Themes & Channels
IBM Research Unveils USB “Security-on-a-Stick”
This is a Press Release edited by StorageNewsletter.com on Thu, November 13th, 2008
To protect consumers and banks from the hacker attacks
Resembling a memory stick with an integrated display, a prototype USB device developed at IBM’s Zurich Research Lab brings a new level of security to online banking for consumers. Pilot devices are ready and available to banks for trials.
The Zone Trusted Information Channel (ZTIC) plugs into the USB port of any computer and creates a direct, secure channel to a bank’s online transaction server, bypassing the PC which could be infected by malicious software (malware) or susceptible to hacker attacks.
The consumer can use the security stick to logon and validate all transactions via a display, while the USB device is securely connected to the server, safeguarding against today’s ever more fiendish forms of attacks that can manipulate data in the background, hidden from the consumer and the bank. The USB device adds an extra level of security to the existing authentication solutions provided by smart card, PIN or one-time validation code, in order to counter the newest and most highly manipulative security threats.
Hackers are becoming increasingly inventive in their attempts to attack financial transactions on the Internet. Among the increasingly prominent threats are so called 'Man-In-The-Middle' attacks, where a hacker inconspicuously intercepts and modifies the messages flowing between a user and a financial institution. The modified messages appear to be official transactions from the financial institution, and the messages going to the financial institution appear to be from the consumer.
Malware is an even more fiendish form of attack, where the hacker manages to install a virus or Trojan Horse in a user's personal computer and is then free to manipulate the messages seen by and sent by the user. This allows the attacker to redirect communications and manipulate the data displayed by the internet browser in real-time during the user’s e-banking session and totally unnoticeable to the user's eyes.
Nearly 90 percent of identity attacks online are targeted at the financial services sector. A 2007 international study by the Swiss Reporting and Analysis Centre for Information Assurance (MELANI), found that successful malware intrusions have increased and that currently established “two-factor authentication systems (e.g. transaction authentication numbers, SecurID, etc.) do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware”.
ZTIC provides an extra layer of security in the presence of both of these attacks.
“In the presence of an ever more professionally operating e-crime scene, it became obvious that PC-software based authentication solutions were potentially vulnerable and that we needed to innovate to stay ahead. That was the starting point for developing the ZTIC“, explains Dr. Peter Buhler, Manager Computer Science at the Zurich Research Lab, and adds: “The design of the solution was governed by and is based on the analysis of pros and cons of present and announced alternative solutions.”
This solution effectively moves all the cryptographic and critical user-interface processes away from a consumer’s PC onto the ZTIC device, creating a trusted communication endpoint between the banking server and the user. With the new device, a user can then communicate securely with sensitive online services such as a banking server. In combination with a smart card, which can be inserted into the device, this new solution brings a new level of end-to-end security to online banking.
After initial lab prototypes had been realized by the researchers, first pilot devices have now been industrially manufactured and are ready for trials.
Even if a user’s PC should be infected by malware that manipulates the information flow in the PC, the user can cancel the transaction while displayed on the ZTIC device. What the user sees on the ZTIC display is identical to what the server 'sees', no matter what malicious intervention may occur on the PC or anywhere in the Internet. “Owing to the direct secure connection between ZTIC and server, the device essentially provides a safe window to the server,” states Buhler.
Moreover, the ZTIC has been designed such that no change is required in either the server software or the software running on the client's PC. It runs on all major home computing operating systems.
Technological Specifications
The researchers designed the ZTIC as an USB device of about the same size as a memory stick. It runs the commonly used TLS/SSL protocol. The ZTIC hardware consists conceptually, at a minimum, of a processing unit, volatile and persistent memory, a small display and at least two control buttons (OK and Cancel) as well as an optional smartcard reader. The software is minimally configured with a complete TLS engine including all cryptographic algorithms required by today's SSL/TLS servers, an HTTP parser for analyzing the data exchanged between client and server, plus custom system software implementing the USB mass storage device profile and a networking proxy for running on a PC. It supports TLS/SSL client authentication as well as common chip-card based challenge/response protocols.
The Zone Trusted Information Channel (ZTIC) plugs into the USB port of any computer and creates a direct, secure channel to a bank’s online transaction server, bypassing the PC which could be infected by malicious software (malware) or susceptible to hacker attacks.
The consumer can use the security stick to logon and validate all transactions via a display, while the USB device is securely connected to the server, safeguarding against today’s ever more fiendish forms of attacks that can manipulate data in the background, hidden from the consumer and the bank. The USB device adds an extra level of security to the existing authentication solutions provided by smart card, PIN or one-time validation code, in order to counter the newest and most highly manipulative security threats.
Hackers are becoming increasingly inventive in their attempts to attack financial transactions on the Internet. Among the increasingly prominent threats are so called 'Man-In-The-Middle' attacks, where a hacker inconspicuously intercepts and modifies the messages flowing between a user and a financial institution. The modified messages appear to be official transactions from the financial institution, and the messages going to the financial institution appear to be from the consumer.
Malware is an even more fiendish form of attack, where the hacker manages to install a virus or Trojan Horse in a user's personal computer and is then free to manipulate the messages seen by and sent by the user. This allows the attacker to redirect communications and manipulate the data displayed by the internet browser in real-time during the user’s e-banking session and totally unnoticeable to the user's eyes.
Nearly 90 percent of identity attacks online are targeted at the financial services sector. A 2007 international study by the Swiss Reporting and Analysis Centre for Information Assurance (MELANI), found that successful malware intrusions have increased and that currently established “two-factor authentication systems (e.g. transaction authentication numbers, SecurID, etc.) do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware”.
ZTIC provides an extra layer of security in the presence of both of these attacks.
“In the presence of an ever more professionally operating e-crime scene, it became obvious that PC-software based authentication solutions were potentially vulnerable and that we needed to innovate to stay ahead. That was the starting point for developing the ZTIC“, explains Dr. Peter Buhler, Manager Computer Science at the Zurich Research Lab, and adds: “The design of the solution was governed by and is based on the analysis of pros and cons of present and announced alternative solutions.”
This solution effectively moves all the cryptographic and critical user-interface processes away from a consumer’s PC onto the ZTIC device, creating a trusted communication endpoint between the banking server and the user. With the new device, a user can then communicate securely with sensitive online services such as a banking server. In combination with a smart card, which can be inserted into the device, this new solution brings a new level of end-to-end security to online banking.
After initial lab prototypes had been realized by the researchers, first pilot devices have now been industrially manufactured and are ready for trials.
Even if a user’s PC should be infected by malware that manipulates the information flow in the PC, the user can cancel the transaction while displayed on the ZTIC device. What the user sees on the ZTIC display is identical to what the server 'sees', no matter what malicious intervention may occur on the PC or anywhere in the Internet. “Owing to the direct secure connection between ZTIC and server, the device essentially provides a safe window to the server,” states Buhler.
Moreover, the ZTIC has been designed such that no change is required in either the server software or the software running on the client's PC. It runs on all major home computing operating systems.
Technological Specifications
The researchers designed the ZTIC as an USB device of about the same size as a memory stick. It runs the commonly used TLS/SSL protocol. The ZTIC hardware consists conceptually, at a minimum, of a processing unit, volatile and persistent memory, a small display and at least two control buttons (OK and Cancel) as well as an optional smartcard reader. The software is minimally configured with a complete TLS engine including all cryptographic algorithms required by today's SSL/TLS servers, an HTTP parser for analyzing the data exchanged between client and server, plus custom system software implementing the USB mass storage device profile and a networking proxy for running on a PC. It supports TLS/SSL client authentication as well as common chip-card based challenge/response protocols.
Print this newsWith all the daily news on the worldwide storage industry, this Web site is updated every day
at 4PM in Paris or 9AM in Chicago.
You can subscribe to receive
an email with the most recent headlines.
COMPLETE STORAGE
START-UPS DATABASE
It contains more than 300 current storage
start-ups in the world (2/3 in USA),
listed with the following data:
- company name,
- headquarters, web site,
- CEO,
- year founded,
- business activity,
- yearly financial funding
and total received,
- classsified by sectors.
Complete package for US$390.
To order this unique database
(in Excel format), please contact us
for an invoice by return mail.
MORE THAN 1,700
ONLINE BACKUP COMPANIES
IN THE WORLD
This database contains for each firm:
- company name,
- country
- Web site
To order this unique database
(in Excel format), please contact us
for an invoice by return mail.
COMPLETE DATABASE
OF MERGERS AND ACQUISITIONS
IN THE WW STORAGE
INDUSTRY
More than 800 mergers and acquisitions since 1998 listed, and for each one:
Who bought whom, when, at which price, and the activity of the
acquired company.
Complete package for $450.
To order this unique database (in
Excel format), please contact us for an invoice
by return mail.