Tag Archives: Identity

LifeLock vulnerability exposed user email addresses to public

Symantec’s identity theft protection service, LifeLock, exposed millions of customers’ email addresses.

According to security journalist Brian Krebs, the LifeLock vulnerability was in the company’s website, and it enabled unauthorized third parties to collect email addresses associated with LifeLock user accounts or to unsubscribe users from the company’s communications. The URL of the unsubscribe page on the LifeLock website contains an account number, called a subscriber key, that corresponds to a customer record; according to Krebs, these keys appear to be sequential, which lends itself to writing a simple script to collect the email address of every subscriber.
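The flaw described above is an unsubscribe page keyed by a guessable, sequential number, so the key alone selects the record and the page reveals the address behind it. The following added example (not LifeLock’s or Symantec’s code; the secret, subscriber table and token format are constructed for the demo) shows the vulnerable handler beside the usual fix: the mailed link carries an HMAC-signed, expiring token bound to the subscriber key, and the page answers with a bare yes/no so it never discloses an address.

```python
# Added example, not LifeLock's or Symantec's code. Demonstrates replacing a
# sequential subscriber key in an unsubscribe URL with an HMAC-signed,
# expiring token. Secret, subscriber table and token layout are constructed.
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed secret and subscriber table; in production the key lives in a
# secret store and the table is the customer database.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
SUBSCRIBERS = {1000: "alice@example.com", 1001: "bob@example.com"}
UNSUBSCRIBED = set()
TOKEN_TTL = 7 * 24 * 3600  # mailed links stay valid for one week


def unsubscribe_vulnerable(subscriber_key):
    """Before: the sequential key is the only credential, and the page reveals
    the address it maps to, which is what lets keys be walked in order."""
    email = SUBSCRIBERS.get(subscriber_key)
    if email is not None:
        UNSUBSCRIBED.add(subscriber_key)
    return email


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(subscriber_key, now=None):
    """Mint the token embedded in the mailed unsubscribe link (server side)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subscriber_key, "exp": now + TOKEN_TTL},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_unsubscribe_token(token, now=None):
    """Return the subscriber key if the token is authentic and unexpired,
    otherwise None. The MAC is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] < now or not isinstance(claims.get("sub"), int):
        return None
    return claims["sub"]


def unsubscribe(token, now=None):
    """After: act only on a valid token and answer yes/no, so the page
    discloses nothing about which address (if any) a key belongs to."""
    key = verify_unsubscribe_token(token, now)
    if key is None or key not in SUBSCRIBERS:
        return False
    UNSUBSCRIBED.add(key)
    return True
```

Because the token is bound to the key it was issued for, editing the payload to a neighbouring key invalidates the MAC, and an expired link stops working even if it leaks later.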

The biggest threat with this LifeLock vulnerability is attackers could launch a targeted phishing scheme — and the company boasted more than 4.5 million users as of January 2017.

“The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand,” Krebs wrote. “Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of web site authentication and security.”

Krebs notified Symantec of the LifeLock vulnerability, and the security company took the affected webpage offline shortly thereafter. Krebs said he was alerted to the issue by Atlanta-based independent security researcher Nathan Reese, a former LifeLock subscriber who received an email offering him a discount if he renewed his membership. Reese then wrote a proof of concept and was able to collect 70 email addresses — enough to prove the LifeLock vulnerability worked.

Reese emphasized to Krebs how easy it would be for a malicious actor to use the two things he knows about the LifeLock customers — their email addresses and the fact that they use an identity theft protection service — to create a “sharp spear” for a spear phishing campaign, particularly because LifeLock customers are already concerned about cybersecurity.

Symantec, which acquired the identity theft protection company in 2016, issued a statement after Krebs published his report on the LifeLock vulnerability:

This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.

LifeLock has faced problems in the past with customer data. In 2015, the company paid out $100 million to the Federal Trade Commission to settle charges that it allegedly failed to secure customers’ personal data and ran deceptive advertising.

In other news:

  • The American Civil Liberties Union (ACLU) of Northern California said Amazon’s facial recognition program, Rekognition, falsely identified 28 members of Congress as people who were arrested for a crime in its recent test. The ACLU put together a database of 25,000 publicly available mugshots and ran the database against every current member of the House and Senate using the default Rekognition settings. The false matches represented a disproportionate number of people of color — 40% of the false matches, while only 20% of Congress members are people of color — and spanned both Democrats and Republicans and men and women of all ages. One of the falsely identified individuals was Rep. John Lewis (D-Ga.), who is a member of the Congressional Black Caucus; Lewis previously wrote a letter to Amazon’s CEO, Jeff Bezos, expressing concern about the potential implications of Rekognition’s inaccuracy and how it could affect law enforcement and, particularly, people of color.
  • Researchers have discovered another Spectre vulnerability variant that enables attackers to access sensitive data. The new exploit, called SpectreRSB, was detailed by researchers at the University of California, Riverside, in a paper titled, “Spectre Returns! Speculation Attacks using the Return Stack Buffer.” “Rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses,” the research team wrote. The RSB aspect of the exploit is what’s new, compared with Spectre and its other variants. It’s also why it is, so far, unfixed by any of the mitigations put in place by Intel, Google and others. The researchers tested SpectreRSB on Intel Haswell and Skylake processors and the SGX2 secure enclave in Core i7 Skylake chips.
  • Google Chrome implemented its new policy this week that any website not using HTTPS with a valid TLS certificate will be marked as “not secure.” In the latest version of the browser, Google Chrome version 68, users will see a warning message stating that the site is not secure. Google first announced the policy in February. “Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default,” Emily Schechter, Chrome Security product manager, wrote in the announcement. “HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”

Microsoft launches identity bounty program, offers up to $100,000

Microsoft this week expanded its bug bounty program to include security vulnerabilities in its identity services.

The software giant launched the Microsoft Identity Bounty Program, which offers payouts between $500 and $100,000 for vulnerabilities reported in Microsoft’s identity services. The scope of the identity bounty includes both consumer and enterprise services — Microsoft Accounts and Azure Active Directory, respectively — as well as login tools such as login.live.com, account.windowsazure.com, portal.office.com and the Microsoft Authenticator for iOS and Android applications.

In addition, Microsoft said the identity bounty will be available for bugs reported in the company’s implementations of specific OpenID standards.

“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a blog post. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

The expanded bug bounty program will pay up to $100,000 for the most serious vulnerabilities, including design vulnerabilities in identity standards and bypasses for multifactor authentication. Standards-based implementation flaws will pay a maximum of $75,000, while “significant” authentication bypasses will pay a maximum of $40,000.

The identity bounty program is the latest expansion of Microsoft’s bug bounty efforts. In 2015, the company announced a major expansion of its bug bounty program that included Microsoft’s Azure platform as well as specific vulnerabilities for its Hyper-V virtualization software.

IAM engineer roles require training and flexibility

BOSTON — As identity and access management become more critical to security strategies, organizations must be on the lookout for good identity engineers — and there are a few different ways IT can approach this staffing.

Identity and access management (IAM) is increasingly essential as mobile devices add new access points for employees and fresh ways to leak corporate data. But the job market still lacks skilled IAM engineer candidates, so organizations may be better off training existing IT staff or hiring general security engineers to educate on IAM expertise, experts said here at this week’s Identiverse conference.

“Focus on general IT skills and roles [when you] hire engineers,” said Olaf Grewe, director of access certification services at Deutsche Bank, in a session. “Don’t wait for this elusive candidate that has all of this baked in. Bring them up to where you need to be.”

IAM job market landscape

Job growth in IAM has surged in the past year, with about 1,500 IAM engineer openings currently in the Boston area, 4,800 in the D.C. area and 3,320 in Silicon Valley, according to a presentation by Dave Shields, a senior security architect for IAM at DST Systems, a financial technology company in Kansas City.

“It is finally reaching a state where people see that it’s a viable place to have [a career],” said Shields, who was also recently the managing director of IT and ran IAM at the University of Oklahoma. “There are so many things you can do with it.”

There aren’t enough people already skilled in IAM to fill these roles, however, and ones that are may not live nearby. Instead, IT departments can train up existing staff on IAM — but the key is to choose the right people.

“The best engineers you’re going to find are the people who aren’t afraid to break stuff,” Shields said. “Maybe you have a sysadmin who gets into systems and was able to make them do things they were never able to do before. Talk to that person.”

The person should also be flexible, adaptable to change and willing to ask questions others don’t want to hear, he said. Other desirable qualities for an IAM engineer are creativity and an ability to understand the business’ functions and the technology in use.

“Find someone who can look at something and say, ‘I can make that better,’” Shields said. “There are some things that simply cannot be taught.”

IAM and security go hand in hand

Deutsche Bank is currently building up an IAM team that includes existing IT staff and external hires, which the company then trains on IAM skills. That involves four major steps: baseline IAM training, then vendor-specific education, then CISSP, followed by continuous learning over time via conferences, lunch and learns, and updated vendor training.


“We need to make sure people have access to the right resources,” Grewe said. “We want to have people who are continuously developing.”

General security skills are especially important for IAM engineer candidates, experts said. Sarah Squire, a senior technical architect at Ping Identity, started out by learning the important security specs and standards as a way toward training up on identity management.

“It’s a lot of on-the-job training,” Squire said. “We’re starting to realize that we really need a base body of knowledge for the entire field.”

For that reason, Squire along with Ian Glazer, vice president for identity product management at Salesforce, founded IDPro, a community for IAM professionals. Launched at last year’s Identiverse (then Cloud Identity Summit), IDPro is currently forming the body of knowledge that an IAM engineer must know, and plans to offer a certification in the future, Squire said.

“It’s really important that people who come in not only understand IAM but also really understand security,” Grewe said.

It’s also important to determine where within the organization those IAM professionals will live. Is it operations? Development? Security?

“A lot of people just don’t know where that fits,” Shields said. “There is nowhere better for them to be in my opinion than on the IT security team.”

Grewe’s team at Deutsche Bank, for instance, works under the chief security officer, which has a lot of budget to work with, he said. At IBM, the team that handles internal identity management works closely with HR and other groups that are involved in employees’ access rights, said Heather Hinton, vice president and chief information security officer for IBM Hybrid Cloud.

“[Organizations] need to figure out how to be less siloed,” she said.

Ping adds AI-driven API protection with Elastic Beam acquisition

BOSTON — Ping Identity is moving beyond single sign-on and further into API security with its latest acquisition.

At the Identiverse 2018 conference on Tuesday, the Denver-based identity and access management (IAM) provider announced the acquisition of Elastic Beam, a Redwood City, Calif., cybersecurity startup that uses artificial intelligence to monitor and protect APIs. Terms of the deal were not disclosed.

Ping CEO Andre Durand discussed the importance of API protection in the past as part of the company’s “intelligent identity” strategy. The company, which specializes in IAM services such as single sign-on, had previously introduced PingAccess for API management and security.

Elastic Beam, which was founded in 2014, will become part of Ping’s new API protection offering, dubbed PingIntelligence for APIs. Elastic Beam’s API Behavioral Security (ABS) automatically discovers an organization’s APIs and monitors the activity using AI-driven behavioral analysis.

“The moment it detects abnormal activity on an API, it automatically blocks that API,” said Bernard Harguindeguy, founder of Elastic Beam.

Harguindeguy, who joined Ping as its new senior vice president of intelligence, said ABS’ use of AI is ideal for API monitoring and defense, because there are simply too many APIs and too much data around them for human security professionals to effectively track and analyze on their own.

“API security is a very hard problem. You cannot rely on roles and policies and attacker patterns,” he said. “We had to use AI in a very smart way.”

Durand said the explosion of APIs in both cloud services and mobile applications has expanded the attack surface for enterprises and demanded a new approach to managing and securing APIs. While Durand acknowledged the potential for AI systems to make mistakes, he said improving API protection can’t be done without the help of machine learning and AI technology.

“We’re in the early stages of applying AI to the enormity of traffic that we have access to today,” he said. “We want to limit the space and time that users have access to, but there’s no policy that can do that. I don’t think there’s a way to have that breakthrough without machine learning, big data and AI.”

PingIntelligence for APIs is currently in private preview, and it will be generally available in the third quarter this year.

Blockchain identity management simplifies personal security

Identity management is a pain point for many companies and individuals, but blockchain could help solve some of the challenges.

When banking, traveling, providing proof of age or accessing corporate data, individuals must prove their identity. But it can be difficult for users to keep track of all the different pieces of identification they must present to do so. ShoCard, a software provider in Cupertino, Calif., aims to eliminate the need for multiple forms of identification, usernames and passwords, and give users more control through the use of its blockchain identity management tool.

“Since it is your data, really, you have the right to hold it, to operate it as you wish,” said Alexander Novoselov, the head of innovation at Creditinfo Group, a ShoCard customer headquartered in Iceland.

How blockchain identity management works

ShoCard offers an identity management tool that uses a blockchain-based digital verification and authentication process. A blockchain is a type of database secured using cryptography and encryption-key techniques. A user’s identity information is recorded on the blockchain against a hashed version of the user’s public key. Each user also holds a private key, which lets them safeguard their personal data and prove to the parties they share it with that the data belongs only to the person sharing it.

The idea with blockchain identity management is to store and encrypt data on users’ mobile devices, rather than in a central database. Since credentials are stored on the device, an attacker would have to hack phone by phone and wouldn’t be able to compromise many identities at once.

Although the mass appeal of blockchain identity management remains to be seen, there is potential in very strict compliance-oriented fields, said Eric Klein, director of mobile software at VDC Research in Natick, Mass.

“They are definitely unique in the market for doing something that hadn’t occurred to me as a means of enhancing your security,” Klein said.

Customers can use ShoCard software development kits to integrate the technology into their mobile applications and servers. The client app then prompts users to take pictures of their valid government IDs, and ShoCard extracts the personal information. The user then sets up a passcode or fingerprint verification as an added security measure. When a user decides to share the data with a third party, the information is placed in an encrypted container on the blockchain, which no one — including ShoCard — can access, except the party with whom the user is sharing it.

Blockchain pays off

Creditinfo adopted ShoCard for a few of its customers. It needed to allow customers to not only have control over their own credit data, but also be able to securely transfer data between different countries, Novoselov said.

For example, if a person from India goes to a U.S. bank and tries to get a credit card, it brings complications. Creditinfo cannot share data from India in the U.S. because of a difference in privacy laws between the two countries. Creditinfo needed a tool to allow people to bring their credit histories with them anywhere.


Customers can now download the Creditinfo app, which incorporates ShoCard technology via the vendor’s software development kit, and securely access and share their credit score data on their mobile devices.

“This is a new way of bringing confidence that the data is in safe hands,” Novoselov said.

Based on this same blockchain identity management technology, ShoCard also offers ShoBadge, an app that allows employees to hold their encrypted ID information on their mobile devices. Unlike with ShoCard, customers don’t have to write any code; instead, they just use the app directly.

ShoBadge allows employees to access all of their corporate apps by authenticating through the app, rather than requiring different logins to different applications or devices. It also allows them to securely share their identities at the workplace — with human resources, for example. There is no longer a central database at the company where all the users’ sensitive personal information is stored. Thus, employees bring their own identity, and there is no username and password management in the hands of a third party.

The identity management market remains fragmented, with some existing vendors who have the benefit of being in the game for a long time, Klein said. But this does not mean that all customers have decided on which technology to adopt, which is why a new company like ShoCard has been attracting some pretty serious venture funding, he said.

“There are people betting on other technologies maybe surpassing what we have today,” he added. “Integrating sophisticated blockchain capabilities as a path certainly has potential.”

How we secure your data in Azure AD

Howdy folks,

With all the breaches of cloud identity services over the last few years, we get a lot of questions about how we secure customer data. So today’s blog is a dive into the details of how we protect customer data in Azure AD.

Datacenter and Service Security

Let’s start with our datacenters. First, all of Microsoft’s datacenter personnel must pass a background check. All access to our datacenters is strictly regulated, and every entry and exit is monitored. Within these datacenters, the critical Azure AD services that store customer data are located in special locked racks—their physical access is highly restricted and camera-monitored 24 hours a day. Furthermore, if one of these servers is decommissioned, all disks are logically and physically destroyed to avoid data leakage.

Next, we limit the number of people who can access the Azure AD services, and even those who do have access permissions operate without these privileges day-to-day when they sign in. When they do need privileges to access the service, they need to pass a multi-factor authentication challenge using a smartcard to confirm their identity and submit a request. Once the request is approved, the user’s privileges are provisioned “just-in-time”. These privileges are also automatically removed after a fixed period of time, and anyone needing more time must go through the request and approval process again.

Once these privileges are granted, all access is performed using a managed admin workstation (consistent with published Privileged Access Workstation guidance). This is required by policy, and compliance is closely monitored. These workstations use a fixed image, and all software on the machine is fully managed. To minimize the surface area of risk, only selected activities are allowed, and users cannot accidentally circumvent the design of the admin workstation since they don’t have admin privileges on the box. To further protect the workstations, any access must be done with a smartcard, and access to each one is limited to a specific set of users.

Finally, we maintain a small number (fewer than five) of “break glass” accounts. These accounts are reserved for emergencies only and are secured by multi-step “break glass” procedures. Any use of those accounts is monitored and triggers alerts.

Threat detection

There are several automatic checks we run regularly, every few minutes, to ensure things are operating as we expect, even as we add new functionality required by our customers:

  • Breach detection: We check for patterns that indicate breach. We keep adding to this set of detections regularly. We also use automated tests that trigger these patterns, so we are also checking if our breach detection logic is working correctly!
  • Penetration tests: These tests run all the time. These tests try to do all sorts of things to compromise our service, and we expect these tests to fail all the time. If they succeed, we know there is something wrong and can correct it immediately.
  • Audit: All administrative activity is logged. Any activity that is not anticipated (such as an admin creating accounts with privileges) triggers alerts that cause us to do deep inspection on that action to make sure it is not abnormal.
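As an added example (not Microsoft’s code), the check below puts the controls this post describes side by side: just-in-time privileges that expire after a fixed period, a handful of break-glass accounts whose every use alerts, and an audit pass that flags administrative activity, such as creating privileged accounts, that no approved elevation explains. The log format, action names, accounts and timestamps are constructed for the demo.

```python
# Added example, not Microsoft's code. Cross-checks a privileged-action audit
# log against just-in-time (JIT) elevation grants and break-glass accounts.
# Log format, action names, accounts and times are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Actions that should only ever happen inside an approved JIT window.
PRIVILEGED_ACTIONS = frozenset({"CreateAccount", "AssignRole", "ResetCredential"})


@dataclass(frozen=True)
class JitGrant:
    """An approved elevation: valid from approval for a fixed duration only."""
    user: str
    approved_at: datetime
    duration: timedelta

    def active_at(self, when):
        return self.approved_at <= when < self.approved_at + self.duration


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    actor: str
    action: str
    target: str


def parse_event(line):
    """Parse one constructed audit line: '<ISO 8601 UTC> <actor> <action> <target>'."""
    stamp, actor, action, target = line.split(" ", 3)
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return AuditEvent(when, actor, action, target)


def find_alerts(events, grants, break_glass=frozenset()):
    """Return (event, reason) pairs that warrant deep inspection."""
    alerts = []
    for ev in events:
        if ev.actor in break_glass:
            # Any use of a break-glass account alerts, privileged action or not.
            alerts.append((ev, "break-glass account used"))
            continue
        if ev.action not in PRIVILEGED_ACTIONS:
            continue
        covered = any(g.user == ev.actor and g.active_at(ev.time) for g in grants)
        if not covered:
            alerts.append((ev, "privileged action outside an approved JIT window"))
    return alerts


# Constructed sample: alice was approved for two hours starting 09:00 UTC.
SAMPLE_LOG = [
    "2018-07-24T09:00:00Z alice ReadDirectory tenant-42",
    "2018-07-24T09:10:00Z alice AssignRole GlobalAdmin:svc-deploy",
    "2018-07-24T11:30:00Z alice CreateAccount backup-admin",
    "2018-07-24T11:35:00Z breakglass-1 ResetCredential tenant-42",
    "2018-07-24T12:00:00Z bob CreateAccount temp-user",
]
SAMPLE_GRANTS = [
    JitGrant("alice", datetime(2018, 7, 24, 9, 0, tzinfo=timezone.utc), timedelta(hours=2)),
]
BREAK_GLASS_ACCOUNTS = frozenset({"breakglass-1"})


def run_sample():
    """Run the check over the constructed log; three of the five events alert."""
    events = [parse_event(line) for line in SAMPLE_LOG]
    return find_alerts(events, SAMPLE_GRANTS, BREAK_GLASS_ACCOUNTS)


if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.time.isoformat()} {ev.actor} {ev.action} {ev.target}: {reason}")
```

Alice’s role assignment at 09:10 is covered by her grant, but her account creation at 11:30 falls after the two-hour window closed, so it is flagged alongside the break-glass use and bob’s ungranted account creation.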

And did we say we encrypt all your data in Azure AD? Yes, we do – we use BitLocker to encrypt all Azure AD identity data at rest. What about on the wire? We do that as well! All Azure AD APIs are web-based using SSL through HTTPS to encrypt the data. Access to information is restricted through token-based authorization and each tenant’s data is only accessible to accounts permitted in that tenant. In addition, our internal APIs have the added requirement to use SSL client/server authentication on trusted certificates and issuance chains.

A final note

Azure AD is delivered in two ways, and this post described security and encryption for the public service delivered and operated by Microsoft. For similar questions about our National Cloud instances operated by trusted partners, we welcome you to reach out to your account teams.

(Note: As a simple rule of thumb, if you manage or access your Microsoft Online services through URLs ending with .com, this post describes how we protect and encrypt your data.)

The security of your data is a top priority for us and we take it VERY seriously. I hope you found this overview of our data encryption and security protocol reassuring and useful.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Microsoft acquires Adallom to advance identity and security in the cloud

I’m pleased to announce today that Microsoft has acquired Adallom, an innovator in cloud security and a leader in helping customers protect their critical assets across cloud applications. This acquisition is the latest example of Microsoft’s commitment to delivering innovative identity and security capabilities to our customers, across both on-premises and multiple clouds.

With more frequent and advanced cybersecurity attacks continuing to make headlines, customer concerns around security remain top of mind. These concerns pose real challenges for IT, who are charged with protecting company data in this rapidly evolving mobile-first, cloud-first world. In this world, identity is a critical control plane for managing and protecting access to applications and data.

Adallom expands on Microsoft’s existing identity assets, and delivers a cloud access security broker, to give customers visibility and control over application access as well as their critical company data stored across cloud services. Adallom works with popular cloud applications including Salesforce, Box, Dropbox, ServiceNow, Ariba, and of course Office 365. As a cloud-delivered, security-as-a-service solution, Adallom will complement existing offerings that Microsoft makes available today as part of Office 365 and the Enterprise Mobility Suite (EMS), including our recent Microsoft Advanced Threat Analytics release.

Adallom, cofounded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, has assembled a world-class team with a dedicated focus on making it easier to enhance data security in the cloud. The team will continue to evolve, build technology, sell solutions and work with customers as we complete the integration into Microsoft.

Once again, we are thrilled to welcome the Adallom team into the Microsoft family. Advanced threats and cybercrime will persist in this mobile-first, cloud-first era, but at Microsoft we remain committed to helping our customers protect their data with new and innovative identity and security capabilities. We encourage our customers to evaluate and use this offering starting today; to learn more, visit http://www.adallom.com.

Business Ready Holiday Devices

Lately we’ve been focused on providing you with key information on Windows 10, and you’ve had the opportunity to hear from Jim Alkove about several areas of investment for Windows 10 for business – including security and identity, deployment, manageability and enterprise Store capabilities. While we look forward to sharing more on Windows 10 early next year, we wanted to take this opportunity to talk about some of the exciting business-ready Windows devices in stores this holiday season. We realize that PC shopping is a year-round exercise for businesses, but among the many devices highlighted for the holiday season this year, there are some great stand-outs for business. Here are just a few:

Lenovo ThinkPad Helix 2nd Gen.

Announced at IFA Berlin in September as a refresh of the ever-popular ThinkPad Helix, the Lenovo Helix 2nd Gen. is a detachable 2-in-1 that is even thinner and lighter, with better battery life than the previous model. Powered by Windows 8.1 Pro, it offers business-grade security, the ability to join a domain, and more. The Helix also has a detachable keyboard, providing the option of an on-the-go tablet or use as a traditional laptop, and an active stylus for quick notes using the handwriting recognition feature, adding to your productivity wherever you are.

Lenovo ThinkCentre Tiny-in-One 23

Another device announced at IFA Berlin this year is the Lenovo ThinkCentre Tiny-in-One 23, a modular all-in-one desktop offering easy setup for public and private enterprises. The Tiny-in-One monitor allows IT managers to refresh the CPU and monitor separately without having to replace the entire system. The Kensington lock secures both the monitor and the device itself, and is also compatible with other data security features such as Smart USB Protection and Bluetooth lock.

Dell Latitude 13 7000 Series 2 in 1

The Dell Latitude 13 7000 Series 2-in-1 is designed to keep you productive – on the road or at the office – with powerful business-class features and security built right in to keep your data protected. Use the device as a detachable 13-inch tablet with six hours of all day battery life, plus four additional hours in the keyboard. The device also touts a full-size business-class single point ISO keyboard with standard backlight and the convenience of two USB 3.0 ports on the keyboard base.

HP Pro X2

Last but certainly not least, the HP Pro x2 612 is HP’s thin, light and powerful computing alternative for business. Like the Dell Latitude, the HP Pro x2 612 has a battery in the tablet and one in the Power Keyboard, allowing business customers to benefit from the dual batteries with up to 14 hours of battery life. The HP Pro x2 612 also comes with an optional battery-free Wacom pen with built-in holder. It also offers HP BIOSphere, HP Client Security, and an optional fingerprint reader to help keep devices safe and secure.

As mentioned, we are working hard to ensure that compatibility between Windows 7, Windows 8 and Windows 10 is excellent. This also applies to hardware: we are designing Windows 10 to have the same overall hardware requirements as Windows 7 and Windows 8, making it possible to run Windows 10 on a vast majority of existing devices. For that reason, we see device purchases today as a great investment toward the future. We look forward to sharing more details about the upgrade path soon. And, in the meantime, we welcome your participation in the Windows Insider Program where you can experience new builds as soon as they’re available and have an opportunity to influence product development decisions through the Windows Feedback app directly within the product.