The short answer points out that operating systems are
becoming more resistant to trivial exploitation, but reminds us
all that there are still two important risk vectors:
• Users and administrators who make errors of judgement,
and who carry out fully-authenticated installations of
risky or inappropriate software. Vista’s warning that ‘this
operation requires elevation’, and its careful display of a
program’s digital certificate (or lack of it), for example,
can be undone with a single mouse click to authorize the
offending operation.
• Organized crime and the counterculture, who have shown
a willingness to invest considerable amounts of time in
probing even the most secure systems for tiny cracks into
which they can drive a subversive wedge. Additionally,
they are nimble enough to respond to technological
changes, such as their subversion of virtual keyboards, in
weeks or even days, a luxury which security
professionals cannot afford.
Q. So can we win? And is authentication the key component to
staying ahead of the phishers, even though it cannot solve the
whole problem?
A. Some say that we can, and it is. For example, researchers
from a Swiss financial institution and IBM [17] have
proposed an on-line banking authentication system which
sounds very secure.
Briefly summarized, the system relies upon an external smart
card reader, with a numeric keypad and a small display. The
cryptographic computations for authentication and security
between the user’s browser and the bank are offloaded to the
smart card (which is