Thursday, December 18, 2008

The Promiscuous Browser in a Dangerous World

Microsoft released an urgent patch for a critical Internet Explorer vulnerability yesterday, highlighting the risks our web browsers represent to our online safety. Web browsers in general, and Internet Explorer specifically, are the most promiscuous programs we run on our computers. "Promiscuous" refers to the quantity and diversity of web sites we visit, content we view, programs we download, and sensitive information we exchange when browsing the web. Browser promiscuity also refers to what happens after we type a URL into the address bar. The browser first downloads an HTML page that includes tags and pointers to other content: images, stylesheets, scripts and videos. This content can come from many different web servers operated by many different organizations and can carry harmful data that infect our computers, steal our data or just sit there, undetected, until an online criminal issues remote commands to bring it to life.

Richard Adhikari posted an excellent article on InternetNews.com that describes the Internet Explorer patch, why it was necessary and what it means for online safety going forward. The multitude of exploitable features in Internet Explorer make it an excellent target for online criminals seeking to gain control of our computers and our bank accounts.

Simply put, it is not reasonable to use one browser for everything we do on the Internet. It is important for us to segment our web activities into two basic buckets:

Casual Web Use
Casual use includes reading the news, listening to music, researching recipes, and clicking links to the latest must-see Flash video our friends send us in email.

Sensitive Web Use
Sensitive use includes online banking, shopping, applying for a job, or any other transaction that requires information we would not want everyone to know.

Casual use is where we are most likely to get our computer or browser infected. It's easy to visit hundreds of websites a month, clicking from link to link, moving from reasonably safe websites to a dangerous Internet neighborhood where crimeware infections are likely to occur. Sensitive use is where we are most likely to get our money or identity stolen if we are using an infected computer or browser. Moving from one activity to the other with the same browser is just not smart. I like the excerpt from court-ordered wiretaps of Illinois Gov. Rod R. Blagojevich, quoted here from a Department of Justice press release:

"assume everybody’s listening, the whole world is listening."

That is smart advice for Internet users. If you have casually browsed the web for a few weeks or months on your computer, there is a high likelihood you have been infected through a web browser vulnerability. Infections can include "banker trojans," password- and money-stealing programs that listen in to your online banking sessions. So, when you move from casual use to sensitive use, assume the whole world is listening.

Safe Web Use
A new category of web usage that we are pioneering at Authentium is "Safe Web Use." Safe Web Use means we assume "everybody's listening" and still protect your sensitive online transactions. Our SafeCentral service helps to automatically switch between Casual and Sensitive web use and kicks in extra protection to block crimeware that got past your antivirus software during a casual web browsing session. SafeCentral stops keyloggers, screen-stealers, harmful browser plug-ins and many other crimeware components. We also provide a Secure DNS services that protects against another class of threat: DNS redirection.

So, be sure you get yesterday's Internet Explorer patch. But please understand that yesterday's patch will not protect against tomorrow's exploit. In October Microsoft released an unscheduled, critical update for Windows. Chances are the online criminals are already working on exploits we will only hear about in January or February.

Also be sure to check out SafeCentral and be safe even if everybody's listening.

Tuesday, December 9, 2008

DNS Changer Learns a New Trick

SANS, Symantec, McAfee and others have reported on a new trick that malware is using to redirect unsuspecting users from authentic web destinations--the name we type into the browser address bar or pick from our favorites--to a web server operated by the Bad Guys. These guys can set up web sites that look just like the real Citibank or Wachovia but are designed to steal our user ID and password or transfer money out of our account.

The trickiest part of the new trick is that we can follow all of the best security advice and still be susceptible. If one user on a Wifi network is infected with this new DNS Changer, all users who connect to that network can have their DNS settings changed by the one infected computer. So that guy who is halfway through his latte when you sit down in the coffee shop and open your laptop could be a threat to you. Even if you are super careful about the websites you visit and the security software you have installed.

How?
DNS is the Internet-wide system that translates names like "online.mybank.com" into the numerical address our computers need to actually connect to MyBank. If the Bad Guys control your DNS, they control where your web browser really goes when you think it is going to PayPal.

Every time we open our laptop and connect to a new network, a router on that network will send down settings that let us connect, (pay!), and get out on the Internet. The new DNS Changer trick is this: a computer infected with this DNS Changer variant will listen for new computers requesting a connection on the same network (the same coffee shop) and try to answer with Bad Guy settings before the "official" router can send it the "official" settings.

As fundamental as DNS is to the operation of the world-wide web, it's amazingly susceptible to compromise. This new DNS Changer behavior capitalizes on the vulnerability of DNS settings and: (1) leaves no traces, (2) doesn't require your computer to be infected with anything that your antivirus software will complain about.

Now What?
This is why we invented SafeCentral. SafeCentral includes a unique Secure DNS feature that protects against DNS Changer and other threats. SafeCentral uses it's own DNS. It uses Authentium's Secure DNS servers and it does so through an encrypted (HTTPS) connection.

So even if we connect to a Wifi hotspot that is hosting an infected computer, we can happily browse the web, bank and shop safely.

Tuesday, November 4, 2008

Undetectable data-stealing trojan nabs 500,000 virtual wallets

RSA issued a report earlier this week confirming the enormous threat posed to all internet users by the "Sinowal" trojan (a.k.a "Torpig" and "Mebroot"). This insidious agent is virtually undetectable, infecting a user's PC regardless of Anti-Virus and other defenses - thanks to a steady stream of variants and a highly-advanced design. Once on your system, it waits for you to visit a banking or any of its other 2,700+ trigger sites, then injects additional information fields designed to capture the necessary personal data for identity theft. The gathered credentials are well organized and sent discretely off to the criminal servers.

[RSA] recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.

The trojan is downloaded automatically through websites that exploit vulnerabilities in Windows or 3rd-party applications, and doesn't require any action or 'acceptance' by the user to install. What's worse, is that once installed:

About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.

So, here's a trojan that your standard defenses won't catch, and which can't be erradicated short of re-formatting your system. This is exactly the reason we designed SafeCentral as a "Reverse Sandbox" solution. The security industry battles the criminals every day, but no defense system is perfect; nothing is 100% effective at stopping every infection. Also, no one wants to erase all of their data and start from scratch reformatting your drive. So, what is a user to do when presented with an easy to catch, difficult to block, and almost impossible to erase evil bug like this? Use SafeCentral!

SafeCentral keeps the URL's you enter private, thereby eliminating the 'trigger' event for this trojan, and SafeCentral's secure DNS and anti-keylogging/anti-screen-scraping protect your data from exposure. SafeCentral is the only way a PC user who might come in contact with a Sinowal variant can transact safely online.

Monday, October 6, 2008

7 Online Blunders That Invite Identity Theft

Nothing revolutionary or surprising here; just good common sense tips for avoiding identity theft. Unfortunately, the remedies to these 7 blunders are almost entirely reactionary; forcing the user to duck and dodge a scam rather than avoid it entirely.

read more | digg story

Thursday, October 2, 2008

Infection Happens: What then?

There's been a lot of attention lately to a class of products defined as "sandboxes", which attempt to prevent malware from seeping onto a user's computer by establishing a virtual layer that internet data must traverse before reaching the 'host' machine's OS. These products offer a reasonable level of protection from infection, but don't effectively prevent the activities of malware already present on your machine.

I'll let you in on a little secret: INFECTION HAPPENS. Much like the comical bumper sticker about feces, this is just another fact of life: infection happens. Authentium has been in the anti-malware industry for over 20 years, and makes one of the most effective and efficient AVSDK's in the world. However, no AV engine, no spyware engine, no anti-malware engine has ever proven itself 100% effective at stopping ALL infections. There are simply too many vectors for a piece of malicious code to find its way onto your system. This isn't to suggest you shouldn't be running a good desktop security suite, or following good habits and behaviors when online, but realize that even those with the best intentions and most diligent practices can still become the victim of an infection. In fact, according to Bigfoot Interactive, 55% of online users have been infected with spyware. All these defenses, and yet most people will still get a bug in there machine.

The real question for the security industry, and more importantly consumers, is WHAT THEN? Presuming the inevitability of an infection, what can the user do to protect themselves and their privacy when conducting sensitive transactions online. The answer, of course, is SafeCentral. Which is an entirely new class of product we often describe as a "Reverse Sandbox"; designed to safeguard your activities from the intent of malware even if your PC is already an infected cesspool of malware agents.


INFECTION HAPPENS. And just like the bumper sticker suggests, it's how you deal with it that defines you're outlook on the world. When 'Sh*t Happens', keep your head about you and an even, laid-back attitude. When 'Infection Happens', arm yourself with a tool that can protect your identity and your data, so you can face the internet with confidence and that same laid-back attitude, knowing your safe despite the infection.

Our chairman, John Sharp, offered a great explanation of SafeCentral's approach in his blog. Read that, and our whitepaper on the reverse sandbox approach, to learn how to stay safe even when 'infection happens'.

Thursday, September 18, 2008

SafeCentral Updated!

This week we took the wraps of the biggest update to SafeCentral since launch, and we're thrilled with the results. The new version 1.3 release includes an entirely redesigned interface, from desktop to web, which gives the service a unified and consistent look and feel. In addition, major efforts have been taken to speed up the performance of all aspects of the service, increase compatibility, and to lay the foundation for exciting new features in the near future. You can read the full details in our newsletter.

Existing customers will have the update rolled out to them automatically in the next few days, and all new users to http://www.safecentral.com can download and enjoy version 1.3 immediately.

As always, we welcome your feedback and comments.

Tuesday, September 2, 2008

I'm your Private Browser...

Last week Microsoft took the wraps off the latest Beta of Internet Explorer 8; and just yesterday Google announced its own browser, currently named "Chrome". Both of these browsers include a feature already found in Apple's Safari by default and available via a variety of add-ons for Mozilla FireFox - "Private Browsing".

Private Browsing, often referred to as 'porn mode', covers the tracks of the user by not saving or instantly deleting browser history, searches, cache, cookies and more. Essentially, these features ensure that whomever uses your PC/Mac next won't be able to see what you were up to online. This is great functionality and a worthwhile addition to all modern browsers.

However, the name "private browsing" could certainly mislead users into thinking that it provides security against spyware, hackers and identity thieves; which is sadly not the case. This feature does not prevent a keylogger from capturing every keystroke, including the URL's you type, usernames, passwords and more. Nor does it prevent a screen-scraping agent from snapping an image of every click and every page you visit. It also provides no protection from man-in-the-middle spying or DNS-poisoning. In short, "private browsing" isn't really private. Sure, it'll keep your spouse from discovering that you were researching a surprise trip, but it won't protect your money, your accounts, or your identity. I've already been asked by 3 relatively computer-literate friends if the "private browsing" mode in Safari means they're safe.

It's becoming increasingly clear that modern browsers need to be fortified against a variety of attacks, and users have recognized that the browser, the web, and email are simultaneously the most important parts of their PC use, and the most dangerous. I sincerely hope that user's aren't lulled into a false sense of security thanks to these new features. Whether you opt to use SafeCentral, or something else, be sure your gaining REAL privacy when you go online.

Friday, August 8, 2008

SafeCentral Protects Users from Massive DNS Flaw

In the old days when you made a phone call, your request was routed to an operator who correlated the person you wanted to reach against the circuit they were on, and physically connected the cables to enable your conversation. Despite the wonders of the internet, things still work pretty much the same way. When you make a request to visit "www.paypal.com", that request is interpreted and translated by a DNS (Domain Name Server) that matches "www.paypal.com" with the IP address of the web server before sending you on your way.

One common method for hackers to steal identities, money, and more is to 'poison' or hijack DNS servers and DNS requests, and to have your traffic re-routed to sites that look like the real thing, but exists solely to steal your account credentials. So, when you type "www.paypal.com" into your browser, it's possible that a bad-guy could intercept that request and send you to his web server, which offers up a page that looks IDENTICAL to the real PayPal site. After capturing your login credentials, these hackers are usually kind enough to forward you on to the real site, so you never know the difference - UNTIL YOUR MONEY IS GONE.

In a presentation at the Black Hat security conference, Dan Kaminsky highlighted a massive flaw he'd discovered which affects millions of DNS servers across the internet. This flaw makes these servers vulnerable to these hacker attacks, and puts every web user at risk. Preventing DNS attacks was part of the central premise of the SafeCentral solution, and we're happy to report that our SecureDNS technology (built into SafeCentral) provides an effective defense against these attacks. Read the press release for more detail, and visit Dan Kaminsky's blog for full details and to test if your DNS connections are open to this kind of attack.

Wednesday, July 30, 2008

Online Threats come faster

More evidence that a new approach to security is required if user's hope to stave off the threats caused by conventional browsers and PC vulnerabilities...

While the security community has a responsibility to act as a watchdog and report the vulnerabilities that are discovered, these alerts are increasingly becoming a hand-book for even amateur hackers.

...online criminals have latched on in a big way to programs that help them automatically generate attacks based on publicly available information about vulnerabilities. In the past they apparently spent more time finding such holes themselves, but no longer find that as necessary.

In Web browsers — an area heavily targeted by hackers — hacking exploits were available within a day after flaws were discovered 94 percent of the time, up from 79 percent in 2007, IBM's report said.

For all PC vulnerabilities, over 80 percent of the exploit code was released the same day — or even before — the holes were publicly disclosed. That's up from 70 percent last year, according to the IBM study.


It would seem to me that a more private, well-vetted consortium of experts/companies should form a closed reporting system that prevents exploits (as much as possible) from becoming public until after they are addressed. It'll never fully stop the publication of "proof of concept" hacks, but a 'silent whistle' system that is endorsed by all involved could make a dent in the problem.

More importantly, it's clear that security can't be a 'reactive' system, patching exploits and issuing virus signatures in response to hackers. Instead, security should be an active solution that 'allows' the good rather than seeking to prevent the bad. SafeCentral is just one example of this new paradigm in security.

Friday, July 25, 2008

Firstrade Partnership Launches.

The entire SafeCentral team is thrilled to have announced the formal launch of our partnership with Firstrade this week. Firstrade is providing SafeCentral access to Firstrade accounts free of charge, granting their customers the most secure trading environment available in the world. We are proud to partner with Firstrade's consistently top-rated online brokerage, and to work with them to make trading even safer.

This is significant when you consider the unique risks posed by account compromise in the trading markets. After all, the exposure of your credit card or bank account information typically impacts just you, while the compromise of trading credentials can lead to stock price manipulation that could affect millions, and the very fabric of the market. An example of this occurred recently, with the 'pump and dump' scheme executed using stolen credentials from two other trading firms. The resulting $22 Million in losses could have been prevented if users had been using secure browsing tools like SafeCentral.

Wednesday, July 23, 2008

PCMag.com Reviews SafeCentral

In my line of work, you grow accustomed to product reviews and opinions that either praise or punish the monumental efforts of the company. Most reviews are fair, and most are conducted with integrity and impartiality. However, nothing is more rewarding or satisfying than a review or opinion piece that begins by understanding and validating the fundamental purpose of a product or service correctly. Such is this review from PC Mag.com's Neil J. Rubenking; which truly 'gets it' with regard to SafeCentral's raison de etre.

We're already working on a few of the small requests noted in this review (Password Manager coming soon!), while the rest of Neil's analysis captures and validates SafeCentral's revolutionary security promise superbly. Please give it a read and share your comments.

Monday, July 7, 2008

Take the Guided Tour!

I've posted a 5-part "Guided Tour" on the release version of SafeCentral. This is the most complete and compelling look at the entire service, and should help even SafeCentral veterans understand the service a little better.

http://www.safecentral.com/howitworks/Guided_Tour.html


Your feedback and comments are appreciated.

Wednesday, June 25, 2008

The Road to Safety

One of the biggest challenges with any security product is trying to find the proper balance between security and usability. The two goals often seem at odds with one-another; after all, for each thing you make possible, you may open a door for exploitation. We made it a priority at the beginning of the SafeCentral project NOT to sacrifice the security of our solution, so we've been tirelessly seeking ways to provide a seamless experience without softening the security promise. The suspend/resume functionality I previewed earlier (now in the live build), is an example of that. We provided the ability for SafeCentral to seamlessly co-exist with your other applications/activities, without inviting the weaknesses of those applications into our safe environment.

We've achieved similar success with a new browser plug-in feature, that actually INCREASES the security of our product by offering configurable alerts to the user when the site they're trying to visit might warrant the extra safety of SafeCentral. The same framework can be used to prevent phishing, by filtering URL's against known phishing sites. The great thing about this function is that it doesn't alter or weaken the security of the SafeCentral environment in exchange for simplicity, but provides the user with a completely seamless experience that makes SafeCentral a part of their normal workflow. I like to think of SafeCentral as the secure companion to your everyday browsing, and nothing makes that companion easier to access than this plugin feature.



As a self-described technology geek, I'm often asked by friends, neighbors and relatives for advice on what electronics to buy. One of the most common requests is which camera to get. I've read the reviews, tested various units, and formed plenty of opinions about the features that I think matter most. However, I often recommend a camera with lower resolution, fewer features, and other sacrifices. Why? Because "the worst picture you can take is the one you never take". Which is my way of saying that features and image quality are great, but if you don't have your camera with you because you can't stand lugging it around, all of those features aren't going to matter. So, get the small one that fits in your pocket. The same principle applies to security software design; the only security that matters is the security that you use.

So, we've gone to great lengths to provide many 'on-ramps' to the SafeCentral experience: the Programs menu, desktop icons, the taskbar, your normal browser and more all can invoke a SafeCentral session. As a user, that means you'll have the option to enter the safe environment whenever the whim, need, or opportunity arises, without having to remind or retrain yourself to do it. That, more than anything, is the most powerful form of security: security you'll use.
The attached video previews the plugin function; I welcome comments and look forward to its release in our July build.

Tuesday, June 10, 2008

Testing Confirms SafeCentral Security

Sometimes you can get so caught up in the work to build, prepare and launch a product into market, that you forget to stop and measure it against your original vision. Does it solve the problem you intended to solve? After all, the rest is just presentation and packaging; if you don't meet the benefit statement you've promised your customer, you've already failed.

With that in mind, we commissioned IRM's world-renowned security testing team to evaluate SafeCentral. We were ecstatic to see that SafeCentral met or exceeded every claim, and indeed is 'certified' to provide true privacy when transacting online. We've outlined the results in a Press Release this morning, but I wanted to take a moment here to elaborate on the report.

There are 3 points of peril when it comes to sharing sensitive information online. First, and most importantly, is the user's PC. A compromised system infested with spyware agents is an identity thief's greatest ally. Second, is the connection to the site, you can't transact safely unless you know who you're transacting with (and know with certainty that it IS the site you intend). And finally, is the authentication of user and site to one-another. With multi-factor authentication, websites have done a pretty good job guarding up #3, but items 1 and 2 have been left open for far too long. SafeCentral was built to sure up these holes.

According to the IRM Report:

In all scenarios, it was observed that SafeCentral adequately protected a user's browsing session by ensuring no keystrokes entered in the secure Firefox web browser were intercepted. Viewing logs from various keyloggers clearly indicated that keystrokes entered in the duration SafeCentral was active were clearly missing. This was true for both user and kernel land keyloggers.
SafeCentral was built to cripple desktop spyware agents, like screen-scrapers and key-loggers, even if they're successfully installed and functional on the user's PC. Every one of the more than 20 spyware agents thrown at SafeCentral was unable to capture the activities during the SafeCentral session. And on item #2:

The first test involved editing the virtual machine's "host" file to contain static entries that would redirect requests for websites supported by SafeCentral to test websites setup by IRM consultants. However, when SafeCentral was launched, the user was not redirected to the static entries and was presented with genuine websites.

SafeCentral identifies the websites your visiting against our known directory of safe sites, and ensures that you can't be re-directed to phishing/pharming sites meant to steal your credentials.

Again, while I'm happy to pat ourselves on the back, the important thing here is that we tested ourselves to ensure that we live up to our security claims, and our promise to our customers. There is too much false information and 'snake oil' already in the identity theft sphere, we need bring real solutions to market.

So, now we'll go back to putting the best possible presentation, polish, and packaging on SafeCentral.

Thursday, June 5, 2008

ID Fraud on the rise

According to leading industry analyst Avivah Litan, and a recent study by Carnegie Mellon sited in this PC World article, Identity Fraud has been on the rise over the last year and a half and is projected to maintain a meteoric rise.

Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are also getting better at what they do, she added. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."

"The thieves are just getting better and there's more fraud," she said.

It appears that despite the recent focus on new authentication systems, and stronger data warehouses, the hackers are adjusting their tactics to take advantage of holes in the security chain. As discussed here many times before, the weakest link is likely: You, and your malware infested PC.

Wednesday, May 21, 2008

ID Theft in the news...

Infoworld took a look at Check Point Software's ZoneAlarm Forcefield, and ultimately walked away unimpressed.

Unfortunately, although ForceField does offer some real improvements over the other products I've reviewed, it wasn't enough to stop malware from infecting my test systems. In less than a minute, by clicking only my third malicious Web site link, my test system was silently compromised without so much as a chirp out of ForceField.
The writer admits to being skeptical about 'sandbox' security clients,

I've reviewed similar over-marketed and under-effective virtualized or "sandbox" security clients over the years (most notably GreenBorder, subsequently acquired by Google), all of which promised to provide superior protection against all malicious Internet threats.
Ultimately, our outlook is that previously proposed solutions fall short thanks to limited security features beyond 'site classification' (prompting the user that a site is safe or 'risky' based on white-list/black-list rules and inaccurate logic) and rudimentary key-logger defenses. No solution to date has offered network level protection, or a secure DNS/Directory to ensure that the user is going only to safe sites. No solution to date offered kernel-level security and the ability to defend itself from attack. SafeCentral is a different kind of sandbox. I hope we have a chance to get this reviewer and others to take a look at SafeCentral.

In other news, LifeLock is facing a new class-action lawsuit claiming that it has made false and misleading claims about the level of 'protection' it provides.

"While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.

"Furthermore, a simple background check performed using Davis' Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old."
To be honest, I'm not sure this lawsuit has merit. I don't view the claims of LifeLock and the myriad of other 'identity insurers' to be PREVENTATIVE at all. They claim to help you discover identity fraud quickly, and mitigate the financial losses associated with a breach (though disguising it as protection). They do nothing to actually STOP identity theft from taking place. Ultimately, they're like an alarm system - it only goes off only after a crime has begun. A layered approach is best: start with good defensive measures to protect your identity from theft, and then layer on monitoring/insurance to buffer against a breach.

I'm not sure whether these articles help us by raising the 'noise-level' for the need for greater identity security, or hurt us by defining the problem as 'unsolvable' and establishing a poor reputation for companies associated with Identity Theft/Fraud solutions. Leave a comment and let me know your take.

Tuesday, May 13, 2008

Pain in the aaS?

I was forwarded this article from the Economist which outlines the new "as-a-service" model now being adapted by cyber criminals. The article makes an excellent point about the continuing migration of software from boxed discs to online services that we 'rent' or use as necessary, and points out the inevitable migration of that model to include malware. Want to conduct a denial-of-service attack on a website without having to build your own army of zombie PC's, or even having any hacking skills at all? You can. Just rent the access from an established cyber-criminal and you can 'borrow' their hack for your personal mission of destruction.

The tone of the article suggests that "as-a-service" is becoming a dirty word, which may be true. However, I think the term is accurate and that the model actually provides an opportunity for greater security. After all, with services living 'in the cloud' you're less prone to local attacks, and the effects are less likely to impact other applications. What's required is secure access to those 'in the cloud' services, so that each session becomes a trip into a secure portal isolated from everything else...I might know something that's a possible solution for that.

Monday, May 12, 2008

FBI Internet Crime Complaint Center (IC3) Report

I was reviewing the latest report from the FBI on internet crime, and found that the disturbing trend of skyrocketing losses continues, despite the number of claims holding relatively steady from it's peak in 2005. This confirms that the cyber-thieves are refining their tactics to focus on extracting more money from every breach or scam. The report includes all types of cyber-crime, but only tallies those that are reported to the IC3, so it's safe to presume that the actual numbers are much higher.

The report calculates that the 206,884 claims received via the IC3 website in 2007 resulted in more than $239 Million in losses. While only a small portion of the cases were specifically cited as 'Identity Theft', all were related to conducting business via criminal websites, email, or auctions. This reinforces the notion that email is a broken system, and that people really do fall for the "Nigerian Letter" scam (1.1% of complaints!). It also demonstrates that the general trust of the internet, websites, and email infrastructure is going to continue to decline, as users discover that there is really no way of knowing the origin of a message, or that they can be sure to visit the website they intend.

Perhaps most disappointing, as a current Florida resident, is the state's #2 position among the top homes for perpetrators. Thankfully I work for a security firm and my home Wi-Fi network is secured (as best as possible); you never know who the internet criminals are.

Thursday, May 8, 2008

SafeCentral Video Introduction

Just finished a brief SafeCentral introduction video, you can see it here.



I learned something in making these snippets: trust your instincts.  I wanted 3 segments outlining (1) the threats people face when transacting online, (2) the solution SafeCentral provides, and (3) a brief overview of the user experience; I also wanted each segment to be no longer than 1.5 minutes.  Trying to fit a complex technical discussion, demonstration, and value proposition into that timeframe forces you to plan a tight script.  However, when I actually sat down to record the sessions (which are live screen-captures, not over-dubs), I realized that winging it was a better and more natural way to go.


Friday, May 2, 2008

30 Years of SPAM

30 Years ago the world got its first taste of SPAM (not the meat product), though the small distribution to 400 recipients is hardly comparable to the BILLIONS of bogus messages sent today. I've often wrestled with the fundamental question of SPAM: "Are there people out there that actually respond to this stuff?", and I always come the same conclusion: "There must be, otherwise why would anyone do it?".

That depressing fact keeps the SPAM growing. However, I think the most profound and unfortunate effect of SPAM is NOT in the people who get scammed, the deluge of bogus mail filling up servers, nor the burden of trash traffic clogging the web. The most profound effect of SPAM is that it broke email. What should be an incredibly efficient, inexpensive and trustworthy tool for communication has been irreparably damaged. As a marketer, I'd love to be able to get a message to my audience via email, but there's virtually no way it will be heard among the noise. More importantly, as a security provider, I often NEED to get a message to my customers that addresses a critical security issue, and yet again the message will be lost in an inbox full of phony Viagra offers.

When you need to get a message to a large audience of people, it's nearly impossible to do it in a cost-effective and timely manner. Print/mail is expensive and slow, telephone calls are equally laborious, and traditional 'advertising' mediums don't allow you to target just your existing customers with an important message.

SPAMMERS have been crying wolf into the email village, and have guaranteed that no one will listen when real danger arises. That is the most unfortunate cost of SPAM.

Tuesday, April 29, 2008

Finovate 08

Our CTO, Ray Dickenson, was kind enough to send me a live update on today's proceedings at FinovateStartup '08 in San Francisco. Ray and Doug Brunt, our President & CEO, took the stage at 8:00AM to show off SafeCentral. It's really our first public unveiling, so what better than to be first out of the starting gate.

Ray said:

"The software performed well during our demo and Doug did an excellent job as the spokesmodel for SafeCentral.

Authentium was randomly picked to present first thing in the morning. Any concerns I had that the audience would arrive late and not be alert and tuned in for an early start were dismissed when I peered through the curtains before we went on stage and saw about 260 faces alert and ready to see new stuff.

Doug and I performed our patented 5-minute demo that showed me logging into Paypal and getting my credentials and account details stolen. Then we launched SafeCentral. I used the absolute latest build that launches the secure desktop and browser in about 3 seconds. In SafeCentral, I logged in to my Bank of America account, sharing my wife's sitekey with the world. Closing SafeCentral, we showed the blank keylogger screen that is familiar to all of you.

As I mentioned, we are now sitting in the audience watching all the other presentations. In about 15 minutes we adjourn to the hallway where 20 display screens are set up for each presenter to run additional one-on-one demos for attendees.

There's the realtime update for you. More later.

Ray"
It can be a daunting challenge to attempt to showcase a solution to a problem as complex and multi-faceted as online identity theft in just 5 minutes, but I know Ray and Doug were up to the challenge.

Coverage and Blogs are just starting to come in, including this post from Christophe Langlois. Christophe is one of the most active and respected bloggers in the world of online banking, social media and associated technologies, and there's a wealth of great content over at visible-banking.com.

Monday, April 28, 2008

7 surefire ways to become an ID theft victim

Rarely do you see highly technical computer security articles address the problem in witty, easy to understand terms. I was happy to discover this post from the Bankrate.com 'News & Advice' section (single-page available here). Sheyna Steiner takes on the topic of Identity Theft with a pragmatic, intelligent, and somewhat comical 'in your face' look at the perils we all willingly expose ourselves to when online. It's a great read, and there's a lot of simple yet informative tips for staying safe.

"Experience the hassles of being defrauded firsthand! If you love bureaucracy and the thrill of waiting in line to talk to government and bank employees again and again, becoming an identity theft victim might be right for you."
Sign me up! I wish every day could be a trip to the DMV.
"For maximum risk, commit the computing equivalent of licking a handrail in a New York City subway station and do some online banking on a public computer -- like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions."
Who hasn't licked the NYC subway station handrail? I thought that's what they meant by the 'flavor of the city'?
"Secret crushes, long lost friends saying "what's up" or strangers hawking cheap drugs -- you'll never know unless you peek at that e-mail."
Thus shattering my fantasy that I had attracted 43 secret admirers today.
"These days one has to assume that any communication with a business or government entity that hasn't been specifically initiated by the consumer with the appropriate authentication process is a complete swindle."
Unfortunate and true.

Tip of the hat to Sheyna and the Bankrate team for this excellent article.

Friday, April 25, 2008

Preview of Upcoming SafeCentral Features

The developers have really been cranking out some great work lately, pushing things forward in the areas we get the most feedback on. Two things at the top of the priority list will be addressed in an upcoming release:

  • Faster Launching
  • Simple suspend/resume and integration into standard Windows environment.
Have a peek at this video for a brief look at these enhancements.
(Looks like YouTube 'chewed' the beginning of the video a bit, but it comes in fine after a moment - apologies)


I'm sometimes blown away but what the coders can do in astonishingly short periods of time.

Wednesday, April 23, 2008

Bitten when browsing

Yesterday's technology blog post at the WallStreetJournal.com is a prime example of how hackers stay ahead of conventional security measures. In the article, Ben Worthen, notes that hackers have migrated their focus from traditional email-based proliferation to more sophisticated and 'silent' means of malware distribution. Just visiting a website can lead to a security breach, as hackers exploit the weaknesses of your web browser and install their nefarious agents on your machine.

This only strengthens our belief that a new paradigm, which breaks away from the reliance on the traditional 'dirty' browser, is required to achieve any semblance of real safety online.

What's most frustrating, as a marketer and someone passionate about our new service, is the summation of Worthen's post - which probably sums up how most people react to news like this:


"The bad news is that there isn’t much individuals can do to protect themselves from these attacks besides using the most recent version of a Web browser and hoping that the attacker’s code is designed to take advantage of an older browser."

Actually, there is something individuals can do. You guessed it: SafeCentral. Since we restrict all untrusted operations, and run our own protected browser, you're vastly more secure when visiting any site from within SafeCentral. More importantly, you're protected from the bugs, viruses, spyware, and other hacker tidbits you picked up while casually surfing in IE or Firefox; so even if the malware is on your machine, it can't be used to steal your identity when using SafeCentral.

How do we get the word out that there is an answer? Feel free to add a comment with suggestions on better communicating the SafeCentral message.

Tuesday, April 22, 2008

A Key to Everything

There's nothing new in the latest survey findings from Accenture; the repeated use of a single password for all online accounts is human nature; who wants to try to remember 17 different username/password combinations in a world as busy and hectic as the high-tech one we live in today?

Nonetheless, it emphasizes how easy we make it for hackers to gain access to our entire life online. Every mail account, forum, banking site, shopping site, easily accessed with that one 'golden key' of a password we use repeatedly. I admit, even as a member of the 'security community', I often repeat my favorite password, or some derivative thereof, on multiple sites. It's just too hard and time-consuming to come up with 15 passwords I know I'll never remember.

We're working on methods to aggregate your passwords into a single, manageable, and encrypted tool within the SafeCentral experience. There are several very useful, encrypted 'password managers' or 'digital wallet' systems available, (as a frequent Mac user, I use the aptly named Wallet; or Roboform when on my PC) and taking the time to incorporate one into your personal data management routine is a great way to improve your personal security, and still keep critical data at your fingertips. Still, gaining access to these encrypted databases is usually accomplished with one 'golden password'. The best protection remains preventing the interception of your password(s) by using a secure, encrypted browser whenever you log on to financial services. All passwords are only as secure as the number of people who know them; we aim to keep that number to just one - YOU - with SafeCentral.

Monday, April 21, 2008

We need more than a seat belt.

PayPal made news at RSA with the publication of a paper that spells out a plan to eventually block older and otherwise "unsafe browsers" from accessing its services. Unfortunately, "unsafe browser" could be an apt description of every standard browser currently in use.

PayPal's plan calls for shutting off access from older versions of Internet Explorer, Firefox (and possibly Apple's Safari, should Apple fail to add the requested features) which don't support the new Extended Validation SSL certificate system. EV SSL certified sites display a green address bar and company name in an attempt to prevent phishing attacks by visually confirming to the user the validity of the site.


It's certainly a better system and a worthwhile addition to the layered security model, but it doesn't solve several underlying issues:

  1. The world's been using SSL certification (those little locks at the bottom of your browser), and other tools for years in an effort to keep users from entering their personal data at falsified sites - and it hasn't stopped the problem from expanding. These visual cues can be spoofed by hackers, and most users simply don't know what they mean, nor pay attention to their existence.

  2. Even if a user could be certain that they're on the actual PayPal site, there's nothing to prevent spyware and other agents from capturing every detail, password, keystroke and screen from that session. The hacker then logs on with the stolen credentials, gets the same reassuring green address bar, and cleans out your account.

The latest browsers, including Internet Explorer 7, and Firefox beta 3, provide no protection against desktop spyware and other tools for 'listening in'. As long as desktop agents are allowed to run unchecked, identity theft - and the resulting fraud - will continue to grow unabated. As long is the industry relies on users to recognize a combination of cues, accept a barrage of alert pop-ups, and navigate the dirty minefield of traditional browsing, the problem will continue to grow. We need a new paradigm, one that separates 'standard' browsing from activities that require real security.

I applaud PayPal's effort to raise the security level on their site by locking out "unsafe browsers", but if it's security they seek, perhaps they should consider locking out all standard browsers and requiring SafeCentral, which supports EV SSL while providing DNS security and desktop malware defense.

PayPal said that allowing unsafe browsers to access its site
"is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."
True. However, seat belts have been standard in cars since the early 60's; perhaps requiring air-bags, and even accident avoidance systems would be a more appropriate goal in 2008. Our goal in developing SafeCentral is to be ahead of the hackers, responding in advance to tomorrow's threats.

Friday, April 18, 2008

An ounce of prevention...

The old adage says that "an ounce of prevention is worth a pound of cure"; and nowhere is that more true than in the world of Identity Crime. I was encouraged to see that Peter Piazza of NewsFactor pressed this point in his first look at SafeCentral.

There are two terms used seemingly interchangeably to describe the problem: 'Identity Theft', and 'Identity Fraud', but these terms describe two distinctly different events. The difference between these events highlights the reason we created SafeCentral, and why it is such an important factor in the defense of your identity and your money. An ounce of identity theft prevention is worth a pound of identity fraud cure.

According to Webster's Dictionary, theft is "the action or crime of stealing"; fraud is "wrongful or criminal deception intended to result in financial or personal gain". You can't commit identity fraud without first having committed identity theft. It is therefore paramount to one's personal security to safeguard the data that can lead to identity fraud. SafeCentral aims to provide just such protection, isolating your online activities from prying eyes and assuring that your usernames, passwords, and personal credentials remain secure.

The importance of prevention becomes evident when you look at the true cost of a cure. There are several prominent (worthwhile, I might add) services that can monitor your credit and raise an alarm should someone try to conduct a fraudulent transaction or application in your name. In addition, many of these services will go the extra mile and insure you against disastrous financial loss. Unfortunately, they cant make the clean-up after an identity breach any easier. You're still going to spend as long as a year getting all new credit cards, perhaps a new social security number, closing out or migrating at-risk accounts, cleaning your dirtied credit, and realigning all of the payments and pay services that were auto-billing to your various accounts. In short, you're going to pay in sweat and tears what you don't pay in plain cash.

As with all security, a layered approach is best; but nothing can substitute for a SOLID first line of defense. In the case of online identity crimes, that means prevention - which means SafeCentral. Combined with an up-to-date desktop security suite, and adequate credit monitoring or fraud prevention services, SafeCentral can sure up your identity and give you the freedom and confidence to transact online at your leisure, and save you from ever having to fight to recover a stolen identity.

Peter's article is one of the first I've read that accurately differentiates the actions of theft and fraud in the internet age. We at SafeCentral, and the entire team at parent-company Authentium, are excited to be bringing to market the first truly end-to-end identity theft prevention service.

Thursday, April 17, 2008

Launch Day Recap

Wow, what a day.

Fortunately our press release was well-received, which led to a full day discussing SafeCentral's revolutionary approach with press and analysts from across the country. I'm impressed with how quickly people seem to grasp the concept, and how many say they have been waiting for a solution like SafeCentral. Even the most security-conscious and diligent analysts I spoke to said they were going to install SafeCentral for their personal use; which is a reassuring testament to the value of our new service.

Allan Maurer, from TechJournal South, inquired about SafeCentral, offered superb feedback, and had this article up in a flash.

David Utter, from SecurityProNews, has always provided excellent analysis of online security, and took a fresh look at SafeCentral in his recent article.

I'm thrilled to finally have the opportunity to discuss SafeCentral with the public and press, and excited about the opportunities in the days and weeks to come to continue to share our message.

SafeCentral Arrives!

Welcome to SafeCentral!

We officially launched our secure Internet portal a few minutes ago: http://tinyurl.com/3jeh47, and I must say that after over a year of work, it’s great to finally go live.

The main question we get asked by family, friends, and colleagues is:

"What is SafeCentral and why do I need it?"

It’s simple, we created SafeCentral to give users the freedom to surf the Internet in complete privacy and safety. Over 50 percent of PCs are already infected with spyware, even though most have antivirus, anti-spyware, and firewall software installed. Clearly, traditional security products are not enough anymore. By creating this secure portal, we are hoping to restore users’ confidence in shopping, banking, or even filing taxes online and to actually prevent ID theft.

So, how do we do it?

SafeCentral prevents cyber crime and identity theft by locking down PCs, launching a secure browser, and connecting users to a trusted portal of their favorite destinations. We use our patent-pending TSX technology to create what we call a virtual “concrete bunker” that safeguards users from viruses, spyware, Trojan horses, keyloggers, phishers, man-in-the-middle attacks, screen scrapers, DNS poisoning, Wi-Fi interception – you name it. We eliminate the confusing avalanche of threats and free you to use the internet the way you want.

What we love about SafeCentral is users don’t have to change the way they work or waste hours scanning for threats that have already compromised their computers – SafeCentral takes care of your privacy with a single click. Our portal shields desktops from all the nastiest threats without limiting flexibility, functionality, or usability. We believe it is the only answer to preventing ID theft. I'll be blogging more soon about the often confused terms of 'identity theft' and 'identity fraud', because so many other approaches focus on the wrong side of these distinct problems.

Give it a try http://www.safecentral.com. We hope you like it. Let us know if you have any questions or suggestions on how to make it better. We’ll listen and get back to you ASAP.