innovation: enabling standard, interoperable, multi-vendor solutions. Scalent is a good example of this. I think in the end the latter will win, but it might still make sense for companies like Cisco to delay this for their products and pursue vertical integration to gain market share.

It will be fun to watch this happen!

Thursday, July 16, 2009

Is SSL broken?

I was reading Network World and for a very brief moment was alarmed to learn that SSL is not secure and that Tim Greene recommends (or is he quoting the researchers' opinion?) that people should not use public Wi-Fi even for SSL-protected browsing.

[The Network World article says "SSL VPN...", although the threat, if real, should apply to non-VPN uses of SSL as well, and the examples cited are online banking; most people won't call an SSL connection to their bank an SSL VPN. An SSL VPN is the extension of an "intranet" over the internet, using SSL to secure it.]

Then I found this article, which seems to have slightly more data. I haven't seen the demonstration, but I have a suspicion that this is much ado about nothing. It seems the flaw is that if parts of the page are served with EV SSL and other parts are not, the browser does not complain as long as the domain is the same. (The part in bold is my assumption; if it is true, there is nothing to worry about. If my assumption is not true, all hell will break loose, public Wi-Fi or not!) I think not all parts are EV SSL because the site owner did not want to shell out extra money for EV SSL certificates for every sub-domain. This makes sense, because EV SSL is pretty much useless, and I don't understand why the website got an EV SSL certificate at all!

If you read this and know that my assumption above is false, please comment and let me know. I should stop using the internet!

Update 3.11pm: Found the abstract here: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html

[scroll down to find "Alexander Sotirov, Mike Zusman
Breaking the security myths of Extended Validation SSL Certificates" ]

My assumption is valid. SSL is still secure. Their point is that EV SSL is not more secure than cheap SSL.

"Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate"

We already knew that was true...this is one more reason, and it makes it "truer", if that is possible :-)

Wednesday, July 15, 2009

How safe is your Twitter account?

Twitter has been successfully hacked several times, but the most egregious of them all is the break-in that compromised Twitter's own employee and other confidential information. I don't use Twitter, but I am concerned about the security of other major social networks like Facebook, Orkut etc.; frankly, I don't think they are much better. In the race to capture more and more users, social networking websites and applications often ignore security and privacy issues. This is because these issues are considered an economic externality by these companies. In that respect, the information age is a bit like the early industrial era, when corporations ignored the impact of their factories on the environment. We need laws that "internalize" these externalities. But given the focus of the government on the economic crisis, health reform and other issues, will this important issue be addressed?

Thursday, April 16, 2009

How secure will the smart grid be?

There is a good article about the security of our power grid. Unlike the innumerable fear-mongering write-ups I generally find, this one is quite reasonable.
In particular, I find this paragraph about the increasing proliferation of "smart grids" interesting:

While Meyerrose, Mansoor and other experts agree that the utility industry's vulnerability will grow as its command-and-control systems rely ever more on computer networks, those concerns are not new. Some security experts have cautioned against the growing use of "smart grid" technology — which relies even more on computer networks to allow both utilities and individual consumers to monitor and reduce power usage. There are already 2 million smart meters in use in the U.S., and the Obama Administration's 2010 budget includes $4.5 billion in spending on such technology. The fear is that these meters may allow hackers access to the grid's control systems. But smart-grid backers say the opposite is true: the use of more-sophisticated monitoring systems makes the grid safer.

Of course, they will say this because that is good for their business. The truth is that it depends on the details. If these systems are designed with security in mind, they will be safer. If not (and this is more likely), the new smart grid will be less secure than the "dumb" grid we have today.

Tuesday, March 24, 2009

Phonefactor: how secure?

A system is only as secure as its weakest link. Phonefactor seeks to replace hardware security tokens with your phone. It is an interesting idea, not only because it uses two factors, something you know (password) and something you have (phone), but also because it uses two channels: the internet and the phone network (unless, of course, your phone is VoIP*). This would appear to increase security, but it doesn't necessarily do so. The challenge in using a phone in real time for authentication is that you have to handle the case where the user is not near the registered phone, or, if it is a cellphone, it is not reachable when the user wants to log into her account. The handling of this case is the weak link. The system has to fall back to what Phonefactor calls "strong security" but which in reality is quite weak. All you have to do is convince the call center staff to do a one-time bypass or change the registered phone number. Usually this is done by asking for information like social security numbers, mother's maiden name etc. This is not secure. If it were, why have the phone factor at all? Just ask these questions on the internet while authenticating the user. Indeed, many banks/brokers have adopted this approach (I am not saying that this is secure). But some, like one of my credit unions, have fallen for the marketing gimmick and false sense of security provided by Phonefactor.

*Even if your phone is not VoIP, your provider may be susceptible to being hacked. For now, I ignore that angle, because there is a much easier way to bypass the second factor.

Wednesday, January 21, 2009

Signs of intelligent life appear in Washington...still missing from Mumbai

There are signs of intelligent life in Washington security circles:

A federal appeals court in Philadelphia ruled that would violate the First Amendment, because filtering technologies and other parental control tools are a less restrictive way to protect children from inappropriate content online.

http://www.siliconvalley.com/latestheadlines/ci_11511321?source=email

But missing from the Mumbai police department:

...several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks.
http://blog.wired.com/sterling/2009/01/bombay-cops-kee.html