Swedish e-leg fiasco

Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what better place to start than with the Swedish e-leg? Apparently the architecture will be using SAML federation, i.e. the participating parties are in a relationship in which they trust each other. Every ticket includes an identity (a SAML assertion); the ticket is digitally signed, but the signature is not embedded in the SAML assertion. The YouTube video below describes these specific inherent weaknesses in SAML, but clearly (and hopefully) these issues have now been fixed. However, according to the speaker (questions at the end) the signature standard used in SAML is very complex, and there are not many who understand it fully enough to implement it properly. The main problem seems to be the way the signature is separate from the SAML assertion.

Even if the vulnerabilities mentioned from 2012 have been fixed, there are in any case potential integrity issues for customers with the Swedish e-leg implementation, namely: You can’t see what you are signing!

  • What you will see in the web browser has a very weak connection to what you are signing. What this means is that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and the text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with, and that is a Man-in-the-Browser (MitB) trojan changing the content in the browser.

What you do may not be exactly what you expect!

  • This is exactly it: the customer… well, that could be you, can potentially be ‘lured’ into signing something that you were not expecting to sign. It is likely that the e-leg service works so that the identification of a user leads to a legitimate transaction. However, this could be either a logon to a service or the digital signing of a transaction. There are other services available today that differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.
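As an added illustration of the two points above (the signature not being bound to the text the user sees, and no distinction between a logon and a signing transaction), here is a small Python model. It is not e-leg code and does not reproduce the real SAML/XML-DSig format; HMAC-SHA256 stands in for the PKI signature, and the ticket fields and sample texts are constructed. The weak pattern signs only the identity assertion, so the text beside it can change without the check failing; the bound pattern signs the purpose and a hash of the displayed text, so a verifier can detect a mismatch and refuse to treat a logon ticket as a signature.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a shared key stands in for the XML-DSig/PKI
# signature of a real e-leg ticket. The binding logic, not the primitive, is the point.
KEY = b"constructed-demo-key"


def sign(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(payload), sig)


# --- Weak pattern: the signature covers only the identity assertion ----------
def weak_sign(assertion: str, displayed_text: str) -> dict:
    # The text the user sees travels beside the assertion, outside the signed bytes.
    return {
        "assertion": assertion,
        "displayed_text": displayed_text,
        "sig": sign(assertion.encode()),
    }


def weak_verify(ticket: dict) -> bool:
    # Only the assertion is checked: nothing ties it to displayed_text or to a purpose.
    return verify(ticket["assertion"].encode(), ticket["sig"])


# --- Bound pattern: sign the purpose and a hash of the displayed text --------
def bound_sign(assertion: str, purpose: str, displayed_text: str) -> dict:
    if purpose not in ("login", "sign"):
        raise ValueError("purpose must be 'login' or 'sign'")
    text_hash = hashlib.sha256(displayed_text.encode()).hexdigest()
    # Canonical encoding so both sides hash identical bytes.
    payload = json.dumps(
        {"assertion": assertion, "purpose": purpose, "text_sha256": text_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return {"payload": payload, "displayed_text": displayed_text, "sig": sign(payload)}


def bound_verify(ticket: dict, expected_purpose: str) -> bool:
    if not verify(ticket["payload"], ticket["sig"]):
        return False
    body = json.loads(ticket["payload"])
    if body["purpose"] != expected_purpose:
        return False  # a logon ticket is not accepted as a signature, or vice versa
    shown = hashlib.sha256(ticket["displayed_text"].encode()).hexdigest()
    return hmac.compare_digest(body["text_sha256"], shown)


def demo() -> dict:
    """Run both patterns against a constructed transaction and an altered display."""
    assertion = "<Assertion>Subject=198001011234</Assertion>"  # constructed sample
    shown, altered = "Pay 100 SEK to account A", "Pay 10000 SEK to account B"

    weak = weak_sign(assertion, shown)
    weak_tampered = dict(weak, displayed_text=altered)

    bound = bound_sign(assertion, "sign", shown)
    bound_tampered = dict(bound, displayed_text=altered)
    login_ticket = bound_sign(assertion, "login", shown)

    return {
        "weak_honest": weak_verify(weak),
        "weak_tampered_still_passes": weak_verify(weak_tampered),
        "bound_honest": bound_verify(bound, "sign"),
        "bound_tampered_detected": not bound_verify(bound_tampered, "sign"),
        "login_ticket_refused_as_signature": not bound_verify(login_ticket, "sign"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak ticket verifies just as well after the displayed text is altered, which is the "not married" problem above; the bound ticket fails on the same alteration and also fails when a logon ticket is presented where a signature is expected.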

However, now the Myndigheten för samhällsskydd och beredskap (MSB) has published a summary report “Analys av informationssäkerheten i Svensk e-legitimation” (link broken, 2015-05-21). The detailed report has been labelled as Secret. However, I guess that they are fixing all the potential security flaws, a couple of which I have named above. The thing that still bothers me is that even in the recommendations they are still fixated on using SAML for the infrastructure. Funny that this report came out in the wake of the Telia e-leg identity fraud fiasco, though 😉 Have fun reading!

Cloud & Mobility on 5th November in Stockholm

Introduction presentation from Ulf Bergund, M.Sc, CISM, President, Cloud Security Alliance Sweden, for Nordic IT Security 2014. More information: http://www.nordicitsecurity.com/

Identity and Trust in a digital world

14:00 Future Trends and Innovation at the Nordic IT Security Conference on 5th November in Stockholm. This is what I am going to talk about…

“I dare to challenge: that what you state as your digital identity today, is not a digital identity at all! This is why information security programs do not work. Your so called ‘digital identity’ is the weakest link in the chain; in a verbose, connected and dynamic digital society. What’s more is that your digital identity can be stolen. Identity fraud is on the rise, even in Sweden. So how did we get into such a mess and what is the future for our digital identities?”

Big data – mapping your whole life

For those of you who missed this program on SVT2, Avsnitt 9: Big data – så kartläggs hela ditt liv, here is the link. It was shown this evening in Sweden at 20:00. The program is mainly in English with Swedish subtitles.

Let’s talk about merino.se too…..

Following up my previous posts on identity theft/fraud, I should give more credit to merinfo.se.

Merinfo.se is probably one of the best websites for finding an all-round picture of an individual. Here you will find the first 6 digits of their personal number, which is their date of birth… but what’s new? Also where they live, the same as other websites. In addition, if you are lucky, there is a Google Maps picture of their home, a list of the companies in which they hold board positions, and a timeline for these relationships.

Surprise! 10 more years of PII exposure in Sweden….

It seems that many of the utgivningsbevis that were granted in 2004 are due to expire this year, in 2014, and in 2014 it is still legal in Sweden for those holding this exemption certificate to share your personal information if you are a Swedish resident and/or Swedish citizen… here is information on this.

So how many companies have been granted an utgivningsbevis, and have the right to publish your personal information publicly? Well, 917 is what I found, and you have not a legal leg to stand on to get your personal information removed.

This includes ratsit.se and birthday.se. Here you can type in the name of the target and search, bingo! Happy hunting!
