<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by NuID on Medium]]></title>
        <description><![CDATA[Stories by NuID on Medium]]></description>
        <link>https://medium.com/@NuID?source=rss-ae1c4393b2b5------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*rgJaOl_-PF57uz2ZmtOWRQ.jpeg</url>
            <title>Stories by NuID on Medium</title>
            <link>https://medium.com/@NuID?source=rss-ae1c4393b2b5------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Mon, 23 Mar 2026 14:21:08 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@NuID/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Let’s Talk Authentication, The Frequency Illusion, & Identity Utility]]></title>
            <link>https://medium.com/@NuID/lets-talk-authentication-the-frequency-illusion-identity-utility-dc5894ff27e5?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/dc5894ff27e5</guid>
            <category><![CDATA[zero-knowledge-proofs]]></category>
            <category><![CDATA[digital-identity]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[decentralized-identity]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Tue, 29 Mar 2022 20:47:05 GMT</pubDate>
            <atom:updated>2022-03-29T20:47:05.130Z</atom:updated>
            <content:encoded><![CDATA[<p>This piece was originally published on the NuID blog, <a href="https://blog.nuid.io/identity-utility-on-the-web/">The Nus</a>.</p><p><strong>Have you ever heard of the frequency illusion, where once you notice something, you seem to suddenly notice it everywhere?</strong> It’s also called the Baader–Meinhof phenomenon, and it’s been ruling my life since joining NuID.</p><p>I’m seeing content &amp; having off-the-cuff conversations about the woes of logins and credentials more than I ever would have anticipated. <em>Well Carlyle, </em>you think, <em>that must be because you changed industries – of course you’re going to see and hear about the thing you do for work. </em>That’s a good observation, and a correct one. Naturally the media and conversations I consume will closely align with my area of work. However, that doesn’t account for, say, Spotify <a href="https://variety.com/2022/digital/news/spotify-down-access-issues-1235199002/">locking me out of my account</a> moments before a 3-hour flight, or a close college friend spontaneously complaining about the inconvenience of MFA at work.</p><p>The truth is, issues with authentication are everywhere, all the time, and people’s complaints are constant (and valid). I’m just recently internalizing and processing these events because they pertain to me and my efforts within NuID. This phenomenon is called the frequency <em>illusion </em>for a reason: the newly perceived frequency has always been there, just lying unnoticed on the periphery of consciousness.</p><p>What seemed like one-off annoyances in managing my accounts in the past are actually a systemic issue with threads connecting to every facet of our online identities: forgetting passwords, resetting passwords, being locked out of accounts, maintaining an endless password list, platforms’ customer support being utterly unhelpful; I could go on. 
If you start to observe, you’ll notice the same thing if you haven’t already. It’s not just you whose Netflix password you <em>swear </em>you typed in correctly but it only works on the third try. It’s not just you who watches warily when another of your Instagram followers gets hacked and <a href="https://www.idtheftcenter.org/post/itrc-bitcoin-scams-lead-to-hacked-instagram-accounts/">starts shilling Bitcoin</a>.</p><p>We use the internet constantly. It governs huge portions of our work, our socialization, and our education. Some platforms aim for us to <a href="https://www.polygon.com/22959860/metaverse-explained-video-games">have quasi-lives in it</a>. How is it, then, for something so seemingly sophisticated, so omnipresent in our lives, that it can be <em>so dang hard </em>to access and manage?</p><p>Passionate communities and companies want to tackle these issues, which is fantastic, but it can be hard to cut through the noise and the “hype” of what’s being promised. When people start talking about a “decentralized internet” or “web3” it can be easy to lose the thread of what the community is trying to achieve and how it will actually benefit people. Those concepts can get a bit nebulous. What NuID is working toward is <strong>Identity Utility on the internet</strong>. Let’s unpack that a bit.</p><p>For most of us, our utilities provide a crucial function in our daily lives, but we don’t give too much thought to how<em> exactly </em>they work. I have a rudimentary understanding of how power enters my home, but I’m certainly not thinking about it when I flip the lights on in the morning. I flip a switch, they come on as expected, and I proceed about my day. Same goes for the gas that heats my shower, or the water that washes my dishes. 
My utilities make my life easy, I expect them to work efficiently, and I don’t have to spend too much time thinking about them; even my bills are on autopay.</p><p>Identity on the internet should be the same: usable, useful, reliable, portable, and convenient (not to mention secure). If you show up at a bar, you should be able to quickly and easily verify you’re 21+ without also sharing a physical ID with your full name, home address, and full birthday as we do now.</p><p>A decentralized web is one in which individuals are the owners of their digital selves; they don’t have to trust platforms with their sensitive data like passwords, and they control who accesses what information. In order to make that a reality, it has to be built for<em> everyone to use</em>. And based on the frequency of complaints about the current model of identity on the internet, <em>everyone should want to use it</em>.</p><p>I would love to never see another “reset password” email in my inbox again. When I move, I would love to update my address once and have it propagate across the platforms I care about. I would love to never receive a message like the one below that Locke received from Microsoft (how can you not reset a password to your own account when you’re the admin?!).</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*342jmwGxRiG7mJ_N4DkdBg.png" /></figure><p>We have a ways to go before true Identity Utility is implemented, but we have to start somewhere. Fortunately, NuID has been grinding away, head down, building the foundation for such a thing. It started with our <a href="https://nuid.io/solution.html">trustless authentication protocol</a>, and it’s continuing with the development of the NuWallet &amp; KiiChain. We aim to be the utility company for identity.</p><p>Identity Utility on the internet is not just possible, it’s happening, and we’re building it. We hope you’ll join us on the journey to bringing it to fruition. 
I’m energized and honored to play some small part in this effort, not just for my own benefit, but for the benefit of us all. If you start noticing your own woes with authentication and account management, drop me a line, and we can commiserate together (but rest assured, we’re working to fix it).</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Top 5: NuID 101 at RSA 2020]]></title>
            <link>https://medium.com/@NuID/top-5-nuid-101-at-rsa-2020-3dcc68923cf5?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/3dcc68923cf5</guid>
            <category><![CDATA[rsac]]></category>
            <category><![CDATA[ssi]]></category>
            <category><![CDATA[infosec]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[rsa]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Mon, 10 Feb 2020 16:39:57 GMT</pubDate>
            <atom:updated>2020-02-10T17:34:21.294Z</atom:updated>
            <content:encoded><![CDATA[<p>It’s just two weeks out from the mega-event that is the RSA Conference. You, along with over 40,000 other security professionals and technologists, have (hopefully) squared away your travel plans and cleared your calendar. The last thing left to do is sift through the 24 topics and tracks containing dozens of sessions over six days of talks to build your own personalized agenda… Good luck!</p><p>To help lighten your analysis paralysis, we’ve put together a “NuID 101” mini-agenda with five RSAC sessions that touch on topics near and dear to us, like password storage, the future of authentication, cryptography, and decentralized identity.</p><p>Check out these five sessions to gain a better understanding of some of the challenges and innovations in authentication and digital identity today, and then stop by our booth #20 in the Early Stage Expo to chat about them!</p><h4><a href="https://www.rsaconference.com/usa/agenda/guidance-for-password-management-and-securing-it-in-storage">Guidance for Password Management and Securing It in Storage</a></h4><p>This may seem like a strange session for a team that gives out t-shirts with “Stop. Storing. Passwords.” on the back to suggest.</p><p>Yes, our answer to the “increased pressure on storing a password securely” is simply not to store passwords at all. Still, in this session Hoyt Kesterson will break down exactly why common password storage practices aren’t enough. 
And if your organization hasn’t yet made the transition to <a href="https://nuid.io/#/solution">trustless authentication</a>, Kesterson’s guidance on password storage is sure to be some of the best available (if you’re reading this Hoyt, we would be honored to contribute to that guidance!).</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*cFH7rmgZOLBKGLNa" /></figure><h4><a href="https://www.rsaconference.com/usa/agenda/follow-the-money-the-link-between-passwords-and-terrorism">Follow the Money: The Link between Passwords and Terrorism</a></h4><p>After hearing from Kesterson about the weaknesses of existing password-based authentication methods, this talk by Trusona founder Ori Eisen and Frank Abagnale of real-life “Catch Me If You Can” fame will really hammer home the scale and severity of the password-breach problem.</p><p>Eisen and Abagnale’s illumination of the national security implications of password breaches is just one aspect of a broader phenomenon that our CTO <a href="https://blog.nuid.io/enterprise-overflow-drowning-in-credential-data-breaches/">wrote about last year</a>. Nolan pointed out that passwords are not just a weak link in any particular organization, but are in fact a systemic vulnerability that transcends and interconnects otherwise unrelated organizations, something he coined “Enterprise Overflow.”</p><h4><a href="https://www.rsaconference.com/usa/agenda/password-strengthening-and-secure-computation">Password Strengthening and Secure Computation</a></h4><p>Moving on to a talk that is a bit more optimistic: in Topic 1 of this two-part session, cryptographers Nigel Smart and John Kelsey will present Ticket-Mediated Password Strengthening (TMPS), a technique that Kelsey and his co-authors published in <a href="https://eprint.iacr.org/eprint-bin/getfile.pl?entry=2019/543&amp;version=20190522:085419&amp;file=543.pdf">a paper</a> last year.</p><p>TMPS is a creative approach to addressing the risks of server-side password database compromise. With TMPS the user’s password never leaves their device. It is used locally to derive a cryptographic key and, through an interaction with an authentication server, a set of one-time-use “tickets”, one of which must be spent on every authentication attempt.</p><p>The server never learns anything about the user’s password, so a server-side breach does not lead to the Enterprise Overflow problem of existing password storage. Furthermore, because every authentication attempt (and therefore every password guess by an attacker) must be accompanied by an unused ticket, a would-be attacker is severely limited in their ability to run dictionary or brute-force guessing strategies.</p><p>The practical viability and tradeoffs of TMPS are worth considering. Regardless, we think this is a great talk to attend to get thinking about new cryptographic approaches to password-based authentication.</p><h4><a href="https://www.rsaconference.com/usa/agenda/managing-self-sovereign-identities-a-relying-party-perspective">Managing Self-Sovereign Identities: A Relying Party Perspective</a></h4><p>Self-sovereign identity (SSI), a term often used interchangeably with decentralized or blockchain-based identity, is the concept of a digital representation of identity which is decoupled from and not controlled by any centralized entity. For a better understanding, check out Christopher Allen’s formative article <a href="http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html">The Path to Self-Sovereign Identity</a>.</p><p>NuID was founded on the mission to return data ownership to the individual. 
Self-sovereign identity is core to that mission and we have been <a href="https://blog.nuid.io/nuid-daml/">working</a> on it, and <a href="https://blog.nuid.io/passwords-privacy-identity/">talking</a> about it, from <a href="https://blog.nuid.io/hello-from-nuid/">the beginning</a>.</p><p>This session with Verizon’s George Fletcher will provide a valuable perspective on the real-world adoption of SSI. Not only is Fletcher a veteran of the identity standards world, he will also be able to share learnings from within a large legacy organization, a less common perspective in the cutting-edge space of SSI.</p><h4><a href="https://www.rsaconference.com/usa/the-experience/innovation-programs/launch-pad">RSAC Launch Pad</a></h4><p>This last session is not actually a session, but we still think you should put it on your agenda! Launch Pad is RSA’s early-stage startup pitch event, where the top new security companies pitch their product to VC judges and the RSA audience.</p><p>This event is special to us because last year NuID was selected to participate in the first-ever RSAC Launch Pad! 
You can see Ethan’s pitch on the <a href="https://www.rsaconference.com/usa/the-experience/innovation-programs/launch-pad">Launch Pad event page</a>.</p><p>The companies participating in Launch Pad this year may not strictly fit into a NuID 101 curriculum, but there’s no better place to learn about the future of security than from the teams who are out there building it.</p><p>Plus, the Launch Pad stage is right next to the Early Stage Expo where our kiosk will be, so you can stop by after the event and graduate to the NuID 200 level course!</p><p>If you’re interested in meeting at the event, <a href="mailto:info@nuid.io">shoot us an email</a> or visit our <a href="https://nuid.io/#/contact">contact page</a>.</p><p><em>Originally published at </em><a href="https://blog.nuid.io/the-nuid-101-agenda-at-rsa-2020/"><em>https://blog.nuid.io</em></a><em> on February 10, 2020.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Welcoming BJ Neilsen to NuID!]]></title>
            <link>https://medium.com/@NuID/welcoming-bj-neilsen-to-nuid-aa55a7e721bb?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/aa55a7e721bb</guid>
            <category><![CDATA[infosec]]></category>
            <category><![CDATA[startup]]></category>
            <category><![CDATA[hiring]]></category>
            <category><![CDATA[blockchain]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Tue, 04 Feb 2020 17:30:32 GMT</pubDate>
            <atom:updated>2020-02-10T16:50:23.644Z</atom:updated>
            <content:encoded><![CDATA[<p>As a small team, nothing is more exciting and impactful than bringing on a new hire. We recently had the pleasure of doing just that with the addition of BJ Neilsen as a Senior Engineer! BJ joins us from sunny St. Augustine Florida, and has already become an integral part of our development efforts in the three short weeks since he joined the team.</p><p>Some of you may be aware that we like to write <a href="https://blog.nuid.io/tag/team/">welcome posts</a> whenever someone joins the team. This time, we decided to do it a bit differently and asked BJ to answer a few questions about himself, so you can get to know him from the source.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/600/0*vkWWZk2Lzj1U_BRh.png" /></figure><h4><strong>So, BJ, tell us a little about yourself.</strong></h4><p><em>I grew up in Utah and fell in love with the mountains and being active outdoors. My wife and I married 15+ years ago and we have 5 wonderful kids. We sold most of everything we owned in 2017 and traveled to 11 countries. Afterward we moved to Florida for a change of scenery. I fell into software development by accident 17 years ago when the guy next to me at work started teaching me to code. I became totally obsessed with building sites and apps, and that hasn’t really worn off even to this day.</em></p><h4><strong>Do you have any hobbies outside of software development?</strong></h4><p><em>Too. Many. To. Count. I fell deeply in love with rock climbing in the Utah mountains (I have a rock wall in my garage because Florida doesn’t have any cliffs to speak of). 
I love travel, hiking, camping, playing soccer, rooting for Real Salt Lake, building and playing guitars, playing piano, skateboarding, snowboarding, surfing, Taekwondo, riding motorcycles, attending musical theater, learning new programming languages, and on and on.</em></p><h4><strong>Can you share some of the what and why of your career so far?</strong></h4><p><em>I love building products that provide real value to people, something that solves a fundamental problem in their life. I get excited about the process of software development as well, always trying to simplify the process to the most essential parts, while ensuring that the end goal is always improvement in the lives of the people using our software.</em> <em>I have something inside me that pushes me to Make Things™. I have so many hobbies I have to be selective about where I spend my time. In the software world I just gain so much satisfaction out of creating something useful for people to use and enjoy.</em> <em>In my last role I was the Director of Engineering at Bitt, a Barbadian startup building a Central Banking Digital Minting platform backed by blockchain. Before that I was a principal engineer at Kuali, building a next-generation student enrollment platform for higher education.</em> <em>Previously, I built and maintained the most popular Ruby protobuf library used by companies like MX and Square.</em></p><h4><strong>How would you explain your role at NuID?</strong></h4><p><em>I’m joining the team to iterate on the NuID platform, adding user features alongside platform improvements. We’re currently investigating ways to deeply leverage Clojure’s spec library to provide greater stability, introspection, and auditability of our platform. The potential has me so excited for NuID’s future.</em></p><h4><strong>Hit us with some random facts about yourself.</strong></h4><ul><li><em>I once nearly lost an eye playing in the backyard. 
A few months after the accident the eye that wasn’t damaged changed color from green to brown. The other eye is still green like it was before. ¯\_(ツ)_/¯</em></li><li><em>I once placed 3rd in a “dance competition” at a huge youth conference when I was 15. I had not ever danced before that night, and haven’t since. I was also wearing bright purple Adidas tear-away pants, so maybe that’s why the judges loved me.</em></li><li><em>I broke my elbow because I ran over a dead cat on my road bike and crashed.</em></li><li><em>I’ve broken my skull, elbow, collar bone, several fingers and toes, and torn my ACL.</em></li></ul><h4><strong>Anything else you want to add?</strong></h4><p><em>It feels like an understatement to say I am so excited to join the NuID team. I’ve been so inspired by the quality of work you’ve been doing in the zero knowledge/trustless authentication space, I can’t wait to dig in!</em></p><h4>Interested in joining the team and returning data ownership to the individual? Check out our <a href="https://blog.nuid.io/tag/hiring:open/">open positions</a>!</h4><p><em>Originally published at </em><a href="https://blog.nuid.io/welcoming-bj-neilsen-to-nuid/"><em>blog.nuid.io</em></a><em> on February 4, 2020.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Decentralized Identity On the Big Stage at Gartner IAM Summit]]></title>
            <link>https://medium.com/@NuID/decentralized-identity-on-the-big-stage-at-gartner-iam-summit-2b2141c74a04?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/2b2141c74a04</guid>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[gartner]]></category>
            <category><![CDATA[infosec]]></category>
            <category><![CDATA[decentralized-identity]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Wed, 27 Nov 2019 05:54:00 GMT</pubDate>
            <atom:updated>2019-12-04T16:02:48.355Z</atom:updated>
            <content:encoded><![CDATA[<p>Next month nearly two thousand CIOs, CISOs, IAM practitioners, and other technology leaders will gather in Las Vegas at the <a href="https://www.gartner.com/en/conferences/na/identity-access-management-us">Gartner Identity and Access Management Summit</a>. Granted, there are probably more exciting events that take place in Vegas, but the Gartner IAM Summit is perhaps the most significant event on the annual digital identity conference circuit.</p><p>That claim is particularly true for Gartner’s market sweet spot of major enterprises. Gartner counts 74% of Fortune 500 companies among its clients, and over half of the IAM Summit attendees represent businesses with over 20,000 employees. The point being: Gartner has the ear of digital identity leaders from many of the world’s largest enterprises.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*s9KeoVPIaFGQrCHmTA-6eA.png" /></figure><p>Which is why it’s exciting and encouraging that one of the five tracks at this year’s event will highlight decentralized identity. Although the topic of decentralized identity has attracted increasing attention in the past several years, its inherent nature as something that is, well, <em>decentralized</em>, has so far meant that the most active proponents have been consortiums and open communities like the <a href="https://identity.foundation/">Decentralized Identity Foundation</a> and <a href="https://www.w3.org/TR/did-core/">W3C</a>, as well as new startups like NuID (and many others). 
However, the prominence of decentralized identity at Gartner’s IAM Summit this year marks a new phase of enterprise exploration, which we think will be followed by adoption in the next few years.</p><p>The “Multifactor Authentication and Decentralized Identity” track at Gartner IAM will include an “Ask the Expert” session with Gartner analyst David Mahdi, who recently co-authored a 2019 <a href="https://www.gartner.com/doc/3941907">research paper</a> (paywall) on the prospect of enterprise adoption of decentralized identity, which stated that “security and risk management leaders must focus on increasing readiness for future adoption of decentralized identity.”</p><p>The “Guidance for Decentralized Identity Adoption” session with analyst Homan Farahmand promises to present three example use-cases of decentralized identity in the enterprise environment. Homan has been researching decentralized technologies, and specifically identity, for several years, and wrote the definitive Gartner report <a href="https://www.gartner.com/doc/3876011?ref=AnalystProfile&amp;srcId=1-4554397745">Blockchain: The Dawn of Decentralized Identity</a> (paywall).</p><p>This year has already seen the first steps taken towards decentralized identity by old-guard behemoths like <a href="https://www.microsoft.com/en-us/security/technology/own-your-identity">Microsoft</a> and <a href="https://newsroom.mastercard.com/press-releases/mastercard-introduces-consumer-centric-model-for-digital-identity/">Mastercard</a>. And while it’s unsurprising that companies that see a role for themselves as technology and service providers in a new decentralized landscape have made some of the first moves, Gartner’s research publications and event content are aimed at businesses that will be looking to adopt, consume, and integrate decentralized identity solutions into their line of business applications. 
And adoption by these services (banks, insurance companies, e-commerce, and so on) would bring decentralized identity to the truly big stage of global adoption.</p><p>Of course (shameless plug warning), there’s no better source to learn about decentralized identity than from people who are working to build the ecosystem! We <a href="https://blog.nuid.io/nuid-daml/">launched a partnership</a> earlier this year with the DAML enterprise smart contracts team of Digital Asset to make our trustless authentication and decentralized identity solution more easily available to enterprises.</p><p>Our team will be at Gartner IAM at booth #431 and would love to hear from you if you have questions or thoughts about decentralized identity. You can also reach out at <a href="mailto:info@nuid.io">info@nuid.io</a> to schedule a time to stop by.</p><p>You can also use our discount code IAMSP46 to save $350 off the full registration price.</p><p><em>Originally published at </em><a href="https://blog.nuid.io/decentralized-identity-on-the-big-stage-at-gartner-iam-summit/"><em>https://blog.nuid.io</em></a><em> on November 27, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[NebulousAD v1.1 with k-Anonymity]]></title>
            <link>https://medium.com/@NuID/nebulousad-v1-1-with-k-anonymity-276930703a98?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/276930703a98</guid>
            <category><![CDATA[security]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[passwords]]></category>
            <category><![CDATA[data-breach]]></category>
            <category><![CDATA[sysadmin]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Wed, 11 Sep 2019 22:15:13 GMT</pubDate>
            <atom:updated>2019-09-12T00:33:50.069Z</atom:updated>
            <content:encoded><![CDATA[<p>(skip straight to <a href="https://github.com/NuID/nebulousAD">GitHub</a>)</p><p>Last month <a href="https://blog.nuid.io/nebulousad/">we released</a> NebulousAD, a free tool for checking user credentials in Active Directory against more than 2.5 billion unique passwords that have been compromised in data breaches.</p><p>The tool was made with system administrators in mind. It’s available as a precompiled executable or can be built from source, it doesn’t require you to download and host terabytes of data, and it was designed to work well with SIEM tools and Windows Task Scheduler. You can watch Robert, our Director of R&amp;D, present NebulousAD at the BSides Las Vegas security event <a href="https://www.youtube.com/watch?v=xJgUdNfWbE4&amp;trk">here</a>.</p><p>Today we’re happy to announce an update to the <a href="https://github.com/NuID/nebulousAD">NebulousAD tool</a> that brings two important changes: improved documentation for the tool and API that will make getting up and running even easier, and support for the privacy-preserving k-anonymity model of checking password hashes.</p><h3>k-Anonymity</h3><p>We’re particularly excited about the k-anon support since privacy is at the core of <a href="https://blog.nuid.io/passwords-privacy-identity/">what we do</a>. Although we don’t log or store the hashes that are sent to the NebulousAD API, we’d much rather not even be able to if we tried. This is what k-anon enables.</p><p>We took inspiration from Troy Hunt’s <a href="https://haveibeenpwned.com/Passwords">Pwned Passwords</a> service, which has been using k-anon to check breached passwords since early 2018. 
The model, which is <a href="https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/">explained in detail</a> by Junade Ali at Cloudflare, is simple in all the best ways.</p><p>Rather than sending an entire hash to our API to check if that exact hash shows up in our database, with k-anon only the first few characters of the hash are sent. This “hash prefix” matches not just one but a set of hashes in our database that all happen to start with those characters (and then differ in their subsequent characters, since the full hashes are all unique). The entire set of hashes from the database with a matching prefix is then sent back to the client, where an offline check is performed to determine whether the original hash matches any in the returned set.</p><p>Because we never receive the full hash, we don’t know if any of the hashes in the prefix-match set are actually the same as the one being audited by the client. And if there is a match (which we wouldn’t know), we also wouldn’t know which of the hundreds of hashes in the set it is.</p><p>NebulousAD uses a hash prefix length of five characters, and returns a minimum of 405 and a maximum of 985 results for any valid five-character prefix. Hashes are pseudo-random, so they are distributed relatively evenly across all possible prefixes, but natural variation produces that range of response sizes.</p><p>As an example, the text “ilovemydog” has the SHA-2(NTLM) hash (a 64-hex-character, 256-bit digest) of:</p><blockquote><strong>be266</strong>46e1f96e05eca5ec4a7c1677012ab8cedd0a0704c5531569cb2c39d0dac</blockquote><p>The first five bolded characters, “<strong>be266</strong>”, are the prefix. This is what would be sent from the client to our API. Querying this prefix against the Nebulous database results in 856 matches (this number may change as we add more data in the future). 
As mentioned above, we wouldn’t know which, if any, of the 856 hashes with the <strong>be266</strong> prefix match the original full hash (spoiler: in this case “ilovemydog” is definitely in Nebulous). All 856 matching hashes will be returned to the client, where the final check for a full match is made.</p><p>Using the k-anon model makes it significantly harder for us, or for anyone who may be able to intercept your traffic, to gain any useful information from monitoring your interactions with the Nebulous API: an observer learns only a five-character prefix, never which of the several hundred hashes in that bucket is being audited, and never whether it matched at all.</p><h3>Getting started</h3><p>You can get started using NebulousAD by heading over to our <a href="https://github.com/NuID/nebulousAD">GitHub page</a>. As always, we welcome and encourage any questions or feedback at <a href="mailto:nebulous@nuid.io">nebulous@nuid.io</a>. If you have had a chance to try the tool, we would also appreciate it if you could take a couple of minutes to fill out <a href="https://forms.gle/SuHSRikL7h4S69fV9">this feedback form</a>.</p><p><em>Originally published at </em><a href="https://blog.nuid.io/nebulousad-v1-1-with-k-anonymity/"><em>https://blog.nuid.io</em></a><em> on September 11, 2019.</em></p>]]></content:encoded>
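The prefix exchange described in the post, as an added example that is not part of the original post and not code from the NebulousAD tool: the client hashes a password locally, sends only a five-character prefix to a server, and matches offline against the bucket that comes back. MockBreachServer, is_breached, anonymity_set_size and build_sample_database are hypothetical names introduced here; the sample database is constructed for the example; and plain SHA-256 of the password stands in for the tool's own pre-hashing (the post's SHA-2(NTLM) digest), since the prefix logic is the same whichever 64-hex-character digest is used. Going one step beyond the post, the prefix length is a parameter rather than fixed at five.

```python
import hashlib
from typing import Dict, List, Set

# NebulousAD sends a five-character hash prefix (from the post).
PREFIX_LEN = 5
HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(text: str) -> str:
    """Hex digest of SHA-256 over the UTF-8 bytes of `text`.

    Assumption: this stands in for the tool's own pre-hashing (the post's
    "SHA-2(NTLM)", a 64-hex-character digest). Swap in the real hashing
    pipeline when adapting; the prefix logic below does not change.
    """
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class MockBreachServer:
    """Hypothetical stand-in for the NebulousAD API, not the real service.

    Holds full hashes of breached passwords bucketed by prefix and answers
    only prefix queries. Every query is recorded so a caller can audit what
    the server was actually shown.
    """

    def __init__(self, breached_hashes: List[str]) -> None:
        self.by_prefix: Dict[str, Set[str]] = {}
        for digest in breached_hashes:
            self.by_prefix.setdefault(digest[:PREFIX_LEN], set()).add(digest)
        self.seen_queries: List[str] = []

    def query_prefix(self, prefix: str) -> Set[str]:
        """Return every stored hash that starts with `prefix`."""
        if len(prefix) != PREFIX_LEN or not set(prefix).issubset(HEX_DIGITS):
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.seen_queries.append(prefix)
        # Copy so the caller cannot mutate the server's bucket.
        return set(self.by_prefix.get(prefix, ()))


def is_breached(password: str, server: MockBreachServer) -> bool:
    """Client side of the k-anonymity check.

    The full hash is computed locally, only its prefix crosses the wire,
    and the final match is made against the returned bucket offline.
    """
    full_hash = sha256_hex(password)
    bucket = server.query_prefix(full_hash[:PREFIX_LEN])
    return full_hash in bucket


def anonymity_set_size(password: str, server: MockBreachServer) -> int:
    """How many stored hashes share this password's prefix (the k in k-anon)."""
    return len(server.query_prefix(sha256_hex(password)[:PREFIX_LEN]))


def build_sample_database() -> List[str]:
    """Constructed sample data for this example, not a real breach corpus.

    A few hashed passwords plus synthetic neighbours that share the first
    password's prefix but differ afterwards, so a prefix query returns a
    bucket of several entries instead of a single hash.
    """
    real = [sha256_hex(p) for p in ("ilovemydog", "password1", "letmein", "qwerty")]
    anchor = real[0]
    siblings = [anchor[:PREFIX_LEN] + format(i, "059x") for i in range(1, 20)]
    return real + siblings


if __name__ == "__main__":
    server = MockBreachServer(build_sample_database())
    for candidate in ("ilovemydog", "correct horse battery staple"):
        print(candidate, "breached:", is_breached(candidate, server),
              "bucket size:", anonymity_set_size(candidate, server))
    # The server saw only prefixes, never a full hash.
    print("server saw:", server.seen_queries)
```

The server's seen_queries list is the audit trail for the property the post describes: it only ever contains prefixes, so nothing the server (or an observer of the exchange) records can identify the audited hash or say whether it matched. Shortening PREFIX_LEN enlarges every bucket, and therefore the anonymity set, at the cost of a larger response per query.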
        </item>
        <item>
            <title><![CDATA[Hiring: Senior Full Stack Engineer]]></title>
            <link>https://medium.com/@NuID/hiring-senior-full-stack-engineer-4818a834762b?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/4818a834762b</guid>
            <category><![CDATA[clojure]]></category>
            <category><![CDATA[hiring]]></category>
            <category><![CDATA[startup]]></category>
            <category><![CDATA[blockchain]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Mon, 09 Sep 2019 15:00:00 GMT</pubDate>
            <atom:updated>2019-09-12T00:30:21.870Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/600/0*LOURZcc3s8Ww8Qfb.gif" /></figure><h3>About NuID</h3><p>NuID is building a next-generation authentication platform intended to simplify writing secure, privacy-preserving applications. Our solution, NuLogin, leverages zero knowledge proofs to eliminate the sharing of authentication secrets, and a distributed ledger to provide persistent, globally unique, and user-owned authentication credentials. NuLogin is the modern login box.</p><p>We are a seed-stage startup with backing from 8VC, Jemison Investment, and angel investors. You can see more about our team and advisors <a href="https://nuid.io/#/team">here</a>, and check out the rest of <a href="https://blog.nuid.io/">our blog</a> to get to know what we’re about.</p><p>We’re looking for a Senior Full Stack Engineer to help us drive product development across a broad range of domains. You will be a core part of a small team and play an integral role from ideation to implementation.</p><h3>The role</h3><p>You will be working closely with our CTO to design, build, and launch core functionality of the NuLogin product.</p><p>Some projects on our roadmap include: multi-factor authentication (mobile, push), enhancing and growing our developer portal, expanding NuLogin integration support to more languages/frameworks, identity-based threat intelligence tools, and privacy preserving features.</p><p>The technologies we use include:</p><ul><li>Clojure/ClojureScript</li><li>Datomic</li><li>AWS, Terraform</li><li>Serverless (Lambda, SNS, SQS, …)</li></ul><p>Experience is best when it’s shared. Familiarity with these technologies will help in finding your groove quickly, but isn’t a prerequisite for success at NuID. 
Comfort in both learning and teaching is essential.</p><h3>What we’re looking for</h3><p>We are looking for a generalist Senior Full Stack Engineer who will be able to take on a diverse set of challenges.</p><p>We are not looking to check boxes. The skills and experiences below should give you an idea of what would prepare you for this role, but aren’t hard requirements.</p><ul><li>5+ years of engineering</li><li>2+ years working with Clojure or other functional languages</li><li>Experience building authentication products or systems</li><li>Experience with and a passion for the startup environment</li><li>Familiarity with cryptography and security engineering</li><li>Previous work with privacy-first design</li></ul><h3>Fit</h3><p>We love what we do. We believe in craft. We’ve seen most of Rich Hickey’s talks. We’re still unsure whether worse is better. Culturally, we draw a lot of inspiration from Basecamp. Architecturally, we think simple is better than easy and we build for change.</p><p>You will be joining a small, distributed team and working on zero-to-one projects. Communication is paramount. We believe it should always be mindful, direct, and kind.</p><p>We emphasize strong ownership and collaboration in our day-to-day operations. You will drive architectural decision-making, inform the product roadmap, and exercise initiative to support and improve the NuLogin ecosystem.</p><h3>More details</h3><p>We are looking to invest in an individual who is seeking opportunities to grow with NuID as a full-time team member. A contract-to-hire option would also be considered. We are flexible and would jump at the opportunity to bring on a mutually great fit.</p><p>Equity will be offered as part of total compensation. Full health, dental, vision, and life insurance are provided.</p><p>This role is based in NYC, but we are open to remote from the surrounding areas. 
Our founders are both in New York, but our team is spread across both coasts.</p><p>We always want the best ideas to win. To do that, we need a diverse set of ideas from a diverse team with different personal and professional backgrounds. We value new perspectives and identities that will help us build a stronger community.</p><h3>To apply, please send your resume and a brief message on why you’re interested and why you would be a good fit to: <a href="mailto:ethan@nuid.io">info@nuid.io</a>.</h3><p><em>Originally published at </em><a href="https://blog.nuid.io/hiring-senior-full-stack-engineer/"><em>https://blog.nuid.io</em></a><em> on September 9, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Enterprise Overflow: Drowning In Credential Data Breaches]]></title>
            <link>https://medium.com/@NuID/enterprise-overflow-drowning-in-credential-data-breaches-7d19dfa5470?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/7d19dfa5470</guid>
            <category><![CDATA[security]]></category>
            <category><![CDATA[passwords]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[data-breach]]></category>
            <category><![CDATA[privacy]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Fri, 23 Aug 2019 19:28:38 GMT</pubDate>
            <atom:updated>2019-08-23T19:28:38.556Z</atom:updated>
            <content:encoded><![CDATA[<p>In 1988, the relatively nascent internet experienced its first cyber worm. In just 24 hours, the <a href="https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218">Morris worm</a>, named after its creator Robert Morris, spread to roughly 10% of the computers on its network and caused damages estimated to range from $100,000 to several million.</p><p>A formative event in internet history, the Morris worm was also the first real-world exploitation of a software vulnerability that would become ubiquitous in the hacker and computer security communities of the 1990s and early 2000s: the buffer overflow.</p><p>A buffer overflow is when a program attempts to write an input that is larger than the space of memory (the buffer) that has been designated for storing that input. The “overflow” portion of the input can spill out of the buffer and into memory that holds other information for the program. When used as a security exploit, that overflow can contain malicious code that changes the function of the program.</p><p>Buffer overflows “monopolized the headlines in the security research community” for decades (see a <a href="https://thinkst.com/resources/papers/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf">comprehensive timeline</a> put together in 2010), and the closely related term “stack overflow” became the name of one of the most popular online developer communities.</p><h4>Enterprise Overflow</h4><p>Fast forward nearly a decade, and today’s mainstream headlines are also monopolized by a growing cyber threat.</p><p>Large-scale credential data breaches — when hackers gain access to a company’s database of usernames and passwords — have become commonplace. Notable examples just this year include , and . 
Even and have been in the headlines for not properly protecting passwords (though there was no evidence of unauthorized access at either company).</p><p>Verizon’s <a href="https://www.forbes.com/sites/jeanbaptiste/2019/05/11/cybercriminals-favor-targeting-top-executives-small-businesses-money-verizon-data-breach-report/#e05059a30e6c">annual breach report</a> counted over 2,000 data breaches in 2018, but since many breaches go undetected (or unreported), that number is likely <a href="https://www.csoonline.com/article/3396160/why-reported-breaches-are-the-tip-of-the-iceberg.html">much higher</a>. The same report also found that 81% of breaches involve the use of stolen or weak credentials.</p><p>Hackers have learned that because people often choose weak passwords and reuse them in multiple places, large lists of passwords from any particular website or company can prove to be useful at hundreds or thousands of others. John Doe’s password stolen from badsecurity.co might get an attacker into Mr. Doe’s bank account. Companies that are seemingly completely independent share a crucial security dependency: their users.</p><p>We have entered a state of “enterprise overflow.” With billions of internet users connecting to hundreds of thousands of websites and applications, the availability of breached passwords has reached a critical mass. The credentials stolen from some enterprises are overflowing into others, leading to a further cascading effect of breaches. Like Morris’s fateful worm, enterprise overflow has become a problem of systemic proportions, where every participant in the system is impacted by the security of its peers.</p><p>The comparison here between credential breaches and buffer overflows is, of course, metaphorical — and perhaps a bit of a stretch — but the point is hopefully illustrative of two things. 
The “overflow” of credential data from its intended domain has become an effective weapon for cybercriminals, and the problem of authentication is a defining security challenge of today.</p><h4>A Network Perspective</h4><p>The Morris worm demonstrated that the decentralized nature of the internet required collaborative approaches to security. In the <a href="https://www.zdnet.com/article/the-day-computer-security-turned-real-the-morris-worm-turns-30/">aftermath</a> of the incident, the Computer Incident Response Team Coordination Center (<a href="https://www.sei.cmu.edu/about/divisions/cert/index.cfm#history">CERT/CC</a>) was <a href="https://www.cs.cmu.edu/link/morris-worm-turned">formed</a> as part of a non-profit called the Software Engineering Institute. CERT/CC has since been a crucial venue for research and coordination of internet-scale security across public, private and academic domains.</p><p>Today’s enterprise overflow problem will require a similar mindset and response. While the security industry has carried on a great tradition of open collaboration around research and disclosure of the vulnerabilities that may lead to breaches, we need to start viewing the breached data itself in the same way — at least when it comes to identity and authentication data. When passwords or other data are breached from one company that can directly be used to attack others, that data should be shared in a way that allows other companies to protect themselves, without violating individuals’ privacy or empowering would-be cybercriminals.</p><p>This is easier said than done. Exactly how this should be achieved is up for debate. The important point now is that we adopt a “network perspective” to credential data breaches. We need to view each new breach as a factor in the threat models of all organizations. 
Security teams should be asking themselves, “Do we trigger our incident response process when someone else gets hacked?”</p><p>Some efforts along this line of thinking have already been made by individuals and a few businesses. Troy Hunt’s <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> (HIBP), and his related Pwned Passwords service, are great examples. Google has taken a similar step with its <a href="https://www.forbes.com/sites/leemathews/2019/02/07/this-must-have-google-chrome-add-on-alerts-you-when-your-passwords-have-been-compromised/#7df21b9f6062">Password Checkup</a> tool. By collecting breached data and making it available in various privacy-preserving ways, these services are connecting the dots between individual credential breaches and enabling users and businesses to respond to the changing breached-data landscape.</p><p>There are a host of promising technologies in the authentication space that may one day make enterprise overflow obsolete. But solving such large and collective problems takes time, and there is still a lot we can do today with technology that is already in place. Recognizing that credential data breaches are in fact a collective problem — adopting that network perspective — is a step that we can take now while we build the solutions of tomorrow.</p><p><em>Originally published at </em><a href="https://forbes.com/sites/forbestechcouncil/2019/07/31/enterprise-overflow-drowning-in-credential-data-breaches"><em>https://www.forbes.com</em></a><em>.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[NebulousAD: A Free Credential Auditor for Active Directory]]></title>
            <link>https://medium.com/@NuID/nebulousad-a-free-credential-auditor-for-active-directory-6e1520eadc3a?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/6e1520eadc3a</guid>
            <category><![CDATA[data-breach]]></category>
            <category><![CDATA[active-directory]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[passwords]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Wed, 14 Aug 2019 20:09:27 GMT</pubDate>
            <atom:updated>2019-08-14T20:24:29.753Z</atom:updated>
            <content:encoded><![CDATA[<p>(skip straight to <a href="https://github.com/NuID/nebulousAD">GitHub</a>)</p><p>Storing passwords is a problem. And while we’re working on eliminating the need for passwords to be shared or stored anywhere, we know this problem isn’t going away overnight.</p><p>In the meantime, one of the most effective ways we can break the cycle of hackers using stolen passwords to breach accounts and companies (thereby arming themselves with even more stolen passwords) is to prevent people from using passwords that are already in the hands of attackers.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/512/1*2UrP4nS5D7l-ytkGzy2wfA.png" /><figcaption><a href="https://xkcd.com/2176/">https://xkcd.com/2176/</a></figcaption></figure><p>NIST recommended exactly that in their long-awaited update to their digital identity guidelines. Released in 2017, the <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">800–63B</a> publication recommends doing away with all complexity rules, and opting instead for just a minimum length requirement (eight characters), and the use of password blacklists.</p><p><em>“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, </em><strong><em>or compromised.</em></strong><em> For example, the list MAY include, but is not limited to:</em></p><ul><li><strong><em>Passwords obtained from previous breach corpuses.</em></strong></li><li><em>Dictionary words.</em></li><li><em>Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).</em></li><li><em>Context-specific words, such as the name of the service, the username, and derivatives thereof.”</em></li></ul><p>Last week we released a beta version of <a href="https://github.com/NuID/nebulousAD">NebulousAD</a> at the BSides Las Vegas security conference. 
This command line tool is meant to help system administrators implement breached password blacklisting with the most common enterprise user management system: Microsoft’s Active Directory.</p><p>NebulousAD makes it easy to securely check AD users’ passwords against a database of over <strong>2.5 billion</strong> unique passwords that have been found in data breaches over the past 10 years.</p><p>You can watch Robert’s talk at BSides about the problem of breached credentials and the NebulousAD tool <a href="https://www.youtube.com/watch?v=xJgUdNfWbE4">here</a>.</p><h3>NebulousAD</h3><p>At a high level, NebulousAD has three functions:</p><ol><li>Extract user passwords from an AD domain in their native NTLM hash format and output them into a csv or json file (for this step we use the popular <a href="https://github.com/SecureAuthCorp/impacket">Impacket tool</a>).</li><li>Wrap the NTLM hashes in a more secure SHA-2 hash.</li><li>Submit the SHA-2(NTLM(password)) hashes to our API, which queries our database of breached passwords and returns a YES/NO status for each hash depending on whether a match was found.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/432/0*cvwuoE3xEuhVTXRG" /><figcaption>Screenshot from the tool.</figcaption></figure><p>The result is a list of the users in your domain that are using passwords that have shown up in other data breaches, allowing you to inform those users and/or force a password reset.</p><p>We require users to <a href="https://nebulous.nuid.io/#/register">register an account and API key</a> before hitting our API. This is done primarily to enforce rate limiting and to keep an eye on any potentially abusive behavior. While we do collect aggregate performance metrics, we do not store or log the hashed passwords sent to the API.</p><p>You can read more about the tool and take a look at the code on <a href="https://github.com/NuID/nebulousAD">GitHub</a>. 
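The three-step flow listed above (NTLM hash, SHA-2 wrapping, lookup) combined with the five-character k-anonymity range query described in the v1.1 post earlier in this feed, as an added example that is not NuID's or NebulousAD's code. It assumes SHA-256 is taken over the lowercase hex NTLM digest as ASCII and that the API returns hash suffixes for a queried prefix; the breach corpus, the filler hashes and the NebulousServer class are constructed for the demonstration.

```python
# Added example, not NebulousAD's own code: NTLM -> SHA-256 -> five-character
# k-anonymity range query against a constructed in-memory "Nebulous" corpus.
# Assumptions not stated on the page: SHA-256 is taken over the lowercase hex
# NTLM digest (ASCII), and the API returns hash suffixes for the queried prefix.
import hashlib
from collections import defaultdict

MASK = 0xFFFFFFFF
PREFIX_LEN = 5  # NebulousAD sends only the first five hex characters of the hash


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM is MD4 over the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += (len(data) * 8).to_bytes(8, "little")
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: word order 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return b"".join(v.to_bytes(4, "little") for v in (a, b, c, d))


def ntlm(password: str) -> str:
    """Step 1: the hash Active Directory stores, as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


def client_hash(password: str) -> str:
    """Step 2: wrap the NTLM hash in SHA-256 (hex-as-ASCII input is an assumption)."""
    return hashlib.sha256(ntlm(password).encode("ascii")).hexdigest()


class NebulousServer:
    """Constructed stand-in for the Nebulous API: SHA-256(NTLM) hashes bucketed by prefix."""

    def __init__(self, full_hashes):
        self.index = defaultdict(set)
        for full in full_hashes:
            self.index[full[:PREFIX_LEN]].add(full[PREFIX_LEN:])
        self.queries_seen = []  # everything the server ever learns about a client's password

    def range_query(self, prefix: str) -> list:
        if len(prefix) != PREFIX_LEN or any(ch not in "0123456789abcdef" for ch in prefix):
            raise ValueError("prefix must be %d lowercase hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        # The whole bucket goes back; the server cannot tell which entry, if any, matched.
        return sorted(self.index.get(prefix, ()))


def is_breached(server: NebulousServer, password: str) -> bool:
    """Step 3, k-anon style: send the prefix only, finish the comparison offline."""
    full = client_hash(password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


def build_demo_server() -> NebulousServer:
    """Constructed corpus: a few weak passwords plus synthetic neighbours that share
    the prefix of 'password', so that bucket is never a singleton."""
    corpus = [client_hash(p) for p in ("password", "123456", "letmein", "qwerty", "ilovemydog")]
    shared = client_hash("password")[:PREFIX_LEN]
    for i in range(20):  # synthetic suffixes, not breach data
        corpus.append(shared + hashlib.sha256(b"filler-%d" % i).hexdigest()[PREFIX_LEN:])
    return NebulousServer(corpus)


if __name__ == "__main__":
    srv = build_demo_server()
    for pw in ("password", "ilovemydog", "correct horse battery staple"):
        print("%-30s %s" % (pw, "BREACHED" if is_breached(srv, pw) else "not in corpus"))
    print("server saw only these prefixes:", srv.queries_seen)
```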
The current v1.0.0 is a pre-release, but we will be working to further polish up the tool to make it more accessible and expand functionality. We would love to hear feedback and requests from early adopters, so please do go take a look and let us know what you think!</p><h3>The Nebulous data</h3><p>NebulousAD was built to take advantage of a breached credential database we have been working on for over a year.</p><p>We started collecting breached credentials from public and dark web sources with the intention of conducting research on password usage, and integrating a password blacklisting functionality into our authentication product, <a href="https://docsend.com/view/8pdt3vc">NuLogin</a>. Leaning on the offensive security experience of our team, we found that we were able to put together a collection of breached credentials that was larger than any other single source we have encountered.</p><p>The database, which we refer to as Nebulous, currently contains over 8 billion records from more than 7,500 individual breaches going back to 2009. There are almost 4 billion individual plaintext passwords in Nebulous, of which about 2.5 billion are unique. There are also around 3 billion hashed passwords that we have not yet attempted to crack.</p><p>We continually search for new data as it becomes available and add it to Nebulous. Our approach is to focus on the latest breaches that include new and unique passwords. These credentials are the most valuable to attackers since they are more likely to still be in use, which makes them the most important ones to be blocking.</p><h3>Why we built this</h3><p>Other commercial and free tools exist to help filter user credentials, with the most well-known example being Troy Hunt’s <a href="https://haveibeenpwned.com/Passwords">Pwned Passwords</a>. 
These are great options, and we highly encourage people to take advantage of whatever credential blacklisting methods are available to them.</p><p>We decided to build our own partly because we found that our Nebulous database far exceeded the record count of other available options. For example, we have about five times more searchable unique passwords than the current Pwned Passwords version. As our CTO explained in a recent <a href="https://www.forbes.com/sites/forbestechcouncil/2019/07/31/enterprise-overflow-drowning-in-credential-data-breaches/#736c15ae1506">Forbes article</a>, we think breached data needs to be more widely shared and used by the security community: a “fight fire with fire” approach. So, naturally we wanted to make our massive Nebulous database useful to people defending enterprise networks.</p><p>We also felt that there was room for improvement in credential blacklisting tools built specifically for use with Active Directory. AD system administrators have a different set of threats, priorities, and restrictions compared to developers of consumer-facing applications. Plus, even a single set of compromised employee credentials can have an outsized impact if they lead to an entire network being breached.</p><p>NebulousAD is easily integrated with SIEM and syslog tools, and it can be run with Windows Task Scheduler for a “set it and forget it” flow. This would allow a system admin to automate periodic checks with NebulousAD to make sure that employee credentials are not compromised on an ongoing basis. And of course since the tool is open source, users can create their own extensions and scripts that expand the usefulness for their company.</p><h3>Future plans</h3><p>As mentioned above, the current version of NebulousAD is a pre-release that we made available as part of Robert’s presentation at BSides. 
It is fully functioning and has been tested by our team for bugs, but it is also in need of further usability testing and feedback, as well as a bit of polish. We encourage people to go take a look, grab a key, and let us know how your experience is; we appreciate any comments or questions! (<a href="mailto:info@nuid.io">info@nuid.io</a>)</p><p>Some items on the immediate release plan include comprehensive API and user wiki documentation, the ability to redact specific users or groups from what is sent to the API, and a facelift for our API key registration portal.</p><p>Another important update that will be coming is the addition of a more private method for checking credentials with the NebulousAD API. Even though we do not log the contents of requests, we understand that some people may not want to send hashes over the network to us. We plan to adopt the k-anonymity protocol that is used in Troy Hunt’s project so that we never see full hashes. We’ll get into this further with that update, but for now you can also check out a <a href="https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/">great post</a> from Junade Ali at Cloudflare, who proposed the k-anon system for Pwned Passwords.</p><p>Finally, we decided to release this as a free open source tool to help advance the practice of password blacklisting and make our Nebulous database useful to the security community. While we want to preserve that goal, we are leaving open the possibility that a paid version or functionality could be introduced in the future if there is demand for further growth of the tool. This would most likely take the form of a usage cap for the free version, or premium functionality like automated remediation. 
In any scenario, we are dedicated to making this tool available to as many people as possible, including those who would be unable to pay for it.</p><p><em>Originally published at </em><a href="https://blog.nuid.io/nebulousad/"><em>https://blog.nuid.io</em></a><em> on August 14, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Behavioral Biometrics: The Next Step in Digital Identity?]]></title>
            <link>https://medium.com/@NuID/behavioral-biometrics-the-next-step-in-digital-identity-1fadb4a8e6d6?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/1fadb4a8e6d6</guid>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[biometrics]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[infosec]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Mon, 15 Jul 2019 13:03:00 GMT</pubDate>
            <atom:updated>2019-07-15T17:19:14.424Z</atom:updated>
            <content:encoded><![CDATA[<p><em>Guest post by Jensen Bjorn.</em></p><p>Most people are familiar with biometric security in terms of fingerprint scanning and facial recognition, as these are the most common forms of biometrics available today. While these physical attributes are difficult to replicate and bypass, they are still singular parameters or factors, which means that it’s only a matter of time before the average hacker can get through the basic biometric firewall.</p><p>Enter behavioral biometrics: sensors and algorithms calibrated towards consistently analyzing thousands of biometric parameters like your gait, typing habits, and the like, instead of just one-off notifications. Powered by advances in artificial intelligence (AI) and the Internet of Things, behavioral biometrics might just be the next big leap in mainstream digital identity authentication.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/816/0*Dq-z3vNebFIQJmHw.png" /></figure><p>Info Security Magazine <a href="https://www.infosecurity-magazine.com/news/natwest-implements-behavioral/">lists the features</a> of behavioral biometrics available right now in leading banks: cutting-edge detection strategies can recognize hand-eye coordination, pressure, navigation, scrolling, and other movements to create a unique user profile. This allows banks to continuously ascertain whether online activity is expected, irregular, or certain characteristics are linked to malicious activity. At the user end, this translates to a reduction in unnecessary escalations, as they don’t have to worry about being contacted by their bank if it is a false alarm. This ultimately provides both parties a fraud-free and seamless user experience.</p><p>Given its potential value to the world’s largest digital networks and vital industries, it should also be noted that behavioral biometrics are still somewhat in their early stages. 
While consistently analyzing the digital life cycle is a step in the right direction, <a href="https://threatpost.com/biometrics-in-2019-increased-security-or-new-attack-vector/140683/">ThreatPost indicates</a> that there are many other improvements that behavioral biometrics are yet to disrupt. This includes collecting data on mouse movements, keystrokes, scroll feed, and preferred methods of input. When you consider the mobile smartphone’s capabilities, there’s also accelerometer and gyroscope data, as well as touchscreen interaction patterns. The more parameters and data to be analyzed and authenticated, the greater the individual and organizational security.</p><p>But at the same time, this can lead to yet another cybersecurity paradox: while more data means more parameters for detecting and stopping malicious activity, increased data collection can all too easily lead to greater vulnerability from all sides. Hackers are constantly sniffing around digital networks for weaknesses, and large-scale biometric databases make for highly profitable potential targets. If behavioral biometrics are to be applied in mainstream networks, the organizations that use them need to be able to ensure the security of their data through both defensive and offensive techniques, not to mention get their customer base to agree to being data-mined.</p><p>Privacy-preserving authentication protocols like NuID’s zero knowledge authentication could become an important piece in navigating this security vs. privacy tradeoff presented by behavioral or other biometrics. Today, biometric authentication has to be done entirely on the user’s device, like with Apple’s FaceID, or it involves centralized storage of biometric data. Further research will need to be done to see if the asymmetric cryptography used in zero knowledge authentication can be effectively applied to biometric data, allowing for “remote” biometric authentication without centralized storage of sensitive data. 
For now, biometrics can be safely used on the user’s device to then unlock a static key that is used in zero knowledge authentication.</p><p>Whether or not behavioral biometrics will benefit mainstream digital identity authentication on a mass scale remains to be seen. What’s sure is that this potentially disruptive technology is worth further exploration and experimentation.</p><p><em>Originally published at </em><a href="https://blog.nuid.io/the-next-step-in-digital-identity/"><em>https://blog.nuid.io</em></a><em> on July 15, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Bringing decentralized identity to the enterprise with DAML]]></title>
            <link>https://medium.com/@NuID/bringing-decentralized-identity-to-the-enterprise-with-daml-e0ad266102fe?source=rss-ae1c4393b2b5------2</link>
            <guid isPermaLink="false">https://medium.com/p/e0ad266102fe</guid>
            <category><![CDATA[daml]]></category>
            <category><![CDATA[authenticity]]></category>
            <category><![CDATA[enterprise-software]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[identity]]></category>
            <dc:creator><![CDATA[NuID]]></dc:creator>
            <pubDate>Tue, 02 Jul 2019 10:00:00 GMT</pubDate>
            <atom:updated>2019-07-02T16:19:26.898Z</atom:updated>
            <content:encoded><![CDATA[<p><em>by Ibrahim Pataudi, VP of Business Development</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*HS4Ciw8lLC6FnPbRUeJJuQ.png" /></figure><p>User trust is harder than ever to earn and even easier to lose. Data breaches are commonplace and user privacy is threatened as a result.</p><p>How can we put the ownership of users’ digital identities back in their own hands and reduce the risks businesses currently face from centrally managing identities and authentication?</p><p>In this post I will outline how we are addressing this problem for the enterprise by integrating our trustless authentication solution, NuLogin, with <a href="https://daml.com/">DAML</a>, the smart contract language created by Digital Asset that will run on multiple blockchain platforms and cloud-native databases.</p><p>Authentication today is stuck in the <a href="https://blog.nuid.io/passwords-privacy-identity/">“shared secret” paradigm</a>: users are forced to share their authentication secrets (usually passwords, secret questions, and other information) with the services they use, and those services, in turn, take on the responsibility and liability of keeping those secrets safe. Unfortunately, because password databases are a prime target for cybercriminals, those secrets often don’t stay secret for long.</p><p>In addition, there is no way to ensure that security best practices are being implemented in the right way by these services. Nearly <a href="https://nuid.io/pdfs/solution-overview.pdf">40% of breaches compromise passwords</a>, and over 80% of attacks involve the use of stolen or weak credentials.</p><p>This centralized model of password storage also leads to a frustratingly fragmented user experience. 
With their identities locked in proprietary silos, users end up with dozens of login credentials and tend to make things easier for themselves by choosing easy-to-remember (weak) passwords, or storing them in easy to reach locations such as text files.</p><h3>Trustless authentication and decentralized identity</h3><p>At NuID, we are working to solve the shared secret problem by giving enterprises a way to authenticate their users without having to store their passwords, but critically, in a way that places ownership of digital identities with users. Moreover, we want to provide the authentication foundation for a broader identity framework in which user consent and privacy are at the core of our digital economy.</p><p>The NuLogin authentication service leverages zero knowledge cryptography to enable users to prove they know their authentication secret (such as a password or a token unlocked by mobile biometrics) without ever sharing it with anyone. By removing the need for users to trust enterprises or any 3rd party to secure their credentials, this “trustless” authentication protocol allows us to break down the siloed identity model.</p><p>NuLogin takes advantage of distributed ledger technology (DLT) to anchor the public zero-knowledge proofs derived from authentication secrets. DLT takes the place of centralized silos and eliminates the need for a central authority to store and manage users’ authentication data. 
This decentralized identity model opens up a whole world of user-centric processes and services such as efficient, reusable KYC or privacy-preserving e-commerce.</p><p>Our work with <a href="https://digitalasset.com/">Digital Asset</a> will be key to bringing decentralized identity and trustless authentication to the enterprise world.</p><h3>DAML + NuID</h3><p>Digital Asset helps enterprises leverage the power of DLT through a business logic-driven contract language, DAML, that abstracts the persistence layer, allowing it to run on platforms such as R3’s Corda, Hyperledger Fabric and Sawtooth, VMware Blockchain and AWS Aurora.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/600/0*-umuqxEls3in_5NF.png" /></figure><p>As we began to model our processes with DAML, one of the biggest benefits we realized was that we could focus on writing our workflows without having to figure out the specifics of <em>how</em> the business logic of the use case interacts mechanically with the underlying distributed ledger. By avoiding tinkering with persistence-layer specifics, we are able to actualize a much cleaner architecture that pushes the DLT interaction to the DAML runtime.</p><p>We look at DAML as the perfect tool for expressing our extensible zero-knowledge model generically. DAML is like <a href="https://llvm.org/">LLVM</a> for smart contracts: a target-independent intermediate representation, and equally powerful in nature. We will be able to write and maintain NuID’s authentication data model once, in DAML, and target environments across the use-case spectrum.</p><p>To drive adoption of our service, one of our key goals is to make as few changes as possible to the enterprise and user experience. For example, in a typical single sign-on (SSO) workflow, a user registering through one service of an enterprise can leverage the same authentication for other services configured for SSO. 
DAML inherently allows us to define the parties that can view and access information on the ledger to achieve the cross-domain functionality of SSO. An authentication architecture like this allows us to achieve the same functionality of single sign-on between multiple DAML parties without the traditional prerequisites of coordination and trust between them.</p><p>Additional requirements for the NuLogin service to be enterprise-ready are auditability and traceability. We found that DAML provides our clients with this capability at both the logical (language) and physical (immutable DLT) layers. By specifying parties who can be signatories, participants, or observers on DAML contracts, our clients can easily meet their audit requirements without having to engage in expensive and time-consuming customizations for storage and reporting.</p><p>Finally, technology change management is a significant factor that influences and often slows down enterprise adoption of new technology. Adopting DAML enables NuLogin to be very flexible when it comes to aligning with the existing technology infrastructures of our clients. The <a href="https://hub.digitalasset.com/hubfs/Press%20Releases/Press%20Release%20-%20DAML%20on%20VMware%20PR.pdf">new DAML deployment options</a> coming up with VMware, Hyperledger Sawtooth, R3 Corda, Hyperledger Fabric, and even Amazon Aurora, will allow our service to fully respect and integrate with our clients’ underlying technology choices.</p><p>These enterprise-focused design decisions made DAML an ideal tool for NuID to extend its reach into industries such as financial services, healthcare, manufacturing, and retail.</p><h3>Forging ahead</h3><p>As part of this integration, NuID will release open-source Clojure bindings to DAML libraries that will make producing DAML-enabled Clojure applications more convenient. 
This will allow for seamless interoperability between NuID’s service, DAML’s platform, and user-facing applications.</p><p>The synergies between Digital Asset and NuID are best summed up in DA’s first intro series <a href="https://blog.daml.com/daml-driven/distributed-ledgers-need-more-than-traditional-application-design-patterns">blog post</a>: “Digital Asset’s vision is for value transfer to be simple, efficient and secure, driven by a new distributed ledger paradigm that unleashes web-pace innovation unrestrained by data silos.”</p><p>NuLogin’s integration with DAML will extend that silo-wrecking mission to digital identity.</p><p><em>Originally published at </em><a href="https://blog.nuid.io/nuid-daml/"><em>https://blog.nuid.io</em></a><em> on July 2, 2019.</em></p>]]></content:encoded>
        </item>
    </channel>
</rss>