Research

If you are thinking about skipping this post because you are not a developer, or think APIs are irrelevant to you, stop! You are missing the point of an important trend in both security and development. Today we launch our research paper on API gateways. It includes a ton of information about what these gateways are, how they work, and how best to take advantage of them. Additionally, we describe this industry trend and how it bakes security into the services. Even non-developers will be seeing these and working with one in the near future. On a more personal note, I need to say that this was one of the more fun projects I have worked on recently. The best research projects are the ones where you learn a lot. A full third of the content in this paper either was previously unknown to me, or I had not connected the dots to fully realize the picture they create, before Gunnar Peterson and I started the project. And for you jaded security and IT practitioners who have seen it all, I am willing to bet there is a lot going on here you were not aware of either. Going into the project I did not understand a few key things, such as: That lumbering health care company exposed back-office services to the public. Via the Internet? They can’t get out of their own way on simple IT projects, so how did they do that? I understand what OAuth is, but why is it so popular? It doesn’t make sense! How did that old school brick and mortar shop deliver Android and iOS apps? They don’t develop software! Someone is making money with apps? Bull$!^&: That’s ‘labor of love’ stuff. Show me how, or I don’t buy it! The word ‘enablement’ is one of those optimistic, feel-good words product vendors love. I stopped using it when I started working at Securosis because we hear a poop-storm of bloated, inappropriate, and self-congratulatory terms without any relevance to reality. When I am feeling generous I call it ‘market-leading’ optimism. So when Gunnar wanted the word ‘enablement’ in the title of the paper I let out a stream of curse words. “Are you crazy? That has got to be the dumbest idea I’ve ever heard. Security tech does not enable. Worse, we’ll lose credibility because it will sound like a vendor paper!” But by the end of the project I had caved. Sure enough, Gunnar was right. Not purely from a technical perspective, but also operationally. Security, application development, and infrastructure have evolved with a certain degree of isolation, which enables companies to provide external services while satisfying compliance requirements, often despite lacking in-house development skills. Anyway, this has been one of the more interesting research projects I have worked on. Gunnar and I worked hard to capture the essence of this trend, so I hope you find it as educational as I did. We would like to heartily thank Intel for licensing this content- they have an API Management solution and you can download the report from Intel’s API Gateway resource center that has tutorials and other related technical papers. We’ll have an upcoming webcast with Intel so I encourage you to register with them if you want more details. You can also download a free copy from our library : API Gateway research. Share:

As much as it pained me, Friday morning I slipped out of my house at 3:30am, drove to the nearest Apple Store, set up my folding chair, and waited patiently to acquire an iPhone 5s. I was about number 150 in line, and it was a good thing I didn’t want a gold or silver model. This wasn’t my first time in a release line, but it is most definitely the first time I have stood in line since having children and truly appreciated the value of sleep. It wasn’t that I felt I must have new shiny object, but because, as someone who writes extensively on Apple security, I felt it was important to get my hands on a Touch ID equipped phone as quickly as possible, to really understand how it works. I learned even more than I expected. The training process is straightforward and rapid. Once you enable Touch ID you press and lift your finger, and if you don’t move it around at all the iPhone prompts you to slightly change positioning for a better profile. Then there is a second round of sensing the fringes of your finger. You can register up to five fingers, and they don’t have to all be your own. What does this tell me from a security perspective? Touch ID is clearly storing an encrypted fingerprint template, not a hashed one. The template is modified over time as you use it (according to Apple statements). Apple also, in their Touch ID support note, mentions that there is a 1 in 50,000 chance of a match of the section of fingerprint. So I believe they aren’t doing a full match of the entire template, but of a certain number of registered data points. There are some assumptions here, and some of my earlier assumptions about Touch ID were wrong. Apple has stated from the start that the fingerprint data is encrypted and stored in the Secure Enclave of the A7 chip. In my earlier Macworld and TidBITS articles I explained that I thought they really meant hashed, like a passcode, but I now believe not only that I was wrong, but that there is even more to it. Touch ID itself is insanely responsive. As someone who has used many fingerprint scanners before, I was stunned by how quickly it works, from so many different angles. The only failures I have are when my finger is really wet (it still worked fine during a sweaty workout). My wife had more misreads after a long bath when her skin was saturated and swollen. This is the future of unlocking your phone – if you want. I already love it. I mentioned that the fingerprint template (Apple prefers to call it a “mathematical representation”, but I am sticking with standard terms) is encrypted and stored. I believe that Touch ID also stores your device passcode in the Secure Enclave. When you perform a normal swipe to unlock, then use Touch ID, it clearly fills in your passcode (or Apple is visually faking it). Also, during the registration process you must enter your passcode (and Apple ID passwords, if you intend to use Touch ID for Apple purchases). Again, we won’t know until Apple confirms or denies, but it seems that your iPhone works just like normal, using standard passcode hashing to unlock and encrypt the device. Touch ID stores this in the Secure Enclave, which Apple states is walled off from everything else. When you successfully match an enrolled finger, your passcode is loaded and filled in for you. Again, assumptions abound here, but they are educated. The key implication is that you should still use a long and complicated passcode. Touch ID does not prevent brute-force passcode cracking! The big question is now how the Secure Enclave works, and how secure it really is. Based on a pointer provided by James Arlen in our Securosis chat room, and information released from various sources, I believe Apple is using ARM TrustZone technology. That page offers a white paper in case you want to dig deeper than the overview provides, and I read all 108 pages. The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds – the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI(TM) bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification. Seems pretty clear. We still don’t know exactly what Apple is up to. TrustZone is very flexible and can be implemented in a number of different ways. At the hardware level, this might or might not include ‘extra’ RAM and resources integrated into the System on a Chip. Apple may have some dedicated resources embedded in the A7 for handling Touch ID and passcodes, which would be consistent with their statements and diagrams. Secure operations probably still run on the main A7 processor, in restricted Secure mode so regular user processes (apps) cannot access the Secure Enclave. That is how TrustZone handles secure and non-secure functions sharing the same hardware. So, for the less technical, part of the A7 chip is apparently dedicated to the Secure Enclave and only accessible when running in secure mode. It is also possible that Apple has processing resources dedicated only to the Secure Enclave, but either option still looks pretty darn secure. The next piece is the hardware. The Touch ID sensor itself may be

Dennis Fisher writes what many of us have been feeling for a while in The Sky is Not Falling–It’s Fallen. He argues that the fundamental underpinnings of security are being whittled away – slowly but surely. And the fact that it’s a cynical view doesn’t make it wrong. …the steady accumulation of evidence over the last three months makes it difficult to come to any conclusion other than this: nothing can be trusted. Security folks have talked about trusting no one – basically since the beginning of time. But really trusting nothing appears to present a mental barrier that many people are either unable or unwilling to jump. So we’ve come to the point now where the most paranoid and conspiracy minded among us are the reasonable ones. Now the crazy ones are the people saying that it’s not as bad as you think, calm down, the sky isn’t falling. In one sense, they’re right. The sky isn’t falling. It’s already fallen. I am no government apologist, and I think some activities definitely cross the line – including using the specter of terrorism to do whatever they want. We have evidence that the “powers that be” have manipulated the truth, painted dissenters as traitors, and continue to hide behind layers and layers of national security rhetoric and fear of terrorism to obfuscate the truth. But I wonder whether all this is really new. If I remember correctly, McCarthy used many of the same tactics to squelch dissent about clear violations of the rights of good, upstanding citizens, and to wage a witch hunt. Now they have automated tools to search for witches, and we’re surprised they are using them? We have worried about foreign governments (regardless of which particular governments you are most concerned about) putting back doors in imported products for a long time. Why would anyone assume our own government wouldn’t be doing the same? I guess the outrage comes from the realization that the emperor hasn’t changed his clothes since the 1950’s. I suppose it’s much more comfortable to go through life blissfully unaware of what’s really happening. I can’t really say that my life is better now that I know for a fact what I always suspected. Actually, now that I think about it, my life is the same. Am I going to do things differently because someone is watching? Nope. That doesn’t mean we should accept a surveillance society. But at the end of the day I am a realist, and perhaps a crazy one, because even if it’s “as bad as you think,” I am pretty sure life will go on. It will be different, but change is inevitable – the increasing pace of communications and automation continue to disrupt how we do things, in security and everywhere else. The question we each need to ask is: how much will we let this stuff impact our daily lives? Will you start wearing a tinfoil hat and embrace your own personal paranoia to the point of distraction? Or will you move forward, knowing the world is different, society has overcome lots of bad behavior in the past, and will do so in the future. That is a decision each of us needs to make, and we all need to live with the consequences of our decisions. For better and worse. And somewhere along the line I have become a borderline optimist. I guess it’s time to leave security. Share: