The Espionage

I found this story over at Digg today about preventing spyware and hijacks on your computer. The story is written by Christopher Null of Yahoo! It has some helpful tips.

Share It!

Can you build a website that diffuses spyware by itself? Yes! I will explain how we did this with a little javascript, a little html, and a lot of logic. We call our solution a Shaker List™. Think of it as a special captcha code.

Captcha codes are web filters. They filter out spam. A Shaker List is a web filter too. It filters out spyware, pharming, and phishing. How does it work? Your favorite websites are displayed on screen after you have authenticated partially. At that time, you select a handful of your reserved favorites.  Choosing the correct items grants full access.  With careful logic, this process can diffuse spyware (if you need briefed on how spyware attacks a web page, see our Internet Security Monster post).

Why build a website that can diffuse spyware?

• To strengthen an online identity.
• To assist anti-spyware.
• To prove that it can be done.

Any or all of these reasons will do. Consider the following.

1.) Phishing relies on a common authentication experience. If you stagger the authentication to show a personalized item in between credentials, your website becomes phishing resistant.

On the topic of phishing, identity expert Ben Laurie says “any mechanism that can be imitated by a web page is dead in the water“. The keyword is imitation. Does our Shaker List eliminate the ability to imitate? Conveniently, everyone’s list of favorite websites is custom. That makes a Shaker List hard to imitate aka phishing resistant. Correct me if I am wrong, but doesn’t that make it pharming resistant as well? Any pharming site will not know the correct list of favorites to display to the end user.

2.) If you build in authentication that does not require typing then you avoid all keyloggers.

A Shaker List is filled out by hovering over the checkboxes that appear right beside your favorite websites. No typing.

3.) If your authentication is not somewhat innate, it will be unintentionally forgotten.

Anytime you are talking about favorite things, you are talking about an innate topic. Favorite websites are part of your personality. That makes a list of favorite websites a good identifier.

4.) If your authentication is too simple, it can be guessed.

A Shaker List has scalable complexity. Build a large list of favorites if you don’t want the challenge to be simple. Choose several favorites in your Shaker List to make the challenge even harder.

A Long List of Favorites + A Handful of Shaker List Favorites = Not Easy To Guess

5.) If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.

A Shaker List challenge displays all favorites in a list straight down the screen. My Shaker List runs five screens deep if scrolling from top to bottom in the browser. Thats hard to capture in one screen shot

6.) If your authentication does not require clicking, then it is hard to take a screen shot on a click.

A Shaker List is filled out by hovering over the checkboxes that appear in front of your favorite websites. No clicking.

7.) If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.

If a Shaker List is being guessed at, it locks down and requires additional information. The additional information required is called a Secret Agent. If you are ever being attacked, you will need your Shaker List and your Secret Agent to bail you out!

8.) If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.

The Secret Agent is extremely innate. Its not a maiden name, middle name, or zip code. Those things can be researched.

9.) If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

My Secret Agent is rather comical. I want it that way. That makes it easy to remember. It is not a diluted request like memorizing yet another password. How many other identity systems ask you to remember a Secret Agent? Not many. Good.

You can practice the Shaker List if you want to. We have a page for that here. Just a note. The Shaker List practice page does not lock down if you guess too many times incorrectly. Our implementation at Spyshakers.com does lock down though.

Share It!

Last post I described several hazards to an internet identity on the user end. Spyware was talked about a lot. It is the 800 pound gorilla in the room that no one ever wants to talk about. I explained why anti-spyware isn’t always good enough to save you. That amplifies the problem. It’s just not popular enough yet to fear. But spyware products are innovating. They are scary stealth and sophisticated. With every revision, they get simpler to use. You can’t ignore that. That’s a gorilla riding a bull in a china shop.

You could approach the solution in several ways. You could cross your fingers and rely on anti-spyware. You could rely on an identity management system that authenticates directly between the local operating system and the websites themselves (I think this is what Cardspace does, but I am not sure of all of its spyware resistant features). Maybe other identity systems try to resist spyware as well. In our case, we are going to try to build a web-based, spyware resistant solution.

Now, if this spyware resistance I speak of cannot be done with a simple user experience in mind, then I say take the losses and scrap it. But follow me. What would it take? What would it take to build a website that is spyware resistant? Can we get phishing resistant too? I know we can. Consider the following bullets (with some of the points taken from my previous post The Internet Security Monster). I will describe how we implemented these bullets in an upcoming post.

• Phishing relies on a common authentication experience. If you stagger the authentication to show personalization before all credentials are supplied, your website becomes phishing resistant.

• If you build in authentication that does not require typing then you avoid all keyloggers.

• If your authentication is not somewhat innate, it will be unintentionally forgotten.

• If your authentication is too simple, it can be guessed.

• If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.

• If your authentication does not require clicking, then it is hard to take a screen shot on a click.

• If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.

• If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.

• If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

Share It!

I have been talking a lot about philosophy and identity. I wanted to mix it up with this post. Let’s talk security. Let’s talk about internet security. Ohhh man. Here we go. I am going to call this post The Internet Security Monster. What is the Internet Security Monster? He is a mysterious creature.

I’ve heard that the Internet Security Monster does whatever he wants. And no one can do anything about it. That is what I have heard. I have encountered this monster more than most. I will try to define for you the skills of the Internet Security Monster. Please note. These are end user hazards. I am not including security breaches that occur on the back end of websites. That’s a different monster. That’s the Network Security Monster.

1. Deceptive.

The monster will show you websites pretending to be other websites. We call that phishing.  Monster phishes all day long.

2. Intelligent.

Monster uses spyware as his weapon of choice. Typed credentials are captured by spyware. The target web page is captured by spyware. Monster wins.

3. Stealth.

The monster tricks you into believing that anti-spyware will destroy him. Anti-spyware weakens the monster but it does not kill him. Anti-spyware definitely eliminates many threats. But it does nothing against hardware keyloggers or stronger keyloggers that run at the kernel level. It is also difficult for anti-spyware to detect spyware that it is not familiar with. Sometimes the monster is there but you can not see him.

4. All knowing.

Monster knows all. He knows you think that auto-completing all of your passwords saves you from spyware because you are not typing passwords. Spyware can capture your auto-completes. Monster 1. You 0.

5. If he doesn’t know he will guess.

Not all threats come from spyware. Your passwords must have some degree of complexity and length to save you from a brute force hack. Some say eight characters is safe. Some say ten. Monster says three digits. Don’t listen to the monster.

6. X-ray vision.

The monster can see through your house right to your computer screen, so it seems. Sophisticated spyware has screen capturing built in to the program. Pictures can be taken of your computer screen on a tight frequency if this kind of spyware is running (technically down to the second, but more practically once every 30 seconds or so). Some spyware can take screenshots when the mouse is clicked. Pictures are then sent off to a remote location. Scary.

7. Advantageous.

It is innocent, but it happens. You have a few friends over for poker night. You take out the trash. When you come back you are greeted to a screen full of those pictures of your girlfriend that no one was supposed to see. What a shame. Don’t auto-complete the credentials to your email. Bad move. Damn you monster!

8. Mobile.

We know. Your home computer is authenticated by a biometric face scan. Your firewall issues third degree burns, and you run anti-virus, anti-spyware and anti-aircraft weapons. But when you use your friend’s computer, you may be high and dry. The monster can set traps on other people’s computers. Beware.

9. Sticky Fingers.

Damaged, lost, or stolen flash drives means that your collection of passwords could fall into the wrong hands. Monster hands. Hopefully you backed up the flash drive so that you can recover most of the passwords. It gets worse if the password that was protecting the flash drive is weak. In that case, the flash drive can be brute force hacked by the monster. Now your identity is stolen. Here is a box of tissues. You will need them.

10. Copycat.

Copy and paste can be monitored by spyware with clipboard monitoring built in. Monster knows you don’t care, but it’s still true.

In an upcoming blog I will show you how to stop this menace.

Share It!