Saturday, December 19, 2009

1-factor authentication in the Matrix

I just remembered the way Seraph tells Neo in the Matrix "You do not truly know someone until you fight them." and I was trying to sort the fight that follows into one of the typical categories of authentication:
  1. Check what someone has.
  2. Check what someone knows.
  3. Check what someone is.
when I realized that in the precise context of the Matrix, in the case of Neo, categories 2 and 3 are the very same.
  • Neo is the One because he knows he is the One.
  • Being the One, Neo knows he is the best kung fu fighter.
  • Knowing he is the best kung fu fighter, Neo is the best kung fu fighter.
He is because he knows and he knows because he is. Seraph indeed performs a 1-factor-only authentication to check that Neo is the One.

-+- The little joys of security-thinking! -+-

Thursday, December 3, 2009

Vulnerability in VPN/SSL platforms: so what?

US-CERT points out that using a VPN/SSL to access arbitrary web sites circumvents the security features of modern browsers.

I have an odd sensation of being in a troubled IT/ITsec world when I read that. What seems so strange to me is not the vulnerability, it's that it requires a US-CERT advisory for people to notice.

I mean... For years the web has been struggling to build protocols like HTTPS (and to get the mainstream browsers to support it correctly). And we hear every day that even though the protocol is a jewel in itself, it is not sufficient for security. That's why we have vulnerability reports for browsers, anti-phishing features, certificate authorities, etc.

Now we build a new tool that will handle web sites and forward them to and fro and we should think that it does not deserve the same amount of care and time to mature? No, no, no...
Big expert organizations like Microsoft, Google or Mozilla struggle at it, so why should Cisco, Juniper or SafeNet get it right the first time?

Pessimistic: It's always the same game. You build something strong and then you build it anew making the same mistakes. And every time you get surprised.

Optimistic: Now that the vulnerability is public (I thought it always was!) maybe the VPN/SSL makers will improve their products.

Realistic: If you use the intranet from the Internet, you should be prepared to handle the security of the intranet as if it were exposed to the public. That means, for instance, investing some time in understanding a VPN/SSL product before entering wildcards in its policies.

EDIT 12/04/2009: Cisco says it very well ^^
"Administrators are advised to configure clientless SSL VPN sessions so that only trusted internal networks are accessed using the VPN session. All other connections should be accessed without using the SSL VPN session."
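
One way to act on that advice, as an added example (not code from this blog or from any vendor): the script below audits a clientless SSL VPN destination allow-list and flags wildcards and entries that reach beyond trusted internal networks. The policy format, the trusted ranges and the `.corp.example` suffix are assumptions made for the illustration.

```python
import ipaddress

# Assumptions: ranges and DNS suffix this organisation treats as trusted internal.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample policy: one allowed destination (host pattern or CIDR) per entry.
SAMPLE_POLICY = [
    "wiki.corp.example", "*.corp.example", "10.1.2.0/24",
    "*", "*.example.com", "mail.*", "0.0.0.0/0", "www.example.org",
]

def classify(entry):
    """Return 'ok' or the reason an allow-list entry exposes non-internal sites."""
    entry = entry.strip().lower()
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None  # not an address or CIDR, treat it as a host pattern
    if net is not None:
        inside = any(net.version == t.version and net.subnet_of(t)
                     for t in TRUSTED_NETS)
        return "ok" if inside else "outside-trusted-network"
    internal = any(entry.endswith(s) for s in INTERNAL_SUFFIXES)
    if "*" in entry:
        # A single leading "*." under an internal suffix stays bounded;
        # any other wildcard can match arbitrary Internet hosts.
        if internal and entry.startswith("*.") and "*" not in entry[2:]:
            return "ok"
        return "unbounded-wildcard"
    return "ok" if internal else "external-host"

def audit(policy):
    """Map each risky entry to its finding; entries that are fine are omitted."""
    findings = {}
    for entry in policy:
        verdict = classify(entry)
        if verdict != "ok":
            findings[entry] = verdict
    return findings

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_POLICY).items():
        print(f"{entry:20} {verdict}")
```
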

Common antivirus products disabled within minutes

It was the subject of a contest organized by the French IT (and other disciplines) engineering school ESIEA. Results are available as slideshows at this address.

Summarizing roughly, the most common antivirus products (McAfee, Norton = Symantec, Kaspersky...) can be disabled within minutes by a clever virus maker.

Shredding files mostly useless (review)

Bruce Schneier points out that filesystems sometimes get in the way of secure file deletion.

I blogged about that six months ago (second point in that bill) after checking my understanding of the question with the developer of Inferno.

I have since heard similar stories quite a few times, either from software like filesystems or recovery systems or from hardware like Flash memory putting the content of a file in arbitrary locations. It seems to be a fairly well known fact among people who have spent time on the matter.

To my mind, apart from shredding entire drives when the hardware is disposed of or goes from one user to another, companies should not waste time on shredding.

Of course, I guess Bruce Schneier would argue about encryption, rather than deletion :-)