I. How TRA Collects, Uses And Stores Your Data
It is important to first note that, unlike Web-based services, all data and files sent to and received from the Collaborator service are encrypted. No data is EVER transferred to a TRA Server in a clear, unencrypted form. This is true regardless of the account type you purchase or how you use the service.
This channel encryption is a foundational characteristic of the TRA Secure Client software. Every connection to a TRA server is established using randomly generated, non-repeating channel parameters, in order to establish a trusted, identity-based channel session. As a result, identification and authorization occur BEFORE the application session is actually granted. This is unlike Web-based services that simply use SSL to encrypt data in transport and then have to provide a separate authorization mechanism.
For more information on the Caruso security infrastructure, please reference http://www.thoughtrealm.com/caruso/secure.
There are five basic types of information that TRA collects from or for you. The following is a description of each type of information.
- User Account Credentials
In order to communicate with a TRA Server, you must FIRST login using your user credentials. These include your Alliance, user name and two passwords, referred to as a "password" and "phrase".
During login, a secure, encrypted channel is established between you and a TRA Server using randomly generated parameters provided by the server. These parameters, in combination with your user credentials, algorithmically determine random channel parameters for every connection. This process allows the Caruso channel architecture to establish a private, encrypted session without exchanging passwords of any kind, while still achieving highly trustable user identification.
The only element of your credentials that is actually transmitted to the server during login is your user id, referred to as user name. This ID can be a name, number, or whatever you want to use. This ID is initially transmitted to the TRA server in an encrypted state, using a set of server keys that are shared between the connecting Client software and the TRA Server. Once the ID is successfully exchanged, the channel encryption is "promoted" using the random channel parameters.
Your actual passwords, which are never transmitted during login, are stored in a TRA server database in an obscured state, by using cryptographic primitives that include salting and stretching. This storage technique, as well as the requirement of two separate passwords for every user, assists in the mitigation of password dictionary attacks, should the TRA user database ever be compromised.
As a result, if you should lose or forget your password, TRA is unable to tell you what your password was. Therefore, you can only be assigned a NEW password, since it is not possible to determine what your password was, given the information that is stored.
- Personal Information
TRA requires several items of personal information in order to service you. Those elements are basically:
- Name information
- Email address
- Billing information for the account payments, which may include credit card information.
The only emails you will receive from TRA are limited to occasional emails to our customers and notification emails that you request to be sent to you from the Collaborator service.
- Files
One feature of the service is the ability to upload and download files. The files that you upload to Collaborator to store in your account are transferred over a separate, encrypted channel between you and a TRA Server. The transmission channel is secured via the Caruso channel technology, as described above. This transmission does not use FTP or any other web-based transfer mechanism. Instead, it uses Caruso's own file transfer protocol with its own secure channel implementation.
Before your file is uploaded, it may or may not be compressed, in order to save transfer time and bandwidth usage. Some file types, such as jpg, zip and rar, do not compress well and may actually grow in size as a result of further compression. Those files are not compressed. Files that are compressed are compressed on your machine PRIOR to upload and then uncompressed on your machine AFTER they are downloaded.
After your file is received by the TRA server, it is then encrypted with a randomly generated key and initialization vector on the server. The key is built from two different elements that are stored in a database on a TRA Server. The file itself is encrypted and then stored in a separate file directory for your account. Later, when downloading the file, the random keys are retrieved from the TRA database and the file is then decrypted for your download.
- Entered data
The data that you enter is stored in a database on a TRA server. This data is your project info, such as task information, discussion messages, etc. This data can only be accessed remotely using the TRA Client software. This data is never provided to any 3rd party without your approval.
In order to speed processing of your data for access and storage, this data is NOT currently stored in an encrypted state in the database. It IS encrypted during transmission, just not when it is stored on the server.
- Backups
In order to provide a measure of failure recovery, TRA performs several types of data backups. These backups cover at least your entered data, and may also include your uploaded files, depending on account type. Some backups are stored locally on the relevant TRA server. However, some backups are stored in a different location periodically, for redundancy. Those backups that are stored in a different location are encrypted in order to make sure that a data loss or other compromise of backup data will not result in a compromise of your actual data.
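The login flow described under User Account Credentials above (only the user name is sent, the server supplies random parameters, and both sides derive a per-connection key from the credentials) can be sketched as follows. This is an added illustration, not Caruso's actual algorithm, which this page does not specify; PBKDF2-HMAC-SHA256, HMAC-SHA256, the nonce and function names, and the work factor are all assumptions.

```python
import hashlib, hmac, secrets

ROUNDS = 200_000  # assumed stretching work factor

def verifier(password: str, phrase: str, salt: bytes) -> bytes:
    # Salted, stretched value stored server-side in place of both passwords.
    # The length prefix keeps ("ab", "c") and ("a", "bc") distinct.
    pw = password.encode()
    secret = len(pw).to_bytes(2, "big") + pw + phrase.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ROUNDS)

def channel_key(v: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    # Fresh nonces make the derived key different for every connection.
    msg = b"channel" + server_nonce + client_nonce
    return hmac.new(v, msg, hashlib.sha256).digest()

def confirm(key: bytes) -> bytes:
    # Proof of key possession; carries neither the key nor the passwords.
    return hmac.new(key, b"client-confirm", hashlib.sha256).digest()

def enroll(db: dict, user: str, password: str, phrase: str) -> None:
    salt = secrets.token_bytes(16)
    db[user] = (salt, verifier(password, phrase, salt))

def login(db: dict, user: str, password: str, phrase: str):
    """Simulate one login; returns (accepted, client_key, bytes_on_wire)."""
    # 1. client -> server: user name only (the page says it is first encrypted
    #    under shared server keys; that outer layer is omitted here)
    wire = [user.encode()]
    salt, stored = db[user]
    server_nonce = secrets.token_bytes(16)
    wire += [salt, server_nonce]       # 2. server -> client: salt + random parameters
    client_nonce = secrets.token_bytes(16)
    client_key = channel_key(verifier(password, phrase, salt), server_nonce, client_nonce)
    tag = confirm(client_key)
    wire += [client_nonce, tag]        # 3. client -> server: nonce + confirmation tag
    server_key = channel_key(stored, server_nonce, client_nonce)
    accepted = hmac.compare_digest(tag, confirm(server_key))  # 4. server checks tag
    return accepted, client_key, b"".join(wire)

if __name__ == "__main__":
    db = {}
    enroll(db, "alice", "constructed-password", "constructed-phrase")  # constructed sample
    print(login(db, "alice", "constructed-password", "constructed-phrase")[0])
    print(login(db, "alice", "constructed-password", "wrong-phrase")[0])
```

In this sketch both sides key the channel from the stored verifier, so the database record needs the same protection as a password; salting and stretching only slow recovery of the original passwords from it.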
II. Legal Requests for Your Data
While your data is NEVER provided to 3rd party vendors or sold for any reason, appropriate legal requests for your data will be serviced in accordance with legal proceedings, as a result of a criminal or civil investigation. Additionally, TRA makes every effort to comply with city, state, federal or other municipal entities as would be appropriate. These are the only circumstances where your data might be shared with a 3rd party.
