In my humble opinion, the RSA 2009 security conference, held this week in San Francisco, was extremely flat compared with past years. Yes, the economy had a lot to do with it. I believe last year's attendance was around 17,000 people, and I've heard that this year was off about 12 percent to 13 percent. Personally, I can't believe there were more than 10,000 folks there.
Beyond economic woes, however, RSA 2009 was still rather lifeless for a few reasons:
The speakers. The keynote speakers really had nothing new to say. This was especially troubling because the lineup looked so strong. Unfortunately, the most disappointing speaker of all was President Obama's cybersecurity point person, Melissa Hathaway, who read from a script and said next to nothing about her cybersecurity research effort. Hathaway underwhelmed an audience of security professionals, missing an opportunity to bond with a constituency whose support is critical to her success.
The topics. In the past, there was always one topic at RSA that grabbed everyone's attention. Not this year--same old tired stuff.
The vendors. I'm now convinced that most security vendors have no conception of what their customers need. Vendors pitch point technology solutions while users are crying for help to secure their IT-based business processes. There are really only a few security vendors that recognize this. I can't overstate how much this disconnect alienates the security community.
I was certainly pleased to see the active discussion around cybersecurity and public-private cooperation, but even this fell flat. Too much boring rhetoric and nearly no action.
It's time the security industry recognizes a few realities. First, the whole term "security" is a misnomer. The real goal here is risk management. Second, users don't want security technologies, they want solutions based upon the old IT triad of people, process, and technology. Finally, reducing risk has to go hand in hand with business process enablement. In other words, make the business agile and secure.
What do I expect for 2010? I'm pretty cynical and a bit frightened at this point. If the security industry can't understand the relationship between business processes and risk management, we are all in trouble.
SAN FRANCISCO--A widely used technology to authenticate users when they log in for online banking may help reduce fraud, but it does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference on Thursday.
When logging into bank Web sites, users are typically asked for their user name and password. But that's not all that is happening. Behind the scenes, the server is taking measures to identify the device being used in an attempt to verify that the person logging in is the person whose account is being accessed under the assumption that most people use the same computer for banking.
Wachovia, which recently merged with Wells Fargo, tags the consumer's computer with a unique identifier, said Chris Mathes, an information technology specialist in online customer protection at the bank.
The technology not only can be used to allow legitimate customers into Web sites, but also to block computers that have been targeted as "bad actors," said Todd Inskeep, a senior vice president for the Center for the Future of Banking at Bank of America.
Another device fingerprinting technology provided by 41st Parameter is similar but doesn't tag the computer. Instead, the technology figures out the degree of probability that the computer accessing the site is the one that should be accessing it by querying the computer for things like time zone, language, browser type, Flash ID, cookie ID and IP address, said Ori Eisen, founder of the company. If enough of the answers match, the account can be accessed.
The 41st Parameter technology is being used by 120 large e-commerce companies, including the top five banks in the U.S., US Airways and Continental Airlines, Eisen said in an interview.
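To make the probabilistic check Eisen describes concrete, here is an added Python sketch of a weighted attribute-match scorer. It is illustration only, not 41st Parameter's or any bank's code: the attribute names follow the article, but the weights, the thresholds, the /24 comparison for IP addresses and the login records are all constructed assumptions.

```python
import ipaddress

# Attributes the article says the check queries, with constructed weights;
# the vendor's real weights and thresholds are not given in the article.
WEIGHTS = {
    "time_zone": 1.0,
    "language": 1.0,
    "browser": 1.5,
    "flash_id": 3.0,
    "cookie_id": 3.0,
    "ip": 2.0,
}
ALLOW_AT = 0.70      # assumed: enough answers match, let the login through
CHALLENGE_AT = 0.30  # assumed: partial match, ask for a second factor first


def _same_ip_block(a, b):
    """Compare addresses by /24 so a new DHCP lease on the same ISP still matches."""
    try:
        return (ipaddress.ip_network(f"{a}/24", strict=False)
                == ipaddress.ip_network(f"{b}/24", strict=False))
    except ValueError:
        return False


def match_score(enrolled, observed):
    """Fraction of the total weight whose attribute matches the enrolled record.
    A missing value (cleared cookie, Flash disabled) earns no credit but is
    not treated as evidence of a different machine."""
    total = sum(WEIGHTS.values())
    matched = 0.0
    for attr, weight in WEIGHTS.items():
        e, o = enrolled.get(attr), observed.get(attr)
        if e is None or o is None:
            continue
        same = _same_ip_block(e, o) if attr == "ip" else e == o
        if same:
            matched += weight
    return matched / total


def decide(enrolled, observed):
    """Return (decision, score): 'allow', 'challenge' or 'deny'."""
    score = match_score(enrolled, observed)
    if score >= ALLOW_AT:
        return "allow", score
    if score >= CHALLENGE_AT:
        return "challenge", score
    return "deny", score


# Constructed records for one account: the enrolled profile, the same PC after
# the user cleared cookies and got a new address on the same /24, and a PC
# that shares nothing with the profile.
ENROLLED = {"time_zone": "America/New_York", "language": "en-US",
            "browser": "Firefox/3.0", "flash_id": "f-1234",
            "cookie_id": "c-5678", "ip": "198.51.100.23"}
SAME_PC_COOKIES_CLEARED = dict(ENROLLED, cookie_id=None, ip="198.51.100.77")
UNKNOWN_PC = {"time_zone": "Europe/Berlin", "language": "de-DE",
              "browser": "IE/7.0", "flash_id": "f-9999",
              "cookie_id": None, "ip": "203.0.113.5"}

if __name__ == "__main__":
    for name, obs in [("same PC, cookies cleared", SAME_PC_COOKIES_CLEARED),
                      ("unknown PC", UNKNOWN_PC)]:
        print(name, decide(ENROLLED, obs))
```

Two things follow from the scorer. A cleared cookie alone drops the score but not below the allow line, which is what makes the approach tolerant of ordinary browser maintenance; and the enrolled record itself, even with no device tag, is the stable per-account profile that Granick objects to below, so a deployment that wants to limit that exposure has to decide how long enrolled records are kept and with whom they are shared, not only how they are matched.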
Even though none of the information gathered during a log-in is personally identifiable, the bank shouldn't have to collect regular data on when, how often and from where a consumer accesses a bank account, said Jennifer Granick of the Electronic Frontier Foundation. Such information can be compiled with other more sensitive information to create profiles and cross referenced to learn more about consumers, she said.
For instance, the bank could learn who a consumer's roommate is if the same computer is used regularly to access different accounts, Granick said. Consumers also could be deemed suspicious for breaking with their patterns on deposits or withdrawals or the information could be sold to advertisers, she added.
"There is very little privacy protection in the U.S. for this type of information," Granick said. "We don't want it shared with affiliates that do advertising." There should be restrictions on how long the bank will keep the data, who it can share it with and for what purposes, she added.
Eisen said his technique was more "privacy friendly" because it doesn't assign identification numbers to devices. The questions posed to computers by his technology are akin to what WebTrends and Google Analytics find out from computers for Web analytics purposes, he said.
Granick wasn't convinced, noting that even without a unique device identifier, the bank is still able to monitor consumer transactional patterns.
Right as the session was ending, Louie Gasparini jumped from his seat in the audience to make a comment at a microphone set up for the question-and-answer session.
"The privacy issue is encumbering banks," who have a fiduciary obligation to prevent fraud, said Gasparini, who said he used to work in Internet banking at Wells Fargo and helped create Device ID at RSA, the security division of EMC.
Another attendee had a different perspective.
"The concerns are not overstated. There are fundamental deficiencies in privacy law," said Andrea Matwyshyn, assistant professor of legal studies and business ethics at the University of Pennsylvania's Wharton School. "If an end user license agreement contractually reserves the right of a company to collect data for fraud prevention purposes and if this data is then sold as a secondary revenue stream, a privacy concern would clearly exist."
SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.
That was the broad message of a Thursday panel called, appropriately, "Exploiting Online Games" at the RSA 2009 security conference here.
Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.
McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.
And, McGraw said, it's the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.
"There's a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don't care about security," McGraw said. "But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That's a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games."
The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm, HBGary. He explained that online games are regularly under attack by two discrete types of cheats: exploits--actual bugs in games that clever hackers have figured out how to mine in various ways, and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.
The bugs, Hoglund said, often exist "at the borders of systems," and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don't exist.
Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users' virtual currency--which is directly convertible to US dollars--but also to get ahold of users' credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.
He also talked about bots, and explained that they, too, are often employed to gain an advantage most players don't have. They are almost universally prohibited, but Hoglund said creating them and using them is remarkably easy for those who know what they're doing. And he talked about one he had written to use in World of Warcraft that allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit, he hinted.
Similarly, he explained that games like World of Warcraft have vulnerabilities that allow savvy hackers to tap into the games' code, allowing for all kinds of new abilities, like being able to perform 15 charms at once, not available to the public at large.
Hoglund said companies like WoW publisher Blizzard are always actively trying to stop players from employing bots and ban those they catch, but added that for those who know what they're doing, detection is not something to worry about. And that, of course, is one of the explanations behind the so-called gold "farmers," often teams working in third-world countries whose job it is to run multiple accounts simultaneously, usually employing bots to perform gold-earning tasks and essentially just making sure that their in-game characters don't get "lodged in a tree."
Courts weigh in
Next up was Sean Kane, a partner with the New York law firm of Drakeford & Kane, and a leading voice on issues surrounding the law and virtual worlds.
Kane talked about two specific cases, one that is several years old and one that is much more recent.
The older case, Bragg v. Linden Research, focused on whether Linden, the publisher of the virtual world Second Life, was right to shut down the account of a user who had discovered an exploit allowing him to buy virtual land at below-market prices. Mark Bragg, the plaintiff, demanded $8,000 in restitution and eventually won a settlement from Linden in which his account was reinstated. But that only happened, Kane pointed out, after a federal judge ruled that the arbitration clause in the Second Life terms of service was onerous and one-sided.
At the time, the entire virtual world community had been watching the case closely, as many thought it would be the case that for the first time established the real-world value of virtual goods (despite the fact that Bragg, himself a lawyer, had filed his suit in state court with a hand-written form). However, the settlement, not long after the federal judge's ruling, side-stepped that outcome.
But what many found interesting at the time was that Bragg had argued his hack was fair game, since all he did was exploit a feature hidden in the Second Life code. In effect, Bragg argued, code is law, and anything that players can do with the tools at their disposal is legitimate. Linden obviously disagreed, but ended up settling anyway.
Kane also focused on another case, MDY Industries v. Blizzard, in which MDY had created a bot, called Glider, that allowed players to level-up their characters without even having to be playing.
Blizzard sued for copyright infringement, arguing that bots like Glider were prohibited under its end-user license agreement (EULA) and that only that license actually allowed players to run WoW. In essence, the argument said that by running WoW under circumstances that violated the EULA, Glider was supporting copyright infringement.
Ultimately, though many argued that Blizzard's argument was beyond specious, the courts ruled in favor of the publisher, awarding it $6 million. But, not surprisingly, the outcome is on appeal.
Hacking Disney
Aaron Portnoy, a researcher with TippingPoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game's code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.
Photo caption: During a panel on exploiting online games, TippingPoint's Aaron Portnoy talked about how he and a colleague discovered that Disney's online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game's code in just two days. The result was that Portnoy's character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high. (Credit: Daniel Terdiman/CNET Networks)
For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. Or, to jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.
"Everybody could see my guy jumping over buildings for miles," Portnoy said.
And, given how easy he and his colleague found it to reverse-engineer the code, Portnoy said, "It's almost like (Disney) didn't even consider security."
Gaming the games
Last up was Avi Rubin, a professor of computer science at Johns Hopkins. He talked, also relatively briefly, about how easy it is for some cheaters to exploit the game of online poker.
Essentially, Rubin argued, a hack called a Sybil attack--which employs fake people participating in games--makes it possible for online poker players to gain a big advantage over their opponents. That works, he said, by making it possible for a single player to control multiple hands in a game, allowing that person to see more cards than they would otherwise, and get a better handle on the odds of their own hand.
For example, he said, in a game of Texas Hold'em, a player employing a Sybil attack on an online poker game could control multiple hands and see things like whether the fives or eights they need to complete a full house and beat an opposing player's flush had already been played.
Rubin's point, then, was that game operators need to work harder at identity management, in order to keep players from employing such exploits. He didn't, however, offer any solutions as to how to do that.
All told, the panelists made it clear that just about any kind of online game or virtual world--especially those where money is on the line--is subject to some kind of hack or exploit, and that for those with the skills to launch such attacks, the barriers stopping them are easily surmountable.
The lesson, then, is that publishers of such games need to think harder about how to manage their players' actions and expectations. Otherwise, players may find themselves in games that are so compromised that the economies collapse and the fun disappears.
SAN FRANCISCO--Technology is not enough to help the security industry keep botnets from stealing peoples' money and committing denial-of-service attacks, a top botnet researcher said on Wednesday. His suggestion? Stop the flow of money to their coffers.
"We need to disrupt their business model and make it hard for them to carry out their attacks and make money," Joe Stewart, a security researcher at SecureWorks, said in an interview at the RSA 2009 security conference here.
"Right now, it's risky to surf the Internet with a PC," he said. "I would like to see us return to a time when you could surf the Internet and trust that your computer wasn't going to get infected."
Computers can be infected in any number of ways, but typically they get a Trojan or other malicious program downloaded onto them without the owner's knowledge, which happens either from visiting a Web site with malicious code on it or opening malicious attachments in e-mail.
Once infected, depending on the attack, a computer can be controlled by remote attackers who are able to steal data or instruct the computer and other so-called zombies into sending spam or launching distributed denial-of-service attacks to shut down Web sites.
Researchers have focused on trying to stop attacks, but once they get a botnet operator kicked offline by shutting down its hosting provider, it's usually not long before the botnet cranks back up with its command-and-control server at a different location, he said. For example, four months after a major botnet hoster, McColo, was shut down in November, the spam volumes were back up to normal levels.
Specifically, victims should be encouraged to seek reimbursement when they are charged for things like purchasing software that masquerades as a legitimate antivirus program, said Stewart, who created an ingenious eye-chart program that PC users can use to test whether their computers are infected with Conficker. The eye chart was needed because Conficker blocks access to security sites people would normally visit to check for infection.
The industry should also create teams of researchers that would focus on a single crime group or operation much like police stay on the trail of a particular real-world organized crime gang until everyone is arrested, Stewart said.
The organization would need funding, which could possibly come from the companies that seem to be impacted the most from cybercrime, like credit card processors, he said.
Law enforcement efforts are thwarted because officials in other countries where cybergangs are based often can't be convinced to cooperate, he said. Getting countries to sign a global anti-Internet abuse accord would be ideal, he said.
Meanwhile, national CERT (Computer Emergency Readiness Team) organizations should be given authority to fight botnets, by ordering Internet service providers to shut down hosting providers, Stewart said. In South Korea, for example, malicious Internet activity dropped drastically when the CERT there got teeth, he added.
Stewart is scheduled to give a presentation on his idea during a session Thursday at RSA and at an upcoming Interpol meeting.
In past years, I looked at the RSA security conference as a high-tech flea market staffed by the world's best security carnival barkers. Yes, important security topics were discussed, but the real focus of the show was selling products and doing deals.
This year's event has its share of tacky presentations and booth babes, but I'm hearing a lot of chatter about a far more important topic: the state of information security and its impact on us all. Finally, the combination of unending data breaches, sophisticated malware, and the very real cybersecurity threat has everyone paying attention. There is a broad recognition that we security professionals aren't merely hawking hardware or writing code; we actually have a responsibility to educate, help, and safeguard users.
This theme is evident throughout the event. Microsoft's Scott Charney, a former U.S. Department of Justice attorney, talked about Microsoft's vision for end-to-end trust, describing why this is necessary and how it can be done in simple terms. While security crowds are often skeptical about Microsoft, Charney stated clearly, "It is our responsibility to make technology trustworthy."
Charney was followed later in the day by National Security Agency Director Lt. Gen. Keith Alexander, who talked about NSA capabilities and its role in securing cyberspace. Wednesday's speakers include Melissa Hathaway, acting senior director for cyberspace and the individual tasked with researching the state of domestic cybersecurity and reporting her results to President Obama. Finally, the day concludes with one of my favorite authors, James Bamford, who has written several books such as "Body of Secrets" and "The Shadow Factory" that are must-reads for anyone interested in cybersecurity, privacy, and the NSA.
I applaud this group of speakers and their messages, but I truly believe that private-public security cooperation needs to go to another level. Here are a few suggestions where this would help:
Security standards. The National Institute of Standards and Technology and the NSA should champion standards across the public sector while cooperating with the security industry on education and promotional programs. I'd like to see this cooperation on standards like the Key Management Interoperability Protocol (KMIP) and the Extensible Access Control Markup Language (XACML). I'd also like to see a standard for data "tagging" so that security requirements travel with the data for distributed security policy enforcement.
Information assurance. The defense and intelligence community is pretty good at data discovery, classification, and security. The private sector on the other hand is struggling. I'd like to see government agencies work more closely with the security industry to define standards, create best practices models, and enhance education.
Secure software development. This is the Achilles' heel of the technology industry, and secure development programs remain underfunded and behind the scenes. The federal government should flex its purchasing muscles by auditing vendor development processes, demanding that vendors adhere to the Common Weakness Enumeration/SANS Institute list of "Top 25 Most Dangerous Programming Errors," and creating some type of "good housekeeping seal of approval" certification for software vendors. This will stimulate new security training, products, and services and force the private sector into similar requirements.
Talk is cheap and cybersecurity gets worse each day. I hope that the government and security industry can build upon this common understanding to make real and immediate progress.
SAN FRANCISCO--Security firm Finjan has uncovered what it says is one of the largest bot networks controlled by a single cybergang, with 1.9 million infected zombie computers.
The botnet has been in use since February, is hosted in the Ukraine, and is controlled by a gang of six people who are instructing the Windows XP-based machines to copy files, record keystrokes, send spam, and take screenshots, Ophir Shalitin, Finjan marketing director, said in an interview on the eve of the RSA security conference.
The gang has compromised computers in 77 government-owned domains in the U.S. and elsewhere, he said. Nearly half of the infected computers were in the United States. Nearly 80 percent of the infected computers are running Internet Explorer, while 15 percent are using Firefox, Finjan said.
The criminals operating the botnet can make as much as $190,000 in one day renting out the zombies to others, according to Finjan Chief Technology Officer Yuval Ben-Itzhak.
The command-and-control server being used to control the infected PCs is instructing the bots to download and execute a Trojan horse, which is detected by only 4 out of 39 antivirus products, said Shalitin.
The Trojan installs malicious executables that communicate with other computers, inject code into processes, visit Web sites, and other activities the user has no involvement with, according to a post on the Finjan Malicious Code Research Center blog.
"Overall, the cybergang can remotely execute anything it likes on the infected computers," the post says.
Updated 10:30 p.m. PDT with comment from ESET.
SAN FRANCISCO--Computer equipment is arriving on store shelves in the U.S. with viruses and other malicious software, but industry insiders said at the RSA conference on Tuesday that they don't know whether it's the result of intentional manipulation or just poor manufacturing processes overseas.
In 2007 and last year, digital photo frames sold around Christmas time were found to be infected with malware, and in previous years GPS devices, hard drives, laptops from Toshiba, iPods, and USB keys that accompany Hewlett-Packard servers were found to have similar problems, said Marcus Sachs, executive director of national security policy at Verizon Business.
The Defense Department temporarily banned the use of thumb drives last year after USB memory sticks still in their packaging were found pre-infected with malware, and in recent weeks there have been reports of ATMs that were modified before shipping to include a backdoor, he said.
"Can we guarantee that what's being built off shore when it comes to our country is exactly what we think it is?" he asked. "Today, if the conflict is going to be in cyberspace, our weapons are being built by our potential enemies."
The U.S. government has poisoned products used by enemies, he said. In the 1980s, the CIA fed software to Russia that had a logic bomb in it to sabotage the trans-Siberian pipeline, Sachs said.
"That shows that our own government in the United States is willing to do this," he said. "We have done this. We have poisoned the supply chain for critical infrastructures in other countries."
He asked a panel of industry leaders and government officials whether they thought such problems were the work of nation states purposely targeting the United States or whether it's merely a problem with "dirty manufacturing processes," like those that have led to recalls of all sorts of products that were manufactured in China.
No one had an answer. In fact, panelists said they were more focused on preventing software piracy.
"It's a fairly new world for our company and frankly other companies to deal with. We've cared about supply chain from an intellectual property perspective," said Tiffany Jones, director of government relations for the Americas at Symantec.
"I personally believe that much of what we see are...violations of norm of intellectual property which is in the counterfeit space," said Mitchell Komaroff, director of the Defense Department's globalization task force.
Later, he acknowledged the threat, saying: "The development products are already tainted with viruses...all of these are things a sophisticated adversary can take advantage of."
In an interview late on Tuesday with CNET News, James "Randy" Abrams, director of technical education at anti-virus firm ESET, said he suspected that most of the new product infections are accidental and due to situations like quality assurance test machines being connected to the Internet and getting infected. In the iPod case, he said his understanding was that the only iPods that appeared to have been infected were the ones that had been quality tested.
"My best guess is 99 percent of the time it is not espionage," said Abrams, who worked at Microsoft for years making sure the software the company shipped out was infection free.
The problem is likely due to "people with traditional manufacturing backgrounds who do not understand the implications of software and that your quality-assurance machine can't be connected to the Internet," he said. "There's a generation of manufacturing supervisors and employees that doesn't understand the digital age."
With all the Internet attacks that exploit Adobe Acrobat Reader, people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.
Of the targeted attacks so far this year, more than 47 percent of them exploit holes in Acrobat Reader while six vulnerabilities have been discovered that target the program, Mikko Hypponen, chief research officer of security firm F-Secure, said in a briefing with journalists.
Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.
In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader's 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader), he said.
Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks where an attacker sends a file that has malicious code embedded in it. Once the file is opened, the computer is infected typically with a back door that then steals data.
PDF and Flash browser plug-ins are also used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Hypponen.
Adobe should make security a priority, he said.
Adobe "has a lot to learn from, of all places, Microsoft," which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.
Part of the problem is people don't expect that Acrobat Reader upgrades necessarily contain important security patches like they do with Microsoft software, he said.
Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site.
SAN FRANCISCO--A group of pioneers in the security field, whose work in encryption is used to protect Internet data and communications every day, spoke about the state of security at a cryptographer's panel at the RSA security conference on Tuesday.
They tackled various questions about cyber security in general, but the topic that dominated was cloud computing.
"Cloud computing is a challenge to security, but one that can be overcome," said Whitfield Diffie, chief security officer at Sun Microsystems. "I believe cloud computing will get to (the point) where no real program...will be done anymore on the computers of the company that's doing it," he said.
"I'm worried about cloud computing," said Adi Shamir, a computer science professor at the Weizmann Institute of Science in Israel. While a virus or other problem on a desktop computer can be a big annoyance, computation centers in hosted computing could spread problems more widely, he said.
Bruce Schneier, chief security technology officer at BT Counterpane, said, "I'm kind of bored with it. Cloud computing is presented as a new paradigm...but fundamentally I don't see a lot of differences" between it and client-server and dumb terminals, he said. "It's still all about trust."
Ronald Rivest, a computer science professor at MIT, predicted that cloud computing "will really be a focal point in our work in security." "I'm optimistic about cloud computing," he said. "I think a lot of us have hard work to do."
Asked about their thoughts on the likelihood of a "Digital Pearl Harbor," the researchers concurred that the threat is hyped.
The talk about risks of a cyberattack on the magnitude of a Pearl Harbor strike is overblown, said Schneier. The real threat "will be boring things" like viruses, identity theft, and buffer overflows. "We're better as an industry if...we look at the more common risks...that cost (people) money."
"We're more likely to suffer a digital 9/11," said Diffie. Pearl Harbor was an attack by a known entity as opposed to an unknown threat from a mysterious source, as cyberattacks tend to be, he said. "I think we could suffer some astounding event," he added, noting that there was an electricity blackout in the 1990s and a severe telephone outage in the 1980s due to a bug.
Shamir said cyberattacks should be put in perspective and compared with other events that can have even more serious consequences. "If the government has extra money to spend they should spend it on regulating the financial markets and not spend it on regulating cybersecurity," he said.
Martin Hellman, professor emeritus at Stanford, said he has been focusing on nuclear weapons security lately and looking at how risky nuclear deterrence is with his NuclearRisk.org site. It's "at least 1,000 times riskier than having a nuclear power plant located near your home," he said.
Technology "has given human beings power that has historically been reserved for the gods; the ability to create new life forms, the ability to destroy civilization, and the potential for creating unbelievable cooperation or unbelievable chaos," he said.
"Our species is like a 16-year-old with a new driver's license who somehow gets his hands on a 500-horsepower Ferrari," Hellman said, adding that people need to learn to control our impulses or risk destroying everything.
Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, delivers a keynote address at RSA.
(Credit: James Martin/CNET)
SAN FRANCISCO--Microsoft is testing some of its new identity-based security technology in Washington state schools, where students and teachers will be able to securely access grades and class schedules, a Microsoft executive said in a keynote address Tuesday at the RSA 2009 security conference here.
The software company is working with the Lake Washington School District--made up of 50 schools and nearly 24,000 students in and around Microsoft's home town of Redmond--to deploy its Geneva claims-based identity platform, said Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group.
Students and parents will bring identification information into the school to prove children's identities, and the students will then get small notebook PCs with identity information cards on them to be used for accessing online education materials.
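The deployment described above is an instance of claims-based identity: an identity provider verifies the person once (here, in person at the school), then issues a signed token of claims, and each online resource authorizes from those claims without ever handling the user's secrets. The following is an added illustration written for this article, not Geneva's own code or token format; the identity provider, relying party, claim names and the shared HMAC key are all constructed assumptions, and a real deployment would sign with an asymmetric key so that relying parties can verify tokens but never mint them.

```python
"""Minimal claims-based identity flow (constructed illustration, not Geneva).

An identity provider (IdP) issues a signed token carrying claims about a user;
a relying party (RP), such as a grades site, checks the signature, issuer,
audience and expiry, then authorizes from the claims alone.
"""
import base64
import hashlib
import hmac
import json
import time


def b64encode_url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical(payload: dict) -> bytes:
    # Deterministic encoding so the signed bytes are reproducible on verification.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Issues tokens. HMAC with a shared key is used only because the standard
    library has no asymmetric signing; a production IdP signs with a private key
    and relying parties hold only the public key (assumption, not Geneva's design)."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self._key = key

    def issue(self, subject: str, claims: dict, audience: str, ttl: int, now=None) -> str:
        now = int(time.time() if now is None else now)
        payload = {"iss": self.issuer, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + ttl, "claims": claims}
        body = canonical(payload)
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return b64encode_url(body) + "." + b64encode_url(sig)


class RelyingParty:
    """Accepts tokens from trusted issuers; never sees a password or a 'secret question'."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self._trusted = trusted_issuers  # issuer name -> verification key

    def verify(self, token: str, now=None) -> dict:
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = b64decode_url(body_b64), b64decode_url(sig_b64)
            payload = json.loads(body)
        except ValueError:  # covers unpack errors, bad base64 and bad JSON
            raise ValueError("malformed token")
        if not isinstance(payload, dict):
            raise ValueError("malformed token")
        key = self._trusted.get(payload.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            raise ValueError("bad signature")
        if payload.get("aud") != self.audience:
            raise ValueError("token not issued for this site")
        if now >= payload.get("exp", 0):
            raise ValueError("token expired")
        return payload


def may_view_grades(payload: dict, student_id: str) -> bool:
    """Authorization decided purely from claims: teachers see all, students only their own."""
    c = payload.get("claims", {})
    if c.get("role") == "teacher":
        return True
    return c.get("role") == "student" and c.get("student_id") == student_id


def run_demo() -> dict:
    """Exercise the flow with constructed sample data; returns outcomes for inspection."""
    key = b"constructed-shared-key-for-demo!"
    idp = IdentityProvider("district-idp", key)
    rp = RelyingParty("grades.example", {"district-idp": key})
    issued_at = 1_000_000
    tok = idp.issue("s123", {"role": "student", "student_id": "s123"},
                    "grades.example", ttl=600, now=issued_at)
    ok = rp.verify(tok, now=issued_at + 100)
    # A client that rewrites its own claims without the key must be rejected.
    body_b64, sig_b64 = tok.split(".")
    body = json.loads(b64decode_url(body_b64))
    body["claims"]["role"] = "teacher"
    forged = b64encode_url(canonical(body)) + "." + sig_b64
    outcomes = {"subject": ok["sub"], "own_grades": may_view_grades(ok, "s123"),
                "other_grades": may_view_grades(ok, "s999")}
    for name, candidate, at in (("forged", forged, issued_at + 100),
                                ("expired", tok, issued_at + 700)):
        try:
            rp.verify(candidate, now=at)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The point of the structure is in what the relying party does not hold: it stores a verification key and a list of trusted issuers, not passwords or "mother's maiden name" answers, so a compromise of the grades site yields nothing that can be replayed elsewhere, and a token for one site is refused by another because of the audience check.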
Microsoft announced the Geneva technology last week when it announced its first hosted security service under the Forefront brand.
A former leading federal prosecutor for computer crimes at the Justice Department, Charney left PricewaterhouseCoopers to join Microsoft as chief security strategist in 2002.
"Initially my friends laughed because I used 'Microsoft' and 'security' in the same sentence," he quipped. Microsoft has made progress since then, he added.
In addition to improving the security of Windows, Microsoft offers SmartScreen technology in Internet Explorer 8 that allows users to block malware from being downloaded onto their computers. The company also shares its Software Development Lifecycle guidelines and tools for building secure software with outside developers and firms.
Current mechanisms used by Web sites to protect consumer data by requiring people to prove they are authorized to access sites are broken, Charney said. Web sites ask for personal information, like city of birth and mother's maiden name, "but those secrets aren't secret at all," he said. "We need a different model for thinking about identity."
All of Microsoft's security news is designed to further the company's mission to provide what it calls "End to End Trust" for people using the Internet, regardless of what data they are working with, what hardware they are using, and where they are located.
Key to the End to End Trust initiative, which was launched at RSA last year, is a trusted stack of components that authenticate everything from the user to the data and applications.
In addition to software features for authentication and identity, the Windows 7 beta includes support for Trusted Platform Modules that provide encryption at the hardware level.
In discussing all the threats and risks Internet users face today, Charney revealed what he called "Charney's Theorem"--"there's always a percentage of the population up to no good."