[ISN] Thinking Outside the Security Box

InfoSec News isn at c4i.org
Tue Feb 22 09:13:55 EST 2005


By Ryan Singel
Feb. 18, 2005 

SAN FRANCISCO -- The 2005 version of the nation's pre-eminent
cybersecurity conference features hundreds of speakers and 275
exhibitors bombarding the estimated 13,000 attendees with PowerPoint
presentations and free USB memory keys in an effort to sell their
particular firewall, smart card or fingerprint reader.

To find some of the most interesting offerings on the floor, Wired
News met up with cryptography expert Jonathan Callas, who has been
attending the RSA Conference since 1993, when the show had fewer
attendees than there are exhibitors in 2005.

Callas currently serves as the CTO of PGP, a company that sells
encryption software to corporations and government and is now working
to make e-mail encryption easy for almost anyone with a computer.

Callas took time from working the floor to give Wired News a
kick-the-tire tour of the expo, where vendors vie to scan the
high-tech conference badges of potential clients or partners.

Here are three companies that Callas thought were interesting enough
to turn over his badge to for scanning -- not the best or worst of
show, just a few he found innovative and clever, or worth a further

As usual, RSA included a slew of biometric applications, from iris
readers to fingerprint scanners.

Though Callas started the tour expressing skepticism about previous
years' biometric offerings, he turned over the badge to at least one
company selling a fingerprint reader.

Privaris is a small Fairfax, Virginia-based startup that makes a
key-chain-size fingerprint fob that can be used to log on to a
computer, open a garage door or enter a building.

The reader, which has 300 Kb worth of memory, matches a person's
fingerprint to a template stored on the device, and then sends an
encrypted security code to any remote reader, using either Bluetooth
or low-frequency RFID (without being vulnerable to bluesnarfing).
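The article says only that the fob matches the fingerprint on the device and then sends an "encrypted security code" to the reader. The following is an added illustration in Python, not Privaris's protocol or code: it models the part the page does describe (template stays on the fob, fob answers the reader only after a local match) and fills the unspecified part with a nonce challenge-response, a keyed MAC over a reader-supplied nonce, so that a code captured in the air cannot be replayed. The device key, identifiers, the 16-byte "feature vector" and the Hamming-distance matcher are all constructed assumptions.

```python
"""Added illustration, not Privaris's protocol: fob matches the finger
locally, then proves possession of a per-device key to the reader.
The nonce challenge-response, key, IDs and toy matcher are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Fob:
    def __init__(self, device_id: bytes, device_key: bytes, template: bytes):
        self.device_id = device_id
        self._key = device_key          # assumed shared with the reader's key store at enrolment
        self._template = template       # biometric template: never leaves the fob
        self._unlocked = False

    def present_finger(self, sample: bytes) -> bool:
        # Toy matcher (constructed): a real one compares minutiae with a tolerance.
        # Here the feature vector is 16 bytes and a match is <= 8 differing bits.
        distance = sum(bin(a ^ b).count("1") for a, b in zip(sample, self._template))
        self._unlocked = len(sample) == len(self._template) and distance <= 8
        return self._unlocked

    def respond(self, reader_id: bytes, nonce: bytes) -> Optional[bytes]:
        """Answer a reader challenge only while unlocked; one answer per touch."""
        if not self._unlocked:
            return None
        self._unlocked = False
        tag = hmac.new(self._key, b"fob-auth" + reader_id + nonce, hashlib.sha256).digest()
        return self.device_id + tag


class Reader:
    def __init__(self, reader_id: bytes, keys: Dict[bytes, bytes]):
        self.reader_id = reader_id
        self._keys = keys               # device_id -> device key (assumed enrolment data)
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                # unsolicited or replayed nonce
        self._outstanding.discard(nonce)
        device_id, tag = response[:4], response[4:]
        key = self._keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, b"fob-auth" + self.reader_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def fob_demo() -> dict:
    device_id = b"\x00\x00\x00\x2a"
    key = secrets.token_bytes(32)       # constructed enrolment key
    template = bytes(range(16))         # constructed feature vector
    fob = Fob(device_id, key, template)
    reader = Reader(b"door-7", {device_id: key})

    # Genuine use: right finger, fresh challenge.
    near = template[:15] + bytes([template[15] ^ 0x03])   # 2 bits off the template
    n1 = reader.challenge()
    r1 = fob.respond(reader.reader_id, n1) if fob.present_finger(near) else None
    genuine = r1 is not None and reader.verify(n1, r1)

    # Replay: an attacker who sniffed (n1, r1) presents them again.
    replay_accepted = reader.verify(n1, r1)

    # Wrong finger: the fob never unlocks, so there is nothing to send.
    n2 = reader.challenge()
    fob.present_finger(bytes(b ^ 0xFF for b in template))
    wrong_finger_answered = fob.respond(reader.reader_id, n2) is not None

    return {"genuine": genuine, "replay_accepted": replay_accepted,
            "wrong_finger_answered": wrong_finger_answered}


if __name__ == "__main__":
    print(fob_demo())
```

The reader keeps the template entirely out of the exchange: all it ever learns is that a device it has a key for answered its own fresh nonce, which is the property Prosser describes. The choice of a MAC over a nonce rather than a fixed "encrypted code" is the example's own, made so that the second use of a captured response fails.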

The $179 fob, which has been on the market for just eight months, has
already been tested by North Carolina law enforcement to verify the
identities of truck drivers who haul hazardous materials, and is one
of two fingerprint-based technologies in a Transportation Security
Administration-funded pilot program to tighten airport worker
security, according to Megan Prosser, product manager for Privaris.

Though the mention of biometrics often invokes worries of Big Brother,
privacy should not be a concern, according to Prosser.

"The fingerprint template never leaves the device, so there's no need
for a biometric database, which eliminates privacy concerns," Prosser

Callas likes the idea since it takes something like a secure parking
access card that works well enough and makes it better, by adding a
layer of authentication.

"They are one-plussing it," Callas said.

Callas also counts himself a fan of WholeSecurity, a company that
works to prevent spoofing, worms, key logging and phishing attacks.  
But the company's software eschews the typical strategy of relying on
blacklists of virus names or of websites pretending to be PayPal.

Instead, the company's software looks for behaviors or signs that a
website with the Citibank logo is fake or that a computer on a
corporate network is trying to send out information in a sneaky

Callas prefers this approach to relying on lists that might only get
updated after attacks have been reported elsewhere.

"WholeSecurity is cool because they are behavior-based," Callas said.  
"Their rules are that nobody should be e-mailing this information or
that this application should not be sniffing and that you should not
be going to an unknown website with Citibank's logo and entering
password information."

While most computer users won't find themselves using the full,
always-on power of WholeSecurity's software -- which is sold only as
enterprise software -- many already use the company's technology
without even knowing it.

For example, eBay included the company's anti-phishing algorithms in
its Internet Explorer toolbar.

Though Callas is a technologist through and through, he also likes the
simplicity of a service called Authentify, which helps cut down on
online fraud using an antique technology known as the telephone.

Companies use Authentify to verify a customer's ID when a person first
signs on to their bank account or if an account primarily used for
checking balances is used at 4 a.m. to transfer $10,000 to an account
in the Ukraine, according to CEO Peter Tapling.

The software pops up a screen that informs the user that a quick phone
call to one of the phone numbers associated with the account is
necessary to complete the transaction.

The company then calls the number and asks for some authentication
information or records the person's voice.
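The flow described above, as an added example in Python that is not Authentify's software or code: a small risk engine decides when a transaction needs the phone call (first sign-on, an unusually large transfer, a foreign destination, off-hours activity), and an out-of-band verifier places the call to the number on file, binds the spoken code to that exact transaction, and accepts it only once, within a short window and a bounded number of attempts. The thresholds, account profile, phone number, fake telephony callback and fake clock are all constructed assumptions.

```python
"""Added example (not Authentify's software): risk-triggered step-up
authentication over an out-of-band phone call. Thresholds, names and
the stand-in telephony/clock are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Txn:
    account: str
    kind: str            # "balance" or "transfer"
    amount: float
    dest_country: str    # country of the receiving account, "" if none
    hour: int            # local hour of day, 0-23
    first_login: bool


# Constructed per-account profile of what "normal" looks like for this customer.
PROFILES: Dict[str, dict] = {
    "acct-1001": {"home_country": "US", "usual_max_transfer": 500.0},
}


def step_up_reasons(txn: Txn) -> List[str]:
    """Return the risk signals that require an out-of-band call (empty list = none)."""
    p = PROFILES[txn.account]
    reasons = []
    if txn.first_login:
        reasons.append("first sign-on")
    if txn.kind == "transfer":
        if txn.amount >= 10 * p["usual_max_transfer"]:
            reasons.append("amount far above usual")
        if txn.dest_country and txn.dest_country != p["home_country"]:
            reasons.append("destination outside home country")
        if txn.hour < 6:
            reasons.append("off-hours transfer")
    return reasons


def txn_digest(txn: Txn) -> bytes:
    """Bind a challenge to exactly this transaction (frozen dataclass repr is stable)."""
    return hashlib.sha256(repr(txn).encode()).digest()


class OutOfBandVerifier:
    TTL_SECONDS = 120
    MAX_ATTEMPTS = 3

    def __init__(self, phones: Dict[str, str],
                 place_call: Callable[[str, str], None], now: Callable[[], float]):
        self._phones = phones           # number on file from enrolment, never from the session
        self._place_call = place_call   # telephony stand-in: speaks the code to that number
        self._now = now
        self._pending: Dict[str, list] = {}

    def start(self, txn: Txn) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self._pending[cid] = [txn_digest(txn), code, self._now() + self.TTL_SECONDS, 0]
        self._place_call(self._phones[txn.account], code)
        return cid

    def complete(self, cid: str, txn: Txn, entered: str) -> bool:
        rec = self._pending.get(cid)
        if rec is None:
            return False                                  # unknown or already used
        digest, code, expires, attempts = rec
        if self._now() > expires or attempts >= self.MAX_ATTEMPTS:
            del self._pending[cid]
            return False
        rec[3] += 1
        if not hmac.compare_digest(digest, txn_digest(txn)):
            return False                                  # transaction changed since the call
        if not hmac.compare_digest(code.encode(), entered.encode()):
            return False
        del self._pending[cid]                            # single use
        return True


def step_up_demo() -> dict:
    calls: List[tuple] = []
    clock = [1_000_000.0]
    v = OutOfBandVerifier({"acct-1001": "+1-555-0100"},
                          lambda number, code: calls.append((number, code)),
                          lambda: clock[0])
    routine = Txn("acct-1001", "balance", 0.0, "", 14, False)
    risky = Txn("acct-1001", "transfer", 10_000.0, "UA", 4, False)
    altered = Txn("acct-1001", "transfer", 10_000.0, "DE", 4, False)

    cid = v.start(risky)
    spoken = calls[-1][1]
    wrong = "000000" if spoken != "000000" else "111111"
    out = {
        "routine_reasons": step_up_reasons(routine),
        "risky_reasons": step_up_reasons(risky),
        "wrong_code": v.complete(cid, risky, wrong),
        "altered_txn": v.complete(cid, altered, spoken),
        "genuine": v.complete(cid, risky, spoken),
        "replay": v.complete(cid, risky, spoken),
    }
    cid2 = v.start(risky)
    clock[0] += OutOfBandVerifier.TTL_SECONDS + 1
    out["expired"] = v.complete(cid2, risky, calls[-1][1])
    return out


if __name__ == "__main__":
    print(step_up_demo())
```

Two details carry the security value. The call goes to the number recorded at enrolment, so a phisher who controls the web session cannot redirect it, and the code is bound to the digest of the specific transfer, so a code obtained for one transaction cannot authorize a different one.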

Though two years ago Authentify executives were wondering whether they
had a decent business model, last year the company handled 4 million
transactions and called 165 countries using voice recordings in 30
different languages.

One ISP, which found itself battling to keep spammers from signing up
for accounts and then sending millions of e-mails before the new
accounts got terminated, has eradicated the problem by using
Authentify and simply requiring new customers to have their responses

"For real customers, it is very easy. For phishers, it's game over,"  
Tapling said.

Callas loves the simplicity of the solution, which he compared to the
days of bulletin board systems, when administrators concerned about
unknown people dialing into their modem bank would call the
prospective user back on a regular phone line.

"Spammers don't want to have their voice recorded on tape," Callas
said. "This is a great deterrent factor. It gets rid of untraceability,
which a lot of network attacks rely on."
