
Can strong authentication sort out phishing and fraud?

Organised criminals have realised (because they are organisations) that phishing and identity theft can be carried out over a long period, uniting fragments of information gathered from various attacks into one final bite. For example, logging on with an authentication token may neutralise password stealers, but the mere presence of a token authentication request can make an ideal trigger for spyware, especially if the goal is to build a model of your online behaviour by monitoring your financial transactions.

This paper traces the recent evolution of malware techniques in response to technological changes in our security systems, and demonstrates once more the old cliché that the price of freedom is eternal vigilance. The bad guys are out to get us, and if they can turn our defences against us, even in the smallest way, they surely will.
Q. Can strong authentication sort out phishing and fraud?
A. No.
Q. Hmm. That makes for a rather short paper, don't you think?
A. Yes.
Q. Could you go into a little more detail?
A. Today, a great deal of phishing is orchestrated, or at least assisted, by malicious code somewhere on the network. This means that solving the malware problem is actually a necessary part of solving the problems of phishing and fraud. (When we say 'fraud' in this paper, we mean online fraud against users doing business through their PC. We do not mean other types of financial fraud, such as credit card abuse and kiting.)
But solving the malware problem is hard; in fact, it is undecidable. After all, the halting problem tells us that we cannot write a program that reliably determines the behaviour of all other possible programs:
'No program can say what another will do.
I won't just assert that, I'll prove it to you:
I'll prove that, although you might work till you drop,
you cannot predict whether a program will stop.
[...]
You can never discover mechanical means
for predicting the acts of computing machines.
It simply can't be done. So we users must find
our own bugs; our computers are losers!' [1]
This general result can be cast in concrete terms to show that a program which infallibly distinguishes malware from non-malware is not possible. Malware authors will always have a 'next opportunity' to circumvent whatever protection we currently have in place [2].
Q. But that doesn't mean it is always easy for malware authors, or for phishers, to go to the next level, does it?
A. No. I was just being dramatic. Nothing, whether authentication or anything else, can actually solve the phishing problem in the mathematical sense of solving it. But we can make phishing much more difficult, and authentication is indeed one of the tools we can use.
Q. Staying on the subject of malware detection for a moment, is it difficult to produce malicious software (a new banking Trojan, for example) that evades detection?
A. On the one hand, it is getting harder. On modern hardware, anti-virus software can be much more computationally aggressive than it was in the past. Generic detection techniques end up catching a lot of new Trojans proactively. On the other hand, it is getting easier. You can even precompute whether your new malware will succeed.
One way is through a targeted attack, in which you write a Trojan and aim it at a specific part of the Internet, such as a single company, whose defensive posture is known. Targeted attacks are not especially difficult to organise, and there is a paper at this conference investigating the phenomenon [3].
Another way is to use an online service to which you can submit malware samples and from which you receive an automated response saying which products detect them and what those products call them.
Q. What? Online services to help you improve your phishing Trojans?
A. That's not how they are meant to be used, of course. Several such services exist, and some are strongly supported by the security industry. VirusTotal [4], for example, is licensed to use about 25 different products to scan incoming files. In turn, the samples are passed on to the participating vendors, thus helping to improve detection and response.
Unfortunately, VirusTotal also allows you to withhold your submissions from the vendors (though this is not the default), which arguably plays into the hands of organised crime and the counterculture.
Q. So let's assume you can create a new Trojan and use it to phish me and my company. How can authentication, or anything else, help me then?
A. When you carry out a financial transaction online, there are several things you pay (literally and figuratively) to check:
• that trustworthy software is orchestrating the transaction,
• that it is really you carrying out the transaction,
• that you are actually dealing with the person or service you expect,
• that the details of the transaction go through correctly.
Authentication, clearly, can help with these.
Q. How? Can you start by giving me an example of the type of authentication technology that can help with each item above?
A. Of course. We'll take the questions one by one.
• Is the right program doing the work? Some endpoint firewalls can help here, for example by using cryptographic checksums to regulate which applications may make which type of connection to which servers.
• Is it really you kicking off the transaction? A handheld authenticator can make sure you use a new password each time you connect, to help prevent replay attacks in which previously stolen credentials are reused by someone else.
• Are you connecting to the right service? Digital certificates can help assure you that you are not talking to an imposter at the other end.
• Are you carrying out the transaction you intended? Encryption and digital signatures protect against exposing the details of the transaction, and help prevent the transaction being altered in transit.
Q. Firewalls, tokens, certificates and encryption. Aren't these old technologies that we have been using for ages? Aren't they enough?
A. Yes and no. There are three main ways in which security-related systems fail, and these mirror the main ways in which cryptographic systems fail. This is not surprising, since computer security is highly dependent on cryptography. Things can go wrong because:
• the underlying design is flawed (for example, a faulty cipher)
• the implementation is wrong (for example, insufficient key material is used)
• the system is used improperly (for example, users write down their PIN).
In a seminal paper on the failure of cryptography [5], Ross Anderson shows that problems in implementation and use appear to be the main reasons for failure, rather than weak cryptography.
With hindsight this is perhaps obvious, since these are the two aspects in which human error is most likely and in which rigorous peer review is hardest. In the latter case, human error can in fact be guaranteed by deceiving or misleading users.
Of course, what this means is that systems that work correctly to provide security in online commerce may still fail in unexpected ways.
Q. But if a system is vulnerable because it doesn't deal well with unexpected or inadvertent use, doesn't that mean the design is wrong?
A. Maybe so. But the PC and its operating system are designed to be flexible tools that can be adapted to many tasks, such as word processing, browsing the Internet, watching movies, making art, designing buildings and searching for extraterrestrial life. Users are generally free to add and remove software as they like, at any time, in order to enjoy this flexibility.
When you conduct online commerce, for example by clicking a [Buy Now] link, you need to convert your PC, temporarily and at short notice, into a secure cryptographic device that acts as a key component of the transaction.
So it is not surprising that the design of such a system makes certain assumptions about the state of the PC and the awareness of the user. And it is no wonder that the PC, or the user, or both, sometimes let the system down.
Q. Is this really surprising? Don't the banks owe it to us to do better?
A. This paper is not really about the social contract that banks do or do not have with their customers, so we'll look only very briefly at both sides of the argument.
Critics say that the banks are not doing enough. They say it is the banks that have the greatest interest in Internet commerce, since it allows them to close branches, dismiss cashiers and counter staff, and thus save a large amount of money. This money, they say, should have been used to make online banking much safer than it is.
The banks, however, argue at least as reasonably that the popularity of online commerce is what drives the need for Internet banking (eBay, QED). They can also point out not only that their younger customers prefer Internet banking, but that they expect it to be cheap, easy and accessible from anywhere. If a bank takes away a customer's Internet banking in the interests of security, and requires them to see a teller to sort out possible problems (a reasonable security measure, you might think), this is viewed as a bug in the system, not a feature.
Uri Rivner of RSA, which manufactures and sells cryptographic solutions including handheld authenticators, agrees:
'...[I]n the consumer online authentication market, usability is often more important than security. It is true that some [people] would like to see changes in banks' security procedures [and] would be grateful if their financial institution gave them authentication devices or came up with other visible security measures. However, other customers don't really care all that much about the bank's security demands; all they really want is to access their account, pay bills and transfer money without any delay or additional hassle...' [6]
Q. Well, let's go back to the points of failure above. Can you give historical examples of each situation, to paint a picture of the kind of thing that can go wrong? Let's start with the one that sounds most exciting: a cipher that has cracks in it.
A. One example that many people will know is the Wired Equivalent Privacy (WEP) encryption and authentication system originally proposed for wireless networks. WEP is based on a secret key, either 40 or 108 bits long; to access and use the network, you need to know the key. (This, in turn, means that you can read all the traffic on the network, as if it were a LAN.)
As it happens, the encryption algorithm used by WEP has a statistical flaw that affects the randomness of its first output byte. Interestingly, the same RC4 algorithm is also used in SSL (which we discuss later), but in a way that does not cause the problems seen in WEP. However, the flaw exists in the RC4 cryptosystem itself, or at least in its key scheduling algorithm (KSA) [7], and not just in WEP's implementation of it.
This statistical flaw allows an attacker to recover the WEP key by capturing and analysing a few million wireless packets. So there is no way to fix WEP without changing it into something different. WEP is irretrievably broken.
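To show that the weakness lives in RC4 itself rather than in WEP's packaging of it, here is an added example (not from the paper) that implements RC4 and measures a related, well-documented bias in its early keystream: for random keys, the second output byte is zero about twice as often as an unbiased byte source would produce. The key length, trial count and seed are arbitrary choices for the demonstration.

```python
"""Measure a known statistical bias in RC4's early keystream output.

Constructed demonstration (not from the paper): the second keystream byte
produced by RC4 is zero with probability close to 2/256 instead of 1/256.
The bias is a property of the cipher's key scheduling, so any protocol
that exposes early keystream bytes under many keys inherits it.
"""
import random


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes for the given key."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_ratio(trials: int = 20000, key_len: int = 16, seed: int = 1234) -> float:
    """Count how often the second keystream byte is 0 over random keys.

    Returns the observed count divided by the count an unbiased byte source
    would give (trials / 256). A value near 2.0 exposes the bias; an ideal
    cipher would give a value near 1.0.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / (trials / 256)


if __name__ == "__main__":
    print(f"second-byte-zero ratio vs. ideal: {second_byte_zero_ratio():.2f}")
```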
Q. How about a system that was based on sound cryptography but implemented dangerously?
A. A simple example of an implementation flaw, one that was fixed by developing an alternative but compatible approach, is the way early Unix systems stored the password file. All users and programs need read access to this file because it is (among other things) a database that maps user names, such as 'fp', to real names, such as 'Ford Prefect'.
However, early Unix implementations also stored each user's hashed password in this file, so anyone could retrieve the hashes and perform a dictionary attack against them offline. This meant that weak passwords could be recovered quickly, without leaving any evidence of the dictionary attack on the target system.
The backward-compatible solution, used in Linux to this day, was to split the password file in two, replacing the hash in the world-readable file with a placeholder such as 'x', and protecting the second copy of the file, called the shadow file, against reading.
User programs work exactly as before, except that they see a placeholder instead of the password hashes, which they don't need anyway. Only the login program had to change, so that it uses the shadow file instead.
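As an added example (not from the paper), the following audit checks the split just described on constructed passwd and shadow contents: that the world-readable file holds only placeholders in its password field, that every 'x' entry has a matching shadow record, and that the shadow file's mode keeps it unreadable by group and others. The user names and fake hashes are constructed sample data.

```python
"""Audit passwd/shadow entries for the hash split described above.

Added example, not from the paper. The sample file contents are constructed;
the fake hash strings are placeholders, not real crypt output.
"""
import os
import stat
from typing import Dict, List

# Constructed world-readable passwd file; 'ad' wrongly carries a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fp:x:1000:1000:Ford Prefect:/home/fp:/bin/bash
ad:$6$saltsalt$FAKEHASHPLACEHOLDER:1001:1001:Arthur Dent:/home/ad:/bin/bash
tv:x:1002:1002:Trillian:/home/tv:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed shadow file; note there is no record for 'tv'.
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHROOT:19000:0:99999:7:::
fp:$6$saltsalt$FAKEHASHFP:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# Values that legitimately appear in the passwd password field: a pointer to
# the shadow file ('x') or a marker that the account has no usable password.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user name -> field list for a colon-separated passwd/shadow file."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def exposed_hash_users(passwd_text: str) -> List[str]:
    """Users whose passwd entry holds a real hash, readable by everyone and
    therefore open to an offline dictionary attack."""
    exposed = []
    for user, fields in parse_colon_file(passwd_text).items():
        if len(fields) > 1 and fields[1] and fields[1] not in PLACEHOLDERS:
            exposed.append(user)
    return exposed


def empty_password_users(passwd_text: str) -> List[str]:
    """Users with an empty password field: no password is required at all."""
    return [user for user, fields in parse_colon_file(passwd_text).items()
            if len(fields) > 1 and fields[1] == ""]


def unshadowed_users(passwd_text: str, shadow_text: str) -> List[str]:
    """Users pointed at the shadow file ('x') that have no shadow record;
    the login program cannot verify them, a sign of an inconsistent split."""
    shadow = parse_colon_file(shadow_text)
    return [user for user, fields in parse_colon_file(passwd_text).items()
            if len(fields) > 1 and fields[1] == "x" and user not in shadow]


def shadow_mode_ok(mode: int) -> bool:
    """True if a shadow file with this st_mode is unreadable by group/others."""
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_files(passwd_path: str = "/etc/passwd", shadow_path: str = "/etc/shadow") -> dict:
    """Run the checks against real files (reading the shadow file needs root)."""
    with open(passwd_path) as f:
        passwd_text = f.read()
    with open(shadow_path) as f:
        shadow_text = f.read()
    return {
        "exposed_hashes": exposed_hash_users(passwd_text),
        "empty_passwords": empty_password_users(passwd_text),
        "unshadowed": unshadowed_users(passwd_text, shadow_text),
        "shadow_mode_ok": shadow_mode_ok(os.stat(shadow_path).st_mode),
    }


if __name__ == "__main__":
    print("exposed hashes:", exposed_hash_users(SAMPLE_PASSWD))
    print("unshadowed:", unshadowed_users(SAMPLE_PASSWD, SAMPLE_SHADOW))
```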
Q. And what about a case where security was used wrongly and someone paid the price?
A. Perhaps understandably, many of us are willing to assume that anyone who is willing to confirm their identity must, ipso facto, be trustworthy. So when we meet an unfamiliar program that is digitally signed, we sometimes assume that the signature says something about the moral character of the signatory, and not just about their name.
For example, in late 2002 many people willingly downloaded and installed software known as FriendGreetings from a company identified as Permissioned Media [8]. These downloads were made in response to an email, usually received from a friend or acquaintance, which promised an e-card greeting.
FriendGreetings displayed two End User Licence Agreements (EULAs), in the second of which it claimed permission to email everyone in your Outlook address book. Which, of course, it promptly did.
For system administrators, and for the people in your address book, the side effects were little different from those of a mass-mailing virus such as LoveBug (VBS/LoveLet-A). The signatories, of course, argued that the software's virus-like behaviour was completely legal, as it asked for permission before sending any mail.
But who had heard of Permissioned Media Inc., Torres, First Floor Office #39, Avenida Ricardo J. Alfaro, Panama City, Zone 6 of El Dorado, Panama? And why would anyone trust this unknown company with their email address book?
Q. That was in 2002. Have users become smarter since then?
A. FriendGreetings was a problem for system administrators because of the spam it generated. It was a nuisance to users for the same reason. The application also had the annoying side effect of preventing programs from appearing in the taskbar, which interfered with normal use of an affected PC until it had been properly cleaned up. But FriendGreetings did not set out to steal information that could be used to plunder your bank account or to carry out fraudulent transactions.
Phishing has raised the bar in terms of the risk that each user, and each user's organisation, faces from malicious code. This, in turn, has raised awareness both of malware and of the importance of prevention. Whether this counts as a silver lining to the cloud that organised crime has brought to the malware scene is unclear, but an optimist would say it does.
Q. That's an interesting observation, but I notice you skirted the issue. Have users become smarter since 2002?
A. Security experts are always on a slippery slope when commenting on the knowledge, or lack of it, shown by users. To come down too hard on users sounds arrogant, but to absolve them of any responsibility for their own PC is to assume that technology can solve all security problems, which, as we showed with some levity at the start, it cannot.
However, recent research conducted in the US [9] paints a rather bleak picture of the levels of common sense among users. (More accurately, it paints a depressing picture of a very small sample of academic staff and students at a prestigious American university. The rest of us might well do better, but the results are interesting nonetheless.)
In this study, 22 participants were shown 19 different websites that purported to belong to a number of well-known banks and other companies associated with online financial transactions. Of these, seven were real and 12 were spoofed. The objective was to identify which were fake. Only one (genuine) site was correctly identified by all 22 participants. All the other sites, real and fake, drew a mix of responses. Eight of the sites (including six fakes) were misjudged by 11 (50%) or more of the participants. In the two worst results, over 80% of participants said that a fake website was real.
The study explains these results very clearly. The explanation (or, as the study more conservatively calls it, the hypothesis) is worth repeating, because it emphasises how difficult it is for us to be aware of everything we need to take into account when making value judgements online, and shows how easy it is for phishers and other online fraudsters to get away with it:
'...Participants made incorrect [judgements] because they lacked an understanding of how computer systems worked and had no understanding of security systems and indicators. More experienced participants were tripped up by visual deception, for example when the address was spoofed or when images of [browser security UI] indicators had been copied into the website content. The study also revealed issues that we did not anticipate [...]:
• Some users do not know that spoofing websites is possible. Without the awareness [that] phishing is possible, some users simply do not question a website's legitimacy.
• Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations and advertisements, [then] the sites were legitimate...'
So users may be getting smarter, but there is still a great deal that they need to learn and know.
Q. If we made sure that the security indicators this study refers to were reliable and could be used reliably, would we be safe? Can the SSL padlock save the day?
A. Secure Sockets Layer (SSL) is by far the dominant fabric of online trading today. But most people assume that it simply means 'secure', which means that too much confidence is often placed in the padlock that most browsers display when the SSL protocol is in use. After all, a padlock means SSL, and SSL means secure.
In fact, there are plenty of problems with SSL, but fortunately these do not seem to be of the 'poor cryptography' type. The problems are a little to do with implementation (or at least with deployment) and everything to do with use.
Overall, SSL provides three main facilities for securing web communications:
• the exchange of digital certificates, allowing each end of the link to establish something about the identity of the other end,
• the secure exchange of session keys, allowing encryption without the need to share key material in advance,
• the encryption of the data in each session, using the keys exchanged.
When we are banking online, encryption is important: we don't want others to be able to sniff our account numbers, or to find out how much money we are spending and with whom. But the first phase, mutual authentication, is in many ways more important. Without it, we can easily fall into the trap of taking part in an encrypted conversation with a complete stranger.
Unfortunately, there are many ways in which this authentication can be subverted, or can simply go wrong. Phishers know this, and so are able to succeed despite, or even because of, the presence of SSL and the padlock in your browser.
Q. But if the connection is secure and authenticated, how can it be subverted?
A. There are several ways in which you can be deceived or misled when making SSL connections, for example:
• By counterfeit security indicators. A fake website can serve pages that make your browser look as though it has a secure connection. The counterfeiting can vary from the trivial, such as an image of a padlock somewhere on the page, to the sophisticated, where scripts on the page rewrite elements of the browser's user interface to simulate an encrypted site.
• By the use of an illegally acquired certificate. This is rare but not unknown. For example, in 2001 the world's largest issuer of SSL certificates, VeriSign, issued and signed a certificate in the name of 'Microsoft' to a person not associated with the software giant [10].
• By a worthless certificate. It is easy to produce a self-signed SSL certificate. In this case you act as your own certification authority, instead of paying a well-known third party to do the job for you.
• By a low-quality certificate. Some certification authorities (CAs) issue low-cost or trial certificates, which make it easy for smaller merchants to enter the market. In some cases the identity checks carried out before issuing these certificates are superficial and almost instantaneous, so the certificates have little value for authentication.
• By active malware on your PC. Malware can suppress security warnings, create false security indicators, paint over entry forms to capture or modify your input before it is encrypted with SSL, or otherwise mislead you about the way your PC or your browser is behaving.
• By the use of secure connections from insecure pages. Many legitimate online financial sites [11] invite you to log in from a main (http) page, and then take you via some of their scripts to the secure (https) site. In many cases these insecure pages include padlock images, lending credence to fake sites that do the same.
Q. So how can you avoid being caught by tricks like these?
A. Fortunately, many phishing tricks are obvious once you know what to look for. In particular, you should familiarise yourself with SSL certificates and how to check them. If you know how your bank usually identifies itself to you, for example, then it will be easier to carry out 'negative authentication' when necessary.
The http://whichssl.com/ site, although not as independent as its name might imply (it is run by a CA), offers a practical test that you can try right now. It brings up an https site of your choice while explaining, in a side panel of the browser window, how to use your browser to verify the SSL certificate presented by that site.
Most browsers make an effort to notify you when doubtful certificates are presented, but (as [9] suggests) many users click through these warnings without giving them the attention they deserve. It doesn't help that legitimate sites often let their certificates expire, publish certificates on a website that were issued in another name, or use certificates that cause browser warnings which can safely be ignored. This only reinforces risky behaviour.
Q. You spoke of 'negative authentication'. Couldn't community-based databases, such as the real-time block lists (RBLs) used against spam, help us identify online fraudsters?
A. Several such schemes exist. Netcraft, for example [12], offers a browser toolbar add-on through which you can report and identify online phishers. Netcraft also allows ISPs and organisations to use its database of known dubious sites on the Internet.
This can be useful in reducing incoming communications that refer to these sites, such as emails that try to persuade you to visit a fake website, or to download a piece of malware that the phisher can turn against you later. It is also useful in blocking outbound connections aimed at these sites. The blocking can be done by a web filter, an endpoint firewall, a router at the edge of the organisation, or the user's browser.
Microsoft has offered a complementary phishing filter [13] for some time, and it has become an integrated feature of Internet Explorer 7, currently at Beta 2.
So community-based block lists can help, and this suggests that they could be highly sensitive if the community is large and widespread. (If only one person in the world reports a phishing site, everyone else can benefit from that knowledge.)
But phishing criminals can react with agility, too. For example, using a botnet of infected PCs, it would be a simple matter to 'report' that a large number of legitimate sites are fake. Correcting errors of this type could take the law-abiding part of the community a long time, and make the block list unusable until the matter was resolved. Alternatively, the community may need to make it harder to get a site added to the list, in order to resist false positives. This would make the list less sensitive.
Q. You mentioned botnets earlier, which brings to mind keylogging and the other common tricks used by malware. How are we doing against these threats?
A. A Trojan on your PC may succeed without subverting your connection to an online service at all. In fact, many Trojans specifically wait for you to make a legitimate connection to your bank. (In this case the Trojan may, ironically, benefit from your checking the bank's SSL certificate closely, which guarantees that you are connected correctly. If a Trojan intends to manipulate the content of a transaction, it makes no sense for the victim to be connected not to the bank but to a 'service' operated by a rival criminal concern!)
Initially, the common attack against PC-based banking was indeed the keylogger. The concept is simple: watch for banking transactions, record the keys typed (hopefully including the account number, password or other personally identifiable information) and then pass the keystrokes to an outsider.
An early response to keyloggers was the so-called virtual keyboard, an image-based typing system that requires you to click on the images with the mouse. Often, the letters or numbers on the virtual keypad move around at random each time you visit, so that the sequence of mouse positions cannot be replayed. Many banks still use this system, believing that it provides security.
Malware creators were quick to respond, painting over entry forms and virtual keyboards and siphoning off the captured data before it was transmitted to the bank (or, to simplify the programming, faking an error and forcing you to start again, this time with the Trojan allowing the connection to proceed normally).
We can expect this kind of arms race to continue. Unfortunately, phishers are more flexible than banks. It could take a bank over a year to introduce brand new web programming and access control on its online systems. After all, change control, correctness and quality are an important part of a bank's IT ethos.
Criminals have no such limitations, and don't particularly care whether it is their first, tenth or hundredth Trojan of any new type that succeeds. The cost of 99 failed programs is irrelevant to them; the bank, on the other hand, must succeed at the first attempt.
Q. The malware you describe above is based on capturing information that can be reused. Does a handheld authenticator, or token, make this impossible?
A. No. Or, more accurately, not quite. What tokens aim to do is to introduce an unpredictable, variable value into the authentication process in place of a conventional password. This means that any password captured by a Trojan cannot be reused, since each password is designed to be used once and only once.
This does in fact render a lot of current malware impotent. Under certain circumstances, however, a Trojan can make good use of a password captured just once, for example if it can capture the password before it has been used. This may be possible with what is called a man-in-the-middle attack. A practical pictorial summary of a series of such attacks can be found in [14].
Q. Can you give a quick overview of how this type of attack works?
A. Imagine that you have to play chess against two Grand Masters. (This assumes that you are not a top chess player yourself.) There is a way you can ensure that you don't get beaten by both players, as long as you play both at the same time and are allowed to play White in one game and Black in the other.
All you do is wait for your White opponent to move. Then you make that move against your Black opponent. When the Black opponent responds, you repeat that move against the White player. The two Grand Masters are actually playing each other. You, the 'man in the middle', are simply relaying moves between them, even though those moves are turning up in what appear to be two separate games.
A similar principle applies with a man-in-the-middle Trojan. The idea is simple, but the implementation can be complex. The Trojan waits for you to begin what you think of as a transaction with the bank, but you are really transacting with the Trojan. This means that you mistakenly authenticate against the Trojan, and the Trojan uses the information you supply, including the one-time password you carefully typed in from your token, to authenticate itself with the bank.
The Trojan is then free (at least within certain parameters) to alter various aspects of the transaction, such as the amount, the destination account, or any other details of its choosing.
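The difference between a replayed one-time password and one relayed before use, as an added example that is not part of the paper: a constructed bank-side verifier, a HOTP-style token and a stand-in for the Trojan's relay. It also shows the mitigation a token with its own keypad and display makes possible, namely binding the code to the amount and destination the user confirms on the device, so that a relayed code no longer verifies for altered details. The secret, counters and account names are constructed values.

```python
"""One-time passwords: replay rejected, relay accepted, binding detects tampering.

Added example, not from the paper. Bank, token and Trojan are constructed
stand-ins; the OTP is an HMAC-SHA1 event code in the style of HOTP, with an
optional `extra` input so the token can bind a code to transaction details.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8, extra: bytes = b"") -> str:
    """Event-based OTP: HMAC-SHA1 over the counter (plus optional bound data),
    dynamically truncated to a decimal code."""
    msg = struct.pack(">Q", counter) + extra
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Bank:
    """Minimal server side: accepts a code within a small look-ahead window
    and never accepts a counter value at or below one already used."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0

    def _accept(self, code: str, extra: bytes) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, extra=extra), code):
                self.next_counter = c + 1  # burn this counter and any earlier ones
                return True
        return False

    def login(self, code: str) -> bool:
        return self._accept(code, b"")

    def transfer(self, amount: int, dest: str, code: str, bound: bool) -> bool:
        """With bound=True the bank recomputes the code over the submitted
        amount and destination, so altered details cannot match."""
        extra = f"{amount}:{dest}".encode() if bound else b""
        return self._accept(code, extra)


SECRET = b"constructed-shared-secret"  # constructed; a real token holds its own


def replay_is_rejected() -> bool:
    """A keylogger-style Trojan captures the OTP after the user has used it."""
    bank = Bank(SECRET)
    code = hotp(SECRET, 0)
    first = bank.login(code)        # legitimate login burns counter 0
    return first and not bank.login(code)  # later replay of the same code fails


def relay_alters_unbound_transfer() -> bool:
    """Man-in-the-middle: the Trojan receives the fresh OTP before the bank
    does and submits its own transfer details alongside it."""
    bank = Bank(SECRET)
    code = hotp(SECRET, 0)  # user typed this intending "100 -> landlord"
    return bank.transfer(amount=5000, dest="mule", code=code, bound=False)


def relay_tampering_detected() -> bool:
    """With the OTP bound to amount and destination (computed by the token
    from details the user confirms on its own display), the relayed code
    verifies only for the transaction the user actually approved."""
    bank = Bank(SECRET)
    code = hotp(SECRET, 0, extra=b"100:landlord")
    tampered = bank.transfer(amount=5000, dest="mule", code=code, bound=True)
    honest = bank.transfer(amount=100, dest="landlord", code=code, bound=True)
    return (not tampered) and honest


if __name__ == "__main__":
    print("replay rejected:", replay_is_rejected())
    print("unbound relay accepted:", relay_alters_unbound_transfer())
    print("bound relay tampering detected:", relay_tampering_detected())
```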
Q. Are there any Trojans that can perform this type of attack?
A. Not yet. The main reason is almost certainly that token authentication is not very common in the Internet banking world. This is partly because the expense and complexity of introducing it for every customer is not attractive to banks, and partly because the need to carry and use a token is still unpopular with many customers. So there has been little need for organised crime to take on the task of writing this more difficult species of Trojan.
Q. When criminals are forced to face strong authentication, how difficult will they find it?
A. Criminals do not have to subvert the authentication process at all. Instead, they may simply find new ways to cheat you out of your money. Spammers, for example, already know how to carry out online fraud without grabbing your account number or password. Many spammers operate by persuading you to carry out a transaction willingly and openly, using your handheld authenticator if you have one, and then supplying goods of inferior quality, or absolutely nothing, in return.
Now imagine how much easier it would be for criminals to seduce you into bogus transactions if they had a complete picture of your spending habits. For example, if they knew that you pay your rent on the seventh day of each month, and which agency you pay it to, they might try to phish the payment into a different account. And before you respond by saying, 'but it is a big step to start paying bills to a new recipient, so that just wouldn't work', remember that it sounded just as unreasonable to believe that users would willingly type their personal details into a well-known bank's website on the say-so of an email that could have come from anywhere, and probably did.
The technology to allow outsiders to keep a detailed record of your secure online activities, including everything you buy, and when, and where, already exists.
One example is the Marketscore application, created by the market research firm comScore Networks, Inc. In return for modest payments, users joined the 'Marketscore Panel' and installed the Marketscore application. Among other features, Marketscore incorporated what is effectively a man-in-the-middle SSL proxy, designed to open up and supervise all your secure online transactions, sending data on everything you purchased, and how much you paid for it, back to comScore.
Q. Surely a legitimate application would not go that far?
A. comScore has stopped distributing Marketscore, perhaps because of the publicity it received when some universities decided to block it outright, despite the strong tradition of academic freedom on their networks [15].
But this is what comScore [16] published about its behaviour:
'...[C]omScore has recruited for the Marketscore Panel one and a half million opt-in members who have agreed to have their Internet behavio[u]r confidentially monitored and captured in complete anonymity. These members have given comScore explicit opt-in permission to confidentially monitor their online activities in exchange for valuable benefits [...].
People who choose to be part of the Marketscore panel [...] download comScore technology onto their computer, which unobtrusively routes the member's Internet connection through comScore's network servers [...]. The technology allows comScore to capture the complete details of all communications to and from each individual computer, down to a specific site and a specific individual. The information captured for an individual member includes all sites visited, pages viewed, ads seen, promotions used, products or services purchased and the price paid.
[...]
It is extremely difficult, even with opt-in consumer permission, to capture the information to and from a browser in a secure session (e.g. any purchase transaction). To do this successfully, the technology is required to "securely" monitor a secure connection. [comScore's] patent-pending technology does this without incremental cost or risk to the panelists...'
As dubious as it may seem, remember that certain security products provide gateway-based tools to open up and examine SSL network connections. While this is culturally quite different from putting a market-research-oriented SSL proxy on each PC, it is technically and functionally similar. Like many technologies, whether it is good or bad depends on how it is used and who is using it.
Q. Let's return to where we started, that is, the subversion of
the endpoint through malware and potentially unwanted
applications. Will improvements in operating system security
help prevent users from being 'Marketscored' by criminals?
A. There is a long answer to that, which would look at
some of the new features of Windows Vista, such as User
Account Control, which seeks to restrict subversive use of
the administrator account, and at the features of SELinux,
in order to explore the idea of a hardened operating system
more completely.
The short answer is that operating systems are
increasingly resistant to trivial exploitation, but we should
all remember that there are still two major risk vectors:
• Users and administrators who make errors of judgment
and carry out fully authenticated installations of
inappropriate or risky software. Vista's warning that "this
operation requires elevation", and its careful display of a
program's digital certificate (or lack thereof), for example,
can be undone with a single mouse click that authorises the
offending operation.
• Organised crime and the counterculture, which have shown
a willingness to invest significant amounts of time
probing even the most secure systems for small cracks
that can be opened into a subversive gap. In addition,
they are nimble enough to respond to technological
changes, such as the subversion of the virtual keyboard, within
weeks or even days, a luxury that security
professionals cannot afford.
Q. So, can we win? And is authentication a key component in
staying ahead of the phishers, even though it cannot resolve the
whole problem?
A. Some say we can, and it is. For example, researchers at a
Swiss financial institution and at IBM [17] have
proposed an on-line banking authentication system that
sounds very secure.
In short, the system is based on an external smart
card reader with a keypad and a small screen. The
cryptographic calculations for authentication and security
between the user's browser and the bank are offloaded to the
smart card (which is tamper-resistant and contains an
operating system and software of its own), the entry of
passwords and one-time codes is offloaded to the card
reader's keypad (where it cannot be intercepted or altered), and
each transaction is cryptographically confirmed after its
details are displayed on the card reader's screen (where they are
not subject to manipulation by malware writing over the top of the data
on the screen).
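The confirmation step described above, as an added example that is not part of the original paper or of the IBM proposal: a toy model in which the card only signs what the reader's own screen showed, so malware in the browser is caught either by the user (the screen shows the wrong payee) or by the bank (the signature does not match what was submitted). The shared key, the transaction fields and both malware behaviours are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed secret shared by the bank and the user's smart card; in the real
# scheme it never leaves the tamper-resistant card.
CARD_KEY = b"constructed-card-secret-key"


def canonical(tx: dict) -> bytes:
    """Serialise a transaction deterministically so both sides MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def card_sign(tx: dict) -> str:
    """The card MACs exactly what the reader's own screen showed the user."""
    return hmac.new(CARD_KEY, canonical(tx), hashlib.sha256).hexdigest()


def bank_verify(tx: dict, tag: str) -> bool:
    """The bank checks the MAC against the transaction it is about to execute."""
    return hmac.compare_digest(card_sign(tx), tag)


def run_transaction(intended: dict, tamper_submission=None, tamper_challenge=None) -> str:
    """Simulate one transaction. The two hooks model malware in the browser: one
    rewrites what is sent to the bank, the other rewrites what the reader is shown.
    Returns 'accepted', 'user_rejected' or 'bank_rejected'."""
    submitted = tamper_submission(intended) if tamper_submission else dict(intended)
    # The bank echoes the transaction it intends to execute back for confirmation;
    # that echo also passes through the (possibly subverted) browser.
    challenge = tamper_challenge(submitted) if tamper_challenge else dict(submitted)
    # The reader shows the challenge on its own screen; the user compares it with
    # what they meant to do and presses OK only if it matches.
    if challenge != intended:
        return "user_rejected"
    tag = card_sign(challenge)
    return "accepted" if bank_verify(submitted, tag) else "bank_rejected"


INTENDED = {"to": "GB00-PAYEE-0001", "amount": "50.00", "ref": "rent"}  # constructed


def redirect_payee(tx: dict) -> dict:
    """Constructed malware behaviour: swap the payee but keep the amount."""
    return {**tx, "to": "GB00-MULE-9999"}


def hide_redirect(tx: dict) -> dict:
    """Constructed malware behaviour: show the reader the payee the user expects."""
    return {**tx, "to": INTENDED["to"]}
```

Running `run_transaction(INTENDED)` returns `accepted`; redirecting the payee alone is caught by the user at the reader's screen, and redirecting it while also faking the challenge is caught by the bank because the card signed the displayed transaction, not the submitted one.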
Of course, this system is complex, which means it is
difficult to implement properly; it is comparatively expensive,
which will delay its adoption by the banks; and it is
inconvenient, which will delay its acceptance by users.
In addition, phishers currently target our bank credentials so that
they can later pretend to be us and gain access to our accounts.
They do it because they can, because it is easy, and because it
works. As we have seen, making this more difficult, or even
impossible, is unlikely to stop phishing. The phishers will
respond by attacking and subverting other parts of our on-line
lifestyle.
This does not mean we should ignore technological
advances in computer security, any more than we should
throw out the seat belts, airbags and crumple zones of
the modern automobile. But it does mean we need
to keep ourselves informed and vigilant when we handle
money online, just as we are encouraged to be safer and
more responsible drivers on the road.
About the Author
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.