Social Login on SCN (and elsewhere) – a few reminders
I saw Charles Carney's post this morning (through a tweet by Gali Kling Schneider) which talks about LinkedIn now being the third available Social Login option on SCN (after Twitter and Facebook).
Being the security scarecrow here, this reminded me of LinkedIn being hacked and having all their passwords exposed, but that was a while ago and I'm sure that has been properly fixed by now. Still, it's a good time to reflect on trust and security in social networks.
Every time you choose to log in to a site with a social network account you're handing over trust to a third party to use your identity to do stuff on your behalf, sometimes even without you being actively involved in the process. You usually want that, stuff like sending off a tweet every time you post a new image to Instagram.
By the way, the authorizations work both ways – you allow the target application to be accessed with your social network credentials, but you also allow the host application to use your social network information. These authorizations are part of the initial account linking process.
Examples:
That's usually just fine, i.e. you want that, but we tend to forget what we granted after a while, and sometimes this leads to surprises. As a little awareness exercise, you can see which authorizations you already granted. Please go to each of the following links (provided you use that social network), look at the apps, and consider whether you still use each app, or whether you were even aware you had granted those privileges:
- LinkedIn https://www.linkedin.com/secure/settings?userAgree=&goback=%2Enas_*1_*1_*1
- Twitter https://twitter.com/settings/applications
- Facebook https://www.facebook.com/settings?tab=applications
Interesting, isn’t it?
Next critical question: Are you using different passwords on each of your social networks? Because if you don't, and one of them gets exposed, someone might use it to log on to another social network, which in turn you may be using as a login to SCN or elsewhere.
Using different passwords may sound cumbersome (and it is), but it’s well worth it. I recommend using a password manager that integrates into your browser like LastPass or 1Password to make it easier; they will also assist you in generating secure passwords.
In an SAP context, similar questions arise when you link your AS Java to Windows login. We did this for many customers with GRC AccessControl 5.3 scenarios. It’s incredibly simple to set up, but it needs follow-up activities in the organisation:
- Your Windows password now works as an SAP logon. Do your password rules take that into account (i.e. are your Windows passwords strong enough)?
- People may share Windows passwords for whatever purpose – this is no longer acceptable if it suddenly also grants you access to, say, ESS scenarios.
- Password reset procedures may be rather lax for Windows passwords, which will need to change. I've seen many organisations where you could get your Windows password reset to a (well known) generic one by calling a help desk. Help desk staff need to be made aware of the extended usage of Windows passwords.
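To make the transitive-trust argument of the two lists above concrete (a reused social-network password reaching SCN, a Windows password reaching AS Java and ESS), here is an added Python model that is not part of the original post; the accounts, links and password labels are constructed for illustration and the function names are my own.

```python
from collections import defaultdict

# Constructed example data (not from the post). FEDERATION: the holder of the key
# account's credential can log in to each listed application (social login, or
# Windows -> AS Java). PASSWORDS: constructed labels, equal label = reused password.
FEDERATION = {
    "facebook": ["scn"],
    "twitter": ["scn", "instagram"],
    "linkedin": ["scn"],
    "windows-ad": ["as-java"],
    "as-java": ["grc-ac", "ess"],
}
PASSWORDS = {
    "facebook": "pw-A",
    "linkedin": "pw-A",  # same password on LinkedIn and Facebook
    "twitter": "pw-B",
    "windows-ad": "pw-C",
    "scn": "pw-D",
}

def build_trust_graph(federation, passwords):
    """Edge X -> Y means: compromise of X's credential also gives access to Y."""
    graph = defaultdict(set)
    for idp, relying in federation.items():
        graph[idp].update(relying)          # federation: X logs you in to Y
    by_pw = defaultdict(set)
    for acct, pw in passwords.items():
        by_pw[pw].add(acct)
    for accts in by_pw.values():            # reuse: X's password opens every
        for a in accts:                     # other account with the same password
            graph[a].update(accts - {a})
    return graph

def blast_radius(graph, exposed):
    """All accounts transitively reachable once `exposed` is compromised."""
    seen, stack = {exposed}, [exposed]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen - {exposed}

def weakest_links(graph, accounts):
    """Accounts ranked by how many others their compromise exposes (worst first)."""
    return sorted(((len(blast_radius(graph, a)), a) for a in accounts), reverse=True)

if __name__ == "__main__":
    g = build_trust_graph(FEDERATION, PASSWORDS)
    for count, acct in weakest_links(g, set(FEDERATION) | set(PASSWORDS)):
        print(f"{acct:<11} exposes {count}: {sorted(blast_radius(g, acct))}")
```

Breaking the password-reuse edge (a unique LinkedIn password) or the federation edge (not using Windows logon for AS Java) shrinks the reachable set, which is exactly the awareness point of the lists above.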
So, to summarize: Social Login and identity federation are good and useful, but awareness of their security side effects needs to be raised, also (or especially) among average users.
Related Posts:
http://scn.sap.com/community/security/blog/2012/06/07/on-passwords
http://scn.sap.com/community/security/blog/2012/08/08/initial1
Feel free to share your biggest AHA-moments when you looked at the list of linked applications in your social networks in the comments!
This is one which has personally always scared me quite a bit. A number of years ago I was involved in a pen test in a large, global company. Basically a few guys turned up with some PCs, and were directed to a meeting room. Less than 24 hours later, they had full domain admin rights in Active Directory. If your SAP systems delegate authentication to AD, or worse delegate authorisations, it's pretty much game over at that point. If you're putting all eggs in one basket it had better be a good basket...
Which reminds me, I'd like to add PasswordSafe to the list of password managers. I have been using it for years because it's one of the few which are entirely open source. If I entrust all my passwords to a piece of software, I'd want to make sure it's possible (for others) to see what the tool does under the covers.
Hi Frank,
Thanks for the blog - I have been more interested in not linking accounts than ever before, mostly because of LI being hacked. I get irritated when I try to read an article, and FB wants to post it to my timeline, and I certainly don't want to subject FB people to the stuff I do on Twitter or SCN.
As for a password manager, it would certainly be helpful - but how secure are they?
At least the yellow post-its can be locked in a drawer 😉
Great words on a huge and largely disregarded threat. As a non-security person, this makes me want to read up on OAuth (I think that's the technology) to know the details of how I sign-on with Twitter, and which party gets access to what data.
Not to forget the data leak of Facebook.
Looks like security and privacy is becoming nothing more than a wonderful fantasy. (*cough* Prism)
I used LastPass for a while, but it didn't quite do the trick for me. Especially on service.sap.com where you have many different domains to log into, LastPass kinda fails. When you have then finally managed to store your OSS password on all domains in LastPass and you change your password, the fun starts all over.
(mind you, letting google chrome remember my passwords doesn't cut it either)
So instead of being paranoid about my passwords, I just stick to a couple of pretty strong passwords (16 tokens, caps, special tokens, numbers, and nonsense) and I became more paranoid of whatever I put online.
+ I only link a few applications together with social sign-in.
I keep most of my vital info on an external drive, which is encrypted.
There really is no substitute for paranoia 😉
Excellent post Frank! Thanks for the reminders and keeping us grounded in the real world of hacking, identity theft, and good PW practices.
Is anyone facing issues with logging in using Facebook or is it just me?