Last month I blogged about Zfone. The Mac version is now out for public beta. A Windows version is expected for mid-April. Some aspects remind me of the PGPfone product of the last decade but updated to support the now common SIP protocol used by VOIP applications. However, unlike PGPfone, Zfone is not a standalone client but rather middleware that runs along side, and adds encryption capabilities, to a user’s already existing SIP softphone client.
In a related story, the VOIP and Gadgets Blog reports that Counterpath is set to release version 1.5 of its EyeBeam VOIP and video conferencing client – and one of the features is support for Secure Real-time Transport Protocol (SRTP) streams to secure the voice and video connections. While it is still extremely difficult to find a VOIP service provider that supports SRTP encryption, hopefully making the capability available to a wide group of potential users will generate demand and lead to the wider availability of more secure VOIP services.
After notes were found in a Google presentation for analysts, stories are circulating that Google may have plans in the works for an online drive which can be used to store a copy of certain data on a user’s hard drive. There will probably be privacy concerns identified but I wonder how long it would be before someone develops a hack (an “enhancement”) that can encrypt the data before it is sent to Google’s servers.
cnet News has an article about a new type of trojan that waits until an infected user logs into their bank account and then activates to transfer money out of the account. Password stealing trojans used to be the big concern (and probably still are an important threat). However, this new bread of trojan can defeat enhanced authentication schemes (such as two-factor authentication) and similar types of security measures implemented by banks, since they don’t need to grab a password or deal with getting access to an offline security token device. They simply wait for the user to do whatever is required to log in, and then they take over the computer and carry out their dirty business. Of course, these trojans have to be programmed with the intelligence for specific banking sites.
RSA Security has announced that it is working on initiatives to permit a broad range of portable devices to serve as SecurID authenticators. This will mean that businesses won’t have to procure additional token devices and that employees and customers will not need to carry yet another stand-alone token. According to RSA Security’s press release:
Continue reading RSA SecurID Security Tokens on mobile devices
From InfoWorld: The VeriSign Fraud Detection Service will incorporate Snapcentric’s anomaly detection software, which tracks how a user normally accesses an online banking site and then flags unusual patterns in behavior. If the software detects abnormal online behavior, however, a user may be required to answer a question or respond to an e-mail or phone message with a one-time code.
This service should be another useful tool that US financial institutions can potentially look to in order to comply with recent FFIEC guidelines (which state that user names and passwords are no longer sufficient for high-risk transactions).
A group of leading security software vendors (McAfee, Symantec, Trend Micro, ICSA Labs, and Thompson Cyber Security Labs) have announced an industry initiative to establish standards for identifying spyware and testing methodologies. Testing against common evaluation criteria is expected by such vendors to help them combate competition from other vendors whose products they claim are not as effective at detecting and removing spyware.
There is currently some debate about what constitutes spyware as some vendors of “adware” and employee-monitoring software have raised objections about having their products classified as spyware and being removed by anti-spyware systems.
I recently came across information about an interesting hardware-based VPN firewall. Its made by a company called Phantom Technologies and is called the iPhantom. The device connects to the ethernet port of a computer or router (so that it can be used to protect multiple computers at a remote location or for use in a small office). It then sets up a highly encrypted VPN tunnel to Phantom Technologies data center so that all traffic is routed back and forth to that data center. This can be useful to help protect a remote computer being used at a public location (such as a hotel) or in a foreign country where the information may be susceptible to interception. Unfortunately, its not very useful for laptops being used at wi-fi hotspots. It can also help protect against viruses and adware because all data being accessed from the Internet is scanned at the Phantom Technologies data center.
Note that the data is still susceptible to interception by anyone monitoring traffic moving into or out of Phantom Technologies data center. Also, an ongoing subscription is required in order to use the device.
Yesterday, E*Trade Financial has announced the launch of its E*TRADE Completeâ„¢ Protection Guarantee, providing complete fraud coverage, as well as complete bill payment protection and complete privacy protection to all customers. As part of that program, E*Trade will reportedly reimburse any customer who is the victim of fraudulent activity. Hopefully this step will encourage other competitors or even the banks to follow. If these financial institutions step up to take some of the risk of online fraud then maybe we will see more secure authentication systems implemented.