Here you go..OWASP Hartford !

Last night, I had the opportunity to present at an OWASP event in Hartford, CT. James McGovern, a long-time buddy of mine, organized this event in one of the Hartford skyscrapers – what a great view! I had contributed code artifacts to OWASP projects before, but it was the first time I had a chance to attend an OWASP event. Amazing to see..it was an enthusiastic crowd with a lot of focus on the emerging trends in IT security. I took a small piece of the IT puzzle..to present a topic on “Multi-factor Authentication” and then a demo showing OpenSSO with PKI/Biometric authentication. It was a well-organized event and I saw a lot of interest around OpenSSO.

As promised, here are my slides for your reading pleasure. Enjoy.

I am a CISA now.

IT security, compliance auditing and governance have been among my focal areas for many years now…but I didn’t have a chance to explore them more closely due to my hands-on technical focus on implementing security solutions. Of course, you can’t practice IT security implementation and compliance auditing together as a job – that certainly defeats the fundamental principles of security. So at the least, I wanted to know the skills of an IT auditor who evaluates the appropriateness and effectiveness of security controls — from a security practitioner’s perspective, before there’s an audit violation or a serious security issue that threatens required compliance. Additionally, I wanted to have the confidence to highlight to my customers which types of security technologies are relevant and appropriate to meet their security control objectives and IT audit criteria. So I ended up exploring the CISA certification – to understand the common language of the IT audit and governance process, particularly the several critical areas of IT auditing which are not in the scope of IT security. I was also intrigued by the fact that many private and public organizations recognize ISACA’s CISA credential as the standard for information systems auditors.

I received my CISA exam results last week – it is great to know that I passed the exam, with an excellent score that was beyond my expectations :-). From my experience, it was not a tough exam. I did prepare for this exam a bit seriously for at least a couple of weeks (mostly evenings). I am not good at cramming techniques, so I ended up reading the select domains (IS Audit Process and IT Governance) of the CISA Review Manual 2008 where I was weaker..and glanced through the other domains where I was very comfortable right from the beginning. Anyway, it is good to have this designation..when the state of the IT industry is in turmoil. One note from a Deputy State Auditor is still ringing in my ears – “Ramesh, with all the current audit regulations and more in the making…. the IT security industry remains stronger with growing demands, and having CISSP and CISA designations makes it easier to further your IT security career”.

Every Cloud requires a Security lining !

Security is the paramount challenge of cloud computing – of course, what is the point of scaling out if your data is available naked on the Internet? It comes as no surprise to me to find out that the recent IDC research survey revealed security as the top concern – critical to the success of cloud adoption.

For more details of this survey, refer to IDC Cloud Services User Survey.

Security Guidance for "Sun Certified Enterprise Architect" for Java EE5 exam

Not a shameless promotion – I came to know, through multiple pieces of feedback and praise from people who took the Sun Certified Enterprise Architect exam, that Core Security Patterns is overwhelmingly suggested as a reference text for “Section 8 – Security” of the Sun Certified Enterprise Architect for Java EE 5 exam.

 Section 8: Security

  • Explain the client-side security model for the Java SE environment, including the Web Start and applet deployment modes.
  • Given an architectural system specification, select appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.
  • Identify and classify potential threats to a system and describe how a given architecture will address the threats.
  • Describe the commonly used declarative and programmatic methods used to secure applications built on the Java EE platform, for example use of deployment descriptors and JAAS.

Absolutely…. “Core Security Patterns” provides in-depth coverage of the above topics with detailed examples. You can certainly rely on it for “Section 8 – Security” of the SCEA.

Congratulations to those who have become SCEAs, and good luck to those aspiring to become one. Thanks for all the feedback…please do keep us posted.

Massachusetts 201 CMR 17.00 imposes "Protection of Personal Identity Information".

A month ago, I had a chance to meet with John Beveridge (Deputy State Auditor at the Office of the State Auditor of Massachusetts) at an ISACA event in Boston. During a casual chat, he briefly mentioned the upcoming regulation, highlighting “Mass 201 CMR 17.00 – Massachusetts Standards for Data Protection of Personal Information” and its compelling security requirements! With all curiosity…I had my first dig at Mass 201 CMR 17.00 last week… it is the toughest data protection law so far (as a government initiative for preventing identity theft).. I am quite amazed by the stringent rules imposed by this regulation for protecting the personal identity information of Massachusetts residents. I am not a lawyer or an auditor by profession…so here is my layman’s interpretation of the regulation and its dictated requirements for securing personal identity information.

  • Comprehensive Information Security Program: mandates that ALL businesses that deal with personal identity information of Massachusetts residents (in paper and electronic form) provide comprehensive documentation of all security measures practiced for preventing unauthorized access and ensuring the confidentiality and integrity of the personal identity information.
    • Access control policies and rules for all employees who have access to identity information, with disciplinary action enforced on those who violate the rules.
    • Upon employee termination, all physical and logical access privileges must be revoked immediately.
    • Third-party service providers must comply with the information security program, and a contractual binding is required before giving them access to personal information.
    • Identification of media, including laptops and PDA devices, that store identity information, and written procedures detailing how physical access to those media is restricted.
    • Monitoring to verify that the information security program is operational in preventing unauthorized access, and to support putting safeguards in place for minimizing both internal and external risks.
    • At least an annual review, and a review whenever a material change has occurred in business practices that relate to the security and integrity of the information.
    • Documentation of incidents, response actions and post-incident review of events and actions.
  • Secure User Authentication
    • Control of user identifiers and secure methods for selecting and assigning passwords.
    • Use of authentication technologies such as token devices and biometrics.
    • Restricting access to active users only.
    • Blocking access after multiple unsuccessful access attempts.
  • Data Encryption for all personal information in transit and in storage.
    • Encryption of all records/files in storage (laptops/other portable media) and transmitted over wired/wireless networks.
  • Firewall protection and operating system security patches must be kept up to date to maintain the integrity of personal identity information.
  • Malware and virus protection, ensuring all patches and definitions are updated on a regular basis.
  • Education and employee awareness training on the information security program and practices.

The Mass 201 CMR 17 data protection requirements align well with the Federal Trade Commission’s Red Flags Rule on identity theft prevention. Some of these security practices have already been in use at many big companies addressing PCI-DSS, GLBA and HIPAA requirements. At the outset, this is a big business boost for security architects and consulting companies that provide information security and identity management infrastructure and solutions. This regulation was supposed to take effect on Jan 1, 2009, and now for some reason the deadline has been extended to May 1, 2009 – not sure it helps everyone – but the compliance deadline is approaching and not too far off!

Provisioning/De-Provisioning Biometric credentials and Convergence of Physical/Logical Access Control Systems

It’s been a while that I have been hearing a lot of talk about unified biometric credentials and using them for the convergence of physical and logical access control systems – like me, you might have heard a lot of high-level marketing or analyst stuff … so here are some realities from my hands-on experience! Frankly, there is no magic silver bullet that supports provisioning credentials to and from every biometric middleware provider on earth (poor standards..they are all proprietary), and it is another uphill task supporting their biometric data provisioning requirements for physical/logical access control systems (PACS and LACS). With Sun Identity Manager, we can support selected biometric middleware integrations through resource adapters, but the complexity grows when we need to provision biometric data to a growing list of biometric middleware (authentication providers, AFIS systems), PACS, LACS and smart card management systems (CMS). Lately, I have been working on a couple of interesting “convergence” proofs-of-concept for ISVs aligned with PIV and national eID projects. Although it sounds great, converging the biometric credentials with heterogeneous systems is not a trivial job, particularly when provisioning them for smart card issuance and further supporting post-issuance scenarios of enabling on-card/off-card biometric data for identification and authentication of individuals at heterogeneous PACS and LACS systems. After thoroughly looking into the bottom of the issue, realizing and test-driving several use cases, we had no option: it became critical for us to enable biometric data as a managed attribute in Identity Manager – to support provisioning/de-provisioning of biometric data, changes and the associated reconciliation operations with PACS and LACS.
This certainly helped us exercise control over those discrete PACS/LACS resources that require provisioning of biometric credentials (for authentication/identification), and then ensure that no back-door account entry exists in the biometric middleware that circumvents IDM-initiated biometric enrollment processes or allows rogue smart card issuance requests. This required Identity Manager to manage the complete provisioning/de-provisioning lifecycle of the user’s enrolled biometric information (i.e. fingerprints in CBEFF/INCITS 378 templates, iris images in the Iris Image Interchange Format/INCITS 379, facial images etc.).

With Sun Identity Manager, we accomplished this by interfacing with the biometric enrollment systems and enabling provisioning/de-provisioning/reconciliation of biometric information, by extending the identity attributes and establishing a managed database resource that stores the CBEFF data as a CLOB.

Pre-requisites:

  1. An IDM resource adapter that supports provisioning/de-provisioning/reconciliation of user accounts with the biometric enrollment middleware. Alternatively, you would be able to integrate through Java BioAPI (a JNI wrapper) if the biometric provider supports BioAPI.
  2. IDM access to the biometric enrollment repository database as a managed resource – configured as a database resource. This resource is enabled with read-only access to the CBEFF information of the biometric enrollment system.
  3. Extend the user attributes to include a Text/String attribute (bioAttribute) that identifies “Biometric Information”.
  4. Ensure all user forms of the target resources are updated to include a derivation that populates the bioAttribute from the database resource, for example:
    <Field name='accounts[$(TARGET_BIOMETRIC_RESOURCE_NAME)].bioAttribute'>
      <Display class='Text'>
        <Property name='title' value='bioAttribute'/>
      </Display>
      <Derivation>
        <ref>accounts[Database Table].pivData</ref>
      </Derivation>
    </Field>
  5. Configure the resource adapters that require provisioning of biometric information. In case of provisioning PIV smart cards, you may choose to use the XML Resource Adapter, which captures all the demographic data, and combine it with the CBEFF information available from the ‘bioAttribute’ data obtained from the database resource.

We verified this solution with selected biometric vendors and smart card management systems (CMS) to support convergence of biometric credentials for use with physical access control systems (PACS) and logical access control systems (using biometrics for web SSO, federation, desktop authentication etc.). Sorry folks, I intentionally avoided identifying the vendor names to avoid any conflicts with my friendly ISV peers.
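Here is an added example (mine, not from the original post and not Sun Identity Manager code) of the reconciliation step described above, written in Python so it runs stand-alone. It assumes two constructed inputs: IDM’s list of users carrying the managed bioAttribute, and the rows of the enrollment repository as read through the database resource. The record layouts, the “enrolled_by” marker and the sample CBEFF payloads are assumptions for the example. IDM keeps a SHA-256 digest of the CBEFF blob as the managed attribute value rather than a second copy of the template; the routine then classifies every account as in sync, changed behind IDM’s back, enrolled outside IDM (the back-door case), orphaned, or still enrolled after termination.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Record layouts below are assumptions for this example, not Sun Identity
# Manager's schema or the enrollment middleware's real table.

def cbeff_digest(blob: bytes) -> str:
    """Stable reference for an opaque CBEFF blob. IDM keeps this digest in the
    managed bioAttribute instead of a second copy of the template."""
    return hashlib.sha256(blob).hexdigest()

@dataclass
class IdmUser:
    account_id: str
    active: bool                   # False once HR terminates the person
    bio_digest: Optional[str]      # managed bioAttribute; None = never enrolled via IDM

@dataclass
class EnrollmentRow:
    account_id: str
    cbeff: bytes                   # CLOB read from the enrollment repository
    enrolled_by: str               # "IDM" when created by an IDM-initiated workflow

@dataclass
class ReconcileReport:
    rogue: List[str] = field(default_factory=list)        # enrollment IDM never initiated (back door)
    orphaned: List[str] = field(default_factory=list)     # IDM thinks enrolled, repository disagrees
    stale: List[str] = field(default_factory=list)        # template changed behind IDM's back
    deprovision: List[str] = field(default_factory=list)  # inactive user still has a live template
    in_sync: List[str] = field(default_factory=list)

def reconcile(users: List[IdmUser], rows: List[EnrollmentRow]) -> ReconcileReport:
    """Compare IDM's view (authoritative) with the repository's view (read-only)."""
    report = ReconcileReport()
    by_account = {u.account_id: u for u in users}
    seen = set()
    for row in rows:
        seen.add(row.account_id)
        user = by_account.get(row.account_id)
        if user is None or row.enrolled_by != "IDM":
            report.rogue.append(row.account_id)        # no IDM user, or enrolled outside IDM
        elif not user.active:
            report.deprovision.append(row.account_id)  # terminated: remove from PACS/LACS/CMS too
        elif user.bio_digest != cbeff_digest(row.cbeff):
            report.stale.append(row.account_id)
        else:
            report.in_sync.append(row.account_id)
    for user in users:
        if user.bio_digest is not None and user.account_id not in seen:
            report.orphaned.append(user.account_id)
    return report

def sample_report() -> ReconcileReport:
    """Constructed sample data; the CBEFF payloads are placeholders, not real templates."""
    users = [
        IdmUser("alice", True, cbeff_digest(b"CBEFF:alice:v1")),
        IdmUser("bob", True, cbeff_digest(b"CBEFF:bob:v1")),
        IdmUser("carol", False, cbeff_digest(b"CBEFF:carol:v1")),
        IdmUser("dave", True, cbeff_digest(b"CBEFF:dave:v1")),
        IdmUser("erin", True, None),
    ]
    rows = [
        EnrollmentRow("alice", b"CBEFF:alice:v1", "IDM"),
        EnrollmentRow("bob", b"CBEFF:bob:v2", "IDM"),             # re-enrolled at the kiosk, IDM not told
        EnrollmentRow("carol", b"CBEFF:carol:v1", "IDM"),         # still enrolled after termination
        EnrollmentRow("mallory", b"CBEFF:mallory:v1", "console"), # no IDM account at all
        EnrollmentRow("erin", b"CBEFF:erin:v1", "console"),       # enrolled via vendor console, bypassing IDM
    ]
    return reconcile(users, rows)

if __name__ == "__main__":
    print(sample_report())
```

Running the block prints the report for the constructed data; in a real deployment the “deprovision” and “rogue” buckets are what drive the de-provisioning workflows against PACS/LACS and the CMS, and “orphaned” is the signal that an IDM-side record was never actually enrolled.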

Stronger Authentication with Biometric SSO (Using OpenSSO and BiObex).

I have been involved with multiple biometric ISV providers and their integration with Sun technologies, particularly OpenSSO, IdM, Sun Rays and Solaris. I also had the opportunity to deploy biometric solutions to a few government organizations whose names start with “D” and “N”. Believe it or not…we have a few of them in production.

Now, getting down to the specifics – putting it all together, in simpler terms the solution looks like this…..

Of course the desktop can be your PC, a Sun Ray or anything capable of running a browser that lets you plug in a biometric fingerprint scanner (USB device). If you look into the ingredients of this solution, you would need the following:

  1. OpenSSO Enterprise 8
  2. Glassfish V2 Enterprise (Configured to use NSS for FIPS mode)
  3. BiObex Middleware (Biometric enrollment and authentication provider)
  4. SecuGen Hamster IV (FIPS-201) or Hamster Plus Fingerprint Scanners.
  5. BiometricLoginModule (Currently made available through BiObex).
  6. OpenSSO policy agent (based on your target web container) to help enforce authentication on your protected resources.

Here is my quick presentation that digs deeper into the architecture and deployment steps for enabling Biometric SSO using OpenSSO and BiObex.

For those curious to know ….and concerned about security of using Biometrics as a network credential…here is my answer to those known security issues.

  1. The communication, callbacks and biometric samples acquired from the device (in transit to the JAAS LoginModule and then to the biometric authentication provider) are cryptographically protected, ensuring a trusted path with both transport- and message-level security (as per FIPS 140 requirements). This ensures end-to-end confidentiality and integrity of the messages/communication and thwarts image capture, rogue injection and replay attacks.
  2. The user session is verified for proof of origin, which includes host verification and validation against known IPs and hostnames.
  3. The deployment requires an authentication chain with username/password or certificate authentication (e.g. smart card PKI) modules, to ensure biometric authentication is used as a second or third factor of authentication.
  4. OpenSSO callbacks prompt for a randomly selected finger from those enrolled in BiObex.

Multi-factor Authentication Chain: OpenSSO and BiObex

Understanding Biometric SSO


Biometric SSO allows users to access multiple applications (for example, Java EE or web portal applications) after performing a single biometric authentication. In this case, the biometric authentication is managed by the identity provider infrastructure (e.g. OpenSSO), which provides single sign-on services to the participating applications (protected resources). The identity provider encapsulates and protects access by making use of pluggable authentication modules (including a JAAS LoginModule for the biometric authentication provider) from authentication providers. Upon authentication, the identity provider issues an SSO token that is trusted by all participating applications. This means the identity provider grants or denies access to the secured application or resource by issuing an SSO token that represents the user’s sign-on and session information. All participating applications trust the SSO token issued by the identity provider and allow the caller’s request to proceed for further processing based on policies and privileges.

OpenSSO provides a JAAS-based authentication framework for plugging in JAAS LoginModules (from authentication providers) and also enables multi-factor authentication through OpenSSO’s authentication chaining and session upgrade features. Refer to the OpenSSO Administrator Guide for the finer details.
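To make the chaining point concrete, here is an added example (mine, not OpenSSO or BiObex code) modelling how a JAAS-style chain evaluates the REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL criteria that OpenSSO’s authentication chains also use. Module names, their order and their outcomes are constructed for the example. The last case shows the misconfiguration the deployment note above guards against: a biometric module flagged SUFFICIENT ahead of the password module short-circuits the chain, so the fingerprint silently becomes a single factor.

```python
from enum import Enum
from typing import Dict, List, Tuple

class Flag(Enum):
    REQUIRED = "required"      # must succeed; on failure the chain still runs to the end, then fails
    REQUISITE = "requisite"    # must succeed; on failure the chain stops at once
    SUFFICIENT = "sufficient"  # success ends the chain successfully, unless an earlier REQUIRED/REQUISITE failed
    OPTIONAL = "optional"      # result only decides when no REQUIRED/REQUISITE module is configured

Chain = List[Tuple[str, Flag]]

def run_chain(chain: Chain, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a JAAS-style chain. `outcomes` holds the constructed per-module
    result (True = that module authenticated the user). Returns the overall
    decision and the list of modules that were actually consulted."""
    consulted: List[str] = []
    required_failed = False
    required_seen = False
    any_success = False
    for name, flag in chain:
        consulted.append(name)
        ok = bool(outcomes[name])
        any_success = any_success or ok
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break                      # fail fast
            # REQUIRED keeps walking the chain so a caller cannot tell which factor failed
        elif flag is Flag.SUFFICIENT and ok and not required_failed:
            return True, consulted             # short-circuit: later modules never run
    if required_failed:
        return False, consulted
    return (True if required_seen else any_success), consulted

# Chains as they would be configured in OpenSSO (module names are constructed).
TWO_FACTOR: Chain = [("LDAP", Flag.REQUIRED), ("Biometric", Flag.REQUIRED)]
FAIL_FAST: Chain = [("LDAP", Flag.REQUISITE), ("Biometric", Flag.REQUIRED)]
MISCONFIGURED: Chain = [("Biometric", Flag.SUFFICIENT), ("LDAP", Flag.REQUIRED)]

def demo() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        "two_factor_ok": run_chain(TWO_FACTOR, {"LDAP": True, "Biometric": True}),
        "two_factor_bad_finger": run_chain(TWO_FACTOR, {"LDAP": True, "Biometric": False}),
        "two_factor_bad_password": run_chain(TWO_FACTOR, {"LDAP": False, "Biometric": True}),
        "fail_fast_bad_password": run_chain(FAIL_FAST, {"LDAP": False, "Biometric": True}),
        # The pitfall: SUFFICIENT in front of the password module turns the
        # fingerprint into a single factor; LDAP is never consulted.
        "misconfigured_finger_only": run_chain(MISCONFIGURED, {"Biometric": True, "LDAP": False}),
    }

if __name__ == "__main__":
    for case, (decision, modules) in demo().items():
        print(f"{case:28s} -> {'ALLOW' if decision else 'DENY':5s} via {modules}")
```

Note the difference between the first two chains: with REQUIRED the password module's failure is not reported until the biometric module has also run, which denies an attacker a per-factor oracle; with REQUISITE the chain stops at the first failure, which is cheaper but leaks which factor was wrong.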

A few weeks ago, I posted another entry on Match-to-Smartcard PKI and biometric authentication, which is a different solution that makes use of biometric information (CBEFF) stored on a PIV card. I am still working on the documentation….will keep you posted very soon.

Exploiting MD5 collisions and Creating Fake CA certificates.

MD5 has been known for several weaknesses for a while, with multiple proven attack scenarios showing how it can be compromised – for those known reasons, a lot of us try our best to stay away from using MD5. Last week at the Chaos Communication Congress in Berlin, a group of researchers disclosed this eyebrow-raising MD5 collision exploit and how it can be used for creating a rogue CA certificate – particularly using certificates from several commercial CAs, a couple of which you and I have always trusted ;-(.

The researchers did a terrific job exposing the nitty-gritty details of the attack, showing how to abuse MD5 collisions to create fake CA certificates (..precisely, a rogue CA certificate that chains up to a trusted root). This demonstrates a huge vulnerability in using MD5 with SSL, digital signatures, etc.

You may find the details of their work here … and download their presentations from 25C3 web site.

You may not be surprised that the most popular OS and the Linux distributions still allow MD5 checksums to check the integrity of files, and a couple of freeware SSL solutions still issue certificates with MD5withRSAEncryption by default – here is a Microsoft Security Advisory in response! For those curious, you would be able to stay away from those known MD5 vulnerabilities by choosing SHA-1 or SHA-2 (for now!!)
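As an added example (mine, not from the original post or from the researchers’ work): a small Python check that pulls the signatureAlgorithm OID out of a DER-encoded X.509 certificate with a minimal DER walk and flags MD2/MD5 as broken and SHA-1 as deprecated (the “for now” above has since run out for SHA-1 too). The test vector it builds is a constructed skeleton with the correct outer shape and no real content, not a certificate anyone issued; real certificates share the Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } layout, so the same function works on them after PEM decoding. The OID table holds the RFC 3279/4055/5758 values.

```python
import base64

# signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and how to treat them today.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "deprecated"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Dotted form of a DER OID body (first octet packs the first two arcs; fine for arcs < 2.40)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                    # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def signature_algorithm(der_cert: bytes):
    """(oid, name, verdict) for the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                      # tbsCertificate: skipped
    tag, alg_id, _ = read_tlv(cert, pos)               # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_raw)
    name, verdict = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, verdict

def signature_algorithm_pem(pem: str):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return signature_algorithm(base64.b64decode(body))

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed test vector."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_certificate(sig_oid: str, pad: int = 0) -> bytes:
    """Constructed DER skeleton: placeholder tbsCertificate (optionally padded so the
    long length form is exercised), the given AlgorithmIdentifier, empty signature.
    NOT a real certificate."""
    tbs = der(0x30, der(0x02, b"\x02") + (der(0x04, b"\x00" * pad) if pad else b""))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # { OID, NULL }
    return der(0x30, tbs + alg + der(0x03, b"\x00"))                  # empty BIT STRING

def fake_certificate_pem(sig_oid: str, pad: int = 0) -> str:
    body = base64.b64encode(fake_certificate(sig_oid, pad)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(fake_certificate(oid)))
```

Point signature_algorithm_pem at the PEM of a real certificate or CA chain to get the same verdicts; the check reads only the outer signatureAlgorithm, which is the one a relying party verifies and therefore the one the collision attack targets.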

Filthy Rich JavaFX :-)

I had my chance to play with JavaFX and its samples.  Wow ! unbelievably cool stuff and JavaFX raises the bar for other RIA API tools.  In my experience, JavaFX eats AJAX and other RIA scrApting tools for lunch !

  • JavaFX offers an easy-to-understand declarative API for building RIA applications that can include media, graphics, XML web services and also plug in Java libraries.
  • Compared to Adobe Flex (esp. MXML) and Microsoft Silverlight, JavaFX Script is much simpler and easier to learn for any budding RIA developer.
  • NetBeans 6.5 provides terrific JavaFX development capabilities to edit/code-complete/compile/run/deploy JavaFX apps.
  • JavaFX deploys as a Java client application distributed via Java Web Start/JNLP, running on an existing Java environment.
  • JavaFX builds on JNLP security, a very rugged and proven solution – rather than dubious AJAX security.

JavaFX and JNLP Security

JavaFX uses the Java Network Launch Protocol (JNLP), which provides a standard way of packaging and provisioning JavaFX applications and then launching them in a client environment. Typically JavaFX apps are started from a web browser using the Java Web Start (JWS) runtime environment (bundled as part of the JRE), which downloads, caches, and then executes the JavaFX application locally.

Like any other stand-alone Java application, JavaFX applications launched using JWS run outside a web browser, using the sandbox features of the underlying Java runtime platform. JWS also allows defining security attributes for client-side Java applications and their access to local resources, such as file system access, making network connections, and so on. These security attributes are specified using XML tags in the JNLP descriptor (.jnlp) file. The JNLP descriptor defines the application’s access privileges to local and network resources. In addition, JWS allows the use of digital signatures for signing JAR files in order to verify the application’s origin and integrity, so that a JavaFX application can be trusted before it is executed on the client machine. The certificate used to sign the JAR files is verified against the trusted certificates in the client keystore; if the signer is not already trusted, Web Start prompts the user to accept the certificate. This helps users avoid starting malicious applications and inadvertent downloads without knowing the originating source of the JavaFX application. Signing a JavaFX application is quite similar to the steps involved in signing a JAR file or an applet.

The JNLP descriptor file is an XML-based document that describes the application classes (JAR files), their location on a web server, the JRE version, and how to launch the JavaFX application in the client environment. The client downloads the JNLP file from the server, which automatically launches the JavaFX application on the client side. The JNLP file uses XML elements to describe the deployed JavaFX application. The root element is tagged as <jnlp>, which contains the four core sub-elements: information, security, resources, and application-desc. To enforce security, the <security> element is used to specify the required permissions. The security element provides two permission options: <all-permissions/> to provide an application with full access to the client’s local computing resources, and <j2ee-application-client-permissions/> to provide a selected set of permissions that includes socket permissions, clipboard access permission, printing permission, and so forth. If the <security> element is omitted, the application runs in the sandbox. Either permission element takes effect only if every JAR listed in the descriptor is signed and the user accepts the signer’s certificate; otherwise the launch is refused.

Here is the sample JNLP descriptor I used to play with the security constraints of a sample JavaFX application:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" codebase="http://www.example.com/HelloWebStartJFX/" href="HelloWebStartJFX.jnlp">

  <information>
    <title>Hello Web Start JFX</title>
    <vendor>John Doe</vendor>
    <homepage href="http://www.example.com/HelloWebStartJFX/"/>
    <description>Web Start example for JavaFX Scripts</description>
    <offline-allowed/>
  </information>
  <security>
    <j2ee-application-client-permissions/>
  </security>

  <resources>
    <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se">
    </j2se>
    <jar href="javafxrt.jar" main="true"/>
    <jar href="swing-layout.jar"/>
    <jar href="HelloWebStartJFX.jar"/>
  </resources>
  <application-desc main-class="net.java.javafx.FXShell">
    <argument>HelloWebStart</argument>
  </application-desc>
</jnlp>
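Here is an added example (mine, not from the original post or the JavaFX project) that audits a JNLP descriptor for the security-relevant settings discussed above: which permission element it requests, whether the codebase is served over https, whether any JAR is loaded from a host other than the codebase, and whether offline-allowed is set. The descriptor it runs over is the sample above with straight quotes, embedded as constructed input; the finding texts are my wording.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# What each JNLP <security> child grants. Both require every JAR to be signed
# and the user to accept the signer's certificate.
PERMISSION_SETS = {
    "all-permissions": "unrestricted access to the client machine",
    "j2ee-application-client-permissions": "sockets, clipboard, printing and a few more; no unrestricted file access",
}

def audit_jnlp(text: str) -> dict:
    """Parse a JNLP descriptor and return its codebase, permission level, resolved JAR URLs
    and a list of human-readable findings."""
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor")
    codebase = root.get("codebase", "")
    security = root.find("security")
    requested = [child.tag for child in security] if security is not None else []
    level = requested[0] if requested else "sandbox"           # no <security> child = sandbox
    jars = [urljoin(codebase, jar.get("href")) for jar in root.iter("jar")]
    findings = []
    if level != "sandbox":
        findings.append(f"requests {level}: {PERMISSION_SETS.get(level, 'unknown permission set')}")
    if urlparse(codebase).scheme != "https":
        findings.append("codebase is not https: descriptor and JARs travel without transport integrity, "
                        "so trust rests entirely on the JAR signatures")
    foreign = [j for j in jars if urlparse(j).netloc != urlparse(codebase).netloc]
    if foreign:
        findings.append(f"JARs served from a host other than the codebase: {foreign}")
    if root.find("information/offline-allowed") is not None:
        findings.append("offline-allowed: a cached copy may launch before an update check completes")
    return {"codebase": codebase, "permission_level": level, "jars": jars, "findings": findings}

# The descriptor from the post above, with straight quotes (constructed input for this example).
SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" codebase="http://www.example.com/HelloWebStartJFX/" href="HelloWebStartJFX.jnlp">
  <information>
    <title>Hello Web Start JFX</title>
    <vendor>John Doe</vendor>
    <homepage href="http://www.example.com/HelloWebStartJFX/"/>
    <description>Web Start example for JavaFX Scripts</description>
    <offline-allowed/>
  </information>
  <security>
    <j2ee-application-client-permissions/>
  </security>
  <resources>
    <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="javafxrt.jar" main="true"/>
    <jar href="swing-layout.jar"/>
    <jar href="HelloWebStartJFX.jar"/>
  </resources>
  <application-desc main-class="net.java.javafx.FXShell">
    <argument>HelloWebStart</argument>
  </application-desc>
</jnlp>
"""

if __name__ == "__main__":
    for finding in audit_jnlp(SAMPLE_JNLP)["findings"]:
        print("-", finding)
```

For the sample above the audit reports the j2ee-application-client-permissions request, the plain-http codebase and offline-allowed; dropping the permission element makes the same descriptor come back as sandbox.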


To learn more, test-drive the JavaFX code and samples.

XSS plagues American Express Web site :-(

The Register exposed this! Cross-site scripting (XSS) vulnerabilities allow attackers to steal user authentication cookies from AmericanExpress.com – according to an independent vulnerability assessment firm… the XSS bug still remains unfixed!! To read more…follow this link:

http://www.theregister.co.uk

AMEX XSS Bug (Source: http://www.theregister.co.uk)