<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Idlemind - nickcoster.com &#187; security</title>
	<atom:link href="http://www.nickcoster.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nickcoster.com</link>
	<description>Future gazing from a quiet corner of cyberspace.</description>
	<lastBuildDate>Sat, 12 Jun 2010 00:50:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Facebook Fading</title>
		<link>http://www.nickcoster.com/2007/12/facebook-fading/</link>
		<comments>http://www.nickcoster.com/2007/12/facebook-fading/#comments</comments>
		<pubDate>Mon, 31 Dec 2007 03:49:25 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=126</guid>
		<description><![CDATA[I was just looking back on my previous post about Facebook. The little sparks of contact and inspiration that came from the discovery of new friends and old, quickly turned into a nuisance. Although I still check in on my own profile every now and then I barely use it at all. One of my [...]]]></description>
			<content:encoded><![CDATA[<p>I was just looking back on my <a href="http://www.nickcoster.com/?p=121">previous post</a> about Facebook. The little sparks of contact and inspiration that came from the discovery of new friends and old, quickly turned into a nuisance.  Although I still check in on my own profile every now and then I barely use it at all. One of my big concerns has been around the constant need to share private information with every application developer that wanted me to use their app. </p>
<p>I should be able to see exactly what data is being shared and be able to limit it and control its use. Until this happens I am unlikely to signup to too many more applications on Facebook.</p>
<p>It is fascinating watching how the “gen y” crowd is using this and other social networking services. They are totally fearless about sharing every last detail about their lives. It makes me feel like an old fart to say so, but the way that they use these services is completely different to my own. They practically live in these worlds; or rather they co-exist in both the online and offline worlds.</p>
<p>For me though these worlds are still quite separate and the world of Facebook has taken a noticeable back seat to the rest of the non-Facebook universe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2007/12/facebook-fading/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who do You Trust?</title>
		<link>http://www.nickcoster.com/2006/03/who-do-you-trust/</link>
		<comments>http://www.nickcoster.com/2006/03/who-do-you-trust/#comments</comments>
		<pubDate>Mon, 27 Mar 2006 04:40:48 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=114</guid>
		<description><![CDATA[FEDERATED DIGITAL IDENTITY In the context of providing a strong authentication solution the concept of a Federated Digital Identity is often mentioned. This essay seeks to explore this concept to review and challenge the benefits that ‘Federation’ of digital identity management can provide. However before discussing Federation the concepts of a Digital Identity and even [...]]]></description>
			<content:encoded><![CDATA[<h2>FEDERATED DIGITAL IDENTITY</h2>
<p>In the context of providing a strong authentication solution the concept of a Federated Digital Identity is often mentioned. This essay seeks to explore this concept to review and challenge the benefits that ‘Federation’ of digital identity management can provide.</p>
<p>However, before discussing Federation, the concepts of a Digital Identity and even Identity itself will be briefly discussed. <span id="more-114"></span></p>
<h2>IDENTITY</h2>
<p>What is an ‘Identity’? Here are two <a href="http://www.dictionary.com">definitions</a>:</p>
<ol>
<li><em>The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.</em></li>
<li><em>The distinct personality of an individual regarded as a persisting entity; individuality.</em></li>
</ol>
<p>These definitions represent the two viewpoints of an identity. The first one is external to the entity being identified, using its characteristics to provide recognition. The second definition can be from the viewpoint of the entity itself. Both of these perspectives need to be considered in identity management.</p>
<p>The degree to which an external party needs to recognize an entity will depend on familiarity with the entity and the activity to be engaged in. The greater the degree of trust involved, the more characteristics of the entity need to be known and verified.</p>
<p>Consider the differences between the interactions in the following scenarios:</p>
<ol>
<li>A service technician unexpectedly visits your house and requests access to check ‘something’.</li>
<li>A scheduled service technician visits your house to repair a faulty appliance.</li>
<li>An old school friend visits you out of the blue after looking you up while they are in town.</li>
<li>A close family member pops in for a chat and a cup of tea.</li>
</ol>
<p>In all of these cases the request is the same, “Please let me in to your house”, however the credentials that define trust will be very different in each case. The first scenario is likely to require a large number of credentials before trust and access is offered. These might be sourced from a business card or phone number that can be contacted to validate the identity of the visitor. Without a trusted third party to confirm the purpose of the visit and the credentials of the visitor it is unlikely that access to the house will be granted.</p>
<p>In the second scenario the expectation of a visitor increases the belief that this is a legitimate visitor, so only minimal additional credentials should be required before access is granted. However, it is the recognition of an external trusted 3rd party that supports the trust in this individual.</p>
<p>In the 3rd and 4th scenarios you have an existing relationship with the person so no third party is required to make a decision about providing access. You may still want to refuse access but this will be based on your terms not the recommendation of a third party.</p>
<h2>DIGITAL IDENTITY</h2>
<p>In the digital or online environment we are stripped of many of the tools that we use to establish a trust relationship in a face to face meeting. We have to work with small individually provided pieces of data that can be validated before trusted access to services will be provided.<br />
As with the example above, of providing access to your home, the importance of a validated identity will vary depending on the activity or service being requested.<br />
In the online environment interactions with websites and applications may be once only events or they may develop into longer term relationships. It is during the creation of an online relationship that a digital identity of some description becomes necessary. This also requires a method of preventing that identity from being used without authorisation by someone else.<br />
In the vast majority of cases all that is required to create a digital identity is: </p>
<ul>
<li>a locally unique identifier (eg a username, an email address, an account number) and </li>
<li>a locally shared secret or password.</li>
</ul>
<p>Additional personal information may be requested depending on the nature of the interaction being offered, but it is not necessarily required to create a local digital identity.</p>
<p>The term ‘local’ here refers to information that will only be recognised within a closed and limited environment. For example, the local environment may be an organisation or a website or an online application. Importantly, it cannot be used and verified outside of this environment.</p>
<h3>DIGITAL IDENTITY PROTECTION</h3>
<p>The importance of protecting Digital Identities has increased with the growth in the number of uses, applications and interactions that are possible online. Even more critical is that many of these online interactions are also alternatives or proxies to their original offline interactions.</p>
<p>This evolution has not been ignored by criminal elements, who have developed methods, both technical and social, of compromising and stealing Digital Identities. Although there are many possible methods of making this increasingly difficult for criminals to achieve, finding one that still preserves ease of use for the legitimate owner of the Digital Identity is a difficult balance. The additional costs of delivering more complicated security solutions are also a very important factor. </p>
<p>Specific digital identity security solutions are however a topic for a different paper.</p>
<h2>FEDERATION</h2>
<p>In the previous topic the idea of a local Digital Identity was discussed and the importance of protecting it. One of the features and limitations of these local Digital Identities is that they cannot be used outside of their original environment without some sort of agreement or sharing of 3rd party trust relationship.</p>
<p>A Federation can be defined as ‘a group of people united in a relationship and having some interest, activity, or purpose in common’. In the context of Digital Identities this would provide a method of sharing a trust relationship between one or more applications, services or organisations.</p>
<p>This is a valuable proposition since it allows the scope of use of the original Digital Identity to be increased beyond the one localised environment. For example, if both an online banking service and an online shopping service use Federated Digital Identity, then a trust relationship established via the bank may also be applied when performing online shopping activities.</p>
<p>Entities like banks and government organisations that require a higher level of identity verification before establishing a Digital Identity for their customers would be best suited to sharing their trust relationship with others who are not required to apply such strict identity verification guidelines. </p>
<h2>FEDERATED DIGITAL IDENTITY – A DOUBLE EDGED SWORD?</h2>
<h3>BENEFITS</h3>
<p>There are clear benefits for both users of online services and the entities that offer them in an environment where a trusted Digital Identity can be used across multiple ‘local’ environments. For example:</p>
<ul>
<li>This trust relationship may allow implied identification information to be used to facilitate transactions without sharing a customer’s private data.</li>
<li>The user can access features and services without the need to create a new local identity in each new environment.</li>
<li>The cost of protecting the Digital Identity can be shared or recouped from the additional participating entities.</li>
</ul>
<p>All of these benefits depend on the strength of the trust relationship and the integrity of the Federated Digital Identity. But what if these dependencies cannot be guaranteed?</p>
<h3>DANGERS</h3>
<p>In the last 5 years, and in particular since early 2003, criminal activity using the internet has been increasing alarmingly. The payoffs of successfully compromising a digital identity that is linked to financial services have also been increasing as the use of these channels by customers grows.<br />
There is no evidence that criminal activity aimed at finding new ways of stealing digital identities is slowing down. In fact the opposite is true.</p>
<p>Banks and financial institutions globally have been seriously impacted by these activities both financially as well as by the threat to consumer confidence that these threats bring. </p>
<p>Is there any guarantee that a Federated Digital Identity system will be able to defend against these attacks? Certainly pooling resources between organisations may help make the cost of increased security implementation easier, but if this security can still be compromised, or customers are unable to effectively use it, will the benefits be worth it?</p>
<p>If a Federated Digital Identity is compromised who will bear the liability of losses across multiple entities? </p>
<h3>COMMAND AND CONTROL</h3>
<p>The other major challenge for the implementation of the Federation of Digital Identities is that of command and control of the ‘Federation’. </p>
<p>Will this be a coalition or union of willing industry participants, a government body, or a service offered and sold by a ‘trust’ vendor? How much trust and control will organisations be willing to hand to a 3rd party (even a ‘trusted’ one) before further localised identity validation will be required? If a Digital Identity is compromised or security is breached, who will be responsible for fixing it?</p>
<h2>CONCLUSION</h2>
<p>The ideal of a Federated Digital Identity is a noble one; however both the dangers and the benefits increase with the federation’s scope.</p>
<ul>
<li>A Federated Digital Identity does not imply a secure one. In fact it will most likely become slower to react to changing security threats than smaller localised security management.</li>
<li>A strong, functional and secure Federated Digital Identity service will most likely evolve slowly and be limited in scope between co-dependent organisations (like banks and ecommerce, for example). </li>
<li>Large scale federation between competing organisations in the same industry is unlikely due to the difficulties in managing a balance between trust and liability as well as costs and command and control.</li>
</ul>
<p>A Federated Digital Identity system has benefits and dangers. It is my opinion that as the scale of the federation increases the dangers begin to outweigh the benefits, and this should be carefully considered before launching an industry wide system to customers fully formed.</p>
<p><strong><em>nick coster (October 2005) </em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/03/who-do-you-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The problem with whitelists</title>
		<link>http://www.nickcoster.com/2006/03/the-problem-with-whitelists/</link>
		<comments>http://www.nickcoster.com/2006/03/the-problem-with-whitelists/#comments</comments>
		<pubDate>Sun, 19 Mar 2006 22:59:03 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=113</guid>
		<description><![CDATA[A Computerworld article today referred to a report published by the National Consumers League in Washington DC, proposing &#8216;A Call to Action&#8217; for fighting phishing. Although I haven&#8217;t fully reviewed the report, the text that popped out at me was a recommendation to use &#8216;whiltelists&#8217; to stop phishing attacks. A whitelist is simple a list [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,109616,00.html">Computerworld article</a> today referred to a report published by the <a href="http://www.nclnet.org/">National Consumers League</a> in Washington DC, proposing &#8216;A Call to Action&#8217; for fighting phishing. Although I haven&#8217;t fully reviewed the report, the text that popped out at me was a recommendation to use &#8216;whitelists&#8217; to stop phishing attacks. </p>
<p>A whitelist is simply a list of places that are good and safe to go to. Ideally you would add the website address of all of the banks and financial institutions to the list, and all of the legitimate online vendors. Then anyone not on this list would be considered, at best as unknown, and at worst blocked by default.</p>
<p>The problem with whitelists is in their management. How does a vendor get on this list? Who manages the list? What happens if a legitimate vendor changes the web address of their payment page? </p>
<p>Quite quickly this becomes an operational nightmare, particularly if considered on a global scale. I can see this being beneficial if there is a way to create and manage personal whitelists, where the customer identifies a site as being good and trusted. Unfortunately this can then become the next target of the social engineers, by tricking customers into adding their fake sites to private whitelists. </p>
<p>Glancing at the rest of the paper it looks like a great resource, but the 6th recommendation for action, &#8216;ISP’s and domain name owners can cooperate on whitelists&#8217;, sounds simple but will be operationally infeasible.</p>
<p>The phishing battle continues&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/03/the-problem-with-whitelists/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Blog Comment</title>
		<link>http://www.nickcoster.com/2006/02/110/</link>
		<comments>http://www.nickcoster.com/2006/02/110/#comments</comments>
		<pubDate>Tue, 21 Feb 2006 01:54:19 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=110</guid>
		<description><![CDATA[Yesterday I responded to Kim Cameron&#8217;s Identity Blog posting titled INTERVIEW ON OPENNESS AND PRIVACY, discussing an interview between Bill Gates and the Financial Times. I just wanted to get my comment up here in case Kim never authorises it on his site. He may not trust me. Bill Gates: “That’s called federation, where we [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday I responded to Kim Cameron&#8217;s Identity Blog posting titled <a target="_blank" href="http://www.identityblog.com/?p=375">INTERVIEW ON OPENNESS AND PRIVACY</a>, discussing an interview between Bill Gates and the Financial Times. I just wanted to get my comment up here in case Kim never authorises it on his site. He may not trust me.</p>
<blockquote><p>Bill Gates: <em>“That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.”</em></p>
<p>This statement highlights the number one problem that a federated identity system is going to face &#8211; the federation of trust. Compared to the problem of trusting ‘trust’, identity management is a piece of cake. Yet the discussion continually seems to revolve around the sharing of identity secrets, when it is the trust of the owners of the identity secrets that is the greatest challenge. It is fairly clear that in the world today trust is an expensive commodity that is not easily transferable.</p>
<p>I believe that there needs to be a way of abstracting this trust problem to one or more (competing?) third parties. The question is ‘who do you trust’?</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/02/110/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Blogging</title>
		<link>http://www.nickcoster.com/2006/02/identity-blogging/</link>
		<comments>http://www.nickcoster.com/2006/02/identity-blogging/#comments</comments>
		<pubDate>Tue, 14 Feb 2006 13:47:10 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[work]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=107</guid>
		<description><![CDATA[It is time to get this site going about more than just my &#8216;idle&#8217; mumblings and out of date running updates. There is a topic of conversation that my career has revolved around like a satellite around a planet. It is the story of online identities and their use and misuse. For me this has [...]]]></description>
			<content:encoded><![CDATA[<p>It is time to get this site going about more than just my &#8216;idle&#8217; mumblings and out of date running updates. There is a topic of conversation that my career has revolved around like a satellite around a planet. It is the story of online identities and their use and misuse.</p>
<p>For me this has appeared in projects where two ISP businesses have brought their customers under one organisation and these customers do not have a unique username to identify themselves to the new ISP. What! Two &#8216;Fred’s&#8217;!! Will the real Fred please step forward? Hmm, if only it was that simple. In the late &#8217;90s when ISP&#8217;s and online portals were coming together this happened time and again, and it was always messy.</p>
<p>At around the same time the &#8216;kiddies&#8217; got their hands on software that would allow them to steal passwords from customers in the school holidays. So now usernames <em>and </em>passwords are under siege. A single stolen password could be reused by the baddies over and over again without recourse. </p>
<p>Then spam came along and polluted the one personal identifier that the whole internet had agreed from the outset would be unique. Bugga. Stopping spam and protecting mailboxes became another major project. Without a way of identifying who the hell sent the spam in the first place, or even being sure who sent what looks like the good email, then all manner of arcane solutions had to be employed.</p>
<p>By now the &#8216;kiddies&#8217; have grown up and are selling their password stealing skills to the spammers, who are selling their spam networks to real criminals, who don&#8217;t want your email. They want your bank account. Enter the rise and rise of &#8216;phishing&#8217;. </p>
<p>So now I am looking at ways of improving on the humble static password. When was the last time you changed yours? Are you <strong>sure</strong> nobody else knows it? </p>
<p>All of these things tie right back to &#8216;identity&#8217; (as the industry insists on calling it). Who am I? Who are you? And how do we prove it to each other in such a way that it doesn&#8217;t get in the way of what we were trying to do in the first place.</p>
<p>I want to talk about this here because there is a lot in this idle mind that I need to get out. I know this stuff and I hear some of the biggest names in many different industries grappling with the same problems and, in my opinion, in quite misdirected ways. This surge of blog energy was inspired by an <a href="http://channel9.msdn.com/ShowPost.aspx?PostID=91417">interview</a> with Kim Cameron on Microsoft&#8217;s <a href="http://channel9.msdn.com/">Channel 9</a>. I get frustrated because I believe that they are trying to solve the wrong problem, and as a result won&#8217;t get the outcome they are seeking.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/02/identity-blogging/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Spyware Rant</title>
		<link>http://www.nickcoster.com/2005/08/spyware-rant/</link>
		<comments>http://www.nickcoster.com/2005/08/spyware-rant/#comments</comments>
		<pubDate>Tue, 09 Aug 2005 13:28:11 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[work]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=95</guid>
		<description><![CDATA[I wanted to talk a bit about spyware. This is not a new topic in itself. Spyware has been around for some years now. Really, ever since web browsers allowed the use of cookies that allowed someone else to watch where you have been surfing there has been a threat to our online privacy. [...]]]></description>
			<content:encoded><![CDATA[<p>I wanted to talk a bit about spyware. This is not a new topic in itself. Spyware has been around for some years now. Really, ever since web browsers allowed the use of cookies that allowed someone else to watch where you have been surfing there has been a threat to our online privacy.</p>
<p>But although privacy is important that is not the real threat. There is a real danger that spyware has already found its way onto your computer. Over the last three years there has been a very dangerous convergence between organized crime and the writers and creators of these online nasties.<span id="more-95"></span></p>
<p>This past year I have been working with a bank to help them find a solution to help their customers to protect themselves when they bank online. This has been an exciting job, but ultimately disappointing. Disappointing because there is an ongoing denial of the inability of customers, who are just general computer users, to reasonably be able to protect their home computers. </p>
<p>I recently experienced this for myself, when out of the blue I started to get my homepage redirected, and popups began to harass my browsing experience. More than anything, this pissed me off. How dare someone compromise my machine! This happened despite a security update regime that borders on the obsessive, with OS patches, antivirus updates, firewalls, and multiple anti spyware applications running and regularly updated. And still it got through, and even after running separate spyware &#038; virus scans I couldn&#8217;t get it off. </p>
<p>Now I did get rid of it eventually by going through every running process and looking it up via the omnipresent Google, then killing off the nasty manually, but this is beyond the reasonable expectations of the majority of computer users. </p>
<p>To add insult to injury I noticed today that Westpac have updated their terms of use for internet banking. The amazing (to me anyway) addition is a clause on spyware:</p>
<blockquote><p>&#8220;<a href="http://www.westpac.com.au/internet/publish.nsf/Content/PBOB+Changes+to+terms+and+conditions">Part 3, page 11 – Spyware</a><br />
If you knowingly use a computer that contains software, such as Spyware, that has the ability to compromise access codes and/or customer information, you will be infringing our rules for access code security referred to above and we will not be liable for any losses that you may suffer as a result.&#8221; </p></blockquote>
<p>For all of the reasons above it is unreasonable to expect that mass market PC users are going to comply with this clause, simply because even with the best intentions they are defending against a determined and financially motivated foe. Actually that probably describes the bank as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2005/08/spyware-rant/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Beating the PC blues</title>
		<link>http://www.nickcoster.com/2005/07/beating-the-pc-blues/</link>
		<comments>http://www.nickcoster.com/2005/07/beating-the-pc-blues/#comments</comments>
		<pubDate>Thu, 28 Jul 2005 00:13:40 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[hobbies]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=92</guid>
		<description><![CDATA[Well I don&#8217;t know what caused the problem in the first place, but the &#8216;puter is back online. These days loading up WinXP on to a cleanly formatted hard drive is just the very beginning of the process and was the easy part. The next step is locking down the system from external nasties, before [...]]]></description>
			<content:encoded><![CDATA[<p>Well I don&#8217;t know what caused the problem in the first place, but the &#8216;puter is back online. These days loading up WinXP on to a cleanly formatted hard drive is just the very beginning of the process and was the easy part. The next step is locking down the system from external nasties, before I connect to the net. </p>
<p>This is really important, since the out of the box WinXP installation is full of well exploited security exploits. The <a href="http://isc.sans.org/survivalhistory.php">Internet Storm Center</a> tracks the average time before an unpatched system is exploited by the white noise of port scanning and exploit hunting viruses. It is currently tracking at about 23 minutes.<br />
<span id="more-92"></span></p>
<p>Unfortunately it takes longer than 23 minutes to download the required security patches to protect the system. So my first step was to load up antivirus and firewall software. My product of choice at the moment is Symantec Internet Security 200x. There are arguments against using this, like &#8220;virus writers create viruses specifically to defeat Symantec software&#8221;, and &#8220;there are better apps available for free&#8221;, but so far this is what I have at hand and it has performed well for me so far.</p>
<p>Ironically it was the loading of this software that killed my system in the first place, but this time around it loaded up without a hitch. Of course now I have a completely out of date antivirus program, but you have to start somewhere.</p>
<p>Time to get online. I was a bit worried that this would be a problem since I have a wireless network at home, and getting the proper drivers etc might have required a download. I used the old Netgear software that came with the network card in the first place. I was actually surprised that it all worked so easily (even after a bit of stuffing around with network security keys, etc.).</p>
<p>Knowing that I now had to act fast my first stop was to &#8216;Windows Update&#8217; for the first of many downloads and installs. All I can say is thank god for Broadband. Without it there is simply no way that these downloads would be feasible. Although the process is not difficult it takes a long time. Each wave of downloads is 10s of MB in size. With the broadband link I was also able to start updating the Symantec software in parallel.</p>
<p>After multiple downloads and re-boots, and in excess of 150MB of downloads (I lost track after a while) the basic operating system and security software was completely up to date. In total this took over 4 hours. Quite frankly this is absurd, and highlights the reason why the average PC user has no chance to really protect themselves properly even if they are trying to take all possible precautions. </p>
<p>Probably a bit belatedly I then loaded up the remaining hardware drivers for the PC, i.e. motherboard chipset, Video drivers, Sound drivers and USB. Probably should have done these first. No matter. </p>
<p>I guess the next action demonstrates my order of priorities&#8230;<br />
* download Firefox for browsing<br />
* downloaded iTunes and iPodder to get the podcast stream back online.</p>
<p>This has turned into a big hassle (not a problem though) as I try to get iTunes to recognise all of the previously downloaded podcasts, and to get iPodder re-subscribed to all my previous podcast feeds.</p>
<p>That is where I am at today. The iPod is at home getting nearly 3GB of music and podcasts re-loaded into its little shiny case.</p>
<p>More geeky updates to follow</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2005/07/beating-the-pc-blues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Banking thoughts on future trends</title>
		<link>http://www.nickcoster.com/2005/06/online-banking-thoughts-on-future-trends/</link>
		<comments>http://www.nickcoster.com/2005/06/online-banking-thoughts-on-future-trends/#comments</comments>
		<pubDate>Fri, 10 Jun 2005 02:33:21 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=84</guid>
		<description><![CDATA[I was going through some notes and found a brain dump of ideas about online banking, security and customer behaviour. I thought that it would be worthwhile posting it here for safekeeping: Nick's thoughts on future trends. Customers will want to do more for themselves and from more locations at any time of the [...]]]></description>
			<content:encoded><![CDATA[<p>I was going through some notes and found a brain dump of ideas about online banking, security and customer behaviour. I thought that it would be worthwhile posting it here for safekeeping:</p>
<h3>Nick&#8217;s thoughts on future trends.</h3>
<ul>
<li>Customers will want to do more for themselves and from more locations at any time of the day or night.</li>
<li>As a mass market group, customers will continue to be very slow to learn about security risks and even slower to change their behaviour.</li>
<p><span id="more-84"></span></p>
<li>The protection of customer data will become as important as the protection of customer funds, since in the virtual (Internet and phone based) channels access to funds is controlled by the data that you have.</li>
<li>The information that is used for identification will need to change to banking-specific, non-public information, i.e. no more birth dates and originating branch questions. </li>
<li>It will become harder to reset phone banking and Internet banking passwords without physical ID (e.g. second-factor authentication or a visit to a branch with proof of identity).</li>
<li>Regular changes to passwords will become enforced, and additional rules will need to be applied to prevent the same password being used for physical and virtual access.</li>
<li>Second factor authentication will need to be used by customers to view or modify data that might be able to be used for authentication.</li>
<li>Second factor authentication on ALL virtual channels may be offered as a premium opt-in service initially, before full deployment to all customers.</li>
<li>Attacks from criminals will become more targeted as the volume of stolen customer data accumulates.</li>
<li>Identities successfully stolen once will be re-used and resold to others again and again, since once stolen, an identity is much harder to change than a username and password.</li>
<li>The bank will adopt multiple methods of communicating security-related issues to customers, e.g. message minder and/or SMS to alert the customer that they should have received a mailed credit card.</li>
<li>There will be a tipping point event (or series of events) that will cause customers to expect and demand better security from the banks. &#8220;Why have we been lied to? They knew that this was happening all along&#8230;&#8221;</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2005/06/online-banking-thoughts-on-future-trends/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Id theft: Taking a swipe at two-factor authentication</title>
		<link>http://www.nickcoster.com/2005/04/id-theft-taking-a-swipe-at-two-factor-authentication/</link>
		<comments>http://www.nickcoster.com/2005/04/id-theft-taking-a-swipe-at-two-factor-authentication/#comments</comments>
		<pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/busymind/?p=54</guid>
		<description><![CDATA[I have just posted the comment below in response to this article Bruce Schneier&#8217;s article http://www.schneier.com/essay-083.html implies that two-factor authentication is too outdated to be of any real use. I believe that this is a very dangerous argument to be promoting, particularly since the existing username and password security that every service currently uses [...]]]></description>
			<content:encoded><![CDATA[<p>I have just posted the comment below in response to <a href="http://www.crime-research.org/news/14.04.2005/1150/">this article</a></p>
<blockquote><p>Bruce Schneier&#8217;s article <a href="http://www.schneier.com/essay-083.html">http://www.schneier.com/essay-083.html</a> implies that two-factor authentication is too outdated to be of any real use.</p>
<p>I believe that this is a very dangerous argument to be promoting, particularly since the existing username and password security that every service currently uses is not enough and criminals are easily compromising this fact already. In my experience the biggest hurdle is to get organisations to spend any money on any more advanced security solution.</p>
<p>Although second-factor authentication using one-use changing passwords from a token device or from an SMS can be compromised by some increasingly sophisticated attacks, they do stop most of the common existing ones. Keystroke loggers, standard phishing and other methods of just stealing static passwords can currently be used to passively generate databases of stolen login details. They become obsolete with the implementation of second-factor authentication.</p>
<p>I also believe that online businesses are at the threshold of a new phase of development where the old username and password combination will be complemented with increasingly sophisticated levels of security solutions. These businesses must invest in these solutions and their customers must be given a choice over the usage of them. The penalty for choosing not to use them may be limited functionality or increased costs elsewhere.</p>
<p>Second factor authentication will not be the final solution for online security but it is the most mature solution for the next phase of security developments.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2005/04/id-theft-taking-a-swipe-at-two-factor-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Opinion &#8211; Bill&#8217;s Spam is still out of the Can</title>
		<link>http://www.nickcoster.com/2005/01/opinion-bills-spam-is-still-out-of-the-can/</link>
		<comments>http://www.nickcoster.com/2005/01/opinion-bills-spam-is-still-out-of-the-can/#comments</comments>
		<pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/busymind/?p=46</guid>
		<description><![CDATA[Well nearly a year ago Bill Gates announced that he was going to stop spam in its tracks within just a few years. Big words I thought at the time. I was also nervous about what the solution may entail, i.e. Microsoft making changes to its software to ensure that only email from Microsoft system to [...]]]></description>
			<content:encoded><![CDATA[<p>Well nearly a year ago Bill Gates announced that he was going to stop spam in its tracks within just a few years. Big words I thought <a href="http://www.nickcoster.com/idlemind/2004/02/bills-dream-to-can-spam.html">at the time</a>. I was also nervous about what the solution may entail, i.e. Microsoft making changes to its software to ensure that only email from Microsoft system to Microsoft system would be authenticated and therefore anything else would be treated as suspect. </p>
<p>It looks like Bill has discovered bigger phish to phry. In an <a href="http://www.tomshardware.com/hardnews/20050129_222052.html">interview</a> in Germany regarding security, Bill Gates has lost some of his optimism about defeating spam, although he still believes that there will be a spam-free future. His attention has turned to the promotion of the newer security threats like phishing. This time he is talking a lot about collaboration, which, I agree, has to be the case.</p>
<p>In Australia I have seen different industries (i.e. ISP and financial) all scrambling to collaborate amongst themselves but not engaging each other. This should be a great way of getting messages about security out to customers (again both ISP and financial services). The banks could identify the messages that they need their customers to hear and then work with ISPs to help distribute these messages. After email and general browsing, the use of online banking is the biggest driver of online take-up, so there should be a shared interest in getting customers online and feeling safe about using online banking services.</p>
<p>For myself, I have also had to back track from my earlier bravado. My old email account nick@bigpond.com is dead and gone, swallowed by the deluge of spam that it received. Even though I had a multi-layered defence to wipe out the worst of it, too much time was wasted in the fight.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2005/01/opinion-bills-spam-is-still-out-of-the-can/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security News</title>
		<link>http://www.nickcoster.com/2005/01/security-news/</link>
		<comments>http://www.nickcoster.com/2005/01/security-news/#comments</comments>
		<pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/busymind/?p=48</guid>
		<description><![CDATA[Every day I use Google News to provide me with updates on whatever particular subject I am working or thinking about at the time. Over the past few months I have been looking at the effects of &#8220;phishing&#8221; and online fraud that have been plaguing online financial institutions over the last 18 months or so. [...]]]></description>
			<content:encoded><![CDATA[<p>Every day I use Google News to provide me with updates on whatever particular subject I am working or thinking about at the time. Over the past few months I have been looking at the effects of &#8220;phishing&#8221; and online fraud that have been plaguing online financial institutions over the last 18 months or so.</p>
<p>Every now and then I will see an article that is expressing a new idea or opinion I think is worthy of some feedback. It was with some surprise that today&#8217;s Google News roundup on &#8220;Phishing&#8221; returned my very own comments.<br />I am not sure what to read into this:</p>
<p>   a) my comments matter<br />   b) Google can find anything anywhere<br />   c) Google&#8217;s news sources are more limited than first guessed</p>
<p>I think that the answer is a combination of b &amp; c. Some day I may be able to claim with more authority that a) applies but I think that will require more people either strongly agreeing with me or strongly disagreeing. Just responding in some way will do.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2005/01/security-news/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>E-Genie</title>
		<link>http://www.nickcoster.com/2004/05/e-genie/</link>
		<comments>http://www.nickcoster.com/2004/05/e-genie/#comments</comments>
		<pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[work]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/busymind/?p=32</guid>
		<description><![CDATA[While at my current job I have been writing for the monthly newsletter under the guise of the E-Genie. This time I thought that I would post my latest creation here as well. There have been an increasing number of security threats that use email as their way of getting onto your home computer. These [...]]]></description>
			<content:encoded><![CDATA[<p>While at my current job I have been writing for the monthly newsletter under the guise of the E-Genie. This time I thought that I would post my latest creation here as well.</p>
<hr />
<p>There have been an increasing number of security threats that use email as their way of getting onto your home computer. These threats have used features and in some cases security weaknesses in the email software to launch their attacks. The software makers have responded to these problems by adding security features to their email readers. This month we will deal with some of the side effects of these features.</p>
<p><strong>Question: </strong><br /><em>&#8220;I received an email that I was expecting and the information I needed was sent as an attachment. When I tried to access this it received a message stating I was denied access to an &#8220;unsafe attachment&#8221;. Others I talked to received the same attachment with no warnings and no consequences to their system.&#8221;</em></p>
<p>The problem here is that the email program is assuming that the attached file is dangerous and will not allow it to be used. This is based on the file type and not the contents of the file. File types that are considered dangerous include .exe, .zip, .scr, .pif, .bat, etc. Files from applications like Word and Excel that can contain macros will also be considered unsafe.</p>
<p>To access these files you will need to change the security settings of your email program. It is best to do this only when there is a particular file that you want and that you are expecting. This way the software forces you to think twice before clicking on a dodgy attachment. For example, in Outlook Express (version 6.0) go to &#8220;Tools -> Options&#8221; then select the Security tab.</p>
<p>Uncheck the box next to &#8220;Do not allow attachments to be saved or opened that could potentially be a virus&#8221;. You should now be able to open the file but don&#8217;t forget to re-check this setting once you have opened your file. </p>
<p>All the best from the <a href="mailto:e-genie@nickcoster.com">E-Genie</a>!</p>
<hr />
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2004/05/e-genie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bill&#8217;s dream to can spam.</title>
		<link>http://www.nickcoster.com/2004/02/bills-dream-to-can-spam/</link>
		<comments>http://www.nickcoster.com/2004/02/bills-dream-to-can-spam/#comments</comments>
		<pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/busymind/?p=24</guid>
		<description><![CDATA[I have to say that I love the ego of Bill Gates. By the time he no longer wants to, he will rule the world. This week he has stated that he will stop spam. I love that kinda talk because I hate spam. I have an easy-to-spam email address, and at last [...]]]></description>
			<content:encoded><![CDATA[<p>I have to say that I love the ego of Bill Gates. By the time he no longer wants to, he will rule the world. This week he has stated that he will stop spam. I love that kinda talk because I hate spam. I have an easy-to-spam email address, and at last count I am getting over 500 spams every day. I use a number of tools to combat this, so I still deal with it in a way that has not yet stopped me from using the email address. In fact here it is &#8211; nick@bigpond.com. Bring it on. I will not be beaten by spammers.</p>
<p>However there is one thing that does send a shiver down my spine and that is how Bill is going to stop the spam. Better filters, bigger bounties, lobbying law makers? Somehow I don&#8217;t think so, because all of these are reactive, and that is not Bill&#8217;s way. So I think to myself: how would I make spam go away if I were Bill Gates?</p>
<p><strong>Assumption 1</strong> &#8211; I am Bill Gates and I own and control Microsoft. (PS: I know there are other shareholders, but this is a dream, ok)<br />
<strong>Assumption 2</strong> &#8211; I own all of the computer desktops and servers that I care about. I don&#8217;t care about those silly unix or linux systems, or those annoying little fruity things (apples).</p>
<p>Idea&#8230; Why don&#8217;t I add a patch to Windows email software that only accepts messages from other Windows email applications. Well at least the ones that require product activation so that I know that there is a unique system to use it. It can even be optional. My customers don&#8217;t have to use it, but if they want to get rid of spam then maybe they will want to.</p>
<p>It is hot where I am sitting but this idea makes me feel cold. We need a better solution than the one that Bill dreams up.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2004/02/bills-dream-to-can-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
