Six Major Identity & Privacy Trends To Watch

According to Gartner, six major trends will drive identity and access management (IAM) and privacy in 2012.  Businesses will need to increase their focus on projects in that space that can achieve quick value and deliver real benefits to the business.

Organizational boundaries continue to erode due to M&As, converging environments, and outsourcing complexities, and IT’s control continues to weaken as mobile devices and cloud services proliferate.  Identity management is becoming more important than ever.

Six IAM Trends:

  • Tactical identity: The scope and budgets for identity management projects will remain constrained.  A major cause of failure for these projects has been an overly broad scope combined with a lack of focus on business value.
  • Identity assurance: Demands for stronger authentication and more mature practices will intensify.  Organizations need to know who they are trusting, why, and for what.
  • Authorization: Authorization requirements will grow more complex and urgent in response to regulatory pressure and more complex IT and business environments.  The real magic of IAM lies in authorizing access and in creating the logs used to hold people accountable for their actions.  Authorization and enforcement of access control policies are less mature than other processes in many organizations.
  • The identity bridge: Identity management must span the chasm between organizations. A new architectural component will be needed to manage identity information flows between cooperating companies.
  • The sea of ID tokens: Identity information frequently has to be adapted by each domain that receives it before being passed on to downstream domains.  Identity information is transmitted via tokens, which may be carried in protocol headers or in protocol payloads.
  • Policy battles: Concerns over identity theft and privacy are alarming the public and having a serious impact on operations.  The business community, privacy lobby, law enforcement and national security communities will continue to wrangle over laws and regulations, which will keep driving changes in the identity infrastructure.

As usual, Gartner is right on the money.  Read the entire article for the details.

Toronto Law Firms Targeted

Here is a lesson to us all about the global reach and intent of internet hackers who have an interest in the information assets we hold on our own behalf or on behalf of clients.  China-based hackers recently homed in on the offices of Toronto’s Bay Street law firms handling a $40 billion acquisition of the world’s largest potash producer by an Australian mining giant.  Bloomberg has a great article with all of the details, and outlines discussions undertaken by a group of law firms that got together recently to strategize protective and detective techniques.

The hackers in the Toronto case penetrated and combed through one computer network after another, hitting seven different law firms as well as Canada’s Finance Ministry and Treasury Board, seeking to gather detailed intelligence and potentially undermine the deal.  A law firm involved in the deal detected intrusion indicators, including spoofed emails, malicious websites, and network disruptions.  Investigators found spyware designed to capture confidential documents, compiled on a Chinese-language keyboard, and found that servers in China were used in the attack.

The investigation linked the intrusions to a Chinese effort to kill the developing acquisition.  Stolen data of this nature can be worth tens of millions of dollars to those involved on either side of the bargaining table, and gives the possessor an unfair advantage in negotiations.  The deal eventually fell apart when the Canadian government declared it wasn’t in the nation’s interest, but the incident highlights the vulnerability of law firm information resources in particular, and the threat of loss of client trust and future business.

Google Won’t Remove CounterClank Apps

Google will not remove the 13 apps reported by Symantec containing “software development tools” that enable the theft of data, because they do not violate Google’s terms of service.  Lookout Mobile Security said in a blog post Friday that it doesn’t consider the applications malware, but that they do appear to be an “aggressive form” of an ad networking scheme and should be taken seriously.  I would agree with that assessment, simply because it is a new spin on an old tactic; however, I would still consider this malware, much as spyware was once considered in a similar light.  It has proven to be a real problem with real impacts, and has been used in a multitude of nefarious endeavors.

See this SC Magazine article for more coverage and details.

Important SolarWinds & HP Vulnerabilities

Digital Defense has disclosed two vulnerabilities in some pretty popular and common products that customers and colleagues may want to be aware of.  I would recommend assessing the relevance of these disclosures to your environments, and taking mitigating action where appropriate.  Consider the potential of insider as well as external attack.  The information and access that either of these two vulnerabilities offers is just too yummy for a malicious or driven attacker to pass up.

1) SolarWinds Storage Manager Server SQL Injection Authentication Bypass

Severity:  High

Vulnerability Description:  The ‘LoginServlet’ page on port 9000 of the SolarWinds Storage Manager Server is vulnerable to a SQL injection within the ‘loginName’ field.  An attacker can leverage this flaw to bypass authentication to the Storage Manager application or to execute arbitrary SQL commands and extract sensitive information from the backend database using standard SQL exploitation techniques.  Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.

SolarWinds has not yet provided a patch to address the issue. Digital Defense, Inc. recommends restricting access to the affected port until an update has been produced by the vendor.
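To make the flaw class concrete, here is an added, self-contained example (not SolarWinds code, and not the actual LoginServlet query, which the advisory does not publish) of a login check that builds its SQL by string concatenation, beside the parameterized form that closes the hole.  The user table, credentials and payload strings are constructed for the demonstration; the payloads show the two outcomes the advisory describes, an authentication bypass and extraction of data from another row, against the vulnerable function only.

```python
import sqlite3

# Constructed sample data for the demo; plaintext passwords are used only to
# keep the example short, not as a recommendation.
SAMPLE_USERS = [
    ("admin", "s3cret-admin", "administrator"),
    ("operator", "s3cret-op", "operator"),
]


def make_db():
    """Build an in-memory user table (constructed, not a product schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login_name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, login_name, password):
    """Vulnerable: untrusted input is spliced into the SQL text.

    Returns (login_name, role) for the first matching row, or None.
    """
    sql = (
        "SELECT login_name, role FROM users WHERE login_name = '"
        + login_name
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, login_name, password):
    """Hardened: bound parameters keep the input out of the SQL grammar."""
    sql = "SELECT login_name, role FROM users WHERE login_name = ? AND password = ?"
    return conn.execute(sql, (login_name, password)).fetchone()


# Payloads used in the demo (constructed, illustrating the flaw class).
BYPASS_PAYLOAD = "admin'--"            # comments out the password clause
UNION_PAYLOAD = (                      # pulls another column into the result
    "' UNION SELECT password, role FROM users WHERE login_name='admin'--"
)


def demo():
    """Run both functions against the same payloads and return the outcomes."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        "vuln_extract": login_vulnerable(conn, UNION_PAYLOAD, "wrong"),
        "fixed_bypass": login_fixed(conn, BYPASS_PAYLOAD, "wrong"),
        "fixed_legit": login_fixed(conn, "admin", "s3cret-admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The comment sequence `--` ends the statement early, so the password is never compared; the UNION variant returns the admin password in place of a login name, which is the "extract sensitive information" outcome.  Parameterization leaves both payloads as inert string values, and the legitimate credentials still authenticate.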

2) HP JetDirect Device Page Directory Traversal (CVE-2011-4785)

Severity:  High

Vulnerability Description:  The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read-only access to directories and files outside of the web root.  An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, and so on.  Information obtained from an affected host may facilitate further attacks against the host.  Exploitation of this flaw is trivial using common web server directory traversal techniques.

Known Affected:

  • HP LaserJet 4650
  • HP LaserJet P3015
  • HP LaserJet 2430

At this time, HP has been notified of the vulnerability and has released a patch which addresses the issue for HP LaserJet P3015.
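Directory traversal of the kind described above comes down to how a web server maps a request path onto the filesystem.  The following is an added example, not HP code and not the specific request the JetDirect flaw uses (the advisory does not give one): a naive path resolver that simply appends the request path to the web root, beside a confined resolver that decodes percent-encoding, rejects NUL and backslash, normalizes, and then checks that the result still lies under the root.  The web root and request paths are constructed, and the functions operate on strings only, so no files are touched.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the demo; not the printer's real layout.
WEB_ROOT = "/srv/www"


def resolve_naive(url_path):
    """Vulnerable: decode, append to the root, normalize. No containment check,
    so '..' segments walk out of WEB_ROOT."""
    return posixpath.normpath(WEB_ROOT + "/" + unquote(url_path))


def resolve_confined(url_path):
    """Hardened: return the filesystem path for url_path, or None if it would
    leave WEB_ROOT."""
    # 1. Decode percent-encoding until stable (catches %252e%252e double
    #    encoding); give up if it is still changing after a few rounds.
    decoded = url_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None
    # 2. Reject NUL (string truncation in C-based servers) and backslash
    #    (treated as a separator on some platforms).
    if "\x00" in decoded or "\\" in decoded:
        return None
    # 3. Join under the root, collapse '.' and '..', and require that the
    #    result is the root itself or something strictly inside it.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# Constructed request paths: the first three are benign, the rest are the
# common traversal encodings.
SAMPLE_REQUESTS = [
    "/",
    "/index.html",
    "/docs/./manual.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/static/..%2f..%2fetc/passwd",
    "/image%00.png",
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {request: (naive_result, confined_result)} for each request."""
    return {r: (resolve_naive(r), resolve_confined(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, confined) in compare().items():
        print(f"{req!r:40} naive={naive!r:28} confined={confined!r}")
```

The naive resolver happily returns `/etc/passwd` for the plain, single-encoded and double-encoded forms, which is exactly the read-only access outside the web root that the advisory describes; the confined resolver returns None for every traversal attempt while still serving the benign paths.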