Security Quest #4: OpenID and Weekly Update

Back in Security Quest #2 I talked about the PayPal Security Key. The PayPal Security Key can also be registered and used with OpenID through Verisign’s Personal Identity Provider (PIP) program.

OpenID is a URL that serves as an identifier to establish your identity, although it doesn’t establish trust. OpenID is still in its infancy and there aren’t many sites I use (read that as none, at least none that promote it) that support OpenID. Still, it’s interesting to think about where OpenID fits into the authentication scheme.

Some of the benefits of OpenID:

  1. Can easily maintain multiple online personas (IDs). For example, one for forums, one for blogs you author, etc…
  2. Makes online IDs easier to manage
  3. Can be more secure if properly managed. You can have multiple OpenIDs for different levels of security. It’s also easier to change one OpenID password regularly than to change the passwords on many separate online accounts.
  4. It’s decentralized with multiple providers.

There are some potential drawbacks:

  1. OpenID relies on the web browser, so it’s only as secure as your browser and your surfing habits. OpenID is based on redirection, so there’s a risk of phishing: a malicious site can redirect you to a fake provider login page instead of your real provider. Check the URL you are redirected to, make sure it belongs to your provider, and be sure it’s using https. Verisign has also put out a Firefox add-on called Seatbelt which helps to manage and protect OpenID logins. Still, by its nature, the loss of a single OpenID password would allow access to multiple accounts.
  2. OpenID is a potential privacy concern. Your OpenID provider knows what sites you visit and use. But so do Google and Yahoo.
  3. OpenID is still confusing and support is limited. A figure of 5,000 sites is tossed about. But a look at the OpenID page makes it apparent a typical user isn’t going to wade through all that.

OpenID’s place in my world

OpenID supports delegation, so I can use my own website URL as my OpenID (an OpenID is just a URL). So my first step will be to set up my site to do this. This makes it easier to change OpenID providers if I want to. It’s also a much shorter URL than the one Verisign provides.
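Delegation works by putting `<link>` tags in the `<head>` of the page at your own URL that name your provider and the identifier the provider knows you by; a relying party fetches your URL, reads those tags, and redirects you to the provider. The script below is an added example (not code from the original post, and not from any OpenID library) that does that discovery step for both the OpenID 1.1 tags (`openid.server` / `openid.delegate`) and the OpenID 2.0 tags (`openid2.provider` / `openid2.local_id`), and then applies the check from the drawbacks list above: refuse to redirect to a provider endpoint that isn’t https. The sample page and the `pip.example.net` hostnames are constructed placeholders, not a real provider.

```python
"""OpenID delegation discovery, as a relying party would perform it.

Added illustration. The HTML below is a constructed stand-in for the
<head> of the page at the user's own URL; the hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a home page that delegates to a hypothetical provider.
SAMPLE_HOME_PAGE = """<html><head>
<title>My site</title>
<link rel="openid.server" href="https://pip.example.net/server">
<link rel="openid.delegate" href="https://alice.pip.example.net/">
<link rel="openid2.provider" href="https://pip.example.net/server">
<link rel="openid2.local_id" href="https://alice.pip.example.net/">
</head><body>hello</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects rel -> href for every <link> tag; first occurrence wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        # rel may hold several space-separated tokens; record each one.
        for rel in (attrs.get("rel") or "").lower().split():
            if href and rel not in self.links:
                self.links[rel] = href


def discover(claimed_id, html):
    """Return the provider endpoint and the identifier to send to it.

    claimed_id is the URL the user typed (their own site). The provider is
    asked about local_id (the delegate); the relying party remembers the
    mapping back to claimed_id. Returns None if the page does not delegate.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:          # OpenID 2.0 tags take precedence
        endpoint = links["openid2.provider"]
        local_id = links.get("openid2.local_id", claimed_id)
        version = 2
    elif "openid.server" in links:           # fall back to OpenID 1.1 tags
        endpoint = links["openid.server"]
        local_id = links.get("openid.delegate", claimed_id)
        version = 1
    else:
        return None
    return {"claimed_id": claimed_id, "endpoint": endpoint,
            "local_id": local_id, "version": version}


def endpoint_is_https(endpoint):
    """The redirect target must be https before the user is sent to it."""
    return urlsplit(endpoint).scheme == "https"


if __name__ == "__main__":
    info = discover("https://example.com/", SAMPLE_HOME_PAGE)
    print(info)
    print("safe to redirect:", endpoint_is_https(info["endpoint"]))
```

A relying party that skips the https check hands the user's provider password to whoever can tamper with the redirect, which is exactly the phishing risk noted above; a provider that only answers over https removes that particular hole, but the user still has to confirm the hostname on the login page is really the provider's.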

I’ll start looking for OpenID support at the various sites I use. I’m not going to use it for any sites I really want to be secure (online banking and similar sites). I already use unique IDs and passwords for them. But I’ll start using it for other sites when it’s available.

Additional Info

There’s a 50-minute video of Simon Willison’s OpenID presentation at Google available on Google Video.

Vulnerabilities

There was news of a vulnerability in Gmail, although the hole has now been plugged. Check your filters if you use Gmail.

Security Software

Spyware Terminator (freeware) has been updated to version 2.0.1.224.

Lavasoft Ad-Aware (freeware) has been updated to version 7.0.2.3.

News & Information

Tech.Blorge reports on Carnegie Mellon University developing a game to teach web users how to recognize phishing.

TUAW brings some links with information about running a Mac on an untrusted network.

There’s a company out there that’s asking ISPs to provide click-stream and personal data (like location) so they can target ads to you. AlarmClock has the details, along with TechDirt.

Spammer collecting e-mail addresses or file conversion service? Their current privacy policy would mean it really is a file conversion service. But would spammers lie? Here’s the link.

Security Quest #2: PayPal Security Key & Weekly Update

PayPal is piloting a new feature that more financial institutions should consider and every PayPal client should use. They are making Verisign security key fobs available to PayPal users for a nominal cost of $5 each. The cost includes shipping.

The key fob generates a new six-digit one-time code every thirty seconds. You enter this, along with your password, when signing on to PayPal. Even if someone gets your password they cannot access the account without the key fob (well, there is an exception, covered below).

PayPal’s Security Key FAQ sums up its benefits:

Because it gives you an extra layer of security when you log in to your PayPal or eBay account. Most websites keep your online account safe by only asking for your user name and password to verify your identity. The PayPal Security Key gives you an additional security code that only you know about. That makes your account more resistant to intrusion. Plus, the Security Key’s easy to use.

PayPal does allow access if you lose the key or it breaks. The FAQ states they’ll ask you to confirm account ownership. After entering your password you’ll be asked to verify account information (by providing the full account numbers) or to answer your security questions. This method can be used to access your account when you don’t have your security key, or to deactivate the key if it’s lost or broken. This fallback is the exception mentioned above: someone who has your password and also knows your account numbers or the answers to your security questions can still get in without the key.

Since PayPal is owned by eBay it’s no surprise that the key can also be used with eBay. While key fobs are a great security idea, one key fob per account isn’t feasible. The key fob is issued by Verisign and can be used with their Personal Identity Provider (PIP) service, which is in beta. PIP is OpenID enabled and can be used at sites that support OpenID.

For information about the PayPal security key, log on to your PayPal account and go to http://www.paypal.com/securitykey.

Security Updates

Firefox 2.0.0.7 has been released. The only patch in the update fixes a critical security vulnerability in the handling of QuickTime media files. The vulnerability bulletin only mentions Windows as an affected OS, but the update is for all platforms. The update is being pushed through Firefox’s built-in updater and is also available for direct download.

Security Software

AVG Antivirus Free Edition has been upgraded to version 7.5.487.

Security News, Information & Discussion

The Unofficial Apple Weblog has a good article on using the OS X keychain application to store and locate passwords.

Ars Technica, among others, is reporting that spammers seem to be turning their botnets against anti-spam sites. Speculation is the attacks are from those controlling the Storm worm botnets although it may be customers paying for the attacks.

The Washington Post Security Fix blog is reporting that the RightMedia ad network was serving banner ads carrying trojans. RightMedia has banned the ads, which were served on Photobucket, MySpace and others. RightMedia was recently purchased by Yahoo.

The Spyware Guide has an update on spammers using Skype for a rogue anti-spyware scam.

There were a couple of recent articles about managing spam comments in WordPress blogs:

  • Internet Duct Tape talks about using Akismet Auntie Spam, a Greasemonkey script for Firefox, to manage spam in WordPress.

TD Ameritrade issued a press release concerning an internal audit of their systems. They were investigating stock-related spam and found “unauthorized code” in their systems which has now been removed. They say only contact information was stolen. Ameritrade customers might want to think about new email addresses – and a new broker.

Media Defender, an anti-P2P company, made news recently after over 700MB of their emails were made public. The emails directly contradicted the company’s public statements about the questionable tactics the company was accused of using. Media Defender employee Jay Mars forwarded all his company email to a Gmail account, and that Gmail account was the conduit through which the emails were obtained. The lesson here is that no matter how secure a company tries to make its systems, employee actions are always the weakest link.