It may sound strange, but there’s a computer security company just outside Boston where the engineers have declared that the conventional battle against viruses, worms, Trojan horses, and other forms of computer malware is already lost.
Norton, McAfee, and other anti-virus companies may still make millions selling consumers software that promises to keep computers malware-free. But these products stop barely half of today's malware attacks, say the folks at Waltham, MA-based Verdasys. So the only dependable way to protect sensitive data (say, when a bank's customers are online managing their accounts) is to assume that their computers are already compromised, and to keep the data out of malware's reach.
That’s the strategy behind SiteTrust, a new service that Verdasys is launching today for banks, brokerages, and other big companies that serve customers over the Internet—and that are legally liable for losses from online fraud. A privately backed company founded in 2003, Verdasys has served many of these same companies for years with a product called Digital Guardian that keeps sensitive data from slipping outside a company’s walls. SiteTrust is its first foray into the consumer world.
“The leading anti-virus products today are only about 50 percent effective against the current crop of malware, let alone against some of the newer techniques that do a much better job of hiding themselves,” says Bill Ledingham, Verdasys’s new CTO. “A lot of our online-broker customers, given the losses they are encountering, need a new approach. Given that malware is already resident, how do we insert ourselves and protect just the transaction that is happening between the customer and the corporate website?”
In theory, it's easy to secure the data passing between a user's Web browser and a corporate server by encrypting it with established standards such as SSL. But encryption on the wire does nothing if the user's PC is infected with malware that reads the data before it is encrypted, for example by capturing keystrokes as the user types a password. Based on their experience creating Digital Guardian, which monitors and encrypts all proprietary or sensitive information passing through a desktop, laptop, or enterprise server, Verdasys engineers built a small client-side software package, a download of less than 1 megabyte, that turns on whenever the user visits a website protected by the SiteTrust service.
This software (designed for Windows only, though Ledingham says the company is working on Mac and Linux versions) first spawns a new instance of the user's Web browser, separate from any other Internet Explorer, Firefox, or Safari windows in which malware may already be eavesdropping. Then it inserts itself into the innermost operations of the user's computer, creating a secure space around