Tuesday, June 10, 2008

Testing Confirms SafeCentral Security

Sometimes you can get so caught up in the work to build, prepare and launch a product into market, that you forget to stop and measure it against your original vision. Does it solve the problem you intended to solve? After all, the rest is just presentation and packaging; if you don't meet the benefit statement you've promised your customer, you've already failed.

With that in mind, we commissioned IRM's world-renowned security testing team to evaluate SafeCentral. We were ecstatic to see that SafeCentral met or exceeded every claim, and indeed is 'certified' to provide true privacy when transacting online. We've outlined the results in a Press Release this morning, but I wanted to take a moment here to elaborate on the report.

There are 3 points of peril when it comes to sharing sensitive information online. First, and most importantly, is the user's PC. A compromised system infested with spyware agents is an identity thief's greatest ally. Second, is the connection to the site, you can't transact safely unless you know who you're transacting with (and know with certainty that it IS the site you intend). And finally, is the authentication of user and site to one-another. With multi-factor authentication, websites have done a pretty good job guarding up #3, but items 1 and 2 have been left open for far too long. SafeCentral was built to sure up these holes.

According to the IRM Report:

In all scenarios, it was observed that SafeCentral adequately protected a user's browsing session by ensuring no keystrokes entered in the secure Firefox web browser were intercepted. Viewing logs from various keyloggers clearly indicated that keystrokes entered in the duration SafeCentral was active were clearly missing. This was true for both user and kernel land keyloggers.
SafeCentral was built to cripple desktop spyware agents, like screen-scrapers and key-loggers, even if they're successfully installed and functional on the user's PC. Every one of the more than 20 spyware agents thrown at SafeCentral was unable to capture the activities during the SafeCentral session. And on item #2:

The first test involved editing the virtual machine's "host" file to contain static entries that would redirect requests for websites supported by SafeCentral to test websites setup by IRM consultants. However, when SafeCentral was launched, the user was not redirected to the static entries and was presented with genuine websites.

SafeCentral identifies the websites your visiting against our known directory of safe sites, and ensures that you can't be re-directed to phishing/pharming sites meant to steal your credentials.

Again, while I'm happy to pat ourselves on the back, the important thing here is that we tested ourselves to ensure that we live up to our security claims, and our promise to our customers. There is too much false information and 'snake oil' already in the identity theft sphere, we need bring real solutions to market.

So, now we'll go back to putting the best possible presentation, polish, and packaging on SafeCentral.

1 comment:

Anonymous said...

so I'm curious... I'm looking at safecentral as a personal 'secure sandbox' implementation, which is good.

A couple questions:
- How do you protect against even lower threats, ie rootkits that may intercept below the windows calling layer?
- Is there any bi-directional authentication for DNS or other central services, to prevent MitM attacks?
- Our site uses 'fingerprinting' to validate the browser... how does your browser look in HTTP request headers?