A trio of computer security researchers say they've successfully compromised Microsoft's CardSpace, a technology intended to strengthen the security of personal information on the Internet.
CardSpace ships with the Windows Vista operating system. It works in concert with a browser when someone uses a Web site that asks for information such as an address or a credit card number. That personal information can be stored on the user's computer or with a third-party identity provider.
CardSpace keeps a set of virtual ID cards on the user's computer. When a Web site asks for information, the user picks one of the cards. "Self-issued" cards store identity information on a user's PC, while "managed" cards are stored by an identity provider.
When logging into a Web site, the user can ask the identity provider to vouch for them, which saves having to remember a slew of different passwords, a concept known as single sign-on. Rather than directly receiving the personal information, the Web site gets a token from the identity provider, adding an additional layer of security to a Web transaction beyond SSL (Secure Sockets Layer) browser encryption.
The researchers, from the Horst Gortz Institute for IT Security at Ruhr University in Bochum, Germany, have shown that the authentication token CardSpace hands to a Web site can be intercepted. An attacker holding that token could present it to the site it was issued for, logging in as the victim or submitting the victim's personal information to that site.
Microsoft is hoping CardSpace will reduce problems plaguing Internet users such as identity theft. The company has also pledged to integrate CardSpace with OpenID, an open standard with the same goals that has been implemented in part by companies such as Yahoo. However, Web sites have to be built to support CardSpace and OpenID, and so far neither is widely used.
The attack against CardSpace starts by directing the user to a malicious Web server. In the researchers' description, the attacker tampers with the victim's DNS (Domain Name System) settings, a trick known as "pharming", so that the name of a legitimate site resolves to the attacker's server, which is then able to capture the authentication token.
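The pharming step above depends on quietly changing how the victim's machine resolves names. As an added example (not code from the article or from the Horst Gortz researchers), the following Python audit checks the two host-side traces such tampering tends to leave: hosts-file entries that pin a watched site's name to an address, and configured DNS servers that fall outside the networks the organisation expects. The hosts-file text, the server list, the domain names and the network ranges are constructed samples; on a real Windows machine you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and the "DNS Servers" lines reported by `ipconfig /all`.

```python
"""Spot pharming-style tampering with a client's name resolution.

Added example; not code from the article or the researchers' work.
Two cheap host-side indicators are checked:
  1. hosts-file entries that override a watched domain (the site or identity
     provider whose token you care about) with any address, and
  2. configured DNS servers outside the expected networks.
All sample inputs below are constructed for illustration.
"""
import ipaddress

# Names present in a stock hosts file that are not worth reporting.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip_address, [names...]), ...] for each valid hosts-file line.

    Comments (#) and lines whose first field is not an IP address are
    skipped, mirroring how the resolver itself ignores them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [f.lower().rstrip(".") for f in fields[1:]]))
    return entries


def _under(name, domain):
    """True if name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def hosts_overrides(text, watched_domains):
    """Return [(name, ip_string)] for hosts-file entries that override a
    watched domain.  Any such entry is suspicious: a public site's name
    should never be pinned locally, whether to an attacker's address or to
    loopback (which would simply blackhole it)."""
    watched = [d.lower().rstrip(".") for d in watched_domains]
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name in BENIGN_NAMES:
                continue
            if any(_under(name, d) for d in watched):
                findings.append((name, str(ip)))
    return findings


def rogue_dns_servers(configured, expected_networks):
    """Return configured DNS server addresses outside the expected networks
    (e.g. the corporate resolvers or the ISP's published ranges)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in expected_networks]
    rogue = []
    for server in configured:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            rogue.append(server)      # not even an address: report it
            continue
        if not any(addr in n for n in nets):
            rogue.append(server)
    return rogue


# --- constructed sample input (hypothetical names and addresses) -----------
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.corp.example        # legitimate internal pin
203.0.113.7     login.bank.example  www.bank.example   # pharming entry
"""
SAMPLE_DNS_SERVERS = ["10.0.0.53", "203.0.113.53"]   # the second is rogue
WATCHED = ["bank.example", "idp.example"]
EXPECTED_DNS = ["10.0.0.0/8"]


def audit(hosts_text=SAMPLE_HOSTS, dns_servers=SAMPLE_DNS_SERVERS,
          watched=WATCHED, expected_dns=EXPECTED_DNS):
    """Run both checks; an all-empty result means nothing was found."""
    return {
        "hosts_overrides": hosts_overrides(hosts_text, watched),
        "rogue_dns_servers": rogue_dns_servers(dns_servers, expected_dns),
    }


if __name__ == "__main__":
    for kind, hits in audit().items():
        print(f"{kind}: {hits if hits else 'none'}")
```

The hosts check reports any override of a watched domain, including one pointing at loopback, because the legitimate site has no business appearing in the file at all; the DNS check is deliberately allow-list based, since an attacker-chosen resolver can look perfectly ordinary on its own.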
So far, the method remains proof-of-concept and has not been used to attack people. But that could change, the researchers said.
The attack can be easily replicated, according to the Horst Gortz Institute. The researchers "conclude that it is realistic to expect attacks against CardSpace soon in the wild."
Microsoft officials said they are looking into the research.
The research was done by two IT security students, Sebastian Gajek and Xuan Chen, and Jorg Schwenk, a professor and chairman of Network and Data Security at the institute.