September 11th, 2007
My son is a level 70 mage, and I couldn’t be prouder. If that sentence makes no sense, you obviously do not play World of Warcraft. I just started reading Exploiting Online Games, co-authored by my friend Gary McGraw, and I highly recommend you check it out. I just finished chapter 4 and it has already been worth the price of admission. WoW, Second Life, online gambling, et al., are a preview of how we will be interacting with software and the Internet in the future, and we had better figure out how to secure it. The book is filled with some wonderful examples and sobering Catch-22s regarding the vulnerabilities of the MMORPGs. Now if I could only get my avatar to write this blog without me…
Posted in Just Thumbed In
September 11th, 2007
By Jim Reavis
(Editor’s note: This blog entry was originally posted to The Entitlement Management Blog at www.entitlementblog.com. If you are interested in XACML and, more generally, in understanding how we can deploy enterprise applications with more sophisticated and granular security controls, please go to The Entitlement Management Blog to learn and contribute.)
Without a doubt, the best part of my job as a security wonk is listening to the war stories. Hearing how one bright but flawed person subverted several layers of security controls and stole information, and usually money, is very instructive. Understanding the security gaps that were exploited, how the forensics investigators cracked the case, and the resulting control changes is like getting thousands of dollars of free consulting for the price of a single tall latte. You also sometimes can’t help but admire the ingenuity of a single person who succeeded against a Fortune 500 corporation’s security system, but then I wake up and remember that it could have been my data (and in some cases, probably was). There are many different lessons to be learned from these incidents, but one thing I can definitely say is that depending on your business application to protect you from a fraudster is foolhardy, and hard-coding entitlements into the application is a bad idea.
What follows is one of those war stories. It is true; names and minor details were changed to protect the embarrassed. A large consumer products company (let’s call them BigCo) offers rebates on a regular basis as a sales incentive. I can hear many of your teeth gnashing already. Rebates lower the price of that gizmo so that it fits your budget, but the DNA sample and book report you have to submit are definitely a disincentive to claim it. Even when you do submit the forms, you might forget about it and throw away the check with the rest of the junk mail. As a result, billions of dollars in rebates go unclaimed every year.
Posted in Articles
September 11th, 2007
By Jim Reavis
Ok, summer vacation was great and I was really goofing off, but RB has been neglected and I have a lot to catch up on. I have a lot in my inbox that I am processing about BlackHat. It was still too crowded, but they fixed the registration problems, so at least I didn’t miss any sessions this year.
I wanted to post a quick one about the one session that is having the biggest impact on me. Jon Callas at PGP organized a session called Traffic Analysis: The Most Powerful and Least Understood Attack Method. Jon assembled a team of experts from industry and academia who basically said that we don’t need to read your files; we can count packets, measure gaps, analyze the traffic patterns and tell you what is in your files anyway. Ok, that is a gross simplification, but the mathematics of traffic analysis is real, and the amount of information that can be gleaned through inference is breathtaking. From voice fingerprinting and cracking SSH passwords to identifying redacted text and anonymous Internet postings, the applications of this technology are mind boggling.
Traffic analysis is clearly something that can be used for good and evil, and intensive research into the topic is needed (hopefully by the good guys). I believe that traffic analysis holds great potential for shedding light on my white whale, click fraud (no, I am not off this topic; it is a big problem, and unfortunately everyone is making money off it and does not want to “solve” it). This year’s presentation was very primordial; I look forward to seeing how much we have learned next year. Thanks, Jon, for putting this together. Articles about the presentation:
Dark Reading
PC World
Posted in Articles