Talk: Identity X.0 – Securing the Insecure

René Pfeiffer/ October 10, 2011/ Conference

Identities are important. You might already know this, but in the times of heavily meshed web applications and users moving between different web sites keeping track of a client’s identity can be difficult. Moreover it’s not just about identities but also about transporting account/user attributes by various protocols and standards between various applications. You might remember Microsoft Wallet/Passport which is now Windows Live ID. OpenID defines an open standard about authenticating an user by using a decentralized architecture. OAuth is another open standard, handling authorization and it is widely used by small and large organizations such as Yahoo! and Twitter. So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these

Read More

Mobile Security and authTokens

René Pfeiffer/ May 17, 2011/ Security

Recently we mentioned the topic of mobile security in this blog since it keeps being addressed by security researchers. Now there’s something that can be combined by networking, defective by design and mobile security. German security researcher from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or

Read More

Have an app and share your data!

René Pfeiffer/ May 11, 2011/ Security

Apps are all the fashion. You can download them, and you can add them to web sites (such as your blog) including your favourite social network. Facebook has introduced applications back in 2007. If you want to tie an application to your account, the code needs to have proper credentials in order to connect an action with your profile. This is why most apps ask you to login before they start to work. The idea is to convert your login and password into a token that can be used to grant access, either for a limited time or indefinitely. Symantec’s Nishant Doshi reports that Facebook had a bug in its application framework exposing user access tokens to third parties. This basically means that you can do all the app can do (and possibly more)

Read More