Gozi Crimeware steals Client Certificates and is an SSL MITM

I spent some time reading Don Jackson’s excellent discussion of the Gozi Trojan this weekend, while I am laid up following my knee surgery.

Of great interest to me is that this crimeware not only injects itself into IE’s networking stack beneath the SSL layer, so that it captures anything you type into the browser before it is encrypted, but it also steals client authentication certificates and, presumably, the private keys that go with them. That suggests a major target of this crimeware is access to corporate VPNs and government systems, not just consumer banking and auction sites.

This illustrates the need for secure hardware that stores cryptographic authentication keys and from which those keys cannot be extracted: a trojan running with the user’s privileges can then at most use the key while the device is present, not copy it and take it elsewhere. There is also a pretty convincing argument here for stronger ways to store and communicate passwords and other shared secrets over the Internet (e.g. secret images, or secret questions and answers such as “what is your pet’s name”).
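The check I would want after reading this is an inventory of which of my own client certificates are backed by hardware and which are plain software keys that a trojan in the user’s session could copy. The script below is an added example, not code from the original post or from Don Jackson’s analysis. It assumes Windows PowerShell 5.1 or later on .NET Framework 4.6.1 or later, run as the user whose certificate store is being inspected; the match on provider names to decide what counts as hardware-backed is my own heuristic, not something the post states.

```powershell
# Added example (not from the original post or Don Jackson's analysis).
# Assumes Windows PowerShell 5.1+ / .NET Framework 4.6.1+, run as the user being inspected.
# Lists certificates in the user's personal store that are usable for TLS client
# authentication and have a private key, and reports where that key actually lives.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientCertKeyInventory {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_

            # Keep certificates whose EKU includes clientAuth, or that have no EKU at all
            # (no EKU means "any purpose" to most TLS stacks).
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $clientAuth = (-not $eku) -or
                [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            if (-not $clientAuth) { return }

            $provider = 'unknown'; $exportable = $null; $hardware = $null
            try {
                # Resolve the private key through the CNG-aware helpers so both CSP and KSP keys work.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }

                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI CSP: the container info says whether the CSP is a hardware device.
                    $info       = $key.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $exportable = $info.Exportable
                    $hardware   = $info.HardwareDevice
                }
                elseif ($key -and $key.PSObject.Properties['Key']) {
                    # CNG key (RSACng / ECDsaCng): inspect the CngKey's provider and export policy.
                    $cng        = $key.Key
                    $provider   = $cng.Provider.Provider
                    $exportable = $cng.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
                    # Heuristic (assumption): Microsoft's smart-card and TPM ("Platform Crypto") KSPs
                    # are hardware-backed; the Software KSP and most others are not.
                    $hardware   = [bool]($provider -match 'Smart Card|Platform Crypto')
                }
            }
            catch {
                # Key present but not reachable right now, e.g. the smart card is not inserted.
                $provider = "unavailable: $($_.Exception.Message)"
            }

            $risk = if ($hardware -eq $true) { 'hardware-bound' }
                    elseif ($provider -like 'unavailable*') { 'unknown' }
                    else { 'software key: readable by code running as this user' }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Exportable = $exportable
                Hardware   = $hardware
                Assessment = $risk
            }
        }
}

Get-ClientCertKeyInventory | Sort-Object Assessment | Format-Table -AutoSize
```

Treat only a Hardware value of True as a real boundary. The Exportable flag is enforced by the CSP or KSP’s own export API, while the key material of a software provider still lives in DPAPI-protected files under the user’s profile, which any code running as that user can decrypt; that is exactly the position a trojan like Gozi is in.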

One Response to “Gozi Crimeware steals Client Certificates and is an SSL MITM”

  1. Martin Paljak Says:

    Indeed – a really interesting trojan.

    That’s exactly what smart cards are supposedly designed for. Assuming security from software certificates is very ‘so nineties’.
