Malware-Resilient SAAS and Strong Authentication

Sunday, August 22, 2010

Contributed By:
Eli Talmor

There is good chance that your computer is infested with malware. In most of the cases the purpose of malware is perpetrate Identity Fraud for financial gain of the fraudsters.

The purpose of this blog is to demonstrate the need for Malware-Resilient Software-as-a-Service strong authentication.Malware-resiliency.

The problem we are facing today is that we cannot trust our computers anymore. The passwords we enter are stolen by key loggers, the transaction data we enter in browser is modified by Trojans, etc.

Given the scale of the problem and potential cost, especially in fragile economy, it is highly unlikely that the solution to the problem will be too expensive in terms of up-front, distribution and maintenance costs.

Software-as-a-Service (SaaS) is the natural candidate.

But can SaaS be malware-resilient ? In other words can we trust this SaaS, if we cannot trust our computer??? If this SaaS is computer client-only software - the answer is no. Malware will find ways to circumvent it- no matter how secure it may look.

SaaS must utilize client-server architecture to be trustworthy. We put our trust in server... Strong Authentication.Strong authentication may include a combination of something you have (your PC), something you know (your PIN) and something you are (your Biometrics).

But malware residing on your PC may key-log your PIN and replay your Biometrics, so that your "trusted" server will not be able to detect the problem. Therefore one needs to design the client in such a way that malware will not be able to bypass its security features.

For example it is well known that CAPTCHA is used to distinguish between humans and computer programs. It is also well known that fraudsters use "human service providers" who decode CAPCHA online for few $. Another way to distinguish between malware and humans is SPEECH.

Malware will not be able to speak to PC microphone, while humans can do it quite easily, making malware prevention straightforward , provided all the ways to circumvent it are blocked.

Scalability. Malware-resilient Strong Authentication may be 2-factor (PC ID and PIN) and without the need for extra hardware and to take no more then 5 sec of users time.

If application needs extra level of security , at the expense of longer session (15 sec) - then Live Voice Biometrics can be added.

Cross-posted from www.sentry-com.net/blog

Share This! |

Views:	2957
Categories:	Viruses & Malware
Tags:	malware SaaS

Post Rating I Like this!

Comments:

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"I thought this article discuss a very important issue of security.If we have well developed technology in one particular field then we ..."

Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013

"ATM machine are for our convenience but if we are not careful they can compromise our safety. Discount theater tickets "

ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013

"A expressive case study is used to explore causation in order to find underlying principles. Case studies may be prospective in which c..."

New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013

"In the social sciences and life sciences a case study or case report is a descriptive or descriptive analysis of a someone, group or ev..."

Case Study: A Cloud Security Assessment... Caitlin Rachel on 05-21-2013