Lloyds TSB recently informed some of its on-line banking customers that their home computers had been infected with a virus which stole passwords. The bank warned customers, including one with protection software installed, that the virus was difficult to detect and could have been downloaded unknowingly.
The case highlighted the problem that providers of web services such as internet banking face in ensuring that the client's access device - the home computer - is free from the types of viruses which can take screenshots of login details and relay them.
The problem will persist so long as providers lack the means to trust a computer they themselves do not manage, but which their customers or employees might use to access their network remotely, according to Dr Bernard Parsons, CTO of BeCrypt, a UK software security company founded in 2001.
BeCrypt works with government departments and banks which are using its trusted client product to overcome threats from unmanaged PCs - computers which are not controlled by the service provider - when working remotely.
A trusted client is a device controlled by the user of a web service, but with restrictions designed to prevent its use in ways not authorised by the provider of the service. That is, the client is a device that vendors trust and then issue to the users they don't or can't trust.
It builds on the ideas put forward by IT security group the Jericho Forum, which advocates defending sensitive corporate data and data flows more and protecting individual items of equipment less.
If you think of an armoured car delivering cases of money to a bank, it is the cases of money and not the car which should be armoured, since it is the money and not the car that needs protecting. Trusted client computing is a step up from traditional methods of security controls, says Parsons.
"Encryption technologies such as Secure Sockets Layer (SSL) and virtual private networks (VPNs) can be used to protect data in transit and network access control (NAC) software can check that virus definitions are current. But you have no trust in the end point [the user's computer]. If you allow the OS to run you can't be guaranteed safe from the malicious software within it," he said.
BeCrypt has developed a bootable USB device with an operating system - a security-modified version of Linux Debian. The entire stick, including the operating system, is encrypted, so when a user plugs the stick into an unmanaged machine the first thing they see is an authentication screen. After the user provides a username and password, the operating system is decrypted and loaded from the USB device.
"This way, nothing on the computer you're using is allowed to run. It doesn't matter how compromised the operating system is or what malicious applications are on there. The user is not exposed to any vulnerability," said Parsons.
He said the notion of trusted computing has two main applications, in business continuity and mobile working. Business continuity is high on the government's agenda and is something it is keen to promote, said Parsons.
"If a company wanted to put a business continuity plan in place, it would need to put in an infrastructure that allows someone to access corporate resources when they can't get into the office.
"In this case they are more likely to be using their home machine or any machine they can gain access to. But whichever they use, I don't manage that machine, so I have no confidence in the level of security."
Mobile working and collaboration can also pose challenges that warrant a form of trusted client computing. Law firms often work on a project collaborating with other organisations, but they cannot connect to their own systems when they're on site at a different location. "They don't have the same level of trust and even when working abroad, they can't be sure that international offices have the same level of security as UK departments."
Parsons believes the trend towards trusted computing will become more common among companies as attacks become surreptitious and businesses begin taking hits. "Banks set their own limit over how much money they're prepared to lose each year from malicious software. When that reaches a certain threshold they have to change their approach to security."
This was first published in February 2008