Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Robot attack on SAML

(Shannon Roddy)

Roddy: Robot related incidents are an issue recently in identity federation. It was a potential attack recently where we realized the threat soon after the robot paper went out. Beginning of January we realized it was no longer theoretical and it brought on a more regimented appraisal of what was out there. Main question for the session: Is it ok for us to scan everything coming in? And if we all agree that scanning is okay we should then be more focused on the notification process: who should be notified and in what capacity? TLS problems are much wider than decryption. You can convince the server to sign an arbitrary bit of SAML with a SAML random generated key. We found there were three IDPs actually vulnerable within the university realm

Barton: What measures were taken?

Roddy: The vendor provided a patch or they somehow overcame the problem without sending a response back.

Heinzl: Federation is about trust and it is better to catch mistakes the members are making. Humans are prone to mistakes after all.

Roddy: There are many IDPs so it is hard to scan for all kinds of robot attacks. People operating different IDPs also leave and change all the time so there is no clear pattern here. It is difficult to have communication with universities themselves because there is a full spectrum of different behaviours and replies from them. They sometimes hide the fact that they are vulnerable or rely on chance for those issues.

Pichler: In the Austrian gov federation we scan always what is in the security requirements for our federation policies. It is a problem that there are sometimes not the required resources for the needed amount of work.

Q: Do you have consent to do this scan for the IDPs?

Pichler: It is obligated for everyone since it is defined in the working groups.

Q: For us we are obliged to respond to federation incidents.

Big question: Can you kick out institutions/ governments if they do not fully cooperate with the response giving? Federations can actually do that.

Groep: Peer pressure works in this case. You flag them into a group of institutions that are not cooperative. You flag them into certain naming groups that pushes them to response immediately, from experience. Who do you inform from my security mistakes? Should I trust the results of this scan? Notifications are important more than the process itself.

Rodd: We have been turning to REN-ISAC recently. The REN-ISAC is a national security organization for higher education in the US as an industry of its own and that is being approached lately as a source for resolving security issues.

Heinzl: Time is not a thing you have in those cases. There are millions of clients when we are talking from the point of view of the government and we had long discussions if it is ok to switch off T 1.1 or similar. Austria has an organization in particular that informs all government departments for big problems/ big impact issues that is very reliable and it is always very filtered information: GovCERT (exploit sensors)

Groep: There is an analogue version in the Netherlands, relating cyber security problems.

Heinzl: It is an ongoing discussion if we need to bring the big security providers with federations in different countries. It depends strongly on the structure of the federation itself.

Roddy: In the US there is the FBI that sends out informative directives regarding these issues. Nowadays they give you actual IP addresses.

Heinzl: If I am an internet provider and the competition is being threatened more and more often from security issues it also presents a financial advantage

Burton: Is there an incident response policy in play within your federations in different countries? Not that there can be an anticipated response each time but are there communication steps, solutions to different issues or compromitations with security levels? In the US the purpose is to make sure that the decision making authority is compliant not with the possible problems itself but mostly with the process of responding.

Heinzl: Austria has none. For example the Heartbleed attack there was mostly phone calls, emails, point to point conversations and bilateral exchanges. Everyone did what they thought it was right at that moment. There is always the chance of overreacting and “burning the house down” for one minor issue.

Burton: Where do you draw the line while doing scanning about managing expectations?

Roddy: There needs to be a better managing at having better contact points for both entities and federations.