Wednesday, June 25, 2008

The Road to Safety

One of the biggest challenges with any security product is trying to find the proper balance between security and usability. The two goals often seem at odds with one another; after all, for each thing you make possible, you may open a door for exploitation. We made it a priority at the beginning of the SafeCentral project NOT to sacrifice the security of our solution, so we've been tirelessly seeking ways to provide a seamless experience without softening the security promise. The suspend/resume functionality I previewed earlier (now in the live build) is an example of that. We provided the ability for SafeCentral to seamlessly co-exist with your other applications/activities, without inviting the weaknesses of those applications into our safe environment.

We've achieved similar success with a new browser plug-in feature that actually INCREASES the security of our product by offering configurable alerts to the user when the site they're trying to visit might warrant the extra safety of SafeCentral. The same framework can be used to prevent phishing, by filtering URLs against known phishing sites. The great thing about this function is that it doesn't alter or weaken the security of the SafeCentral environment in exchange for simplicity, but provides the user with a completely seamless experience that makes SafeCentral a part of their normal workflow. I like to think of SafeCentral as the secure companion to your everyday browsing, and nothing makes that companion easier to access than this plugin feature.

As a self-described technology geek, I'm often asked by friends, neighbors and relatives for advice on what electronics to buy. One of the most common requests is which camera to get. I've read the reviews, tested various units, and formed plenty of opinions about the features that I think matter most. However, I often recommend a camera with lower resolution, fewer features, and other sacrifices. Why? Because "the worst picture you can take is the one you never take". Which is my way of saying that features and image quality are great, but if you don't have your camera with you because you can't stand lugging it around, all of those features aren't going to matter. So, get the small one that fits in your pocket. The same principle applies to security software design; the only security that matters is the security that you use.

So, we've gone to great lengths to provide many 'on-ramps' to the SafeCentral experience: the Programs menu, desktop icons, the taskbar, your normal browser and more all can invoke a SafeCentral session. As a user, that means you'll have the option to enter the safe environment whenever the whim, need, or opportunity arises, without having to remind or retrain yourself to do it. That, more than anything, is the most powerful form of security: security you'll use.
The attached video previews the plugin function; I welcome comments and look forward to its release in our July build.

Tuesday, June 10, 2008

Testing Confirms SafeCentral Security

Sometimes you can get so caught up in the work to build, prepare and launch a product into market, that you forget to stop and measure it against your original vision. Does it solve the problem you intended to solve? After all, the rest is just presentation and packaging; if you don't meet the benefit statement you've promised your customer, you've already failed.

With that in mind, we commissioned IRM's world-renowned security testing team to evaluate SafeCentral. We were ecstatic to see that SafeCentral met or exceeded every claim, and indeed is 'certified' to provide true privacy when transacting online. We've outlined the results in a Press Release this morning, but I wanted to take a moment here to elaborate on the report.

There are 3 points of peril when it comes to sharing sensitive information online. First, and most importantly, is the user's PC. A compromised system infested with spyware agents is an identity thief's greatest ally. Second is the connection to the site: you can't transact safely unless you know who you're transacting with (and know with certainty that it IS the site you intend). And finally, there is the authentication of user and site to one another. With multi-factor authentication, websites have done a pretty good job guarding #3, but items 1 and 2 have been left open for far too long. SafeCentral was built to shore up these holes.

According to the IRM Report:

In all scenarios, it was observed that SafeCentral adequately protected a user's browsing session by ensuring no keystrokes entered in the secure Firefox web browser were intercepted. Viewing logs from various keyloggers clearly indicated that keystrokes entered in the duration SafeCentral was active were clearly missing. This was true for both user and kernel land keyloggers.
SafeCentral was built to cripple desktop spyware agents, like screen-scrapers and key-loggers, even if they're successfully installed and functional on the user's PC. Every one of the more than 20 spyware agents thrown at SafeCentral was unable to capture the activities during the SafeCentral session. And on item #2:

The first test involved editing the virtual machine's "host" file to contain static entries that would redirect requests for websites supported by SafeCentral to test websites set up by IRM consultants. However, when SafeCentral was launched, the user was not redirected to the static entries and was presented with genuine websites.

SafeCentral identifies the websites you're visiting against our known directory of safe sites, and ensures that you can't be redirected to phishing/pharming sites meant to steal your credentials.
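The IRM test above tampered with the hosts file so that a supported site's name resolved to an attacker-controlled address. The page does not describe how SafeCentral detects this, so what follows is an added example of this editor's own, not the product's mechanism: it parses hosts-file text and flags any entry that pins a protected domain (or a subdomain of it) to an address outside the directory's known set. The directory and the hosts-file content are constructed sample data.

```python
"""Flag hosts-file entries that override protected domains (added example).

The known-address directory and the hosts-file text are constructed sample
data; this is not SafeCentral's code and its real check is not described on
the page.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed directory: protected domain -> addresses the genuine site uses.
KNOWN_SITES: Dict[str, Set[str]] = {
    "bank.example": {"192.0.2.10", "192.0.2.11"},
    "broker.example": {"198.51.100.5"},
}

# Constructed hosts-file content: loopback lines, one injected redirect line
# (pharming), and one static entry that agrees with the directory.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
203.0.113.77    bank.example www.bank.example   # injected redirect
198.51.100.5    broker.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, skipping comments and blank lines.

    One hosts line may carry several names; each becomes its own pair.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # canonical form
        except ValueError:
            continue  # malformed address; a real tool would report the line
        for name in fields[1:]:
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def protected_parent(name: str, known: Dict[str, Set[str]]) -> str:
    """Return the protected domain that *name* equals or falls under, or ''."""
    labels = name.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in known:
            return parent
    return ""


def find_overrides(text: str,
                   known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (hostname, address) for every hosts entry that pins a protected
    domain to an address outside that domain's known set."""
    flagged: List[Tuple[str, str]] = []
    for addr, name in parse_hosts(text):
        parent = protected_parent(name, known)
        if parent and addr not in known[parent]:
            flagged.append((name, addr))
    return flagged


if __name__ == "__main__":
    for name, addr in find_overrides(SAMPLE_HOSTS, KNOWN_SITES):
        print(f"hosts override: {name} -> {addr}")
```

This catches the specific redirection IRM tried, but it is only one layer: a hosts file is one resolver input among several, and a compromised resolver or router would produce the same wrong address without touching the file. The address comparison is therefore a detection signal to pair with end-to-end checks of the connection itself, such as TLS certificate validation, rather than a substitute for them.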

Again, while I'm happy to pat ourselves on the back, the important thing here is that we tested ourselves to ensure that we live up to our security claims, and our promise to our customers. There is too much false information and 'snake oil' already in the identity theft sphere; we need to bring real solutions to market.

So, now we'll go back to putting the best possible presentation, polish, and packaging on SafeCentral.

Thursday, June 5, 2008

ID Fraud on the rise

According to leading industry analyst Avivah Litan, and a recent study by Carnegie Mellon cited in this PC World article, Identity Fraud has been on the rise over the last year and a half and is projected to maintain a meteoric rise.

Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are also getting better at what they do, she added. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."

"The thieves are just getting better and there's more fraud," she said.

It appears that despite the recent focus on new authentication systems, and stronger data warehouses, the hackers are adjusting their tactics to take advantage of holes in the security chain. As discussed here many times before, the weakest link is likely: You, and your malware-infested PC.