Anti-phishing Mashup

Here's a site dedicated to phishing control that has produced a bizarre mashup that I find fascinating – Web 2.0 meets Magnum PI.  It combines information from the Anti-Phishing Working Group with novel visualization techniques and animation so you can analyse the topologies of phishing trips over time.

A phishing message arrives in your mailbox, pretending to be from a bank, or from an etailer such as eBay or Paypal. It directs you to a web page and asks you to enter your password or social security number to verify your identity, but the web page is not one actually associated with the bank; it's on some other server.

InternetPerils has discovered that those phishing servers cluster, and infest ISPs at the same locations for weeks or months.

Here's an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository.

(Animation: Phishing Cluster over Time)

Figure 1: A Persistent Phishing Cluster

The ellipses in this animation represent servers; the boxes represent routers; and the arrows show the varying connectivity among them. Colors of boxes reflect ownership of parts of the network. Times are GMT.

The animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.

Graphs were produced using PerilScope™, which is InternetPerils' interactive topology examination interface, based upon the GAIN platform.

Go to their site to see the actual animated mashup.

Serious cardmaking

Kevin Hammond ups the ante on how to put a graphic on your infocard.  His reference to my card makes me blush – I just “borrowed” a graphic that had been assembled by one of the computer journals, not having any idea of how one would make it.  One day I'll find the time to play with the cool technology he is talking about.

There's a lesson here though.  When people start hand-tailoring their cards, it becomes impossible for “phishing software” to successfully perform social engineering attacks that trick people into thinking a fake CardSpace interface is real.  The phisher has no idea of what kind of graphic or what kind of photo the user has created – so it just can't do a believable impersonation.  The result is that the user immediately recognizes something is very wrong.

I've been getting my feet wet with Windows CardSpace and my self-issued card. In watching Kim Cameron's demonstration of how he integrated CardSpace with WordPress, I saw his nifty looking card with his portrait on it. Right then and there I decided I too must have one. What do you think of the results? Here's how I did it.

I made a self portrait with my Canon EOS 20D and an EF 50mm f/1.8 II lens.  I extracted the headshot with Photoshop CS2’s Extract filter, did some complexion touch up and resized it to what you see here, about 60×64 at the shoulder. I created a new 120×80 image according to the guidance provided by Vittorio Bertocci in his great article about how images are mapped onto cards. From here, it's all a composite. There's a layer for the black rectangle across the bottom, a layer for the gradient background, a layer for my portrait, and a layer each for the text. It took some experimenting with fonts and text transformation to arrive at the setting you see here – by far the largest part of this entire exercise. My Layers palette is reproduced here for your reference. Frankly, I'm surprised by the result because I'm by no means a Photoshop guru. But I think I now have something cool to liven up with!

Vista does one annoying little thing in the reflection it places on the top third of the card when it renders it within the Windows CardSpace UI. I can see how they're trying to be cool, but I think it detracts rather than adds to the overall experience.

ARCAST adds transcripts

I got a note recently from Ron Jacobs, host of Channel 9’s ARCast, telling me that they have added transcripts to their “more popular” ARCasts.  Somehow that included a very early one on the Laws of Identity. Ron is great fun, and has a cave of a studio that really makes you feel like you're “on the air” – though being digital, he is of course post-air…

Let me be the one to say it:  Reading the transcripts I wish a) I were more articulate, and the transcriber a bit more tuned into my perhaps overly informal style; and b) everything published on the internet wasn't going to be around forever.  But I'm not, and it will, and so we all soldier on.

Hi this is Ron Jacobs and welcome to our talk today. I’m joined by Kim Cameron who is an architect in Windows Identity and access management area. I guess I’d say how’s it going Kim?

Kim Cameron

It’s just great.

And and so, that’s really interesting. I didn’t realize that we had a whole group that is focused around identity and access management in Windows.

Oh sure, because we have things like Active Directory, you know meta directory integration services and all that sort of stuff. So different ways of being able to find out who you are dealing with inside the Windows environment. So when you for example login to Windows, you know, somebody has got to write that stuff.

Yeah oh yeah, I’m glad you are because you know

It’s not me though

OK well (laughs)

It’s our, it’s our group

Your group… yes, but you are the architect. You’re the guy that like in The Matrix who wheels around and says I’m the Architect

Yeah, Yeah, I’m responsible for what's wrong and what's bad about it,

Okay… Now you’ve come up with this real interesting thing that we are going to talk about today called the Laws of Identity. And I love; I love these kind of things. There are seven laws of Identity that you’ve written down on your, on your wonderful blog which I’ve to plug it’s

I love you…

Well you can return the favor and plug this show later

I’ll I’ll

I love concise lists like this because they kind of formalize a lot of random thinking that goes on. How did you come up with this list

Well you know I was … Have you ever been to one conference too many?

I have … yeah

So you know I was there and I just was listening to the way the discussion was going and it occurred to me that we don’t really have a framework that allows us to restart the discussion about identity anywhere except from the beginning each time we have it. Sort of like back to the beginning, rewind, and we start again. And all the words mean different things to different people and basically there is… so as a result everybody ends up discussing little technical nits instead of the real concepts that are behind these things. So I figured … is there some way that I can actually reset the conversation or or… well the same time I was just starting to blog and I didn’t really know anything about it … which was a good thing… and I didn’t have anything to write about so I was going … you know… I wondered what would happen if I started this discussion in about. How we get a real … you know… a set of concepts that we can reuse so we don’t always have to go back to square one. And do that with the web… so… it was kind of … it was just a … sort of… experimental, trying to figure it out kind of thing.

Yeah and I guess a few people have noticed this now and so it started showing up in various conferences and slide decks and that sort of a thing right?

Yeah it’s really bizarre because first of all I was thinking that I’ll start a blog and then maybe a year from now or something people will start to read it.

Lots more where this came from…

What I really like about this is that podcasts become searchable within text engines.  So thanks, Ron.

Ontario Privacy Commissioner extends the Laws of Identity

Here is a post from the Toronto Globe and Mail's Jack Kapica on a development I'll be writing about over the next couple of days – the Ontario Privacy Commissioner's active support for those of us in the industry building an identity metasystem with “embedded” privacy.  This is a remarkable turn of events.

Dr. Cavoukian is one of the preeminent voices for privacy world-wide, and her early and active involvement will help ensure we technologists continue to go in the right direction.  I'll be podcasting her press conference and address to the International Association of Privacy Professionals (IAPP) Conference being held this week in Toronto, Canada.  She has also agreed to share the remarkable documents she and her colleagues have produced to tease out the privacy implications of the Laws of Identity.

Anne Cavoukian's work extends the conversation into a whole new milieu.  And what could be a more auspicious beginning than the vote of support from Jack Kapica, widely known and respected for his careful vetting of all things technological.

Ann Cavoukian, Ontario’s clear-eyed Information and Privacy Commissioner, is onto something very big after endorsing the Seven Laws of Identity, developed under an initiative headed by Microsoft, which she did at a press conference this morning. Using a form of Microsoft’s own strategy, she has embraced and extended those laws in a way that might change the Internet forever, and maybe even help stop spam.

The seven laws of identity were formulated through a global dialogue among security and privacy experts, headed by Kim Cameron, Microsoft’s Chief Identity Architect. With Cavoukian’s spin, they describe a system in which a set of digital identity cards would keep personal information distinct from information needed for verification.

And no, the seven laws are not Microsoft’s property — anyone can use them. But a form of them will ship with Microsoft’s Vista, its next version of Windows, due for release in January.

Cavoukian and Cameron hint that the system ought to provide the best defence against spam I’ve yet seen. The idea is that while on-line, users can control their personal information, minimize the amount of identifying data they reveal, minimize the links between different identities and actions and detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.

While Cavoukian’s proposal, called Seven Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, is primarily intended to protect privacy and make on-line commerce safer, it could also kill e-mail from those villains who sell snake oil and pump penny stocks by sending you e-mail from fraudulent return addresses.

Cavoukian was one of the first non-technologists to grasp the link between on-line identity management and privacy, and has a better understanding of technology than most people do. Kim Cameron, a former Torontonian who has been a personal friend for almost 30 years (he wrote the software that ran the original Globe and Mail books bestseller list), is another great visionary. The combination of the two should make an enormous impact on technology and commerce if the world takes notice.

With uncharacteristic overstatement, Cavoukian says that once a universal method to connect identity systems and ensure user privacy is developed, there will be an “Identity Big Bang.”

I wish them both the best of luck.

Reading Jack's piece I remember the old days we spent together – and how hard we worked to make sure the Bestseller List was scrupulously scientific and objective.  That's the kind of guy Jack is.  There's real honor there.

Via Rajesh, here is a list of links from MSDN that should help most people who want to find out more about CardSpace:

Introducing Windows CardSpace: This article introduces the set of new Windows capabilities called Windows CardSpace (formerly “InfoCard”), which provides a standards-based solution for working with and managing diverse digital identities.

A Deeper Look at Windows CardSpace: In this Security Briefs column, Keith Brown drills into Windows CardSpace (formerly “InfoCard”) and demonstrates how to create a relying party and a client.

Video: Windows CardSpace Explained: Ever wonder what Windows CardSpace (formerly “InfoCard”) is all about? Nigel Watling (Technical Evangelist) and Andy Harjanto (Program Manager) explain it in this Channel 9 video with a lot of time spent on the whiteboard.

Getting started with Windows CardSpace: Step by step instruction on how to build federated identity applications using Windows Communication Foundation and Windows CardSpace (formerly “InfoCard”). In addition, this new Federated Identity & Access Resource Kit for Sept 2005 CTP includes samples to build Security Token Services (STS). (Link currently broken – Kim)

Introduction to Information Cards and Internet Explorer 7.0 (in C#): This sample contains 4 exercises demonstrating how to use CardSpace to get a digital identity from a user via Internet Explorer, updated for RC1 and beyond. Included in this sample is the code to the TokenHelper class, which allows relying party websites to decrypt security tokens.

The Laws of Identity: Defining a set of fundamental principles to which any universally adopted, sustainable identity architecture must conform, the “Laws of Identity” were proposed, debated, and refined through an open and continuing dialogue on the Internet.

Microsoft's Vision for an Identity Metasystem: The Identity Metasystem is an interoperable architecture for digital identity that assumes people will have several digital identities based on multiple underlying technologies, implementations, and providers.

Channel 9 Interviews Kim Cameron: The folks from Channel 9 talk to Kim Cameron about identity.

The Identity Blog: Check out Kim Cameron's Identity Weblog where he discusses the Laws of Identity and other topics around Web services and identification.

A Guide to Integrating with Windows CardSpace v1.0: Learn how digital identities can be integrated into a user-centric identity framework, based on the concept of an Identity Metasystem, which promotes interoperability between identity providers and relying parties with the user in control.

A Technical Reference for Windows CardSpace v1.0 in Windows: A technical reference for the schema employed by and the mechanisms implemented in the Windows client Windows CardSpace (formerly “InfoCard”) system.

A Guide to Supporting Windows CardSpace v1.0 within Web Applications and Browsers: Learn about the web interfaces utilized by browsers and web applications that support the Identity Metasystem. The information in this document is not specific to any one browser or platform.

Seems we agree

I have to answer Kveton's response to my last posting just because he answered my answer as fast as I answered his! 

Kim: you’re officially the fastest person in the world at responding to blog posts … 🙂

Yes, could this be a problem you create when it gets too easy to log in?

But wait, Kveton continues:

I’ve always said I’m for interoperability … heck, I’ve made a living at it. Choice for the user is always a good thing.

My answer? You build interfaces and test them. You look at the numbers. You test phishing approaches on a wide assortment of people. You find out what works and doesn’t, and keep evolving the interface. If we take this as a starting point, we’ll all end up agreeing.   

The problem with redirection within the conventional browser is there is no way to know for sure where you’ve ended up – especially if you aren’t a network engineer.

I actually think we’re in agreement here; we both want to find the best experience for end-users and it’s going to require their involvement to make that happen. Just as InfoCard may not be the end-all-be-all, so too could be the same for OpenID. Either way, both move the ball forward and conversations are happening to make sure interoperability occurs.

There is wisdom in this. But if Kveton is against giving the InfoCard visual metaphor a try, then I don’t get it. It does nothing to undermine OpenID.

I’m all for trying InfoCard visual metaphor. I’m just trying to figure out how you drive adoption of such a different paradigm, hence my comments on iterative development and the OpenID process.

Those are all legitimate concerns.  I'm trying to do a lot in one go.  I realize it is “somewhat ambitious”.  But what have personal computers been about since the get-go?  Haven't they always seemed ambitious?

Meanwhile Pamela Dingle posted another comment to which I subscribe as well:

Heaven forbid we ever end up with only one solution anyways — how dead boring would that be?

I’m glad there is choice & competition in this area – it means that nothing is being shoved down anyone’s throat, and that the field is still open for further improvement. It also means that nobody is taking the direction for granted, which I think is a healthy thing. Not to mention, it makes identity conferences ever so much more exciting :)

Agreed.  And there's lots of room to keep innovating for a long time.

My friend Marc Canter

Marc Canter at Broadband Mechanics/People Aggregator really threw me for a loop today.

What can I say? He has a fantastic blog, that seems to be getting more and more concise.  And unlike most people who blog about their work, he has a “Marc Canter's friends” pane.  I'm pretty sure these are personal friends, not professional ones.  But just as a joke, I wrote, “I was hurt not to be listed as one of your friends. I guess I need to arrange some more seafood chowder?”

But be careful what you say to Marc Canter.  I don't know what happened – my words sent Marc into a long reminiscence.  I don't think I know anyone so full of positive energy – and he wears it close to the surface too – where it belongs.

I'm sure everyone knows that the things people give me credit for accomplishing are the product of lots of people pushing in the same direction, both inside Microsoft and out.  Marc is one of them, and I really value his friendship.  Here's what he wrote:

Somewhere along the way – I wrote up a list of friends – and I did not (apparently) include Kim Cameron’s name on the list.

First of all – I’m sure Kim understands – as I’ve made a lot of friends along the way – in my travels and dealings.  But most of these relationships are personal and not business oriented as well.  That fateful 1-2 punch is something both powerful and frightening.  Cause if you can influence someone to do the right thing AND he wants to do it anyway – well then you got a force of nature that can’t be stopped.

Over 2.5 years ago Kim came to us (me, Dick Hardt, Phil Windley, Doc and a few others) and told us of his dream.  A world where Microsoft would GIVE the world key technology to enable disparate Identity systems to inter-connect together.  A world where a theoretical backplane for Identity systems – would enable any and all to come along and play in the same park.

Needless to say this has been incredibly influential in my thinking since then.  I owe a debt of thanks to Kim for instilling in me the belief that this sort of idealistic world can exist in our future.

OpenID is perfect for this sort of world, as is the Liberty Alliance and Shibboleth.  It now looks like Yahoo’s BB Auth is also perfect for this sort of distributed federated world of tomorrow.  And needless to say Microsoft’s Infocards system is also perfect for this – and is baked into every copy of Vista.

Kim blogs at the Identity Blog and came up with the 7 Laws of Identity – which are a litmus for quality and honesty in the world of Identity.

The guy has an air of grace, humility and honesty to him.  After hearing him give his pitch I decided to give him the benefit of the doubt and support his efforts.  If indeed Microsoft could achieve all the things Kim claims they were gonna do, then indeed that would prove that Microsoft was changing and that we should support them in their attempts at inter-connecting all identity systems together.

So last month Kim goes and gets Microsoft to release 35 pieces of IP – “into the public domain” (well OK – it wasn’t the public domain – but they are “promising to never charge for it” – which is better than Google’s GData.)

He actually got it done. He did what he said he was gonna do!

So from where I’m sitting – my entire future and all of our futures – owes some debt of thanks to Kim.  He’s the fucking man!

So I just wanna shout out to my FRIEND Kim Cameron.  “Wassup homeboy?”

“Let’s go have some fine Istrian cucine when you’re here for Web 2.0.”

He really gets what I'm trying to do.

BBAuth and OpenID move identity forward

I read this piece by Scott Kveton and wanted to make it clear that my concerns about user experience when using protocols that redirect you from site to site to site were not meant to put down the positives that both those technologies represent.

I think BBAuth and OpenID both move identity forward.  Count me in as supporting that.

I'm just saying that I think we should co-operate to fix the redirection user experience, and replace it with something that is way less phishable.

Scott says:

Lots and lots and lots and lots of discussion going on regarding BBauth and OpenID 

Kim Cameron had an interesting post today concerning the interface issues with BBauth as well as OpenID:

My concerns really originate with the user interface issues. And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).

I appreciate Kim’s passion about InfoCards and the concept of a consistent user interface. I think it’s a fantastic idea. So let’s be pragmatic about it. We’re here today: no consistent user interface, lots of usernames and passwords and phishing is a huge problem. We want to get here: consistent user interface, one username and password and phishing becomes a thing of the past. Great. Where do we start? I don’t think InfoCard is the answer. Let me explain.

How do we know InfoCard provides a great interface for users? When I first saw and used an InfoCard it freaked me out. “What the heck is popping onto my screen?!” Talk about a paradigm shift. Answering the this-is-a-great-user-interface question is an iterative process. It takes time and lots and lots of user input.

My answer?  You build interfaces and test them.  You look at the numbers.  You test phishing approaches on a wide assortment of people.  You find out what works and doesn't, and keep evolving the interface.  If we take this as a starting point, we'll all end up agreeing.

The problem with redirection within the conventional browser is there is no way to know for sure where you've ended up – especially if you aren't a network engineer. 

The fact is we have no idea how users are going to use user-centric identity so how can we make assumptions about the user interface today that aren’t iterative?

But if this type of SSO were to become a massive success, that success would bring about its downfall. For it would then be worth attacking and very vulnerable at the same time.

If something like OpenID or BBAuth takes off, there won’t be a downfall. The platform will continue to evolve and get better. Is InfoCard the final and complete answer? We have no idea. The real question is which platform is best suited to constant evolution? Like Kim is a broken record about InfoCards (his words, not mine), I’m the same way about OpenID … 🙂 I believe OpenID is best suited to this kind of evolution.

Sorry – the redirection aspect of the incremental UI is still, in my view, vulnerable.  Nonetheless it's a step forward from where we are today.  I'm not arguing that InfoCard is the final word on anything.  I'm arguing that it helps you deal with multiple identity providers, eliminates “redirection attacks”, and prevents the evil site from being in control of the user experience.  Surely these can't be seen as bad things?  OpenID could take advantage of them by including support for that interface.

Kveton concludes:

OpenID is incremental by its nature. It’s not a quantum leap. It’s a URL. Users today are starting to think more and more in terms of URLs … just ask a MySpace or blog user (I have cold hard data on this one; my babysitter is a MySpace user). It’s iterative. We’re not trying to boil the ocean in the first go at this. We don’t know how users are going to use this thing. So let’s make the fewest number of assumptions for the users before we deliver something. Watch how they use it, find out what makes sense. Repeat.

A lot of users will be fine with URLs for their public personas.  But I fear they can still be phished during redirection.

Is BBauth, CardSpace or OpenID the end-all-be-all solution for single sign-on? Definitely not today. One thing is clear though; companies and users alike are seeing the value of user-centric identity and it’s slowly but surely happening; CardSpace, OpenID and BBauth are clear indications of this. This stuff doesn’t happen overnight but the ship is slowly turning in the right direction.

There is wisdom in this.  But if Kveton is against giving the InfoCard visual metaphor a try, then I don't get it.  It does nothing to undermine OpenID.


Hans gets more specific about Yahoo BBAuth

Several readers have asked me to comment on the recent post by Verisign's Hans Granqvist about “security problems in BBAuth”.  He writes:

I have had concerns about Yahoo!’s choice of security of BBAuth. Jeremy Zawodny responds to my posting to ydn-auth list:

“While I can’t comment on the choice of algorithm, I can say that some of the technology used in BBAuth was not developed solely for use with BBAuth.

Okay, fair enough.

But then he continues:

“In other words, we’re reusing some existing stuff that’s been tested in the field and proven to work well for our needs.”

Now, this doesn’t sound right. Not at all.

MD5 has been broken for a few years now. According to Ferguson’s and Schneier’s Practical Cryptography it’s possible to find MD5 collisions in 2**64 evaluations (using the birthday paradox). This was too easy in 2003, and it sure is not more difficult now.

Be that as it may. Perhaps these collisions are purely academic.

What’s worse is the lack of a proper HMAC. In Yahoo!’s BBAuth, the MAC is created by hash(text + key) where ‘+’ denotes string concatenation.

This simplistic way of building a pseudo HMAC scheme is not secure. Readers of Practical Cryptography may want to turn to section 7.5 for more information. In short, tacking the key on to the end leads to key recovery attacks that are much easier to execute than they should be.

What scares me is that this broken scheme apparently is used in plenty of other Yahoo! products. I would not be surprised if there are attackers trying to exploit this weakness at this very moment.

My advice to Yahoo! is to change this to a proper HMAC right now. Other identity protocols, like OpenID, manage to require HMAC-SHA1 or HMAC-SHA256. There are OpenID libraries for all major programming languages available, so it’s definitely not too hard to implement.

My thinking?

I believe that when it comes to security, it's better to use an algorithm that has been widely vetted (like HMAC-SHA256), and to avoid creating new ones unless you really need to – or have a long runway to test them on.  I also think protocols should use algorithm identifiers.  With security, it may become necessary to migrate to new algorithms when we least want to, without blowing all the downlevel clients out of the water. 

But despite my “high-minded principles”, if you look at the actual content of what Hans calls “text” in the BBAuth protocol, it looks to me like it is full of entropy (a good thing): although it contains some fixed information, it also contains a token, which is variable and not calculable by an eavesdropper; a timestamp, which makes long-running attacks impossible; and a shared secret, which makes multi-site catalog attacks impossible.  So this is not toy cryptography given Yahoo's purposes.  That isn't to say Hans doesn't make some good points.
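To make the two points above concrete, here is an added example (written for this page, not code from Yahoo!, BBAuth, Hans, or OpenID) that puts the hash(text + key) construction Hans describes beside what I am arguing for: a vetted HMAC, an explicit algorithm identifier carried with the tag so a relying party can retire one algorithm and accept another without cutting off older clients, a timestamp freshness check, and a constant-time comparison. The secret, the request path, the parameter names and the helper names (naive_mac, canonical_text, make_mac, verify_mac, sign_request, check_request) are all constructed for illustration and are not BBAuth's real values or wire format.

```python
import hashlib
import hmac

# Constructed placeholder; not a real BBAuth or Yahoo! secret.
SHARED_SECRET = b"constructed-example-secret"

# Vetted MAC algorithms, keyed by the identifier that travels with the tag.
# HMAC-SHA1 is present only so a verifier can keep accepting older clients
# during a migration; it is not in the default allowed set.
MAC_ALGORITHMS = {
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA1": hashlib.sha1,
}
DEFAULT_ALLOWED = frozenset({"HMAC-SHA256"})


def naive_mac(text: bytes, key: bytes) -> str:
    """The hash(text + key) construction described in the post, shown only
    for contrast: a bare MD5 over the message with the key appended.
    The functions below are the replacement for it."""
    return hashlib.md5(text + key).hexdigest()


def canonical_text(path: str, params: dict, ts: int) -> bytes:
    """Deterministic serialisation of what is being authenticated. Signer and
    verifier must produce byte-identical output, so parameters are sorted
    and the timestamp is folded into the authenticated text."""
    query = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return f"{path}?{query}&ts={ts}".encode()


def make_mac(text: bytes, key: bytes, alg: str = "HMAC-SHA256") -> str:
    """Return '<alg>:<hex tag>' so the verifier knows which MAC to recompute."""
    digest = hmac.new(key, text, MAC_ALGORITHMS[alg]).hexdigest()
    return f"{alg}:{digest}"


def verify_mac(text: bytes, key: bytes, tagged: str,
               allowed: frozenset = DEFAULT_ALLOWED) -> bool:
    """Recompute the tag under the algorithm named in the tag and compare in
    constant time. Unknown or disallowed identifiers are rejected outright."""
    alg, sep, tag = tagged.partition(":")
    if not sep or alg not in allowed or alg not in MAC_ALGORITHMS:
        return False
    expected = hmac.new(key, text, MAC_ALGORITHMS[alg]).hexdigest()
    return hmac.compare_digest(expected, tag)


def sign_request(path: str, params: dict, ts: int, key: bytes = SHARED_SECRET,
                 alg: str = "HMAC-SHA256") -> str:
    """Client side: tag the canonical form of the request."""
    return make_mac(canonical_text(path, params, ts), key, alg)


def check_request(path: str, params: dict, ts: int, tagged: str, now: int,
                  key: bytes = SHARED_SECRET, max_skew: int = 300,
                  allowed: frozenset = DEFAULT_ALLOWED) -> bool:
    """Server side: reject stale timestamps first (bounding replay of a
    captured request), then verify the tag over the same canonical text."""
    if abs(now - ts) > max_skew:
        return False
    return verify_mac(canonical_text(path, params, ts), key, tagged, allowed)


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    params = {"appid": "ExampleApp", "token": "constructed-token-value"}
    ts = 1_160_000_000
    tag = sign_request("/auth/fetch", params, ts)
    print("tag:     ", tag)
    print("valid:   ", check_request("/auth/fetch", params, ts, tag, now=ts + 10))
    print("tampered:", check_request("/auth/fetch", dict(params, token="other"), ts, tag, now=ts + 10))
    print("stale:   ", check_request("/auth/fetch", params, ts, tag, now=ts + 3600))
```

The algorithm identifier is what makes the migration story work: a verifier that today allows only HMAC-SHA256 can be configured to also accept HMAC-SHA1 tags from clients that have not upgraded yet, and later drop it again, without changing the wire format. The timestamp check and the token in the canonical text are the same entropy sources the paragraph above credits BBAuth with; what changes is that the key is mixed in by HMAC rather than by appending it to the hashed text.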

My concerns really originate with the user interface issues.  And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).

I'm talking about the fact that users are redirected from one context to another quite different one.  We have found that systems that work this way introduce a lot of “noise” – let's call it ambiguity – into the channel between the system and the user. 

The user can be confused – by accident or, worse, on purpose. 

It's the “I'm-buying-a movie-from-someone-but-now-I'm-at-Yahoo-and-now-I'm-not” problem.  In the midst of the redirections, the user can potentially be redirected to a wolf-in-sheep's-clothing, who can relieve her of her secrets and employ them for other purposes. 

Suppose that Google and MSN and AOL and eBay all do the same thing as Yahoo.  Then things would get really confusing for the user, wouldn't they?  As she visits different sites she would find herself redirected to a bunch of different home pages…  MSN here, AOL there, and who knows what else.  This kind of redirection is just not good from the point of view of users being certain about what's happening.  It's similar to getting a URL in an email.  This is one of the main reasons I think that a strong, consistent visual experience like InfoCards is key to building something safe, and why I want to see all of this converge.  But of course, everyone knows I'm like a broken record on this.

Some of my concerns may not matter much when it comes to controlling access to your photos.  But if this type of SSO were to become a massive success, that success would bring about its downfall.  For it would then be worth attacking and very vulnerable at the same time.  That's why I think it is best to combine it with the type of experiential system I've been talking about before any of these problems arise.