Tuesday, October 31, 2006

The DIY Boarding Pass site shut down...

There was a fair amount of blogging about this very concern a while back, and it looks like someone went out to prove a point. Point taken, as was corrective action.

Ripped from http://news.zdnet.com/2100-1009_22-6130875.html?tag=nl.e539

A Web site that let anyone with an Internet connection and a printer create fake airline boarding passes has been shut down after federal agents visited the creator.

FBI agents raided Christopher Soghoian's home over the weekend, seizing computers and other equipment, Soghoian wrote on his blog. They first visited him Friday afternoon with a request to take the site down, but when he got online, he found that the site had already been removed, he wrote.
Soghoian, reached via e-mail on Monday, declined to comment for this story, citing advice from his lawyers to lie low.
Wendy Osborne, a spokeswoman for the FBI's Indianapolis office, confirmed that agents had searched Soghoian's home as part of a joint investigation with the Transportation Security Administration. "We will conduct a thorough and complete investigation," Osborne said. "We are certainly concerned with any potential breach in security, particularly at the airports."
Soghoian, a computer security student at Indiana University Bloomington built the Web site to underscore an airport security weakness, he wrote. The site was spotlighted late last week after Wired News and ABC News reported on it. U.S. Rep. Edward Markey, a Massachusetts Democrat, called for Soghoian's arrest, but then backed off on Sunday.

The FBI will present the findings of its investigation to the U.S. Attorney's Office for the Southern District of Indiana, which will determine whether Soghoian violated any federal laws, she said. At this point, the student has not been charged and he has not been arrested, Osborne said.
Soghoian's "Northwest Airlines Boarding Pass Generator" let people create boarding passes that look virtually identical to the ones printed from the Northwest Airlines Web site. They could be used to get past airport security, but not to get on an airplane, because the airline would have no record of the reservation, Soghoian said.

"I have not flown, or even attempted to enter the airport with one of these fake boarding passes," Soghoian wrote Friday. "I haven't even printed one out. All I have done is create PHP script, which highlights a security hole made public by others before me."
The Web site went online last Wednesday and immediately attracted attention. Bruce Schneier, a noted security expert, linked to it from his blog on Thursday. Schneier highlighted the same issue with the print-at-home boarding passes on his mailing list more than three years ago. U.S. Sen. Charles Schumer, a New York Democrat, warned of the same security issue last year and again in April this year.

Wednesday, October 18, 2006

NAC & Identity Management - Same Difference?

So how are these two areas similar?

Several years ago when Identity Management was emerging as the NBT (Next Big Thing) for helping IT organizations deal with the challenges of being able to identify and better manage users and automate access to resources and applications, what I learned over a short period of time was that Identity Management meant something different to anyone in the space. Vendors, companies, institutions couldn’t define it very well out of the gate but they were going to get it figured out and ultimately deployed – whatever it meant. The one thing that has emerged, and I believe the same is true of NAC, is the intent of a better managed environment. The intent of Identity Management was to manage a users identity and enable and disable access to applications in a faster and more automated way.

When I first started reading about NAC last year, I thought it was pretty straightforward – Network Admission Control, at the time simply meaning the identity of and corresponding health of a machine that connects to your network. Machine health was emerging as a new way to partition networks and access to them. In some ways similar to Identity Management in the sense of a device is another component of identity because machines interact with your organization just as users do. With NAC the idea is healthy machines can get on and stay on my network and unhealthy machines only get to a web page in a quarantined area, vs. full access to assets. In many ways very similar to what Identity Management is designed to do for users. The big difference here is the infrastructure layer where this will happen. IdM is in the app layer, and NAC will happen in the network layer.

We’ve been down this road before with Identity Management, so when I look at the direction of NAC, NAP, TCG and other alternatives that exist today, what my discussions with other peers in this space have uncovered is that these technologies and initiatives are converging, and I believe it will mean better mitigation and control of threats, and putting identity & security professionals in a proactive position for once.

The key concepts of NAC are:

Introduced by Cisco, it is a Framework and also an Appliance

Access Authentication providing port level control (802.1x)

Health Assessment that will determine the health of an endpoint enabling or denying it access to the network

Quarantine/Isolation of unhealthy or compromised endpoints

Remediation to fix an unhealthy or compromised endpoint

I haven’t been able to find a published list anywhere that specifically numbers the deployment’s of 802.1x architected solutions but I have heard the number is about 1000 so there are some NAC/802.1x based deployments out there. Like IdM they have been cumbersome and succesfull in small projects to abysmal failures in larger organizations. Let’s not forget - it’s an IT project.

So What will NAC do for companies? It will provide a way for organizations to keep unhealthy (unpatched, virus filled) machines from connecting to the network. The idea is that if I keep viruses off my network then the cost of an outbreak will drop significantly. I know of one case where a hospital in the Southeast got hit by Sasser and it had to take down the hospitals network until it was fixed. Expensive for the hospital in dollars, lost revenue and most importantly – patient care. This is one example of where NAC may have helped – being able to deny access to an infected machine before it gets to uncontained outbreak level.

There is another alternative that was developed by Microsoft called NAP – Network Access Protection. Since Microsoft is installed at a significant number of endpoints in most environments this seems a natural extension for them. The concept is the same – keep unhealthy machines from doing harm to other machines connected to the network. The NAP version of this consists of different components that are designed to authenticate to remediate an unhealthy machine. From what I understand NAP will be reliant upon Vista and Longhorn, so we may need to wait a bit for this alternative.

There are a myriad of other vendors out there all pitching NAC solutions, which is like the early days of the Identity Management space when it was a bit wild west, but it eventually settled down and acquisitions were made and strategies executed. I believe the same events will unfold with NAC.

One thing I will mention here is that none of the options today that I know of are based on open standards, which may be a concern for the highest levels of an organization’s decision making authority.

My sense is that the large players want us to choose one path or the other and lock us into a religion vs. a denomination. From a business perspective I understand this, however for a CISO who needs to enable ubiquitous access while maintaining a high level of security and needs to work with many components, spend some time thinking about what will work long term since the costs over time may differ greatly as will the requirements to maintain interoperability with current investments.

Bottom line is that NAC will shed some light on the machine's role in our management of identities, and provide some much needed functionality into the market.

Tuesday, October 03, 2006

The C_ripple effect

I hadn’t thought about this element of an Application Layer IdM deployment which is that the network/firewall teams can bring misery to the dance by ratcheting down access to certain apps. The other major issue I see with this is that firewalls and most network devices have absolutely NO idea about identity. They don’t even understand the concept. So while you’re busy plugging away at setting up your dev, test, staging and Production environments you can be at the threshold of a launch and get taken out at the knees.

Yet another case for why Identity in the Network layer is a viable alternative – simpl, powerful, policy based, AND it will work with all of the networking equipment AND the application layers, AND it’s a better place to add infrastructure vs. throwing servers in a farm, and let them drain power, generate heat, and take up space while you fight yet another battle of getting the layers to work together…

email: Identitystuff @ gmail.com