Friday, July 25, 2008

Firstrade Partnership Launches.

The entire SafeCentral team is thrilled to have announced the formal launch of our partnership with Firstrade this week. Firstrade is providing SafeCentral access to Firstrade accounts free of charge, granting their customers the most secure trading environment available in the world. We are proud to partner with Firstrade's consistently top-rated online brokerage, and to work with them to make trading even safer.

This is significant when you consider the unique risks posed by account compromise in the trading markets. After all, the exposure of your credit card or bank account information typically impacts just you, while the compromise of trading credentials can lead to stock price manipulation that could affect millions, and the very fabric of the market. An example of this occurred recently, with the 'pump and dump' scheme executed using stolen credentials from two other trading firms. The resulting $22 Million in losses could have been prevented if users had been using secure browsing tools like SafeCentral.

Wednesday, July 23, 2008

PCMag.com Reviews SafeCentral

In my line of work, you grow accustomed to product reviews and opinions that either praise or punish the monumental efforts of the company. Most reviews are fair, and most are conducted with integrity and impartiality. However, nothing is more rewarding or satisfying than a review or opinion piece that begins by understanding and validating the fundamental purpose of a product or service correctly. Such is this review from PCMag.com's Neil J. Rubenking, which truly 'gets it' with regard to SafeCentral's raison d'être.

We're already working on a few of the small requests noted in this review (Password Manager coming soon!), while the rest of Neil's analysis captures and validates SafeCentral's revolutionary security promise superbly. Please give it a read and share your comments.

Monday, July 7, 2008

Take the Guided Tour!

I've posted a 5-part "Guided Tour" on the release version of SafeCentral. This is the most complete and compelling look at the entire service, and should help even SafeCentral veterans understand the service a little better.

http://www.safecentral.com/howitworks/Guided_Tour.html


Your feedback and comments are appreciated.

Wednesday, June 25, 2008

The Road to Safety

One of the biggest challenges with any security product is trying to find the proper balance between security and usability. The two goals often seem at odds with one another; after all, for each thing you make possible, you may open a door for exploitation. We made it a priority at the beginning of the SafeCentral project NOT to sacrifice the security of our solution, so we've been tirelessly seeking ways to provide a seamless experience without softening the security promise. The suspend/resume functionality I previewed earlier (now in the live build) is an example of that. We provided the ability for SafeCentral to seamlessly co-exist with your other applications/activities, without inviting the weaknesses of those applications into our safe environment.

We've achieved similar success with a new browser plug-in feature that actually INCREASES the security of our product by offering configurable alerts to the user when the site they're trying to visit might warrant the extra safety of SafeCentral. The same framework can be used to prevent phishing, by filtering URLs against known phishing sites. The great thing about this function is that it doesn't alter or weaken the security of the SafeCentral environment in exchange for simplicity, but provides the user with a completely seamless experience that makes SafeCentral a part of their normal workflow. I like to think of SafeCentral as the secure companion to your everyday browsing, and nothing makes that companion easier to access than this plugin feature.



As a self-described technology geek, I'm often asked by friends, neighbors and relatives for advice on what electronics to buy. One of the most common requests is which camera to get. I've read the reviews, tested various units, and formed plenty of opinions about the features that I think matter most. However, I often recommend a camera with lower resolution, fewer features, and other sacrifices. Why? Because "the worst picture you can take is the one you never take". Which is my way of saying that features and image quality are great, but if you don't have your camera with you because you can't stand lugging it around, all of those features aren't going to matter. So, get the small one that fits in your pocket. The same principle applies to security software design; the only security that matters is the security that you use.

So, we've gone to great lengths to provide many 'on-ramps' to the SafeCentral experience: the Programs menu, desktop icons, the taskbar, your normal browser and more all can invoke a SafeCentral session. As a user, that means you'll have the option to enter the safe environment whenever the whim, need, or opportunity arises, without having to remind or retrain yourself to do it. That, more than anything, is the most powerful form of security: security you'll use.
The attached video previews the plugin function; I welcome comments and look forward to its release in our July build.

Tuesday, June 10, 2008

Testing Confirms SafeCentral Security

Sometimes you can get so caught up in the work to build, prepare and launch a product into market, that you forget to stop and measure it against your original vision. Does it solve the problem you intended to solve? After all, the rest is just presentation and packaging; if you don't meet the benefit statement you've promised your customer, you've already failed.

With that in mind, we commissioned IRM's world-renowned security testing team to evaluate SafeCentral. We were ecstatic to see that SafeCentral met or exceeded every claim, and indeed is 'certified' to provide true privacy when transacting online. We've outlined the results in a Press Release this morning, but I wanted to take a moment here to elaborate on the report.

There are 3 points of peril when it comes to sharing sensitive information online. First, and most importantly, is the user's PC. A compromised system infested with spyware agents is an identity thief's greatest ally. Second is the connection to the site; you can't transact safely unless you know who you're transacting with (and know with certainty that it IS the site you intend). And finally, there is the authentication of user and site to one another. With multi-factor authentication, websites have done a pretty good job guarding #3, but items 1 and 2 have been left open for far too long. SafeCentral was built to shore up these holes.

According to the IRM Report:

In all scenarios, it was observed that SafeCentral adequately protected a user's browsing session by ensuring no keystrokes entered in the secure Firefox web browser were intercepted. Viewing logs from various keyloggers clearly indicated that keystrokes entered for the duration SafeCentral was active were clearly missing. This was true for both user and kernel land keyloggers.
SafeCentral was built to cripple desktop spyware agents, like screen-scrapers and key-loggers, even if they're successfully installed and functional on the user's PC. Every one of the more than 20 spyware agents thrown at SafeCentral was unable to capture the activities during the SafeCentral session. And on item #2:

The first test involved editing the virtual machine's "host" file to contain static entries that would redirect requests for websites supported by SafeCentral to test websites set up by IRM consultants. However, when SafeCentral was launched, the user was not redirected to the static entries and was presented with genuine websites.

SafeCentral identifies the websites you're visiting against our known directory of safe sites, and ensures that you can't be redirected to phishing/pharming sites meant to steal your credentials.
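As an added example (not SafeCentral's code and not IRM's test harness), here is a small Python check a defender could run over a hosts file to spot the kind of static redirection entries the test above set up: any entry that pins a protected hostname to an address other than the one a trusted directory lists. The hosts content and the safe-site directory are constructed stand-ins with hypothetical hostnames and addresses.

```python
import ipaddress

# Constructed sample hosts file (not a real system file), modelled on the
# static-entry redirection test described in the IRM report.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost          # IPv6 loopback
# redirect two brokerage hostnames to a server the attacker controls
203.0.113.10    www.example-broker.test login.example-broker.test
127.0.0.1       ads.example-tracker.test
not-an-ip       www.example-broker.test
"""

# Constructed stand-in for a "known directory of safe sites":
# hostname -> addresses we expect it to resolve to (hypothetical values).
SAFE_DIRECTORY = {
    "www.example-broker.test": {"198.51.100.5"},
    "login.example-broker.test": {"198.51.100.5"},
}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Handles '#' comments (whole-line and trailing), blank lines, tab or
    space separation, and several hostnames on one line, as both Windows
    and Unix hosts files allow. Lines whose first field is not an IP are
    skipped, as the resolver would skip them too.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(addr), name.lower()


def find_overrides(text, directory):
    """Return [(hostname, address)] for every hosts entry that pins a
    directory hostname to an address the directory does not list.
    Such an entry bypasses DNS for that site, which is exactly the
    redirection the test above set up."""
    expected = {h.lower(): set(a) for h, a in directory.items()}
    return [(name, addr) for addr, name in parse_hosts(text)
            if name in expected and addr not in expected[name]]
```

Running `find_overrides(SAMPLE_HOSTS, SAFE_DIRECTORY)` reports both brokerage hostnames pinned to 203.0.113.10, while the loopback localhost and tracker entries are ignored.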

Again, while I'm happy to pat ourselves on the back, the important thing here is that we tested ourselves to ensure that we live up to our security claims, and our promise to our customers. There is too much false information and 'snake oil' already in the identity theft sphere; we need to bring real solutions to market.

So, now we'll go back to putting the best possible presentation, polish, and packaging on SafeCentral.

Thursday, June 5, 2008

ID Fraud on the rise

According to leading industry analyst Avivah Litan, and a recent study by Carnegie Mellon cited in this PC World article, Identity Fraud has been on the rise over the last year and a half and is projected to maintain a meteoric rise.

Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are also getting better at what they do, she added. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."

"The thieves are just getting better and there's more fraud," she said.

It appears that despite the recent focus on new authentication systems and stronger data warehouses, the hackers are adjusting their tactics to take advantage of holes in the security chain. As discussed here many times before, the weakest link is likely: You, and your malware-infested PC.

Wednesday, May 21, 2008

ID Theft in the news...

Infoworld took a look at Check Point Software's ZoneAlarm Forcefield, and ultimately walked away unimpressed.

Unfortunately, although ForceField does offer some real improvements over the other products I've reviewed, it wasn't enough to stop malware from infecting my test systems. In less than a minute, by clicking only my third malicious Web site link, my test system was silently compromised without so much as a chirp out of ForceField.
The writer admits to being skeptical about 'sandbox' security clients,

I've reviewed similar over-marketed and under-effective virtualized or "sandbox" security clients over the years (most notably GreenBorder, subsequently acquired by Google), all of which promised to provide superior protection against all malicious Internet threats.
Ultimately, our outlook is that previously proposed solutions fall short thanks to limited security features beyond 'site classification' (prompting the user that a site is safe or 'risky' based on white-list/black-list rules and inaccurate logic) and rudimentary key-logger defenses. No solution to date has offered network level protection, or a secure DNS/Directory to ensure that the user is going only to safe sites. No solution to date offered kernel-level security and the ability to defend itself from attack. SafeCentral is a different kind of sandbox. I hope we have a chance to get this reviewer and others to take a look at SafeCentral.

In other news, LifeLock is facing a new class-action lawsuit claiming that it has made false and misleading claims about the level of 'protection' it provides.

"While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.

"Furthermore, a simple background check performed using Davis' Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old."
To be honest, I'm not sure this lawsuit has merit. I don't view the claims of LifeLock and the myriad of other 'identity insurers' to be PREVENTATIVE at all. They claim to help you discover identity fraud quickly, and mitigate the financial losses associated with a breach (though disguising it as protection). They do nothing to actually STOP identity theft from taking place. Ultimately, they're like an alarm system - it only goes off after a crime has begun. A layered approach is best: start with good defensive measures to protect your identity from theft, and then layer on monitoring/insurance to buffer against a breach.

I'm not sure whether these articles help us by raising the 'noise-level' for the need for greater identity security, or hurt us by defining the problem as 'unsolvable' and establishing a poor reputation for companies associated with Identity Theft/Fraud solutions. Leave a comment and let me know your take.

Tuesday, May 13, 2008

Pain in the aaS?

I was forwarded this article from the Economist which outlines the new "as-a-service" model now being adopted by cyber criminals. The article makes an excellent point about the continuing migration of software from boxed discs to online services that we 'rent' or use as necessary, and points out the inevitable migration of that model to include malware. Want to conduct a denial-of-service attack on a website without having to build your own army of zombie PCs, or even having any hacking skills at all? You can. Just rent the access from an established cyber-criminal and you can 'borrow' their hack for your personal mission of destruction.

The tone of the article suggests that "as-a-service" is becoming a dirty word, which may be true. However, I think the term is accurate and that the model actually provides an opportunity for greater security. After all, with services living 'in the cloud' you're less prone to local attacks, and the effects are less likely to impact other applications. What's required is secure access to those 'in the cloud' services, so that each session becomes a trip into a secure portal isolated from everything else...I might know something that's a possible solution for that.

Monday, May 12, 2008

FBI Internet Crime Complaint Center (IC3) Report

I was reviewing the latest report from the FBI on internet crime, and found that the disturbing trend of skyrocketing losses continues, despite the number of claims holding relatively steady from its peak in 2005. This confirms that the cyber-thieves are refining their tactics to focus on extracting more money from every breach or scam. The report includes all types of cyber-crime, but only tallies those that are reported to the IC3, so it's safe to presume that the actual numbers are much higher.

The report calculates that the 206,884 claims received via the IC3 website in 2007 resulted in more than $239 Million in losses. While only a small portion of the cases were specifically cited as 'Identity Theft', all were related to conducting business via criminal websites, email, or auctions. This reinforces the notion that email is a broken system, and that people really do fall for the "Nigerian Letter" scam (1.1% of complaints!). It also demonstrates that the general trust of the internet, websites, and email infrastructure is going to continue to decline, as users discover that there is really no way of knowing the origin of a message, or that they can be sure to visit the website they intend.

Perhaps most disappointing, as a current Florida resident, is the state's #2 position among the top homes for perpetrators. Thankfully I work for a security firm and my home Wi-Fi network is secured (as best as possible); you never know who the internet criminals are.

Thursday, May 8, 2008

SafeCentral Video Introduction

Just finished a brief SafeCentral introduction video; you can see it here.



I learned something in making these snippets: trust your instincts. I wanted 3 segments outlining (1) the threats people face when transacting online, (2) the solution SafeCentral provides, and (3) a brief overview of the user experience; I also wanted each segment to be no longer than 1.5 minutes. Trying to fit a complex technical discussion, demonstration, and value proposition into that timeframe forces you to plan a tight script. However, when I actually sat down to record the sessions (which are live screen-captures, not over-dubs), I realized that winging it was a better and more natural way to go.