I think the issue with *many* credential holders is the fact that Mr Hacker only has to penetrate the security at the one credential holder who is vulnerable to SQL injection and/or stores their details in plain text, and then you've got access to every other service used by the user because they use the same login and password everywhere. There's no real answer to the security issue anywhere, I just thought Google and the like might be able to stand up somewhat longer to an attack than someone who has built their own web store in FrontPage.
I also agree that email accounts are far more valuable than a lot of people give them credit for. Lots of people can use their Google Mail account to charge their debit card. Unfortunately it is no longer "just email". On 27 April 2011 15:39, Crawford, Scott <[email protected]> wrote: > Using Facebook or Google as a repository for single sign-on IS > problematic, but I don’t think single sign-on itself is as big of a problem. > > > > The bigger issue of using some well-known entity is the quantity of > credentials stored there. When a billion people all use the same service to > hold all their credentials, that service becomes a huge target. But, if > there were a billion ID providers, each holding 1 users credentials, attacks > would be much less valuable. > > > > I think there’s a middle ground in there somewhere, but I also think we’re > kind of there right now. Many people use the same email address to receive > forgotten password resets. If someone were to obtain the credentials to that > account, they would in effect have access to all the credentials. > > I would suggest that this hasn’t become a problem yet because those email > providers are so diverse. However, if we reach the point where most people > use one or a few providers as either a forgotten-password-email OR as a SSO > provider, we run the risk of wide spread identity theft. > > > > *From:* Ziots, Edward [mailto:[email protected]] > *Sent:* Wednesday, April 27, 2011 9:33 AM > > *To:* NT System Admin Issues > *Subject:* RE: Massive Databreach of Sony Playstation Database, > > > > IAM Nice idea, but think, when I can trick the user out of their > credentials ( Social Engineering, Malware, Keylogger) then I have 10X more > access to systems on the target network than I would have had before in a > non-IAM type of environment. So how is this a net positive? > > > > I just don’t see strong authentication ( 2X factor) in the initial > authentication mechanisms of SSO/IAM that could help with this, in > implementations, therefore can you really trust a person/entity is who they > claim to be just by a username and password? ( Nope) > > > > Z > > > > Edward E. Ziots > > CISSP, Network +, Security + > > Network Engineer > > Lifespan Organization > > Email:[email protected] > > Cell:401-639-3505 > > > > *From:* Rod Trent [mailto:[email protected]] > *Sent:* Wednesday, April 27, 2011 9:27 AM > > *To:* NT System Admin Issues > *Subject:* RE: Massive Databreach of Sony Playstation Database, > > > > Facebook rules the day already when it comes to single sign-on. They have > quietly taken the lead on that. > > > > *From:* James Rankin [mailto:[email protected]] > *Sent:* Wednesday, April 27, 2011 9:24 AM > > *To:* NT System Admin Issues > *Subject:* Re: Massive Databreach of Sony Playstation Database, > > > > I think these sort of things will power a drive towards more centralised > identity management in general. At the moment, it is nothing but a risk to > store a username and password and possibly financial data on hundreds of > different websites with differing levels of security. Even for the > intelligent, managing these vast arrays of logins and data presents a > challenge which can often only be managed by third-party software. > > > I wouldn't be surprised to see the likes of Google and Facebook trying to > move in on this - using your login for Google, for example, to log on to > myriad different websites, therefore only worrying about whether Google get > hacked or not. Although I also see a move towards more federated ways of > accessing different systems coming out from the likes of Citrix and VMWare > as well, I think things like OpenCloud and Project Horizon also have started > to encompass some form of identity management. > > On 27 April 2011 14:19, Ziots, Edward <[email protected]> wrote: > > More food for thought, I am sure that other devices ( WII, Xbox, etc > etc) could also be exploitable, it underlies a bigger problem with database > security in general. > > If you have provided information from your playstations to Sony to download > content, you might want to be watching your CC Card information and other > accounts very carefully, since your information is probably in the > possession of unauthorized parties atm. > > > http://www.ibtimes.com/articles/138557/20110427/sony-playstation-suffers > -massive-data-breach-criticized.htm > > Sincerely, > EZ > > Edward E. Ziots > CISSP, Network +, Security + > Network Engineer > Lifespan Organization > Email:[email protected] > Cell:401-639-3505 > > > unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > > > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into > the machine wrong figures, will the right answers come out?' I am not able > rightly to apprehend the kind of confusion of ideas that could provoke such > a question." > > *IMPORTANT: This email is intended for the use of the individual > addressee(s) named above and may contain information that is confidential, > privileged or unsuitable for overly sensitive persons with low self-esteem, > no sense of humour or irrational religious beliefs. If you are not the > intended recipient, any dissemination, distribution or copying of this email > is not authorised (either explicitly or implicitly) and constitutes an > irritating social faux pas. > > Unless the word absquatulation has been used in its correct context > somewhere other than in this warning, it does not have any legal or no > grammatical use and may be ignored. No animals were harmed in the > transmission of this email, although the kelpie next door is living on > borrowed time, let me tell you. Those of you with an overwhelming fear of > the unknown will be gratified to learn that there is no hidden message > revealed by reading this warning backwards, so just ignore that Alert Notice > from Microsoft. > > However, by pouring a complete circle of salt around yourself and your > computer you can ensure that no harm befalls you and your pets. If you have > received this email in error, please add some nutmeg and egg whites, whisk > and place in a warm oven for 40 minutes.* > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." *IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or no grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the kelpie next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes.* ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
