<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Michael Mongold's Technology Security</title>
    
    
    <link rel="alternate" type="text/html" href="http://securityblog.typepad.com/technology_security/" />
    <id>tag:typepad.com,2003:weblog-1242980</id>
    <updated>2011-04-19T09:30:58-05:00</updated>
    <subtitle>A blog by me, Michael Mongold, that discusses technology security and the people behind the data.</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/TechnologySecurity" /><feedburner:info uri="technologysecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://hubbub.api.typepad.com/" /><geo:lat>30.17207</geo:lat><geo:long>-97.872845</geo:long><link rel="license" type="text/html" href="http://creativecommons.org/licenses/by/2.0/" /><logo>http://creativecommons.org/images/public/somerights20.gif</logo><feedburner:emailServiceId>TechnologySecurity</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry>
        <title>Moderating Panel Today in San Antonio</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/VYC3LEvApr0/moderating-panel-today-in-san-antonio.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2011/04/moderating-panel-today-in-san-antonio.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e2014e87eca8f3970d</id>
        <published>2011-04-19T09:30:58-05:00</published>
        <updated>2011-04-19T09:30:58-05:00</updated>
        <summary type="html">Invitation to come hear a great panel discussion on Social Media and Security. Michael Mongold will moderate and the panelists will include Lauren Madrid of Denim Group, Matt Scherer of Scherer Communications, and Mark Goldman of MGR Personnel.</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Alamo" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Denim Group" />
        <category scheme="http://sixapart.com/ns/types#tag" term="ISSA" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Lauren Madrid" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Mark Goldman" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Matt Scherer" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Media" />
        <category scheme="http://sixapart.com/ns/types#tag" term="MGR Personnel" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Michael" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Moderator" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Mongold" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Panel" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Scherer Communications" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Security" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Social" />
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;If you live or work in San Antonio and Information Security or Social Media is relevant to your daily world, drop in to Dave &amp;amp; Buster's from 11:30 to 1:00 and participate in what is sure to be a great discussion on Social Media and Security. I will be moderating the panel which consists of:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Lauren Madrid, Marketing Manager at Denim Group&lt;/li&gt;&#xD;
&lt;li&gt;Matt Scherer, Owner of Scherer Communications&lt;/li&gt;&#xD;
&lt;li&gt;Mark Goldman, Founder and a managing member of MGR Personnel&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;Topics will include:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Staying on top of Security news via Social Media outlets&lt;/li&gt;&#xD;
&lt;li&gt;Monitoring the competition&lt;/li&gt;&#xD;
&lt;li&gt;Job Hunting&lt;/li&gt;&#xD;
&lt;li&gt;Representing yourself and your company&lt;/li&gt;&#xD;
&lt;li&gt;Group participation&lt;/li&gt;&#xD;
&lt;li&gt;Social Media trends&lt;/li&gt;&#xD;
&lt;li&gt;Do's &amp;amp; Don'ts&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;Hope to see you there!&lt;/p&gt;&#xD;
&lt;p&gt; &lt;/p&gt;&#xD;
&lt;p&gt;Michael Mongold&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2011/04/moderating-panel-today-in-san-antonio.html</feedburner:origLink></entry>
    <entry>
        <title>The Case for Hybrid Identity-as-a-Service (IDaaS) Part II</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/fKGCwOZDcSc/the-case-for-hybrid-identity-as-a-service-idaas-part-ii.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2011/03/the-case-for-hybrid-identity-as-a-service-idaas-part-ii.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e2014e8711b532970d</id>
        <published>2011-03-29T15:13:19-05:00</published>
        <updated>2011-03-29T15:19:20-05:00</updated>
        <summary type="html">In Part II of a four-part series, Michael Mongold, Director of Enterprise Technology for PasswordBank, describes the challenges facing end users as they must authenticate to more locations while using more (non-Windows) devices to access those locations.</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="access" />
        <category scheme="http://sixapart.com/ns/types#tag" term="advanced" />
        <category scheme="http://sixapart.com/ns/types#tag" term="authentication" />
        <category scheme="http://sixapart.com/ns/types#tag" term="biometrics" />
        <category scheme="http://sixapart.com/ns/types#tag" term="certificate" />
        <category scheme="http://sixapart.com/ns/types#tag" term="dilemma" />
        <category scheme="http://sixapart.com/ns/types#tag" term="hybrid" />
        <category scheme="http://sixapart.com/ns/types#tag" term="IDaaS" />
        <category scheme="http://sixapart.com/ns/types#tag" term="identity" />
        <category scheme="http://sixapart.com/ns/types#tag" term="management" />
        <category scheme="http://sixapart.com/ns/types#tag" term="michael" />
        <category scheme="http://sixapart.com/ns/types#tag" term="mongold" />
        <category scheme="http://sixapart.com/ns/types#tag" term="OTP" />
        <category scheme="http://sixapart.com/ns/types#tag" term="password" />
        <category scheme="http://sixapart.com/ns/types#tag" term="security" />
        <category scheme="http://sixapart.com/ns/types#tag" term="service" />
        <category scheme="http://sixapart.com/ns/types#tag" term="SSO" />
        <category scheme="http://sixapart.com/ns/types#tag" term="strong" />
        <category scheme="http://sixapart.com/ns/types#tag" term="technology" />
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;h3&gt;&lt;span style="font-weight: normal; font-size: medium;"&gt;&lt;strong&gt;The End User’s Dilemma&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;&#xD;
&lt;div&gt;&#xD;
&lt;div&gt;&#xD;
&lt;p&gt;&lt;br&gt;It is now accepted by business professionals and security practitioners alike that identity theft and stolen credentials are widely used vectors for breaching organizations around the world. Passwords are still the most common form of credential used while also being the most abused method of authentication.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e2014e60374955970c-popup" onclick="window.open( this.href, '_blank', 'width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0' ); return false" style="float: right;"&gt;&lt;img alt="Fingerprint" class="asset  asset-image at-xid-6a00d83453a4e869e2014e60374955970c" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e2014e60374955970c-320wi" style="margin: 0px 0px 5px 5px;" title="Fingerprint"&gt;&lt;/img&gt;&lt;/a&gt; &lt;br&gt;As organizations have required their users to provide higher and higher levels of password complexity with little or no uniformity between organizations, end users are required to track five, ten, twenty, or more login credentials. Best practices for passwords suggest at least eight characters, with uppercase, lowercase, numbers, and symbols utilized. It is also suggested that you change the password at least every ninety days while not repeating the password again for at least four generations of passwords. Add in that you shouldn’t use birthdates, social security numbers, proper names, or really, any word from a dictionary and, oh yes, make sure that each site has a unique username and password so that if one is compromised, all of your identities will not be compromised. The situation, as presented like this, is untenable.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;br&gt;So the end user does what she must to do her job. Likely this means using one username and password for everything, but not every site has the same requirements. If one site requires a symbol and another does not allow symbols, she ends up being forced to remember a few variations and most likely just writes them down somewhere, either on her computer or on a piece of paper at her desk.&lt;br&gt;&lt;br&gt;This defeats the purpose of implementing password security because if someone can walk over to her desk and acquire her passwords, non-repudiation and plausible deniability are thrown out the window. If a breach is traced back to her account, it can be difficult to show intent or complicity in the act of allowing the breach to occur.&lt;br&gt;&lt;br&gt;Biometrics, OTP, and certificate-based authentication mechanisms are significantly more secure than passwords but all have struggled to supplant passwords as the credential of choice for the vast majority of organizations and end users.&lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;p&gt;Come by &lt;a href="HTTP://www.passwordbank.com" target="_blank" title="PasswordBank's Website (opens in new window)"&gt;PasswordBank&lt;/a&gt; to find out more or stay tuned until next week...&lt;/p&gt;&#xD;
&lt;p&gt;...Michael Mongold...&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2011/03/the-case-for-hybrid-identity-as-a-service-idaas-part-ii.html</feedburner:origLink></entry>
    <entry>
        <title>The Case for Hybrid Identity-as-a-Service</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/MK6x-MKhDp8/the-case-for-hybrid-identity-as-a-service.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2011/03/the-case-for-hybrid-identity-as-a-service.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20147e366f49b970b</id>
        <published>2011-03-22T21:48:43-05:00</published>
        <updated>2011-03-22T21:48:43-05:00</updated>
        <summary type="html">Hybrid Identity-as-a-Service (IDaaS) provides a clear path to reducing the dangers associated with cloud-adoption.</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Cloud" />
        <category scheme="http://sixapart.com/ns/types#tag" term="ESSO" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Hybrid" />
        <category scheme="http://sixapart.com/ns/types#tag" term="IDaas" />
        <category scheme="http://sixapart.com/ns/types#tag" term="identity" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Michael" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Mongold" />
        <category scheme="http://sixapart.com/ns/types#tag" term="PasswordBank" />
        <category scheme="http://sixapart.com/ns/types#tag" term="PCI" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Problem" />
        <category scheme="http://sixapart.com/ns/types#tag" term="security" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Solution" />
        <category scheme="http://sixapart.com/ns/types#tag" term="SSO" />
        <category scheme="http://sixapart.com/ns/types#tag" term="web" />
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;h3&gt;The Case for Hybrid Identity-as-a-Service (IDaaS) Part I&lt;/h3&gt;&#xD;
&lt;div&gt;&#xD;
&lt;div&gt;&#xD;
&lt;p&gt;&lt;strong&gt;Hybrid Identity-as-a-Service (IDaaS) provides a clear path to reducing the dangers associated with cloud-adoption.&lt;/strong&gt;&lt;br&gt;&lt;br&gt;The world of the information security professional continues to become more complex as more of the services that were traditionally within the control of the information security team are outsourced to external entities. Just a few years ago, a CISO (Chief Information Security Officer) was able to confidently assure his CIO/CFO/Legal Counsel that their organization was providing adequate levels of protection for the confidentiality, integrity, and availability of the sensitive data that they were tasked with securing, by simply inspecting the organization’s internal hardware and software solutions.&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e2014e600c33dd970c-popup" onclick="window.open( this.href, '_blank', 'width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0' ); return false" style="float: left;"&gt;&lt;img alt="Identimage" class="asset  asset-image at-xid-6a00d83453a4e869e2014e600c33dd970c" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e2014e600c33dd970c-320wi" style="margin: 0px 5px 5px 0px;" title="Identimage"&gt;&lt;/img&gt;&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;br&gt;But as organizations are being pushed to adopt more flexible working environments that include the consumerization of the users’ laptops and mobile devices (BYOD: Bring Your Own Device), those organizations are also faced with no longer having direct control over the security of the locations that the data is served from and the infrastructure used to deliver those services.&lt;br&gt;&lt;br&gt;Information Security teams are now tasked with vetting an external service provider to ensure they are up to the task of providing the same level of confidentiality, integrity, and availability that they once provided internally. Now, the Information Security Manager has a new layer of abstraction between their role and the role’s responsibilities while maintaining the same level of liability if something goes wrong. If the CISO had difficulty sleeping before, they are certain to be bleary-eyed now.&lt;br&gt;&lt;br&gt;So if there are inherent risks in rushing these services into the cloud, why is the business pushing for them? There are many truly exceptional benefits of leveraging cloud providers: reducing CapEx costs, realizing fast ROIs, and gaining amazing, almost unlimited, scalability. 
Unfortunately, the speed of business can, and often does, exceed the speed of security.&lt;br&gt;&lt;br&gt;One area where the vacuum has been most keenly felt is the area of secure access and identity management.&lt;br&gt;&lt;br&gt;&lt;strong&gt;The Problem&lt;/strong&gt;. A panel at a recent security conference was asked, “How many web or cloud services is your organization using, and how do you manage identities and authentication into them?” One panelist, the CIO of one of the largest cities in America, initially responded, “How do you define the cloud?” Upon further reflection, he stated that there were more than six services with no centralized identity management or authentication mechanism in their organization. The CISO for a state government agency responded similarly but with over 20 (potentially 50) services that are utilized with no centralized access or identity management.&lt;br&gt;&lt;br&gt;This will probably not surprise most. Just ask any business about the cloud services they use and how they manage the identities and authentication into those environments. Over the past couple of years, adoption of cloud offerings has accelerated to provide businesses with solutions that deliver needed services without direct payroll costs or management in an incredibly scalable manner. The justification for cloud adoption is becoming clearer to the business-side of the house as there is little or no spin-up time for the organization between the purchase of a solution and using it. So businesses have jumped ahead at the savings-potential the cloud market provides.&lt;br&gt;&lt;br&gt;But the information security team is not the only one trying to catch up. 
Even now organizations such as the PCI Standards Council are struggling to redefine what is considered “in scope” as the boundaries of past networks are dissolved in order to allow access to valuable data anytime/anywhere.&lt;br&gt;&lt;br&gt;With the gap widening between the services that a cloud offering can provide and the solutions that can secure the access and identity management to those services, it is clear that organizations must educate themselves about the dangers that this vacuum presents even as compliance organizations work to provide standardized controls.&lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;p&gt;Stay tuned for Part II next week or drop on by www.passwordbank.com for an advance copy. :)&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2011/03/the-case-for-hybrid-identity-as-a-service.html</feedburner:origLink></entry>
    <entry>
        <title>Bank accounts hacked for over 1 million dollars</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/zISja_1thwM/bank-accounts-hacked-for-over-1-million-dollars.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2010/08/bank-accounts-hacked-for-over-1-million-dollars.html" thr:count="3" thr:updated="2010-12-27T01:59:42-06:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20134866ed231970c</id>
        <published>2010-08-24T10:14:51-05:00</published>
        <updated>2010-08-24T10:14:51-05:00</updated>
        <summary type="html">Last month, a British bank and its customers were hit by a coordinated and targeted attack by criminals that launched their efforts from Eastern Europe. In an impressive display of a blended threat, the crooks created advertising with malicious...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: inline; margin-left: 0px; border-top: 0px; margin-right: 0px; border-right: 0px" title="Trojan_Mongold" border="0" alt="Trojan_Mongold" align="left" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e20133f34a8abe970b-pi" width="244" height="164"&gt;&lt;/img&gt;Last month, a British bank and its customers were hit by a coordinated and targeted attack by criminals that launched their efforts from Eastern Europe.  &lt;/p&gt;  &lt;p&gt;In an impressive display of a &lt;a href="http://en.wikipedia.org/wiki/Blended_threat" target="_blank"&gt;blended threat&lt;/a&gt;, the crooks created advertising with malicious code that they then posted on legitimate websites (run by Yahoo for example) and their own websites. Once the advertisement was clicked on or the malicious website was visited, the user would unknowingly have an exploit kit (the Eleonore and Phoenix kits in this example) drill into the browser to embed the new and improved Zeus v3 Trojan onto their PCs.&lt;/p&gt;  &lt;p&gt;Once installed the Trojan would announce to its &lt;a href="http://en.wikipedia.org/wiki/Botnet" target="_blank"&gt;Command and Control server&lt;/a&gt; (C&amp;amp;C) that it was ready and then wait for the user to log into their bank account.&lt;/p&gt;  &lt;p&gt;When the unsuspecting user finally logged into their bank account, the Trojan would notify the C&amp;amp;C while the bank session was open. The C&amp;amp;C would then step in between the bank page and the user and provide a script that performed its own intelligence to determine how much money the user had in the account. If the user had over a certain amount, the script would transfer money into a &lt;a href="http://en.wikipedia.org/wiki/Money_mule" target="_blank"&gt;money mule’s&lt;/a&gt; account which would eventually make its way to the criminals. 
The malefactors were aware of each process along the way, receiving detailed information about the accounts and their values, the success or failure of any transactions – all via encrypted traffic to avoid detection. &lt;/p&gt;  &lt;p&gt;An observation that everyone should take from this story is just how difficult it was (and is) to detect the attack. Of all the anti-malware software that is on the market, only &lt;a href="http://www.sophos.com/" target="_blank"&gt;Sophos&lt;/a&gt; and &lt;a href="http://us.trendmicro.com/us/home/" target="_blank"&gt;Trend Micro&lt;/a&gt; would have caught the Zeus v3 Trojan which would have stopped the attack before it could have started. Most other anti-malware players have since updated their software to include Zeus v3.&lt;/p&gt;  &lt;p&gt;The bank and the banking victims have been notified of the illegal activities and authorities are investigating. No responsible parties have been apprehended at this time.&lt;/p&gt;  &lt;p&gt;Read more of the attack and the excellent research by &lt;a href="http://www.m86security.com/" target="_blank"&gt;M86 Security&lt;/a&gt; &lt;a href="http://www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:99c50b0b-bc03-47d8-b48b-6136e823314d" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/bank" rel="tag"&gt;bank&lt;/a&gt;,&lt;a href="http://technorati.com/tags/British" rel="tag"&gt;British&lt;/a&gt;,&lt;a href="http://technorati.com/tags/blended+threat" rel="tag"&gt;blended threat&lt;/a&gt;,&lt;a href="http://technorati.com/tags/zeus+v3" rel="tag"&gt;zeus v3&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/money+mule" rel="tag"&gt;money mule&lt;/a&gt;,&lt;a href="http://technorati.com/tags/sophos" rel="tag"&gt;sophos&lt;/a&gt;,&lt;a href="http://technorati.com/tags/trend+micromicro" rel="tag"&gt;trend micromicro&lt;/a&gt;,&lt;a href="http://technorati.com/tags/criminal" rel="tag"&gt;criminal&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Yahoo" rel="tag"&gt;Yahoo&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Eleonore" rel="tag"&gt;Eleonore&lt;/a&gt;,&lt;a href="http://technorati.com/tags/phoenix" rel="tag"&gt;phoenix&lt;/a&gt;,&lt;a href="http://technorati.com/tags/exploit" rel="tag"&gt;exploit&lt;/a&gt;,&lt;a href="http://technorati.com/tags/trojan" rel="tag"&gt;trojan&lt;/a&gt;,&lt;a href="http://technorati.com/tags/command+and+control" rel="tag"&gt;command and control&lt;/a&gt;,&lt;a href="http://technorati.com/tags/malicious+code" rel="tag"&gt;malicious code&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2010/08/bank-accounts-hacked-for-over-1-million-dollars.html</feedburner:origLink></entry>
    <entry>
        <title>Trojan implicated in plane crash that killed 154</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/UvFll-h-zqo/trojan-implicated-in-plane-crash-that-killed-154.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2010/08/trojan-implicated-in-plane-crash-that-killed-154.html" thr:count="1" thr:updated="2010-08-24T09:20:26-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20134866a5e44970c</id>
        <published>2010-08-23T15:55:48-05:00</published>
        <updated>2010-08-24T10:21:22-05:00</updated>
        <summary type="html">A plane crash that occurred two years ago when taking off from Barajas Airport in Madrid was riddled with Trojans. The Spanish newspaper, El Pais, is reporting that the trojans did not allow alarms to sound which would have alerted...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;A plane crash that occurred two years ago when taking off from Barajas Airport in Madrid was riddled with Trojans. The Spanish newspaper, El Pais, is &lt;a href="http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes" target="_blank"&gt;reporting&lt;/a&gt; that the trojans did not allow alarms to sound which would have alerted the crew of the incorrect positioning of the plane’s flaps. While the crew should have discovered the out-of-position flaps during their pre-flight checklist, the alarms’ failure as a failsafe was a contributing factor.&lt;/p&gt;&#xD;
&lt;p&gt;It cannot really be said that the trojans caused the crash, only that they kept the alarms from alerting the crew to something they should already have been aware of. However, as our reliance on technology to perform more and more critical tasks associated with human life grows, it is only a matter of time before the Titanic or Hindenburg of the future is associated with a compromised device. Some Skynet-futurists may even believe it will be on purpose…&lt;/p&gt;&#xD;
&lt;p&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Trojan" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;Trojan&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Barajas" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;Barajas&lt;/a&gt;,&lt;a href="http://technorati.com/tags/plane" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;plane&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Madrid" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;Madrid&lt;/a&gt;,&lt;a href="http://technorati.com/tags/El+Pais" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;El Pais&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Titanic" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;Titanic&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Skynet" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;Skynet&lt;/a&gt;,&lt;a href="http://technorati.com/tags/hindenberg" rel="tag" style="COLOR: blue !important; CURSOR: text !important; text-decoration: underline !important"&gt;hindenberg&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2010/08/trojan-implicated-in-plane-crash-that-killed-154.html</feedburner:origLink></entry>
    <entry>
        <title>Researchers hack your vehicle (again) </title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/b-JVuYGLdx4/researchers-hack-your-vehicle-again.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2010/08/researchers-hack-your-vehicle-again.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20133f3066ba6970b</id>
        <published>2010-08-12T11:43:21-05:00</published>
        <updated>2010-08-23T15:33:47-05:00</updated>
        <summary type="html">A few months ago, researchers with the University of Washington and UC San Diego released a paper detailing their "Experimental Security Analysis of a Modern Automobile". It presented a dark story where the electronic components of a vehicle, given the...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="attack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="automaker" />
        <category scheme="http://sixapart.com/ns/types#tag" term="ECU" />
        <category scheme="http://sixapart.com/ns/types#tag" term="hack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="michael mongold" />
        <category scheme="http://sixapart.com/ns/types#tag" term="rutgers" />
        <category scheme="http://sixapart.com/ns/types#tag" term="TPMS" />
        <category scheme="http://sixapart.com/ns/types#tag" term="USENIX" />
        <category scheme="http://sixapart.com/ns/types#tag" term="vehicle" />
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;A few months ago, researchers with the University of Washington and UC San Diego released a paper detailing their "&lt;a href="http://www.autosec.org/pubs/cars-oakland2010.pdf"&gt;Experimental Security Analysis of a Modern&lt;/a&gt;&lt;a href="http://www.autosec.org/pubs/cars-oakland2010.pdf"&gt; Automobile&lt;/a&gt;". It presented a dark story where the electronic components of a vehicle, given the right access and know-how by a motivated individual, could&#xD;
&lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e20133f307b222970b-pi" style="float: right;"&gt;&lt;img alt="Tpms" class="asset asset-image at-xid-6a00d83453a4e869e20133f307b222970b " src="http://securityblog.typepad.com/.a/6a00d83453a4e869e20133f307b222970b-120wi" style="margin: 0px 0px 5px 5px;" title="Tpms"&gt;&lt;/img&gt;&lt;/a&gt;   program events to occur from the benign (windshield wipers come on when you reach 20 MPH) to the homicidal (disable brakes and ignition over 80 MPH). It even proposed that with newer vehicles' self-parking capabilities, it might be possible for steering to be wrested from the driver. If there was a silver lining, it was that the individual hacking the device needed physical connectivity in order for the exploit to be realized. There was some indication that with weak Bluetooth security it might be possible to use that as an access vector but nothing was firmly tested.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.autosec.org/pubs/cars-oakland2010.pdf"&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Now, another method of wirelessly accessing your vehicle has been exposed by &lt;a href="http://news.rutgers.edu/medrel/news-releases/2010/08/wireless-tire-pressu-20100811"&gt;researchers&lt;/a&gt; at Rutgers University. In a paper being presented this week at the USENIX Security Symposium, tire pressure monitoring systems (TPMS) are gaining quite a bit of attention. Most people are likely unaware that all new cars in the US have been required to have a wireless tire pressure monitoring system since 2008. The paper explains that with relatively inexpensive equipment, researchers from up to 120 feet away could obtain wireless data from the sensors, spoof it, and then send it back to the car with inaccurate data while traveling 65 MPH. While the data that was spoofed was merely enough to make the tire pressure light on the car's dashboard display incorrectly, it signals a potential foothold for wireless attacks by nefarious individuals. 
And, once again, it shows a serious lack of foresight by product manufacturers, who failed to account for ways that their systems could be gamed. &#xD;
&lt;/p&gt;&lt;p&gt;In and of themselves, the threats have limited play. However, &lt;span style="text-decoration:underline"&gt;when&lt;/span&gt; they become combined (and what would make anyone think otherwise?) — a wireless entry point such as TPMS together with the control over in-vehicle components described in the earlier paper — the results could be extremely dangerous. Automakers need to review how they approach the security architecture of our vehicles' internal devices now, before a flashing light on your dashboard turns into a stuck accelerator or worse…&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2010/08/researchers-hack-your-vehicle-again.html</feedburner:origLink></entry>
    <entry>
        <title>Intelligence Analyst poking around gets the shaft</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/0zXkJnNPl7s/intelligence-analyst-poking-around-gets-the-shaft.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/intelligence-analyst-poking-around-gets-the-shaft.html" thr:count="2" thr:updated="2010-09-17T22:21:44-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a5758d06970b</id>
        <published>2009-09-16T13:56:26-05:00</published>
        <updated>2009-09-16T13:56:26-05:00</updated>
        <summary type="html">If you’re going to have security clearance at the National Geospatial-Intelligence Agency, then you should know that anytime you step out of your designated dataset, someone is going to know. That’s why it is hard to believe that Brian Keith...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;&lt;em&gt;&lt;em&gt;&lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/09/nga.png"&gt;&lt;img title="nga" alt="nga" src="http://www.wired.com/images_blogs/threatlevel/2009/09/nga.png" width="163" height="163"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/em&gt;If you’re going to have security clearance at the National Geospatial-Intelligence Agency, then you should know that anytime you step out of your designated dataset, someone is going to know. That’s why it is hard to believe that Brian Keith Montgomery, an intelligence analyst at the NGIA,  unwittingly viewed information regarding a classified operation that he did not have authorization to view. Even though it was within his security clearance, there was a warning that “only officials participating in the operation were allowed to use the password” to view this particular data. Even though he was authorized to use that same password to view other data, he apparently did not see the warning informing him who could and could not view THIS operation’s information. &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;While motive may be that he was just being a curious geek, he will no doubt learn a harsh lesson about being nosey.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;From wired.com, Kevin Poulsen &lt;a href="http://www.wired.com/threatlevel/2009/09/montgomery/" target="_blank"&gt;writes&lt;/a&gt;:&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;An analyst at a Defense Department spy satellite agency faces federal hacking charges after allegedly poking around in a top-secret system used in a classified terrorism investigation involving the FBI and the U.S. Army.&lt;/p&gt;  &lt;p&gt;Brian Keith Montgomery worked on a covert program for the National Geospatial-Intelligence Agency — the spy agency in charge of satellite and aerial image collection. 
On April 9, he was carrying out his duties when he saw a message that “provided significant detail about a classified operation” that was unrelated to his job, according to an affidavit filed by a Pentagon investigator.&lt;/p&gt;  &lt;p&gt;The operation is not detailed in the &lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/09/montgomery_affidavit.pdf"&gt;affidavit&lt;/a&gt; (.pdf), but there is a reference to the 902nd Military Intelligence Battalion, an Army counterintelligence unit based at Fort Meade in Maryland, with a presence at more than 50 other locations inside and outside the United States. The 902nd faced controversy in 2005, when NBC News published documents showing the unit had been &lt;a href="http://www.msnbc.msn.com/id/10481600/"&gt;spying on American anti-war protesters&lt;/a&gt;. Under the guise of fighting terrorism, the group had filed intelligence reports on legal demonstrations, including a weekly protest at an Atlanta recruiting station, and a protest at the University of California at Santa Cruz.&lt;/p&gt;  &lt;p&gt;According to the government, Montgomery ignored a security warning in the message he saw, and twice logged in to a classified system used in the terrorism investigation: first on April 9, when he stayed on for two hours, and then on April 14. He’d gotten the password from another classified message to which he also had legitimate access.&lt;/p&gt;  &lt;p&gt;Curiously, just by accessing the system, Montgomery endangered the terrorism investigation, and “caused harm to the U.S. Army and the FBI,” according to the affidavit by Dexter Wells, an agent with the Defense Criminal Investigative Service.&lt;/p&gt;  &lt;p&gt;Montgomery’s alleged motives are unclear, but he told DCIS that he was very interested in the information in the program, Wells wrote. 
Montgomery also told investigators that he thought he was allowed to log in to the system, and hadn’t noticed a warning saying that only officials participating in the operation were allowed to use the password.&lt;/p&gt;  &lt;p&gt;“It was not until I was called on the carpet, that I went back and read the warning notice in the message traffic,” Montgomery allegedly told DCIS.&lt;/p&gt;  &lt;p&gt;The nature of the system at issue is not clear, but it was used from all around the United States as part of the terrorism investigation, and was being monitored by the FBI at the time of his alleged access. That’s evidently what led to the probe of Montgomery, who worked at a National Geospatial-Intelligence Agency facility at Fort Belvoir in northern Virginia.&lt;/p&gt;  &lt;p&gt;There are no allegations that Montgomery did anything with the information he obtained.&lt;/p&gt;  &lt;p&gt;He’s charged with a single count of gaining unauthorized access to a protected computer or exceeding authorized access, and obtaining classified information. 
Prosecutors in the Eastern District of Virginia, where Montgomery was charged Friday, did not return a phone call.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:7788a143-86d2-4b60-9f1f-799b9b3ff16a" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Intelligence+Analyst" rel="tag"&gt;Intelligence Analyst&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Brian+Keith+Montgomery" rel="tag"&gt;Brian Keith Montgomery&lt;/a&gt;,&lt;a href="http://technorati.com/tags/National+Geospatial-Intelligence+Agency" rel="tag"&gt;National Geospatial-Intelligence Agency&lt;/a&gt;,&lt;a href="http://technorati.com/tags/NGIA" rel="tag"&gt;NGIA&lt;/a&gt;,&lt;a href="http://technorati.com/tags/902nd+Military+Intelligence+Battalion" rel="tag"&gt;902nd Military Intelligence Battalion&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Fort+Mead" rel="tag"&gt;Fort Mead&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/intelligence-analyst-poking-around-gets-the-shaft.html</feedburner:origLink></entry>
    <entry>
        <title>US Government moves towards OpenID</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/yx3wHGjDzcU/us-government-moves-towards-openid.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/us-government-moves-towards-openid.html" thr:count="1" thr:updated="2009-11-11T14:50:50-06:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a5755a44970b</id>
        <published>2009-09-16T13:09:13-05:00</published>
        <updated>2009-09-16T13:09:13-05:00</updated>
        <summary type="html">Jason Miller reports for Federal News Radio about the US government’s attempts to consolidate logins and potentially integrate current PIV card holders into a unified authentication and identity repository for accessing government services. It will be interesting to see where...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;&lt;em&gt;Jason Miller &lt;a href="http://www.federalnewsradio.com/index.php?nid=35&amp;amp;sid=1759859" target="_blank"&gt;reports&lt;/a&gt; for Federal News Radio about the US government’s attempts to consolidate logins and potentially integrate current PIV card holders into a unified authentication and identity repository for accessing government services. It will be interesting to see where this goes but I have the feeling that this is a step closer to what a number of other countries are attempting. In one corner, you have cost saving measures by reducing redundancy and in the other, you have the paranoia and potential misuse of having just one repository of your federal identity. Of course, having numerous repositories of your identity spread amongst different government agencies is no more secure…&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;From the article:&lt;/p&gt;  &lt;p&gt;The &lt;a href="http://www.nih.gov/" target="_blank"&gt;National Institutes of Health&lt;/a&gt; will kick off a pilot in the next few weeks to test how it would use commercial applications, such as &lt;a href="http://info.yahoo.com/center/us/yahoo/" target="_blank"&gt;Yaho&lt;/a&gt;o or &lt;a href="http://www.google.com/intl/en/corporate/" target="_blank"&gt;Google&lt;/a&gt;, to let employees and citizens sign up for services. &lt;/p&gt;  &lt;p&gt;Federal chief information officer Vivek Kundra says the goal is to show how the government could do away with the need for multiple usernames and passwords for government services and use existing commercial infrastructure. &lt;/p&gt;  &lt;p&gt;"One of things we have to recognize is the U.S. 
government continues to invest in platforms we shouldn't be investing in," says Kundra today at the &lt;a href="http://www.gov2summit.com/" target="_blank"&gt;Gov 2.0 Summit&lt;/a&gt; in Washington sponsored by &lt;a href="http://oreilly.com/" target="_blank"&gt;O'Reilly Media&lt;/a&gt; and &lt;a href="http://www.techweb.com/home" target="_blank"&gt;TechWeb&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;"If you wanted to go out there today and make a reservation for a camping site, the &lt;a href="http://www.doi.gov/" target="_blank"&gt;Department of Interior&lt;/a&gt;, through &lt;a href="http://www.recreation.gov/" target="_blank"&gt;Recreation.gov&lt;/a&gt;, would force you to create an account and you would use once or a couple of times, and you would never use it again. The same thing if you went to the NIH, GSA and every other agency. It leads to poor service and higher costs because a lot of that infrastructure is disposable." &lt;/p&gt;  &lt;p&gt;Kundra says the goal is to use existing platforms for services that are not sensitive. &lt;/p&gt;  &lt;p&gt;"We've been working with the &lt;a href="http://openid.net/ " target="_blank"&gt;OpenID foundation&lt;/a&gt; to look at how we could create a trust framework across the federal government with the providers of Open ID to be able to authenticate and allow people to have access to some of the government services," he says. &lt;/p&gt;  &lt;p&gt;"What this will allow to do is move from Web sites on the federal government's end that are &lt;a href="http://en.wikipedia.org/wiki/Brochureware" target="_blank"&gt;brochureware&lt;/a&gt; to actually be very interactive, service driven sites that American people can use within their own context." &lt;/p&gt;  &lt;p&gt;Kundra says one of the biggest issues for the pilot is the security and privacy issues. 
&lt;/p&gt;  &lt;p&gt;"We want to make sure that if you signed up for those accounts that you as the consumer have full consent of what is happening with the data, how you authenticate and opting in," he says. &lt;/p&gt;  &lt;p&gt;"At the NIH level, if you want to sign up for a conference, why not use one of those platforms instead of building an entire new infrastructure. Most people have accounts that could be used." &lt;/p&gt;  &lt;p&gt;Don Thibeau, executive director of the OpenID Foundation, says the NIH pilot will show how interactions with researchers and scientists worldwide can be easier. &lt;/p&gt;  &lt;p&gt;"If you are looking for information on the latest information on cancer research, OpenID is an onramp to engage NIH so they can remember who you are," he says. &lt;/p&gt;  &lt;p&gt;"It also allows you to on your choice give permissions for NIH to know more about you. It begins that relationship so they can tailor the kind of content that you have access to or the kind of information they would like to recommend to you at a level of assurance that the citizen is comfortable with." &lt;/p&gt;  &lt;p&gt;Judy Spencer, the chairwoman of the &lt;a href="http://www.idmanagement.gov/fpkipa/" target="_blank"&gt;Federal Public Key Infrastructure Policy Authority&lt;/a&gt;, says the &lt;a href="http://www.cio.gov/" target="_blank"&gt;CIO Council&lt;/a&gt; and &lt;a href="http://www.idmanagement.gov/ficc/index.htm" target="_blank"&gt;Federal Identity Credentialing Committee&lt;/a&gt; are trying to allay some security and privacy concerns about using commercial sites. 
&lt;/p&gt;  &lt;p&gt;She says they have adopted six privacy principles for this and other pilots: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The user only can opt in; &lt;/li&gt;    &lt;li&gt;The government will accept only a minimal amount of personal information; &lt;/li&gt;    &lt;li&gt;The government will not track the user's activity online; &lt;/li&gt;    &lt;li&gt;The government will not accept any personal identifiable information; &lt;/li&gt;    &lt;li&gt;Users will receive adequate notice that the government is collecting certain information; &lt;/li&gt;    &lt;li&gt;If the service is terminated, the data remains protected. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Kundra says this concept could be extended to the internal government operations. &lt;/p&gt;  &lt;p&gt;He says because more and more federal employees, and contractors, have secure identity cards under Homeland Security Presidential Directive 12, there are opportunities there as well. &lt;/p&gt;  &lt;p&gt;As of June 1, almost 2.7 million federal employees and 745,000 contractors have &lt;a href="http://www.nextgov.com/the_basics/tb_20080610_8037.php" target="_blank"&gt;HSPD-12&lt;/a&gt; compliant cards. &lt;/p&gt;  &lt;p&gt;The NIH pilot is part of a broader initiative by the Obama administration to better integrate federal identity management, which includes the federal public key infrastructure efforts, HSPD-12 and the &lt;a href="http://www.idmanagement.gov/" target="_blank"&gt;E-Authentication initiative&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;The CIO Council's &lt;a href="http://www.cio.gov/InformationSecurity.cfm" target="_blank"&gt;Information Security and Identity Management Committee&lt;/a&gt; is updating the federal ID management handbook. &lt;/p&gt;  &lt;p&gt;"We are trying to develop a government-wide credential and access management framework or landscape that all of these other initiatives will be able to take advantage of," Spencer says. 
&lt;/p&gt;  &lt;p&gt;"If we do our job right, then these other entities will be able to leverage that and not have to silo or reinvent these things." &lt;/p&gt;  &lt;p&gt;Spencer, who also spoke at the Gov 2.0 Summit, says the government's success in tackling identity management has been mixed. She says since the early 2000s, initiatives such as e-authentication and HSPD-12 have made identity management easier. &lt;/p&gt;  &lt;p&gt;"We have been stymied in reaching the 300 million American citizens who want to do business with the government," she says. &lt;/p&gt;  &lt;p&gt;"That is why we have started to look at open solutions and leverage those companies that already are doing business with the government." &lt;/p&gt;  &lt;p&gt;The OpenID Foundation says this includes 10 companies, including Yahoo!, &lt;a href="https://www.paypal.com/" target="_blank"&gt;PayPal&lt;/a&gt;, Google, &lt;a href="http://www.equifax.com/home/" target="_blank"&gt;Equifax&lt;/a&gt; and &lt;a href="http://www.aol.com" target="_blank"&gt;AOL&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;Thibeau says this initiative builds on past strategies. &lt;/p&gt;  &lt;p&gt;"This time the government has deliberately reached out to the private sector for [several] things: to meet citizens where they are today, this opportunity brings the citizen identity to the government so unlike previous accounts this doesn't require the citizen or user to do anything new," Thibeau says. &lt;/p&gt;  &lt;p&gt;"It says you will have access to government sites with the identity you have today through the identity provider you have chosen." &lt;/p&gt;  &lt;p&gt;Thibeau says the open ID standard is not owned by any one company, but it is a set of protocols many companies have agreed to follow. &lt;/p&gt;  &lt;p&gt;Spencer says from this pilot citizens will grow more comfortable with using federal services online, and more complex transactions can happen once that trust is establish. 
&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:5533ec7f-bb83-493c-905e-fe247a678eea" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/National+Institute+of+Health" rel="tag"&gt;National Institute of Health&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Yahoo" rel="tag"&gt;Yahoo&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Google" rel="tag"&gt;Google&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Paypal" rel="tag"&gt;Paypal&lt;/a&gt;,&lt;a href="http://technorati.com/tags/AOL" rel="tag"&gt;AOL&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Equifax" rel="tag"&gt;Equifax&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Vivek+Kundra" rel="tag"&gt;Vivek Kundra&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Chief+Information+Officer" rel="tag"&gt;Chief Information Officer&lt;/a&gt;,&lt;a href="http://technorati.com/tags/O'Reilly" rel="tag"&gt;O'Reilly&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Technweb" rel="tag"&gt;Technweb&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Department+of+Interior" rel="tag"&gt;Department of Interior&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Gov+2.0+Summit" rel="tag"&gt;Gov 2.0 Summit&lt;/a&gt;,&lt;a href="http://technorati.com/tags/OpenID" rel="tag"&gt;OpenID&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Federal+Public+Key+Infrastructure+Policy+Authority" rel="tag"&gt;Federal Public Key Infrastructure Policy Authority&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CIO+Council" rel="tag"&gt;CIO Council&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Federal+Identity+Credentialing+Committee" rel="tag"&gt;Federal Identity Credentialing Committee&lt;/a&gt;,&lt;a href="http://technorati.com/tags/HSPD-12" rel="tag"&gt;HSPD-12&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/E-Authentication" rel="tag"&gt;E-Authentication&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/us-government-moves-towards-openid.html</feedburner:origLink></entry>
    <entry>
        <title>Implementing Identity Management? What to ask</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/uIMwzoB2KIc/implementing-identity-management-what-to-ask.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/implementing-identity-management-what-to-ask.html" thr:count="1" thr:updated="2010-07-30T05:01:29-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a56d07da970b</id>
        <published>2009-09-14T11:16:03-05:00</published>
        <updated>2009-09-14T11:17:22-05:00</updated>
        <summary type="html">This is a nice primer for those who don’t know where to start when contemplating an identity management solution. As with most things in technology security, knowing the right questions at the beginning and formulating the right policies is 90%...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;h5&gt;&lt;strong&gt;This is a nice primer for those who don’t know where to start when contemplating an identity management solution. As with most things in technology security, knowing the right questions at the beginning and formulating the right policies is 90% of the process.&lt;/strong&gt;&lt;/h5&gt;  &lt;h5&gt;&lt;strong&gt;&lt;a href="http://gcn.com/articles/2009/09/14/identity-management-access-control-12-questions.aspx" target="_blank"&gt;From GCN&lt;/a&gt;:&lt;/strong&gt;&lt;/h5&gt;  &lt;p&gt;&lt;strong&gt;“Here are 12 questions to ask before implementing an identity management and access control system.&lt;/strong&gt;&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;&lt;strong&gt;What non-information technology departments and systems need to work with the identity management system? For example, human resources, physical security, finance? Do they already have information or systems in place that will help the initiative? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What business processes need to be put in place to support identity management? Who will create, implement and manage the processes? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Is a suite or best-of-breed approach best for your organization? Does the suite have everything you need, or will you still need additional components from other vendors? Can you purchase just one part of the suite and add other components later? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What existing systems will need to integrate with the identity management system? Identity management software typically works well with Web-based or commercial applications but not with custom applications. Who will do the integration? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What expertise do you have in-house for implementing the system? What outside help is required? 
&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Which features of identity management will you implement first — single sign-on, provisioning, identity life cycle management, role-based access control? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;How will users be de-provisioned so there are no orphan accounts? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Who is responsible for defining roles and access rights and assigning those to users? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Besides agency employees, who else needs access — general public, vendors, contractors, state and local agencies? How will you manage and control them? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What types of physical components need to be integrated — Homeland Security Presidential Directive 12 smart cards, fingerprint readers, door locks, radio frequency identification chips and sensors? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What cultural barriers will you have to overcome? How? &lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;How will you balance security needs with usability? You don't want users using Post-it Notes to keep track of passwords that are too difficult to remember or have excessive help-desk calls for password resets.”&lt;/strong&gt;&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;&lt;strong&gt;Michael Mongold&lt;/strong&gt;&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:632e3128-f49b-451a-a32b-4773e9e96187" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Identity+Management" rel="tag"&gt;Identity Management&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/implementing-identity-management-what-to-ask.html</feedburner:origLink></entry>
    <entry>
        <title>Legal Hazards of Federated Identity</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/CCnLw0LGHps/legal-hazards-of-federated-identity.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/legal-hazards-of-federated-identity.html" thr:count="2" thr:updated="2011-02-17T10:22:46-06:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a56b9868970b</id>
        <published>2009-09-14T05:10:50-05:00</published>
        <updated>2009-09-14T05:10:50-05:00</updated>
        <summary type="html">Beyond the technical complexities of Identity Federation, Thomas Smedinghoff explains what is truly holding back wider-spread adoption of federated identification models. “’Who are you?’ is a fundamental question for all online business activities. Whether a company wants to allow employees,...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;Beyond the technical complexities of Identity Federation, Thomas Smedinghoff &lt;a href="http://www.cio.com/article/178001/Legal_Obstacles_Delaying_Federated_Identity_Management?page=1&amp;amp;taxonomyId=1419" target="_blank"&gt;explains&lt;/a&gt; what is truly holding back wider-spread adoption of federated identification models.&lt;/p&gt;  &lt;p&gt;“’Who are you?’ is a fundamental question for all online business activities. Whether a company wants to allow employees, contractors or business partners to remotely access its networks, or engage in online commercial transactions, the need to authenticate the identity of the remote party is a critical one. &lt;/p&gt;  &lt;p&gt;   &lt;p&gt;&lt;a href="http://www.csoonline.com/fundamentals/abc_id_management_pf.html "&gt;&lt;/a&gt;&lt;/p&gt; Moreover, in today's security-conscious environment, authentication is a legal issue. A company's legal obligation to provide information security clearly includes a duty to properly authenticate persons seeking access to the company's computer systems or services. For example, in a recent case brought by the victim of identity theft, the issuer of a credit card was held liable for failing to properly authenticate the identity of the applicant/imposter. &lt;/p&gt;  &lt;p&gt;Enter federated identity management, a promising approach to dealing with the cost and complexity of addressing this often-difficult identity problem. Much work is being done by groups such as Liberty Alliance, WS-Federation and others to develop technical specifications that allow a business to verify the identity of a person seeking to access its systems by obtaining a digital credential issued by a third party. Yet the concept of federated identity management raises critical legal issues that often get overlooked in the struggle to develop appropriate specifications. 
And failure to recognize and address these legal issues will delay the widespread implementation of federated identity options. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://ad.doubleclick.net/click;h=v8/38a8/0/0/%2a/j;44306;0-0;0;16129298;14617-580/80;0/0/0;;~aopt=2/1/62/0;~sscs=%3f"&gt;&lt;img border="0" alt="Click here to find out more!" src="http://m1.2mdn.net/viewad/817-grey.gif"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;At its essence, identity management has two components. First, individuals (or businesses or devices) must be properly identified (e.g., this is &lt;a href="http://www.cio.com/article/178001/subject/John+Smith"&gt;John Smith&lt;/a&gt;, an employee of ABC company who works in accounting). Second, a mechanism must be devised to verify that someone claiming to be a particular person and seeking remote access is, in fact, the same person as the one previously identified (e.g., the person claiming to be John Smith and seeking remote access to the accounting database is really John Smith because he has presented the shared secret we gave to the person we previously identified as John Smith). &lt;/p&gt;  &lt;p&gt;Traditionally, each business has handled its own identity management. That is, a company identified its own employees and customers and then set up a mechanism, such as a system of shared secrets or passwords, by which those persons could be authenticated for remote network access. Today, however, businesses and government agencies are increasingly looking to third parties to handle the difficult—and often expensive—task of identification. And users, overloaded with passwords, are looking for a one-stop option. &lt;/p&gt;  &lt;p&gt;Federated identity has emerged as a promising solution. A federated identity model enables the portability of identity information or identity tokens across different systems and entities. 
Thus, for example, one organization (e.g., the &lt;a href="http://www.cio.com/article/178001/subject/Social+Security+Administration"&gt;Social Security Administration&lt;/a&gt;) can authenticate a person by relying on an identity assertion made by a separate organization (e.g., a bank) that previously identified the person when he opened an account. So long as a protocol exists for sharing the identity data between the bank and SSA, that person can do business with SSA using the user ID and password issued by his bank. &lt;/p&gt;  &lt;p&gt;That assumes, of course, that SSA trusts the identity verification process used by the bank, and that the bank can appropriately limit its liability risk should it make a mistake. These issues, among many others, are some of the key legal problems that must be addressed before the process will scale. &lt;/p&gt;  &lt;p&gt;While the technical details and specifications of a federated identity system can become quite complex, the legal issues are readily apparent by looking at an oversimplified summary of what actually happens: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Someone (a relying party) wants to know something about the identity of a particular person (the subject). The subject may, for example, be an individual seeking access to the relying party's network, a person seeking to enter into an online contract with the relying party or someone seeking to access an account with the relying party. &lt;/li&gt;    &lt;li&gt;To provide the required identity information, a third party that has previously identified the subject (the identity provider) issues a digital credential or token to make an assertion about the identity of the subject to the relying party. 
&lt;/li&gt;    &lt;li&gt;The token is communicated to the relying party (by either the subject or the identity provider, depending on the system involved) and the relying party validates the token, and then relies on the associated identity assertion from the identity provider in order to grant access to the subject or proceed with the proposed transaction.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;There are, of course, many ways to accomplish the foregoing, ranging from relatively simple user ID and password systems to very complex public key infrastructures. But in all cases there are some very basic questions that need to be asked, all of which raise potentially significant legal issues. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://ad.doubleclick.net/click;h=v8/38a8/0/0/%2a/j;44306;0-0;0;16129298;14617-580/80;0/0/0;;~aopt=2/1/62/0;~sscs=%3f"&gt;&lt;img border="0" alt="Click here to find out more!" src="http://m1.2mdn.net/viewad/817-grey.gif"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Identification Process&lt;/strong&gt; First and foremost, what is the process that the identity provider uses to establish the identity of the subject? That process is critical to the reliability of an identity assertion. For example, does the identity provider do an in-person interview of the subject and examine multiple government-issued photo identification documents, or does it simply rely on the subject's self-asserted claims made over the Internet? And what mechanisms are in place to ensure that the identity provider has actually complied with that process? For example, is there a requirement for an external audit? &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Personal Information&lt;/strong&gt; What are the rules that govern the privacy and security of the personal information about the subject that is collected by the identity provider? 
Since the subject must provide the identity provider with certain personal information to establish his or her identity, the protection of that information becomes critical. Likewise, if the identity provider will be communicating some of that information to a relying party as part of an identity assertion, the subject needs to know what rights the relying party has to use and further communicate, and what obligations it has to protect, that information. &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Scope of Assertion&lt;/strong&gt; What is the scope of the identity assertion? For example, does an assertion that someone is "&lt;a href="http://www.cio.com/article/178001/subject/Bill+Gates"&gt;Bill Gates&lt;/a&gt;" mean that this person is Bill Gates of Microsoft, Bill Gates of Peoria, &lt;a href="http://www.cio.com/article/178001/subject/Illinois"&gt;Illinois&lt;/a&gt;, or some other random person with that name? Does it mean that this person has a bank account in the name of Bill Gates? Or does it simply mean that this person &lt;em&gt;claims&lt;/em&gt; to be Bill Gates? The answer to this type of question will have a significant impact on the willingness of the relying party to proceed with different types of transactions on the basis of the identity assertion. And it will also affect the liability of the identity provider in the event the assertion is incorrect. &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Use of Assertion&lt;/strong&gt; What type of transaction is appropriate for use of the identity assertion? The level of identity checking required to make an identity assertion for accessing the control processes of a nuclear reactor is presumably much greater than the identity verification necessary to justify access to the local garden club website. The identity provider will want to limit the scope of the use of an identity assertion. &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Liability&lt;/strong&gt; The potential liability of each of the parties is also important to consider. 
Specifically, what is the liability of the subject for providing false identity information, or for failing to protect the password or key necessary to initiate an identity assertion? What is the liability of the identity provider for failing to follow proper identification procedures that result in an incorrect identity assertion? What is the liability of the relying party for trusting a fraudulent assertion (e.g., in the case of identity theft), especially in a case where it could have determined that the assertion was false?&lt;/p&gt;  &lt;p&gt;There are a variety of possible approaches to developing a legal infrastructure to address questions like these. They include enacting legislation or regulations (such as those we see in some other countries), establishing a set of private system rules that all parties contractually agree to (such as used by funds transfer systems and in the credit card industry), establishing public standards that parties publicly agree to and are audited against as a condition of participating (as in the case of Extended Validation SSL certificates), entering into a series of one-on-one contractual relationships (such as the federal government has been doing with selected identity providers), and relying on public disclosures of practices (such as with the traditional PKI approach). Each of these approaches has positive and negative attributes. &lt;/p&gt;  &lt;p&gt;Without some type of a legal framework to address these issues, however, a federated identity model will likely not scale. At least in the case of economically significant transactions, the risks to each of the parties of such unresolved issues are simply too great to justify reliance on the federated process. 
These questions, and others like them, are the legal land mines that stand in the way of a viable federated identity management infrastructure.”&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:65b3f200-c7de-4bbd-8ab9-7e9b3e4ff744" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Federated+Identity" rel="tag"&gt;Federated Identity&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Identification+Process" rel="tag"&gt;Identification Process&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Personal+Information" rel="tag"&gt;Personal Information&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Scope+of+Assertion" rel="tag"&gt;Scope of Assertion&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Use+of+Assertion" rel="tag"&gt;Use of Assertion&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Liability" rel="tag"&gt;Liability&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Federation" rel="tag"&gt;Federation&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Identity" rel="tag"&gt;Identity&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/legal-hazards-of-federated-identity.html</feedburner:origLink></entry>
    <entry>
        <title>The breadth and complexities of identity management</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/Mp1lud-JcMA/the-breadth-and-complexities-of-identity-management.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/the-breadth-and-complexities-of-identity-management.html" thr:count="1" thr:updated="2010-03-05T01:20:00-06:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a5650d6a970b</id>
        <published>2009-09-11T16:33:36-05:00</published>
        <updated>2009-09-11T16:33:36-05:00</updated>
        <summary type="html">From multi-factor authentication to single sign-on to user provisioning: identity management can be an incredibly broad and complex endeavor. In a great article, Drew Robb writing for GCN gives a high level example of why this industry is so nebulous...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;h4&gt;From multi-factor authentication to single sign-on to user provisioning: identity management can be an incredibly broad and complex endeavor. In a great article, &lt;a href="http://gcn.com/articles/2009/09/14/identity-management-access-control-systems.aspx" target="_blank"&gt;Drew Robb writing for GCN&lt;/a&gt; gives a high level example of why this industry is so nebulous yet so necessary…&lt;/h4&gt;  &lt;p&gt;“Identity management and access control systems have a simple purpose: ensure that users can access only the data and applications they need. However, getting to that point is not so simple.&lt;/p&gt;  &lt;p&gt;Many large organizations have a variety of systems in operation. Different parts of the organization might manage those systems, and they might have a range of processes to acquire user information and approvals.&lt;/p&gt;  &lt;p&gt;“When a large government organization takes on a project to automate provisioning, it must include the request process, the approval process, the routing, and, ultimately, the provisioning of credentials and entitlements into the target systems,” said Gregg Kreizman, &lt;a href="http://www.gartner.com/technology/home.jsp" target="_blank"&gt;Gartner’s&lt;/a&gt; research director. “Many user provisioning projects have failed because organizations didn't take into account the amount of business process change involved.”&lt;/p&gt;  &lt;p&gt;Although some organizations have failed to implement identity management systems, there also have been successful deployments. 
And integrated identity management and access control suites are making it easier to achieve the desired result.&lt;/p&gt;  &lt;p&gt;“The issue here is balancing privacy, security and ease of use for the user,” said Jon Oltsik, principal analyst at &lt;a href="http://www.enterprisestrategygroup.com/" target="_blank"&gt;Enterprise Strategy Group&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Define the scope&lt;/p&gt;  &lt;p&gt;Implementing an identity management system goes beyond just making sure people have their &lt;a href="http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm" target="_blank"&gt;Homeland Security Presidential Directive 12&lt;/a&gt; &lt;a href="http://www.rsa.com/glossary/default.asp?id=1072" target="_blank"&gt;Personal Identity Verification cards&lt;/a&gt; and can remember their passwords.&lt;/p&gt;  &lt;p&gt;“What we consider to be identity and access management is really a combination of at least a dozen different technologies,” said Bill Nagel, an analyst at &lt;a href="http://www.forrester.com/rb/research" target="_blank"&gt;Forrester Research&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Forrester Research evaluates identity management vendors based on 14 different technologies: directories, enterprise single sign-on, entitlement management, federation, identity audit, metadirectories, multifactor authentication, password management, privileged user and password management, provisioning, role management, user-centric identity, virtual directories, and Web single sign-on.&lt;/p&gt;  &lt;p&gt;Gartner tracks vendors in three different categories related to identity management: single sign-on, user provisioning and Web access management.&lt;/p&gt;  &lt;p&gt;When implementing an identity management system, organizations need to agree on what is necessary to meet business needs, a process that starts with determining what you have in place. 
That review should include policies, procedures, workflows, hardware, data sources and software, and it must include all departments.&lt;/p&gt;  &lt;p&gt;“A lot of people are coming to realize that ID management is, first and foremost, not a technology problem,” said Paul Donfried, vice president of identity and access management at &lt;a href="http://www.saic.com/" target="_blank"&gt;Science Applications International Corp.&lt;/a&gt; “It is an issue that permeates organizations, and you tend to find certain functions that had to historically manage identities.”&lt;/p&gt;  &lt;p&gt;A human resources department typically will run an employment eligibility check on applicants before hiring them and might already have the organizational structure, chain of command and employee roles loaded into a human resources management system. That data can serve as a basis for creating the identities, roles and authorizations in the system.&lt;/p&gt;  &lt;p&gt;For example, when the Agriculture Department needed to implement HSPD-12, it used the department's &lt;a href="http://74.125.47.132/search?q=cache:C4BPV23Q7BIJ:i2i.nfc.usda.gov/Customer_Support/Presentations/Dantagnan%2520EmpowHR%25209.0-0708.ppt+PeopleSoft+EmpowHR&amp;amp;cd=1&amp;amp;hl=en&amp;amp;ct=clnk&amp;amp;gl=us" target="_blank"&gt;PeopleSoft EmpowHR&lt;/a&gt; system as the authoritative starting point for employment status and then expanded it to cover contractors and state and local government employees who also needed access. Procurement employees know what vendors should be included. Payroll and security staff members can contribute other information that the system should incorporate.&lt;/p&gt;  &lt;p&gt;Next, find out the business needs of the stakeholders. In addition to IT access, be sure to consider additional functions that might be needed, such as verification of electronic signatures. 
From there, design an implementation project that meets those needs and will engender support.&lt;/p&gt;  &lt;p&gt;“You need to think about the business needs of agencies and not think of it as purely an exercise in deploying technology,” said Gerry Gebel, vice president and service director of &lt;a href="http://www.burtongroup.com/Research/Idps.aspx" target="_blank"&gt;Burton Group’s Identity and Privacy Strategies.&lt;/a&gt; “This will result in a more successful deployment, happy customers and increased likelihood that they will invest in future identity management improvements.”&lt;/p&gt;  &lt;p&gt;Selecting products&lt;/p&gt;  &lt;p&gt;After determining the business needs, you can start looking at the software available to automate the processes. As with other types of enterprise software, the initial choice is between buying an identity management suite and taking a best-of-breed approach. However, with identity management software, software packages could be composed of products that other vendors recently acquired because the market is rapidly consolidating.&lt;/p&gt;  &lt;p&gt;“Sometimes, these products have been integrated seamlessly, but with others, it is an ongoing process,” Nagel said.&lt;/p&gt;  &lt;p&gt;There are five main vendors in the identity management field: &lt;a href="http://www.ca.com/us/identity-access-management.aspx" target="_blank"&gt;CA&lt;/a&gt;, &lt;a href="http://www-01.ibm.com/software/tivoli/solutions/identity-mgmt/" target="_blank"&gt;IBM&lt;/a&gt;, &lt;a href="http://www.novell.com/products/identitymanager/" target="_blank"&gt;Novell&lt;/a&gt;, &lt;a href="http://www.oracle.com/technology/products/id_mgmt/index.html" target="_blank"&gt;Oracle&lt;/a&gt; and &lt;a href="http://www.sun.com/software/identity/index.jsp" target="_blank"&gt;Sun Microsystems&lt;/a&gt;. Although Oracle recently acquired Sun, Nagel said there is significant redundancy between the two companies’ identity management offerings. 
It isn't known yet whether Sun's suite will be able to improve the strength of Oracle's offering, which is already ranked No. 1 by Forrester and Gartner.&lt;/p&gt;  &lt;p&gt;In addition to those five vendors, dozens of other large and small companies offer niche products. Donfried said that when selecting a product — whether it's a suite or best of breed — the first thing to look for is flexibility.&lt;/p&gt;  &lt;p&gt;“More than anything, you want to avoid locking in to any single vendor or any type of proprietary solution,” he said. “Whatever we view as the right standard and the right solution today, by the time we have it installed, configured and operational, it is outdated.”&lt;/p&gt;  &lt;p&gt;Oltsik recommended keeping an eye on the emergence of what he calls Identity 2.0 technologies, such as the open-source, Web-based single-sign-on systems &lt;a href="http://openid.net/" target="_blank"&gt;OpenID&lt;/a&gt; and the &lt;a href="http://shibboleth.internet2.edu/" target="_blank"&gt;Shibboleth System&lt;/a&gt;, in addition to Microsoft's &lt;a href="http://www.microsoft.com/windows/products/winfamily/cardspace/default.mspx" target="_blank"&gt;CardSpace&lt;/a&gt;. Those technologies provide users with claims-based authentication, single sign-on and data privacy.&lt;/p&gt;  &lt;p&gt;“It is too early for agencies to 'buy' an Identity 2.0 solution, but they should be paying attention to and supporting standards and product development,” Oltsik said. 
“Since ID 2.0 is built to support anonymity and privacy, it may be a perfect fit for e-government initiatives like online voting and health care reform, enabling cost-saving e-government initiatives without violating the legislative or regulatory requirements around privacy.”&lt;/p&gt;  &lt;p&gt;Gradual implementation&lt;/p&gt;  &lt;p&gt;Fully implementing an identity management system is a multiyear project involving more than just IT.&lt;/p&gt;  &lt;p&gt;“The biggest mistake is not having a vision of the end state right at the beginning and not having full commitment to go through the process,” Forrester’s Nagel said.&lt;/p&gt;  &lt;p&gt;After agreeing on a vision, it is a matter of selecting which aspect to implement first and carrying that through to completion so there is an observable improvement and return on investment. Targeting commercial and Web-based products will make for quick success before tackling the more complex problems of integrating existing applications.&lt;/p&gt;  &lt;p&gt;“When we look at the larger agencies, it tends to be their legacy applications and their legacy environment that becomes very complex,” Donfried said.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:60e3f6cf-2659-46d4-ae4b-7b95023b1281" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Identity+Management" rel="tag"&gt;Identity Management&lt;/a&gt;,&lt;a href="http://technorati.com/tags/GCN" rel="tag"&gt;GCN&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CA" rel="tag"&gt;CA&lt;/a&gt;,&lt;a href="http://technorati.com/tags/IBM" rel="tag"&gt;IBM&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Sun" rel="tag"&gt;Sun&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Oracle" rel="tag"&gt;Oracle&lt;/a&gt;,&lt;a
href="http://technorati.com/tags/Forrester+Research" rel="tag"&gt;Forrester Research&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Gartner" rel="tag"&gt;Gartner&lt;/a&gt;,&lt;a href="http://technorati.com/tags/SIAC" rel="tag"&gt;SIAC&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Enterprise+Strategy+Group" rel="tag"&gt;Enterprise Strategy Group&lt;/a&gt;,&lt;a href="http://technorati.com/tags/HSPD-12" rel="tag"&gt;HSPD-12&lt;/a&gt;,&lt;a href="http://technorati.com/tags/PIV" rel="tag"&gt;PIV&lt;/a&gt;,&lt;a href="http://technorati.com/tags/single+sign-on" rel="tag"&gt;single sign-on&lt;/a&gt;,&lt;a href="http://technorati.com/tags/entitlement+management" rel="tag"&gt;entitlement management&lt;/a&gt;,&lt;a href="http://technorati.com/tags/federation" rel="tag"&gt;federation&lt;/a&gt;,&lt;a href="http://technorati.com/tags/identity+audit" rel="tag"&gt;identity audit&lt;/a&gt;,&lt;a href="http://technorati.com/tags/metadirectories" rel="tag"&gt;metadirectories&lt;/a&gt;,&lt;a href="http://technorati.com/tags/multi-factor+authentication" rel="tag"&gt;multi-factor authentication&lt;/a&gt;,&lt;a href="http://technorati.com/tags/password+management" rel="tag"&gt;password management&lt;/a&gt;,&lt;a href="http://technorati.com/tags/privileged+user" rel="tag"&gt;privileged user&lt;/a&gt;,&lt;a href="http://technorati.com/tags/user-centric+identity" rel="tag"&gt;user-centric identity&lt;/a&gt;,&lt;a href="http://technorati.com/tags/role+management" rel="tag"&gt;role management&lt;/a&gt;,&lt;a href="http://technorati.com/tags/virtual+directories" rel="tag"&gt;virtual directories&lt;/a&gt;,&lt;a href="http://technorati.com/tags/user+provisioning" rel="tag"&gt;user provisioning&lt;/a&gt;,&lt;a href="http://technorati.com/tags/web+access+management" rel="tag"&gt;web access management&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Science+Applications+International+Corp." 
rel="tag"&gt;Science Applications International Corp.&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Peoplesoft+EmpowHR" rel="tag"&gt;Peoplesoft EmpowHR&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Burton+Group" rel="tag"&gt;Burton Group&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Identity+and+Privacy+Strategies" rel="tag"&gt;Identity and Privacy Strategies&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Novell" rel="tag"&gt;Novell&lt;/a&gt;,&lt;a href="http://technorati.com/tags/OpenID" rel="tag"&gt;OpenID&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Shibboleth+System" rel="tag"&gt;Shibboleth System&lt;/a&gt;,&lt;a href="http://technorati.com/tags/OpenCard" rel="tag"&gt;OpenCard&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Microsoft" rel="tag"&gt;Microsoft&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/the-breadth-and-complexities-of-identity-management.html</feedburner:origLink></entry>
    <entry>
        <title>Bio-Key wins with FBI</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/eStJ98GCVMA/bio-key-wins-with-fbi.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/bio-key-wins-with-fbi.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a5bb248b970c</id>
        <published>2009-09-11T14:03:10-05:00</published>
        <updated>2009-09-11T14:03:10-05:00</updated>
        <summary type="html">After shedding their law enforcement division last month, it looks like Bio-Key's focus on straight biometrics is proving fruitful. From Bio-key: BIO-key Biometric Technology Selected as Part of the Next Generation FBI AFIS System “FBI Next Generation Identification Automated Finger...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;After shedding their law enforcement division last month, it looks like Bio-Key's focus on straight biometrics is proving fruitful.&lt;/p&gt;  &lt;p&gt;From Bio-key:&lt;/p&gt;  &lt;p&gt;&lt;b&gt;BIO-key&lt;/b&gt;&lt;b&gt; Biometric Technology Selected as Part of the Next Generation FBI AFIS System&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;“FBI Next Generation Identification Automated Finger Identification System Based on Fusion of BIO-key and MorphoTrak Biometric Algorithms&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Wall, NJ, September 10, 2009&lt;/b&gt; - BIO-key International, a leader in finger-based biometric identification and wireless public safety solutions, announced today that the contract recently awarded by Lockheed Martin to provide fingerprint identification technology for the FBI's Next Generation Identification (NGI) system is based on the fusion of BIO-key and MorphoTrak biometric algorithms. The fusion of the algorithms of these two powerful biometric providers was a key component to delivering the speed, accuracy and reliability of the solution that was selected.&lt;/p&gt;  &lt;p&gt;"This is the most important award the company has ever received and it may be the most important biometric contract ever awarded," said Mike DePasquale, BIO-key's CEO.&lt;/p&gt;  &lt;p&gt;It is no exaggeration to say that the U.S. FBI is the most discerning and most demanding fingerprint user in the world. The award of the contract for the FBI's NGI system was the result of a competitive trade study process that rigorously and objectively evaluated vendors' solutions. BIO-key and MorphoTrak were able to fuse their two fingerprint biometric algorithms to deliver unsurpassed speed and accuracy results from a single fingerprint sample. 
This innovative technology achievement advances the finger matching process beyond what has previously been available.&lt;/p&gt;  &lt;p&gt;"We appreciate the privilege of being selected to be part of this vital national identification project along with MorphoTrak and we look forward to working with the FBI and its contractors including Lockheed Martin to successfully implement and support the most advanced biometric system ever deployed," Mr. DePasquale added.&lt;/p&gt;  &lt;p&gt;"The results we have been able to achieve are extraordinary," stated Mira LaCous, Vice President of Technology and Development.  "BIO-key's core algorithm accuracy and image enhancement/correction solutions provided major improvements to the FBI's current system, and we believe surpassed all other competing technologies. The BIO-key technology provided to MorphoTrak has been developed in the United States and is being used today by our customers in commercial applications, as well as other major large scale civil ID programs.”&lt;/p&gt;  &lt;p&gt;"The selection of BIO-key technology by the FBI, through their contractors Lockheed Martin and MorphoTrak, to be part of the NGI system, validates that BIO-key has some of the industry's most accurate and scalable fingerprint matching technology,” CEO DePasquale observed. “Other agencies and commercial customers, looking to take advantage of the research, testing and decision by the FBI may now reasonably conclude: ’If it is good enough for the FBI, it's certainly good enough for our organization’."  Mr. DePasquale concluded that ‘We are thrilled with how well BIO-key is positioned and with the quality of our references as we look to our future biometric business potential.’”&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/bio-key-wins-with-fbi.html</feedburner:origLink></entry>
    <entry>
        <title>Lenovo facial recognition = fail</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/NR4RKTotWBw/lenovo-facial-recognition-fail.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/lenovo-facial-recognition-fail.html" thr:count="1" thr:updated="2010-05-01T05:17:41-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a5bb1a88970c</id>
        <published>2009-09-11T13:47:25-05:00</published>
        <updated>2009-09-11T13:47:25-05:00</updated>
        <summary type="html">Well, sort of. It did recognize the face but unfortunately it was a picture of the face on a phone. Again, we have some not-so-great press for facial recognition. And sadly, this will only help confuse more potential customers of...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;Well, sort of. It did recognize the face but unfortunately it was a picture of the face on a phone.&lt;/p&gt;  &lt;p&gt;Again, we have some not-so-great press for facial recognition. And sadly, this will only help confuse more potential customers of biometrics about the difference between identification products and authentication products... The face matching itself worked here; what an authentication product like this one also needs is a liveness check, so that a picture of the owner isn't accepted in place of the owner.&lt;/p&gt;  &lt;p&gt;From a &lt;a href="http://www.expertreviews.co.uk/news/267829/lenovo-veriface-biometrics-can-be-fooled-by-a-mobile-phone.html" target="_blank"&gt;Computer Shopper review&lt;/a&gt;…&lt;/p&gt;  &lt;p&gt;“&lt;a href="http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&amp;amp;lndocid=MIGR-72561" target="_blank"&gt;Lenovo's VeriFace application&lt;/a&gt; uses your laptop's webcam to automatically unlock your computer when your face is in front of it. Well, that's the theory. When we tested it, we found that a photo of the laptop's owner worked just as well.&lt;/p&gt;  &lt;p&gt; &lt;a href="http://www.expertreviews.co.uk/#"&gt;&lt;img border="0" src="http://photos.computershopper.co.uk/picture_library/dir_247/it_portal_pic_123763_t.jpg" width="130"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Taking a picture on an HTC Hero and waving the &lt;a href="http://www.expertreviews.co.uk/#" target="_blank"&gt;phone's&lt;/a&gt; screen in front of our G550 &lt;a href="http://www.expertreviews.co.uk/#" target="_blank"&gt;laptop's&lt;/a&gt; webcam caused the system to unlock. All it required was a judicious bit of phone waving to minimize reflections. There seems to be no built-in mechanism to tell a live face from a photo of one.&lt;/p&gt;  &lt;p&gt;The other problem with the system is that while it's running and hunting for a face it's hammering the computer's hard disk, as we could tell from the drive activity light. 
That's not something we like to see on a laptop, particularly when it's running on battery power.&lt;/p&gt;  &lt;p&gt;It's a nice idea in theory, but the poor security it offers means that we'd rather stick with entering a password or using a fingerprint scanner.”&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:495681a9-7b5c-4775-9c7a-4e254cef1c31" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Lenovo" rel="tag"&gt;Lenovo&lt;/a&gt;,&lt;a href="http://technorati.com/tags/VeriFace" rel="tag"&gt;VeriFace&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometric" rel="tag"&gt;biometric&lt;/a&gt;,&lt;a href="http://technorati.com/tags/mobile+phone" rel="tag"&gt;mobile phone&lt;/a&gt;,&lt;a href="http://technorati.com/tags/HTC" rel="tag"&gt;HTC&lt;/a&gt;,&lt;a href="http://technorati.com/tags/facial+recognition" rel="tag"&gt;facial recognition&lt;/a&gt;,&lt;a href="http://technorati.com/tags/G550" rel="tag"&gt;G550&lt;/a&gt;,&lt;a href="http://technorati.com/tags/webcam" rel="tag"&gt;webcam&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/lenovo-facial-recognition-fail.html</feedburner:origLink></entry>
    <entry>
        <title>Biometric surveillance forecast to surge</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/D9kI61Y_gsY/biometric-surveillance-forecast-to-surge.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/biometric-surveillance-forecast-to-surge.html" thr:count="2" thr:updated="2011-03-24T00:36:40-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a560cc1c970b</id>
        <published>2009-09-10T10:07:45-05:00</published>
        <updated>2009-09-10T10:07:45-05:00</updated>
        <summary type="html">In a forecast from Acuity Market Intelligence, the market share of biometric surveillance applications within the biometric industry will reach $872 million in annual revenue by 2017. According to new forecasts from Acuity Market Intelligence, Surveillance posts the strongest market...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;In a forecast from Acuity Market Intelligence, the market share of biometric surveillance applications within the biometric industry will reach $872 million in annual revenue by 2017.&lt;/p&gt;  &lt;p&gt;&lt;i&gt;According to new forecasts from Acuity Market Intelligence, Surveillance posts the strongest market share gain of all biometric applications from 2009 to 2017 growing from less than 1% to nearly 8% of total market revenue and representing a CAGR over the forecast period of 60.99%.&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;Louisville, CO - September 9, 2009 -- Acuity Market Intelligence of Louisville, Colorado, an emerging technology strategy and research consultancy with a proven record of accurately anticipating biometrics market trends, today announced that Acuity's new research report "The Future of Biometrics" reveals that the market for Biometric Surveillance is expected to grow at an astounding compound annual growth rate (CAGR) of 60.99% from 2009 through 2017. Surveillance is projected to post the strongest market share gain of all biometric applications from less than 1% to nearly 8% of total market value representing growth from $19 million to $872 million in annual revenue.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e20120a560cc0e970b-pi"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="Biometrics_Market_Share_by_Application" border="0" alt="Biometrics_Market_Share_by_Application" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e20120a560cc14970b-pi" width="473" height="186"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;"Biometric Surveillance is the ultimate dream application of intelligence and defense communities and the waking nightmare of privacy and civil liberty advocates", says Acuity Principal C. Maxine Most. 
"Until now the conflict and debate have been largely academic. However, today, there are biometric technologies providing distance-based, real-time, non-cooperative image capture i.e. surveillance. Both Face and Iris recognition are commercially available in the two-meter range and are on the verge of operating in the ten-meter range. Another emerging biometric of interest in the surveillance arena is gait recognition. This is particularly useful when trying to identify an individual whose face and/or iris are not visible".&lt;/p&gt;  &lt;p&gt;These findings are part of the wealth of industry insight available in "The Future of Biometrics" market research report published in August 2009. This report offers Acuity's trademark brand of hype-free analysis into the trends, drivers, and opportunities that will shape the biometrics industry and presents detailed market forecasts for 2009 through 2017.&lt;/p&gt;  &lt;p&gt;Key Forecasts from "The Future of Biometrics":&lt;/p&gt;  &lt;p&gt;- Commercial deployment revenues match Public Sector revenues by 2014 and then surpass Public Sector revenues by 2017 representing growth from nearly 41% to just over 55% of the total global market for biometrics core technology.&lt;/p&gt;  &lt;p&gt;- Revenue growth rates vary significantly across regions. The Central and South American region will experience the highest CAGR over the forecast period of 39.46% while growing from nearly 4% to nearly 13% of total global revenues. Overall market dominance will shift from Europe and the US to Asia. North America and EMEA's percentages of total global revenues will decrease over the forecast period from 37% to 26% and 38% to 29% respectively. By 2017, the Asia Pacific Region will generate the greatest percent of revenues for the biometrics industry with more than 32% of global revenues.&lt;/p&gt;  &lt;p&gt;- The dominance of AFIS/Livescan and Fingerprint continues through the forecast period. 
However, by 2017 Iris and Face recognition begin to rival their dominance together accounting for more than 33% of global revenues. Vein, Voice, and Signature will experience modest growth from 3% to 6%, 2% to 5%, and 0.7% to 1.6% respectively over the forecast period.&lt;/p&gt;  &lt;p&gt;- Transactions will ultimately provide the majority of industry revenue. Information and Financial Transactions for the Commercial sector by 2012 and eGovernment for the Public Sector by 2017. By 2017, Information Transactions will represent 12.21% of the global market, Financial Services 18.22% of the global market, and eGovernment will represent 14.23% of the global market.&lt;/p&gt;  &lt;p&gt;- The percent of revenue from Identification Services declines over the forecast period but only from 65% to 47%. Surveillance and Monitoring posts the strongest percentage gain growing from less than 1% to nearly 8% of total market revenue representing a CAGR over the forecast period of a startling 60.99%.&lt;/p&gt;  &lt;p&gt;About Acuity Market Intelligence   &lt;br&gt;Acuity Market Intelligence (&lt;a href="http://www.acuity-mi.com"&gt;www.acuity-mi.com&lt;/a&gt;) is an emerging technology strategy and research consultancy with a proven record of accurately anticipating biometric and associated identification solutions market trends. The company provides strategic planning, market research and analysis, sector tracking, opportunity sizing, solution and deployment analysis, due diligence, executive briefings, and customized consulting. Acuity publishes the industry leading biometrics market analysis newsletter, the Biometrics Market Intelligence eUpdate. Qualified readers can subscribe at &lt;a href="http://www.biometricsmi.com"&gt;www.biometricsmi.com&lt;/a&gt; . 
Founded in October 2001, Acuity is headquartered in Louisville, Colorado, USA with clients in the United States, Asia and Europe.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:3f3f1180-8eee-4e9f-97df-ab4e37ac96ec" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Biometric" rel="tag"&gt;Biometric&lt;/a&gt;,&lt;a href="http://technorati.com/tags/forecast" rel="tag"&gt;forecast&lt;/a&gt;,&lt;a href="http://technorati.com/tags/surveillance" rel="tag"&gt;surveillance&lt;/a&gt;,&lt;a href="http://technorati.com/tags/monitoring" rel="tag"&gt;monitoring&lt;/a&gt;,&lt;a href="http://technorati.com/tags/acuity+market+intelligence" rel="tag"&gt;acuity market intelligence&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometric+market+intelligence" rel="tag"&gt;biometric market intelligence&lt;/a&gt;,&lt;a href="http://technorati.com/tags/applications" rel="tag"&gt;applications&lt;/a&gt;,&lt;a href="http://technorati.com/tags/fingerprint" rel="tag"&gt;fingerprint&lt;/a&gt;,&lt;a href="http://technorati.com/tags/voice" rel="tag"&gt;voice&lt;/a&gt;,&lt;a href="http://technorati.com/tags/vein" rel="tag"&gt;vein&lt;/a&gt;,&lt;a href="http://technorati.com/tags/iris" rel="tag"&gt;iris&lt;/a&gt;,&lt;a href="http://technorati.com/tags/signature" rel="tag"&gt;signature&lt;/a&gt;,&lt;a href="http://technorati.com/tags/AFIS" rel="tag"&gt;AFIS&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Livescan" rel="tag"&gt;Livescan&lt;/a&gt;,&lt;a href="http://technorati.com/tags/recognition" rel="tag"&gt;recognition&lt;/a&gt;,&lt;a href="http://technorati.com/tags/face" rel="tag"&gt;face&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/biometric-surveillance-forecast-to-surge.html</feedburner:origLink></entry>
    <entry>
        <title>Potential chaos looms for Philippine elections and biometric enrollment</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/XEB6V1_KcT8/potential-chaos-looms-for-philippine-elections-and-biometric-enrollment.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/potential-chaos-looms-for-philippine-elections-and-biometric-enrollment.html" thr:count="1" thr:updated="2010-01-11T20:14:09-06:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a55d7e96970b</id>
        <published>2009-09-09T13:25:47-05:00</published>
        <updated>2009-09-09T13:25:47-05:00</updated>
        <summary type="html">MANILA, Philippines—The Commission on Elections (Comelec) has urged voters to verify before October 31 the status of their registration to know if they need to enroll their biometrics or reactivate their registration to vote in the 2010 polls, an official...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;MANILA, Philippines—The Commission on Elections (&lt;a href="http://en.wikipedia.org/wiki/Commission_on_Elections_(Philippines)"&gt;Comelec&lt;/a&gt;) has urged voters to verify before October 31 the status of their registration to know if they need to enroll their biometrics or reactivate their registration to vote in the 2010 polls, an official said.&lt;/p&gt;  &lt;p&gt;Comelec spokesman James Jimenez said verification of registration status can be done in two ways: by asking the election officer in the district where he or she is enlisted and through Comelec's &lt;a href="http://www.comelec.gov.ph/findprecinct/findprecinct.aspx"&gt;Online Find Precinct&lt;/a&gt; page.&lt;/p&gt;  &lt;p&gt;“The poll body encourages every Filipino voter to check the status of their registration and avail of our Find Precinct online service. Right now, we have updated the &lt;a href="http://newsinfo.inquirer.net/breakingnews/nation/view/20090908-224227/Voters-urged-to-check-registration-status#"&gt;database&lt;/a&gt; to include approved registration records until June 2009 so those who registered before June can check their registration. 
Or they can call or visit their local Comelec offices,” said Jimenez.&lt;/p&gt;  &lt;p&gt;Apart from failure to vote in at least two elections, records of a voter will be deactivated and removed from the computerized voters' list (CVL) if he or she has been imprisoned, convicted for crimes against national &lt;a href="http://newsinfo.inquirer.net/breakingnews/nation/view/20090908-224227/Voters-urged-to-check-registration-status#"&gt;security&lt;/a&gt;, declared insane and lost Filipino citizenship, said Jimenez.&lt;/p&gt;  &lt;p&gt;To vote in the next elections, a deactivated voter should file a sworn &lt;a href="http://newsinfo.inquirer.net/breakingnews/nation/view/20090908-224227/Voters-urged-to-check-registration-status#"&gt;application&lt;/a&gt; for reactivation of registration.&lt;/p&gt;  &lt;p&gt;For records with wrong, misspelled or typographical errors in name, birth date or birth place, a voter should:&lt;/p&gt;  &lt;p&gt;• File an application for correction of entries with the election officer    &lt;br&gt;• File an application for change of name if his name is changed by reason of marriage (common for women), by court order and by order of the Civil Registrar or Consul General.&lt;/p&gt;  &lt;p&gt;A voter seeking transfer of registration after a change in residence can apply for transfer of registration to the election office of his new residence. 
Even if the transfer of residence is within the same city or municipality but will result in change of precinct, a voter must file transfer of registration, said Jimenez.&lt;/p&gt;  &lt;p&gt;“Voters are responsible for making sure that their registration record is active and that their names are included and their records correct in the CVL so they can act on it before the end of registration period on October 31,” said Jimenez.&lt;/p&gt;  &lt;p&gt;Jimenez urged registered voters included in the June hearing of the Registration Election Board to visit the Find Precinct &lt;a href="http://newsinfo.inquirer.net/breakingnews/nation/view/20090908-224227/Voters-urged-to-check-registration-status#"&gt;website&lt;/a&gt;, fill up their full names and birth dates on the required fields and gain access to the status of their record, biometrics and even find their precinct number.&lt;/p&gt;  &lt;p&gt;If the database shows the record is deactivated, a voter needs to file an application for reactivation so that his records will be included in the computerized voter's list (CVL) for the next elections, said Jimenez.&lt;/p&gt;  &lt;p&gt;If a voter has an active registration record but has no biometrics, he or she should proceed to the election office of the district where he or she is registered to complete the voter information by enrolling biometrics comprising &lt;a href="http://newsinfo.inquirer.net/breakingnews/nation/view/20090908-224227/Voters-urged-to-check-registration-status#"&gt;digital signature&lt;/a&gt;, photo and finger &lt;a href="http://newsinfo.inquirer.net/breakingnews/nation/view/20090908-224227/Voters-urged-to-check-registration-status#"&gt;print&lt;/a&gt; specimens, he added.&lt;/p&gt;  &lt;p&gt;Voters who filed an application for transfer of registration can also check if their record reflects their new address, after the quarterly REB hearing where their application was approved.&lt;/p&gt;  &lt;p&gt;As of July, there are 2.7 million new voters approved by 
Comelec and six million records delisted from the CVL, making the total number of voters at 45,487,634.&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:17af7da8-2def-4b78-88f3-41ac28f0990c" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Philippine" rel="tag"&gt;Philippine&lt;/a&gt;,&lt;a href="http://technorati.com/tags/vote" rel="tag"&gt;vote&lt;/a&gt;,&lt;a href="http://technorati.com/tags/registration" rel="tag"&gt;registration&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometric" rel="tag"&gt;biometric&lt;/a&gt;,&lt;a href="http://technorati.com/tags/enroll" rel="tag"&gt;enroll&lt;/a&gt;,&lt;a href="http://technorati.com/tags/cvl" rel="tag"&gt;cvl&lt;/a&gt;,&lt;a href="http://technorati.com/tags/comelec" rel="tag"&gt;comelec&lt;/a&gt;,&lt;a href="http://technorati.com/tags/commission+on+elections" rel="tag"&gt;commission on elections&lt;/a&gt;,&lt;a href="http://technorati.com/tags/2010+polls" rel="tag"&gt;2010 polls&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/potential-chaos-looms-for-philippine-elections-and-biometric-enrollment.html</feedburner:origLink></entry>
    <entry>
        <title>Multi-Spectral imaging biometrics</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/QTTGwbEIcgo/multi-spectral-imaging-biometrics.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/multi-spectral-imaging-biometrics.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a55d76e3970b</id>
        <published>2009-09-09T13:18:20-05:00</published>
        <updated>2009-09-09T13:19:58-05:00</updated>
        <summary type="html">In this week’s podcast at SecureIDNews, Phil Scarfo of Lumidigm and Zack Martin of Regarding ID discuss new fronts in biometric authentication methodologies. Check it out… Technorati Tags: multi-spectral,imaging,biometrics,secureidnews,lumidigm,regarding id,biometric,authentication,michael mongold</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;In this week’s podcast at SecureIDNews, Phil Scarfo of &lt;a href="http://www.lumidigm.com/"&gt;Lumidigm&lt;/a&gt; and Zack Martin of &lt;a href="http://www.regardingid.com/"&gt;Regarding ID&lt;/a&gt; discuss new fronts in biometric authentication methodologies. &lt;a href="http://www.secureidnews.com/2009/09/08/episode-38-multi-spectral-imaging-biometrics"&gt;Check it out…&lt;/a&gt;&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:4de9dfa4-e9f8-49f8-814f-613ab112cd61" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/multi-spectral" rel="tag"&gt;multi-spectral&lt;/a&gt;,&lt;a href="http://technorati.com/tags/imaging" rel="tag"&gt;imaging&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometrics" rel="tag"&gt;biometrics&lt;/a&gt;,&lt;a href="http://technorati.com/tags/secureidnews" rel="tag"&gt;secureidnews&lt;/a&gt;,&lt;a href="http://technorati.com/tags/lumidigm" rel="tag"&gt;lumidigm&lt;/a&gt;,&lt;a href="http://technorati.com/tags/regarding+id" rel="tag"&gt;regarding id&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometric" rel="tag"&gt;biometric&lt;/a&gt;,&lt;a href="http://technorati.com/tags/authentication" rel="tag"&gt;authentication&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/multi-spectral-imaging-biometrics.html</feedburner:origLink></entry>
    <entry>
        <title>CompletelyOnline.com - Biometrics Shaking Up Internet Defensive Driving in NY</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/2kAC2gUPvUQ/completelyonlinecom---biometrics-shaking-up-internet-defensive-driving-in-ny.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/completelyonlinecom---biometrics-shaking-up-internet-defensive-driving-in-ny.html" thr:count="1" thr:updated="2009-11-25T05:36:16-06:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a55d6e3b970b</id>
        <published>2009-09-09T13:12:07-05:00</published>
        <updated>2009-09-09T13:12:07-05:00</updated>
        <summary type="html">NEW YORK, Sept. 8 -- The New York State Department of Motor Vehicles has approved the CompletelyOnline biometric face recognition method for student ID validation for use in its Internet defensive driving pilot program. Unlike other biometric methods also approved for the pilot, CompletelyOnline...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;&lt;a href="http://ad.doubleclick.net/click;h=v8/38a3/0/0/%2a/t;44306;0-0;0;38919074;1627-170/40;0/0/0;;~okv=;seg1=10018;type=featured_broker;sz=170x40;articleID=US181282 08-Sep-2009 PRN20090908;~aopt=2/0/c0/0;~sscs=%3f"&gt;&lt;img border="0" alt="" src="http://m1.2mdn.net/viewad/817-grey.gif"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;NEW YORK, Sept. 8 -- The &lt;a href="http://www.nydmv.state.ny.us/"&gt;New York State Department of Motor Vehicles&lt;/a&gt; has approved the &lt;a href="http://www.completelyonline.com/"&gt;CompletelyOnline&lt;/a&gt; biometric face recognition method for student ID validation for use in its Internet defensive driving pilot program. Unlike other biometric methods also approved for the pilot, CompletelyOnline has the unique ability to authenticate a student's identity much the same way his identity would be authenticated in a classroom course. This distinction has already made a big change to New York's online defensive driving industry: The first course sponsor to use CompletelyOnline has been approved to deliver an online course with no graded exams - a first in the nation.&lt;/p&gt;  &lt;p&gt;By submitting an image of the driver's license along with the biometric sample of his face, the student is proving his identity over the Internet the same way he would be proving his identity in person. "Face recognition is the ideal solution for distance learning applications for several reasons," says Armen GeoSimonian, President and CEO of CompletelyOnline.com(R). "The face is both the only human-readable biometric characteristic and the only biometric characteristic that can be authenticated against a driver's license. 
It is truly the closest thing to being in the classroom."&lt;/p&gt;  &lt;p&gt;The &lt;a href="http://www.nysp.com/"&gt;New York Safety Program&lt;/a&gt; (NYSP), is the first course sponsor in New York to use CompletelyOnline, and is launching their "no graded exams" Internet course this week. According to President and CEO of NYSP Anthony Perlongo, "With the help of the CompletelyOnline technology, NYSP has developed an online presentation that we believe comes as close as possible to our classroom delivery. We believe that the combination of NYSP's hard earned reputation and the superior face recognition methodology offered by CompletelyOnline.com(R) is the reason that the NYS DMV has set this remarkable precedent." &lt;/p&gt;  &lt;p&gt;Benefits of taking a DMV approved defensive driving course include both a point reduction from a driver's record and an insurance discount. The idea behind the pilot program was to make these courses, which were previously only available in a classroom, more accessible to busy drivers who would not otherwise be able to attend in person. Student ID validation is a requirement for all defensive driving courses in the pilot program. According to the NYS DMV 650,000 drivers attend an approved classroom course every year. They expect 100,000 drivers to take the course over the Internet in the first year of the pilot.&lt;/p&gt;  &lt;p&gt;About CompletelyOnline.com&lt;/p&gt;  &lt;p&gt;CompletelyOnline.com was established in 2004 and provides its unique patented CompletelyOnline biometric face recognition methodology to Internet defensive driving courses in California, Texas, Nevada and Idaho. CompletelyOnline.com continues to expand its reach in the defensive driving industry and in other e-learning markets.&lt;/p&gt;  &lt;p&gt; &lt;a href="http://www.completelyonline.com"&gt;www.completelyonline.com&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;About New York Safety Program&lt;/p&gt;  &lt;p&gt;The New York Safety Program has been educating drivers in New York since 1980. 
Founder Anthony Perlongo, has been a nationally prominent leader in the field of driver safety. His accomplishments as a State and National President of the Driver Education Guild among others have brought him recognition as a driving safety expert throughout the country. &lt;a href="http://www.nysponline.com"&gt;www.nysponline.com&lt;/a&gt;&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:8531a63c-5f13-486e-a63a-f3ccdc7e28eb" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/New+York+Safety+Online" rel="tag"&gt;New York Safety Online&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CompletelyOnline.com" rel="tag"&gt;CompletelyOnline.com&lt;/a&gt;,&lt;a href="http://technorati.com/tags/completelyonline" rel="tag"&gt;completelyonline&lt;/a&gt;,&lt;a href="http://technorati.com/tags/New+York+State+Department+of+Motor+Vehicles" rel="tag"&gt;New York State Department of Motor Vehicles&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/completelyonlinecom---biometrics-shaking-up-internet-defensive-driving-in-ny.html</feedburner:origLink></entry>
    <entry>
        <title>Smartmatic and NEC Argentina Join Forces in a Strategic Alliance</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/zJDnYrcyb5w/smartmatic-and-nec-argentina-join-forces-in-a-strategic-alliance.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/smartmatic-and-nec-argentina-join-forces-in-a-strategic-alliance.html" thr:count="2" thr:updated="2010-05-27T18:03:11-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a55d60a9970b</id>
        <published>2009-09-09T13:03:08-05:00</published>
        <updated>2009-09-09T13:03:08-05:00</updated>
        <summary type="html">LA PAZ, Bolivia-- NEC Argentina, a subsidiary of giant Japanese IT multinational NEC Corporation, announced it has selected Smartmatic as strategic partner to develop a biometric registration system for the Bolivian National Electoral Court (known as the CNE). NEC Argentina`s...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;LA PAZ, Bolivia--&lt;/p&gt;  &lt;p&gt; &lt;a href="http://www.nec.com.ar/"&gt;NEC Argentina&lt;/a&gt;, a subsidiary of giant Japanese IT multinational NEC Corporation, announced it has selected &lt;a href="http://www.smartmatic.com/"&gt;Smartmatic&lt;/a&gt; as strategic partner to develop a biometric registration system for the &lt;a href="http://www.cne.org.bo/"&gt;Bolivian National Electoral Court&lt;/a&gt; (known as the CNE). NEC Argentina`s selection of Smartmatic is aimed at adding still more technical prowess to help in its commitment to completely revamp Bolivia`s voter registration system. &lt;/p&gt;  &lt;p&gt;"It is gratifying that a world leader in biometric registration like NEC has chosen Smartmatic for its technology and support capabilities, toward achieving a transparent biometric register in record time. We are honored to take part in this historic enhancement of the Bolivian voting system", said Antonio Mugica, CEO, Smartmatic. &lt;/p&gt;  &lt;p&gt;THE CNE`S VOTER REGISTRATION GOALS &lt;/p&gt;  &lt;p&gt;The Bolivian CNE has set an important and dramatic voter registration goal. Over a period of three months (August to October 2009), the CNE hopes to register approximately 4 million Bolivian voters, including Bolivians living abroad in Argentina, the United States, Spain and Brazil. &lt;/p&gt;  &lt;p&gt;A new electoral law, recently approved by the Congress of Bolivia, mandates the use of biometric registration to increase security and protect the rights of voters. The new registration, which will include digital data such as citizens` fingerprints, pictures and signatures, will first prove its usefulness in the December 2009 Bolivian general elections. &lt;/p&gt;  &lt;p&gt;To implement the new registration process, the CNE is expected to use 3.000 new registration stations, comprised of 1,700 stationary and 1,300 mobile stations. 
&lt;/p&gt;  &lt;p&gt;DAILY REGISTRATION: POTENTIAL OF 60,000 PLUS VOTERS &lt;/p&gt;  &lt;p&gt;To support a potential daily registration of 60.000 people, NEC Argentina and Smartmatic will work together as follows: &lt;/p&gt;  &lt;p&gt;-- As project leader, NEC Argentina will provide the equipment to be used in the data capture stations, such as computers and fingerprint scanners. &lt;/p&gt;  &lt;p&gt;-- In addition, NEC will supply its cutting-edge recognition and fingerprint duplicate detection software (AFIS). &lt;/p&gt;  &lt;p&gt;-- Smartmatic will be in charge of supplying peripheral equipment and technical staff training; and of the logistics of the whole event, including equipment allocation and staff to the various CNE offices in the country. &lt;/p&gt;  &lt;p&gt;WHY SMARTMATIC? &lt;/p&gt;  &lt;p&gt;NEC turned to Smartmatic due to its experience in managing elections in countries with complex geographies, such as Venezuela and the Philippines, under intense time pressure. Bolivia`s geography, including high elevation sites and steep mountainous landscapes, presents an added degree of difficulty for equipment distribution and deployment. &lt;/p&gt;  &lt;p&gt;"NEC selected Smartmatic for three powerful reasons: its successful experience in mission-critical projects, its cutting-edge technology and its team, one of the most qualified worldwide to deal with this kind of project", said Jorge Vargas, Marketing &amp;amp; International Business Director, NEC Argentina. &lt;/p&gt;  &lt;p&gt;About Smartmatic &lt;/p&gt;  &lt;p&gt;Smartmatic is a multinational company that designs and deploys technological solutions aimed at helping governments fulfill, in the most efficient way, their commitments with their citizens. It is one of the largest cutting-edge technology suppliers, with a wide and proven experience in the United States, Asia, Latin America and the Caribbean. 
&lt;/p&gt;  &lt;p&gt;Smartmatic aims to help societies become more efficient and transparent, through technological innovations and it is responsible for several top and advanced innovations available in the market around three business areas: electronic auditable voting systems, intelligent and integrated security platforms, and advanced solutions for people registration and authentication for a wide range of government applications. &lt;/p&gt;  &lt;p&gt;About NEC Argentina &lt;/p&gt;  &lt;p&gt;NEC Argentina operates as a wholly-owned subsidiary of NEC Corporation. A pioneer in the integration of computer systems and communications, NEC Argentina offers solutions to different vertical segments, being today a Technological Development Center in government integrated solutions for Latin-America. &lt;/p&gt;  &lt;p&gt;Established in Buenos Aires since 1978, NEC Argentina is one of the leader suppliers of the technological area with a vast experience in the development and setting up of integral solutions like e-gov, healthcare, education, biometrics, security and convergent solutions. The company has set up successful projects in Argentina, Bolivia, Brazil, Chile, Ecuador, Venezuela, El Salvador, Costa Rica, Mexico as well as in different parts of the world, through NEC Corporation. &lt;/p&gt;  &lt;p&gt;Smartmatic &lt;/p&gt;  &lt;p&gt;Samira Saba, Marketing/Communications Manager +582127062500 ssaba@smartmatic.com or NEC Argentina Gabriela Romero, Marketing/Communications +54-1140106000 (int. 
6016) &lt;a href="mailto:info@nec.com.ar"&gt;info@nec.com.ar&lt;/a&gt;&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:9601bc24-2d7b-4c44-a441-bd03c7f698a0" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Smartmatic" rel="tag"&gt;Smartmatic&lt;/a&gt;,&lt;a href="http://technorati.com/tags/NEC+Argentina" rel="tag"&gt;NEC Argentina&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Bolivian+National+Electoral+Court" rel="tag"&gt;Bolivian National Electoral Court&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CNE" rel="tag"&gt;CNE&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/smartmatic-and-nec-argentina-join-forces-in-a-strategic-alliance.html</feedburner:origLink></entry>
    <entry>
        <title>Brazil votes on biometrics</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/L8LE7X_7CJ4/brazil-votes-on-biometrics.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/09/brazil-votes-on-biometrics.html" thr:count="2" thr:updated="2009-09-11T12:08:45-05:00" />
        <id>tag:typepad.com,2003:post-6a00d83453a4e869e20120a5b3cdce970c</id>
        <published>2009-09-09T12:51:43-05:00</published>
        <updated>2009-09-09T12:51:43-05:00</updated>
        <summary type="html">Brazil votes on biometrics Security Document World (press release) Brazil votes on biometrics 08 September 2009 Brazil’s Superior Electoral Court (TSE) has selected Suprema’s RealScan-D live scanner for nationwide biometric voter registration. The RealScan-D live scanner is a portable, USB-powered...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;&lt;a href="http://www.google.com/url?sa=X&amp;amp;q=http://www.securitydocumentworld.com/public/index.cfm%3F%26m1%3Dc_10%26m2%3Dc_4%26m3%3De_0%26m4%3De_0%26subItemID%3D1835&amp;amp;ct=ga&amp;amp;cd=XcwVSbc5fH0&amp;amp;usg=AFQjCNFwenSSvsk6dlnEuQU4YECfvpZBGg"&gt;Brazil votes on &lt;b&gt;biometrics&lt;/b&gt;&lt;/a&gt;    &lt;br&gt;Security Document World (press release)    &lt;br&gt;&lt;/p&gt;  &lt;h4&gt;Brazil votes on biometrics&lt;/h4&gt;  &lt;h5&gt;08 September 2009&lt;/h5&gt;  &lt;p&gt;Brazil’s Superior Electoral Court (TSE) has selected &lt;a href="http://www.supremainc.com/eng/main.php"&gt;Suprema’s&lt;/a&gt; RealScan-D live scanner for nationwide biometric voter registration.&lt;/p&gt;  &lt;p&gt;The RealScan-D live scanner is a portable, USB-powered device designed for bundling with mobile jump-kits when used at voter registration and voting sites.&lt;/p&gt;  &lt;p&gt;Suprema says TSE’s voter biometric identification programme aims to protect citizen’s voting rights by preventing any possible frauds. &lt;/p&gt;  &lt;p&gt;According to TSE, the Brazilian government aims to implement biometric voting system to all states to enhance its consolidation of citizens’ rights. 
&lt;/p&gt;  &lt;p&gt;“We are very proud of the order from TSE as it is the world’s largest fingerprint registration system for voting,” says Ismael Akiyama, CEO at Akiyama Technologia, Suprema’s local partner in Brazil.&lt;/p&gt;  &lt;p&gt;Suprema has also recently won government projects in Slovenia, Japan and Mexico for criminal and public ID applications.&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:29516028-d5a9-4a3a-b1e3-e26fe11c1495" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Brazil" rel="tag"&gt;Brazil&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Superior+Electoral+Court" rel="tag"&gt;Superior Electoral Court&lt;/a&gt;,&lt;a href="http://technorati.com/tags/TSE" rel="tag"&gt;TSE&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Suprema" rel="tag"&gt;Suprema&lt;/a&gt;,&lt;a href="http://technorati.com/tags/RealScan-D" rel="tag"&gt;RealScan-D&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/09/brazil-votes-on-biometrics.html</feedburner:origLink></entry>
    <entry>
        <title>I see you're gangsta – tattoos, biometrics, and the police</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/GOgZ91UndOg/i-see-youre-gangsta-tattoos-biometrics-and-the-police.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/i-see-youre-gangsta-tattoos-biometrics-and-the-police.html" thr:count="4" thr:updated="2010-07-19T00:35:24-05:00" />
        <id>tag:typepad.com,2003:post-68247653</id>
        <published>2009-06-18T12:20:23-05:00</published>
        <updated>2009-06-18T12:20:23-05:00</updated>
        <summary type="html">A gangster's main method of creativity and self-expression is becoming increasingly detrimental to their freedom. Law enforcement agencies have long used any means of verifiable markings to link a suspect to eyewitness accounts of crimes. As a fairly permanent and...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;A gangster's &lt;a href="http://www.gangink.com/" target="_blank"&gt;main method&lt;/a&gt; of creativity and self-expression is becoming increasingly detrimental to their &lt;a href="http://www.allposters.com/-sp/I-Noticed-That-You-re-Gangster-I-m-Pretty-Gangster-Myself-Posters_i2357443_.htm" target="_blank"&gt;freedom&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;Law enforcement agencies have long used any means of verifiable markings to link a suspect to eyewitness accounts of crimes. As a fairly permanent and distinct marker in identifying an individual, tattoos have been an invaluable tool in pursuing “persons of interest” over the years. &lt;/p&gt;  &lt;p&gt;                        &lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e201157128c89b970b-pi"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="i_m_gangsta" border="0" alt="i_m_gangsta" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e201157128c8a5970b-pi" width="244" height="167"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Now, science has brought us a tool to help the process of searching through databases of thousands of tattoos to find that special someone, that much easier and quicker.&lt;/p&gt;  &lt;p&gt;Enter &lt;a href="http://spie.org/x35455.xml?highlight=x2412&amp;amp;ArticleID=x35455" target="_blank"&gt;Tattoo-ID&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Anil Jain and Jung-Eun Lee of Michigan State University’s Department of Computer Science and Engineering have developed a new methodology to categorizing and identifying scars, marks, and tattoos (SMTs). They have labeled the new process Tattoo-ID and believe that it will help law enforcement agencies more accurately and quickly link an SMT with the individual they are interested in. 
&lt;/p&gt;  &lt;p&gt;Currently, law enforcement agencies use the standards for SMT classification as stated by &lt;a href="http://fingerprint.nist.gov/standard/" target="_blank"&gt;ANSI/NIST-ITL 1-2007&lt;/a&gt;. Which, according to Mr. Jain and Mr. Lee, is subjective, time-consuming, and is not scalable to meet the rapid growth in tattoo design.&lt;/p&gt;  &lt;p&gt;With Tattoo-ID, the researchers believe their method can meet the needs of SMT identification as the needs of law enforcement grows.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Our approach is one of content-based image retrieval using features (e.g., color, shape, and texture), instead of labels or keywords, to compute the similarity between two images.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Currently the program is seeing 835 out of 1000 images correctly identified with the first attempt out of a database of 64,000.&lt;/p&gt;  &lt;p&gt;Although blurred images and low quality image sources create lower success rates, Mr. Jain and Mr. 
Lee feel that by tweaking their current process and with the addition of new algorithms in their software, the tool will be able to resolve a larger number of SMTs quicker and more accurately, with even larger image databases.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:6febe938-9f1f-47a4-b29e-e715999b1294" class="wlWriterEditableSmartContent"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Gangster" rel="tag"&gt;Gangster&lt;/a&gt;,&lt;a href="http://technorati.com/tags/tattoo" rel="tag"&gt;tattoo&lt;/a&gt;,&lt;a href="http://technorati.com/tags/police" rel="tag"&gt;police&lt;/a&gt;,&lt;a href="http://technorati.com/tags/law+enforcement" rel="tag"&gt;law enforcement&lt;/a&gt;,&lt;a href="http://technorati.com/tags/agencies" rel="tag"&gt;agencies&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/SMT" rel="tag"&gt;SMT&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michigan+state+university" rel="tag"&gt;michigan state university&lt;/a&gt;,&lt;a href="http://technorati.com/tags/anil+jain" rel="tag"&gt;anil jain&lt;/a&gt;,&lt;a href="http://technorati.com/tags/jung-eun+lee" rel="tag"&gt;jung-eun lee&lt;/a&gt;,&lt;a href="http://technorati.com/tags/scar" rel="tag"&gt;scar&lt;/a&gt;,&lt;a href="http://technorati.com/tags/mark" rel="tag"&gt;mark&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometric" rel="tag"&gt;biometric&lt;/a&gt;,&lt;a href="http://technorati.com/tags/identification" rel="tag"&gt;identification&lt;/a&gt;,&lt;a href="http://technorati.com/tags/suspect" rel="tag"&gt;suspect&lt;/a&gt;,&lt;a href="http://technorati.com/tags/victim" rel="tag"&gt;victim&lt;/a&gt;,&lt;a href="http://technorati.com/tags/ANSI" rel="tag"&gt;ANSI&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/NIST" rel="tag"&gt;NIST&lt;/a&gt;,&lt;a href="http://technorati.com/tags/ITL" rel="tag"&gt;ITL&lt;/a&gt;,&lt;a href="http://technorati.com/tags/1-2007" rel="tag"&gt;1-2007&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/i-see-youre-gangsta-tattoos-biometrics-and-the-police.html</feedburner:origLink></entry>
    <entry>
        <title>Lxlabs head commits suicide</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/IpIy9-Jxa3Q/lx-labs-head-commits-suicide.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/lx-labs-head-commits-suicide.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67941923</id>
        <published>2009-06-10T12:05:03-05:00</published>
        <updated>2009-06-10T12:14:49-05:00</updated>
        <summary type="html">Sadly, the CTO and founder of Lxlabs was discovered dead in his home in Bangalore Monday morning, from an apparent suicide. As reported in The Times of India, K T Ligesh,32, was found by a friend, hanging in his room....</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;Sadly, the CTO and founder of Lxlabs was discovered dead in his home in Bangalore Monday morning, from an apparent suicide. As reported in &lt;a href="http://timesofindia.indiatimes.com/Bangalore/Techie-hangs-himself-in-HSR-Layout-/articleshow/4633101.cms" target="_blank"&gt;The Times of India&lt;/a&gt;, K T Ligesh, 32, was found by a friend, hanging in his room.&lt;/p&gt;  &lt;p&gt;As I discussed &lt;a href="http://securityblog.typepad.com/technology_security/2009/06/webhost-hacked-vm-vulnerability.html" target="_blank"&gt;yesterday&lt;/a&gt;, up to 100,000 websites had been erased due to a vulnerability in &lt;a href="http://lxlabs.com/" target="_blank"&gt;Lxlabs&lt;/a&gt;’ software at webhost provider, &lt;a href="http://www.vaserv.com/" target="_blank"&gt;VAServ&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;According to various reports, Mr. Ligesh was deeply agitated over recently losing a project to another company, as well as living with the loss of both his sister and mother a few years ago to suicide by hanging. &lt;/p&gt;  &lt;p&gt;Despite what other contributing factors may be at play in Mr. Ligesh’s decision to take his own life, it cannot be clearer that the actions of the hackers that attacked VAServ’s websites played a significant role in this tragedy.&lt;/p&gt;  &lt;p&gt;I assume the criminals that infiltrated VAServ’s infrastructure and destroyed the efforts of so many; that created so much anxiety and distress and then caused untold financial damages – that they never really MEANT for someone to die either directly or indirectly from their actions. But it doesn’t really matter, the results of unintended consequences are always just as bad as the results of those that are intended. They are still a product of someone’s actions or inactions and they are still responsible (if even just partially). 
&lt;/p&gt;  &lt;p&gt;Unfortunately, knowing how often hackers are brought to justice, we can also assume that this wrong will never be righted. RIP K T Ligesh&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/lx-labs-head-commits-suicide.html</feedburner:origLink></entry>
    <entry>
        <title>Webhost hacked – VM vulnerability blamed</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/gSlRtMaSJDA/webhost-hacked-vm-vulnerability.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/webhost-hacked-vm-vulnerability.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67895037</id>
        <published>2009-06-09T09:58:48-05:00</published>
        <updated>2009-06-09T10:00:03-05:00</updated>
        <summary type="html">According to the Register, a hacker attacked a Webhosting company’s virtual server infrastructure on Sunday and erased up to 100,000 sites. Vaserv.com was hit by a calculated attack on its virtualization application which left roughly half of Vaserv’s customer without...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;According to the &lt;a href="http://www.theregister.co.uk/2009/06/08/webhost_attack/" target="_blank"&gt;Register&lt;/a&gt;, a hacker attacked a Webhosting company’s virtual server infrastructure on Sunday and erased up to 100,000 sites. &lt;/p&gt;  &lt;p&gt;Vaserv.com was hit by a calculated attack on its virtualization application which left roughly half of Vaserv’s customers without a website.&lt;/p&gt;  &lt;p&gt;Rus Foster, a director at Vaserv, stated that &lt;a href="http://lxlabs.com/" target="_blank"&gt;LXLabs&lt;/a&gt;’s &lt;a href="http://lxlabs.com/software/hypervm/" target="_blank"&gt;HyperVM&lt;/a&gt; had been compromised during a zero-day exploit. They are currently trying to reach LXLabs to find a solution.&lt;/p&gt;  &lt;p&gt;Visiting Vaserv’s website shows an organization in full triage/crisis mode.&lt;/p&gt;  &lt;p&gt;At the time of this writing, Vaserv’s &lt;a href="http://www.vaserv.com/" target="_blank"&gt;site&lt;/a&gt; is just a text document showing the status of their server recovery progress (or lack thereof). &lt;/p&gt;  &lt;p&gt;&lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fefe065970c-pi"&gt;&lt;img title="vaserv" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="289" alt="vaserv" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e2011570e4b959970b-pi" width="475" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Pretty tough times as an administrator (both for a system and web admin). 
&lt;/p&gt;  &lt;p&gt;A very thin but important silver lining is the encryption Vaserv implemented that allowed them to keep the actual data from being usable by the hacker(s).&lt;/p&gt;  &lt;p&gt;Ultimately, this shows me two things: &lt;/p&gt;  &lt;p&gt;1) How organizations’ reliances on VMs have created a keystone in the arch where a hacker can pinpoint their attacks to reach maximum destructiveness. If a hacker wants to access data for the sake of profit, they go after the database. Alternatively, if they want to go for destructiveness, they can vector in on the VM infrastructure. &lt;/p&gt;  &lt;p&gt;VMs are a business reality for large organizations which must rely on fewer physical machines that hold far more virtual servers running many more services. Ultimately this allows enterprises to leverage their rack space more efficiently, but creates a more appealing and concentrated target for people bent on mayhem. Thus, as this VM-reality matures in the TecSec community, the strength and security of the VM infrastructure itself becomes exponentially more important. &lt;/p&gt;  &lt;p&gt;In the past, we’ve had to worry about the OS and the applications within it but now we must be concerned with the layer that manages the operating systems themselves. No doubt all webhosting companies are going to re-evaluate their VM security posture as news of this spreads. &lt;em&gt;As for the TecSec community at large, we will need to pay closer attention to what risks VMs pose from motivated individuals.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;and 2) How incredibly malicious hackers can be. At one time, there was the idea that someone would deface a site to make a statement or to show a webmaster his site was vulnerable. 
Wiping out 100,000 websites, however, is beyond explanation.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:498a3cfa-9362-4d10-9b3e-c84af6e7d156" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us Tags: &lt;a href="http://del.icio.us/popular/Rus+Foster" rel="tag"&gt;Rus Foster&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/LXLabs" rel="tag"&gt;LXLabs&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/HyperVM" rel="tag"&gt;HyperVM&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/webhosting" rel="tag"&gt;webhosting&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/hacker" rel="tag"&gt;hacker&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/attack" rel="tag"&gt;attack&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/virtual+machine" rel="tag"&gt;virtual machine&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/vm" rel="tag"&gt;vm&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/tecsec" rel="tag"&gt;tecsec&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/website" rel="tag"&gt;website&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Register" rel="tag"&gt;Register&lt;/a&gt;&lt;/div&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:26f33dd9-30cb-41d3-bae5-1dc58c84d23d" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Rus+Foster" rel="tag"&gt;Rus Foster&lt;/a&gt;,&lt;a href="http://technorati.com/tags/LXLabs" rel="tag"&gt;LXLabs&lt;/a&gt;,&lt;a href="http://technorati.com/tags/HyperVM" rel="tag"&gt;HyperVM&lt;/a&gt;,&lt;a href="http://technorati.com/tags/webhosting" rel="tag"&gt;webhosting&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/hacker" rel="tag"&gt;hacker&lt;/a&gt;,&lt;a href="http://technorati.com/tags/attack" rel="tag"&gt;attack&lt;/a&gt;,&lt;a href="http://technorati.com/tags/virtual+machine" rel="tag"&gt;virtual machine&lt;/a&gt;,&lt;a href="http://technorati.com/tags/vm" rel="tag"&gt;vm&lt;/a&gt;,&lt;a href="http://technorati.com/tags/tecsec" rel="tag"&gt;tecsec&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/website" rel="tag"&gt;website&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Register" rel="tag"&gt;Register&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/webhost-hacked-vm-vulnerability.html</feedburner:origLink></entry>
    <entry>
        <title>Virginia Patients at Risk</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/Nj0L5o_dyGU/virginia-patients-at-risk.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/virginia-patients-at-risk.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67873589</id>
        <published>2009-06-08T18:29:47-05:00</published>
        <updated>2009-06-08T18:29:47-05:00</updated>
        <summary type="html">Known: a hacker gained access to the Virginia Prescription Monitoring Program and then asked for a ransom of $10 million. According to The Virginian-Pilot, the following is also known: The database contains records of more than 35 million prescriptions dispensed...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;                      &lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fe7db74970c-pi"&gt;&lt;img title="idtheft" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="163" alt="idtheft" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e2011570dcb692970b-pi" width="244" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Known: a hacker gained access to the Virginia Prescription Monitoring Program and then asked for a ransom of $10 million. According to &lt;a href="http://hamptonroads.com/2009/06/officials-hacker-may-have-stolen-social-security-numbers" target="_blank"&gt;The Virginian-Pilot&lt;/a&gt;, the following is also known: &lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;The database contains records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse, such as OxyContin, Vicodin and Xanax.&lt;/p&gt;    &lt;p&gt;The records include patients' name, address and date of birth, the name and quantity of the drug prescribed, and identifying numbers for the doctor and pharmacist.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;What is unknown is whether the hacker gained access to the customers’ social security numbers, which were placed alongside many of the customers’ pharmacy records. Throw in 1,400 or so doctors and pharmacists that entered their social security numbers and you have the potential for a real mess. &lt;/p&gt;  &lt;p&gt;Also unknown is whether the database was encrypted. 
The hacker stated that he had copied the database and deleted the commonwealth’s backups of the database, although Virginia claims to still have access to its backups.&lt;/p&gt;  &lt;p&gt;One thing is for certain, some administrator is hating their life right now while they have to explain why 530,000 patients must now watch their credit report and bank accounts more diligently than ever. &lt;/p&gt;  &lt;p&gt;Finally, there is the irony where the Roanoke Times &lt;a href="http://www.roanoke.com/news/roanoke/wb/204492" target="_blank"&gt;reports&lt;/a&gt; that:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;…lawmakers were told that the VDHP ranked in the top 5 percent of state agencies in an audit of information security. &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Not the most confidence-inspiring statement the state could make.&lt;/p&gt;  &lt;p&gt;Databases are ultimately one of the great prizes for hackers. In one fell swoop they can acquire more data than if they stole 100,000 laptops. This is an excellent example of why database security and encryption should be paramount for any organization that stores sensitive information. 
Way to learn one the hard way, Virginia.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:cb3c6947-c504-4f7a-8a85-40ca01a75c5a" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us Tags: &lt;a href="http://del.icio.us/popular/Virginia+Department+of+Health+Professions" rel="tag"&gt;Virginia Department of Health Professions&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/hacker" rel="tag"&gt;hacker&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Virginia+Prescription+Monitoring+Program" rel="tag"&gt;Virginia Prescription Monitoring Program&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/theft" rel="tag"&gt;theft&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/data" rel="tag"&gt;data&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/encryption" rel="tag"&gt;encryption&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/database" rel="tag"&gt;database&lt;/a&gt;&lt;/div&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:6e756549-6834-4a48-93f3-1a01ee4ef2ed" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Virginia+Department+of+Health+Professions" rel="tag"&gt;Virginia Department of Health Professions&lt;/a&gt;,&lt;a href="http://technorati.com/tags/hacker" rel="tag"&gt;hacker&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Virginia+Prescription+Monitoring+Program" rel="tag"&gt;Virginia Prescription Monitoring Program&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/theft" rel="tag"&gt;theft&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/data" rel="tag"&gt;data&lt;/a&gt;,&lt;a href="http://technorati.com/tags/encryption" rel="tag"&gt;encryption&lt;/a&gt;,&lt;a href="http://technorati.com/tags/database" rel="tag"&gt;database&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/virginia-patients-at-risk.html</feedburner:origLink></entry>
    <entry>
        <title>Security enhancement for iPhone = Find My iPhone</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/pEm-k4W72RI/security-enhancement-for-iphone-find-my-iphone.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/security-enhancement-for-iphone-find-my-iphone.html" thr:count="1" thr:updated="2011-03-24T00:22:41-05:00" />
        <id>tag:typepad.com,2003:post-67853871</id>
        <published>2009-06-08T13:54:26-05:00</published>
        <updated>2009-06-08T13:54:26-05:00</updated>
        <summary type="html">For those who have been pushing their company to adopt the iPhone as a business device, at least now you can present the security argument as a little stronger. A few minutes ago, Apple unveiled at WWDC a remote wipe...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;For those who have been pushing their company to adopt the iPhone as a business device, at least now you can present the security argument as a little stronger. &lt;/p&gt;  &lt;p&gt;                                        &lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fe5f81e970c-pi"&gt;&lt;img title="iphone1" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="240" alt="iphone1" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fe5f823970c-pi" width="128" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;A few minutes ago, Apple unveiled at WWDC a remote wipe feature through its new ‘Find My iPhone’ application.&lt;/p&gt;  &lt;p&gt;In addition to allowing you to remotely erase your iPhone (something available on other devices for some time now), you can also view where your iPhone is on a map, make your iPhone beep so that you can locate it (even if it is in ‘silent mode’), AND display a message to the person who &lt;strike&gt;stole&lt;/strike&gt; found your phone. Perhaps something like “I know you have my iPhone, I know where you’re at – I’m coming to get it”. &lt;/p&gt;  &lt;p&gt;The catch? You must subscribe to Apple’s MobileMe service to have access to the ‘Find My iPhone’ features. 
Still, for companies who have potentially sensitive data stored on their iPhone, this becomes a no-brainer.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:96b62123-75da-45f8-8de1-08f75639cd7b" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us Tags: &lt;a href="http://del.icio.us/popular/Apple" rel="tag"&gt;Apple&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/iPhone" rel="tag"&gt;iPhone&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Find+My+iPhone" rel="tag"&gt;Find My iPhone&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/MobileMe" rel="tag"&gt;MobileMe&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/WWDC" rel="tag"&gt;WWDC&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/application" rel="tag"&gt;application&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/remote+wipe" rel="tag"&gt;remote wipe&lt;/a&gt;&lt;/div&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:1a6bc925-d223-4083-9156-358d5ae9f807" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Apple" rel="tag"&gt;Apple&lt;/a&gt;,&lt;a href="http://technorati.com/tags/iPhone" rel="tag"&gt;iPhone&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Find+My+iPhone" rel="tag"&gt;Find My iPhone&lt;/a&gt;,&lt;a href="http://technorati.com/tags/MobileMe" rel="tag"&gt;MobileMe&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/WWDC" rel="tag"&gt;WWDC&lt;/a&gt;,&lt;a href="http://technorati.com/tags/application" rel="tag"&gt;application&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/remote+wipe" rel="tag"&gt;remote wipe&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=pEm-k4W72RI:AywVf3MRi-o:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=pEm-k4W72RI:AywVf3MRi-o:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:wF9xT3WuBAs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=pEm-k4W72RI:AywVf3MRi-o:wF9xT3WuBAs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:KwTdNBX3Jqk"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=pEm-k4W72RI:AywVf3MRi-o:KwTdNBX3Jqk" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=pEm-k4W72RI:AywVf3MRi-o:5lVTG1FW49M"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=5lVTG1FW49M" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/security-enhancement-for-iphone-find-my-iphone.html</feedburner:origLink></entry>
    <entry>
        <title>Worst ISP in the US = Pricewert</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/8St97vdaIuk/worst-isp-in-the-us-pricewert.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/worst-isp-in-the-us-pricewert.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67850923</id>
        <published>2009-06-08T13:12:31-05:00</published>
        <updated>2009-06-08T13:57:18-05:00</updated>
        <summary type="html">Well, that’s according to the FTC who shut their connectivity off late last week. And if their claims are accurate, I believe they have a pretty good case for giving Pricewert the title. According to the FTC’s press release, Pricewert...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;Well, that’s according to the FTC, which shut their connectivity off late last week. And if their claims are accurate, I believe they have a pretty good case for giving Pricewert the title. &lt;/p&gt;  &lt;p&gt;                     &lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fe5a0e7970c-pi"&gt;&lt;img title="evil-monkey" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="223" alt="evil-monkey" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fe5a0fc970c-pi" width="244" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;According to the FTC’s &lt;a href="http://www.ftc.gov/opa/2009/06/3fn.shtm" target="_blank"&gt;press release&lt;/a&gt;, Pricewert (AKA 3FN, APS Telecom, among others) knowingly hosted child pornography, malware, and spam servers which were responsible for depositing trojan horses, viruses, spyware, phishing attacks, botnet command-and-control servers, as well as numerous additional web sites with illegal material on them.&lt;/p&gt;  &lt;p&gt;If you have ever wondered why a website can exist that can do so much damage or why spam servers can clog your e-mail with so much time/money wasting data or where the truly bad/sick people on the web go for their disease, this is it. 
&lt;/p&gt;  &lt;p&gt;The claim states that by ignoring security groups’ notices to disconnect the offending sites and by frequently changing the source IP address of the servers, Pricewert was able to provide criminals a safe haven on the web.&lt;/p&gt;  &lt;p&gt;If the allegations are true, let’s hope that the government doesn’t wait so long next time to find organizations like this on the web and shut down this conduit of crime and filth.&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:eca9128e-74c2-40dd-8c3c-44061c7c9ed4" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/FTC" rel="tag"&gt;FTC&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Pricewert" rel="tag"&gt;Pricewert&lt;/a&gt;,&lt;a href="http://technorati.com/tags/3FN" rel="tag"&gt;3FN&lt;/a&gt;,&lt;a href="http://technorati.com/tags/APS+Telecom" rel="tag"&gt;APS Telecom&lt;/a&gt;,&lt;a href="http://technorati.com/tags/IPS" rel="tag"&gt;IPS&lt;/a&gt;,&lt;a href="http://technorati.com/tags/trojan" rel="tag"&gt;trojan&lt;/a&gt;,&lt;a href="http://technorati.com/tags/viruses" rel="tag"&gt;viruses&lt;/a&gt;,&lt;a href="http://technorati.com/tags/botnet" rel="tag"&gt;botnet&lt;/a&gt;,&lt;a href="http://technorati.com/tags/phishing" rel="tag"&gt;phishing&lt;/a&gt;,&lt;a href="http://technorati.com/tags/spyware" rel="tag"&gt;spyware&lt;/a&gt;,&lt;a href="http://technorati.com/tags/illegal" rel="tag"&gt;illegal&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Federal+Trade+Commission" rel="tag"&gt;Federal Trade Commission&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:23bc6a92-0be4-4102-8682-d57af2531563" style="padding-right: 
0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us Tags: &lt;a href="http://del.icio.us/popular/FTC" rel="tag"&gt;FTC&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Pricewert" rel="tag"&gt;Pricewert&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/3FN" rel="tag"&gt;3FN&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/APS+Telecom" rel="tag"&gt;APS Telecom&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/IPS" rel="tag"&gt;IPS&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/trojan" rel="tag"&gt;trojan&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/viruses" rel="tag"&gt;viruses&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/botnet" rel="tag"&gt;botnet&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/phishing" rel="tag"&gt;phishing&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/spyware" rel="tag"&gt;spyware&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/illegal" rel="tag"&gt;illegal&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Federal+Trade+Commission" rel="tag"&gt;Federal Trade Commission&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=8St97vdaIuk:0t-8Y2dDS-8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=8St97vdaIuk:0t-8Y2dDS-8:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:wF9xT3WuBAs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=8St97vdaIuk:0t-8Y2dDS-8:wF9xT3WuBAs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:KwTdNBX3Jqk"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=8St97vdaIuk:0t-8Y2dDS-8:KwTdNBX3Jqk" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=8St97vdaIuk:0t-8Y2dDS-8:5lVTG1FW49M"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=5lVTG1FW49M" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/worst-isp-in-the-us-pricewert.html</feedburner:origLink></entry>
    <entry>
        <title>Smart Cards are not rocket science</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/hdfxJPa8uXQ/smart-cards-are-not-rocket-science.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/smart-cards-are-not-rocket-science.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67625813</id>
        <published>2009-06-04T08:53:09-05:00</published>
        <updated>2009-06-04T09:04:51-05:00</updated>
        <summary type="html">NASA may have to reissue more than 70,000 smart cards that have been provided to NASA employees over the past three years due to security concerns. Prior to the Homeland Security Presidential Directive 12 (HSPD-12) mandate for a Personal Identity...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;&lt;a href="http://www.nasa.gov/" target="_blank"&gt;NASA&lt;/a&gt; may have to reissue more than 70,000 smart cards that have been provided to NASA employees over the past three years due to security concerns.&lt;/p&gt;  &lt;p&gt;                    &lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e2011570bed2a5970b-pi"&gt;&lt;img title="NasaLogo" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="203" alt="NasaLogo" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e201156fc9996b970c-pi" width="244" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Prior to the &lt;a href="http://hspd12.usda.gov/" target="_blank"&gt;Homeland Security Presidential Directive 12 (HSPD-12)&lt;/a&gt; mandate for a &lt;a href="http://csrc.nist.gov/groups/SNS/piv/index.html" target="_blank"&gt;Personal Identity Verification (PIV)&lt;/a&gt; card, NASA was in the process of deploying their own common badging and access control system (CBACS) - as were a number of other agencies. 
However, according to a report filed by NASA’s &lt;a href="http://oig.nasa.gov/" target="_blank"&gt;Inspector General&lt;/a&gt;, they did not follow federal guidelines for ensuring the proper transition and oversight from their own card implementation to the new PIV standards.&lt;/p&gt;  &lt;p&gt;Although the Inspector General’s office did not find that any cards had been distributed to individuals with inappropriate access, it leaves the door open for that possibility.&lt;/p&gt;  &lt;p&gt;At the heart of the issue is this:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“While NASA properly assessed the PIV card issuer for satisfaction of Federal requirements at both organization and facility levels, found deficiencies, and developed a corrective action plan in accordance with Federal guidance, the Agency did not monitor corrective actions to ensure that identified deficiencies were corrected nor initiate timely reassessment. If the reassessment of the PIV card issuer reveals that significant deficiencies continue to exist and those deficiencies affect the integrity of the PIV cards, NASA could be required to discontinue PIV card issuer operations and reissue its PIV cards, which we estimate could cost a minimum of $1 million.”&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Ouch. And the audit did not even include the Jet Propulsion Laboratory due to its own &lt;a href="http://www.spaceref.com/news/viewsr.html?pid=24134" target="_blank"&gt;PIV issues&lt;/a&gt;. 
&lt;/p&gt;  &lt;p&gt;Ultimately, if the Inspector General’s office is able to confirm that the credential provider’s failings persisted after NASA’s knowledge of them AND if it resulted in any inappropriate issuance – 98% of NASA’s employees will have to undergo the badging process again.&lt;/p&gt;  &lt;p&gt;For the Inspector General’s full report, click &lt;a href="http://www.hq.nasa.gov/office/oig/hq/audits/reports/FY09/IG-09-015.pdf" target="_blank"&gt;here&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:209305b2-c331-4c0a-a461-b3e9fabb20be" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us Tags: &lt;a href="http://del.icio.us/popular/NASA" rel="tag"&gt;NASA&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/PIV" rel="tag"&gt;PIV&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/HSPD-12" rel="tag"&gt;HSPD-12&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/JPL" rel="tag"&gt;JPL&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Inspector+General" rel="tag"&gt;Inspector General&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/CBAC" rel="tag"&gt;CBAC&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Homeland+Security+Presidential+Directive" rel="tag"&gt;Homeland Security Presidential Directive&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Personal+Identity+Verification" rel="tag"&gt;Personal Identity Verification&lt;/a&gt;&lt;/div&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:eac04e79-a496-489c-9a5a-a5c9a2a529bd" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/NASA" rel="tag"&gt;NASA&lt;/a&gt;,&lt;a 
href="http://technorati.com/tags/PIV" rel="tag"&gt;PIV&lt;/a&gt;,&lt;a href="http://technorati.com/tags/HSPD-12" rel="tag"&gt;HSPD-12&lt;/a&gt;,&lt;a href="http://technorati.com/tags/JPL" rel="tag"&gt;JPL&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Inspector+General" rel="tag"&gt;Inspector General&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CBAC" rel="tag"&gt;CBAC&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Homeland+Security+Presidential+Directive" rel="tag"&gt;Homeland Security Presidential Directive&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Personal+Identity+Verification" rel="tag"&gt;Personal Identity Verification&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=hdfxJPa8uXQ:4eHWeYPaucs:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=hdfxJPa8uXQ:4eHWeYPaucs:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:wF9xT3WuBAs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=hdfxJPa8uXQ:4eHWeYPaucs:wF9xT3WuBAs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:KwTdNBX3Jqk"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=hdfxJPa8uXQ:4eHWeYPaucs:KwTdNBX3Jqk" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=hdfxJPa8uXQ:4eHWeYPaucs:5lVTG1FW49M"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=5lVTG1FW49M" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/smart-cards-are-not-rocket-science.html</feedburner:origLink></entry>
    <entry>
        <title>Congress set to impose biometric competition in airports</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/mRO6wX18jRo/congress-set-to-impose-biometric-competition-in-airports.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/congress-set-to-impose-biometric-competition-in-airports.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67615947</id>
        <published>2009-06-04T00:50:02-05:00</published>
        <updated>2009-06-04T00:50:02-05:00</updated>
        <summary type="html">If it isn’t broke, don’t fix it – even if it could possibly save money. That’s what the airports are saying to congress now that legislation is before the House to revamp the biometric technology selection process at airports around...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;If it isn’t broke, don’t fix it – even if it could possibly save money. That’s what the airports are saying to Congress now that legislation is before the House to revamp the biometric technology selection process at airports &lt;/p&gt;  &lt;p&gt;                     &lt;a href="http://securityblog.typepad.com/.a/6a00d83453a4e869e2011570bdc1e8970b-pi"&gt;&lt;img title="tsa-logo" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="241" alt="tsa-logo" src="http://securityblog.typepad.com/.a/6a00d83453a4e869e2011570bdc1f4970b-pi" width="244" border="0"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;around the country. I feel for the airports, since they seem to have a system in place that they like and that, on the face of it, is relatively inexpensive. However, I’m sure there are a number of access solution providers that are eager to take a stab at winning the business. 
&lt;a href="http://washingtontechnology.com/articles/2009/06/03/congress-urged-not-to-disrupt-tsa-biometrics-work.aspx" target="_blank"&gt;Here’s the whole story&lt;/a&gt;… {via &lt;a href="http://washingtontechnology.com/Home.aspx" target="_blank"&gt;Washington Technology&lt;/a&gt;}&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:298c8762-4054-44bd-9ea6-296d9e950f65" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/tsa" rel="tag"&gt;tsa&lt;/a&gt;,&lt;a href="http://technorati.com/tags/airport" rel="tag"&gt;airport&lt;/a&gt;,&lt;a href="http://technorati.com/tags/biometric" rel="tag"&gt;biometric&lt;/a&gt;,&lt;a href="http://technorati.com/tags/technology" rel="tag"&gt;technology&lt;/a&gt;,&lt;a href="http://technorati.com/tags/michael+mongold" rel="tag"&gt;michael mongold&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=mRO6wX18jRo:O18hGiyoknU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=mRO6wX18jRo:O18hGiyoknU:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:wF9xT3WuBAs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=mRO6wX18jRo:O18hGiyoknU:wF9xT3WuBAs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:KwTdNBX3Jqk"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?i=mRO6wX18jRo:O18hGiyoknU:KwTdNBX3Jqk" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TechnologySecurity?a=mRO6wX18jRo:O18hGiyoknU:5lVTG1FW49M"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TechnologySecurity?d=5lVTG1FW49M" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/congress-set-to-impose-biometric-competition-in-airports.html</feedburner:origLink></entry>
    <entry>
        <title>Clean Security Bill of Health?</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/v_cKen5cn_k/clean-security-bill-of-health.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2009/06/clean-security-bill-of-health.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67607661</id>
        <published>2009-06-03T18:31:35-05:00</published>
        <updated>2009-06-03T18:31:35-05:00</updated>
        <summary type="html">What if a doctor told you that you had a clean bill of health, only to find that he missed a dangerous growth which later caused significant damage because it was not treated earlier? This is basically the gist of...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">&lt;p&gt;What if a doctor told you that you had a clean bill of health, only to find that he missed a dangerous growth which later caused significant damage because it was not treated earlier?&lt;/p&gt;  &lt;p&gt;&lt;a href="http://dockets.justia.com/docket/court-azdce/case_no-2:2009cv01088/case_id-445012/" target="_blank"&gt;This is basically the gist of a lawsuit that Merrick Bank has brought against Savvis in a federal complaint.&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;The short-term effects of this lawsuit will no doubt have a chilling effect on the compliance-service industry as they recognize their own vulnerability in signing off on an audit. &lt;/p&gt;  &lt;p&gt;It has always been critical that if you are giving someone a stamp of approval, that they truly meet the standard that has been defined. It’s important that your beef has been properly &lt;a href="http://www.aboutlawsuits.com/e-coli-and-foreign-object-lead-to-ground-beef-recalls-4235/" target="_blank"&gt;approved by the USDA&lt;/a&gt; and it’s important that your compliance with a security standard (Visa’s &lt;a href="http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp&amp;amp;symlinkref=http://www.google.com/search%3Frlz%3D1C1CHMB_enUS291US304%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Dvisa%2Bcisp" target="_blank"&gt;Cardholder Information Security Program&lt;/a&gt; or CISP, in this case) has been thoroughly vetted and approved. &lt;/p&gt;  &lt;p&gt;No doubt, there have been security “stamps of approval” that have been given out to organizations in the past that might not have been deserving and we’ll never hear about them. And this might not be one of those times since we’ll have to wait until Savvis has had an opportunity to defend itself and we hear the ruling by the court. However, it is inevitable that we would see a lawsuit occur at some point. 
&lt;/p&gt;  &lt;p&gt;If you tell me, or rather, guarantee me that I am compliant with a regulation or meet a certain standard or criteria and then I am fined a significant amount of money ($16 million in this case) because I am not, you can rest assured I will come to you for some answers and some compensation. &lt;/p&gt;  &lt;p&gt;What can be done to avoid this? This certainly raises a number of questions. After all, companies are paying these auditors to ensure they can bypass this whole mess. Ultimately, it will require more transparency of the actions performed by the auditing organization and the certifications of each individual auditor. If an auditor has passed a certification and his actions (or inactions) lead to a failure like this, should his certification be revoked? For my two cents, I believe this moves us a step closer to requiring a license-like structure for data security auditors that could have a better mechanism for granting and revoking its credentials. Ultimately, passing a test and receiving a certificate has limited, if any, accountability on an individual level.&lt;/p&gt;  &lt;p&gt;However, the question that will be addressed first is what culpability an auditing organization has when damages occur to a customer they have certified as compliant. For this, we will have to stay tuned to how the court rules. 
One thing we know for sure, companies that perform audits will take another look at how their contracts are worded and review carefully how they perform their contracts.&lt;/p&gt;  &lt;p&gt; &lt;/p&gt;  &lt;p&gt;Michael Mongold&lt;/p&gt;  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:fd7183f9-a151-4710-a3f5-b42fe6aa733f" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us Tags: &lt;a href="http://del.icio.us/popular/savvus" rel="tag"&gt;savvus&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Merrick" rel="tag"&gt;Merrick&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Visa" rel="tag"&gt;Visa&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/CISP" rel="tag"&gt;CISP&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Cardholder+Information+Security+Program" rel="tag"&gt;Cardholder Information Security Program&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/CardSystems" rel="tag"&gt;CardSystems&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/pay+by+touch" rel="tag"&gt;pay by touch&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/audit" rel="tag"&gt;audit&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/security" rel="tag"&gt;security&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/technology" rel="tag"&gt;technology&lt;/a&gt;,&lt;a href="http://del.icio.us/popular/compliance" rel="tag"&gt;compliance&lt;/a&gt;&lt;/div&gt;  &lt;p&gt;   &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:c8a72f8e-c813-4e75-baba-6228ba3d9989" style="padding-right: 0px; display: inline; padding-left: 0px; float: none; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/savvus" rel="tag"&gt;savvus&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Merrick" 
rel="tag"&gt;Merrick&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Visa" rel="tag"&gt;Visa&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CISP" rel="tag"&gt;CISP&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Cardholder+Information+Security+Program" rel="tag"&gt;Cardholder Information Security Program&lt;/a&gt;,&lt;a href="http://technorati.com/tags/CardSystems" rel="tag"&gt;CardSystems&lt;/a&gt;,&lt;a href="http://technorati.com/tags/pay+by+touch" rel="tag"&gt;pay by touch&lt;/a&gt;,&lt;a href="http://technorati.com/tags/Michael+Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;,&lt;a href="http://technorati.com/tags/audit" rel="tag"&gt;audit&lt;/a&gt;,&lt;a href="http://technorati.com/tags/security" rel="tag"&gt;security&lt;/a&gt;,&lt;a href="http://technorati.com/tags/technology" rel="tag"&gt;technology&lt;/a&gt;,&lt;a href="http://technorati.com/tags/compliance" rel="tag"&gt;compliance&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2009/06/clean-security-bill-of-health.html</feedburner:origLink></entry>
    <entry>
        <title>VA vs USB</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/jPrCKaddjdo/va-vs-usb.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2007/06/va-vs-usb.html" thr:count="1" thr:updated="2008-03-16T13:27:08-05:00" />
        <id>tag:typepad.com,2003:post-35806752</id>
        <published>2007-06-26T08:25:49-05:00</published>
        <updated>2007-06-26T08:25:49-05:00</updated>
        <summary type="html">This is a little stale but I wanted to talk about it anyway. With their latest actions, I believe the Department of Veterans Affairs is quickly becoming the poster child for reformed data loss victims. (important to note that, in...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;font size="3"&gt;This is a little stale but I wanted to talk about it anyway.&amp;nbsp;With their latest actions, I believe the&amp;nbsp;&lt;a title="Opens a separate web page to the VA" href="http://www.va.gov/" target="_blank"&gt;Department of Veterans Affairs&lt;/a&gt;&amp;nbsp;is quickly becoming the poster child for reformed &lt;a title="Opens a link to the VA's data security page" href="http://www.usa.gov/veteransinfo/" target="_blank"&gt;data loss victims&lt;/a&gt;. &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;(It is important to note that, in this case,&amp;nbsp;the data&amp;nbsp;was eventually recovered.)&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;The VA announced a few weeks ago that they have purchased 25,000 USB drives with built-in encryption from &lt;a title="Opens a separate web page to Kanguru" href="http://www.kanguru.com/" target="_blank"&gt;Kanguru&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;The built-in AES-256 encryption will help ensure that only authorized users can gain access to the USB drive and will prevent another&amp;nbsp;major meltdown if a drive is lost or stolen.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;Also, it should be noted that Kanguru says that they can prevent users from attaching the devices to the network based on a device&amp;nbsp;identification number.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;I believe that this is a great step but one that must be accompanied by some level of control over which USB devices can be used. I have stated in this blog a number of times that a policy without the means to enforce it is just window dressing.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;So, kudos to the VA on a positive step and on showing corporate America the direction to move in. Just make sure that you keep the momentum going and block access to the unauthorized USB devices out there. 
&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;Michael Mongold&lt;/font&gt;&lt;/p&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:3da5d70a-2e28-4343-97e3-72c2907f36c6" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati tags: &lt;a href="http://technorati.com/tags/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Data%20encryption" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Kanguru" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://technorati.com/tags/VA" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Veterans%20Affairs" rel="tag"&gt;Veterans Affairs&lt;/a&gt;, &lt;a href="http://technorati.com/tags/USB%20encryption" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:11a90205-6389-4989-b5d7-810ff3a41614" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;LiveJournal tags: &lt;a href="http://www.livejournal.com/interests.bml?int=Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=Data%20encryption" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=Kanguru" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=VA" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=Veterans%20Affairs" rel="tag"&gt;Veterans Affairs&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=USB%20encryption" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:576ac30d-005b-47b2-9b8d-0b957ed4b65a" contenteditable="false" 
style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;IceRocket tags: &lt;a href="http://blogs.icerocket.com/search?q=Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=Data%20encryption" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=Kanguru" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=VA" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=Veterans%20Affairs" rel="tag"&gt;Veterans Affairs&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=USB%20encryption" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:e0f9bee4-40c4-4404-ae9a-b670209137ec" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Flickr tags: &lt;a href="http://flickr.com/photos/tags/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/Data%20encryption" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/Kanguru" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/VA" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/Veterans%20Affairs" rel="tag"&gt;Veterans Affairs&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/USB%20encryption" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:dfeff91e-05df-4fc9-8c3d-f3a603a194f4" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us tags: &lt;a href="http://del.icio.us/popular/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a 
href="http://del.icio.us/popular/Data%20encryption" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/Kanguru" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/VA" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/Veterans%20Affairs" rel="tag"&gt;Veterans Affairs&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/USB%20encryption" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:d5e15126-c724-473a-bec7-10146b882890" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;BuzzNet tags: &lt;a href="http://www.buzznet.com/tags/Michael%20Mongold/" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/Data%20encryption/" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/Kanguru/" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/VA/" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/Veterans%20Affairs/" rel="tag"&gt;Veterans Affairs&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/USB%20encryption/" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:6eab1532-ff80-4a43-9d3f-e0ce75eb11ea" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;43 Things tags: &lt;a href="http://www.43things.com/tag/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/Data%20encryption" rel="tag"&gt;Data encryption&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/Kanguru" rel="tag"&gt;Kanguru&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/VA" rel="tag"&gt;VA&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/Veterans%20Affairs" rel="tag"&gt;Veterans 
Affairs&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/USB%20encryption" rel="tag"&gt;USB encryption&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2007/06/va-vs-usb.html</feedburner:origLink></entry>
    <entry>
        <title>Shameless Self-Promotion</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TechnologySecurity/~3/PZASDNEU2Wo/shameless-self-.html" />
        <link rel="replies" type="text/html" href="http://securityblog.typepad.com/technology_security/2007/06/shameless-self-.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-35768942</id>
        <published>2007-06-25T14:07:52-05:00</published>
        <updated>2007-06-25T14:07:52-05:00</updated>
        <summary type="html">Since I only do this blog for my own narcissistic pleasure, won't you please go to Austin's "Best of" poll and vote for me as the best blogger? Many humble thanks, my friends! http://www.austinchronicle.com/feedback/bestof/07/ Michael Mongold Technorati tags: Michael Mongold,...</summary>
        <author>
            <name>Michael Mongold</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://securityblog.typepad.com/technology_security/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;font size="3"&gt;Since I only do this blog for my own narcissistic pleasure, won't you please go to Austin's "Best of" poll and vote for me as the best blogger? Many humble thanks, my friends!&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;&lt;a title="http://www.austinchronicle.com/feedback/bestof/07/" href="http://www.austinchronicle.com/feedback/bestof/07/"&gt;http://www.austinchronicle.com/feedback/bestof/07/&lt;/a&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&lt;font size="3"&gt;Michael Mongold&lt;/font&gt;&lt;/p&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:6ecefc33-d12e-4491-ac30-1aa7e2b352d9" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Technorati tags: &lt;a href="http://technorati.com/tags/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Austin" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Best%20of" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a href="http://technorati.com/tags/narcissism" rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:32879cbb-d56d-42c5-a156-c4a0d19b01e7" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;LiveJournal tags: &lt;a href="http://www.livejournal.com/interests.bml?int=Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=Austin" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://www.livejournal.com/interests.bml?int=Best%20of" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a 
href="http://www.livejournal.com/interests.bml?int=narcissism" rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:e6a8b629-9468-44bf-95fc-2ea24bea49bb" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;IceRocket tags: &lt;a href="http://blogs.icerocket.com/search?q=Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=Austin" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=Best%20of" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a href="http://blogs.icerocket.com/search?q=narcissism" rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:f3d2a392-240d-4428-9542-aad14109e7e4" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;Flickr tags: &lt;a href="http://flickr.com/photos/tags/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/Austin" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/Best%20of" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a href="http://flickr.com/photos/tags/narcissism" rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:2dbd0cad-167b-423e-976a-e3a63fde1c2f" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;del.icio.us tags: &lt;a href="http://del.icio.us/popular/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/Austin" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/Best%20of" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a href="http://del.icio.us/popular/narcissism" 
rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:c4041138-a11f-4a48-bdc7-65b6d915059d" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;BuzzNet tags: &lt;a href="http://www.buzznet.com/tags/Michael%20Mongold/" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/Austin/" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/Best%20of/" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a href="http://www.buzznet.com/tags/narcissism/" rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt; &lt;div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:efa5dcee-c6d1-429a-b0a0-0cfe5421b64d" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px"&gt;43 Things tags: &lt;a href="http://www.43things.com/tag/Michael%20Mongold" rel="tag"&gt;Michael Mongold&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/Austin" rel="tag"&gt;Austin&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/Best%20of" rel="tag"&gt;Best of&lt;/a&gt;, &lt;a href="http://www.43things.com/tag/narcissism" rel="tag"&gt;narcissism&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>



    <feedburner:origLink>http://securityblog.typepad.com/technology_security/2007/06/shameless-self-.html</feedburner:origLink></entry>
 
</feed><!-- ph=1 -->

