Friday, December 5, 2008

KoobFace Loves Its Hosting Service

Okay, so you've heard about KoobFace, the new piece of malware that is infecting Facebook users this week.

The thing that burns me up about KoobFace and things like it is that they would barely matter if hosting companies were better regulated and occasionally policed.

Here's what we know. KoobFace, like most pieces of malware, tries to redirect users away from their intended destination to a site loaded down with more malware, or designed to fool you into downloading a fake antivirus product, etc etc.

KoobFace, in what many would consider an ironic act, is reportedly re-pointing users towards sites.

It is no secret that the malware manufacturers rely on hosting companies either implicitly (please abide by your SLA and ensure you don't remove our server from the net for at least 48 hours even if requested to do so) or explicitly (we know what you're doing and we like your money).

Let's call it as it is: Without a destination to redirect users to, many crimeware writers don't have a business.

Robert Sandilands recently blogged about the dramatic effect of closing down one bad hosting company in California. Spam dropped globally by a remarkable percentage - just from closing that one company.

Recommendation: Hosting companies should immediately be forced by the DHS to adopt a KYC, or "Know Your Customer" policy similar to the one that banks use when they sign up a new customer.

I personally think that would help greatly. At a minimum, there should be more similar policing actions like the one taken in California.

I guarantee you that if hosting companies were suddenly made responsible for the malware sitting on their servers - or at the very least, for checking that the folks renting them are not criminals - things would get easier for IT guys to control, and we could start building a safer online world based on certified and proven safe destinations - and responsible hosting companies.

Friday, October 10, 2008

InfoWorld Takes Fresh Look at SafeCentral

I was enormously encouraged to find Authentium SafeCentral front and center on the home page of InfoWorld, next to a subheadline saying "was it (i.e. their recent recent review of SafeCentral) a misunderstanding about what the product actually does?"

Thank you, InfoWorld! And thank you, Roger Grimes - it takes a really big-hearted reviewer to take a second look at a product.

Note: In case you're new to this story, Roger originally tested a number of products for their ability to "shield" users from malware, or "sandbox" their activities. We scored poorly on this - mainly because we didn't stop malware from "entering the sandbox".

As I've explained in my previous blogs since, we don't do that. When we designed SafeCentral, our core objective was not to try and stop malware per se, but allow users to compute safely in the presense of it.

Our objective was to let folks go about their banking, buying, or information sharing safely - even in the presense of the most horrible viruses or spyware. Let me tell you why that concept is so powerful - and revolutionary. But first, an analogy:

Here's how antivirus software works: you are surrounded by bodyguards, highly-trained experts hired to recognize threats and deal with them before they can harm you. But if so much as one bullet skips through... you're dead.

Here's how SafeCentral works: you are invisible. You can surround yourself with bodyguards if you wish, but you don't really need them. Because the bullets have no target. They can't see you, can't have any effect on you. There is no such thing as "the bullet that slips through".

This was the revolutionary idea that myself and my co-patent developers had, and that our engineers and ops team have since matured into a ground-breaking product and service. If you want to try it for yourself free, just head over to

If we have one problem that we need to solve with this product, it's getting the message out about how much this product changes the game. You can't fault Roger Grimes or InfoWorld for not seeing what we're doing if we're not advertising it correctly.

You might think that advertising an easy, invisible, but highly-effective technology that doesn't need updating shouldn't be hard, but advertising anything new is a challenge.

Twenty five years ago, when I was a copywriter at George Patterson Advertising (now Bates) in Adelaide, my first boss used to say "Your first responsibility is to make sure it says 'tuna' on the can". In our case, that means making sure "reverse sandboxing" is part if our messaging to users - and reviewers.

The good news is, based on the discussion I'm seeing around this point, people are starting to "get" what it is we're actually doing. Now we just need to figure out how to broadcast this news on a wider scale.

Of course, front page of InfoWorld is a pretty great start. ;-)

Sunday, October 5, 2008

A Little Bit of Knowledge

A couple of years ago, I decided to get better acquainted with basic software programming, as a means of better understanding the challenges faced by my developer colleagues.

This had an unexpected effect. Since then, I've become a bit of a weekend addict. As Professor Richard Dawkins has noted, there is something incredibly satisfying about stringing together a bunch of conditional statements against a set of inputs and desired outputs - and then seeing the result pop up in front of you.

When it all works, it's a lot of fun. But I'm starting to suspect that in addition to the thrills described by Dawkins, there are other benefits that occur when someone from the corporate, or 'sales and marketing' side of the house starts playing with conditional statements on the weekend.

One of them is a more tangible level of respect. I've always had a ton of respect for developers, but that respect has sharpened now. I now also have an increased level of understanding of the challenges.

One example: I used to get exasperated whenever developers would talk about not being able to find a bug that was holding up delivery.

I would say, "Why can't you find it? Why is this so hard?"

Not any more. Developers, you are forgiven. Now, I too have sat for hours some weekends staring blankly at the screen in front of me - only to have it dawn on me that I didn't close a statement properly or call the right resource, after the hundreth walk through the code.

Lesson One: Bugs happen - we're only human.
Lesson Two: Code review should be done by someone other than the guy writing the code.

I also have learned the hard way why developers often insist on writing solutions from scratch. Yes, mash-ups can be fun - but they can also be unpredictable, and pieces of seemingly stable code can interact in weird ways.

And sometimes, unexpected updates (from the developers of one side of your code mashup) can destroy everything you've written (just ask a Facebook Apps developer) and take your project into a direction you never intended to go. No, it isn't always a good idea to 'buy it'.

Lesson Three: If it's fundamental to the business, write it yourself.

Documentation? Guys and girls, please spend all the time you like documenting your code - I get it now. Those little comments are worth their weight in gold - the more the merrier. Dev wikis, toolkits and forums can expand your developer network exponentially - providing the documentation is there.

Lesson Four: Documentation is as critical as the code to success.

The other benefits are a greater understanding of the way developers work. I now understand the requirement that when you're faced with something hard, you really need to bolt yourself down for 18 hours (or 36 hours) and have someone feed you Coke and pizza - because when you're working towards the middle of two ends of a two thousand line piece of code, it can be really hard to 'pick up the thread' (that's a developer pun) if you stop.

Lesson Five: Create a workplace for coders that is free from distractions.

One other thing I've learned is that coding and rocket science are similar in that they are not necessarily difficult (having worked extensively with both rocket scientists and coders, I feel qualified to make that statement) - but they do require a ton of knowledge. The more up-to-date and extensive that knowledge the better. Fewer things will blow up.

Note: If you can find a development manager capable of winning respect based on their past experience, willing to 'manage' rather than code, and willing to share knowledge with your young team and mentor them, I suggest that you pay them very very well. There is no greater value.

Lesson Six: Experience is critical. Put a "hands off" grown-up in the room with your young wizkids.

Finally, a word on testing. Too many people think quality assurance (QA) testing is finished once you've fired up a clean VM image and tested your software. This is BSQA - if you're not testing your code in the real world, with real users, on real machines, you're fooling yourself as to its quality and value to end users.

Lesson Seven: Real coders test on real machines using real users.

I should emphasize that my own coding efforts remain just a hobby (my stuff sits on an outside hosting company server, not at the company) - and my understanding remains a helicopter-level appreciation at best. But the experience has been very valuable and has given me a greater appreciation of the depth of skills we have at our company.

And as for the aphorism "a little bit of knowledge is a dangerous thing", my response is this: a little bit of knowledge is only dangerous when the person with that little bit of knowledge remains ignorant of the sheer amount of knowledge that exists outside that subset.

In my case, I believe my little bit of knowledge has led me to an enhanced understanding and greater appreciation of the scale of knowledge we have in our organization, the real time required for quality work to be done, and the kind of specialized skills that are needed to create great software.

And that's a good thing.

Wednesday, October 1, 2008

Effortless Security

Getting the messaging right around a new product offering takes time - especially when that product is as new and as game-changing as Authentium's SafeCentral.

The tradition view of security - that you're only as secure as the last set of virus definition files you downloaded - has been around since the dawn of the Internet. Security companies have all spent a ton of money driving that message home. Reveiwers still base most of their reviews on IT security products on a score out of 100.

The difference between this defensive model, and what we're doing with SafeCentral, is night and day. SafeCentral is "effortless security" - or as Corey O'Donnell, our head of Marketing likes to say, it's "Security Made Simple".

We designed SafeCentral so you can transact securely irregardless of what kind of malware has infected your PC, or infected the DNS servers upstream of you.

This design allows us to protect people in the "real world" of drive-by downloads, hacked wifi hotspots, teenagers that borrow your PC, and ever-more-sophisticated social engineering attacks.

SafeCentral creates a situation where staying secure becomes effortless. No worries about updates, vendors missing a virus, no "zero day attack" concerns. It doesn't matter if there is a keylogger on your PC. With SafeCentral running, it can't get at your data.

Compared to the cost and inefficiency of ongoing treatment, immunization provides an effective defense that is almost effortless in comparison. That's what we're aiming to do here - easy, effortless, effective security.

Think of it as immunization versus a surgical mask. That's the message that we'll be working on improving in the coming months, and folks start to get used to the idea of a future without virus definition files, filters, and walled gardens.

Note: It's no secret that most banks now have initiatives around protecting consumers and are actively looking for software to enable this.

We believe banks and other financial insitutions would be smart to consider the wisdom of an effortless, highly-effective, holistic solution like Authentium SafeCentral versus traditional higher-maintenance alternatives.

Sandboxing Is Not What We Do

One of my favorite sources of information and smart advice on the web is InfoWorld and one of my favorite IT writers there is Roger Grimes. So it was a pleasant surprise yesterday when I received a Google alert that Roger had done a review on us.

Unfortunately, the review turned out to be a general review of "sandboxing" products - one that we should never have been included in. Sandboxing is not what we do.

Sandboxing, defined as the attempted creation of a computing environment free of malware, tries to keep certain apps and processes free of malware using various defensive techniques reminiscent of traditional approaches to security.

What we do is entirely different - as Ray Dickenson, our CTO, is fond of saying, we do "reverse sandboxing":

"Authentium’s SafeCentral service delivers secure web browsing even on computers that are compromised with data-stealing malware."

In other words, SafeCentral allows consumers to safely bank or transact from computers that teenagers have downloaded horrible, horrible things onto.

This is poles apart from most defensive strategies and traditional approaches, such as walled garden-style sandboxing - and in my view, is much closer to what consumers need.

Note: I'm not negative on sandboxing as an approach. All security technologies have a role to play and there are some outstanding sandboxing technologies - Prevx being one such example. But what these guys do and what we do is very different.

IT folks - and marketing executives - looking for complimentary approaches should consider the virtues of both - our approach, and the approach of the sandboxing companies. I happen to think "reverse-sandboxing" is a much more consumer-friendly and effective approach to keeping folks safe.

Note: If you'd like to learn more about why SafeCentral is different, Ray's white paper on Reverse Sandboxing can be downloaded from here - please scroll to the bottom of the page for the link.

Friday, September 19, 2008

How Criminals Hacked

I decided to wait a day before posting about this to see if anything popped up that indicates the criminals that took over VP Candidate Sarah Palin's email address did anything special.

Nope. This was social engineering, plain and simple. According to the BBC, the hackers simply contacted Yahoo customer support and asked for the password to be changed.

When challenged by the security questions (What is your mother's maiden name? What is the name of your pet?), the criminals used "information from Wikipedia and other online databases helped to establish Mrs Palin's date of birth, zip code and other personal information."

As in:

"Okay Mr Bush, I can reset that password for you... but I need to ask you a couple of questions first... what is your mother's maiden name, and what is the name of your pet?"

The answers are, of course, "Pierce" and "Barney". Date of birth? July 6th, 1946. Zip code? The White House has its own: 20500.

Challenge-response has been an underlying security principle since the whispering of passwords upon approaching castle gates in pre-Roman times. But in an era where people can quickly and easily learn everything about you, easily-guessed questions are passe.

Over the past couple of years, many major sites have improved the strength of these challenge response mechanisms a little by allowing users to input their own questions.

But too many of these sites compromise this action by defaulting to common questions that are easily researched, such as "mother's maiden name", or guessed "city in which you were married".

Ultimately, where we are headed is towards trustworthy computing, powered by technologies like Authentium SafeCentral, which does a great job of protecting login credentials - and securely storing web site passwords.

Note: The criminals apparently left their fingerprints on the theft. One interesting conundrum will be whether on not C-Tunnel will be forced to turn over logs relating to their anonymizing of the session to the Secret Service.

My guess on that is "yes, they will".

Thursday, September 4, 2008

Beware: Skype "Security Center" Scam

I use Skype a lot to chat with friends and business partners outside the US. It's cheap, and the quality is often better than POTS (Plain Old Telephone Service)-based systems. However today, my Skype client almost bit me.

The above message (see screen shot) came in as I was on my normal telephone line and immediately caught my interest.

A Security Center warning? Via a Skype client?

Now, as the founder of a security software company, you'd probably expect me to be immune to social engineering attacks by now, and ultimately, I was. But it took me a few seconds. This is one well-crafted scam, and Skype is becoming so rich with features that for a moment, I wondered if Skype had in fact integrated with the Windows Security Center.

Then, the fog lifted.

A call to Robert Sandilands and the other hard-working guys in our Authentium virus lab confirmed that this social engineering scam and others (including dating offers) are starting to become reasonably prevalent on the Skype service.

Skype users, heed this advice: if you see a "Repair Service" warning come in over Skype, DO NOT click on the links.

According to Eric in the lab, the link takes you to a fake web-scanner complete with animated progress bar and a pretend file tree that will pretend to find spyware/viruses, then try and scare you into handing over your credit card details.

"The link at the bottom of your SKYPE snapshot image leads to a page that does a mock scan of your system (but what it really is just HTML code and java-script displaying several filenames pre-stored in a java-script file, with a progress bar and such, and then displaying number of infections found)..."

"...which then prompts the user to visit another webpage that asks the user to purchase their antispyware solution and prompts the user for shipping and billing information, credit card information, country and state of residence, etc. The page is written to look very professional with privacy statements, etc."

Skype users - please be careful, and please ignore "Security Center" security warnings that appear in the Skype interface - they are scams. And be prepared - we can expect to see a lot more of these Skype-based social engineering attacks in the future.

Wednesday, September 3, 2008

Password-Stealing Virus in Space

Remember how in Independence Day, the aliens were thwarted by a virus uploaded from Jeff Goldblum's Mac? Wired magazine has a news story out about a recurrence of malware-related activity in the International Space Station.

A NASA spokesperson confirmed to Wired yesterday that this was not the first time this has happened.

"This is not the first time we have had a worm or a virus," NASA spokesman Kelly Humphries said. "It's not a frequent occurrence, but this isn't the first time."

You can read the rest of the article here.

Google Chrome's Big Weakness: Screen-Stealing

Google Chrome improves the security profile normally associated with browsers, but it also leaves users exposed to one of the largest vulnerabilities: screen-stealing.

Screen-stealing is a real problem and a major objective of spyware and malware developers. It is a great way for criminals to gather information they can use to commit identity fraud, or outright identity theft.

Here's some instances in which you *don't* want criminals stealing shots of your web browser:

  • When you're banking
  • When you're doing your taxes
  • when you're applying for a new license
  • When you're paying your bills
  • When you're doing email in your browser
  • When you're entering account details
  • When you're viewing family pictures
  • When you're modifying settings
  • When you're opening a new account somewhere
If you're considering doing any of these things securely, you should probably avoid Google Chrome for the time being in favor of a truly secure browsing environment.

The screen-shot above of Google Chrome was lifted right off the desktop, mid-way through a new account sign-up at a major bank. There are literally thousands of examples of malware out there that can do this.

Authentium SafeCentral does not allow screen shots to be captured: SafeCentral prevents screen shots from being used by online criminals and identity thieves. Google Chrome is not able to stop this from happening - nor are IE, Firefox, Safari and Opera. Only SafeCentral has the ability to prevent screen-stealing.

If you need to bank online securely, go over to SafeCentral and download it. It takes about the same amount of time as downloading Chrome, but it is much more secure.

Tuesday, September 2, 2008

Google Chrome: First Impressions

Okay, I'm writing this blog post inside of Google Chrome, the brand new browser from our friends at Google. But as I was posting a screenshot into Blogger (a Google company), I experienced a blow-up complete with an image reminicent of what I used to see when my Mac 128k blew up:

You might say "hey, it's day one - cut them some slack!" But that would be boring. Besides, people need to know. So here's some instant things that I instantly hate, plus a couple of reasons why you still need a safe browser:

1. Web pages used to look different in just three popular browsers - now they are going to look different in Firefox, IE, Safari AND Chrome. More work for me and every one else that owns a web site. Thanks a lot.

2. Freaking-out fonts! I just went on Facebook and the fonts look ever so slightly - and weirdly - different. Why?

3. Yellow highlight around the form text field. I hate this as much as I hate seat belts and bicycle helmets.

4. Unexpected behavior - inside the Blogger edit window , I used to just click on an image to highlight it - now the browser thinks I want to travel there. Uh-uh. That's what Crl-Click is for.

5. Only slightly better security than Firefox. Not mind-blowing, not even close to comprehensive.

6. If this truly is representative of the front-end of cloud computing, we aren't going to be saying goodbye to desktop apps for some time to come - and Chrome adds nothing to the overall security of your device, save a slightly safer browser.

Anyway, that's five minutes worth of feedback. As far as #5 (security) goes, if everything works as advertised, Chrome will create a safer Internet browsing experience, but nothing even close to what our SafeCentral secure desktop provides.

We go deeper (in terms of operating system-level protection), broader (we protect *all* desktop apps, not just web apps running in your browser), and further (we protect DNS lookup requests and all of the associated infrastructure and files.

In other words, ignore page 26 of the comic book. Google attempts to protect only what is in the browser - and only does so in a limited way. We protect everything. Authentium SafeCentral rules the roost when it comes to holistic security - i.e. securing your Internet browsing and your desktop.

In Google Chrome's favor, the rendering speed is faster, and the support for multi-processing seems to work well (I recovered from the above issue without having to restart the browser). It is a very clearn UI. The bookmark import worked just as well as it does on Firefox.

Add to all this the fact that someone has bothered to redesign the idea of browsing from scratch (yet, BMW-like, incorporate the good stuff from years gone by), and Chrome may yet become a standard - we can only hope it doesn't grab a mere 15% market share and force yet another test case on the world's web developers.

Note: "Chrome" is a reference to what browser developers call the user interface, or visual part of the browser. If you've done any browser add-on development using XPI or XUL, the Firefox extension and UI languages, you'll be able to instantly relate - the rest of humanity is probably wondering why call it anything - other than "the Google browser".

Note: to get Chrome started on Vista, I had to navigate one amusing screenshot (the first shot in the battle?) - this is the screen shot that I was trying to post earlier, but couldn't:

Friday, August 29, 2008

FoxIT Exposes IE8 Beta Privacy Limits

There is a breaking story out of the Netherlands this hour regarding the recently-announced privacy features of the new Microsoft IE8 browser currently in beta.

Webwereld reported that forensics firm FoxIT has found that retrieving a user history is trivial, even with IE8's new privacy features turned on. Christian Prickaerts, a researcher with FoxIT had this to say about the IE8 beta:

"The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited."

The IE team's response was interesting: "InPrivate Browsing is to prevent other users of the same computer to gain access to the browsing history. The feature isn't designed to protect a user's privacy from security experts and forensic researchers."

That isn't a great response. "Security experts" could conceivably write tools based on their techniques that are user-friendly, defeating the whole purpose. Which brings us to the real issue at stake here, and the reason why the stated design aim was to secure the browser history from "other users".

The feature has been roundly dubbed "porn mode" by many in the blogosphere. However, now that these issues have been raised, one wonders how many people desiring of this "porn mode" feature will migrate from Safari, the current "private browser" of choice, to IE.

Firefox, which has had issues of its own, is helped greatly by its adoption of a truly open developer polatform. Several plug-ins for the browser have been written using the XPI and XUL framework and tools that increase Firefox user security to acceptable levels.

Of course, the above is not an unbiased view - we have had the goal of building a secure and private browsing environment for several years, not for the stated purpose above, but for ensuring the privacy of online banking transactions.

With SafeCentral, we've achieved that purpose, and we now have the best solution for browser privacy on the market today - with the added claim of offering a security posture that protects privacy from the hardware layer of the PC all the way to the user's (private) web server of choice.

How do we achieve better security that the leading browser manufacturers? By not just focusing on the browser, and more specifically, its plug-in environment. Authentium SafeCentral includes its own secure virtual desktop, supported by a system-level security library developed over many years, a secure look-up system, and a global secure DNS infrastructure.

Because of this clsoed system, we are able to offer much greater control of what is stored (or not stored) when it comes to user privacy.

Friday, August 22, 2008

Phishing 1.0 Attacks Persist

I received a "warning" this morning - a "Sun Trust Banks Installation and Upgrade Warning" pretending to be from SunTrust Bank - requesting that I head over to the bank's "Upgrade Department" and download a "the latest software updates".

I'm pretty sure that if I called SunTrust and asked to speak with the "Update Department", the request would be met with some form of confused silence.

I find it interesting that these "Phishing 1.0" scams are still being sent out. The formatting alone looks pretty dire, and I wonder who, if anyone, might still be uninformed enough to click on such an obvious fraud.

True, it was addressed to me personally, and has a return email address that looks genuine. This combination may just prompt a consumer to click on the link. Despite some obvious malformations, the URL also looks somewhat official.

I saw a much better attempt a few days ago that targeted one of the leading main street banks in the UK and did a much better job of looking official and sounding convincing.

Some are calling these kind of attacks "Phishing 2.0" - phishing that actually looks real, as opposed to the easily picked-apart example above, that combines with malware that looks inviting (free antivirus) but is potentially extremely harmful.

If you're a bank, trying to communicate with customers so you can educated them about these threats can be difficult - many of the Phishing 2.0 scams include privacy notices and all kinds of promises concerning data security. They are much more carefully crafted than the example above.

One positive move you can make to reduce the effectiveness of these scams is to encourage users to use a secure browsing environment, such as Authentium SafeCentral when banking or trading online.

We have excellent protection in place against these kind of threats, and SafeCentral also enables a secure communications channel that can be used for customer education - and actual security warnings.

Thursday, August 21, 2008

Comments on "The State of PC Security"

I'm a fan of I met their CEO, Alan Meckler, at a conference in Singapore a few years ago, where he was speaking about the power of newsletters and blogs to create and engage an audience.

So it was with disappointment that I downloaded and read the latest white paper entitled, "The State of PC Security".

Much of the paper (in fact, the first three quarters) was up to the usual standards of research and reporting, with a solid article by Kenneth van Wyk benchmarking Linux and Mac security, and a good article on the current state of patching by Andy Patrizio, in which he quotes some interesting statistics from a recent study conducted by Secunia that showed just 5% of 20,000 surveyed computers were patched and fully up to date.

However, the final article "We Need to Rethink PC Security Software", written by Adrian Kingsley-Hughes, was rather a disappointment. He had nothing good to say about the PC security industry, or the people working in it. Instead of offering insights about how to protect PCs and users (against phishing and viruses, for example), he simply painted PC security software as unnecessary.

Fast-emerging threats, such as zero day attacks, man-in-the-middle attacks, man-in-the-browser attacks, root kits, and HOSTS file mods, were not even mentioned.

Now, I think I understand how the "sponsored white paper" works - if the sponsor is a patch management or software compliance company (i.e. like Secunia), then "reducing faith in end point security" serves an editorial purpose that serves the sponsor.

But white papers are supposed to inform, as well as serve their sponsor, and I personally think Kingsley-Hughes could have done better than simply rail against the number of alerts offered by his security suite. He could have easily supported the sponsor's argument for keeping a device and its applications fully-patched without writing things like:

"My take on the situation is that security companies have done a good job of convincing people that their products are essential if you are to keep your system free of badware (that's not true, but I'm not going to get into that argument right now), and as such the incentive to develop a good, solid product is lost."

This is simply untrue. The fact is, security software companies are innovating at a rate never seen before in the industry, and providing service at unprecedented levels.

Let me name just a couple of terrific innovations that I think have recently made the world a safer and more enjoyable for PC users: McAfee Site Advisor, Firefox v3's terrific Antiphishing and Identity Services, Authentium SafeCentral (our unique secure browsing service - which incorporates the Firefox 3 security innovations), the various Anti-Rootkit technologies produced by multiple vendors including F-Secure and Panda, SecureZIP, and in the world of business end point security, WebSense Express and the equally excellent Spector 360 (from our fellow Floridians just up the coast).

These products all provide excellent levels of utility - and a level of quality and efficacy that was unavailable years ago.

These improvements are important to note. High efficacy is much more necessary today that it was years ago - the kind of hacks we are seeing today are sponsored by criminals and involve unprecedented levels of sophistication, and not only in terms of the layered approaches we're seeing to deployment and data theft: social engineering has now reached a level of sophistication (personalized emails from government departments citing case numbers, accurate addressee information, seamless branding) where every contact with a corporation or organization is starting to become suspect.

In terms of service, when I look at the billions of emails we process in partnership with our spam-fighting friends at Microsoft, Google, WebSense and Secure Computing, and the constant improvements in process being brought online (30 minute update turnaround times, versus days or weeks years ago), I wonder how it is possible that all this hard work somehow gets missed by journalists.

At one point, Kingsley-Smith says:

"I've gotten to the point where I think I'd rather take my chances with the bad guys myself rather than bother with so-called security software".

Great. Hopefully, no one reading this article put it down and thought "that's good advice". I certainly wouldn't recommend it, and I think it was not useful for Kingsley-Smith to suggest it as the final paragraph in a white paper entitled "The State of PC Security". Computer users deserve better. So let me try and provide a different perspective.

The real state of PC security right now, from the user's perspective, ranges from "not protected" to "well protected". Advising PC owners to run even a fully-patched computer without security software is not responsible advice.

And while I agree that it is true that a perfectly-behaved, totally-informed person running a perfectly-patched PC could in theory potentially escape infection, or the exposure of their personal data or online banking credentials, in the real world, there is no such thing as a perfectly-patched PC.

Security software, such as our SafeCentral application, provides good insurance for those times when a phishing email fools you into clicking a link, or your chosen download turns out not to be the program (or content) advertised, or the bank's site gets overtaken by hackers, or your kids borrow your PC for five minutes and go somewhere without telling you.

Wednesday, August 20, 2008

Lions, Tigers, Hurricanes, Hackers

As if dodging tropical storms and chasing hackers isn't challenging enough... today, a lion and a Bengali tiger escaped from a private zoo a few miles down the road from the Authentium offices in Palm Beach Gardens.

Both animals were later caught without injury to either animals or State wildlife officials. No damage or loss of life was reported. Luckily, the other five lions, four tigers and six cougars, stayed put, and were not part of the outlaw posse.

The zoo has released no official word, but it is believed yesterday's passage through the area of Tropical Storm Fay may have created an opportunity for the pair to escape.

Hopefully, by tomorrow, it will be business as usual, and the only dangerous creatures on our radar (or in our neighborhood) will be those in the malware business.

Monday, August 18, 2008

Hackers Welcome Joomla Security Fixes

On Thursday, Joomla announced the 1.5.6 upgrade of its popular web-based CMS (content management system), a release designed to fix several security issues.

However, within hours of the security-oriented release, the Joomla web site was defaced by a team of hackers calling themselves the Red Eye Crew, bent on spoiling the fun.

The fact that Joomla's site got defaced isn't the newsworthy piece, though. The newsworthy piece is the fact that Joomla's site was defaced in a similar way almost exactly a year ago - in 2007.

I recall this because at the time, we were looking at purchasing a new CMS system and I was wading through one of various "Beginning Joomla" guides recently purchased from Barnes and Noble. For various reasons, we didn't end up going the Joomla route.

On Thursday, the PR folks did a reasonable job of explaining to folks why, on the eve of a security release, they should take the view that the hack was meaningless. But I'm not sure they went far enough. Joomla is a community - and any web-based hack is worrying to the people that have chosen Joomla as their web-based CMS.

Worse, the accouncement did not even acknowledge the previous issues, choosing to speak as if this were a one-time event:

"Nothing but good will come of this experience. There's nothing like first hand experience to remind us of the trust our end user community places in us and the importance of working harder and smarter towards improving security."

Nothing but good will come from this? This kind of statement only works the first time. The fact that this morning's hack was a repeat effort requires the organization to "get serious" - and do more than offer an apology for "poor operating procedures" - you can only do that once. That card was played last year (and possibly earlier - but evidence for this is mainly anecdotal).

On the Joomla site, the organization is encouraging users to adopt the new release for security reasons, and signs off by saying "In retrospect, we wish we'd followed our own advice more diligently."

When attacks occur a second, or possibly third time, you need to win back trust by committing to look deeper, and you need to personalize it as well, and offer to look at the people involved as well as the systems.

Five Steps to Avoiding a SCAM

Candy Colp, our director of sales, sent me a copy of a news article from the magazine section of the Palm Beach Post this morning in which Jeffrey Deaver, author of The Bone Collector, talks about his experience with identity theft.

The article contained a list I hadn't seen before - the US Department of Justice's four recommended ways to avoid having your identity stolen. It's a simple method - just remember the word SCAM and what each letter stands for:

S is for: Be Stingy with Personal Information

Start by adopting a "need to know" approach to your personal data. Your credit card company may need to know your mother's maiden name, so that it can verify your identity when you call to inquire about your account.

A person who calls you and says he's from your bank, however, doesn't need to know that information if it's already on file with your bank; the only purpose of such a call is to acquire that information for that person's personal benefit.

Also, the more information that you have printed on your personal bank checks -- such as your Social Security number or home telephone number -- the more personal data you are routinely handing out to people who may not need that information (buy Frank Abagnale's book "Stealing Your Life" for some insight into what criminals do while waiting in the check-out line).

If someone you don't know calls you on the telephone and offers you the chance to receive a "major" credit card, a prize, or other valuable item, but asks you for personal data -- such as your Social Security number, credit card number or expiration date, or mother's maiden name -- ask them to send you a written application form.

If they won't do it, tell them you're not interested and hang up.

If they will, review the application carefully when you receive it and make sure it's going to a company or financial institution that's well-known and reputable. The Better Business Bureau can give you information about businesses that have been the subject of complaints.

If you're traveling, have your mail held at your local post office, or ask someone you know well and trust ­ another family member, a friend, or a neighbor ­ to collect and hold your mail while you're away.

If you have to telephone someone while you're traveling, and need to pass on personal financial information to the person you're calling, don't do it at an open telephone booth where passersby can listen in on what you're saying; use a telephone booth where you can close the door, or wait until you're at a less public location to call.

C is for: Check your financial information regularly

If you have bank or credit card accounts, you should be receiving monthly statements that list transactions for the most recent month or reporting period.

If you're not receiving monthly statements for the accounts you know you have, call the financial institution or credit card company immediately and ask about it.

If you're told that your statements are being mailed to another address that you haven't authorized, tell the financial institution or credit card representative immediately that you did not authorize the change of address and that someone may be improperly using your accounts.

In that situation, you should also ask for copies of all statements and debit or charge transactions that have occurred since the last statement you received. Obtaining those copies will help you to work with the financial institution or credit card company in determining whether some or all of those debit or charge transactions were fraudulent.

Note: If someone has gotten your financial data and made unauthorized debits or charges against your financial accounts, checking your monthly statements carefully may be the quickest way for you to find out.

Also, if someone has managed to get access to your mail or other personal data, and opened any credit cards in your name or taken any funds from your bank account, contact your financial institution or credit card company immediately to report those transactions and to request further action.

A is for: Ask for a copy of your credit report

Your credit report should list all bank and financial accounts under your name, and will provide other indications of whether someone has wrongfully opened or used any accounts in your name.

M is for: Maintain your financial records

Even though financial institutions are required to maintain copies of your checks, debit transactions, and similar transactions for five years, you should retain your monthly statements and checks for at least one year, if not more. If you need to dispute a particular check or transaction ­ especially if they purport to bear your signatures ­ your original records will be more immediately accessible and useful to the institutions that you have contacted.

Even if you take all of these steps, however, it's still possible that you can become a victim of identity theft. Records containing your personal data -- credit-card receipts or car-rental agreements, for example -- may be found by or shared with someone who decides to use your data for fraudulent purposes.*

This is a good, sensible list and solid advice for every consumer - and if you follow it religiously, you will indeed reduce the chances of having your identity stolen. However, there is one addition step you should take.

If you've read my blog before, you already know that the fifth thing you should do to protect yourself from identity theft online is add another letter "s" to the above and download SafeCentral - Authentium's anti-identity theft service.

Source of list: U.S. Department of Justice

Sunday, August 17, 2008

6,000 to 6,000,000,000 in 25 Years

On November the 7th, 1988, USA Today reported that the world's first Internet worm, the Morris virus, had effectively propagating itself to 6,000 computers:

The "virus'' - a rogue program planted by a high-tech vandal - showed up last Wednesday, duplicating itself rapidly and using vast quantities of computer space. It apparently didn't destroy any information, but it clogged an estimated 6,000 computers at universities and military labs.

Though there is some dispute over this estimate, that 6,000 number fairly accurately describes the reach of a virus back then (it was estimated that 10% of 60,000 hosts connected to the Internet were affected.)

Today, a 6,000 PC outbreak would barely rate a mention outside the targeted organization.

Part of the reason is the massive scale of our telecommunications networks, worldwide. Two years prior to the publishing of the USA Today article, the number of hosts on the Internet was less than 2,000. In the year immediately after the publication, the number more than doubled - to 130,000 (

The growth has not abated. Today, the number of networked devices in need of protection has grown to an estimated 3 billion, possibly as many as 3.5 billion, if you include computers along with consumer cell phones.

This hard-to-believe 3 billion cell phone estimate comes from a reputable source - Jan Chipchase, one of the lead researchers at Nokia. He estimates that within another two years, i.e. by 2010, another billion cell phones will come online (according to the ITU, China turned on its 601 millionth cell phone at the end of March, 2008.)

Which means that if current trends continue, we're talking close to 6,000,000,000 networked devices online by the end of 2013.

This remarkable difference in scale - and the fact that in three to five years, the total number of potentially vulnerable networked devices could be almost 1,000,000 times larger than it was when USA Today reported on the above story in 1988 - is interesting to ponder in terms of past and future risk mitigation efforts.

As Chipchase reported in his TED talk, there are three objects that consumers grab when they leave home - their keys, their money, and their (increasingly, Internet-enabled) cell phone.

Yet, if several of the start-ups that myself and others are involved in have their way, within a few years, you will simply grab your cell phone on the way out the door: your house security and your cash will be embedded.

The door will lock behind you (upon you entering the correct PIN), and your SIM will be loaded with more cash than you currently carry with you in your wallet. Which means your entire assets are going to be IP-based and in need of protection - the kind of protection currently offered by a mere handful of non-government threat mitigation companies.

This is worthy of study. I happen to think that the researchers and engineers at the antivirus and antispyware and firewall companies have done a pretty stunning job of keeping devices (and their users) protected over the twenty years since the Morris worm outbreak.

But have we factored in enough R&D, enough new staff hires and training, enough process automation, enough industry cooperation, to take into account the fact that a consumers entire asset base will be online, not to mention the exponential rise in networked devices?

Are we adequately prepared for the fast-approaching situation in which the average consumer will effectively place their assets (or access to them) entirely in digital form, lock their houses via the Internet, or trust their lives to a networked heart monitor or medicine dispenser?

Back in 1988, there were few assets at risk - and no antimalware software. Authentium (Command) was one of the first to release a professional antimalware scanner in product form, with F-Prot Professional, in 1992 - and at the time of our v1.0 release, we protected computers from an incredible one hundred viruses.

Now, our complete update file contains almost one million signatures, a number that, like Moore's law, has been doubling roughly every eighteen months since that first release.

The fact that both key variables - the number of networked devices and the number of signatures - are increasing trending exponentially suggests that in the next few years, we are going to see some quite different approaches to security emerge, if only to alleviate the tax on networks due to update (and scanner upgrade) delivery.

Like the innovations of before, these innovations will come from the private sector, but this time, the stakes are significantly higher: as the world moves to a scenario in which a majority of the world's population and assets are online - including all the criminals, device blueprints, and software exploits.

Our own SafeCentral service provides a hint of one such innovation - it doesn't use definition files, and doesn't require knowledge of the malware targeting the user. There will be others.

Note: Yes, I know that some of the cell phones I'm referring to here are not "Internet-enabled" as such, but that doesn't mean they're immune to malware - the core subject of this blog entry. If you're interested in what cell phone viruses look like, read this.

Saturday, August 16, 2008

The Viruses of Khan El Khalili

I recently came back from a 16 country trip, during which I had a chance to meet and talk with IT security guys in lots of different environments.

What I discovered was that in some countries, consumers are overwhelmed with phishing and identity fraud-style attacks, including man in the middle and man in the browser attacks, while in other countries, destructive viruses are far more of a concern.

I also discovered that some markets have grown to the point where local language attacks and coding efforts are starting to pay dividends to hackers. This is not good news.

The other day in Cairo, I got to talking with an IT guy who does quite a number of large data center installations. He says one of the problems he faces is that western-based antimalware applications that are signature-dependent don't do a great job of detecting some of the local viruses.

He wasn't complaining - he spends a lot of his time re-imaging machines because of this (the best remedy when no disinfection routines are available), and it's good business - it also helps drive customers to adopt Linux, which is the fastest-growing part of his company.

But as we sipped our coffees by the eastern side of the Nile (in a very nice bar called Sangria), it was clear to both of us that a system that relies on constant re-imaging of devices is eventually going to be pushed aside in favor of one that doesn't (Ubuntu, anyone?).

Interestingly enough, in Japan, I noticed the issues they faced were more similar to Egypt that the US. More emphasis on data backup and protecting files from viruses, and less talk about spyware and the stealing of user credentials - which might explain why Trend Micro, a Japanese company, is, in my opinion, better at the former than the latter.

One of the reasons I think Rising and Jiangmin are doing well in China is because they are focused on viruses and other forms of malware (such as the Panda virus above) that target the Chinese market. The same could be said for Korea-based Hauri.

In the Southern hemishere, phishing and 419 scams, identity fraud, spyware, and all of the virsues and Trojans recently written to steal user credentials were far more prevalent issues. From South Africa to Australia, and north to regions such as Singapore to Europe and the UK, it was clear that user credentials, not devices, were more the focus of attacks.

Likewise in the Gulf countries I visited, where phishing, wifi hacks and man in the browser attacks increasingly dominate conversations. I heard from several IT guys, including several CSOs, about increased prevalence of local language attacks - something they never used to see at all until quite recently.

Clearly, as these individual markets grow, at a certain point, hackers start "going local" - creating demand for security solutions capable of protecting local users from locally-focused hackers. I expect this "going local" factor will start to have ramifications soon regarding antimalware testing and certification, which is currently very Europe-centric in nature, and design.

Because when it comes to local threats attacking narrowly-defined markets, even signature-based systems that feature great heuristics will find it harder and harder to keep up.

This last fact was one of the concepts that we kept in mind while designing Authentium SafeCentral, our "secure browser plus virtual desktop plus secure DNS service". When we designed this product we focused on five basic areas of vulnerability: the user, applications, the device, the network and the destination.

SafeCentral maintains a solid security posture, and enables secure transactions, regardless of your location, or where the malware was written. You could look at it as our investment in a future build on increasingly large, interlocked, local economies.

You can download a free copy here.

Note to the antimalware companies mentioned above - if you're interested in offering SafeCentral to your customers, we do have an OEM program: a large part of our antimalware business is OEM-based, through companies like Google, Microsoft and Symantec.

Monday, August 11, 2008

Protecting Your Online Trading Account

Among the many entertaining stories in the book "Stealing Your Life" (mentioned below), Frank Abagnale relates the story of an online brokerage customer who has their account taken over by a hacker and used to trade options in Cisco Systems, to the tune of a $40,000 profit.

Now, if the story stopped there, you can imagine it becoming a modern-day version of "The Elves and the Shoemaker".

"I swear Honey, we had 2,000 Cisco options when I went to bed, but when I woke up, they'd all been sold - for a net gain of 170%!"

Unfortunately, like most stories involving identity theft, the story doesn't stop there. The thief isn't a charitable elf. He performs a risk-free set of trades, cashes out, and leaves you with those GM and Lucent shares you bought eight years ago.

Yes, you can go to your broker and explain your loss, and most of the time they'll believe you. But don't think this is the first time your broker has heard the "it wasn't me - I was hacked" story. Be prepared to have all your documents prepared, and get ready to prove your case.

Or better still, stop it from happening before it starts.

This is both harder (and, ultimately, easier) than it sounds.

Harder, because a lot of people try and apply enterprise security solutions to situations that are much different.

Easier, because it is possible to harden the user authentication mechanism against attack, so that user credentials are not easily stolen. You just need the right approach.

A lot of on-lines banks and brokerages have recently started experimenting with expensive physical tokens and "virtual keyboards" - on-screen keyboards that feature randomized, repainted numbers that users can click on with a mouse to gain access.

Both these approachs are seriously flawed.

Let's look first at Virtual Keyboards. Let me say this loud and clear: virtual keyboards are 100% useless. If you're infested with malware created by a hacker with an IQ even slightly above room temperature (and more than half of you that are reading this are infested with malware that matches this description), your randomized virtual PIN entries are going to get captured - in the form of JPG screen shots.

Print. Print. Print. Send as email (to hacker).

Hardware-based tokens can be equally problematic. It's not that these sleek-looking devices don't do their job and create credentials that are unfathomably hard to guess - they do. That isn't the problem.

The problem is that these credentials are susceptible to being stolen by hackers en route to the login page, via very simple forms of the Man In The Browser attack. See my earlier post on this subject a couple of months back.

So what's an online brokerage to do, if it wants to protect its customers, aside from keep paying its SIPC dues?

The technology issues seem overwhelming. If someone were to dream up a technology solution for adoption by online trading professionals, it would, on the surface, appear complex.

It would, out of necessity, include a combination of system-level command handling and file hardening approaches, desktop virtualization, a locked-down non-standard browser with update and plug-in controls, secure DNS infrastructure, secure application update channel, and the best in current third party anti-phishing systems. And all of this would have to work seamlessly and simply.

I'll spare you any further build-up: we've built this. The solution we've created to protect consumers against online trading fraud is called SafeCentral.

Authentium SafeCentral is currently being evaluated by online brokerages on four continents, and our first release went live just over three weeks ago at Firstrade, the top-ranked US online broker (Consumer Reports).

"Stealing Your Life" by Frank Abagnale

Frank Abagnale is best known for writing a rip-roaring memoir that was adapted into the Steven Spielberg/Tom Hanks/Leonardo DiCaprio movie "Catch Me If You Can".

The scenes where Frank impersonates a PanAm pilot are my favorite - I think of them everytime I travel through MIA/Miami.

I contacted Frank (played by Leonardo DiCaprio in the movie) right after seeing the movie, to see if there was a way we could team up to fight Identity Theft.

At the time, Frank was helping to put together PrivacyGuard, now one of the most widely-deployed solutions on the market. We decided to keep in touch, once our respective identity protection products - PrivacyGuard, and SafeCentral (then called VirtualATM), launched.

As it turns out, Frank's product beat me to market by three years. And, as I recently found out, he followed up the launch of PrivacyGuard with an outstanding book on the identity theft problem.

Called "Stealing Your Life", the book is one of the best-researched and practical books on identity theft yet written - and easily the most readable.

As in "Catch Me If You Can", Frank is able to detail what criminals are thinking as they're plotting to steal your money. The stories he has to tell in "Stealing Your Life" are disturbing - in some cases, appalling.

I'm going to pick up on a couple that I have some additional color on and share them over the next week or so. In the meantime, I strongly suggest you go out and find this book, or order a copy through Amazon.

You won't find a more informative book on the wide-ranging forms of identity theft out there, and you certainly won't find another written by a former confidence guy.

If you'd like to review our own solution to identity theft, Authentium SafeCentral, just head over to our site and download the free trial version.

Saturday, August 9, 2008

ID Theft: What is a 419 Scam?

The term "419 scam" is synonymous with phishing and identity theft. I personally receive about a hundred million dollars' worth of these emails a day.

The variations are endless. The scams range from the baiting of the greedy and needy ("I AM THE FORMER CFO OF A LARGE BANK AND I HAVE 9.5 MILLION DOLLARS THAT I WISH TO SHARE WITH YOU") to out-and-out scare tactics ("SOMEONE HAS PAID ME $5,000 TO KILL YOU").

But what does "419" mean?

"419" refers to the name of the section of the Nigerian Criminal Code used to prosecute these crimes, when they are prosecuted. The section, one of several sections within Chapter 38 (Obtaining Property by false pretences; Cheating), reads as follows:

419. Any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.

If the thing is of the value of one thousand naira or upwards [about seven $US], he is liable to imprisonment for seven years.

It is immaterial that the thing is obtained or its delivery is induced through the medium of a contract induced by the false pretence.
The offender cannot be arrested without warrant unless found committing the offence.

A quick read of a half dozen Nigerian newspapers today turned up very few stories involving the successful prosecution of 419 email scammers. Attempts to pass and prosecute a law in Nigeria targeting computer crime in general, such as the above, have mostly failed.

This inaction at the government level has reduced many intelligent and proud Nigerians to despair. One London-based Nigerian expat, tired of the association with Nigeria and email scams, blames lack of government investment in Nigeria's younger generation:

"What has the local, state or federal government done in the last 20 years for example to prepare for the future of this generation of internet rats? What have they done or what are they still doing other than stealing, looting and gallivanting like nonentities?"

Many other in-country commentators agree. About the only positive seems to be the fact that voices are at last being raised. Maybe change (and a decent law) is in the air.

Note to recipients of 419 scam emails: 419 scams are unbelievably easy to avoid. If you receive an email from anyone, claiming:

a) you won a lottery you didn't enter
b) you have the same last name as the heir to a fortune
c) you are targeted for murder (unless you pay up)
d) you will have "bad luck" if you don't pass on the email
e) you are otherwise in line for a windfall have just received a scam email of the variety commonly known as a 419 scam. Don't respond to strangers offering money by email. Don't get tricky and try and "scam the scammer" like some have attempted. Delete the email.

There is a much better chance you'll get five dollars in a card from your grandmother on your birthday that you'll see any money from one of these emails.

Note: I found a curious story tonight while researching this post. Rumor has it that Mary Winkler, the Tennessee woman convicted of shooting her 31 year old preacher husband in the back, owed $17,500 to the Nigerian "Yahoo Boys" (the local Nigerian lingo for 419 perps) at the time of the murder.

You can read more about this story, and others, here.

Friday, August 8, 2008

Counting Sheep

Brian Krebs of the Washington Post wrote a nice article today about how sometimes security industry folks don't follow their own rules.

In fact, it turns out that security professionals can be pretty bad at remembering not to send their usernames and passwords over non-encrypted wireless networks - of the temporary type typically slapped up at conferences.

Thank goodness none of them were in a room full of hackers when their credentials were sniffed*.

You can get to Brian's post on the Black Hat "Wall of Sheep" here. The part where some of the people change their credentials after finding out they've been outed (even thought they are still connected to the same non-secure wifi network) is, well, illuminating.

*That's a joke, folks. The Wall of Sheep experiment takes place at every Black Hat conference, and always, unfortunately, they post similar results.

Bring Back "I Am Rich"

Dan Frommer of the Silicon Valley Insider thinks the Apple iPhone "I Am Rich" application that Apple pulled from their store today is "for jerks" because it costs $1,000 and "doesn't do anything" except twinkle.

I disagree entirely.

I think Armin Heinrich, the developer of "I Am Rich", is possibly smarter than just about any other developer on the iPhone platform. Not only has he created the first $1,000 program, he's come up with an app that acts exactly like a Rolex watch or a Gold Card, except in software.

Yes, you got it. "I Am Rich" meets a need that is as old as time: creating attraction by proxy.

Let's compare: Real gems are typically purchased from trusted brands/stores. Real gems feature hefty price tags. Real gems do nothing - except twinkle and assist in attracting mates, which in turn helps us, their owners, propagate the species.

Yes, I know, anthropologists and economists would have us believe that people also buy gems and precious metals in order to make their wealth more portable - but I think people also buy gems for the same reason people buy silver BMW convertibles and Apple iPhones: to show off/try to be more attractive.

Think about it. What need does the iPhone really serve, aside from creating a sense of status? Do we really need all those sleek, cool design components, just to make a call? If it's all about "personal communications" and "productivity-based applications", why isn't there a brown-paper-bag version? Why is the iPhone always on display?

The answer, as everyone knows, is that "cool is attractive" - and being cool is as important to us humans as shiny chrome objects are to bottle cap-collecting magpies.

"I Am Rich" may indeed be crass, and it may be a little too "in your face" for some (or possibly many) iPhone users - but that doesn't mean it deserves to get yanked from Apple's store.

One of the benefits of living in a free society is that you get to choose what kind of jerk you want to be. In revoking this application, Apple has acted more like an old-style communist dictatorship than an innovative, capitalist-led technology company.

Apple should recognize what's going on here and bring back "I Am Rich". It doesn't matter what people think of the app - revoking it wasn't cool, and will just create unfair competition for a space that Mr. Heinrich had targeted well - almost as well as Apple itself.

Thursday, August 7, 2008

DNS - The Basics Explained

I realized today why consumers sometimes get so fed up with news involving Internet security alerts: it's because sometimes the basics and the acronyms are not explained, which makes the rest of the news story hard to follow.

Take, for example "DNS", as in the recently-announced "DNS flaw" - currently the subject of much current news and speculation.

What, exactly, does a Domain Name Server do?

Let's start by explaining the concept of a "domain" on the Internet. The modern word "domain" originates from the Latin word "dominion". It's most commonly used by people to refer to their house, corner office, or area of expertise.

If you live in a block of condos, your domain is the condo in which you live. If you live in a house in the suburbs, your domain is your house. Your "domain" is simply your part of a much larger area - i.e. your condo, vs. the entire development.

Likewise, in Internet terms, a "domain" in simply a sub-section of the Internet.

The largest "top level" domains (i.e. the suburbs) use ".com", ".net", ".org", ".gov", ".edu" and similar suffixes to identify the type of top-level domain (.gov = government).

The next level down (i.e. your condo development) is usually the name of a company, organization, or government agency that is part of the top-level domain.

For example, the domain name "" refers to the ".com" top level domain, then to the part of the Internet that is under Authentium's control. "" refers to the ".com" top level domain, then to the piece under Google's control.

Put another way, when you type the domain name "" into your address bar, you are saying, I want to 1) Go to the commercial section of the Internet, then 2) Go explore the domain of the company Google.

"" refers to a sub-domain of Google relating to finance. The smallest domain is on the left: The finance sub-domain is smaller than the Google domain. The Google domain is smaller than the ".com" top-level domain.

Now you're probably reading this, thinking "I thought I heard today that there was a problem with Domain Name Servers. How could there be a problem? I just type in a web site address, and so long as I spell the domain name correctly, I connect, right?"

Unfortunately, the answer is no.

The definition I just gave you is how us humans look at domain names. Computers - more specifically, the web servers that host the web pages of Authentium and Google - use a different form of domain name: a set of numbers called an Internet Protocol address, or IP address.

Human-version domain name: ""
Computer-version domain name: ""

Which is where the Domain Name Server (DNS) comes in.

DNS servers, or Domain Name Servers, are simply translation devices. What they do is take your request for "" and turn it from "" into the IP address, so that your request can be understood by the computers that form the Internet and sent to Google's domain for processing.

As you can imagine, translating the names of all the web sites we type in every day into numbers is a massive task - and that is what the ten million or so DNS servers do every day.

Sometimes, to make things faster, the servers store these translations. It is not uncommon for even small-sized Domain Name Servers, like the kind you might have sitting in a rack at your office, to contain thousands or even millions of similar "translations" in storage.

The problem with this approach is that hackers can make a ton of money by successfully changing the "translations". Typically, in a DNS hack, the hacker just takes your request for, changes the IP address, and re-routes you to a look-alike site, so he can steal your username and password.

Now, the effort required to hack a DNS server is not trivial, and not likely to be successful with respect to large, well-organized organizations. But the recent announcement of a major flaw in the underlying DNS software has even seasoned pros working late into the night to get their fixes in place.

The good news is - since the announcement yesterday of the full extent of the "Kaminsky DNS flaw", a majority of the world's servers have been patched, including 70% of Fortune 500 companies.

The other good news is, our product SafeCentral provides a really nice set of protections that secure DNS requests and bypass the standard DNS infrastructure. If you're worried, give it a try. It also stops key-loggers and screen-scraping spyware.

Note: If I didn't do a good job explaining these basics, email me, and help me improve this post. The shorthand in here (yes, I know the Google domain includes multiple IP addresses, etc, etc) is by design - I just want to help folks understand the basics of DNS so they can get a handle on what this flaw means.

If you want to dig deep on DNS, head over to Kaminsky's blog at DoxPara Research.

VIP Laptop "Rematerializes" in Office

Verified Identity Pass issued a press release today stating the they have "found" the laptop we reported was missing with over 33,000 personal profiles on it.

According to the firm's head of business development, the laptop was discovered in the office in which it was lost over a week ago. An "initial investigation" has revealed no tampering with the data.

Comments out on the blogosphere this afternoon range from the sarcastic ("that must be one a heck of a large office") to the suspicious ("Probably was put back after stealing the information" and "I would not use that computer - there is probably a hacker chip installed in there now") to the incredulous ("How do we know it's even the same laptop?").

I'm going with the "Gordian Knot" approach on this. I'm assuming VIP simply misplaced the laptop and found it sitting under a paper file somewhere. I am going to assume there was no attempt at cover-up, or no attempt to deceive -because that is the simplest explanation.

But I have a feeling that we're going to hear a lot more of these "discoveries" in future.

"Rediscovering" a laptop that has been reported missing with your entire company's customer base on it - after it has been missing a week - is a lot less painful than watching the story grow and your business shrink.

I am happy to assume this didn't happen in this case, but I'm quite certain folks looking for a quick solution in future will remember this approach, and apply it - safe in the knowledge that like me, most people will accept the news at face value.

Note: I originally read this occurred in NY. It didn't - it happened in SFO.