Using Facebook or Google as a repository for single sign-on IS problematic, but 
I don't think single sign-on itself is as big of a problem.

The bigger issue of using some well-known entity is the quantity of credentials 
stored there. When a billion people all use the same service to hold all their 
credentials, that service becomes a huge target. But if there were a billion 
ID providers, each holding one user's credentials, attacks would be much less 
valuable.

I think there's a middle ground in there somewhere, but I also think we're kind 
of there right now. Many people use the same email address to receive forgotten 
password resets. If someone were to obtain the credentials to that account, 
they would in effect have access to all the credentials.

I would suggest that this hasn't become a problem yet because those email 
providers are so diverse. However, if we reach the point where most people use 
one or a few providers as either a forgotten-password email OR as an SSO 
provider, we run the risk of widespread identity theft.

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, April 27, 2011 9:33 AM
To: NT System Admin Issues
Subject: RE: Massive Databreach of Sony Playstation Database,

IAM: nice idea, but think: when I can trick the user out of their credentials 
(social engineering, malware, keylogger), then I have 10X more access to systems 
on the target network than I would have had before in a non-IAM type of 
environment. So how is this a net positive?

I just don't see strong authentication (two-factor) in the initial 
authentication mechanisms of SSO/IAM implementations that could help with this, 
therefore can you really trust a person/entity is who they claim to be just by 
a username and password? (Nope)

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Rod Trent [mailto:[email protected]]
Sent: Wednesday, April 27, 2011 9:27 AM
To: NT System Admin Issues
Subject: RE: Massive Databreach of Sony Playstation Database,

Facebook rules the day already when it comes to single sign-on.  They have 
quietly taken the lead on that.

From: James Rankin [mailto:[email protected]]
Sent: Wednesday, April 27, 2011 9:24 AM
To: NT System Admin Issues
Subject: Re: Massive Databreach of Sony Playstation Database,

I think these sort of things will power a drive towards more centralised 
identity management in general. At the moment, it is nothing but a risk to 
store a username and password and possibly financial data on hundreds of 
different websites with differing levels of security. Even for the intelligent, 
managing these vast arrays of logins and data presents a challenge which can 
often only be managed by third-party software.

I wouldn't be surprised to see the likes of Google and Facebook trying to move 
in on this - using your login for Google, for example, to log on to myriad 
different websites, therefore only worrying about whether Google gets hacked or 
not. Although I also see a move towards more federated ways of accessing 
different systems coming out from the likes of Citrix and VMware as well, I 
think things like OpenCloud and Project Horizon also have started to encompass 
some form of identity management.

On 27 April 2011 14:19, Ziots, Edward <[email protected]> wrote:
More food for thought: I am sure that other devices (Wii, Xbox, etc.) could 
also be exploitable; it underlies a bigger problem with database security in 
general.

If you have provided information from your PlayStation to Sony to download 
content, you might want to be watching your credit card information and other 
accounts very carefully, since your information is probably in the possession 
of unauthorized parties at the moment.


http://www.ibtimes.com/articles/138557/20110427/sony-playstation-suffers-massive-data-breach-criticized.htm

Sincerely,
EZ

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin



--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) 
named above and may contain information that is confidential, privileged or 
unsuitable for overly sensitive persons with low self-esteem, no sense of 
humour or irrational religious beliefs. If you are not the intended recipient, 
any dissemination, distribution or copying of this email is not authorised 
(either explicitly or implicitly) and constitutes an irritating social faux pas.

Unless the word absquatulation has been used in its correct context somewhere 
other than in this warning, it does not have any legal or no grammatical use 
and may be ignored. No animals were harmed in the transmission of this email, 
although the kelpie next door is living on borrowed time, let me tell you. 
Those of you with an overwhelming fear of the unknown will be gratified to 
learn that there is no hidden message revealed by reading this warning 
backwards, so just ignore that Alert Notice from Microsoft.

However, by pouring a complete circle of salt around yourself and your computer 
you can ensure that no harm befalls you and your pets. If you have received 
this email in error, please add some nutmeg and egg whites, whisk and place in 
a warm oven for 40 minutes.
