Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


Cardspace Community Bloggers

Posts tagged "Security"

  • Information Cards: Unused (Security) Information

    It seems that I have to make up for not posting while my new house was built... Here is another post for today in the series ( 1 , 2 , 3 ) of posts around things you always wanted to know about Information Cards but never had the heart to ask. Did you know that CardSpace does not use the Identity information in an identity enabled EndpointReference? Shocking. Here is what I heard... When you import a managed card from a .crd file there is something inside the file that is called the TokenServiceList Read More...
  • XKCD measures and controls

    There should be controls in place that the Anti-Virus SW is not interfering with the voting SW. There should be controls in place that there are no holes in the AV-SW that lets Viruses slip through. The voting machines should be regularly checked that they were not harmed by the AV-SW. Now for the analogy... As a parent I don't like the analogy... Read More...
  • Securing OpenID@Work - Again

    Last year we announced an experiment at Sun: in order to gather more information about the operational characteristics of "user-centric" identity technologies, we decided to roll out an OpenID provider for Sun employees. This OpenID provider was intended to be used by Sun employees for personal usage at various OpenID sites that have been popping up at some places. This experiment involved various parts of the company, including field people, products folks, the security team, and our Chief Privacy Read More...
  • Some security advice for our OpenID users

    With the recent news about the DNS cache vulnerability, users are more exposed than ever to potential security attacks, including phishing or pharming attacks, that apply to OpenID as well as other network systems. For example, the ability to redirect DNS requests through cache poisoning opens the door to a significant OpenID security risk: if the OpenID provider is not employing TLS with server-side authentication — preferably mutual authentication — any affected DNS server could redirect the client Read More...
  • Where to get Password Minder

    We recently updated our website and some links have broken as a result. Here's the place you should go to get the latest version of Password Minder: http://mercury.pluralsight.com/tools.aspx Sorry for any inconvenience! Read More...
  • Introducing Microsoft Code Name Zermatt

    For a couple of years now, I've been giving talks about "claims-based identity", and "claims-aware applications". The most concrete example of a claims-based identity architecture that I've been able to show so far is Active Directory Federation Services v1 (ADFS) and Windows CardSpace. And the claims programming model I've been using is the one that shipped with WCF in the System.IdentityModel assembly. But today I'm happy to announce that there's a new path Read More...
  • Carnards Die Hard

    A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have "broken" CardSpace. There were some blog reactions to this claim. The authoritative one of course is from Kim . Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title "IT-Security" repeats the false claim and reports that the students proved that CardSpace has severe security flaws... Well, when you switch off all security mechanism Read More...
  • Firefox 3.0

    I've been using the new Firefox 3.0 browser for several days now and I have to say that I am very impressed with it. The browser certainly feels substantially faster at loading the same pages that I frequently visited before with Firefox 2 and with Internet Explorer 7 -- though I have to admit that this is very subjective and that server and ISP performance come into play. I was a bit concerned that the browser address bar no longer indicates the SSL status of the site I'm visiting. This was a conscious Read More...
  • OWASP Bay Area Meeting - June 25th 2008

    Prompted by James , I signed up a little while ago to the OWASP Bay Area chapter, keen to learn more about application security , both in hardening OpenSSO and Access Manager and in how those projects/products can contribute to securing applications. Well, whaddya know, the next meeting is a half day Application Security Summit at the Microsoft facility in Mountain View next Wednesday, when I'll be out of town. Keen as I am to attend OWASP, I think the Jazoon folks would be a little upset if I didn't Read More...
  • Stealing the Security Token

    The Ruhr Uni Bochum claims that they can steal the security token in a CardSpace scenario.... The experts from the German computer magazine c't could not verify the attack... After reading the paper that describes the attack I must say that I find it very unrealistic. The attack is described for managed cards. The browser is tricked to load malicious code and then the real RP's code is loaded and presented to the user. The malicious code then loads the root certificate for the malicious RP's SSL Read More...
  • OWASP

    I attended a meeting of the Hartford, CT, chapter of OWASP yesterday - James McGovern was so nice to invite me there. OWASP is a group focusing on web application security, with a heavy emphasis on "application" (in contrast to "infrastructure"). Most of the attendees were either directly working in the financial industry or closely working with them - at the end of the day, it was Hartford. To me it was a very interesting event - especially since I have mostly been thinking about platform and Read More...
  • Disposable Temporary E-Mail Address

    While musing about reputation and trustworthiness of information I came across http://www.trustme.com/. They provide you with a disposable temporary email address that is valid for 15 minutes. This seems quite useful if some RP requires you to know your email address before it serves out some information like e.g. a whitepaper. Now you can receive that one-time-link from the RP, use it for email-verified-login, download that paper and forget the RP again. But why is trustme.com doing this? Altruism? Read More...
  • KeeLoq Broken

    KeeLoq, the major remote keyless entry system for cars and buildings is hacked - again. The CryptoLab of Ruhr University Bochum published an attack on the most widely used remote keyless entry system. The researchers used a differential power analysis to recover the manufacturer key. With that key all you need is two messages between the key and the door/car. These messages can be picked up from 100m away. Knowing the manufacturer key allows for creating an arbitrary number of valid new keys and generating Read More...
  • CardSpace getting FAT

    The CardSpace team blogged about a new "feature" of .NET 3.5. You can now work with CardSpace on a Windows system that has its system drive formatted with the FAT filesystem... They write: We've received a surprising amount of feedback (some of the earliest from Pamela Dingle ) that customers are still using FAT file systems and this is causing problems. I am surprised too. What will be next? CardSpace running on Windows 95? Help! Sure, the cardstore is still encrypted twice... but still... I believe Read More...
  • Google responds quickly on _IG_Fetch issue

    Google appears pretty serious about making OpenSocial work. They've already posted a proposal to address the security "issue" I blogged about yesterday (though I certainly wasn't the first or only person to discuss the issue): We've been getting great feedback... Read More...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.