SafeCentral Blog

Boo! Are your employee's computers haunted?

2010-10-29T12:47:00.004-04:00

These are scary times for information security professionals who face increasing demands for protecting sensitive company information and at the same time are supporting more and more employee-owned devices connecting to the corporate network.

In my last posting I mentioned an Information Week article that I will return to this week. The article describes how anti-malware software is not getting the job done. The author was focusing on enterprise IT organizations protecting corporate networks and devices.

But the successful evasion of software defenses that malware authors are enjoying in the enterprise is even more troubling when we look at the Bring Your Own PC model of corporate computing. In this model company employees use their own PCs and laptops to access enterprise resources. Bring Your Own PC could also be called "Bring Your Own Malware." If million dollar enterprise software budgets cannot keep the hackers away, how can we assume an employee-owned PC will be free of infection?

"Bring Your Own PC" could also be called "Bring Your Own Malware"

There are two eye-opening statistics in the Information Week article, derived from a Ponemon Institute survey of IT and IT security practitioners: Nearly 80% of companies report malware evades their antivirus systems, and almost half report malware infections take longer than 30 days to remove. That's a long time for malware-infected computers to continue connecting to corporate networks and accessing sensitive data--and these are fully managed PCs controlled by corporate IT. The numbers must be much worse for employee-owned PCs. Last year Trend Micro reported their results from monitoring 100 million compromised IP addresses: half of the addresses showed signs of infection for over 300 days.

Nearly 80% of companies report malware evades their antivirus systems, and almost half report malware infections take longer than 30 days to remove.

SafeCentral Enterprise delivers secure remote access even from machines that are compromised with malware. SafeCentral blocks the keylogging and other data-stealing techniques of malware, providing focused protection for web, VPN, remote desktop, hosted virtual desktop and other client sessions. You can learn more here.

Protecting Corporate Data on the Edge

2010-10-20T16:23:00.005-04:00

Information is money and modern criminals know how to get their hands on both. Enterprise IT professionals are severely challenged these days to keep corporate data both protected and available to authorized users at the same time.

Going to Sea in a Sieve
Greg Shipley called out security software vendors in this InformationWeek article, pointing out that: "...we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize."

When it comes to endpoint PCs I have to agree. The problem I see is that the Windows PC is too open, too programmable, with too many APIs and too many extensible applications like web browsers and productivity suites. This creates a rich environment for malware authors to infiltrate and take up permanent, or at least persistent, residence as a malicious ghost haunting the machine. From this position a malware operator can harvest sensitive data, including authentication credentials, customer records, employee data and other sensitive information.

IT teams have the strange mandate to deploy an extremely flexible operating system, but immediately take flexibility away from end users. This creates a tug of war between security and usability.

Benefits of Data Centralization
These facts are inducing a reverse in the swing of the IT pendulum, which is now moving back to centralization. Cloud-based apps, which keep data-at-rest in the data center, are helping to limit the physical spread of data and keep it under tight control behind many layers of physical and network protection. Hosted Virtual Desktops like Citrix XenDesktop do the same thing for entire virtual machines..allowing IT to build, deploy and maintain virtual PCs inside the data center and then deliver them over the Internet to thin client applications like the Citrix Receiver.

Don't Forget the Endpoint
Centralization is good for data, but not for people. The workforce has become more distributed, working from home or the road or a branch office. The point is that data can be stored centrally in the data center but it must be used out on the edge of the network; that's where the users are. In most cases, "the edge" still means a Windows PC or laptop (I exclude call centers from "the edge").

The information security benefits of data centralization are lost when unmanaged or semi-managed endpoint PCs connect to the data center. All the risks that Greg Shiply called out then come into play:

"Walking into the CEO's office and saying that the products you've spent a small fortune on are effective only at stopping novices and for checking off compliance forms? That takes more intestinal fortitude than most can muster."

Centralized Data with Secure Remote Access
I think the pendulum is swinging to a safer place. Centralizing data and functionality, along with endpoint lockdown and secure remote access create a formula that works. Network Access Control (NAC) was an attempt to ensure that only properly secured endpoint computers could connect to a corporate network. But NAC relies on the imperfect Antivirus and Firewalls Greg Shipley called out as ineffective.

Here at SafeCentral we are addressing the risks to data in use on remote endpoints differently. We do not protect the endpoint, we protect the data..while it is in use. We provide a Secure Desktop that protects against keyloggers, screen-scrapers, DNS redirection, code injection and other threats. From the Secure Desktop the user launches their VPN client and logs in, with full anti-keylogger protection for their username and password. Once connected to the VPN and while on the Secure Desktop, the user can only run applications white-listed by the IT administrator. "Thin client applications" like Citrix or Microsoft Remote Desktop are perfect fits for the SafeCentral Secure Desktop (see my earlier posting: Patented Data Loss Protection). Users can switch back and forth between the locked-down Secure Desktop and their normal Windows desktop, multi-tasking throughout the day. This gives them the benefit of extreme lock-down while accessing corporate data, with an option to switch out to the more open environment of the standard Windows desktop when they want. The data on the Secure Desktop remain protected.

Centralizing data and functionality, along with endpoint lockdown and secure remote access create a formula that works.

Examples of White-listed Clients on the SafeCentral Secure Desktop:

Cisco AnyConnect VPN

Juniper Netconnect VPN

Juniper Citrix Services secure proxy

F5 Firepass VPN

Citrix XenDesktop or XenApp

VMWare View 4.5 Client

Microsoft Remote Desktop Client

SafeCentral SafeBrowser (a locked-down web browser)

Attachmate

more on the way...

If you are interested in hearing more, please drop me a line at rdickenson/at/safecentral/dot/com or post a comment here.

$10 Million Stolen in 3 Months by an e-Crime Gang in London

2010-09-28T23:35:00.011-04:00

The London Metropolitan Police Central e-Crime Unit arrested 15 men and women who stole nearly $10 million from online bank accounts in only 3 months. The gang infected the personal computers of unsuspecting Internet users with a mass-market crimeware trojan named "Zeus" and transferred the money out of their victims' online banking accounts.

Police representatives said the total amount of money stolen will likely climb as the investigation proceeds.

The Zeus trojan is a very effective piece of "crimeware," software designed to conduct online crimes, that can be purchased for $300 on black market websites. Willing criminals do not have to be computer experts to operate a Zeus network. The authors of the Zeus trojan have automated most of the details of the crimeware's operation, and even offer guarantees that it will not be detected by antivirus programs.

The Zeus trojan comes with a "Command and Control" server that collects stolen data and can be configured to control hundreds of thousands of infected PCs, issuing instructions on how and where to transfer funds automatically out of online bank accounts.

The Zeus trojan is a top money-earner for online criminals worldwide. We use Zeus in our tests of SafeCentral WebProtection and verify that SafeCentral blocks the trojan's data-stealing features. Below is a screenshot from a control test of the Zeus trojan, showing keystrokes being collected out of a Bank of America online banking session when SafeCentral is not being used.

Stolen Data Report from a Zeus Trojan Server

Patented Data Loss Protection from SafeCentral, Inc.

2010-09-06T17:44:00.011-04:00

It's been a busy summer for SafeCentral and I am eager to share the results of our hard work. We've put out a couple of press releases recently that hint at the action going on behind the scenes: we got the first of 5 patents assigned to our Trusted Security Extensions (TSX) technology and just completed the sale of our antivirus business to Commtouch. First I'd like to say that the Commtouch folks have been a real pleasure to work with over the summer as we put together a deal that makes a ton of sense both to them and us. That transaction allows us to focus on proactive data and application protection powered by TSX and embodied in our SafeCentral product. TSX brings unparalleled protection to sensitive data for consumers and enterprises alike.

There is no better signal of our focus than renaming the entire company to SafeCentral, Inc.! We will be launching a new website in a couple of weeks that takes the wraps off some additional products we are bringing to market.

Our consumer product is going strong--we will be announcing several distribution partnerships for SafeCentral over the next few weeks. We will also be announcing some of the new things we have been working on for enterprise customers. Here is a sneak peek at endpoint data protection for thin client access methods such as Virtual Desktop Infrastructure (VDI), Virtual Applications, and Remote Desktop.

Data Loss Protection for XenApp Clients

SafeCentral featured on AOL.com

2010-04-27T10:58:00.003-04:00

SafeCentral is featured today in one of the lead stories on AOL.com. In a story about phishing, "If You Get This E-Mail, Delete It ASAP," a sidebar focuses on how SafeCentral helps secure your online shopping and banking transactions. SafeCentral is available to AOL subscribers at a 50% discount.

Tax Season Starts with FBI Report on Doubling of Internet Crime

2010-03-17T17:11:00.009-04:00

The IRS refunded $43.5 billion to tax filers last year, 72% of whom filed electronically (GAO report here). That much money and sensitive information flowing over the network attracts the attention of online thieves who move in like grizzly bears during a salmon run. Today I will share a few tips on how you can avoid being snatched up by the bad guys while you do your annual patriotic duty to help fund Uncle Sam.

First it is worth noting that dollars lost to Internet crime doubled from 2008 to 2009, topping half a billion dollars in the US. The 2009 Internet Crime Report released on Friday listed average losses at over $5,000 per incident with a mean loss closer to $500. The report pointed out that prosecution of online crimes is difficult because the victim and perpetrator "may be located anywhere in the world."

The same convenience that electronic tax preparation and filing presents to the tax payer can also work for the criminal. Simply having an electronic copy of your tax return on your computer can expose you to risk. Last August a Seattle man was convicted of fraud when a lucky break allowed authorities to catch him with tax returns, financial aid applications and other documents pilfered over the Internet from family computers across the country. Frederick Wood used file-sharing programs to search for keywords like "tax return" and find documents on personal computers thousands of miles away. He used information in these documents to commit financial fraud.

Tips for Safe Tax Filing

Start with a clean machine: don't use the same computer to prepare your taxes that you use for social networking like Facebook and Twitter. Online criminals use these services to spread malware via links that appear to come from friends, or even through display ads that can infect your computer even if you don't click on them.
Turn on WiFi Encryption: if your home network uses WiFi, make sure it is encrypted with WPA or at least WEP. Consult your wireless router manual or the manufacturer's website for setup instructions. Unencrypted wireless networks can allow thieves to connect to your network and gain access to sensitive documents on your computer even when you are not at home.
Run a full antivirus scan: antivirus can't catch everything, but running a full scan before performing sensitive work like tax filing will give you the best chance for privacy. These scans can take an hour or more to run, so plan ahead and let the scan run overnight before your marathon tax session.
Use unique passwords: if you are signing up for a new online tax filing service, resist the impulse to use that same password you use for everything else. Create a password that is memorable only to you--use something you can see from your computer, like "Green Vase" but mix it up with some punctuation and other characters: "Green--Vase:)" Just don't break the vase!
Remove dangerous programs: if you have a file-sharing program like LimeWire, remove it or carefully review the files it is sharing. Latest versions of LimeWire will no longer share documents by default, but many users do not update software and may be running with an older version. If you want to keep your file sharing program but be really sure you are not sharing sensitive files, ask a friend to connect to your library and see what you are sharing (see LimeWire's "Direct Connect" feature). You should know, however, that file sharing programs are a major source of malware infection.

While the Clean Machine is the best bet for safe filing, you may be planning on using your tax refund to buy your new laptop--this puts you in a bit of a chicken-egg situation. For you, we have SafeCentral. SafeCentral creates a "clean desktop" on your existing computer, shielding you from keyloggers and other nasty programs that try to steal your sensitive information. You can give it a try free for 14 days here on the website. That should be plenty of time to get your taxes filed and decide whether a small piece of your refund is worth the price of protecting you online all year with SafeCentral.

PC Magazine Four-Star Review of SafeCentral 2.6

2010-01-11T11:47:00.008-05:00

We earned 4 stars in the PC Magazine review of SafeCentral 2.6 that review that appeared on Friday. I am very happy to see the review up on the PCMag.com home page.

The reviewer, Neil J. Rubenking, commends our ease-of-use and the real-time feedback we give users on the safety of their web sessions. Our support for 64-bit platforms, including XP, Vista and Windows 7 was also noted.

One of the "Cons" in the review is the closed nature of the SafeCentral browser. We do not allow any and all browser plugins. We see this as a strong positive. On our work computers we are used to the network admins at our companies limiting what we can install and run, and which websites we visit. We understand that these constraints are necessary to protect company assets. Now is the time for us to recognize that we need to exercise the same control over our home PCs and laptops. When we sign into our bank or online retirement account, we should think and act differently--we have more to protect at this moment that when we are watching the latest funny YouTube video or posting a photo to Facebook.

Just like the iPhone is carefully managed by Apple to ensure the quality and security of iPhone applications, we recognize that browser plugins can introduce additional risks into sensitive web sessions and seek to protect users from those risks. Increased security almost always comes with some impact on usability. With SafeCentral, though, you still can use your regular browser and those Digg and Flickr toolbars to do all your fun stuff. Use SafeCentral for serious web stuff like banking, stock trading and tax filing.

Twitter Hack and the Iranian Cyber Army

2009-12-18T06:46:00.013-05:00

(See continuing updates to this story below.)

Earlier this morning a DNS hack took control of Twitter.com traffic and redirected to a website with a splash page proclaiming, "THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY." This hack has a lot in common with the Dr.Hiad website defacement I reported on two weeks ago.

New information
The so-called Iranian Cyber Army has defaced websites in the same manner as Dr.Hiad. At this moment (7:35AM Eastern Time) there is a website displaying the exact image that Twitter users saw earlier today during the Twitter hack event. A screenshot of that web page is shown below. The webpage contains an email link to the Iranian Cyber Army's Gmail account.

It is likely that the Twitter DNS attackers simply pointed "twitter.com" to the IP address of a defaced website like the one below. It would not make sense for them to point Twitter traffic to their own web server: that would allow them to be traced and possibly caught.

When the Twitter attackers realized they could take over Twitter's DNS, they had to decide where to point the traffic. Redirect it to comedycentral.com? Disney.com? Or how about a defaced webpage bearing the image of the Iranian Cyber Army?

There is some chance the Twitter attackers executed both the website defacement and the DNS takeover.

Screenshot of Iranian Cyber Army Website Defacement

DNS is Fundamental
DNS is the Internet service that kicks in when we type a website name into our browser or click a link on a web page. Type "twitter.com" into your browser and DNS will lookup the IP address of the Twitter web server so your browser can connect and download all those tweets. As fundamental as DNS is to our Internet experience, it has virtually no security, particularly on our home computers and Internet connections. Also, the DNS servers "up in the cloud" are rife with vulnerabilities that enable attackers to gain control and carry out pranks like the Twitter redirection this morning.

Updates

December 18, 2009 8:20AM - Update
The defaced website that Twitter users were directed to, shown in the screenshot above, is an online forum for the Green Freedom Wave, an Iranian reform movement.

December 18, 2009 9:08AM - Update
The Green Freedom Wave website was hosted at Netfirms, a managed web server company that is well-known to website defacers who exploit weaknesses in web and database servers. These web hosting companies offer lots of functionality, including web sites, databases and online shops, at very reasonable prices. However, these features also can make them vulnerable to compromise.

The website defacement is the minor part of this story. The DNS takeover is extremely serious, especially since it happened at Twitter.com, which receives over 20 million visitors per month. If the Twitter.com site had been redirected to a web page containing malware, a huge chunk of the Internet population would be infected. Perhaps I should say a "huger" chunk: 35 million computers infected per month with one type of malware.

December 18, 2009 10:35AM - Update
The Green Freedom Wave website was probably hacked using SQL Injection, Remote File Inclusion, or similar techniques that are well-documented on the web. Note the signature line of Dr.Hiad from my earlier post. Remote File Inclusion allows an attacker to exploit a script on the target website to replace the home page of the website.

December 19, 2009 7:49AM - Update
Busy day yesterday speaking to reporters and colleagues about the Twitter DNS compromise. Here are a couple of stories:

eWeek:
http://www.eweek.com/c/a/Security/New-Twitter-Attack-Details-Emerge-175634

Computerworld:
http://www.computerworld.com/s/article/9142485/Twitter_s_own_account_caused_blackout_says_DNS_provider

Securing the Cloud

2009-12-08T18:38:00.002-05:00

I will be a speaker at a free cloud security webinar sponsored by Enterprise Florida on Thursday, December 10 and 2PM Eastern Time. Cloud computing is a topic generating both hype and anti-hype right now. The anti-hype comes mostly from the security community warning that the benefits of fast, easy development and hosting are just what we do not need right now.

Also presenting will be Chris Day, Chief Security Architect at Terremark, and Alex Eckelberry, CEO of Sunbelt Software. The event is moderated by Esther Schindler, author and industry expert.

See you there!

Dr.HiaD: Islamic Terrorist or Teenager Having Fun?

2009-12-01T21:25:00.023-05:00

Click image for expanded view

Let me steal my own thunder and go with Teen Having Fun.

Earlier today the campaign website of Bill Connor, candidate for Lieutenant Governer in South Carolina, was defaced with a graffiti-like image in the typical fashion of juvenile hackers.

Screenshot of the Bill Connor Website Defacement
Source: FITSNews Political Blog (not verified)

Click image for expanded view

The hacked page included a small amount of Arabic text, which got the attention of the candidate and former US Army officer, who served in Afghanistan. A statement on his campaign's Facebook page said, "I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law."

"I do hope this serves as a wakeup call to the continuing danger we face in South Carolina from the threat of radical Islam and shari’a law."

Bill Connor

Was this a political act by Isamic extremists? Examining the facts makes it hard to draw that conclusion. There are many valid threats to our safety on the Internet today, but it is important to isolate the facts and not rush to judgement when it comes to identifying and prosecuting true crime online.

"Hi ADmin your security = 0" Thus reads the graphic that displaced the candidate's home page. That statement is a poke in the eye at the web hosting company that operates the web server (not the candidate) and is typical of widespread pranks conducted by computer savvy kids who enjoy exercising their technical skills to penetrate weak server configurations from far across the Internet and leave their mark.

"Dr.HiaD" in this case is the online nickname used by the hacker. Dr.HiaD has taken credit for over one hundred such website defacements. I have seen lists of URLs of over 4,000 web pages with his signature on them. Other pranksters have perpetrated many more thousands of website hacks and even keep track of their scores. See below a screenshot of one such scorecard showing recent defacements by Dr.HiaD. The score for all "players" on this website is a staggering 43,000 on December 1, 2009 alone.

Website defacement scoresheet of Dr.HiaD
Source: Ray Dickenson

Click image for expanded view

I have blocked out the website names in order to prevent readers from attempting to visit these sites, which may now host malware that can infect PCs. But you can see Dr.HiaD is a prolific defacement artist.

Another site Dr.HiaD hacked, that also contained a short snippet of Arabic script, was the website of a Chinese baby products company. Again, I will withhold the name of the site, but share the graphic that was posted there.

One of many other websites defaced by Dr.HiaD
Source: Ray Dickenson

Click image for expanded view

Who is Dr.HiaD? He appears on an Arabic hacker website with the below signature. Now, when it comes to teenage hackers, it is difficult to believe everything we read. Is Dr.HiaD really 15-years-old? Is Dr.HiaD from Morocco? Hard to say for sure, but I believe he (or she) is. These pranksters must balance two competing goals: (1) not getting caught and (2) claiming and receiving credit for their exploits. For young hackers, recognition normally trumps caution. On the score-keeping website mentioned above, there are hackers from Singapore, Russia, India, Switzerland, Germany and many more countries around the world. So Dr.HiaD really could be from anywhere.

Dr.HiaD Signature on Hacker Website
Source: Ray Dickenson

Click image for expanded view

One last point about the colors used in Bill Connor's website defacement. Some of the English letters appeared in white, green and red with black background. It is true that these are Islamic colors. But they are also the simplest colors to use in web pages. The RGB color codes for these colors are: FF0000, 00FF00, 000000, FFFFFF. Extremely simple for kids making web pages who do not want to be bothered with shades like 0CF1E2, CECE28. They are also stark and strong. Perfect for a prankster.

Let's close with a comment about the first screenshot above (source: Ray Dickenson). That one came from the website of an auto accessories company in China that was hacked by Dr.HiaD. Is this a photo of the real Dr.HiaD? Probably not. But it does convey something about the Dr's personality and the artistic flair of his or her pranks. Many teenagers who crave technical accomplishment and get into trouble pursuing recognition for their talents grow up to be valuable contributors in the computer field. Ask Michael "MafiaBoy" Calce or Kevin Mitnick.

December 2, 2009 - Update
I spoke with Susanne Schafer of the Associated Press about this story, and she wrote an article that appeared here.

December 3, 2009 - Update
The dramatic image in the first screenshot above comes from an Italian photographer, posted here on Flickr: Amegliocchi. One interesting connection is that a large number of Italian language websites were defaced by Dr.Hiad.

Connection to Dr.Hiad splash screen courtesy of TinEye, a pretty effective reverse image search engine. Want to find photos of you on the web? Try TinEye. If you dare :)

SafeCentral: New York Times article says it "protects users even if there’s malware on the computer"

2009-11-18T22:50:00.004-05:00

A few weeks ago I demonstrated SafeCentral to Riva Richmond of the New York Times. She wrote an article appears in Friday's New York Times covering a "new breed of products" that address online identity fraud. The article features SafeCentral alongside other new services that directly address online threats to our identities and bank accounts. Riva Richmond points out that traditional tools like antivirus are struggling to keep up with the flood of high-tech crimeware that invades our computers to install keyloggers or conduct automated phishing.

This article is not an online holiday shopping scare fest. It provides helpful information on tools consumers can use to proactively protect themselves and remain safe and happy through the new year.

Twitter: The Internet is a more dangerous place

2009-11-03T16:29:00.011-05:00

Twitter has made it extremely easy for people to share news and web links and at the same time has created a boon for online criminals. It is hard to find a web service that has done more to make malware distributors' jobs easier.

I don't mean just the explosive growth in the Twitter user base. Microblogging in general, and Twitter specifically, contribute to malware distribution in fundamental ways that must be re-examined and corrected.

Here are the Twitter features that make it so dangerous:

Twitter usernames are easily harvested in vast quantities

Criminals can send tweets to anyone on Twitter

Twitter encourages its users to share without thinking

Twitter and supporting services like bit.ly strip away critical context

Twitter is programmable and can be automated using their published APIs

Twitter features look like an Internet criminal's wish list.

While each of these features has appeared to some degree in other Internet services like email and instant messaging, Twitter has taken them to a new level and -- as icing on the cake -- got celebrities like Ashton Kusher and Miley Cyrus to help fuel the frenzy of massive sharing.

Before describing how these features introduce vulnerabilities hackers can exploit more easily than ever, let's be clear that this is not Twitter bashing. There is a reason Twitter has become so popular: it clearly meets a need shared by many millions of users. On Twitter.com we see people using the best features of the Internet to be more connected and more informed. But just as we think twice about attending large gatherings during a swine flu pandemic, we should also think twice about sharing links on an infected Internet.

Okay, let's look at our hacker wish list in more detail.

Twitter usernames are easily harvested in vast quantities

Compared to email, collecting huge lists of Twitter usernames is incredibly easy. Part of the attraction of Twitter is that anyone can see what all the users are up to, including seeing usernames. Showing everyone what everyone else is saying is a great way to encourage new users to join the fun. It's also a great way to build a list of users to target.

Quality email lists, on the contrary, are harder to build. Malware authors have been very creative in building tools to collect email address lists. The Warezov worm, for example, would scan a PC for email addresses and then send itself to those addresses to continue the process. These worms, however, require a user to open a binary attachment to start the process, and then require the next recipients to do the same.

Warezov and other email worms were pretty darn effective, but gathering lists of Twitter users does not require jumping through such technical and social engineering hoops. The public nature of Twitter usernames, combined with the Twitter API (see below), make it outrageously easy "crawl" across Twitter and build massive lists of users.

Here is an interesting look at a Twitter-crawling app created by some good guys -- repeat Good Guys! -- that demonstrates the concept.

Looking at the image above, it is important to note that not only are lists of usernames easy to build, but relationships between users are also publicly available on Twitter, raising the possibility of targeted attacks against organizations using (seemingly) inside information. ("Harry Reid said you should respond to this: [click here]")

Criminals can send tweets to anyone on Twitter

Now that we have a huge list of usernames that we generated in a couple of hours, our next step will be to send them malicious links to infect their computers. Before the rist of Twitter, there were other methods malware distributors used to get links in front of people. "Spim" is the term of sending spammy links through an Instant Messaging (IM) network. But the Instant Messaging model calls for users to establish relationships by a two-way handshake. I add a new user to my contact list, they see the request and choose to accept the relationship. Then I can send messages. Now, it is true that malware writers can circumvent this requirement for a handshake but, like the email address harvesting example above, it requires malware engineering to get around protection designed into IM systems. On Twitter there is no such requirement.

Twitter has a similar model wherein I follow you and you follow me. But you do not have to choose to follow me in order to see messages from me. I can follow you, see your tweets, and send a reply that you will see in your reply box. The Replies page is labeled "Tweets mentioning [myusername]". And on Twitter, who does NOT want to see tweets mentioning them? (Miley Cyrus aside.) Compared to the effort of hacking an IM system to send unsolicited links, Twitter makes it very easy for anyone to send links to arbitrary users.

So I build a huge list of usernames, follow all the users, wait for them to tweet and then reply with: "You are so right and this proves it: [click here]"
At this point, the only thing keeping my huge list of users from clicking the link is a good dose of caution. And Twitter is not about caution. Read on.

Twitter encourages its users to share without thinking

Stepping out of the technical realm for a moment, let's look at the Twitter social phenomenon. Twitter is not about privacy. Twitter is about massive-scale sharing. The tagline on the Twitter home page is, "Share and discover what's happening right now, anywhere in the world." And, "Join the conversation." THE conversation. Not one on one conversations with your known friends. We're talking about The Big conversation that we crawled through collecting our usernames up in step one.

Twitter does provide Public or Protected accounts. But the default setting is public and the message is clear: don't be shy. Jump in the deep end of the pool.

On top of that, the first step you see after creating an account is "See if your friends are on Twitter" and a web form that asks for your Gmail, Yahoo or AOL email password. Yes, your password. Twitter will log into your email account and retrieve your contact list to see if there are matching Twitter accounts. Doesn't this sound just like our friend Warezov described above?

Of course these are features designed to maximize the number of users and connections between users, and that's the attraction of Twitter. The sunny day scenario is positive one that helps build the Big Conversation. What we are doing here is looking at these features with an eye on how they contribute to the spread of malware across the Internet.

So to recap: we have a huge list of usernames with known relationships between users, we can send any of them a link that includes some apparently familiar context even though they don't know us, and the users are in a hurry. Tweets are short and sweet and meant to be posted and read frequently. This favors the social engineering malware distributor who hopes the users do not spend too much time deciding whether or not to click a link in a tweet.

Twitter and supporting services like bit.ly strip away critical context

Tweets are very short messages that don't leave a lot of room to establish familiar context. "Check this out: [click here]" is a classic line from emails that distribute malware.

The shortened URLs that appear in tweets remove all the warning signs that indicate dangerous links. When a link appears in your email, an IM message or a tweet it is important to inspect the URL and see where it goes before clicking on it. If we receive a message that looks like it is from a friend asking us to look at their vacation pictures, we have a chance to be suspicious if the URL ends in a .ru (Russia) or .cn (China). It's not likely that our friends chose a Russian or Chinese photo hosting service. Or if the link is purportedly from our bank but the URL looks like http://aimee.pl345xxx.ru/scripts/infector/clickit.html, we might be wary about clicking it.

Would you be suspicious of this URL?

http://aimee.pl345xxx.ru/scripts/infector/clickit.html

URL shortening services like bit.ly, tinyurl.com or tweetburner remove all the useful context and turn all URLs into generic nonsense. There is no chance for a user to screen out risky URLs when they are shortened.

How about this one?

http://bit.ly/YTmnD

Then there is the risk of someone penetrating the URL shortening service itself and hijacking previously shortened links to point them to malware sites. Over 2 million shortened links were hijacked this summer at URL shortening service Cligs.

Twitter is programmable and can be automated using their published APIs

As I mentioned above, Twitter provides an Application Programming Interface (API) that lets developers create programs to automatically exercise Twitter features. Features that the API does not support can be accessed by automating web requests as described here: Scripting Twitter with cURL.

Countermeasures

As we have seen, Twitter is a feature-rich malware distribution platform with a ready-to-go user base of 25 million Tweeters who are predisposed to do exactly what the bad guys want: click it fast. Here is a short list of things users can do protect themselves:

Protect your tweets: Go into your Twitter settings and click the "Protect my tweets" checkbox at the bottom. This will remove you from the public timeline and only people you approve can follow your tweets and send you replies.

Check those short links: Network security firm Sucuri provides a free service that scans shortened URLs with McAfee SiteAdvisor and Google's SafeBrowsing service. It's available here: http://sucuri.net/index.php?page=tools&title=check-url. AVG's LinkScanner is also an option that will scan all the links you visit in a supported browser.

Use Twitter security tools: Security tools designed specifically for Twitter are starting to appear on the market. I haven't evaluated them yet, but one recent example is Krab Krawler from Kaspersky.

Windows 7 Security versus Usability: The Beat Goes On

2009-10-15T18:01:00.003-04:00

Usability and security are competing goals: the more secure a computer is, the harder it is to use. The easier a computer is to use, the less secure it is. In my opinion, Windows 7 is easier to use than Vista.

With Vista, Microsoft introduced User Account Control (UAC), which frequently shows pop-ups asking the user to confirm any configuration changes, like changing network settings. UAC was one of the biggest usability problems with Vista and was lampooned by Apple in one of their hilarious "I'm a Mac and I'm a PC" commercials."

With Windows 7, Microsoft backed off on the UAC prompts, which greatly improves usability. My personal observation as a user is that Windows 7 is much more pleasant to use than Vista. This is important, because UAC had the effect of making the entire Vista experience very un-fun and slowed adoption of an operating system that has other important security improvements.

However, as is nearly always the case, increasing operating system usability also increases security risks -- risks of infection and compromise of data and functionality. The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge. Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge. A post on the Windows 7 Engineering Blog explains some of the thinking behind the no-prompt-to-turn-off-UAC issue.

The story gets much more complicated at this point. If malware is on the computer, hasn't the game already been lost? Why worry about UAC if a password-stealing Trojan is on your computer? The answer lies in the difficulties inherent in identifying a program as goodware or malware. If my son downloads a game (goodware) that has been secretly tampered with to introduce malicious capability (malware) that tries to change my system configuration, I will not see a UAC prompt warning me of the configuration change. The first step of this malicious code will be to turn off UAC and avoid warnings. I cannot depend on antivirus to detect the malware, and I cannot depend on UAC to put up a prompt that will make my son say, "Daaaaaaad??!"

Will the Internet be there when you need it?

2009-10-13T17:06:00.002-04:00

I have an article appearing in TechNewsWorld about the reliability of Internet web services. The Twitter outage in August shocked a lot of people and called into question the dependability of Internet-based services. In this article I look back on other notable outages -- eBay, MySpace, and Yahoo have all had their bad days -- and look into the root causes of the failures.

While researching the article I read "Mafiaboy: How I Cracked the Internet and Why It's Still Broken." This is the story of distributed denial of service (DDoS) attacks that took down Yahoo, CNN and other websites in February of 2000. The perpetrator was a 15-year-old high school student from Montreal who had built up his DDoS capabilities by hacking university and corporate servers for many months. If a high school student with no budget can take down top websites, it's clear that politically-motivated adults with even modest funding can do the same or worse.

The Importance of a Good (Consumer) Education

2009-09-17T14:45:00.005-04:00

Vicki Salemi posted an article on SheKnows.com about shopping securely online. Educating consumers about safe online behavior is extremely important, and Vicki is certainly doing her part.

The article highlights ecommerce safety tips I shared with Vicki this summer. These tips are even more important as we head towards the holidays, so I'll recap them briefly here:

It is best to shop on "name brand" websites that are well-known and have a distinctive look and feel. Unfamiliar websites that look cheap and poorly designed are not a wise place to spend money, even if they have eye-popping prices.

Check the address bar in the browser when you are ready to buy, reading from left to right, and be sure it starts with "https://" followed by the name of the website and ".com".

It is best to type the name of your favorite shopping website into the browser to get started. Clicking on links in emails is a risky way to start an online shopping excursion, since the links may be fake.

Don't forget to log out when you have made your purchases. If you remain logged in and then go browsing other sites, it is possible for malware to use that login in surprising ways.

Don't make purchases on public computers. Do you use public computers in libraries or other places? Don't enter your credit card or other information into computers that aren't yours. They may have information-stealing software that can give your credit card number to the bad guys.

Pay attention to what your anti-virus program is telling you. If it says it needs an update, get the update. If it says it expired, renew it.

High-level Attention on the Growing Cyber Crime Threat

2009-09-14T15:27:00.005-04:00

A couple of weeks ago we warned that small businesses and local governments are being ripped off by online thieves who have learned to tap into commercial bank accounts by infecting computers with crimeware.

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs met to hear from government and industry experts on the growing threat of cyber-crime targeting small- and medium-sized businesses. In his opening remarks, Committee Chairman Joseph Lieberman focused the hearing with the question: "What can be done by the public and private sectors to make commercial cyberspace secure, especially for organizations that can’t afford to have large IT staffs on the job 24/7?"

“The latest targets of cybercrime are small- and medium-sized businesses." Senator Joseph Lieberman

He went on to cite the same recent thefts from small businesses and local governments we talked about in this blog a couple of weeks ago. You can check out the hearing yourself: Cyber Attacks: Protecting Industry Against Growing Threats.

How to Protect Your Commercial Bank Account

2009-08-25T11:53:00.018-04:00

Remember in Ferris Bueller's Day Off, when Principal Rooney watched on his computer as Ferris' number of days absent ticked down..down..down? Ferris had hacked into the school computer and was "adjusting" his attendance record right under the nose of the principal.

Online criminals may be doing the same thing to your bank account. Crimeware operators are stealing money right from under the noses of consumer and commercial banking customers who may not be able to recover the stolen funds.

Crimeware - viruses that get onto your computer and steal money from your bank account

Security researcher Joe Stewart of SecureWorks details the workings of a piece of crimeware dubbed "Clampi". "Clampi is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions. Any user whose system has been infected by Clampi should immediately change any and all passwords used on that system for any websites, but especially financial credentials." Full report here.

Here are examples of recent thefts from commercial bank accounts:

Bullitt County, Kentucky: $415,000 stolen from the county government bank account by a ZeuS trojan infection. The county was able to recover $105,000 but is still out $310,000. The bank points out that the theft occurred on government computers, not bank computers.
The Western Beaver School District in Pennsylvania had $704,610.35 in school funds transfered out of its bank account to 42 other accounts as far away as Puerto Rico by a virus on a Western Beaver computer system. The bank was able to reverse $263,413.34 of the transfers, leaving the school district with a $441,197.01 loss. The school district is suing the bank to recover the full amount plus interest.
Slack Auto Parts in Gainesville, GA lost almost $75,000 due to fraudulent transfers of funds from its commercial bank account by a Clampi trojan. Once again, the victim was able to get back $14,000 but is still missing over $60,000.

Brian Krebs of the Washington Post Security Fix blog now reports that users of commercial banking accounts are being warned to take extra precautions with the computers they use to do online banking. Brian reports that the Financial Services Information Sharing and Analysis Center is recommending that its members "carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible."

This guidance reflects an important reality about today's Internet-connected computers. If the same computer used for online banking is also used for general web browsing, email and other Internet activities, there is a strong likelihood the computer will become infected with money- and password-stealing crimeware. We cannot assume that our computers are free of this malware that evades detection by even the best antivirus programs.

In fact, my position is that it is better to assume the computer has been compromised and take special steps to perform online banking as safely as possible. At Authentium we have created SafeCentral for just this purpose. SafeCentral creates a separate Secure Desktop that protects passwords, bank accounts and other information from crimeware.

SafeCentral provides the following protection:

Block keyloggers: stops crimeware keyloggers from stealing usernames, passwords and other account information

Blocks screenshots: Prevents crimeware from taking "snaphots" of web pages that display bank account balances and other sensitive details

Secure DNS: Provides its own secure DNS lookups to stop DNS-changing crimeware from sending you to fake banking sites that steal your account credentials.

High-tech Protection: Stops code injection attacks that can snoop on banking session even when they are protected by the familiar "HTTPS" and lock icon appearing in the browser.

Browser Security: Prevents malicious browser plugins from infiltrating the browser and performing real-time fraudulent bank transactions.

As you can see, we built SafeCentral to provide a separate, hardened environment on computers you already own to provide a safer online experience. Even if you buy a separate computer for online banking, we recommend that you also install and use SafeCentral to provide that extra measure of protection.

Update:
September 15, 2009: Replaced links to news stories with new, non-broken links

Give Your PC a Back-to-School Check-up

2009-08-24T13:58:00.010-04:00

While parents are getting their kids to re-focus on math and English, it's also a good time to get the computers in the house ready for school, too.

After a long and busy summer of playing games, downloading music and browsing Facebook, PC's can be out of shape or downright dangerous for serious use. Here is a handy guide for giving your computers that back-to-school check-up.

1. Remove Dangerous Programs
P2P File Sharing programs like Limewire, eMule, or Shareaza are typically used to download pirated music, games and other programs. "Other programs" can include viruses, as I described here. Besides getting a computer infected with viruses, File Sharing programs can also make every document on your computer visible and available to users all around the world--users you don't know (and probably don't want to know). A Seattle man was sentenced earlier this month to over 3 years in prison for stealing tax returns, bank statements and canceled checks from computers all across the country.

2. Free up Disk Space
Windows needs gigabytes of free space to run properly. When important security updates are downloaded by Windows Updates, they may fail to install because of insufficient disk space. Here is a guide from Microsoft on freeing up space on your hard drive. You might ask the kids to find and delete music or videos they know they don't need anymore.

3. Run a Full Virus Scan
You do have antivirus software, don't you? If not, install a security suite immediately. AVG offers a free antivirus program you can get here. Today's antivirus programs are on all the time, watching for badware and blocking what they find. But they don't stop everything the first time they see it. So it's a good idea to pull up a chair, find your antivirus program's "Manual Scan" or "Full Scan" feature and let it run for the hour or more it may take to search the entire computer for badware. Don't worry, you don't have to sit there and watch it. Just check back periodically to see if the scan is complete and review the findings. Choose to "Quarantine" any malware that was found.

4. Set Internet Time Limits
It may have been okay for kids to stay up late on the computer during the summer, but if you want your kids to get a good night's sleep on school nights you'll need to set some limits. First, talk to your kids and agree on an appropriate schedule and the "lights out" policy for computer use. How do you monitor and enforce this policy without watching them every minute? Many security suites include Parental Controls options to set time limits on Internet usage. Wireless routers also have this feature. You can read about Netgear's here . World of Warcraft has an excellent Parental Controls feature that allows parents to create a separate password for managing a time schedule that the game servers will all enforce; the game will log your child out at whatever time you specify. (See screenshot, below) Other online games and most game consoles have at least some ability to control game play.

5. Check Printer Ink and Paper
Okay, this is an easy one. Remember the big lemonade stand banner the kids printed out this summer that used up all the yellow? You won't want any excuses when it comes time to print out that homework. So check for printer paper and get an extra ink cartridge for the printer. That way you'll avoid any "teacher's dirty looks" when your kid hands in their first assignment printed out in magenta.

Settings Play Schedules for World of Warcraft

Are you contributing to the Twitter Denial of Service Attack?

2009-08-06T12:05:00.006-04:00

Twitter has been dealing with a denial of service attack this morning that has resulted in millions of users not receiving or posting tweets.

These days denial of service attacks typically are launched from botnets--large numbers of consumer PCs that have been infected with Trojans that wait to do the bidding of the "bot-herders" who manage them. The users of these machines may not know anything is wrong other than, "Gee, the Internet seems slow today." Their Internet is slow because their computer is sending lots of traffic to the targeted site, in this case twitter.com. The bot-herders collect infected machines and then rent them out. Twitter is such a high profile site, it may be just a bot-herder or one of their customers wanting to show off the power of their bot net.

Is your computer a member of one of these botnets? It's not easy for the average Internet user to find out. Seeing rapidly blinking lights on your cable modem even if you aren't using your computer may suggest something is going on. But it could just be an updater downloading a new Firefox or operating system patch.

You may not be too worried about the state of Twitter. But you should Know that botnets can be told to do many things. They can be instructed, for example, to download keyloggers or other data stealing malware. The stolen data is then shipped off to collection servers where the bad guys can then use your bank username and password to steal money.

Keep your antivirus up to date and perform a full scan if you're a little concerned.

Download and use SafeCentral if you want to bank and shop without the worry. SafeCentral users talk about this stuff here: community.safecentral.com.

Update:

It may be coincidental, but we saw a large increase yesterday in our virus-collection network. We received 200 times the normal average of emails with malicious attachments. One node, for example, went from 10 items to 2000 in a day. These were phony emails telling random recipients that a UPS parcel could not be delivered and asking the reader to "print out the attached invoice". The attachment was not an invoice, it was a trojan.

Example of the email. Do not open the attachments in these emails if you get one!

Four-star review of SafeCentral

2009-06-02T15:48:00.005-04:00

PC Magazine published a review of SafeCentral 2.0 today, giving our latest version 4 stars. You can read the entire review here. Neil Rubenking, the reviewer, looks at a lot of products and has a good eye for what works and what doesn't. This is his second look at SafeCentral.

If you haven't given SafeCentral your first look yet, here is a little flash video to whet your appetite. Visit www.safecentral.com for the full story.

Safe Travels

2009-05-06T16:29:00.005-04:00

I've been on constant travel for the past month, connecting to various hotel, airport and coffee shop wireless networks, and talking with people about information risks while on the go. More and more travelers--business people, vacationers, kids and grandparents--are using laptops, netbooks and smartphones to stay connected, informed and entertained on the road and in the air. Our computers are more susceptible to infection by malicious software when we are on the move, connecting to different networks and dealing with distractions caused by unfamiliar surroundings and fear of missing a connecting flight. We are also far away from our safety net of computer support, whether that is the computer help desk at our company or the "computer guru" friend you can depend on to help you out of a jam.

True Story
I was sitting on an airplane at the Charlotte, NC, airport waiting to return home after visiting a couple of banks. Another business traveler sat down next to me and asked if I connected to the free Wifi the airport provides in the terminal. "I connected to the network and saw a certificate warning page," he said, "I clicked past that page and a few minutes later my McAfee antivirus started alerting me about viruses on my computer." I introduced myself and offered to take a look when we got up to cruising altitude.

We opened his laptop and I reviewed the virus alerts and looked in his browser cache. He said the only thing he did was connect to the network and open his browser, which loaded the Yahoo home page. I saw the file McAfee was complaining about, which was a download triggered by a javascript file downloaded from a server in China about a minute after the Yahoo home page loaded.

A little more reverse engineering and I found that a flash ad on the Yahoo home page had infected the computer and installed a downloader which started downloading all manner of malware. McAfee was not telling him it had blocked the infection, it was telling him he was already infected. The first Flash exploit got right past his antivirus protection with no problem. It wasn't until the second or third install of malware that McAfee finally noticed something was up.

Turns out the guy was general manager of a US company and this was the laptop he used for his corporate computing, commercial banking, everything. I strongly recommended that he rebuild the laptop, reinstall all the software and in the meantime refrain from any banking or other sensitive online use. But he was on the way to important meetings and far away from his IT support group. I invited him to stop by our offices near West Palm Beach, Florida for some cyber-assistance but I never heard from him again. I'm pretty sure he continued to use his compromised laptop, perhaps after trying multiple antivirus scan-and-clean routines.

Preparing for Travel

Given the increased chances for malware infection while traveling, here are a few things we can do to be safer on the road. These steps should be completed the day before you head out on your business trip or vacation.

1. Update Windows - Run Windows Updates and install all updates. This is your chance to let Microsoft close as many holes as possible in your operating system and Microsoft programs.

2. Update Applications - Adobe Flash Player, Apple Quicktime and a few other applications are closely tied to web browsing and are prone to exploitation if they are out of date. In the anecdote above, an out-of-date Flash Player was responsible for the business traveler's infection. Run the vulnerability scan at Secunia for free. It's a great tool that shows you what is out-of-date and gives easy links to click to make it all better (see screenshot below).

3. Update Antivirus - And, of course, make sure your antivirus is updated with the latest definition files.

Secunia Online Scan for Out-of-Date Applications

Making sure your operating system, application programs and antivirus are up-to-date will give you the best chance to stay safe during your travels. Good luck!

Quips and Comments - RSA Conference 2009

2009-04-24T14:13:00.003-04:00

I just returned from the RSA Conference in San Francisco where the focus was on cloud security, identity theft, data protection, and online fraud prevention. The Expo floor was busy, with lots of foot traffic and a higher-than-expected level of energy. Especially from the guy who escaped a straightjacket while balancing atop a high-rise unicycle and pitching a security product. We all have to multi-task.

More than half of my meetings were in hotel suites and other locations away from the Moscone Center. Power-walking between venues, it took me a while to realize that the biz-hipsters in hair gel and rock-star sunglasses were not the new wave in computer security--they were from the AdTech conference in the Moscone Center West. Yes, geeks, infosec is still in our hands.

The "gubment" was there--in the towering National Security Agency booth/condo. They could neither confirm nor deny jamming my iPhone.

More seriously, Defense Secretary Robert Gates was interviewed during the week on CBS News about cyber-spying. It's worth noting that the same basic techniques are used by spies stealing government secrets and crimeware operators stealing consumer identities. If the government cannot stop spies from stealing secret plans for our latest fighter planes or infiltrating presidential campaigns, what chance do ordinary citizens have protecting their bank accounts?

I'd like to thank Neil Rubenking, PC Magazine Lead Analyst and AppScout contributor, for taking the time to meet with us, talk about SafeCentral 2.0 and post his observations on AppScout.

When Websites Attack

2009-03-30T12:22:00.009-04:00

Wouldn't it be crazy if a banking website infected our computer with a virus that steals money from our bank account? If you agree, then get ready for a big dose of crazy. Here's the inside scoop on a banking website we discovered doing just that: infecting its customers' computers with banking malware.

[Quick note: 60 Minutes ran a segment yesterday on infected websites. You can view the segment here. They interviewed a woman who watched her bank account get hacked before her very eyes.]

During a routine scan of banking, shopping and financial services websites, the virus lab here at Authentium discovered malicious code on the website of a credit union in Lousiana. The code, which would have been invisible to us humans, was inserted at the bottom of each web page on the site. Here are some Before and After shots of the site, showing the source code:

Before

After

What does this code do?

Any Internet user who pointed their browser at the site would have the bad code downloaded and run inside their Internet Explorer or other web browser. The web browser would run this code just like all the other "good" code that shows us the text, images and links that make up the web page we're viewing. The bad code is smart. It pulls down more code from various places, jumping from China to the Ukraine and back to China. It's pretty tough for the good guys to track down the bad guys with that kind of world-hopping behavior. Here's a simple view:

During Step 3, the code tries to infect our computer, betting on the fact that our Windows software is not up to date like Microsoft warns here, or we have not updated our Adobe PDF viewer like Adobe warns here and here. In spite of these warnings from software vendors, an alarming percentage of computers remain out-of-date and vulnerable to infection.

The code in Step 3 is identified on http://www.virustotal.com/ as the (variously named) Zbot Trojan. The trojan installs a keylogger, steals sensitive data and enables fraudulent banking transactions. One thing to note in the following screenshot is that only some antivirus products detect the infection. If you were running Trend Micro or McAfee when you visited the site you would not have been protected.

http://www.virustotal.com/ analysis of the infection

So the upshot of the above is: simply browsing to the credit union website can get you infected with a trojan that steals your money.

How did the code get there?

It's likely that the company managing the website did not keep the operating system, database, web server or other software up-to-date, allowing criminals to gain administrative access to the server and insert the bad code. They need to make sure the servers are up-to-date with the latest patches from Microsoft and the other vendors, just like we need to do with our own computers.

Happy Ending?

The malicious code has been removed from the banking website we are profiling here. That doesn't mean it won't be back. Authentium continues to scan banking and shopping websites to make sure that users of our SafeCentral secure browsing service are as protected as possible. SafeCentral is designed to provide safe web transactions even if you've been unlucky enough to visit a website that has infected your computer.

Kids Download the Darnedest Things

2009-02-26T21:33:00.011-05:00

As a kid I loved to hunt wild creatures, trap them and bring them home alive. Snakes were my favorite. My mom still tells the story of my bringing home a four foot reptile during her tea party with neighborhood moms.

These days kids are just as likely to introduce dangerous creatures of the digital kind into the home computer.

An interesting segment appeared on NBC's Today Show this morning that describes the risk. The story focused on kids who downloaded and used a file sharing program to access music online. Unfortunately they were using the same computer that Mom and Dad used to prepare the family tax return and did not realize the completed tax forms were shared for the entire world to see! Any identity thief could simply type "Tax Return" into their own file sharing program's search field and find the family's 1040 form ripe for the picking. The family profiled in the Today Show story had their tax form filed electronically by an online thief who was very happy to receive their $2000 tax refund.

There are more insidious risks to file sharing networks: they are an excellent means for spreading Trojans that quietly infect computers, remain under your antivirus radar, and do more long-term damage than grabbing a tax return. File sharing programs are used by millions of users around the world to download "free" software. Need Photoshop but don't want to spend the money? File sharing programs can deliver you a "cracked" copy (a permanent free trial) or a key generator you can use to generate your own license key. Bogus key generators ("keygens") are the most common form of malware on file sharing networks.

Malware distributors watch for file sharing searches of any and all keywords and immediately offer up files that match the keywords. Searches for "Benjamin Franklin" in a file sharing program will return hits like "Benjamin Franklin keygen" or "Benjamin Franklin Greatest Hits." The files these search results point to can be executable programs or songs and videos that can deliver infections to computers that play them.

Here is an example of a file sharing search this morning. The marked entry, "benjamin franklin KeyGen," is identified by Authentium's Command Anti-Malware as "W32/Trojan2.FXIS." This is a trojan that infects the Windows login service so it runs every time a user logs in. What does it do next? Anything it wants to.

These infections can include Banking Trojans, Keyloggers and DNS Changers that are described elsewhere on this blog.

Kids do download the darndest things. Authentium's SafeCentral provides secure banking and shopping even on computers that may have been infected by the kids.

Now I'm going to call my mom and remind her that none of the snakes, crabs or lizards I brought home ever emptied the family bank account.

Update:
March 16, 2009: A couple of media outlets picked up on this story over the weekend:

Dallas Morning News - Pamela Yip covered the story in Sunday's paper here:
Protect your personal data when filing taxes online

MarketWatch - Andrea Coombes included it in last Friday's Taxing Times and will be following up with more this week in the Market Watch Personal Finance section

The Next Internet..Now

2009-02-17T14:10:00.003-05:00

Internet Security is broken, and the best way to fix it is to start over. This is the idea presented in an excellent article in the New York Times this weekend: Do We Need a New Internet? John Markoff describes "a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over."

This is an excellent topic for debate and discussion among Internet technologists and everyday users alike. Technologists can (and will) endlessly debate the merits of a revolutionary approach like the Clean Slate program at Stanford versus a more evolutionary approach to incremental improvements like deploying DNSSEC and IPv6. Whichever approach we take, it is safe to say the solution will take decades to develop and get into mass deployment.

But the fact that stands out clearly is: Something Must Be Done.

Authentium has taken a revolutionary approach to Internet security and developed a solution that gives users access to The Next Internet, now. We recognized the limitations of DNS and the critical impact its compromise can have on Internet transactions. We saw the "maddening" failure of antivirus and firewall suites in their efforts to keep computers clean of infection by identity-stealing malware that allows criminals to "take over someone's computer from half a world away."

So we developed SafeCentral, which has its own Secure DNS and its own hardening against the keyloggers and screen-stealers found in Banker Trojans. Our goal was to create an island of safety on a computer that is otherwise adrift on an unsafe Internet, which is the only Internet we have right now.

Is there Safety in the Cloud?

2009-02-10T15:25:00.008-05:00

Web applications that run in Data Centers can be well-protected with physical, network and system security by applying sufficient people, processes and technology to manage infrastructure that is directly under the control of operations staff.

Unmanaged endpoints, like desktop computers of tele-workers or laptops of mobile users who access these applications, can introduce holes into an otherwise complete security model.

The best efforts of server and network professionals can protect data in the server farm, but data that originates from or is downloaded to compromised endpoints is subject to theft and exploitation.

So, yes, there is safety in the cloud, but the endpoint is another matter.

Authentium's SafeCentral is an endpoint-based solution that creates a secure footprint on an otherwise unmanaged computer to allow it to access sensitive data and applications and block data leakage. Such leakage can result from mass-market or targeted attacks on endpoints that install keyloggers, SSL data hijackers, remote access tools or other malware.

SafeCentral creates a managed session on an otherwise unmanaged computer. SafeCentral applies special, restrictive policies to the unmanaged operating system during web application usage such that data and functions the application makes available can be shielded from monitoring, recording and theft by malware that has infected the endpoint.

Examples of shielding include:

Blocking keyloggers

Blocking screen capture

Preventing code injection that can steal data even out of SSL/TLS-protected web connections

Providing alternate, secure DNS lookups that bypass vulnerable DNS resolvers

Providing browser lockdown that blocks malicious plugins and extensions

Online banking is a good example of extremely sensitive web applications that run on unmanaged clients. Banking trojans are increasingly used by online criminals to take advantage of these access points to create a multi-billion-dollar industry of fraudulent transactions. The largest banks around the world will be deploying SafeCentral to their clients during 2009.

There will be many interesing ways in which remote desktops, virtual machines or virtual browsers on the client side, and other security approaches evolve over the next decade. Given that Citrix Winframe has been available for over a decade, it's clear that these technologies take time to achieve maturity and large-scale deployment.

SafeCentral is available now as a managed service that provides a secure web application client on Windows endpoints that are prone to infection and exploitation even when antivirus, antispyware, firewall and other security software is already installed. Data Center staff cannot also take responsibility for keeping endpoints clean of malware, but they can require use of SafeCentral to access their server-side applications and rest assured that web sessions remain private and protected.

Where Did All the Nice Web Sites Go?

2009-01-22T17:41:00.010-05:00

There is a new report out from Websense that summarizes their research into the status of web-based malicious code in the second half of 2008. The major takeaway for me was: there are no safe web sites anymore. By "safe" I mean not likely to contain malicious code that will infect your browser or your computer.

Here are a some snippets from the report:

77 percent of Web sites with malicious code are legitimate sites that have been compromised.
By "legitimate sites" they mean web sites that Internet users would not expect to be hosting malicious code. Sites like the New York Times, Business Week, and CNET. It's remarkable that Websense numbers show there are more legitimate websites distributing malware than there are malicious websites set up by the bad guys!

70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
A large majority of the most-visited web sites on the Internet either had malicious content on them or had links to malicious sites posted by users who exploit social networking features like comments and messages.

39 percent of malicious Web attacks included data-stealing code.
If you regularly visit web sites in the top 100 most-visited sites, chances are you were exposed to malware. You could still be safe if your operating system, web browser and plug-ins like Adobe Viewer and Flash were all the latest versions AND you did not encounter an exploit for an unpatched vulnerability. Secunia's statistics show that less than 2% of computers are fully patched, and over 45% have 11 or more insecure programs.

These numbers show the shocking truth: there is a very high chance an average Internet user will get infected with data stealing malware even if they stay on the well-lit, well-traveled portions of the web.

Dedicate a Computer for Banking and Shopping
My advice is to keep a dedicated computer for banking and shopping. Here is a checklist for this "safe computer:"

Make sure Windows Updates are set to automatic.
Always keep Adobe and Flash plugins up-to-date (make sure you don't click on fake update windows).
On this dedicated computer, never visit any social networking site like MySpace or Facebook.
Do not view any videos.
Do not check your email.
Do not read news sites.
Do not install any programs other than a web browser like Firefox or Safari.
Do not use Internet Explorer.
Wipe the disk and re-install Windows once every three months (more frequently if it starts behaving erratically)
If you are up to it, use Linux rather than Windows

I know this is a large list and it may be easier to lose weight and quit smoking than abide by its rules. I hope you're not reading this list on your dedicated safe computer, because you will have just broken a rule!

Another thing you can do is install SafeCentral and use its secure browser for banking, shopping and financial services. We built SafeCentral knowing that there are too many hoops a user needs to jump through to keep their identity and their money safe online.

The Promiscuous Browser in a Dangerous World

2008-12-18T09:21:00.011-05:00

Microsoft released an urgent patch for a critical Internet Explorer vulnerability yesterday, highlighting the risks our web browsers represent to our online safety. Web browsers in general, and Internet Explorer specifically, are the most promiscuous programs we run on our computers. "Promiscuous" refers to the quantity and diversity of web sites we visit, content we view, programs we download, and sensitive information we exchange when browsing the web. Browser promiscuity also refers to what happens after we type a URL into the address bar. The browser first downloads an HTML page that includes tags and pointers to other content: images, stylesheets, scripts and videos. This content can come from many different web servers operated by many different organizations and can carry harmful data that infect our computers, steal our data or just sit there, undetected, until an online criminal issues remote commands to bring it to life.

Richard Adhikari posted an excellent article on InternetNews.com that describes the Internet Explorer patch, why it was necessary and what it means for online safety going forward. The multitude of exploitable features in Internet Explorer make it an excellent target for online criminals seeking to gain control of our computers and our bank accounts.

Simply put, it is not reasonable to use one browser for everything we do on the Internet. It is important for us to segment our web activities into two basic buckets:

Casual Web Use
Casual use includes reading the news, listening to music, researching recipes, and clicking links to the latest must-see Flash video our friends send us in email.

Sensitive Web Use
Sensitive use includes online banking, shopping, applying for a job, or any other transaction that requires information we would not want everyone to know.

Casual use is where we are most likely to get our computer or browser infected. It's easy to visit hundreds of websites a month, clicking from link to link, moving from reasonably safe websites to a dangerous Internet neighborhood where crimeware infections are likely to occur. Sensitive use is where we are most likely to get our money or identity stolen if we are using an infected computer or browser. Moving from one activity to the other with the same browser is just not smart. I like the excerpt from court-ordered wiretaps of Illinois Gov. Rod R. Blagojevich, quoted here from a Department of Justice press release:

"assume everybody’s listening, the whole world is listening."

That is smart advice for Internet users. If you have casually browsed the web for a few weeks or months on your computer, there is a high likelihood you have been infected through a web browser vulnerability. Infections can include "banker trojans," password- and money-stealing programs that listen in to your online banking sessions. So, when you move from casual use to sensitive use, assume the whole world is listening.

Safe Web Use
A new category of web usage that we are pioneering at Authentium is "Safe Web Use." Safe Web Use means we assume "everybody's listening" and still protect your sensitive online transactions. Our SafeCentral service helps to automatically switch between Casual and Sensitive web use and kicks in extra protection to block crimeware that got past your antivirus software during a casual web browsing session. SafeCentral stops keyloggers, screen-stealers, harmful browser plug-ins and many other crimeware components. We also provide a Secure DNS services that protects against another class of threat: DNS redirection.

So, be sure you get yesterday's Internet Explorer patch. But please understand that yesterday's patch will not protect against tomorrow's exploit. In October Microsoft released an unscheduled, critical update for Windows. Chances are the online criminals are already working on exploits we will only hear about in January or February.

Also be sure to check out SafeCentral and be safe even if everybody's listening.

DNS Changer Learns a New Trick

2008-12-09T17:46:00.007-05:00

SANS, Symantec, McAfee and others have reported on a new trick that malware is using to redirect unsuspecting users from authentic web destinations--the name we type into the browser address bar or pick from our favorites--to a web server operated by the Bad Guys. These guys can set up web sites that look just like the real Citibank or Wachovia but are designed to steal our user ID and password or transfer money out of our account.

The trickiest part of the new trick is that we can follow all of the best security advice and still be susceptible. If one user on a Wifi network is infected with this new DNS Changer, all users who connect to that network can have their DNS settings changed by the one infected computer. So that guy who is halfway through his latte when you sit down in the coffee shop and open your laptop could be a threat to you. Even if you are super careful about the websites you visit and the security software you have installed.

How?
DNS is the Internet-wide system that translates names like "online.mybank.com" into the numerical address our computers need to actually connect to MyBank. If the Bad Guys control your DNS, they control where your web browser really goes when you think it is going to PayPal.

Every time we open our laptop and connect to a new network, a router on that network will send down settings that let us connect, (pay!), and get out on the Internet. The new DNS Changer trick is this: a computer infected with this DNS Changer variant will listen for new computers requesting a connection on the same network (the same coffee shop) and try to answer with Bad Guy settings before the "official" router can send it the "official" settings.

As fundamental as DNS is to the operation of the world-wide web, it's amazingly susceptible to compromise. This new DNS Changer behavior capitalizes on the vulnerability of DNS settings and: (1) leaves no traces, (2) doesn't require your computer to be infected with anything that your antivirus software will complain about.

Now What?
This is why we invented SafeCentral. SafeCentral includes a unique Secure DNS feature that protects against DNS Changer and other threats. SafeCentral uses it's own DNS. It uses Authentium's Secure DNS servers and it does so through an encrypted (HTTPS) connection.

So even if we connect to a Wifi hotspot that is hosting an infected computer, we can happily browse the web, bank and shop safely.

Undetectable data-stealing trojan nabs 500,000 virtual wallets

2008-11-04T10:29:00.002-05:00

RSA issued a report earlier this week confirming the enormous threat posed to all internet users by the "Sinowal" trojan (a.k.a "Torpig" and "Mebroot"). This insidious agent is virtually undetectable, infecting a user's PC regardless of Anti-Virus and other defenses - thanks to a steady stream of variants and a highly-advanced design. Once on your system, it waits for you to visit a banking or any of its other 2,700+ trigger sites, then injects additional information fields designed to capture the necessary personal data for identity theft. The gathered credentials are well organized and sent discretely off to the criminal servers.

[RSA] recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.

The trojan is downloaded automatically through websites that exploit vulnerabilities in Windows or 3rd-party applications, and doesn't require any action or 'acceptance' by the user to install. What's worse, is that once installed:

About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.

So, here's a trojan that your standard defenses won't catch, and which can't be erradicated short of re-formatting your system. This is exactly the reason we designed SafeCentral as a "Reverse Sandbox" solution. The security industry battles the criminals every day, but no defense system is perfect; nothing is 100% effective at stopping every infection. Also, no one wants to erase all of their data and start from scratch reformatting your drive. So, what is a user to do when presented with an easy to catch, difficult to block, and almost impossible to erase evil bug like this? Use SafeCentral!

SafeCentral keeps the URL's you enter private, thereby eliminating the 'trigger' event for this trojan, and SafeCentral's secure DNS and anti-keylogging/anti-screen-scraping protect your data from exposure. SafeCentral is the only way a PC user who might come in contact with a Sinowal variant can transact safely online.

7 Online Blunders That Invite Identity Theft

2008-10-06T12:38:00.001-04:00

Nothing revolutionary or surprising here; just good common sense tips for avoiding identity theft. Unfortunately, the remedies to these 7 blunders are almost entirely reactionary; forcing the user to duck and dodge a scam rather than avoid it entirely.

read more | digg story

Infection Happens: What then?

2008-10-02T15:31:00.007-04:00

There's been a lot of attention lately to a class of products defined as "sandboxes", which attempt to prevent malware from seeping onto a user's computer by establishing a virtual layer that internet data must traverse before reaching the 'host' machine's OS. These products offer a reasonable level of protection from infection, but don't effectively prevent the activities of malware already present on your machine.

I'll let you in on a little secret: INFECTION HAPPENS. Much like the comical bumper sticker about feces, this is just another fact of life: infection happens. Authentium has been in the anti-malware industry for over 20 years, and makes one of the most effective and efficient AVSDK's in the world. However, no AV engine, no spyware engine, no anti-malware engine has ever proven itself 100% effective at stopping ALL infections. There are simply too many vectors for a piece of malicious code to find its way onto your system. This isn't to suggest you shouldn't be running a good desktop security suite, or following good habits and behaviors when online, but realize that even those with the best intentions and most diligent practices can still become the victim of an infection. In fact, according to Bigfoot Interactive, 55% of online users have been infected with spyware. All these defenses, and yet most people will still get a bug in there machine.

The real question for the security industry, and more importantly consumers, is WHAT THEN? Presuming the inevitability of an infection, what can the user do to protect themselves and their privacy when conducting sensitive transactions online. The answer, of course, is SafeCentral. Which is an entirely new class of product we often describe as a "Reverse Sandbox"; designed to safeguard your activities from the intent of malware even if your PC is already an infected cesspool of malware agents.

INFECTION HAPPENS. And just like the bumper sticker suggests, it's how you deal with it that defines you're outlook on the world. When 'Sh*t Happens', keep your head about you and an even, laid-back attitude. When 'Infection Happens', arm yourself with a tool that can protect your identity and your data, so you can face the internet with confidence and that same laid-back attitude, knowing your safe despite the infection.

Our chairman, John Sharp, offered a great explanation of SafeCentral's approach in his blog. Read that, and our whitepaper on the reverse sandbox approach, to learn how to stay safe even when 'infection happens'.

SafeCentral Updated!

2008-09-18T10:26:00.002-04:00

This week we took the wraps of the biggest update to SafeCentral since launch, and we're thrilled with the results. The new version 1.3 release includes an entirely redesigned interface, from desktop to web, which gives the service a unified and consistent look and feel. In addition, major efforts have been taken to speed up the performance of all aspects of the service, increase compatibility, and to lay the foundation for exciting new features in the near future. You can read the full details in our newsletter.

Existing customers will have the update rolled out to them automatically in the next few days, and all new users to http://www.safecentral.com can download and enjoy version 1.3 immediately.

As always, we welcome your feedback and comments.

I'm your Private Browser...

2008-09-02T08:53:00.002-04:00

Last week Microsoft took the wraps off the latest Beta of Internet Explorer 8; and just yesterday Google announced its own browser, currently named "Chrome". Both of these browsers include a feature already found in Apple's Safari by default and available via a variety of add-ons for Mozilla FireFox - "Private Browsing".

Private Browsing, often referred to as 'porn mode', covers the tracks of the user by not saving or instantly deleting browser history, searches, cache, cookies and more. Essentially, these features ensure that whomever uses your PC/Mac next won't be able to see what you were up to online. This is great functionality and a worthwhile addition to all modern browsers.

However, the name "private browsing" could certainly mislead users into thinking that it provides security against spyware, hackers and identity thieves; which is sadly not the case. This feature does not prevent a keylogger from capturing every keystroke, including the URL's you type, usernames, passwords and more. Nor does it prevent a screen-scraping agent from snapping an image of every click and every page you visit. It also provides no protection from man-in-the-middle spying or DNS-poisoning. In short, "private browsing" isn't really private. Sure, it'll keep your spouse from discovering that you were researching a surprise trip, but it won't protect your money, your accounts, or your identity. I've already been asked by 3 relatively computer-literate friends if the "private browsing" mode in Safari means they're safe.

It's becoming increasingly clear that modern browsers need to be fortified against a variety of attacks, and users have recognized that the browser, the web, and email are simultaneously the most important parts of their PC use, and the most dangerous. I sincerely hope that user's aren't lulled into a false sense of security thanks to these new features. Whether you opt to use SafeCentral, or something else, be sure your gaining REAL privacy when you go online.

SafeCentral Protects Users from Massive DNS Flaw

2008-08-08T08:51:00.002-04:00

In the old days when you made a phone call, your request was routed to an operator who correlated the person you wanted to reach against the circuit they were on, and physically connected the cables to enable your conversation. Despite the wonders of the internet, things still work pretty much the same way. When you make a request to visit "www.paypal.com", that request is interpreted and translated by a DNS (Domain Name Server) that matches "www.paypal.com" with the IP address of the web server before sending you on your way.

One common method for hackers to steal identities, money, and more is to 'poison' or hijack DNS servers and DNS requests, and to have your traffic re-routed to sites that look like the real thing, but exists solely to steal your account credentials. So, when you type "www.paypal.com" into your browser, it's possible that a bad-guy could intercept that request and send you to his web server, which offers up a page that looks IDENTICAL to the real PayPal site. After capturing your login credentials, these hackers are usually kind enough to forward you on to the real site, so you never know the difference - UNTIL YOUR MONEY IS GONE.

In a presentation at the Black Hat security conference, Dan Kaminsky highlighted a massive flaw he'd discovered which affects millions of DNS servers across the internet. This flaw makes these servers vulnerable to these hacker attacks, and puts every web user at risk. Preventing DNS attacks was part of the central premise of the SafeCentral solution, and we're happy to report that our SecureDNS technology (built into SafeCentral) provides an effective defense against these attacks. Read the press release for more detail, and visit Dan Kaminsky's blog for full details and to test if your DNS connections are open to this kind of attack.

Online Threats come faster

2008-07-30T13:27:00.002-04:00

More evidence that a new approach to security is required if user's hope to stave off the threats caused by conventional browsers and PC vulnerabilities...

While the security community has a responsibility to act as a watchdog and report the vulnerabilities that are discovered, these alerts are increasingly becoming a hand-book for even amateur hackers.

...online criminals have latched on in a big way to programs that help them automatically generate attacks based on publicly available information about vulnerabilities. In the past they apparently spent more time finding such holes themselves, but no longer find that as necessary.

In Web browsers — an area heavily targeted by hackers — hacking exploits were available within a day after flaws were discovered 94 percent of the time, up from 79 percent in 2007, IBM's report said.

For all PC vulnerabilities, over 80 percent of the exploit code was released the same day — or even before — the holes were publicly disclosed. That's up from 70 percent last year, according to the IBM study.

It would seem to me that a more private, well-vetted consortium of experts/companies should form a closed reporting system that prevents exploits (as much as possible) from becoming public until after they are addressed. It'll never fully stop the publication of "proof of concept" hacks, but a 'silent whistle' system that is endorsed by all involved could make a dent in the problem.

More importantly, it's clear that security can't be a 'reactive' system, patching exploits and issuing virus signatures in response to hackers. Instead, security should be an active solution that 'allows' the good rather than seeking to prevent the bad. SafeCentral is just one example of this new paradigm in security.

Firstrade Partnership Launches.

2008-07-25T12:13:00.002-04:00

The entire SafeCentral team is thrilled to have announced the formal launch of our partnership with Firstrade this week. Firstrade is providing SafeCentral access to Firstrade accounts free of charge, granting their customers the most secure trading environment available in the world. We are proud to partner with Firstrade's consistently top-rated online brokerage, and to work with them to make trading even safer.

This is significant when you consider the unique risks posed by account compromise in the trading markets. After all, the exposure of your credit card or bank account information typically impacts just you, while the compromise of trading credentials can lead to stock price manipulation that could affect millions, and the very fabric of the market. An example of this occurred recently, with the 'pump and dump' scheme executed using stolen credentials from two other trading firms. The resulting $22 Million in losses could have been prevented if users had been using secure browsing tools like SafeCentral.

PCMag.com Reviews SafeCentral

2008-07-23T08:45:00.003-04:00

In my line of work, you grow accustomed to product reviews and opinions that either praise or punish the monumental efforts of the company. Most reviews are fair, and most are conducted with integrity and impartiality. However, nothing is more rewarding or satisfying than a review or opinion piece that begins by understanding and validating the fundamental purpose of a product or service correctly. Such is this review from PC Mag.com's Neil J. Rubenking; which truly 'gets it' with regard to SafeCentral's raison de etre.

We're already working on a few of the small requests noted in this review (Password Manager coming soon!), while the rest of Neil's analysis captures and validates SafeCentral's revolutionary security promise superbly. Please give it a read and share your comments.

Take the Guided Tour!

2008-07-07T15:16:00.003-04:00

I've posted a 5-part "Guided Tour" on the release version of SafeCentral. This is the most complete and compelling look at the entire service, and should help even SafeCentral veterans understand the service a little better.

http://www.safecentral.com/howitworks/Guided_Tour.html

Your feedback and comments are appreciated.

The Road to Safety

2008-06-25T09:55:00.003-04:00

One of the biggest challenges with any security product is trying to find the proper balance between security and usability. The two goals often seem at odds with one-another; after all, for each thing you make possible, you may open a door for exploitation. We made it a priority at the beginning of the SafeCentral project NOT to sacrifice the security of our solution, so we've been tirelessly seeking ways to provide a seamless experience without softening the security promise. The suspend/resume functionality I previewed earlier (now in the live build), is an example of that. We provided the ability for SafeCentral to seamlessly co-exist with your other applications/activities, without inviting the weaknesses of those applications into our safe environment.

We've achieved similar success with a new browser plug-in feature, that actually INCREASES the security of our product by offering configurable alerts to the user when the site they're trying to visit might warrant the extra safety of SafeCentral. The same framework can be used to prevent phishing, by filtering URL's against known phishing sites. The great thing about this function is that it doesn't alter or weaken the security of the SafeCentral environment in exchange for simplicity, but provides the user with a completely seamless experience that makes SafeCentral a part of their normal workflow. I like to think of SafeCentral as the secure companion to your everyday browsing, and nothing makes that companion easier to access than this plugin feature.

As a self-described technology geek, I'm often asked by friends, neighbors and relatives for advice on what electronics to buy. One of the most common requests is which camera to get. I've read the reviews, tested various units, and formed plenty of opinions about the features that I think matter most. However, I often recommend a camera with lower resolution, fewer features, and other sacrifices. Why? Because "the worst picture you can take is the one you never take". Which is my way of saying that features and image quality are great, but if you don't have your camera with you because you can't stand lugging it around, all of those features aren't going to matter. So, get the small one that fits in your pocket. The same principle applies to security software design; the only security that matters is the security that you use.

So, we've gone to great lengths to provide many 'on-ramps' to the SafeCentral experience: the Programs menu, desktop icons, the taskbar, your normal browser and more all can invoke a SafeCentral session. As a user, that means you'll have the option to enter the safe environment whenever the whim, need, or opportunity arises, without having to remind or retrain yourself to do it. That, more than anything, is the most powerful form of security: security you'll use.
The attached video previews the plugin function; I welcome comments and look forward to its release in our July build.

Testing Confirms SafeCentral Security

2008-06-10T22:53:00.005-04:00

Sometimes you can get so caught up in the work to build, prepare and launch a product into market, that you forget to stop and measure it against your original vision. Does it solve the problem you intended to solve? After all, the rest is just presentation and packaging; if you don't meet the benefit statement you've promised your customer, you've already failed.

With that in mind, we commissioned IRM's world-renowned security testing team to evaluate SafeCentral. We were ecstatic to see that SafeCentral met or exceeded every claim, and indeed is 'certified' to provide true privacy when transacting online. We've outlined the results in a Press Release this morning, but I wanted to take a moment here to elaborate on the report.

There are 3 points of peril when it comes to sharing sensitive information online. First, and most importantly, is the user's PC. A compromised system infested with spyware agents is an identity thief's greatest ally. Second, is the connection to the site, you can't transact safely unless you know who you're transacting with (and know with certainty that it IS the site you intend). And finally, is the authentication of user and site to one-another. With multi-factor authentication, websites have done a pretty good job guarding up #3, but items 1 and 2 have been left open for far too long. SafeCentral was built to sure up these holes.

According to the IRM Report:

In all scenarios, it was observed that SafeCentral adequately protected a user's browsing session by ensuring no keystrokes entered in the secure Firefox web browser were intercepted. Viewing logs from various keyloggers clearly indicated that keystrokes entered in the duration SafeCentral was active were clearly missing. This was true for both user and kernel land keyloggers.

SafeCentral was built to cripple desktop spyware agents, like screen-scrapers and key-loggers, even if they're successfully installed and functional on the user's PC. Every one of the more than 20 spyware agents thrown at SafeCentral was unable to capture the activities during the SafeCentral session. And on item #2:

The first test involved editing the virtual machine's "host" file to contain static entries that would redirect requests for websites supported by SafeCentral to test websites setup by IRM consultants. However, when SafeCentral was launched, the user was not redirected to the static entries and was presented with genuine websites.

SafeCentral identifies the websites your visiting against our known directory of safe sites, and ensures that you can't be re-directed to phishing/pharming sites meant to steal your credentials.

Again, while I'm happy to pat ourselves on the back, the important thing here is that we tested ourselves to ensure that we live up to our security claims, and our promise to our customers. There is too much false information and 'snake oil' already in the identity theft sphere, we need bring real solutions to market.

So, now we'll go back to putting the best possible presentation, polish, and packaging on SafeCentral.

ID Fraud on the rise

2008-06-05T15:50:00.004-04:00

According to leading industry analyst Avivah Litan, and a recent study by Carnegie Mellon sited in this PC World article, Identity Fraud has been on the rise over the last year and a half and is projected to maintain a meteoric rise.

Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are also getting better at what they do, she added. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."
"The thieves are just getting better and there's more fraud," she said.

It appears that despite the recent focus on new authentication systems, and stronger data warehouses, the hackers are adjusting their tactics to take advantage of holes in the security chain. As discussed here many times before, the weakest link is likely: You, and your malware infested PC.

ID Theft in the news...

2008-05-21T14:08:00.006-04:00

Infoworld took a look at Check Point Software's ZoneAlarm Forcefield, and ultimately walked away unimpressed.

Unfortunately, although ForceField does offer some real improvements over the other products I've reviewed, it wasn't enough to stop malware from infecting my test systems. In less than a minute, by clicking only my third malicious Web site link, my test system was silently compromised without so much as a chirp out of ForceField.

The writer admits to being skeptical about 'sandbox' security clients,

I've reviewed similar over-marketed and under-effective virtualized or "sandbox" security clients over the years (most notably GreenBorder, subsequently acquired by Google), all of which promised to provide superior protection against all malicious Internet threats.

Ultimately, our outlook is that previously proposed solutions fall short thanks to limited security features beyond 'site classification' (prompting the user that a site is safe or 'risky' based on white-list/black-list rules and inaccurate logic) and rudimentary key-logger defenses. No solution to date has offered network level protection, or a secure DNS/Directory to ensure that the user is going only to safe sites. No solution to date offered kernel-level security and the ability to defend itself from attack. SafeCentral is a different kind of sandbox. I hope we have a chance to get this reviewer and others to take a look at SafeCentral.

In other news, LifeLock is facing a new class-action lawsuit claiming that it has made false and misleading claims about the level of 'protection' it provides.

"While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.

"Furthermore, a simple background check performed using Davis' Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old."

To be honest, I'm not sure this lawsuit has merit. I don't view the claims of LifeLock and the myriad of other 'identity insurers' to be PREVENTATIVE at all. They claim to help you discover identity fraud quickly, and mitigate the financial losses associated with a breach (though disguising it as protection). They do nothing to actually STOP identity theft from taking place. Ultimately, they're like an alarm system - it only goes off only after a crime has begun. A layered approach is best: start with good defensive measures to protect your identity from theft, and then layer on monitoring/insurance to buffer against a breach.

I'm not sure whether these articles help us by raising the 'noise-level' for the need for greater identity security, or hurt us by defining the problem as 'unsolvable' and establishing a poor reputation for companies associated with Identity Theft/Fraud solutions. Leave a comment and let me know your take.

Pain in the aaS?

2008-05-13T16:56:00.002-04:00

I was forwarded this article from the Economist which outlines the new "as-a-service" model now being adapted by cyber criminals. The article makes an excellent point about the continuing migration of software from boxed discs to online services that we 'rent' or use as necessary, and points out the inevitable migration of that model to include malware. Want to conduct a denial-of-service attack on a website without having to build your own army of zombie PC's, or even having any hacking skills at all? You can. Just rent the access from an established cyber-criminal and you can 'borrow' their hack for your personal mission of destruction.

The tone of the article suggests that "as-a-service" is becoming a dirty word, which may be true. However, I think the term is accurate and that the model actually provides an opportunity for greater security. After all, with services living 'in the cloud' you're less prone to local attacks, and the effects are less likely to impact other applications. What's required is secure access to those 'in the cloud' services, so that each session becomes a trip into a secure portal isolated from everything else...I might know something that's a possible solution for that.

FBI Internet Crime Complaint Center (IC3) Report

2008-05-12T17:21:00.003-04:00

I was reviewing the latest report from the FBI on internet crime, and found that the disturbing trend of skyrocketing losses continues, despite the number of claims holding relatively steady from it's peak in 2005. This confirms that the cyber-thieves are refining their tactics to focus on extracting more money from every breach or scam. The report includes all types of cyber-crime, but only tallies those that are reported to the IC3, so it's safe to presume that the actual numbers are much higher.

The report calculates that the 206,884 claims received via the IC3 website in 2007 resulted in more than $239 Million in losses. While only a small portion of the cases were specifically cited as 'Identity Theft', all were related to conducting business via criminal websites, email, or auctions. This reinforces the notion that email is a broken system, and that people really do fall for the "Nigerian Letter" scam (1.1% of complaints!). It also demonstrates that the general trust of the internet, websites, and email infrastructure is going to continue to decline, as users discover that there is really no way of knowing the origin of a message, or that they can be sure to visit the website they intend.

Perhaps most disappointing, as a current Florida resident, is the state's #2 position among the top homes for perpetrators. Thankfully I work for a security firm and my home Wi-Fi network is secured (as best as possible); you never know who the internet criminals are.

SafeCentral Video Introduction

2008-05-08T14:05:00.005-04:00

Just finished a brief SafeCentral introduction video, you can see it here.

I learned something in making these snippets: trust your instincts. I wanted 3 segments outlining (1) the threats people face when transacting online, (2) the solution SafeCentral provides, and (3) a brief overview of the user experience; I also wanted each segment to be no longer than 1.5 minutes. Trying to fit a complex technical discussion, demonstration, and value proposition into that timeframe forces you to plan a tight script. However, when I actually sat down to record the sessions (which are live screen-captures, not over-dubs), I realized that winging it was a better and more natural way to go.

30 Years of SPAM

2008-05-02T14:16:00.003-04:00

30 Years ago the world got its first taste of SPAM (not the meat product), though the small distribution to 400 recipients is hardly comparable to the BILLIONS of bogus messages sent today. I've often wrestled with the fundamental question of SPAM: "Are there people out there that actually respond to this stuff?", and I always come the same conclusion: "There must be, otherwise why would anyone do it?".

That depressing fact keeps the SPAM growing. However, I think the most profound and unfortunate effect of SPAM is NOT in the people who get scammed, the deluge of bogus mail filling up servers, nor the burden of trash traffic clogging the web. The most profound effect of SPAM is that it broke email. What should be an incredibly efficient, inexpensive and trustworthy tool for communication has been irreparably damaged. As a marketer, I'd love to be able to get a message to my audience via email, but there's virtually no way it will be heard among the noise. More importantly, as a security provider, I often NEED to get a message to my customers that addresses a critical security issue, and yet again the message will be lost in an inbox full of phony Viagra offers.

When you need to get a message to a large audience of people, it's nearly impossible to do it in a cost-effective and timely manner. Print/mail is expensive and slow, telephone calls are equally laborious, and traditional 'advertising' mediums don't allow you to target just your existing customers with an important message.

SPAMMERS have been crying wolf into the email village, and have guaranteed that no one will listen when real danger arises. That is the most unfortunate cost of SPAM.

Finovate 08

2008-04-29T17:51:00.002-04:00

Our CTO, Ray Dickenson, was kind enough to send me a live update on today's proceedings at FinovateStartup '08 in San Francisco. Ray and Doug Brunt, our President & CEO, took the stage at 8:00AM to show off SafeCentral. It's really our first public unveiling, so what better than to be first out of the starting gate.

Ray said:

"The software performed well during our demo and Doug did an excellent job as the spokesmodel for SafeCentral.

Authentium was randomly picked to present first thing in the morning. Any concerns I had that the audience would arrive late and not be alert and tuned in for an early start were dismissed when I peered through the curtains before we went on stage and saw about 260 faces alert and ready to see new stuff.

Doug and I performed our patented 5-minute demo that showed me logging into Paypal and getting my credentials and account details stolen. Then we launched SafeCentral. I used the absolute latest build that launches the secure desktop and browser in about 3 seconds. In SafeCentral, I logged in to my Bank of America account, sharing my wife's sitekey with the world. Closing SafeCentral, we showed the blank keylogger screen that is familiar to all of you.

As I mentioned, we are now sitting in the audience watching all the other presentations. In about 15 minutes we adjourn to the hallway where 20 display screens are set up for each presenter to run additional one-on-one demos for attendees.

There's the realtime update for you. More later.

Ray"

It can be a daunting challenge to attempt to showcase a solution to a problem as complex and multi-faceted as online identity theft in just 5 minutes, but I know Ray and Doug were up to the challenge.

Coverage and Blogs are just starting to come in, including this post from Christophe Langlois. Christophe is one of the most active and respected bloggers in the world of online banking, social media and associated technologies, and there's a wealth of great content over at visible-banking.com.

7 surefire ways to become an ID theft victim

2008-04-28T16:09:00.006-04:00

Rarely do you see highly technical computer security articles address the problem in witty, easy to understand terms. I was happy to discover this post from the Bankrate.com 'News & Advice' section (single-page available here). Sheyna Steiner takes on the topic of Identity Theft with a pragmatic, intelligent, and somewhat comical 'in your face' look at the perils we all willingly expose ourselves to when online. It's a great read, and there's a lot of simple yet informative tips for staying safe.

"Experience the hassles of being defrauded firsthand! If you love bureaucracy and the thrill of waiting in line to talk to government and bank employees again and again, becoming an identity theft victim might be right for you."

Sign me up! I wish every day could be a trip to the DMV.

"For maximum risk, commit the computing equivalent of licking a handrail in a New York City subway station and do some online banking on a public computer -- like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions."

Who hasn't licked the NYC subway station handrail? I thought that's what they meant by the 'flavor of the city'?

"Secret crushes, long lost friends saying "what's up" or strangers hawking cheap drugs -- you'll never know unless you peek at that e-mail."

Thus shattering my fantasy that I had attracted 43 secret admirers today.

"These days one has to assume that any communication with a business or government entity that hasn't been specifically initiated by the consumer with the appropriate authentication process is a complete swindle."

Unfortunate and true.

Tip of the hat to Sheyna and the Bankrate team for this excellent article.

Preview of Upcoming SafeCentral Features

2008-04-25T16:08:00.007-04:00

The developers have really been cranking out some great work lately, pushing things forward in the areas we get the most feedback on. Two things at the top of the priority list will be addressed in an upcoming release:

Faster Launching
Simple suspend/resume and integration into standard Windows environment.

Have a peek at this video for a brief look at these enhancements.
(Looks like YouTube 'chewed' the beginning of the video a bit, but it comes in fine after a moment - apologies)

I'm sometimes blown away but what the coders can do in astonishingly short periods of time.

Bitten when browsing

2008-04-23T17:13:00.002-04:00

Yesterday's technology blog post at the WallStreetJournal.com is a prime example of how hackers stay ahead of conventional security measures. In the article, Ben Worthen, notes that hackers have migrated their focus from traditional email-based proliferation to more sophisticated and 'silent' means of malware distribution. Just visiting a website can lead to a security breach, as hackers exploit the weaknesses of your web browser and install their nefarious agents on your machine.

This only strengthens our belief that a new paradigm, which breaks away from the reliance on the traditional 'dirty' browser, is required to achieve any semblance of real safety online.

What's most frustrating, as a marketer and someone passionate about our new service, is the summation of Worthen's post - which probably sums up how most people react to news like this:

"The bad news is that there isn’t much individuals can do to protect themselves from these attacks besides using the most recent version of a Web browser and hoping that the attacker’s code is designed to take advantage of an older browser."

Actually, there is something individuals can do. You guessed it: SafeCentral. Since we restrict all untrusted operations, and run our own protected browser, you're vastly more secure when visiting any site from within SafeCentral. More importantly, you're protected from the bugs, viruses, spyware, and other hacker tidbits you picked up while casually surfing in IE or Firefox; so even if the malware is on your machine, it can't be used to steal your identity when using SafeCentral.

How do we get the word out that there is an answer? Feel free to add a comment with suggestions on better communicating the SafeCentral message.

A Key to Everything

2008-04-22T10:29:00.005-04:00

There's nothing new in the latest survey findings from Accenture; the repeated use of a single password for all online accounts is human nature; who wants to try to remember 17 different username/password combinations in a world as busy and hectic as the high-tech one we live in today?

Nonetheless, it emphasizes how easy we make it for hackers to gain access to our entire life online. Every mail account, forum, banking site, shopping site, easily accessed with that one 'golden key' of a password we use repeatedly. I admit, even as a member of the 'security community', I often repeat my favorite password, or some derivative thereof, on multiple sites. It's just too hard and time-consuming to come up with 15 passwords I know I'll never remember.

We're working on methods to aggregate your passwords into a single, manageable, and encrypted tool within the SafeCentral experience. There are several very useful, encrypted 'password managers' or 'digital wallet' systems available, (as a frequent Mac user, I use the aptly named Wallet; or Roboform when on my PC) and taking the time to incorporate one into your personal data management routine is a great way to improve your personal security, and still keep critical data at your fingertips. Still, gaining access to these encrypted databases is usually accomplished with one 'golden password'. The best protection remains preventing the interception of your password(s) by using a secure, encrypted browser whenever you log on to financial services. All passwords are only as secure as the number of people who know them; we aim to keep that number to just one - YOU - with SafeCentral.

We need more than a seat belt.

2008-04-21T15:38:00.005-04:00

PayPal made news at RSA with the publication of a paper that spells out a plan to eventually block older and otherwise "unsafe browsers" from accessing its services. Unfortunately, "unsafe browser" could be an apt description of every standard browser currently in use.

PayPal's plan calls for shutting off access from older versions of Internet Explorer, Firefox (and possibly Apple's Safari, should Apple fail to add the requested features) which don't support the new Extended Validation SSL certificate system. EV SSL certified sites display a green address bar and company name in an attempt to prevent phishing attacks by visually confirming to the user the validity of the site.

It's certainly a better system and a worthwhile addition to the layered security model, but it doesn't solve several underlying issues:

The world's been using SSL certification (those little locks at the bottom of your browser), and other tools for years in an effort to keep users from entering their personal data at falsified sites - and it hasn't stopped the problem from expanding. These visual cues can be spoofed by hackers, and most users simply don't know what they mean, nor pay attention to their existence.
Even if a user could be certain that they're on the actual PayPal site, there's nothing to prevent spyware and other agents from capturing every detail, password, keystroke and screen from that session. The hacker then logs on with the stolen credentials, gets the same reassuring green address bar, and cleans out your account.

The latest browsers, including Internet Explorer 7, and Firefox beta 3, provide no protection against desktop spyware and other tools for 'listening in'. As long as desktop agents are allowed to run unchecked, identity theft - and the resulting fraud - will continue to grow unabated. As long is the industry relies on users to recognize a combination of cues, accept a barrage of alert pop-ups, and navigate the dirty minefield of traditional browsing, the problem will continue to grow. We need a new paradigm, one that separates 'standard' browsing from activities that require real security.

I applaud PayPal's effort to raise the security level on their site by locking out "unsafe browsers", but if it's security they seek, perhaps they should consider locking out all standard browsers and requiring SafeCentral, which supports EV SSL while providing DNS security and desktop malware defense.

PayPal said that allowing unsafe browsers to access its site

"is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."

True. However, seat belts have been standard in cars since the early 60's; perhaps requiring air-bags, and even accident avoidance systems would be a more appropriate goal in 2008. Our goal in developing SafeCentral is to be ahead of the hackers, responding in advance to tomorrow's threats.

An ounce of prevention...

2008-04-18T14:54:00.004-04:00

The old adage says that "an ounce of prevention is worth a pound of cure"; and nowhere is that more true than in the world of Identity Crime. I was encouraged to see that Peter Piazza of NewsFactor pressed this point in his first look at SafeCentral.

There are two terms used seemingly interchangeably to describe the problem: 'Identity Theft', and 'Identity Fraud', but these terms describe two distinctly different events. The difference between these events highlights the reason we created SafeCentral, and why it is such an important factor in the defense of your identity and your money. An ounce of identity theft prevention is worth a pound of identity fraud cure.

According to Webster's Dictionary, theft is "the action or crime of stealing"; fraud is "wrongful or criminal deception intended to result in financial or personal gain". You can't commit identity fraud without first having committed identity theft. It is therefore paramount to one's personal security to safeguard the data that can lead to identity fraud. SafeCentral aims to provide just such protection, isolating your online activities from prying eyes and assuring that your usernames, passwords, and personal credentials remain secure.

The importance of prevention becomes evident when you look at the true cost of a cure. There are several prominent (worthwhile, I might add) services that can monitor your credit and raise an alarm should someone try to conduct a fraudulent transaction or application in your name. In addition, many of these services will go the extra mile and insure you against disastrous financial loss. Unfortunately, they cant make the clean-up after an identity breach any easier. You're still going to spend as long as a year getting all new credit cards, perhaps a new social security number, closing out or migrating at-risk accounts, cleaning your dirtied credit, and realigning all of the payments and pay services that were auto-billing to your various accounts. In short, you're going to pay in sweat and tears what you don't pay in plain cash.

As with all security, a layered approach is best; but nothing can substitute for a SOLID first line of defense. In the case of online identity crimes, that means prevention - which means SafeCentral. Combined with an up-to-date desktop security suite, and adequate credit monitoring or fraud prevention services, SafeCentral can sure up your identity and give you the freedom and confidence to transact online at your leisure, and save you from ever having to fight to recover a stolen identity.

Peter's article is one of the first I've read that accurately differentiates the actions of theft and fraud in the internet age. We at SafeCentral, and the entire team at parent-company Authentium, are excited to be bringing to market the first truly end-to-end identity theft prevention service.

Launch Day Recap

2008-04-17T17:06:00.003-04:00

Wow, what a day.

Fortunately our press release was well-received, which led to a full day discussing SafeCentral's revolutionary approach with press and analysts from across the country. I'm impressed with how quickly people seem to grasp the concept, and how many say they have been waiting for a solution like SafeCentral. Even the most security-conscious and diligent analysts I spoke to said they were going to install SafeCentral for their personal use; which is a reassuring testament to the value of our new service.

Allan Maurer, from TechJournal South, inquired about SafeCentral, offered superb feedback, and had this article up in a flash.

David Utter, from SecurityProNews, has always provided excellent analysis of online security, and took a fresh look at SafeCentral in his recent article.

I'm thrilled to finally have the opportunity to discuss SafeCentral with the public and press, and excited about the opportunities in the days and weeks to come to continue to share our message.

SafeCentral Arrives!

2008-04-17T08:14:00.009-04:00

Welcome to SafeCentral!

We officially launched our secure Internet portal a few minutes ago: http://tinyurl.com/3jeh47, and I must say that after over a year of work, it’s great to finally go live.

The main question we get asked by family, friends, and colleagues is:

"What is SafeCentral and why do I need it?"

It’s simple, we created SafeCentral to give users the freedom to surf the Internet in complete privacy and safety. Over 50 percent of PCs are already infected with spyware, even though most have antivirus, anti-spyware, and firewall software installed. Clearly, traditional security products are not enough anymore. By creating this secure portal, we are hoping to restore users’ confidence in shopping, banking, or even filing taxes online and to actually prevent ID theft.

So, how do we do it?

SafeCentral prevents cyber crime and identity theft by locking down PCs, launching a secure browser, and connecting users to a trusted portal of their favorite destinations. We use our patent-pending TSX technology to create what we call a virtual “concrete bunker” that safeguards users from viruses, spyware, Trojan horses, keyloggers, phishers, man-in-the-middle attacks, screen scrapers, DNS poisoning, Wi-Fi interception – you name it. We eliminate the confusing avalanche of threats and free you to use the internet the way you want.

What we love about SafeCentral is users don’t have to change the way they work or waste hours scanning for threats that have already compromised their computers – SafeCentral takes care of your privacy with a single click. Our portal shields desktops from all the nastiest threats without limiting flexibility, functionality, or usability. We believe it is the only answer to preventing ID theft. I'll be blogging more soon about the often confused terms of 'identity theft' and 'identity fraud', because so many other approaches focus on the wrong side of these distinct problems.

Give it a try http://www.safecentral.com. We hope you like it. Let us know if you have any questions or suggestions on how to make it better. We’ll listen and get back to you ASAP.