Recomendados
Recomendados
Más contenido relacionado
Destacado
Destacado (20)
Más de Condiminds
Más de Condiminds (8)
Último
Último (20)
Elgg Email Integration Security Approaches
- 1. © Elgg Email Integration Michael Jett <mjett@mitre.org> Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 2. © Handshake Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 3. © What is Handshake? business net working prototype built on top of the elgg platform created to support relationships bet ween current employees, industry, vendors, academia, sponsors, former employees, and other FFRDCs Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 4. © Email Integration? A feature which allows users to communicate directly with the elgg platform from their email client Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 5. © Why? Increased accessibility (mobile, box-top) Familiar ground for veteran users List-ser v transition Convenience Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 6. © Not a new concept facebook moodle WordPress Blogger Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 7. © Basic Flow System issues a user a my.special.email@domain.com special email address User sends an email to this special address System receives email and performs an action Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 8. © Concerns Security Server resource consumption Maintenance Storage Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 9. © Security Threats Email address spoofing Unintentional for warding of email secrets Maliciously flooding ser ver with email traffic Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 10. © Security Specifics? Where do we Embed, Issue, or Store them? Do they expire? Tokens, Keys, Specials Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 11. © Security Approaches Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 12. © User Expired User is issued a special email address to perform an action User may regenerate a new email address if they feel it has been compromised eg (my.silly.email@elggbook.com) Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 13. © User Expired Advantages Disadvantages Manageable Requires IP Monitoring Usable Requires Extensive logging silly.email.address@elggbook.com Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 14. © System Expired System automatically expires email address within a specific time frame. valid.for.30.days@elggbook.com Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 15. © System Expired Advantages Disadvantages Security is more Requires extra system centralized resources to validate expired emails Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 16. © Our Approach Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 17. © Our Approach System Expired Signature embedding to thwart spoofing attempts Action embedding Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 18. © Huh? Example Please!? create.comment.123+8vFBxhiU@elggbook.com Do? Where? Security! What? Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 19. © Acquisition How does a user obtain one of these “special” email addresses? Automatically embedded in notifications To: billy@bob.com From: no.reply@elggbook.com Someone commented on your discussion topic Email a reply href=”mailto:create... Approved for Public Release: 12-‐1298 Thursday, April 12, 2012
- 20. © Conclusion Approved for Public Release: 12-‐1298 Thursday, April 12, 2012