QCon - New York. New York 18th June 2012 (June 18th for Americans)
John Davies
- An ageing Über-geek
- Hardware, Assembler, C, Objective-C, C++, OCCAM, SmallTalk, Java
- Worked mostly in trading systems, FX & Derivatives
- Head of trading systems at Paribas, head of architecture at BNP Paribas, global head of architecture at JP Morgan
- Author of Learning Tree's Enterprise Java courses & co-author of several Java & architecture books
- Co-founder of C24 Solution in 2000
- Sold to Nasdaq's Iona Technologies in 2007, Iona sold to Progress Software in 2008, Technical Director of both companies
- Co-founded Incept5 in 2008, re-acquired C24 from Progress in April 2011
- CTO of Incept5 & C24
- Original technical architect behind Visa's V.me (pre-public release)

I'm a Hacker
- Why am I talking about Social Media OAuth in a Security track?
- I work in banking and payments, security is top, TOP priority
- Understanding how security works (or doesn't) is key to being able to provide better measures against malicious hackers
- Only by understanding how malicious hackers do their dirty work can we hope to protect our applications and systems
- So yes, I hack in the exploratory sense of the word
- OAuth is an important tool in today's increasingly mobile and social world

Agenda
- Signup and Password Hell
- Passwords, Hashes and Leaks
- Pass phrases
- OAuth
- Hooking up an app with Facebook
- OAuth & Security

One password or multiple?
- One single username and password would make our lives a lot easier
- Assuming it's a good password of course
- But then if it were breached, the hacker gets access to everything :-(
- If you add better security it might work
- Something you own perhaps, a phone? Access from a specific IP address etc.
- But then when you lose it, you're locked out of everything
- And in practice they're not really that secure

Multiple Passwords
- So we're back to unique passwords for every single system we use
- Every new app seems to want you to provide new credentials, first the username...
- You enter your username jdoe, immediately you're told it's not free
- You try johndoe, taken, why not try johndoe367?
- You settle with bigjohndoe
- Then the password...
    xxxxxx   - Password must be minimum 8 chars
    xxxxxxxx - Password must contain a number
    xxxnxxxx - Password must contain at least one uppercase character
    XxxNxxxx - Password must contain a punctuation character

Password Hell
- Finally you find a password that works in most places: John1985!
- Then you have to change it a month later
- OK, you can't change your name or date of birth so now what?
- You end up writing it down or entering it into your phone's notes
- Not very secure!
- Don't fight it, you need multiple passwords

Password security
- Most people use common words as passwords: names, numbers, combinations of the two, letter/number substitutes
- These are incredibly easy to hack: John, BigJohn, John1234, J0hni234, B1gJ0hn
- Take almost any combination of 6-8 characters, any word (in any language), any two words, any word with a number
- Someone will have hashed it and added it to a rainbow list
- Try it, take your password, hash it with MD5 and SHA and then google the result
- If you find it, you might as well not have a password (almost)

Getting the hash...
Some easy methods...

    perl -e 'print qw(password)' | shasum
    > 8be3c943b1609fffbfc51aad666d0a04adf83c9d

    perl -e 'use Digest::MD5 qw(md5_hex); print md5_hex("password"), "\n";'
    > dc647eb65e6711e b3964

In Java/Scala use java.security.MessageDigest:

    MessageDigest.getInstance("MD5");
    MessageDigest.getInstance("SHA-1");

Now Google the hashes or paste them into something like

Was your password leaked by LinkedIn?
- Two weeks ago it was announced that someone had released 6.4 million passwords from LinkedIn
- Then it was eHarmony, Last.fm and others
- It doesn't matter how well you guard your 8 character password, if some idiot at LinkedIn stores it unsalted and that gets out, you're hacked
- You MUST have a secure password with NO words
- Use a generator, 1Password is a good solution
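The two slides above (rainbow-list lookups against plain MD5/SHA-1 digests, and LinkedIn storing passwords unsalted) illustrated as an added example that is not from the talk: the "rainbow list" is a constructed handful of precomputed SHA-1 digests, and the salted, iterated storage shown beside it is the mitigation that defeats such tables.

```python
"""Unsalted, fast hashes versus salted, slow hashes for stored passwords."""
import hashlib
import hmac
import os

# Constructed stand-in for the public precomputed tables the talk refers to:
# SHA-1 of a few common passwords, keyed by digest so reversal is a lookup.
COMMON_PASSWORDS = ["password", "John1234", "B1gJ0hn", "letmein", "qwerty"]
RAINBOW_LIST = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha1(password: str) -> str:
    """How a careless site stores a password: one fixed digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_with_rainbow_list(digest: str):
    """Reverse an unsalted digest by pure lookup; None if it was never precomputed."""
    return RAINBOW_LIST.get(digest)


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus PBKDF2 stretching: nothing here can be precomputed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users who picked the same weak password, stored both ways."""
    a, b = unsalted_sha1("John1234"), unsalted_sha1("John1234")
    ra, rb = make_salted_record("John1234"), make_salted_record("John1234")
    return {
        "unsalted_identical": a == b,                        # one lookup cracks both
        "unsalted_cracked": crack_with_rainbow_list(a),      # 'John1234'
        "salted_identical": ra["hash"] == rb["hash"],        # different salts
        "salted_cracked": crack_with_rainbow_list(ra["hash"]),  # None
        "salted_verifies": verify_salted("John1234", ra),
    }
```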
Nepephemeral
- An open-source password manager
- Inspired (accelerated) after the LinkedIn leak
- First public release in the next few days - OS X and then Windoze
- iPhone & Android in the near future
- Most password managers store everything in a database encrypted by a master password/phrase, e.g. 1Password, LastPass etc.
- Disadvantage is that you're only one password from everything falling into the hands of a hacker
- Not just your Facebook login but your bank account and card PINs

Nepephemeral
- Nepephemeral does not store passwords
- It automates the generation of strong passwords from pass phrases
- It also manages common password rotation tasks
- Allowing multiple unique passwords from a single pass phrase
- No need to memorise a new password every 30 days
- A pass phrase is a sequence of words or prose that is easy for you to remember and hard for someone else to guess
- Statistically even a short pass phrase is much harder to guess than the average 8 character password

Pass phrases
First the password: Tr0ub4dor&3
- Roughly 28 bits of entropy (2^28 = 268,435,456); at 10k guesses/sec that's 7 hours
- Difficulty to crack: EASY
- Difficulty to remember: DIFFICULT
Now a pass phrase: correct horse battery staple
- About 44 bits of entropy (2^44 = over 17 trillion); at 1M guesses/sec that's over 200 days!
- Difficulty to crack: HARD
- Difficulty to remember: You already have

If you're interested...
- Nepephemeral uses this fact to create passwords that can pass the Draconian password rules that most sites use
- While giving you a simple pass phrase that is easy to remember, without compromising on security
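The idea on the Nepephemeral slides (one memorable pass phrase in, a different policy-compliant password per site out, with a rotation counter for forced changes and nothing stored) as an added illustration. This is not Nepephemeral's algorithm: the PBKDF2 stretching, the salt layout, the character classes and the fix-up step are assumptions made here.

```python
"""Derive site-specific, policy-compliant passwords from one pass phrase."""
import hashlib

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
PUNCT = "!#$%&*+-=?@_"          # assumed set; most sites accept these
ALPHABET = LOWER + UPPER + DIGITS + PUNCT   # 74 symbols


def meets_policy(pw: str) -> bool:
    """The 'Draconian' rules from the slides: 8+ chars, a digit, an uppercase, punctuation."""
    return (len(pw) >= 8
            and any(c in DIGITS for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in PUNCT for c in pw))


def derive_password(passphrase: str, site: str, username: str,
                    rotation: int = 0, length: int = 16) -> str:
    """Stretch the pass phrase with PBKDF2; site, username and rotation act as the salt.

    The same inputs always give the same password, so nothing has to be stored;
    bumping `rotation` yields an unrelated password for the monthly forced change.
    """
    if length < 8:
        raise ValueError("the policy needs at least 8 characters")
    salt = f"{site}\x00{username}\x00{rotation}".encode()
    # length bytes feed the password, four spare bytes drive the fix-up below
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000,
                              dklen=length + 4)
    # modulo bias (256 % 74) is small enough for this illustration
    body = [ALPHABET[b % len(ALPHABET)] for b in key[:length]]
    # Deterministic fix-up: reserve three consecutive positions (distinct since
    # length >= 8) for one digit, one uppercase letter and one punctuation mark,
    # so the result always satisfies meets_policy().
    base = key[length] % length
    for i, cls in enumerate((DIGITS, UPPER, PUNCT)):
        body[(base + i) % length] = cls[key[length + 1 + i] % len(cls)]
    return "".join(body)
```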
Authorisation or Authentication?
- Authentication validates who you are; it can be at several levels: just a name; a name and a password; a name, password and something secure; all of the above plus a retina scan and a DNA sample
- Authorisation dictates what you can do; the higher levels may require a better level of authentication: access to your QCon badge, your hotel key, a seat on a plane, or access into the Federal Reserve Bank or Fort Knox
- Both are interlinked, there's little point in a retina scan and DNA sample to get your QCon badge
OpenID
- OpenID is an open standard for decentralised authentication
- A user can sign up with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication
Diagram: Web Site / App (RP), User, OpenID Provider (OP)
1. RP asks user for OpenID
2. User returns OpenID
3. User is redirected to OP where he/she authenticates (usually a password)
4. OP redirects back to RP and user is authenticated
- OpenID says who you are, not what you can do
OAuth
"OAuth provides a way to grant access to your data on some website to a third website, without needing to provide this third website with your authentication information for the original website."
- What this means, for example, is that you could grant me access to some of your Facebook / Twitter / Google account without me having to know your username and password
- You can limit my access to certain parts of your account
- A good example would be a third party Facebook, Twitter or Google+ reader
- Normally you wouldn't want to trust the app developer with your username and password

OAuth 1.0 & 2.0
- OAuth 2.0 was a replacement of OAuth 1.0, the latter was overly complex and difficult to implement due to the need for certificates etc.
- The spec can be found here...
- OAuth 2.0 does not require certificates, only SSL/TLS
- This makes it more flexible, i.e. the token can be portable
- Used wrongly though it can create a security issue

Authentication
- In theory you can use OAuth to authenticate a user, you don't necessarily need to get data from the authoriser's site
- This is authentication, NOT authorisation, it just confirms that you are who you say you are, as far as Facebook/Twitter etc. knows you
- It is very similar to the way OpenID works in this case
- You might want this to provide a common login across multiple apps
- Helps the user create an account without a new username/password
- Facilitates identity management
- Authorisation, i.e. what the user can/can't do, is still your problem

OAuth 2.0
Diagram: User logs into game / application via Facebook or Twitter; Game / Application; Game / application can access data on Facebook or Twitter; Facebook, Twitter, Google etc.
OAuth 2.0 Initial Login
Participants: User, Browser or App, Your Server, Twitter/Facebook/Google etc., User Data
1. Startup
2. You need to login via Facebook
3. User directed to Facebook login
4. Facebook redirects to your redirect URI with authentication code
5. Browser redirects to redirect URI
6. Server sends user authentication code, ID and user secret
7. Returns access token
8. User is now logged in
OAuth 2.0 Data Request
Participants: User, Browser or App, Your Server, Twitter/Facebook/Google etc., User Data
1. Startup
2. You need to login via Facebook
3. User directed to Facebook login
4. Facebook redirects to your redirect URI with authentication code
5. Browser redirects to redirect URI
6. Server sends user authentication code, ID and user secret
7. Returns access token
8. User is now logged in
9. User requests data via app / browser
10. Server requests data with token
11. Facebook accesses data
12. Data accessed
13. Facebook returns requested data
14. User sees data
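The initial login and data request sequences above, simulated end to end as an added example (not code from the talk, Facebook or any SDK): `Provider` stands in for Facebook/Twitter/Google and `AppServer` for "Your Server", both in memory, and the app id, secret, redirect URI and session ids are constructed values. The checks it enforces (registered redirect URI, single-use short-lived code, app secret on the exchange, and a `state` value bound to the browser session) are the ones the real flow relies on.

```python
"""Simulated OAuth 2.0 authorization-code login, steps 2-14 of the slides.

Added example, not from the talk or any vendor SDK: `Provider` stands in for
Facebook/Twitter/Google and `AppServer` for "Your Server", both in memory.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class Provider:
    """Issues a code at the authorize step and swaps it for a token at the token step."""

    def __init__(self):
        self.apps = {}     # app_id -> {"secret", "redirect_uri"} for registered apps
        self.codes = {}    # code -> {"app_id", "user", "expires"}
        self.tokens = {}   # token -> {"app_id", "user"}

    def register_app(self, app_id, app_secret, redirect_uri):
        self.apps[app_id] = {"secret": app_secret, "redirect_uri": redirect_uri}

    def authorize(self, app_id, redirect_uri, state, user):
        """Steps 3-4: the user authenticates here; we redirect back with a code.
        Only the redirect URI registered for the app is honoured."""
        app = self.apps.get(app_id)
        if app is None or app["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown app or unregistered redirect URI")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"app_id": app_id, "user": user, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, app_id, app_secret, code):
        """Steps 6-7: the server (not the browser) presents the code plus the app secret."""
        app = self.apps.get(app_id)
        if app is None or not secrets.compare_digest(app["secret"], app_secret):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)   # pop: a code is redeemable exactly once
        if grant is None or grant["app_id"] != app_id or grant["expires"] < time.time():
            raise PermissionError("invalid, expired or replayed code")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"app_id": app_id, "user": grant["user"]}
        return tok

    def user_data(self, tok):
        """Steps 10-13: a data request authenticated by the bearer token."""
        info = self.tokens.get(tok)
        if info is None:
            raise PermissionError("unknown token")
        return {"id": info["user"], "name": info["user"].title()}


class AppServer:
    """'Your Server': starts the login, handles the callback, proxies data requests."""

    def __init__(self, provider, app_id, app_secret, redirect_uri):
        self.p, self.app_id, self.secret = provider, app_id, app_secret
        self.redirect_uri = redirect_uri
        self.sessions = {}  # browser session id -> {"state", "token"}

    def start_login(self, session_id):
        """Step 2: send the browser to the provider carrying a fresh, session-bound state."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state, "token": None}
        return {"app_id": self.app_id, "redirect_uri": self.redirect_uri, "state": state}

    def callback(self, session_id, redirected_url):
        """Steps 5-8: the state must match the one THIS session started with (it binds
        the callback to the browser that began the login), then exchange the code."""
        q = parse_qs(urlparse(redirected_url).query)
        sess = self.sessions.get(session_id)
        got = q.get("state", [""])[0]
        if sess is None or sess["state"] is None or not secrets.compare_digest(sess["state"], got):
            raise PermissionError("state mismatch: callback not bound to this session")
        sess["state"] = None   # the state is single-use as well
        sess["token"] = self.p.token(self.app_id, self.secret, q.get("code", [""])[0])
        return True            # step 8: the user is now logged in

    def fetch_profile(self, session_id):
        """Steps 9-10 and 14: the app asks our server; our server asks the provider."""
        sess = self.sessions.get(session_id)
        if not sess or not sess["token"]:
            raise PermissionError("not logged in")
        return self.p.user_data(sess["token"])


def run_login(user="john doe"):
    """Whole happy path; returns the profile the user sees at step 14."""
    p = Provider()
    p.register_app("app-1", "s3cret", "https://app.example/cb")   # constructed values
    srv = AppServer(p, "app-1", "s3cret", "https://app.example/cb")
    req = srv.start_login("sess-A")
    back = p.authorize(req["app_id"], req["redirect_uri"], req["state"], user)
    srv.callback("sess-A", back)
    return srv.fetch_profile("sess-A")
```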
OAuth in Facebook is very easy
- Compared to the complexity of OAuth 1.0, on iPhone using Facebook is wonderfully easy
- Facebook has provided open libraries you can link in to your code: git://github.com/facebook/facebook-ios-sdk.git
- It effectively does all the OAuth stuff for you, all you need to do is create (register) an app on Facebook... and write a few callbacks / delegate methods

Registering the app
- You just need the App ID and App Secret
- You can then use this in your application for authentication
- Once your client has authed you can use the token on the phone or a server

Xcode...

The Login callback
- When the Facebook web/app login returns it calls our fbDidLogin method

Server Delegation
- It's easy to authenticate and login from the phone but we may want our own server in the loop
- We could run everything through the phone and back to the server but that's unnecessary bandwidth (cost and latency)
- So ideally we would want the server to communicate with Facebook
- The token is portable: we can send it to the server, which can become a proxy for our mobile app. Effectively we can transfer privileges
- Useful, but how safe is this? The token is now a new (portable) key to Facebook
- It's worth noting that Twitter doesn't allow this
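One answer to the "how safe is this?" question on the Server Delegation slide, as an added example that goes a step beyond the slide: before our server treats a token handed over by the phone as "this user is logged in", it confirms with the provider that the token is valid, unexpired and was issued to our app, otherwise a token the user granted to some other app would log them in here too. `inspect_token` and its data are constructed stand-ins for a provider's token-inspection call, not any vendor's real API, and `OUR_APP_ID` is an assumed value.

```python
"""Validate a portable access token received from the mobile app before trusting it."""
import time

OUR_APP_ID = "app-1"   # assumed value for our registered app

# Constructed inspection results: what the provider would report for each token.
_INTROSPECTION = {
    "tok-ours":    {"active": True,  "app_id": "app-1", "user_id": "u42",
                    "expires": time.time() + 3600},
    "tok-other":   {"active": True,  "app_id": "app-9", "user_id": "u42",
                    "expires": time.time() + 3600},   # valid, but granted to another app
    "tok-expired": {"active": True,  "app_id": "app-1", "user_id": "u42",
                    "expires": time.time() - 1},
    "tok-revoked": {"active": False, "app_id": "app-1", "user_id": "u42",
                    "expires": time.time() + 3600},
}


def inspect_token(token):
    """Stand-in for asking the provider about a token; None if it is unknown."""
    return _INTROSPECTION.get(token)


def login_with_mobile_token(token, now=None):
    """Return the user id to log in as, or raise PermissionError.

    Possession proves only that SOMEONE holds a valid token; the app_id (audience)
    check is what ties the token to our application and makes it usable as a login.
    """
    now = time.time() if now is None else now
    info = inspect_token(token)
    if info is None or not info["active"]:
        raise PermissionError("token unknown or revoked")
    if info["expires"] <= now:
        raise PermissionError("token expired")
    if info["app_id"] != OUR_APP_ID:
        raise PermissionError("token was issued to a different app")
    return info["user_id"]


def classify(token):
    """Outcome of the login attempt as a string, for logging or tests."""
    try:
        return "ok:" + login_with_mobile_token(token)
    except PermissionError as e:
        return "rejected:" + str(e)
```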
In a nutshell then
- You need unique and good passwords
- Ideally generated and ideally well over 8 characters in length
- While password management tools are a good start they present a new risk
- One you may be happy with but not one a company should accept
- OAuth on Facebook, Google, Twitter etc. is becoming a de facto tool for SSO
- Not just for the data they contain but also just authentication
- OAuth creates a whole new realm of security issues

Thank you
More informationOAuth securing the insecure
Black Hat US 2011 khash kiani khash@thinksec.com OAuth securing the insecure roadmap OAuth flow malicious sample applications mobile OAuth google app web-based OAuth facebook app insecure implementation
More informationProtect Yourself Against VPN-Based Attacks: Five Do s and Don ts
White Paper Protect Yourself Against VPN-Based Attacks: Five Do s and Don ts Don t let stolen VPN credentials jeopardize your security March 2015 A TECHTARGET WHITE PAPER Most IT professionals take for
More informationDeploying OAuth with Cisco Collaboration Solution Release 12.0
White Paper Deploying OAuth with Cisco Collaboration Solution Release 12.0 Authors: Bryan Morris, Kevin Roarty (Collaboration Technical Marketing) Last Updated: December 2017 This document describes the
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationA team-oriented open source password manager with a focus on transparency, usability and security.
A team-oriented open source password manager with a focus on transparency, usability and security. SCRT Who am I? Florian Gaultier Security engineer in charge of SCRT France I break things for a living,
More informationIntroduction to application management
Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to
More informationControlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years
Colson 1 Alex Colson Dr. Lunsford Information Security Management 10 July 2007 Controlling Website Account Information A recent survey done by Privacy Rights Clearinghouse shows that in the past five years
More information5 OAuth Essentials for API Access Control
5 OAuth Essentials for API Access Control Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the user in control of delegating access to an API. This allows
More informationAccess Management Handbook
Access Management Handbook Contents An Introduction 3 Glossary of Access Management Terms 4 Identity and Access Management (IAM) 4 Access Management 5 IDaaS 6 Identity Governance and Administration (IGA)
More informationFAQ: Privacy, Security, and Data Protection at Libraries
FAQ: Privacy, Security, and Data Protection at Libraries This FAQ was developed out of workshops and meetings connected to the Digital Privacy and Data Literacy Project (DPDL) and Brooklyn Public Library
More informationAuthentication KAMI VANIEA 1
Authentication KAMI VANIEA FEBRUARY 1ST KAMI VANIEA 1 First, the news KAMI VANIEA 2 Today Basics of authentication Something you know passwords Something you have Something you are KAMI VANIEA 3 Most recommended
More informationUser Directories. Overview, Pros and Cons
User Directories Overview, Pros and Cons Overview Secure ISMS can operate with one or more of the following user directories. Secure ISMS Users (ISMS) Internal users local to the Secure ISMS application
More informationOATH : An Initiative for Open AuTHentication
OATH : An Initiative for Open AuTHentication Who Are You Really Doing Business With? 2 Oath Proprietary Confidential The New York Magazine, July 5, 1993, Peter Steiner, The Economic Promise of e-business
More informationUnlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.
Unlocking Office 365 without a password How to Secure Access to Your Business Information in the Cloud without needing to remember another password. Introduction It is highly likely that if you have downloaded
More informationOffice 365 and Azure Active Directory Identities In-depth
Office 365 and Azure Active Directory Identities In-depth Jethro Seghers Program Director SkySync #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM Agenda Introduction Identities Different forms of authentication
More informationWelcome to Parkview MyChart!
Patient Guide Welcome to Parkview MyChart! Welcome to your one story of care. As a patient of Parkview, you now have access to your health information from the convenience of your home, or even from the
More informationSINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS
SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS Gabriella Davis - gabriella@turtlepartnership.com IBM Lifetime Champion for Social Business The Turtle Partnership 1 Admin of all things and especially quite complicated
More informationIdentity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014
Identity management Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014 Outline 1. Single sign-on 2. SAML and Shibboleth 3. OpenId 4. OAuth 5. (Corporate IAM) 6. Strong identity 2
More informationWould you bet your business on the strength of every employee s password?
Would you bet your business on the strength of every employee s password? Table of Contents You re only one weak password away from a breach... 3 Think your passwords are strong? That won t stop hackers...
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationUser Guide NRC Research Press Journals Published by
RP Mobile User Guide NRC Research Press Journals Published by ACCESS Accessing RP Mobile Open the browser on a compatible device and enter the URL www.nrcresearchpress.com. As you are accessing the site
More informationMQ Jumping... Or, move to the front of the queue, pass go and collect 200
MQ Jumping.... Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue
More informationTABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure
TABLE OF CONTENTS 1.0 General Statement... 3 2.0 Purpose... 3 3.0 Scope... 3 4.0 Procedure... 3 4.1 General... 3 4.2 Requirements... 4 4.3 Guidelines... 4 5.0 Failure to comply... 6 2 1.0 GENERAL STATEMENT
More informationArchitecture. Steven M. Bellovin October 31,
Architecture Steven M. Bellovin October 31, 2016 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationOpenID: From Geek to Chic. Greg Keegstra OpenID Summit Tokyo Dec 1, 2011
OpenID: From Geek to Chic Greg Keegstra OpenID Summit Tokyo Dec 1, 2011 Why OpenID? Time for a poll Who has reused their same password when logging into a new website? Who has forgotten their password
More informationThe Problem with Privileged Users
Flash Point Paper Enforce Access Control The Problem with Privileged Users Four Steps to Reducing Breach Risk: What You Don t Know CAN Hurt You Today s users need easy anytime, anywhere access to information
More informationSTEAM Clown Production. Passwords. STEAM Clown & Productions Copyright 2016 STEAM Clown. Page 1 - Cyber Security Class
Production Passwords Page 1 - Cyber Security Class Copyright 2016 Does It Matter? Is your email password the same as your Facebook password? Is that Good? Bad? Why? Page 2 - Cyber Security Class Copyright
More informationSalesforce Mobile App Security Guide
Salesforce Mobile App Security Guide Version 3, 0 @salesforcedocs Last updated: October 11, 2018 Copyright 2000 2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationLecture 3 - Passwords and Authentication
Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 What is authentication? Reliably verifying
More informationBits and Bytes August 2014
Bits and Bytes August 2014 Arkansas Premier Computer Club Bella Vista Computer Club - John Ruehle Center Highlands Crossing Center, 1801 Forest Hills Blvd, Suite 208, Bella Vista, AR 72715 Web Site: www.bvcompclub.org
More informationHow To Change My Wordpress Database
How To Change My Wordpress Database Password On Instagram Account Built by one of the world's largest Instagram browsers INK361, this comprehensive widget that can showcase your Instagram account in the
More informationTrusted Profile Identification and Validation Model
International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 7, Issue 1 (May 2013), PP. 01-05 Himanshu Gupta 1, A Arokiaraj Jovith 2 1, 2 Dept.
More informationKeeping Your PC Safe. Tips on Safe Computing from Doug Copley
Keeping Your PC Safe Tips on Safe Computing from Doug Copley Don t be an Administrator Administrator is an account that can do ANYTHING on the PC Most computers start with 1 account with administrator
More informationMain area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation
Public Wi Fi Created: March 2016 Last Updated: July 2018 Estimated time: Group or individual activity: Ages: 60 minutes [10 minutes] Activity #1 [15 minutes] Activity #2 [10 minutes] Activity #3 [10 minutes]
More informationmaxecurity Product Suite
maxecurity Product Suite Domain Administrator s Manual Firmware v2.2 ii Table of Contents BASICS... 1 Understanding how maxecurity products work in your company... 1 Getting started as a Domain Administrator...
More informationUser Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017
User Management Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017 Agenda Introduction User Management Federation Objectives 1 Introduction NextGEOSS High-Level Architecture DataHub harvest
More informationCLIENT ONBOARDING PLAN & SCRIPT
CLIENT ONBOARDING PLAN & SCRIPT FIRST STEPS Receive Order form from Sales Representative. This may come in the form of a BPQ from client Ensure the client has an account in Reputation Management and in
More information1.1. HOW TO START? 1.2. ACCESS THE APP
Table of Contents 1. Get Started 1.1. How to start? 1.2. Access the app 1.3. Username and password 2. Mobile Banking features 3. Security 4. Accounts and inquiries 5. Transfers and beneficiaries 6. Charges
More informationEXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK
EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS 03 EXECUTIVE OVERVIEW 05 INTRODUCTION 07 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS 09 IDENTITY FEDERATION IN
More information