The House of Commons Science and Technology Select Committee is currently holding an inquiry into malware.
I submitted written evidence in September and today I was one of three experts giving oral evidence to the MPs. The session was televised and so conceivably it may turn up on the TV in some strange timeslot — but if you’re interested then there’s a web version for viewing at your convenience. Shortly there will be a written transcript as well.
The Committee’s original set of questions included one about whether malware infection might usefully be treated as a public health issue — of particular interest to me because I have a published paper which considers the role that Governments might play in countering malware for the public good!
In the event, this wasn’t asked about at all. The questions were much more basic, covering the security of hardware and software, the role of the police (and at one point, bizarrely, considering the merits of the Amstrad PCW; a product I was jointly involved in designing and building, some 25 years ago).
In fact it was all rather more about dealing with crime than dealing with malware — which is fine (and obviously closely connected) but it wasn’t the topic on which everyone submitted evidence. This may mean that the Committee has a shortage of material if their report aims to address the questions that they raised today.
I read the written report. It’s a good analysis. We’ve discussed online banking and credit card transactions numerous times on Schneier’s blog. The strategy I always promote is to create a trusted path with cheap, separate, and secure hardware. The hardware would have a large LCD screen so enough information could be provided, along with onboard crypto for private key ops.
The user initiates action on the friendly GUI, looks at the device for confirmation, presses a button on the device, and the other party checks the signed transaction data. That simple. (IBM recently came up with a variation of my idea called ZTIC.)
For hardware, I was thinking we could make it as cheap and simple as the old electronic organizers. That gives it portability & a comfortable screen/keyboard. Portability might increase its use cases. The required functionality is similar & actually smaller than MULTOS, which was E6 certified. I’m always looking for robust hardware/software combos. Might get it to market quick with an INTEGRITY RTOS on Freescale PPC package.
The thing is that a trusted path & isolation of secrets from main PC solves much of the authorization/authentication problem. This would require changes in the bank infrastructure, but it’s a very simple process: send data to client; client creates signed transaction; client sends it to bank; bank checks it; sends signed data to client. User’s part: start transaction; make a visual comparison; hit a button (or type in PIN, pass, whatever to device). Concept works in many more scenarios than banking. What do you think?
Further details and discussion here:
http://www.schneier.com/blog/archives/2011/06/court_ruling_on.html#c552667
Between the four of us, we actually came up with quite a few solutions with various cost and security profiles. Any of them are better than what organizations are currently doing.
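The exchange the comment above sketches (bank sends data; device shows it on its own screen; user compares and presses the button; device signs; bank checks), as an added example in Go that is not code from the post, the commenter or any vendor. It models the PC as the untrusted hop and lets a caller rewrite the request before it reaches the bank or the signed message on its way back, which is where PC malware would act; the `Transaction` layout, the Ed25519 choice, the `tamperRequest`/`tamperSigned` hooks and all names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is the data the bank asks the customer to authorise (assumed layout).
type Transaction struct {
	Payee  string
	Amount uint64 // minor units, e.g. pence
	Nonce  uint64 // bank-issued, single use: ties one signature to one request
}

// Canonical returns the exact bytes the device signs and the bank verifies.
// The payee is length-prefixed so two distinct transactions never share bytes.
func (t Transaction) Canonical() []byte {
	buf := make([]byte, 2+len(t.Payee)+16)
	binary.BigEndian.PutUint16(buf[0:2], uint16(len(t.Payee)))
	copy(buf[2:], t.Payee)
	binary.BigEndian.PutUint64(buf[2+len(t.Payee):], t.Amount)
	binary.BigEndian.PutUint64(buf[10+len(t.Payee):], t.Nonce)
	return buf
}

// Display is what the device's own screen shows: the trusted path the PC cannot alter.
func (t Transaction) Display() string {
	return fmt.Sprintf("PAY %s GBP %d.%02d ref %d", t.Payee, t.Amount/100, t.Amount%100, t.Nonce)
}

// Device holds the private key; it never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

// Sign shows the transaction on the device and signs only after the user,
// having compared the screen with the PC, presses the button (confirm == true).
func (d *Device) Sign(t Transaction, confirm func(screen string) bool) ([]byte, error) {
	if !confirm(t.Display()) {
		return nil, errors.New("user declined on device")
	}
	return ed25519.Sign(d.priv, t.Canonical()), nil
}

// Bank knows the device's public key and remembers which requests it issued.
type Bank struct {
	pub     ed25519.PublicKey
	next    uint64
	pending map[uint64]Transaction
}

// NewPair enrols one device with one bank (key generation happens on the device).
func NewPair() (*Bank, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Bank{pub: pub, pending: map[uint64]Transaction{}}, &Device{priv: priv}, nil
}

// Issue is the "send data to client" step.
func (b *Bank) Issue(payee string, amount uint64) Transaction {
	b.next++
	t := Transaction{Payee: payee, Amount: amount, Nonce: b.next}
	b.pending[t.Nonce] = t
	return t
}

// Verify is the "bank checks it" step: fresh nonce, valid device signature,
// and the content is exactly what the bank issued under that nonce.
func (b *Bank) Verify(t Transaction, sig []byte) error {
	issued, ok := b.pending[t.Nonce]
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	if !ed25519.Verify(b.pub, t.Canonical(), sig) {
		return errors.New("bad signature")
	}
	if issued != t {
		return errors.New("transaction differs from the one issued")
	}
	delete(b.pending, t.Nonce) // a replay of the same signed message now fails
	return nil
}

// Unchanged is the honest-PC behaviour for either hook.
func Unchanged(t Transaction) Transaction { return t }

// RunFlow runs one payment the user intends as `want`. The PC may rewrite the
// request before the bank sees it (tamperRequest) or the signed message before
// the bank sees it (tamperSigned). The user presses the button only if the
// device screen matches what they meant to pay. Returns nil when the bank accepts.
func RunFlow(want Transaction, tamperRequest, tamperSigned func(Transaction) Transaction) error {
	bank, dev, err := NewPair()
	if err != nil {
		return err
	}
	req := tamperRequest(Transaction{Payee: want.Payee, Amount: want.Amount})
	issued := bank.Issue(req.Payee, req.Amount)
	sig, err := dev.Sign(issued, func(screen string) bool {
		expected := Transaction{Payee: want.Payee, Amount: want.Amount, Nonce: issued.Nonce}
		return screen == expected.Display()
	})
	if err != nil {
		return err
	}
	return bank.Verify(tamperSigned(issued), sig)
}

func main() {
	want := Transaction{Payee: "Electric Co", Amount: 4250} // constructed sample payment
	swap := func(t Transaction) Transaction { t.Payee = "Mule Account"; return t }
	fmt.Println("honest PC:", RunFlow(want, Unchanged, Unchanged))
	fmt.Println("PC rewrites request:", RunFlow(want, swap, Unchanged))
	fmt.Println("PC rewrites signed message:", RunFlow(want, Unchanged, swap))
}
```

The two rejections come from different parties, which is the point of the design: a rewritten request is caught by the user at the device screen, and a rewritten signed message is caught by the bank's signature check; the nonce bookkeeping stops the same authorisation being presented twice.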