Computer-Security Efforts Intensify
As attacks on computer systems multiply, security experts are turning to new, rigorous ways to verify the identity of companies and computer users.
The initiatives, to be discussed at a high-level conference in San Francisco this week, are designed to prevent theft of personal or corporate information as well as reduce unsolicited commercial e-mail, also known as spam. In both cases, unscrupulous mailers often disguise their true identities and e-mail addresses.
In one rapidly spreading scam, known as "phishing," computer users are fooled into revealing credit-card numbers and other confidential information by e-mail that appears to come from legitimate banks or Internet-commerce sites. They are tricked into clicking on hyperlinks that send them to disguised Web sites, set up by identity thieves who may use consumer information to steal money.
Increasingly, however, corporate computer users also have been targeted by bogus e-mail that may appear to come from internal security administrators, asking them to reveal password information that could allow hackers to crack into corporate computer systems.
"It's getting almost impossible to tell whether e-mail is legitimate or not," said Pavni Diwanji, chief executive and co-founder of MailFrontier Inc., a Palo Alto, Calif., start-up that sells security software. "It's not about fooling naive users anymore."
Fraudulent e-mail is expected to be a hot topic at the conference, an annual event hosted by RSA Security Inc. Bill Gates, Microsoft's chairman and chief software architect, is among the keynote speakers.
One proposed solution -- dubbed SPF, for Sender Permitted From -- is based on publishing the Internet-protocol numbers of the computers that senders have authorized to send mail in their names. That way, recipients can compare the source of incoming mail against those numbers, known as IP addresses, and detect falsified identities. SPF has been tested by Time Warner Inc.'s America Online unit, and is being incorporated into software from MailFrontier and others.
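The check described above, reduced to its essentials, as an added illustration that is not part of the article and not code from any SPF implementation: a domain publishes the IP addresses of its authorized mail servers, and the receiving server compares the address that actually connected to it against that list. The published records, domain names and addresses below are constructed for the example (the `v=spf1 ... ip4: ... -all` record syntax is the real one, but only the `ip4` and `all` terms are handled here; the DNS lookup is replaced by an in-memory table so the code runs offline).

```python
"""Simplified SPF-style sender check (added example; constructed data)."""
import ipaddress

# Constructed sample records, standing in for what a DNS lookup would return.
# example.com permits one /24 and one single host, and rejects everything else
# ("-all"); example.net only "softfails" unlisted senders ("~all").
PUBLISHED_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Result names follow the qualifiers a record can attach to each term.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Return ([(qualifier, ip_network), ...], qualifier_for_all).

    Only 'ip4:' terms and the trailing 'all' term are understood; other
    mechanisms (a, mx, include) need live DNS and are deliberately omitted.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    allowed = []
    all_qualifier = "?"  # a record with no 'all' term is neutral by default
    for term in terms[1:]:
        qualifier = "+"  # an unqualified term means "permitted"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            allowed.append((qualifier, net))
        elif term.lower() == "all":
            all_qualifier = qualifier
    return allowed, all_qualifier


def check_sender(claimed_domain, connecting_ip, records=PUBLISHED_RECORDS):
    """Evaluate the sender's claimed domain against the address that connected.

    claimed_domain: domain from the envelope sender (MAIL FROM).
    connecting_ip:  address of the SMTP client that delivered the message.
    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = records.get(claimed_domain)
    if record is None:
        return "none"  # the domain publishes nothing; no verdict possible
    allowed, all_qualifier = parse_record(record)
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, net in allowed:
        if ip in net:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[all_qualifier]


def triage(messages):
    """Apply the check to (domain, ip) pairs and say which should be flagged.

    A 'fail' is a falsified identity by the domain's own declaration;
    'softfail' is suspicious but the domain asked for lenience.
    """
    decisions = []
    for domain, ip in messages:
        result = check_sender(domain, ip)
        action = {"fail": "reject", "softfail": "flag"}.get(result, "accept")
        decisions.append((domain, ip, result, action))
    return decisions


if __name__ == "__main__":
    # Constructed sample of incoming connections: claimed domain, real source IP.
    sample = [
        ("example.com", "192.0.2.55"),     # from the published range
        ("example.com", "203.0.113.9"),    # claims example.com, not authorized
        ("example.net", "10.0.0.1"),       # unlisted, but domain only softfails
        ("unknown.org", "10.0.0.1"),       # domain publishes no record
    ]
    for row in triage(sample):
        print("%-12s %-14s %-8s -> %s" % row)
```

The point a mail administrator cares about is the difference between the last three rows: a `-all` domain lets the recipient reject outright, a `~all` domain only justifies flagging, and a domain that publishes nothing gives the recipient no basis for a decision at all, which is why the article describes SPF as depending on senders choosing to publish.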
PassMark Security, a start-up funded by former Intuit CEO Bill Harris, Monday is announcing a different approach that uses images to help identify legitimate Web sites. Users are assigned a random image the first time they come to a site that uses the PassMark system, and would be shown that image on subsequent visits before entering their user names and passwords.
If they don't see the right image, users would know something is awry. The Woodside, Calif., company expects significant testing of its system in the next few months, and aims for "large-scale rollouts" in the second half of the year, Mr. Harris said.
Other experts say passwords are no longer enough. Sun Microsystems Inc. is pushing for broader use of smart cards or special security tokens, which it says can help protect Web sites and better identify senders of e-mail to reduce spam and fraud.
VeriSign Inc., which has long offered technology to help protect e-commerce transactions, Monday is announcing new technical guidelines to make it less costly to use smart cards and other strong forms of identification. The Mountain View, Calif., company is working with partners that include International Business Machines Corp., BEA Systems Inc. and Gemplus International SA on what it calls the open authentication reference architecture, or OATH, to help companies create online identification products that work with each other with little extra programming.
Safeguarding information is becoming a hotter topic because of new laws that can penalize corporations that lose it. Companies such as Oblix Inc., Cupertino, Calif., help manage the way users log on to multiple corporate applications and ensure they can only tap into certain files. Vontu Inc., San Francisco, helps screen corporate e-mail to prevent company insiders from sending confidential information, a capability not included in conventional "firewall" programs that companies use to block external attack. Voltage Security Inc., of Palo Alto, and others are now offering technology for protecting instant-messaging sessions from eavesdropping.
Computer-Security Enhancement Plans Emerge One After Another
As computer intrusions occur with increasing frequency, network-security experts are seeking new, more rigorous identification methods to verify the identities of the companies and computer users that log on.
A high-level computer-industry conference scheduled for this week in San Francisco will discuss the relevant measures, which are intended to prevent hackers from stealing personal or corporate information and to reduce the volume of junk e-mail. In both cases, ill-intentioned senders usually conceal their true identities and e-mail addresses.
At present, in a rapidly spreading scam known as "phishing," computer users often trust the content of e-mail that appears to come from legitimate banks or commercial Web sites and disclose their credit-card numbers and other confidential information. These users are also lured into logging on to Web sites run by online thieves, who may use the customers' information to steal money. Increasingly, however, corporate computer users have also become targets of bogus e-mail that appears to come from the company's internal network-security administrators. The e-mail asks corporate computer users to disclose their login passwords, enabling hackers to break into the company's computer systems.
Fraudulent e-mail is likely to be a hot topic at the annual conference hosted by RSA Security Inc. Bill Gates, chairman and chief software architect of Microsoft Corp. (MSFT), will deliver a keynote speech at the conference.
A scheme called Sender Permitted From (SPF) has been proposed; its basic idea is to publish the Internet-protocol addresses of the computers that users have authorized to send mail in their names. With this approach, recipients can verify the IP addresses of e-mail and thereby catch senders using false identities.
PassMark Security on Monday announced a different solution, which uses images to help identify the legitimacy of Web sites. When a user first visits a Web site that uses the PassMark Security system, the user is randomly assigned an image, and that image is displayed to the user before he or she logs in with a user name and password. PassMark Security was founded by Bill Harris, the former chief executive of Intuit Inc. (INTU).
If they don't see the right image, users will know something has gone wrong. Mr. Harris said PassMark Security expects to conduct major testing of the system in the coming weeks and plans a large-scale rollout in the second half of this year.
Other experts say relying on passwords alone is no longer sufficient to identify users.
Sun Microsystems Inc. (SUNW) is pushing for broad adoption of smart cards or special security tokens, which it says help protect the security of Web sites and identify e-mail senders more accurately, thereby reducing the volume of spam and bogus e-mail.
VeriSign Inc., which has long provided technology to secure e-commerce transactions, on Monday announced several new technical plans to reduce the high cost of using smart cards and other user-identification methods. The company is working with its partners on OATH to help companies build online identification products. VeriSign's partners include International Business Machines Corp. (IBM), BEA Systems Inc. (BEAS) and Gemplus International SA.