When the U.S. Secret Service wanted to put a stop to password theft and phishing, they went to TRUST -- Team for Research in Ubiquitous Secure Technology -- a recently formed group of some of the best computer security experts.
Three years ago, the San Francisco Electronic Crimes Task Force, a division of the Secret Service, met with Stanford University professors Dan Boneh and John Mitchell and asked them to come up with software to prevent man-in-the-middle attacks.
The group's objective is to build trustworthy systems and develop government and business policies that will protect the nation's digital infrastructure from cyberattacks. For instance, one current project involves language-based security and developing a "security grammar" for computer programming languages. TRUST hopes the effort will help end an array of dangerous occurrences, such as allowing software executables and worm downloads to run without a user's or a system's knowledge.
Along those lines, scientists are attempting to carry out some tasks such as "static-code verification" by setting out the design principles for secure application programming interfaces, as well as developing tools to check new APIs. Another principle is "dynamic analysis," which would closely scrutinize the inner workings of operating systems to stop inappropriate actions.
Meanwhile, as a direct result of the meeting with the Secret Service, Boneh, Mitchell and their team at Stanford have developed software that ties a user's password directly to the URL (and IP address) of the Web site being accessed, thus preventing dangerous man-in-the-middle attacks. In such an attack, an attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other directly.
The software is called PwdHash and it can be downloaded from the Stanford web site.
Even if a hacker hijacks the DNS server, posts a false Web site and captures the incoming username and password login information, it will be incorrect because it will be tied to a false IP address.
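The binding described above can be sketched as follows. This is an added example, not PwdHash's own code or algorithm: the HMAC-SHA256 construction, the function names, and the hostnames and IP addresses (reserved documentation values) are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_password(master: str, page_url: str, peer_ip: str, length: int = 16) -> str:
    """Derive the value actually sent to a site from the user's master password.

    Assumed construction: HMAC-SHA256 keyed with the master password over the
    page's hostname and the IP address the browser connected to.
    """
    host = urlsplit(page_url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no hostname in URL: {page_url!r}")
    # Length-prefix the host so two different (host, ip) pairs cannot
    # produce the same binding string.
    binding = f"{len(host)}:{host}|{peer_ip}".encode("utf-8")
    digest = hmac.new(master.encode("utf-8"), binding, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def server_accepts(stored: str, submitted: str) -> bool:
    """Constant-time comparison, as the real site would do at login."""
    return hmac.compare_digest(stored.encode(), submitted.encode())


def demo() -> dict:
    master = "correct horse battery staple"  # constructed sample input
    # Value the real site stored when the user registered (constructed host/IP).
    stored = site_password(master, "https://bank.example/login", "192.0.2.10")
    # Same site, different page: the derived value is unchanged.
    legit = site_password(master, "https://bank.example/account", "192.0.2.10")
    # Look-alike phishing domain: the hostname differs.
    lookalike = site_password(master, "https://bank-secure.example/login", "203.0.113.5")
    # Hijacked DNS: same hostname, but the browser reached another address.
    hijacked = site_password(master, "https://bank.example/login", "203.0.113.5")
    return {
        "legit": server_accepts(stored, legit),
        "lookalike": server_accepts(stored, lookalike),
        "dns_hijack": server_accepts(stored, hijacked),
    }


if __name__ == "__main__":
    print(demo())
```

A value captured by a phishing page still lets the attacker guess a weak master password offline, because the binding string is known to the attacker; a deliberately slow key-derivation function would raise that cost.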
Identity theft and fraud prevention are high priorities for the group. Identity theft has become widespread, but better technology will do little to reduce the problem without significant policy changes, according to Fred Schneider, TRUST's chief scientist and a professor of computer science at Cornell University.
"Many companies accept publicly available information such as a Social Security number as a means of [partly] authenticating a user," Schneider said. "This is a typical policy problem where government, law enforcement and the technology industry need to work together to encourage proper authentication methods."
Another policy problem is that both government and industry store vast amounts of information on individuals, often without their knowledge or consent, which is then regularly mined. "We have not developed good policies for allowing corporations to extract the information that they need without invading the privacy of the individual," Schneider said.
That is why the program includes Pamela Samuelson, a law professor at UC Berkeley's School of Information Management and Systems, who is examining the legal implications of storing and managing databases of personal information.
Meanwhile, TRUST reads like a who's who of computer security academics. Vanderbilt University in Nashville, Tenn., for example, is noted for its expertise in Supervisory Control and Data Acquisition (SCADA) systems used in the industrial, engineering, power generation and oil and gas industries. Stanford, located in the heart of Silicon Valley, has long been an IT research powerhouse, as have Berkeley and Cornell.
Added to the mix are Smith College in Northampton, Mass., and Mills College near Oakland, Calif., both small liberal arts women's schools. According to Schneider, these two schools are interesting to the alliance because they have young, predominantly female student populations to lend diversity to the more technical campuses.
Boneh and Mitchell also lead a project on preventing Web "phishing" and identity theft, funded by the Department of Homeland Security and conducted in conjunction with the U.S. Secret Service. It's called SpoofGuard, and it can be downloaded from the Stanford Web site. The software places a traffic light in the browser toolbar. It performs a number of checks, and if any of them come back negative, the traffic light turns red, warning the user not to enter sensitive information.
Niall McKay is a freelance technology writer based in Oakland, Calif.