Application security made easy with IBM Cloud App ID

I recently had to look at an option for user management, authentication, and security. I was aware of what IBM Cloud App ID was but I never dug into the details.

Continue reading

Advertisements

12% Increased conversion with Instart Logic and WebSphere Commerce

Screen Shot 2016-07-21 at 11.50.08 AM

Instart Logic has an amazing solution that will increase your conversion rates and speed up your site greatly. Check out this video where I introduce the solution and then see a quick demonstration of the Instart Logic solution implemented on the WebSphere Commerce starter store.

Will corporations move to fingerprint reading on devices for authentication?

fingerprintWith the launch of the new iPhone 5s I am sure many IT security people are working to figure out whether or not to support fingerprints to get access to the device.

My company has a pretty stringent password policy for my mobile devices and most of my friends and family make fun of me having to enter such a long password every five minutes.  I would love nothing more than to move to a fingerprint reader, however, I have some reservations about the technology.

This is clearly the way to go in my opinion but I am hesitant because I am not 100% it is secure at this point. Some of the early signs of image manipulation and spoofing have caused this concern. I think “spoofing” is going to be the least concern.

The reader on the iPhone is a capacitance finger print reader. Meaning it reads the conductivity of the subdermal layer (just below the dermis) and essentially generates an image from the subtle differences in your print. This in the end would be a very different picture than an actual finger print picture.

Lastly, can this “fingerprint” be used later on by the NSA? Will they simply get a massive collection of fingerprints right out of the gate?  What about apps accessing the finger print image?

Apple went out of its way to explain that your fingerprint data is stored on the A7 ARM chip, not in iCloud, and not anywhere else online. – link

Check out that article which talks about these kinds of threats, I found it very interesting. At the end of the article it clearly eludes to the NSA problem. If there are API’s that have to read and write the finger prints then clearly there will be a way for “someone” to get this data. I will keep researching around for how Apple is preventing such access but if  you find something first please comment here!

 

My site was attacked…here are the details

What you are about to read is arguably the number one problem with PHP and script based sites. I can’t communicate enough the importance of site security both at the HTTP and FTP site protocols. Unlike other technologies, like Domino NSF, script based web sites can easily be hacked by script monkeys. If you don’t care about PHP sites and the different ways it can be hacked then please don’t read this.

Continue reading

Securing your local servlets in Lotus Notes

At this point, everyone knows about the Lotus Notes client and the embedded HTTP stack, or at least most know. If you do not know, here is a little primer: there is an embedded HTTP stack in the Lotus Notes client. 🙂

Just kidding!

The http stack allows for developers to create servlets, host HTML or even run pre-compiled JSP’s. You can learn more about the stack on the Lotus Expeditor Wiki.

Ok, so how can I prevent “other” operating system applications from calling into my servlet?

First off, the Lotus Notes client does a good job in not making it easy to figure out the port number of the embedded server. So the first layer of security is a random port number on each launch of the client. So you might see URL’s that look similar to this:

http://localhost:1436/proxy/viewer.html

The port 1436 is dynamic and switches every time the Notes client starts. But that really is not good enough. A good hacker can most likely figure this out as the number is stored in memory. You may have also read how I can attach any browser on my machine to my servlet to help debug the Attachment Viewer sidebar plugin by enabling the debug option. This allows me to use the debug tools in Chrome and FireFox to assist with debugging my JavaScript and Dojo code.

The problem is, any application outside of Notes can do this if they figure out the port! That means anything your servlet “serves” up can be subjected to attack. So here is what I did to prevent this in the next version of the Attachment Viewer.

I used cookies to protect the servlet so only embedded browsers in the Notes Client can interact with the proxy servlet. While this is not 100% secure yet (stay tuned for the next post), it is a good way to prevent other operating system applications from getting into the Notes client. I simply generated both a unique key and value and set the cookie using the SWT browser API. Here is the code to create the key and value:

static String getNewKey(Object obj){
   return "AT" + (System.currentTimeMillis() * 3) + obj.hashCode();
}
static String getNewValue(Object obj){
   return "AT" + (System.currentTimeMillis() * 2) + obj.hashCode();
}

The object is the Attachment Viewer ViewPart and you can see we get the current time in milliseconds and multiply them by different values. This insures the name and value will be random every time the Notes client launches. Next we have to set the cookie in the browser before we launch the URL:

private void initURL(int port, String host) {
     currentCookieKey = Security.getNewKey(this);
     currentCookieValue = Security.getNewValue(this);
     String url = "http://" + host + ":" + port + "/proxy";
     Browser.setCookie(currentCookieKey + "=" + currentCookieValue, url);

     browser.setUrl(url + "/viewer.html");
 }

So you can see we get a new key and value, store them into some memory where the proxy servlet can do a check against it when a request comes in. You will also notice that the setCookie is a static method, meaning all browser instances will inherit this cookie and can potentially access the servlet. We could even go further and assign an expiration to the cookie if we wanted.

Now in the servlet code, in our doGet() method, we verify the cookie and error out if it is not what we expect:

if (isValidRequest(req) == false){
     OutputStream os = resp.getOutputStream();
     StringBuffer buffer = new StringBuffer();

     buffer.append("<h1>Invalid security token, access to proxy not granted.</h1>");
     os.write(buffer.toString().getBytes());
     os.close();
     return;
 }

In the end, when you attempt to connect to the servlet using FireFox or Chrome you would see something like this:

Click image to see full the image

Is xAuth secure?

I am not a security expert and I am just starting to get into oAuth and the different ways social sites can be cross authenticated with social applications.  I have played with Facebook and Twitter using oAuth which work great for my blog other sites.

xAuth is interesting because it is basically the same thing as oAuth but skips the request_token and authorize steps.

xAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. See this for more details. – Twitter Documention

The problem, from what I know is, the “request_token and authorize” steps seem pretty important. This is where the user basically accepts the application requesting access.

Why is this cool? Well, imagine an on premise application (one that is behind the firewall) that wants to integrate with Twitter, LinkedIn or Facebook. It simply won’t work since none of those applications can call back into the site behind the firewall. xAuth would solve this.

Now, if an application is well known and the key is truly kept secret then I guess xAuth could be used. With a world of “leaks” and lack of employee trust, I simply can not see xAuth being a viable way to achieve authentication.

Generating Captcha Security images

After reading this post from PlanetLotus during my lunch break about captcha and the other night I was messing around on my site, which is a WordPress site written in PHP, I wanted to see how captcha like spam protection would work in PHP.  There is a great article with source code over on a site called White Hat.  The article does a good job showing how its done and the code is very legible.  Of course this is in PHP but I think the concepts could easily be moved over to Java or another language.  It also shows a nice tip on redirecting an image url to the php file so it appears as a image in the HTML to the end user (if the source was ever looked at).