The recent breach suffered by Buffer demonstrated the security value of a client app, in this case the Buffer servers, not storing the user credentials for a service like Twitter. Think how much worse it could have been - OAuth saves the day!
John Bradley: OAuth Protects Users in Compromise of Social Site Buffer I want to reiterate that given the security lapses it is good Buffer was using OAuth and not storing passwords for Facebook and Twitter. The tokens were revoked in the Twitter case and the client secret changed (and used) in the Facebook case to remedy the situation with much less user impact than there might have been. [Correction: I incorrectly attributed this to David Berlind, when in reality it was Ping's own John Bradley. My apologies to both.]
David Berlind has a blog entry about the breach itself listed in the articles that follow.
Phil Hunt: Standards Corner: OAuth WG Client Registration Problem But what happens when the API is for an open source project where there may be 1000s of deployed copies of the API (e.g. such as WordPress). In these cases, the authors of the API are not the people running the API. In these scenarios, how does the developer obtain a client_id?
Tim Bray: Security in Internet Protocols I'm starting with a report from something called the Apps Area Working Group. Monday's meeting took a very useful, methodical walk-through of the state of the security/encryption art in each of the major application Internet protocols.
Tim Bray: HTTP Encryption Live-blog The IETF HTTP Working Group is in a special place right now. It held a meeting this morning at IETF 88 on encryption and privacy; the room was packed and, just possibly, needles that matter were moved.
Dave Kearns: BYOI Revisited Some time ago, in the wake of Wired journalist Mat Honan's story of his account compromise ("How Apple and Amazon Security Flaws Led to My Epic Hacking"), I wrote about BYOI - Bring Your Own Identity - and how "In the enterprise, there's even less reason to support today's BYOI." Some time before that, my colleague Martin Kuppinger had also addressed this issue ("Bring Your Own Identity? Yes. And No"), dismissing the BYOI idea as simply a small piece of a much larger system. But I think we need to re-address this issue.
John Fontana: Identity claiming spot in digital economy Identity is shaping up as a convergence point in the digital economy and a central focus in the future of technology, economics, politics and law, according to Ray Wang, co-founder of Constellation Research and the opening speaker at this year's Defrag Conference.
David Schnacht, Identropy: When it Comes to Roles, KISS* In fact, in my experience successful Access Governance implementations need not be excessively complicated in order to succeed. In fact, the more conceptually complicated the proposed solution, the more likely it is that the implementation will not be successful. Additionally, even if the solution does 'go live', the end users won't understand it and the business-buy-in won't be there to maintain it.
Mark Diodati: Five Things You Gotta Know About Modern Identity This presentation talks about five things you need to know about modern identity. Modern identity supports the new world built on device-independent, location-anywhere access. New-school provisioning and authentication are required. Its protocols are increasingly built upon frameworks like REST and JSON; examples include SCIM, OAuth, OpenID Connect and FIDO. It leverages IDaaS and identity bridges to manage users and applications across the hybrid cloud.
What is a malicious insider? Also, according to the CERT Insider Threat Center, the employees that pose the greatest risk for insider threat/theft include:
Tim Bray: Nifty refresh-token trick What happened was, HR wanted to set up a partner to offer benefits for active Googlers only, and thus we discovered an OAuth 2-based trick that I bet will work in lots of other situations, too.
Smartphone cameras can give away PIN codes, researchers warn Researchers at the University of Cambridge have demonstrated an attack that can reveal the PIN codes for sensitive apps, such as those for banking, by tapping into the device's microphone and camera. [Mobile biometrics as the anti-security feature!]
Dave Birch: The internet of things needs some thinking through There was a story in the British newspapers recently about an Italian criminal family (literally, a father and son) who were arrested for selling fake Romanée-Conti wine (a Burgundy that is one of the most expensive in the world at £14,000 a bottle). The police say that the fake labels applied to the bottles of plonk were "near perfect". Aha. My eyes pricked up at this. A genuine problem, for which there may be a technological solution that some of our clients could benefit from supplying.
Berk Veral, RSA: The Digital Construct #NCAM The internet-of-things enters our lives and silently the virtual world infiltrates our physical world via our appliances. Remember the 1990s, the era of crude websites and dial-up modems? It was an exciting time as many of us were exploring the new world: the internet, the new digital construct. It was exciting, full of potential, and almost limitless in many ways, and the borders between our actual world and the new one felt very well defined. Now fast forward a couple of decades, and think of the now-common digital components in our daily lives (smartphones, smart meters, social media platforms) and the soon-to-be common components (digital currency, smart watches, smart eyeglasses).
Leif Bildoy, Layer 7: Thoughts on Trends in IoT & Mobile Security Recently, I read an article about predicted growth in the Internet of Things (IoT). Extrapolating a previous estimation from Cisco, Morgan Stanley is predicting there will be 75 billion connected devices by 2020. This sort of math exercise is entertaining and has a real "wow" factor but the real question here is: What does this mean for consumers and enterprises?
Phil Windley: Persistent Compute Objects and the Fabric of Cyberspace Persistent Compute Objects, or picos, give rise to a new way to build internet-based applications to separate app and user data. Users control their own picos and thus the data and processing on them. This presentation describes what picos are, the new programming model they support, and shows Fuse, a sample application built using this new model.
Andrew Tarantola, Gizmodo: How to Erase Yourself From the Internet If your growing weariness of being constantly tethered to the internet has become overwhelming, it might be time to scrub yourself from the social media sphere altogether. Here's how you can become a ghost on the Internet, by tracking down and eliminating your digital past.
Bruce Schneier: Power in the Age of the Feudal Internet We're in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations.
Mark Dixon: Protect Privacy to Build Trust in the Age of Context My recent post about the book, "Age of Context: Mobile, Sensors, Data and the Future of Privacy," by Robert Scoble and Shel Israel, began to explore the benefits that might accrue from converging technologies of the "perfect storm" of mobile devices, social media, big data, sensors and location-based services. But what effect will this have on personal privacy?
Stephen Wilson: Measuring anonymity As we head towards 2014, de-identification of personal data sets is going to be a hot issue. I saw several things at last week's Constellation Connected Enterprise conference (CCE) that will make sure of this!
Jeremy Grant, NSTIC: Interim Identity Ecosystem: "Are we there yet?" We believe that ongoing discussions of the Identity Ecosystem and its Framework, interim or not, should be firmly grounded in the guiding principles. We also note that, despite the many rich debates within the IDESG since its inception a little over a year ago, no one has taken a position that the guiding principles were, well...misguided.
Identity Woman: Interesting events in 2013 This is a calendar of events that I know of in 2013 (and beyond). I think they're interesting. I'm currently planning on attending all the events in BLACK, and I'm helping co-organize all the events with RED headlines. Some events will change from interesting to attending as they approach.
InCommon: CAMP Cloud: Identity and Access in an Era of Outsourced Services Nov. 14-15, 2013 - San Jose, CA. Part of the 2013 Identity Week (www.incommon.org/idweek) Are your campus stakeholders looking at cloud-based solutions? Are you experiencing challenges or do you have concerns with outsourcing email, storage, or other essential services? Are you concerned about the management and maintenance of an accurate, accountable identity inventory?
Gartner Identity & Access Management Summit 18 - 20 Nov. 2013 | Los Angeles, CA. Gartner Identity & Access Management Summit 2013 shows you how to develop your IAM strategy while advising on tactical IAM issues, challenges by BYOD or SaaS adoption, integration of social platforms, and more.
KuppingerCole Information Risk & Security Summit 2014 Nov. 27-28, 2013, Frankfurt, Germany The Information Risk & Security Summit at the Frankfurter Innovationszentrum FIZ Conference Lab, offers an unseen combination of thought leadership and interactive session formats, tackling the most demanding questions IT professionals are confronted with: How to support the extended & connected enterprise with brilliant services without taking too many big risks.
ThingMonk Dec 3, 2013; Shoreditch Works Village Hall, London The event will bridge Web Startup Internet of Things communities with their peers in the Industrial Internet/Machine to Machine space. We will bring elite developers and practitioners together, fostering cross-sector collaboration.
Cloud Security Alliance Congress Dec. 4-5, The Rosen Centre Hotel, Orlando, FL The CSA Congress is the industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security.