Friday, July 24, 2009

The Twitter Attack And Improving Application IDM

TechCrunch posted an article, "The Anatomy of the Twitter Attack", that details how an attacker leveraged search, social-networking, and public email services to break into Twitter's corporate services.
...modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.
If you were looking for an example of why web applications should move towards supporting federated identity and identity management services rather than rolling their own identity management systems, well, this is the poster-child case.
Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. These are features designed and built as a compromise, since we are often unable to remember and recall a single four-digit PIN, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for adds management overhead that quickly collapses into a common dirty habit: using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use, which is often to say, very weak.
The article is quite long, but it is well worth reading. It shows how one weak application can be used to weaken the security of another, both directly and indirectly. In this case, according to TechCrunch, password recovery at an unrelated email service was the vector that unlocked valuable information at Twitter. To be fair to the web sites mentioned in the article, this identity management (IDM) stuff is hard. Many have done a creditable job that works well in isolation for their own users. But this article shows how attackers can use social attacks to chain multiple sites together to gain an advantage.
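The dependency the article describes (one shared email identifier for account recovery, plus reused passwords) can be made concrete as a small blast-radius calculation over a user's accounts. This is an added example, not code from the post or from TechCrunch; the account names, recovery mailboxes and password labels are constructed for illustration.

```python
from collections import deque

# Constructed sample of one user's accounts: where each account sends its
# password-reset mail, and a label standing in for the password it uses.
# Names are hypothetical and do not refer to any real service.
ACCOUNTS = {
    "old-webmail":   {"recovery": None,            "password": "pw-A"},
    "personal-mail": {"recovery": "old-webmail",   "password": "pw-B"},
    "work-mail":     {"recovery": "personal-mail", "password": "pw-C"},
    "docs-suite":    {"recovery": "work-mail",     "password": "pw-B"},
    "microblog":     {"recovery": "personal-mail", "password": "pw-B"},
    "bank":          {"recovery": "work-mail",     "password": "pw-D"},
}


def compromise_set(accounts, seed):
    """Return every account that falls once `seed` is taken over, with the
    link that brought it down.

    Two edges are followed from each controlled account: an account whose
    reset mail lands in a controlled mailbox falls via password recovery;
    an account that reuses a controlled account's password falls via reuse.
    Recording the link shows a defender which dependency to cut.
    """
    reached = {seed: "starting point"}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for name, acct in accounts.items():
            if name in reached:
                continue
            if acct["recovery"] == cur:
                reached[name] = f"password reset mailed to {cur}"
            elif acct["password"] == accounts[cur]["password"]:
                reached[name] = f"same password as {cur}"
            else:
                continue
            queue.append(name)
    return reached


def blast_radius(accounts):
    """Map each account to how many accounts fall if it alone is breached."""
    return {name: len(compromise_set(accounts, name)) for name in accounts}


if __name__ == "__main__":
    # The forgotten, weakest account is the most valuable one to an attacker.
    for name, count in sorted(blast_radius(ACCOUNTS).items(), key=lambda kv: -kv[1]):
        print(f"{name:14s} -> {count} of {len(ACCOUNTS)} accounts")
    for name, via in compromise_set(ACCOUNTS, "old-webmail").items():
        print(f"  {name}: {via}")
```

Run it and the dormant webmail account, which nothing else depends on for security, turns out to reach every other account through the recovery chain; the same walk shows which reset address or reused password to change first.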

As you may know, Oracle's approach to IDM is application-centric: it focuses on the issues relevant to building secure applications. Products like Oracle Adaptive Access Manager, OAM, and Oracle Identity Manager (not to mention the entire suite) go a long way toward providing the tools needed for a secure IDM infrastructure.

But Oracle, the members of Liberty Alliance, and now Kantara are going much further, working out how to recruit more application developers to leverage identity services through a common set of secure middleware components and technologies that lowers development costs, improves privacy, and ultimately improves the security of applications and their users. To broaden this industry effort, Oracle and many others initiated a standardization effort called the Identity Governance Framework with Liberty Alliance. Together we also initiated development of a free and open-source API called "Project Aristotle" under openLiberty.org. This work is still in development; new participation and input are very welcome!
