Friday, August 3, 2012

Talk at ToorCamp: Visual Authorization Goes Digital

I'm giving an Ignite talk at ToorCamp on Friday August 10th.


Analog visual authorization is an extremely effective and widely used method for allowing access to resources. Many paper or physical systems rely on it: transit tickets, driver's licenses, amusement park bracelets, event invitations, movie tickets, corporate ID badges, and paper money are all generally checked by visual inspection.

Visually inspectable authorization is where an authority can visually and tactilely inspect a token and determine with acceptable confidence that its bearer is authorized to access a resource or perform some action. For example, a movie-goer (bearer) can use a ticket (token) by handing it to a movie theater employee (authority) in order to get access to a movie (resource).

Several attempts have been made to apply visual authorization to digital tokens through the use of smart phones. However, digitizing visual authorization introduces new vulnerabilities, and the systems that we have examined are each vulnerable to new attacks that are much more serious than the attacks physical systems are exposed to.

I argue that these vulnerabilities are inherent to the digital medium and that they cannot be completely solved with current techniques. However, there are mitigations that developers can put in place to make forgery of tickets difficult enough to fall within an acceptable threshold.

In this talk, I will present the properties that a physical or digital visual authorization system should have to be secure, discuss the challenges to getting that security in a digital system, demonstrate those vulnerabilities in current visual authorization systems, and present a set of proposed solutions.

Is the NIST Risk Management Framework poised to become a national cybersecurity standard?

A lot of organizations, including small businesses and critical infrastructure operators, might soon get new technical security requirements from the federal government. This will probably be very costly, especially for small businesses that don't already implement the kinds of security measures that are standard for large federal contractors. I'll give a brief overview of two new efforts: a bill in the US Senate called the Cybersecurity Act of 2012 (CSA) that, if passed, will impact critical infrastructure operators, and a new federal contracting rule that's closely related to parts of CSA in its goals and technical details. Both of these efforts focus on NIST's Risk Management Framework, and if you're not already familiar with this process, now might be the time to get up to speed.

Read more at the Galois blog.

Friday, November 11, 2011

A Disciplined Approach to Talking About Security

Recently, a thread about a security problem in a piece of open source software got a lot of attention. There was a vulnerability report, a defensive developer, persistent security folks, and of course sideline comments taking one side or the other. This discussion perfectly illustrates why it can be hard to have a civil discussion about security, and why even with the best of intentions and with skilled developers, security problems can persist in a software system.

Read More at the Galois Blog

Tuesday, October 4, 2011

Passwords are past their prime

Passwords are past their prime. Users are buried under the weight of too many passwords, and most of us constantly struggle with these password conundrums: Simple passwords are easy to guess, but complex passwords are hard to remember. Writing passwords down means not having to remember them, but it also means they might get stolen. Sharing passwords between accounts means that if one account has a password database spill, all the accounts are compromised.

Animate Login replaces passwords with mobile phones and replaces typing passwords with scanning a barcode on that phone. The phone uses two-dimensional barcodes to make a link between the user’s browser session and the physical presence of the user, then utilizes the phone’s Internet connection to send a long and complex shared secret to the web site to prove the user is who he/she claims to be.
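The flow described above, as an added simulation that is not Animate Login's code: the site issues a one-time nonce that the browser renders as a barcode, the phone scans it and answers over its own connection, and the site binds the waiting browser session to the user. The barcode payload format (`login_id|nonce`) and the server API names are assumptions, and instead of transmitting the stored secret itself the phone proves possession of it with an HMAC over the nonce, so the barcode is single-use and expires.

```python
import hashlib, hmac, secrets, time


class AnimateLoginServer:
    """Toy web-site side of the barcode login (constructed example, not Animate Login's code)."""

    def __init__(self, ttl_seconds=60):
        self.users = {}     # username -> 32-byte shared secret stored on the user's phone
        self.pending = {}   # login_id -> {"nonce", "created", "user"}
        self.ttl = ttl_seconds

    def enroll(self, username):
        secret = secrets.token_bytes(32)    # generated once; never typed or remembered
        self.users[username] = secret
        return secret

    def start_login(self):
        # Called when the browser loads the login page; the payload is drawn as a barcode.
        login_id, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[login_id] = {"nonce": nonce, "created": time.time(), "user": None}
        return login_id + "|" + nonce

    def phone_callback(self, login_id, username, proof):
        # Arrives over the phone's own Internet connection, not the browser session.
        entry = self.pending.get(login_id)
        if entry is None or entry["user"] is not None:
            return False                    # unknown login, or barcode already used
        if time.time() - entry["created"] > self.ttl:
            return False                    # barcode expired
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, entry["nonce"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return False                    # proof was not made with this user's secret
        entry["user"] = username            # browser session is now bound to the user
        return True

    def poll(self, login_id):
        # The browser polls this until the phone has finished the login.
        entry = self.pending.get(login_id)
        return entry["user"] if entry else None


def phone_scan_and_prove(barcode_payload, username, secret):
    """Phone side: parse the scanned barcode and prove possession of the secret."""
    login_id, nonce = barcode_payload.split("|", 1)
    proof = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return login_id, username, proof
```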

Read More on G+

Tuesday, August 23, 2011

Cloud Security Risk Agreements for Small Businesses

Cloud computing can be particularly beneficial to small businesses since it can decrease the total cost of ownership for IT systems. Unfortunately, one of the major barriers to adoption of cloud services is the perception that they are inherently less secure, exposing the organization to unacceptable risk. There are standard processes for managing security risk that can help businesses make trade-off decisions, but these processes currently cannot be applied to cloud computing since the security details of cloud services are not typically available to small businesses. This lack of information leads to a lack of trust: small businesses cannot evaluate the security of cloud services. This paper proposes an approach for cooperation between cloud vendors and small businesses based on the NIST Risk Management Framework. Security Risk Agreements would address the lack of trust so that small businesses can confidently adopt cloud services, benefiting both small businesses and cloud vendors.

HTML and PDF versions at