Lloyds TSB recently informed some of its on-line banking
customers that their home computers had been infected with a virus
which stole passwords. The bank warned customers, including
one with protection software installed, that the virus was
difficult to detect and could have been downloaded
unknowingly.
The case highlighted the problem that providers of web services
such as internet banking face in ensuring that the client's access
device - the home computer - is free from the types of viruses
which can take and relay screenshots of login details and pass them
on.
The problem will persist so long as providers lack the means to
trust a computer they themselves do not manage, but which their
customers or employees might use to access their network remotely,
according to Dr Bernard Parsons, CTO of
BeCrypt, a
UK software security company founded in 2001.
BeCrypt works with government departments and banks which are
using its trusted client product to overcome threats from
unmanaged PCs - computers which are not controlled by the
service provider - when working remotely.
A trusted client is a device controlled by the user of a web
service, but with restrictions designed to prevent its use in ways
not authorised by the provider of the service. That is, the client
is a device that vendors trust and then issue to the users they
don't or can't trust.
The concept builds on the ideas put forward by IT security group
the Jericho Forum, which advocates defending sensitive corporate
data and data flows more, and protecting individual items of
equipment less.
If you think of an armoured car delivering cases of money to a
bank, it is the cases of money and not the car which should be
armoured, since it is the money and not the car that needs
protecting. Trusted client computing is a step up from traditional
methods of security controls, says Parsons.
"Encryption technologies such as Secure Sockets Layer (SSL) and
virtual private networks (VPNs) can be used to protect data in
transit and network access control (NAC) software can check that
virus definitions are current. But you have no trust in the end
point [the user's computer]. If you allow the OS to run you can't
be guaranteed safe from the malicious software within it," he said.
BeCrypt has developed a bootable USB device with an operating
system - a security-modified version of Linux Debian. The entire
stick, including the operating system, is encrypted, so when a user
plugs the stick into an unmanaged machine the first thing they see
is an authentication screen. After the user provides a username and
password, the operating system is decrypted and loaded from the
USB device.
"This way, nothing on the computer you're using is allowed to
run. It doesn't matter how compromised the operating system is or
what malicious applications are on there. The user is not exposed
to any vulnerability," said Parsons.
He said the notion of trusted computing has two main
applications, in
business continuity and
mobile working. Business continuity is high on the government's
agenda and is something it is keen to promote, said Parsons.
"If a company wanted to put a business continuity plan in place,
it would need to put in an infrastructure that allows someone to
access corporate resources when they can't get into the office.
In this case they are more likely to be using their home machine
or any machine they can gain access to. But whichever they use, I
don't manage that machine, so I have no confidence of the level of
security."
Mobile working and collaboration can also pose challenges that
warrant a form of trusted client computing. Law firms often work on
a project collaborating with other organisations, but they cannot
connect to their own systems when they're on site at a different
location. "They don't have the same level of trust and even when
working abroad, they can't be sure that international offices have
the same level of security as UK departments," said Parsons.
Parsons believes the trend towards trusted computing will become
more common among companies as attacks become surreptitious and
businesses begin taking hits. "Banks set their own limit over how
much money they're prepared to lose each year from malicious
software. When that reaches a certain threshold they have to change
their approach to security."