WO2003069482A2 - System for preventing a computer virus accessing email addresses - Google Patents

System for preventing a computer virus accessing email addresses Download PDF

Info

Publication number
WO2003069482A2
WO2003069482A2 PCT/NZ2003/000030 NZ0300030W WO03069482A2 WO 2003069482 A2 WO2003069482 A2 WO 2003069482A2 NZ 0300030 W NZ0300030 W NZ 0300030W WO 03069482 A2 WO03069482 A2 WO 03069482A2
Authority
WO
WIPO (PCT)
Prior art keywords
message
preventing
computer
address
client
Prior art date
Application number
PCT/NZ2003/000030
Other languages
French (fr)
Other versions
WO2003069482A3 (en
Inventor
David Lynch Waterson
Original Assignee
Ripple Effects Holdings Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ripple Effects Holdings Limited filed Critical Ripple Effects Holdings Limited
Priority to AU2003206478A priority Critical patent/AU2003206478A1/en
Publication of WO2003069482A2 publication Critical patent/WO2003069482A2/en
Publication of WO2003069482A3 publication Critical patent/WO2003069482A3/en
Priority to US10/920,268 priority patent/US20050120230A1/en
Priority to US12/385,268 priority patent/US20090254994A1/en
Priority to US13/349,635 priority patent/US20120174233A1/en
Priority to US14/495,097 priority patent/US9317701B2/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/83Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/48Message addressing, e.g. address format or anonymous messages, aliases
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication

Definitions

  • the field of the invention generally relates to the prevention of the spread of viruses from a computer system receiving a virus, and in particular to a system for preventing a computer virus from accessing message addresses for further replication.
  • Computer viruses constitute a danger for computer users and in particular companies.
  • Many computer virus protection software programs try to prevent computer systems being infected by scanning incoming and outgoing e-mails for virus patterns. These types of virus protection programs depend upon the virus definition files being kept up to date. When a new virus appears there is a window of opportunity for viruses to spread. In even a few hours viruses can spread rapidly, worldwide.
  • viruses carry their own SMTP commands. That is they send outgoing emails without going through the email program. If a virus operates in this manner, then the only way it can replicate is by cracking the encryption technology such as the standard 128-bit encryption. Part of the encryption formula is the user-defined password this differs on each machine. Therefore, if a hacker- initiated virus breaks the encryption, it theoretically would only do so on one machine.
  • a problem with conventional anti virus systems that rely on standard 128- bit encryption arises via accessing the password.
  • Keyboard sniffer programs exist that can intercept keyboard entries. It is possible (although quite difficult) for a trojan horse program to wait until the user enters a password, and then to intercept the password. Once the virus knows the password, cracking the encryption would be difficult, but possible. If the encryption were cracked, the virus could replicate through the email program, entering via the password itself.
  • Conventional security systems do not offer any protection against password interception. Therefore, what is needed is a new security method capable of defeating a trojan horse attack that intercepts a user's password.
  • Another point of failure in a conventional anti virus system occurs when the user clicks a confirmation button when sending emails with attachments that could contain a virus.
  • a virus could duplicate user keystroke actions, and activate the confirmation button itself.
  • OK buttons can generally be activated by the Enter key in addition to a mouse click. This would ensure that the confirmation can only be activated by a user activated mouse click.
  • Mouse clicks are far more difficult for a virus writer to duplicate.
  • the present invention may broadly be said to consist in a system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said server and forwarding said messages to said client; means for receiving messages from said client and forwarding the messages to said server; means for identifying message addresses in messages received from said server; means for replacing an identified message address in messages received from said server with a corresponding unique identifier; means for identifying unique identifiers in messages received from said client; and means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
  • the present invention may broadly be said to consist in a system for preventing a computer virus from activating a send confirmation of a messaging client comprising means for preventing keystrokes activating said send confirmation wherein said send confirmation can only be activated by other input means.
  • the present invention may broadly be said to consist in a system for preventing keyboard sniffer programs from intercepting input via a keyboard comprising: means for adding randomly generated characters into the keyboard buffer between password keystrokes; and means for reading said keyboard buffer; and means for reading the stream of said randomly generated characters and removing said randomly generated characters.
  • the present invention may broadly be said to consist in a method of preventing a computer virus from accessing message addresses, including the steps of: receiving messages from a messaging server and forwarding said messages to a messaging client; receiving messages from said client and forwarding the messages to said server; identifying message addresses in messages received from said server; replacing an identified message address in messages received from said server with a corresponding unique identifier; identifying unique identifiers in messages received from said message client; and replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
  • the present invention may broadly be said to consist in a method of preventing a computer virus from activating a send confirmation of a messaging client comprising the step of preventing keystrokes activating said send confirmation wherein said send confirmation can only be activated by other input means.
  • the present invention may broadly be said to consist in a method of preventing keyboard sniffer programs from intercepting input via a keyboard including the steps of: adding randomly generated characters into the keyboard buffer between password keystrokes; and reading said keyboard buffer; and reading the stream of said randomly generated characters and removing said randomly generated characters.
  • the present invention may broadly be said to consist in a system comprising: an email or messaging server which sends and receives messages including a message address; an email or messaging interface which replaces said external address with a unique identifier; and an email or messaging client which sends and receives messages including a unique identifier.
  • the present invention may broadly be said to consist in a system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said server and forwarding said messages to said client; means for identifying message addresses in messages received from said server; and means for replacing an identified message address in messages received from said server with a corresponding unique identifier.
  • the present invention may broadly be said to consist in a system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said client and forwarding the messages to said server; means for identifying unique identifiers in messages received from said client; and means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
  • This invention also may be said to consist in the parts, elements and features referred to or indicated in the specification of the application, individually or collectively, and any or all combinations of any two or more of said parts, elements or features, and where specific integers are mentioned herein which have known equivalents in the art to which this invention relates, such known equivalents are deemed to be incorporated herein as if individually set forth.
  • Figure 1 is a diagrammatic representation of a conventional message client program including message folders and message address book.
  • Figure 2A is a diagrammatic representation a system for receiving incoming email according to an aspect of present invention.
  • Figure 2B is a diagrammatic representation a system for sending outgoing email according to an aspect of present invention.
  • Figure 3 is a diagrammatic representation of the system operating in an environment including a message address server according to an aspect of the present invention.
  • Figure 4A is a diagrammatic representation of the operation of a conventional Keyboard Buffer.
  • Figure 4B is a diagrammatic representation of the operation of a Keyboard
  • FIG. 1 shows a typical prior art message client 100. Viruses source message addresses by checking folders 102 accessed from within messaging programs 101. Folders 102 such as Inbox, Sent box, Outbox, Drafts, are used for storing messages. Message addresses found in the headers of individual messages are used to replicate the virus.
  • the software of the present invention includes an interception component 205 as part of an application program that operates on the same environment as the client messaging program 201.
  • the interception component 205 acts as an intermediary between the messaging client 201 and the messaging server 204, encrypting and decrypting message addresses.
  • an installation component of the application program changes the messaging server settings of the messaging client 201 to refer to the interception component 205 instead of the messaging server 204.
  • the interception component 205 acts as a messaging server.
  • the interception component acts a client messaging program.
  • the interception component 205 of the present invention comprises an application program running on a computer.
  • the application program has a module to receive messages from a messaging client 201 and a module to send messages to a messaging client 201.
  • the application program of interception component 205 has modules to send messages to the messaging server 204 and receive messages from the messaging server 204.
  • the messaging client 201 receiving and sending modules and the server 204 receiving and sending modules implement the functionality of standard client and server messaging protocols.
  • the application program of interception component 205 has a find address module to locate messaging addresses in messages received from the messaging server 204.
  • the find address module passes located addresses to an encrypting module that has both encrypting and decrypting functions.
  • the encrypting module encrypts message addresses and passes the encrypted address back to the find address module as a unique identifier to replace the message address.
  • a find identifier module is used to locate the unique identifier that has replaced the message address.
  • the find identifier module passes the located identifier to the encrypting module for decrypting, receives a message address from the encrypting module and replaces the unique identifier with the message address.
  • the interception component 205 also has an address book module to monitor the address book 203 of the messaging client 201. This module detects new addresses added to the address book, passes the message address to the encrypting module, receives the encrypted address from the encrypting module and replaces the address in the address book 203 with the encrypted address.
  • the application program of interception component 205 includes an installation component which uses the scanning modules and encrypting modules to encrypt message addresses in message folders 202 and message addresses in address books 203.
  • the installation component has functions to replace the messaging server settings of the messaging client 201 and store the existing messaging server settings of the client 201 in the application program of interception component 205 for use by the modules that send and receive messages for the messaging server 204.
  • the application program also includes a scanning module message folder and a message address book scanning module. Each scanning module uses the find address module to locate message addresses and the encrypting module to encrypt any message addresses found.
  • a module of the interception component 305 to interface with a messaging address server 306 has functions to interact with both messaging clients 301 and messaging address server 306.
  • the module receives requests for an address from the client 301 and forwards the requests to the server 306.
  • the module passes the address to the encrypting module, receives the encrypted address and forwards the encrypted address to the messaging client 301.
  • Fig 3 The operation of the system of the present invention in use is described with reference to Fig 3 as follows.
  • the messaging client 301 forwards the message to the interception component 305.
  • the interception component 305 decrypts the message address data and sends the message onto the messaging server 304.
  • a user requests that the messaging client 301 check for new messages, the messaging client 301 requests that the interception component 305 checks with the messaging server 304 if there are new messages. If there are, the interception component 305 downloads the messages, identifies and encrypts the message addresses, and then passes the messages onto the messaging client 301. All message addresses entering the messaging client are thus encrypted.
  • Messaging clients may be set up to automatically check to see if there are new messages.
  • the messaging client 301 checks for new messages by checking with the interception component 305.
  • the interception component 305 in turn checks with the messaging server 304. If there are new messages the interception component encrypts the addresses and forwards the messages to the client 301 in the same way as if the user had made the request to check for new mail.
  • message addresses entering the messaging client 301 are encrypted, when messages are subsequently saved in the various folders 302 within the messaging client 301, such as the Inbox, they are stored with encrypted message addresses.
  • Message addresses stored in the address book 303 are also stored in an encrypted form as the addresses have been encrypted when messages enter the system.
  • the address book 303 is where details of contacts are stored, including message addresses. In the case of Microsoft Outlook Express, this is the Windows Address Book (WAB).
  • WAB Windows Address Book
  • the interception component monitors all changes to the address book. Whenever a new contact is added, the address book monitoring module of interception component 305 will encrypt the message address.
  • the installation component encrypts all existing message addresses found in the various folders 303 of the client message program 301, as well as all message addresses found in the address book 303.
  • the interception component uses an encryption key, unique to each user to prevent viruses from activating the interception component 304 in order to use it to decrypt message addresses. This technique makes it difficult for a virus to duplicate entries from a user.
  • the interception component can be used with message address servers 306 such as Microsoft Exchange or an LDAP Server.
  • Address servers 306 store public addresses such as those addresses required to locate local users of the system and message addresses located outside the system.
  • the messaging client 301 may request addresses from a message address server 306, the interception component 305 intercepts the request, makes the request of the message address server 306, receives the address and encrypts the addresses before forwarding onto the messaging client 301. The message is then sent in the normal way with the interception component 305 decrypting the message address before forwarding the message onto the messaging server 304.
  • a conventional keyboard buffer 402 receives input data from a keyboard (not shown) over an input line 401.
  • the contents of the buffer are read by a relevant software program over a suitable connection at 403.
  • an aspect of the present invention provides a keyboard buffer scrambling feature that adds randomly-generated characters into the keyboard buffer 402 between the password keystrokes which are input at 401 into keyboard buffer 402 from a keyboard or other or other data entry device. It will be appreciated that this aspect totally defeats keyboard sniffer programs. A Trojan horse program attempting to intercept a user's password only would receive a lot of meaningless characters.
  • a continuous stream of random characters are generated from a buffer scrambler 405 that randomly streams data in while someone enters a password to help prevent the password being picked up by a keyboard sniffer program.
  • the buffer scrambler 405 comprises a random number generator, which also can be a cryptographic accelerator or other means for providing a variable and unpredictable stream of random characters that are sent as a data input 401 to the keyboard buffer 402.
  • the contents of the keyboard buffer 402 are then read at 403 by a reader which is coupled with or otherwise has access shown at 407 to the random character stream provided by buffer scrambler 405.
  • the reader 403 deletes the random characters inserted in the input data 401 from the contents of keyboard buffer 402. By comparing the random characters with the contents of keyboard buffer
  • the reader 403 is able to reconstruct original (correct) input data 401 from the keyboard.
  • Unauthorized software such as keyboard buffer sniffer software
  • the system on startup checks that files that could alter a message just before a message leaves the system are unchanged. The system does this by comparing the checksum of critical files with a stored checksum of those files.
  • the present invention modifies the messaging client to prevent the message send confirmation being activated by keystrokes.
  • the present invention replaces any button confirmation with a graphic confirmation.
  • the graphic confirmation is moved to a different location either at each login or each time a user prepares an email to send. This prevents a virus writer from establishing the coordinates of the graphic and programming the mouse to go to that position.
  • the email client is modified by the installation component of the present system.
  • the features of the invention are compatible with WAP or any mobile device enabling standard.
  • an equivalent arrangement can be accomplished by implementing the keyboard buffer scrambling feature as well as other features described above in a PDA, cell phone or other computing device. Accordingly, persons of ordinary skill in this field are to understand that all such equivalent arrangements are to be included within the scope of the claims.

Abstract

A system for preventing a computer virus from accessing message addresses is described. The system comprises an interception component that communicates with a messaging client and a messaging server. The interception component receives messages from the server and forwards messages to the client. Before forwarding messages to the client the interception component replaces message addresses with a unique identifier. The interception component also receives messages from the client and forwards messages to the server. Before forwarding messages to the server the interception component replaces a unique identifier with a message addresses. Also described is a system for preventing keyboard sniffer programs from intercepting input and a system for preventing a computer virus from activating a send confirmation of a messaging client.

Description

"SYSTEM FOR PREVENTING A COMPUTER VIRUS ACCESSING
EMALL ADDRESSES"
FIELD OF THE INVENTION The field of the invention generally relates to the prevention of the spread of viruses from a computer system receiving a virus, and in particular to a system for preventing a computer virus from accessing message addresses for further replication. SUMMARY OF THE PRIOR ART
Computer viruses constitute a danger for computer users and in particular companies. Many computer virus protection software programs try to prevent computer systems being infected by scanning incoming and outgoing e-mails for virus patterns. These types of virus protection programs depend upon the virus definition files being kept up to date. When a new virus appears there is a window of opportunity for viruses to spread. In even a few hours viruses can spread rapidly, worldwide.
Many viruses carry their own SMTP commands. That is they send outgoing emails without going through the email program. If a virus operates in this manner, then the only way it can replicate is by cracking the encryption technology such as the standard 128-bit encryption. Part of the encryption formula is the user-defined password this differs on each machine. Therefore, if a hacker- initiated virus breaks the encryption, it theoretically would only do so on one machine.
A problem with conventional anti virus systems that rely on standard 128- bit encryption arises via accessing the password. Keyboard sniffer programs exist that can intercept keyboard entries. It is possible (although quite difficult) for a trojan horse program to wait until the user enters a password, and then to intercept the password. Once the virus knows the password, cracking the encryption would be difficult, but possible. If the encryption were cracked, the virus could replicate through the email program, entering via the password itself. Conventional security systems do not offer any protection against password interception. Therefore, what is needed is a new security method capable of defeating a trojan horse attack that intercepts a user's password.
Another point of failure in a conventional anti virus system occurs when the user clicks a confirmation button when sending emails with attachments that could contain a virus. For example, a virus could duplicate user keystroke actions, and activate the confirmation button itself. Thus, what is needed is a way to ensure that no keystrokes can activate the confirmation (for example, OK buttons can generally be activated by the Enter key in addition to a mouse click). This would ensure that the confirmation can only be activated by a user activated mouse click. Mouse clicks are far more difficult for a virus writer to duplicate.
However, it would be possible for a virus writer to establish the coordinates of a confirmation button on a screen, program the mouse to go to that position, and then to generate a mouse click at that position. Thus, what is needed is a method for ensuring that a virus cannot find the position of the email activation button. SUMMARY OF THE INVENTION
Therefore, what is needed is a system for overcoming the above- mentioned difficulties by interrupting the spread of viruses through the use of messaging software such as e-mail. What is also needed is a system for preventing a computer virus from accessing message addresses.
In a first aspect the present invention may broadly be said to consist in a system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said server and forwarding said messages to said client; means for receiving messages from said client and forwarding the messages to said server; means for identifying message addresses in messages received from said server; means for replacing an identified message address in messages received from said server with a corresponding unique identifier; means for identifying unique identifiers in messages received from said client; and means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server. In a second aspect the present invention may broadly be said to consist in a system for preventing a computer virus from activating a send confirmation of a messaging client comprising means for preventing keystrokes activating said send confirmation wherein said send confirmation can only be activated by other input means. In a third aspect the present invention may broadly be said to consist in a system for preventing keyboard sniffer programs from intercepting input via a keyboard comprising: means for adding randomly generated characters into the keyboard buffer between password keystrokes; and means for reading said keyboard buffer; and means for reading the stream of said randomly generated characters and removing said randomly generated characters.
In a fourth aspect the present invention may broadly be said to consist in a method of preventing a computer virus from accessing message addresses, including the steps of: receiving messages from a messaging server and forwarding said messages to a messaging client; receiving messages from said client and forwarding the messages to said server; identifying message addresses in messages received from said server; replacing an identified message address in messages received from said server with a corresponding unique identifier; identifying unique identifiers in messages received from said message client; and replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
In a fifth aspect the present invention may broadly be said to consist in a method of preventing a computer virus from activating a send confirmation of a messaging client comprising the step of preventing keystrokes activating said send confirmation wherein said send confirmation can only be activated by other input means.
In a sixth aspect the present invention may broadly be said to consist in a method of preventing keyboard sniffer programs from intercepting input via a keyboard including the steps of: adding randomly generated characters into the keyboard buffer between password keystrokes; and reading said keyboard buffer; and reading the stream of said randomly generated characters and removing said randomly generated characters.
In a seventh aspect the present invention may broadly be said to consist in a system comprising: an email or messaging server which sends and receives messages including a message address; an email or messaging interface which replaces said external address with a unique identifier; and an email or messaging client which sends and receives messages including a unique identifier. In a eighth aspect the present invention may broadly be said to consist in a system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said server and forwarding said messages to said client; means for identifying message addresses in messages received from said server; and means for replacing an identified message address in messages received from said server with a corresponding unique identifier. In a ninth aspect the present invention may broadly be said to consist in a system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said client and forwarding the messages to said server; means for identifying unique identifiers in messages received from said client; and means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
This invention also may be said to consist in the parts, elements and features referred to or indicated in the specification of the application, individually or collectively, and any or all combinations of any two or more of said parts, elements or features, and where specific integers are mentioned herein which have known equivalents in the art to which this invention relates, such known equivalents are deemed to be incorporated herein as if individually set forth. Brief Description of the Drawings
Figure 1 is a diagrammatic representation of a conventional message client program including message folders and message address book. Figure 2A is a diagrammatic representation a system for receiving incoming email according to an aspect of present invention.
Figure 2B is a diagrammatic representation a system for sending outgoing email according to an aspect of present invention. Figure 3 is a diagrammatic representation of the system operating in an environment including a message address server according to an aspect of the present invention.
Figure 4A is a diagrammatic representation of the operation of a conventional Keyboard Buffer. Figure 4B is a diagrammatic representation of the operation of a Keyboard
Buffer when awaiting password input from the keyboard according to an aspect of the present invention. DETAILED DESCRIPTION OF THE PRESENT INVENTION
Conventional anti virus software attempts to prevent viruses from entering and leaving the system, by examining incoming and outgoing messages and attempting to identify possible viruses. In contrast, an aspect of the present invention stops viruses from replicating, by preventing viruses from spreading to other systems through the use of message addresses such as e-mail addresses. Many viruses replicate by using message addresses found on the infected system. Viruses source message addresses in order to replicate. Figure 1 shows a typical prior art message client 100. Viruses source message addresses by checking folders 102 accessed from within messaging programs 101. Folders 102 such as Inbox, Sent box, Outbox, Drafts, are used for storing messages. Message addresses found in the headers of individual messages are used to replicate the virus.
Another source of message addresses for replicating is the address book 103 that stores details of contacts including message addresses. The virus may then proceed to send itself to the located addresses using its own embedded mail daemon. Referring to Figures 2A and 2B, the software of the present invention includes an interception component 205 as part of an application program that operates on the same environment as the client messaging program 201. The interception component 205 acts as an intermediary between the messaging client 201 and the messaging server 204, encrypting and decrypting message addresses. During installation, according to an aspect of the invention, an installation component of the application program changes the messaging server settings of the messaging client 201 to refer to the interception component 205 instead of the messaging server 204. With respect to the messaging client 201, the interception component 205 acts as a messaging server. With respect to the messaging server 204, the interception component acts a client messaging program.
The interception component 205 of the present invention comprises an application program running on a computer. The application program has a module to receive messages from a messaging client 201 and a module to send messages to a messaging client 201. To communicate with a messaging server 204 the application program of interception component 205 has modules to send messages to the messaging server 204 and receive messages from the messaging server 204. The messaging client 201 receiving and sending modules and the server 204 receiving and sending modules implement the functionality of standard client and server messaging protocols.
The application program of interception component 205 has a find address module to locate messaging addresses in messages received from the messaging server 204. The find address module passes located addresses to an encrypting module that has both encrypting and decrypting functions. The encrypting module encrypts message addresses and passes the encrypted address back to the find address module as a unique identifier to replace the message address.
A find identifier module is used to locate the unique identifier that has replaced the message address. The find identifier module passes the located identifier to the encrypting module for decrypting, receives a message address from the encrypting module and replaces the unique identifier with the message address. The interception component 205 also has an address book module to monitor the address book 203 of the messaging client 201. This module detects new addresses added to the address book, passes the message address to the encrypting module, receives the encrypted address from the encrypting module and replaces the address in the address book 203 with the encrypted address.
The application program of interception component 205 includes an installation component which uses the scanning modules and encrypting modules to encrypt message addresses in message folders 202 and message addresses in address books 203. The installation component has functions to replace the messaging server settings of the messaging client 201 and store the existing messaging server settings of the client 201 in the application program of interception component 205 for use by the modules that send and receive messages for the messaging server 204. The application program also includes a scanning module message folder and a message address book scanning module. Each scanning module uses the find address module to locate message addresses and the encrypting module to encrypt any message addresses found.
Referring to Figure 3 a module of the interception component 305 to interface with a messaging address server 306 has functions to interact with both messaging clients 301 and messaging address server 306. The module receives requests for an address from the client 301 and forwards the requests to the server 306. After receiving the message address from server 306 the module passes the address to the encrypting module, receives the encrypted address and forwards the encrypted address to the messaging client 301.
The operation of the system of the present invention in use is described with reference to Fig 3 as follows. After a user composes a new outgoing message, and sends a message, the messaging client 301 forwards the message to the interception component 305. The interception component 305 decrypts the message address data and sends the message onto the messaging server 304.
To receive a new message, a user requests that the messaging client 301 check for new messages, the messaging client 301 requests that the interception component 305 checks with the messaging server 304 if there are new messages. If there are, the interception component 305 downloads the messages, identifies and encrypts the message addresses, and then passes the messages onto the messaging client 301. All message addresses entering the messaging client are thus encrypted.
Messaging clients may be set up to automatically check to see if there are new messages. In this case the messaging client 301 checks for new messages by checking with the interception component 305. The interception component 305 in turn checks with the messaging server 304. If there are new messages the interception component encrypts the addresses and forwards the messages to the client 301 in the same way as if the user had made the request to check for new mail.
As all message addresses entering the messaging client 301 are encrypted, when messages are subsequently saved in the various folders 302 within the messaging client 301, such as the Inbox, they are stored with encrypted message addresses. Message addresses stored in the address book 303 are also stored in an encrypted form as the addresses have been encrypted when messages enter the system.
The address book 303 is where details of contacts are stored, including message addresses. In the case of Microsoft Outlook Express, this is the Windows Address Book (WAB). The interception component monitors all changes to the address book. Whenever a new contact is added, the address book monitoring module of interception component 305 will encrypt the message address.
When the system component is installed for the first time, the installation component encrypts all existing message addresses found in the various folders 303 of the client message program 301, as well as all message addresses found in the address book 303.
The interception component uses an encryption key, unique to each user to prevent viruses from activating the interception component 304 in order to use it to decrypt message addresses. This technique makes it difficult for a virus to duplicate entries from a user.
The interception component can be used with message address servers 306 such as Microsoft Exchange or an LDAP Server. Address servers 306 store public addresses such as those addresses required to locate local users of the system and message addresses located outside the system. When composing a new message, the messaging client 301 may request addresses from a message address server 306, the interception component 305 intercepts the request, makes the request of the message address server 306, receives the address and encrypts the addresses before forwarding onto the messaging client 301. The message is then sent in the normal way with the interception component 305 decrypting the message address before forwarding the message onto the messaging server 304.
An additional safeguard provided by the present invention against keystroke loggers and sniffer programs is shown with reference to Figures 4A and 4B. Referring to Figure 4A, a conventional keyboard buffer 402 receives input data from a keyboard (not shown) over an input line 401. The contents of the buffer are read by a relevant software program over a suitable connection at 403.
Referring to Figure 4B, an aspect of the present invention provides a keyboard buffer scrambling feature that adds randomly-generated characters into the keyboard buffer 402 between the password keystrokes which are input at 401 into keyboard buffer 402 from a keyboard or other or other data entry device. It will be appreciated that this aspect totally defeats keyboard sniffer programs. A Trojan horse program attempting to intercept a user's password only would receive a lot of meaningless characters.
As shown in Figure 4B, a continuous stream of random characters are generated from a buffer scrambler 405 that randomly streams data in while someone enters a password to help prevent the password being picked up by a keyboard sniffer program. The buffer scrambler 405 comprises a random number generator, which also can be a cryptographic accelerator or other means for providing a variable and unpredictable stream of random characters that are sent as a data input 401 to the keyboard buffer 402. The contents of the keyboard buffer 402 are then read at 403 by a reader which is coupled with or otherwise has access shown at 407 to the random character stream provided by buffer scrambler 405. The reader 403 deletes the random characters inserted in the input data 401 from the contents of keyboard buffer 402. By comparing the random characters with the contents of keyboard buffer
402, the reader 403 is able to reconstruct original (correct) input data 401 from the keyboard. Unauthorized software (such as keyboard buffer sniffer software) is able to access reader 403, but cannot determine the random character stream at 405 and is therefore unable to determine the input data 401. In addition to replacing email addresses with identifiers the system on startup checks that files that could alter a message just before a message leaves the system are unchanged. The system does this by comparing the checksum of critical files with a stored checksum of those files.
As a further means to prevent viruses utilizing a messaging client to send out email the present invention modifies the messaging client to prevent the message send confirmation being activated by keystrokes. In addition the present invention replaces any button confirmation with a graphic confirmation. As a further protection the graphic confirmation is moved to a different location either at each login or each time a user prepares an email to send. This prevents a virus writer from establishing the coordinates of the graphic and programming the mouse to go to that position. The email client is modified by the installation component of the present system.
While the invention has been described in connection with what are presently considered to be the most practical and preferred embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but rather is intended to cover various modifications and equivalent arrangements which are included with the scope of the claims.
For example, the features of the invention are compatible with WAP or any mobile device enabling standard. Thus, an equivalent arrangement can be accomplished by implementing the keyboard buffer scrambling feature as well as other features described above in a PDA, cell phone or other computing device. Accordingly, persons of ordinary skill in this field are to understand that all such equivalent arrangements are to be included within the scope of the claims.

Claims

CLAIMS:
1. A system for preventing a computer virus from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said server and forwarding said messages to said client; means for receiving messages from said client and forwarding the messages to said server; means for identifying message addresses in messages received from said server; means for replacing an identified message address in messages received from said server with a corresponding unique identifier; means for identifying unique identifiers in messages received from said client; and means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
2. A system for preventing a computer virus from accessing message addresses as claimed in claim 1 including: means for identifying message addresses in stored mail of said messaging client and/or any address books of said client or client system; and means for replacing an identified message address with a unique identifier in said stored mail and/or said any address books.
3. A system for preventing a computer virus from accessing message addresses as claimed in claim 1 or claim 2 including: means for identifying unique identifiers in stored mail of said messaging client and/or any address books of said client or client system; and means for replacing an identified unique identifier with a message address in said stored mail and/or said any address books.
4. A system for preventing a computer vims from accessing message addresses as claimed in anyone of claims 1 to 3 wherein: said means for replacing an identified message address in messages received from said server with a corresponding unique identifier includes on encrypting engine; and said means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server includes a decrypting engine.
5. A system for preventing a computer virus from accessing message addresses as claimed in claim 2 or claim 4 wherein said means for replacing an identified message address with a unique identifier in said stored mail and/or said any address books includes an encrypting engine.
6. A system for preventing a computer virus from accessing message addresses as claimed in anyone of claims 3 to 5 wherein said means for replacing an identified unique identifier with a message address in said stored mail and/or said any address books includes a decrypting engine.
7. A system for preventing a computer virus from accessing message addresses as claimed in anyone of claims 1 to 6 including: means for reconfiguring the message server settings of said messaging client to point to said interception component; and means for storing original message server settings, wherein said original message server setting are accessible by said interception component.
8. A system for preventing a computer virus from accessing message addresses as claimed in any one of claims 1 to 7 including means for monitoring one or more address books, said means for monitoring including: means for identifying message addresses added to an address book; and means for replacing an identified message address with a unique identifier in said address books.
9. A system for preventing a computer virus from accessing message addresses as claimed in claim 8 wherein said means for replacing an identified message address with a unique identifier in said address books includes an encrypting engine.
10. A system for preventing a computer virus from accessing message addresses as claimed in anyone of claims 4 to 9 wherein: said encrypting engine; and said decrypting engine, include means for receiving a unique user identifier from a messaging client user
11. A system for preventing a computer virus from accessing message addresses as claimed in claim 10 wherein said means for receiving a unique identifier from a messaging client user includes means for preventing keyboard sniffer programs from intercepting input comprising: means for adding randomly generated characters into the keyboard buffer between password keystrokes; and means for reading said keyboard buffer; and means for reading the stream of said randomly generated characters and removing said randomly generated characters.
12 A system for preventing a computer virus from accessing message addresses as claimed in anyone of claims 1 to 11 including means for preventing keystrokes activating a send confimiation of a messaging client wherein said send confirmation can only be activated by other input means.
13 A system for preventing a computer vims from accessing message addresses as claimed in claim 12 wherein said send confirmation is a button and including means for replacing said message send confirmation button with a graphic.
14. A system for preventing a computer vims from accessing message addresses as claimed in claim 13 including means for moving said graphical randomly.
15. A system for preventing a computer vims from accessing message addresses as claimed in anyone of claims 12 to 14 wherein said send confirmation is activated by a mouse.
16. A system for preventing a computer vims from activating a send confirmation of a messaging client comprising means for preventing keystrokes activating said send confirmation wherein said send confirmation can only be activated by other input means.
17 A system for preventing a computer vims from activating a send confirmation of a messaging client as claimed in claim 16 wherein said send confirmation is a button and including means for replacing said message send confirmation button with a graphic.
18 A system for preventing a computer vims from activating a send confirmation of a messaging client as claimed in claim 17 including means for moving said graphical randomly.
19. A system for preventing a computer vims from activating a send confirmation of a messaging client as claimed in anyone of claims 16 to 18 wherein said send confirmation is activated by a mouse.
20. A system for preventing keyboard sniffer programs from intercepting input via a keyboard comprising: means for adding randomly generated characters into the keyboard buffer between password keystrokes; and means for reading said keyboard buffer; and means for reading the stream of said randomly generated characters and removing said randomly generated characters.
21. A computer program comprising program instructions which when loaded into a computer constitute the processing means of any of claims 1 to 20
22. A method of preventing a computer vims from accessing message addresses, including the steps of: receiving messages from a messaging server and forwarding said messages to a messaging client; receiving messages from said client and forwarding the messages to said server; identifying message addresses in messages received from said server; replacing an identified message address in messages received from said server with a corresponding unique identifier; identifying unique identifiers in messages received from said message client; and replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
23. A method of preventing a computer vims from accessing message addresses as claimed in claim 22 including the steps of: identifying message addresses in stored mail of said messaging client and/or any address books of said client or client system; and replacing an identified message address with a unique identifier in said stored mail and/or said any address books.
24. A method of preventing a computer vims from accessing message addresses as claimed in claim 22 or claim 23 including the steps of: identifying unique identifiers in stored mail of said messaging client and/or any address books of said client or client system; and replacing an identified unique identifier with a message address in said stored mail and/or said any address books.
25. A method of preventing a computer vims from accessing message addresses as claimed in anyone of claims 22 to 24 wherein: replacing an identified message address in messages received from said server with a corresponding unique identifier includes the step of encrypting said message address; and replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server includes the step of decrypting said unique identifier.
26. A method of preventing a computer vims from accessing message addresses as claimed in claim 23 or claim 25 wherein said step of replacing an identified message address with a unique identifier in said stored mail and/or said any address books includes the step of encrypting said message address.
27. A method of preventing a computer vims from accessing message addresses as claimed in anyone of claims 24 to 26 wherein step of replacing an identified unique identifier with a message address in said stored mail and/or said any address books includes the step of decrypting said unique identifier.
28. A method of preventing a computer vims from accessing message addresses as claimed in anyone of claims 22 to 27 including the steps of: reconfiguring the message server settings of said messaging client; and storing original message server settings, wherein said original message server setting are used when receiving messages from said messaging server; and forwarding message to said server.
29. A method of preventing a computer vims from accessing message addresses as claimed in any one of claims 22 to 28 including the step of monitoring one or more address books, said step of monitoring including the steps of: identifying message addresses added to an address book; and replacing an identified message address with a unique identifier in said address books.
30. A method of preventing a computer vims from accessing message addresses as claimed in claim 29 wherein said step of replacing an identified message address with a unique identifier in said address books includes the step of encrypting said message address.
31. A method of preventing a computer vims from accessing message addresses as claimed in anyone of claims 25 to 30 wherein said steps of: encrypting said message address; and decrypting said unique identifier include the step of receiving a unique user identifier from a messaging client user
32. A method of preventing a computer vims from accessing message addresses as claimed in claim 31 wherein said steps of receiving a unique identifier from a messaging client user includes the step of preventing keyboard sniffer programs from intercepting input including the steps of: adding randomly generated characters into the keyboard buffer between password keystrokes; and reading said keyboard buffer; and reading the stream of said randomly generated characters and removing said randomly generated characters.
33. A method of preventing a computer vims from accessing message addresses as claimed in anyone of claims 22 to 32 including the steps of preventing keystrokes activating a send confirmation of a messaging client wherein said send confirmation can only be activated by other input means.
34. A method of preventing a computer vims from accessing message addresses as claimed in claim 33 wherein said send confirmation is a button and including the step of replacing said message send confirmation button with a graphic.
35. A method of preventing a computer vims from accessing message addresses as claimed in claim 34 including the steps of moving said graphical randomly.
36. A method of preventing a computer vims from accessing message addresses as claimed in anyone of claims 33 to 35 wherein said send confirmation is activated by a mouse.
37. A method of preventing a computer vims from activating a send confimiation of a messaging client comprising the step of preventing keystrokes activating said send confirmation wherein said send confirmation can only be activated by other input means.
38. A method of preventing a computer vims from activating a send confirmation of a messaging client as claimed in claim 37 wherein said send confirmation is a button and including the step of replacing said message send confirmation button with a graphic.
39. A method of preventing a computer vims from activating a send confirmation of a messaging client as claimed in claim 38 including the step of moving said graphical randomly.
40. A method of preventing a computer vims from activating a send confirmation of a messaging client as claimed in anyone of claims 37 to 39 wherein said send confirmation is activated by a mouse.
41. A method of preventing keyboard sniffer programs from intercepting input via a keyboard including the steps of: adding randomly generated characters into the keyboard buffer between password keystrokes; and reading said keyboard buffer; and reading the stream of said randomly generated characters and removing said randomly generated characters.
42. A computer program comprising program instructions for causing a computer to perform the process of any of claims 22 to 41.
43. A system comprising: an email or messaging server which sends and receives messages including a message address; an email or messaging interface which replaces said external address with a unique identifier; and an email or messaging client which sends and receives messages including a unique identifier.
44. A system for preventing a computer vims from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said server and forwarding said messages to said client; means for identifying message addresses in messages received from said server; and means for replacing an identified message address in messages received from said server with a corresponding unique identifier.
45. A system for preventing a computer vims from accessing message addresses, said system comprising an interception component adapted to communicate with a messaging client and a messaging server, said interception component including: means for receiving messages from said client and forwarding the messages to said server; means for identifying unique identifiers in messages received from said client; and means for replacing an identified unique identifier with a corresponding message address before sending the message received from said client to said server.
PCT/NZ2003/000030 2002-02-18 2003-02-18 System for preventing a computer virus accessing email addresses WO2003069482A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
AU2003206478A AU2003206478A1 (en) 2002-02-18 2003-02-18 System for preventing a computer virus accessing email addresses
US10/920,268 US20050120230A1 (en) 2002-02-18 2004-08-18 System for preventing a computer virus accessing email addresses
US12/385,268 US20090254994A1 (en) 2002-02-18 2009-04-02 Security methods and systems
US13/349,635 US20120174233A1 (en) 2002-02-18 2012-01-13 Security methods and systems
US14/495,097 US9317701B2 (en) 2002-02-18 2014-09-24 Security methods and systems

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
NZ517257 2002-02-18
NZ51725702 2002-02-18
US40961402P 2002-09-09 2002-09-09
US60/409,614 2002-09-09

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/311,133 Continuation-In-Part US7779062B2 (en) 2002-02-18 2005-12-20 System for preventing keystroke logging software from accessing or identifying keystrokes

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US10/920,268 Continuation-In-Part US20050120230A1 (en) 2002-02-18 2004-08-18 System for preventing a computer virus accessing email addresses

Publications (2)

Publication Number Publication Date
WO2003069482A2 true WO2003069482A2 (en) 2003-08-21
WO2003069482A3 WO2003069482A3 (en) 2003-12-04

Family

ID=27736676

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/NZ2003/000030 WO2003069482A2 (en) 2002-02-18 2003-02-18 System for preventing a computer virus accessing email addresses

Country Status (2)

Country Link
AU (1) AU2003206478A1 (en)
WO (1) WO2003069482A2 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19803339A1 (en) * 1998-01-29 1999-08-05 Deutsche Telekom Ag Access authorization verification method for banking machine or computer system
US6321267B1 (en) * 1999-11-23 2001-11-20 Escom Corporation Method and apparatus for filtering junk email
DE10029643A1 (en) * 2000-06-16 2001-12-20 Deutsche Telekom Ag Interception-secure provision of internet protocol services via radio medium e.g. satellite by combining target address with unique identification number
US6366950B1 (en) * 1999-04-02 2002-04-02 Smithmicro Software System and method for verifying users' identity in a network using e-mail communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19803339A1 (en) * 1998-01-29 1999-08-05 Deutsche Telekom Ag Access authorization verification method for banking machine or computer system
US6366950B1 (en) * 1999-04-02 2002-04-02 Smithmicro Software System and method for verifying users' identity in a network using e-mail communication
US6321267B1 (en) * 1999-11-23 2001-11-20 Escom Corporation Method and apparatus for filtering junk email
DE10029643A1 (en) * 2000-06-16 2001-12-20 Deutsche Telekom Ag Interception-secure provision of internet protocol services via radio medium e.g. satellite by combining target address with unique identification number

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
KRASAVIN SERGE V.: 'Keyloggers-content monitoring exploits', [Online] 11 February 2002, Retrieved from the Internet: <URL:http://ccso-staff-nts.cso.uiuc.edu/skr asavi/Info/Keyloggers.pdf> *
MAZIERS DAVID AND KAASHOEK FRANS: 'MIT Laboratory for Computer Science. 5th ACM Conference on Computer and Communications Security', November 1998, ACM PRESS article 'The design, implementation and operation of an e-mail pseudonym server', pages 27 - 36 *
NEEDHAM ROGER AND LAMPSON BUTLER: 'Network Attack and Defence', [Online] 20 February 2001, Chapter 18 Retrieved from the Internet: <URL:http://www.unixreview.com/documents/s= 1385/urmb18/c18_anderson.pdf> *
SCHULTZ M.G. ET AL.: 'Data mining methods for detection of new malicious executables' 2001 IEEE SYMPOSIUM ON SECURITY AND PRIVACY. S & P PROCEEDINGS, [Online] 14 May 2001 - 16 May 2001, OAKLAND, CA, USA, pages 38 - 49 Retrieved from the Internet: <URL:http://search.ieeexplore.org/searcg97/ s97is.vts?action=View&VdkVgeKey=924286&23/0 5/2003> *

Also Published As

Publication number Publication date
WO2003069482A3 (en) 2003-12-04
AU2003206478A8 (en) 2003-09-04
AU2003206478A1 (en) 2003-09-04

Similar Documents

Publication Publication Date Title
US9317701B2 (en) Security methods and systems
US9906550B2 (en) Computer virus protection
CN102227734B (en) Client computer for protecting confidential file, server computer therefor, method therefor
CA2610394C (en) Method and system for content management in a secure communication system
US6173402B1 (en) Technique for localizing keyphrase-based data encryption and decryption
US7487213B2 (en) Techniques for authenticating email
US8171085B1 (en) Methods and apparatuses for authenticating electronic messages
US7471796B2 (en) Apparatus for and method of controlling propagation of decryption keys
US20050120230A1 (en) System for preventing a computer virus accessing email addresses
US6981156B1 (en) Method, server system and device for making safe a communication network
KR101387600B1 (en) Electronic file sending method
IL211758A (en) Authorization of server operations
WO2001067252A1 (en) Secure remote kernel communication
JP2007505554A (en) Message security
US7093135B1 (en) Software virus detection methods and apparatus
US20130145483A1 (en) System And Method For Processing Protected Electronic Communications
Brown et al. A proxy approach to e‐mail security
US6968458B1 (en) Apparatus and method for providing secure communication on a network
US7404212B2 (en) Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer
WO2011030352A2 (en) System and method for mobile phone resident digital signing and encryption/decryption of sms
Guttman et al. Users' security handbook
WO2003069482A2 (en) System for preventing a computer virus accessing email addresses
Igor et al. Security Software Green Head for Mobile Devices Providing Comprehensive Protection from Malware and Illegal Activities of Cyber Criminals.
CN113475038A (en) Secure messaging using semi-trusted intermediary
JP5158625B2 (en) Encrypted mail transmission / reception system including an external device storing a secret ID

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 10920268

Country of ref document: US

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP