The Security Roundtable

Welcome to the Security Round Table for September, where our panel of passionate security and privacy professionals considers the question: Do we have privacy anymore?

Our Panel

• Michael Santarcangelo – Moderator – expert on changing the way people protect information. www.securitycatalyst.com & www.intothebreach.com
• Rebecca Herold - Information security, privacy and compliance professor, writer and consultant.  http://www.realtime-itcompliance.com & http://www.privacyguidance.com
• Andrew Hay - Manager of Integration Services @ Q1 Labs, blogger (http://www.andrewhay.ca), author (OSSEC Host-based Intrusion Detection)
• Dr. Anton Chuvakin - Chief Logger and Blogger from the “No privacy - ‘get over it!’ camp” -  http://www.securitywarrior.org
• Martin McKeay - Affectionately called Cpt. Privacy by Mike Rothman, he still refuses to wear tights and a cape (especially the tights) http://www.mckeay.net
• Dan York - Producer and Co-Host, Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/  &  http://www.voipsa.org/blog/

Talking points

• Definition of privacy
• How does privacy in the 21st century differ from privacy in the 20th century and before?
• How have the attitudes of government and the populace changed privacy in the last decade?
• Does the average end user understand privacy?
• Online databases
• What can we do today and can we recover the privacy we’ve lost (or never had)?

Coming in October

In October we will be exploring the role/value of end-user awareness with a panel of differing opinions. If you are responsible for creating an end-user awareness program – this is an episode you will not want to miss!

As an added bonus, we’re going to start using Talk Shoe for our monthly SRT episodes – and after the show taping, Security Catalyst Community (http://www.securitycatalyst.org) members will have the option to participate in a live Q&A session.

If you have ideas for topics or want to be invited to serve on one of our panels, contact me directly at securitycatalyst@gmail.com

 

 SRT - September - Do we have privacy anymore? [63:31m]: Play Now | Play in Popup | Download

The August Security Round Table podcast assembled an expert panel to explore the keys to a successful security career - and how you can find the perfect job for you.  We recorded this discussion on Tuesday, August 14th 2007 and present it now for your listening pleasure.  

Your esteemed panel

Michael Santarcangelo | http://www.securitycatalyst.com/ & http://www.intothebreach.com/

Martin McKeay | http://www.mckeay.net/

Mike Murray | http://episteme.ca/ & http://www.forgettheparachute.com/

Ron Vereggen | http://www.rapidsuccesscoach.com/

Daniel Sweet | http://fracat.com/

Questions or Comments?

If you have questions or comments for our panelists, please send an email to question [SHIFT-2] securityroundtable [DOT] com and we’ll work to answer it - either in the Security Catalyst Community forums (http://community.securitycatalyst.com/forums/index.php) , or in an upcoming episode.

Coming up on future Security Round Table Episodes

We’ll be exploring and debating.. 

• Security Fundamentals
• Do we have privacy anymore?
• Security ROI: Fact or Fiction

Do you want to participate or listen live? 

We’re also exploring the ability to host the SRT on a regular basis so that SCC members can listen live - and then participate in a private chat right after the recording. I’m exploring some different options, but if you have an idea or suggestion - please let me know by sending a message to me – securitycatalyst [SHIFT-2] gmail.com

 

 SRT August 2007 [52:52m]: Play Now | Play in Popup | Download

We’re back! Dan York, Martin McKeay and Michael Santarcangelo came together to revitalize the SRT effort and concept. First up - Dan York led an effort to research and put together a program on OpenID. In this episode, we explore the question, “what is open ID and should we care?”- Dan York, Blue Box: The VoIP Security Podcast- Martin McKey: The Network Security Podcast- Michael Santarcangelo: The Security CatalystThese show notes are going to be swamped with links and information about OpenID. A HUGE thank you to Dan York for an amazing effort, here. This is actually the single best collection of OpenID links I’ve yet to see.If you feel like discussing OpenID (or looking to find some positive and passionate security professionals), come discuss this in the Security Catalyst Community: http://community.securitycatalyst.com/forums/index.phpHere is the OpenID thread: http://community.securitycatalyst.com/forums/index.php/topic,46.0.htmlNOTE - found another recent (Dec 2006) podcast about OpenID:- blog entry - http://herestomwiththeweather.blogspot.com/2006/12/openid-podcast.html (interesting notes about moving a site over to OpenID)- MP3 - http://www.stuffopolis.com/interactive/openid.mp3- Outline - http://www.stuffopolis.com/interactive/openid_talk.txt

Why is OpenID in the news right now?

Microsoft Announcement at RSA generated news - announced by Bill Gates in keynote:

• Microsoft view: http://www.identityblog.com/?p=668
• JainRain view: http://kveton.com/blog/2007/02/06/cardspace-openid-working-together/
• Sxip Identity: http://identity20.com/?p=90
• Netmesh: http://netmesh.info/jernst/Digital_Identity/cardspace-openid.html
• Brad Fitzpatrick (who wrote OpenID back at LiveJournal): http://brad.livejournal.com/2287909.html
• - see the TailRank summary for follow-on commentary
• Digg adopts OpenID: http://www.techcrunch.com/2007/02/20/kevin-rose-at-fowa-digg-adopts-openid

• Slashdot discussion - good comments: http://yro.slashdot.org/comments.pl?threshold=0&mode=thread&commentsort=0&op=Change&sid=221002

Excellent summary - “Five Key Takeaways from Microsoft, OpenID Announcement“Other recent news - AOL support OpenID: http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/02/15/aol-and-openid-where-we-are/1406It also appears that AOL enabled OpenID support for all 63 million AIM users! - http://chimprawk.blogspot.com/2007/02/is.html

What is OpenID? What problem is it trying to solve?

Main OpenID website - http://www.openid.net/Wikipedia - http://en.wikipedia.org/wiki/OpenIDCommunity marketing - http://iwantmyopenid.org/illustrated overviews:

• OpenID 1.1 protocol flow - http://openid.net/pres/protocolflow-1.1.png
• http://www.openidenabled.com/openid/openid-protocol
• OpenID pingpong - http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/

• Screencast - http://simonwillison.net/2006/openid-screencast/
• Presentation - http://identity20.com/media/ETECH_2006/ - great history of web identity systems - gets into company-specific stuff at the end, but does a nice overall job.

OpenID specification- http://openid.net/specs.bmlZDNet: “The Case for OpenID” - http://blogs.zdnet.com/digitalID/?p=78

How does it work?

See http://openid.net/about.bmlList of presentations at http://openid.net/presentations.bmlOpenID screencast - http://simonwillison.net/2006/openid-screencast/From http://www.openidenabled.com/openid/about-openidGood description of process (from Microsoft’s Kim Cameron ): An interaction starts with the user telling the RP (relying party) what her URL is (1). The RP consults the URL content to determine where the user’s IP is located (not shown). Then it redirects the user to her IP (identity provider) to pick up an authentication token, as shown in (2) and (3). To do the authentication, the IP has to be sure that it’s the user who is making the request. So it presents her with an authentication screen, typically asking for a username and password in (4). If they are entered correctly, the IP mints a token to send to the RP as shown in (5) and (6). If the IP and RP already know each other, this is the end of the authentication part of the protocol. If not, the back channel is used as well.More details:

• You register with a Identity provider (IdP or “i-broker”). Some are commercial, some are free. Examples:

• ClaimID: http://www.claimid.com/
• MyOpenID (JainRain): http://www.myopenid.com/
• Verisign: http://pip.verisignlabs.com/
• LiveJournal - your LiveJournal account can be used as an OpenID.
• Long list of public OpenID providers - http://openid.net/wiki/index.php/Public_OpenID_providers

• OpenID Site Directory: https://www.myopenid.com/directory
• OpenIDEnabled Site: http://www.openidenabled.com/
• Technorati: http://technorati.com/weblog/2006/10/144.html
• Mag.nolia: http://ma.gnolia.com/blog/2006/11/30/sign-in-your-way

So for a blog comment, for instance, instead of typing in your username, password, etc., you could just use your OpenID.More sites will be using it soon… note the bounty for OpenID in open source projects: http://iwantmyopenid.org/bounty

Security issues - phishing

• Critical part is where you login to your IdP… what if a phisher set up a site to dupe your OpenID provider? They could then capture your credentials
• Description of threat (and Microsoft response): http://www.identityblog.com/?p=659
• Ideas to respond: http://kveton.com/blog/2007/01/24/myopenid-new-anti-phishing-tools-available/
• Another idea (and MITM attack): http://usablesecurity.com/2007/01/20/phishing-and-openid/
• Aswath Rao: http://www.mocaedu.com/mt/archives/000287.html

Open option for Firefox: PHOff - http://chile.ootao.com/phoff/Other commentary on the phishing issue:

• http://www.links.org/?p=187 and http://www.links.org/?p=188
• “OpenID, before you get too excited” - http://www.clipperz.com/users/marco/blog/2007/01/26/openid_before_you_get_too_excited

Security issues - single point-of-failure

• So what happens if your Identity provider goes away? Or you decide you want to stop trusting them?
• Two solutions:
  1. Have multiple OpenIDs - no reason you can’t.
  2. Use a domain that you own as your OpenID and delegate back to a IdP - just by adding two lines of HTML code to that website - see http://simonwillison.net/2006/Dec/19/openid/
• This second solution is probably best because you retain control. In first solution, what happens to all those accounts you created with the ID that you no longer trust.

Future of OpenID

• Steve Kveton’s predictions - http://kveton.com/blog/2007/01/04/2007-openid-predictions/
• OpenID 2.0 specification? - http://openid.net/specs/openid-authentication-2_0-11.html
• Further adoption - AOL’s plans. Yahoo? Google? (will it work with those accounts?)
• CardSpace and other complementary products
• OpenID as an authentication mechanism in VoIP? - http://www.mocaedu.com/mt/archives/000285.html
• OpenID as a way to maintain control over blog content? - http://www.micropersuasion.com/2007/01/blog_platforms_.html (I don’t know that this will actually work, as I learn more about OpenID)

• Competing systems? SAML from Liberty Alliance? Proprietary? Typekey ? (although see the SixApart page on OpenID)

Links for more research:

Dan’s del.icio.us links - http://del.icio.us/dyork/openidPlanet OpenID (splice of blogs) - http://planet.openid.net/OpenID Wiki - http://openid.net/wiki/index.php/Main_PageMore del.icio.us links - http://del.icio.us/keepthebyte/openid and http://del.icio.us/tag/openidConverting your site to OpenID: http://kveton.com/blog/2006/11/28/converting-your-site-to-openid/emphemeral profiles - do some people really want identity anyway? http://www.zephoria.org/thoughts/archives/2007/01/01/ephemeral_profi.html and http://vquill.com/2007/01/throwaway-identities.htmlKim Cameron’s lengthy paper on digital identity - see the “Laws of Identity” section: http://www.identityblog.com/?page_id=352/

 

 SRT - February 2007 - OpenID [42:32m]: Play Now | Play in Popup | Download

Finally, the sixth episode of the Security Round Table! Earlier this month we had the opportunity to talk with Krishna Kurapati, Chief Technology Officer of Sipera Systems.

We know that Intstant Messaging is in the workspace and is increasingly harder to block. Should it be blocked, how can it be blocked or should it become part of the corporate infrastructure, just like voice and email? And more importantly, what are the dangers of Instant Messanging?

Thanks once more to Krishna Kurapati for joining us on the conference call. He answered an email sent out by Dan York to the VOIP Security mailing list with very short notice.

Present on this episode:
Larry Pesce | Pauldotcom Security Weekly
Alan Shimel | SSAATY (Still Secure After All These Years)
Martin McKeay | Network Security Podcast

And this will be the last time I ever give Michael a hard time for taking a couple of weeks to post a podcast. - Martin

 

 SRT 6: Play Now | Play in Popup | Download

Join us for our fifth exciting episode of the Security Round Table. Our special guest (and now newest member) is Dan York from: Blue Box: The VoIP Security Podcast. In this episode, we look at the general overview of VoIP technologies and the security risks - as well as the myths.

Dan is a true expert and instructor on this topic - and school was definitely in for the SRT team!

Joining in on this episode:

Paul Asadorian | Pauldotcom Security Weekly
Martin McKeay | Network Security Podcast
Larry Pesce | Pauldotcom Security Weekly

Michael Santarcangelo | The Security Catalyst
Alan Shimel | SSAATY (Still Secure After All These Years)
Dan York | Blue Box: The VoIP Security Podcast

 

 SRT Episode 5 [57:27m]: Play Now | Play in Popup | Download

How many times have you wondered what you would do if you find out your company wasn’t protecting information as they promised? What if you were a consultant or contractor?

Is there a right way to report on privacy and security breaches?

Join the Security Round Table with Special Guest Randal Schwartz to discuss this important issue.

On this episode:

Larry Pesce | Pauldotcom Security Weekly | Haxor the Matrix
Martin McKeay | Network Security Blog & Podcast
Michael Santarcangelo | The Security Catalyst
Randal Schwartz | Stonehenge | Legal Information: Friends of Randal Schwartz

Note: we did reach some interesting conclusions and directions for future advancement. Continue the discussion at the Security Catalyst Community (currently open to trusted catalysts until October 15, 2006 when it becomes available to the entire community).

 

 SRT 4 [56:33m]: Play Now | Play in Popup | Download