http://www.wired.com/news/privacy/0,1848,66647,00.html

By Ryan Singel
Feb. 18, 2005

SAN FRANCISCO -- The 2005 version of the nation's pre-eminent cybersecurity conference features hundreds of speakers and 275 exhibitors bombarding the estimated 13,000 attendees with PowerPoint presentations and free USB memory keys in an effort to sell their particular firewall, smart card or fingerprint reader.

To find some of the most interesting offerings on the floor, Wired News met up with cryptography expert Jonathan Callas, who has been attending the RSA Conference since 1993, when the show had fewer attendees than there are exhibitors in 2005.

Callas currently serves as the CTO of PGP, a company that sells encryption software to corporations and government and is now working to make e-mail encryption easy for almost anyone with a computer.

Callas took time from working the floor to give Wired News a kick-the-tire tour of the expo, where vendors vie to scan the high-tech conference badges of potential clients or partners.

Here are three companies that Callas thought were interesting enough to turn over his badge to for scanning -- not the best or worst of show, just a few he found innovative and clever, or worth a further look.

As usual, RSA included a slew of biometric applications, from iris readers to fingerprint scanners. Though Callas started the tour expressing skepticism about previous years' biometric offerings, he turned over the badge to at least one company selling a fingerprint reader.

Privaris is a small Fairfax, Virginia-based startup that makes a key-chain-size fingerprint fob that can be used to log on to a computer, open a garage door or enter a building.

The reader, which has 300 Kb worth of memory, matches a person's fingerprint to a template stored on the device, and then sends an encrypted security code to any remote reader, using either Bluetooth or low-frequency RFID (without being vulnerable to bluesnarfing).
The $179 fob, which has been on the market for just eight months, has already been tested by North Carolina law enforcement to verify the identities of truck drivers who haul hazardous materials, and is one of two fingerprint-based technologies in a Transportation Security Administration-funded pilot program to tighten airport worker security, according to Megan Prosser, product manager for Privaris.

Though the mention of biometrics often invokes worries of Big Brother, privacy should not be a concern, according to Prosser.

"The fingerprint template never leaves the device, so there's no need for a biometric database, which eliminates privacy concerns," Prosser said.

Callas likes the idea since it takes something like a secure parking access card that works well enough and makes it better, by adding a layer of authentication.

"They are one-plussing it," Callas said.

Callas also counts himself a fan of WholeSecurity, a company that works to prevent spoofing, worms, key logging and phishing attacks.

But the company's software eschews the typical strategy of relying on blacklists of virus names or of websites pretending to be PayPal. Instead, the company's software looks for behaviors or signs that a website with the Citibank logo is fake or that a computer on a corporate network is trying to send out information in a sneaky manner.

Callas prefers this approach to relying on lists that might only get updated after attacks have been reported elsewhere.

"WholeSecurity is cool because they are behavior-based," Callas said. "Their rules are that nobody should be e-mailing this information or that this application should not be sniffing and that you should not be going to an unknown website with Citibank's logo and entering password information."

While most computer users won't find themselves using the full, always-on power of WholeSecurity's software -- which is sold only as enterprise software -- many already use the company's technology without even knowing it.
For example, eBay included the company's anti-phishing algorithms in its Internet Explorer toolbar.

Though Callas is a technologist through and through, he also likes the simplicity of a service called Authentify, which helps cut down on online fraud using an antique technology known as the telephone.

Companies use Authentify to verify a customer's ID when a person first signs on to their bank account or if an account primarily used for checking balances is used at 4 a.m. to transfer $10,000 to an account in the Ukraine, according to CEO Peter Tapling.

The software pops up a screen that informs the user that a quick phone call to one of the phone numbers associated with the account is necessary to complete the transaction. The company then calls the number and asks for some authentication information or records the person's voice.

Though two years ago Authentify executives were wondering whether they had a decent business model, last year the company handled 4 million transactions and called 165 countries using voice recordings in 30 different languages.

One ISP, which found itself battling to keep spammers from signing up for accounts and then sending millions of e-mails before the new accounts got terminated, has eradicated the problem by using Authentify and simply requiring new customers to have their responses taped.

"For real customers, it is very easy. For phishers, it's game over," Tapling said.

Callas loves the simplicity of the solution, which he compared to the days of bulletin board systems, when administrators concerned about unknown people dialing into their modem bank would call the prospective user back on a regular phone line.

"Spammers don't want to have their voice recorded on tape," Callas said. "This is a great deterrent factor. It gets rid of untraceability, which a lot of network attacks rely on."