Friday, August 31, 2007

Scary Monster

The theft of data from Monster.com is generating a significant number of new news headlines about spear-phishing attacks, including several, like this article in USA Today, that quote the investigations done by the team here at Authentium.

Financial gain is the leading motive for all attacks on IT infrastructure, and it has been that way for more than three years. Getting control of Monster's data was just the first step of a larger plan - probably to enable some form of spear-phishing.

Spear-phishing is the term used for targeted phishing against a marketing database as opposed to random emailing to non-aligned end users. The criminals that hack customer databases such as Monster.com's and enable spear-phishing lease access to that database to marketers - let's call them "badvertisers" - on a "name per hour" basis.

This is the same basic economic rationale behind the rise of botnets - networks created from millions of hijacked computers, that are leased out to criminals that pretend to be advertisers or rich widows of third-world presidents.

But whereas botnets may be leased by criminals to criminals for anything from a few cents to a few dollars an hour per user/end point, the value of a single, unified customer database like Monster.com's is potentially far higher.

Like all marketers, "badvertisers" understand that messages from a trusted source - or embedded within a trusted source, such as the Wall Street Journal, or Fox News - have far more value than messages from an untrusted source.

This is why legit advertisers get Rush Limbaugh to read those ads out loud on his radio show - his words are far more trusted by his listeners than those of an anonymous announcer. Which means Rush, the more trusted voice, is worth a multiple of what the anonymous announcer would charge.

How much of a multiple? One useful guess is 4.5x - that's the number Hiawatha Bray at The Boston Globe quoted this morning in one of the better-researched articles on the Monster.com problem.

"A 2005 study at Indiana University found that 72 percent of students obeyed the instructions in phishing messages when they appeared to come from a trusted source, while the compliance rate for untrusted messages was just 16 percent."

The ability to target millions of Monster.com customers exclusively with a message that appears to come from a trusted source (Monster.com), is worth many times - 4.5 times, if you agree with the Indiana University study - what a criminal might pay to lease a botnet.

Note: At the end of the day, I'm not sure this attack counts as a "success" from the perspective of the criminals. Smart criminals understand that parasites are more successful when they leave their host (i.e. hijacked database) alive, and most successful if they can remain invisible.

The attackers in this case failed to create much value for themselves because they chose to go too big too fast, causing so much press that even the most infrequent Monster.com user must now know about the attack. By biting off too much, and gaining press attention, the hackers have effectively ruined any chance they might have had for long-term financial gain.

Tuesday, August 28, 2007

VOIP Eavesdropping

Working in this industry is a little like walking into a supermarket and trying to find something "not unhealthy" to eat: everywhere you look, there are problems.

Take, for example, VOIP.

I'm not talking about the issues that bedevilled Skype this past week (although that seems to be developing into a fascinating story about what happens when one node on a peer-to-peer network gets out of sync and "central command" lacks sufficient permissions to prevent disaster) - I'm talking about the issues that are emerging relevant to VOIP and security.

VOIP, as we all know, stands for Voice Over Internet Protocol. And it is the "IP" part of this acronym that is both the root of its greatness and its largest potential weakness. Because if your systems are not architected just right, introducing VOIP into your business can introduce an easily-exploitable vector for corporate espionage.

By corporate espionage, I mean the ability to "listen in", record, or otherwise intrude on your corporation's most sensitive phone discussions.

Will Stofega, research manager for VoIP services at IDC, recently said “One or two years ago, the discussion of VoIP security risks was theoretical. What we’re going to start seeing is the threat of moving from theoretical to reality.”

This is no longer a theoretical threat. Stan Quintana, VP of Managed Security Services at AT&T, who I had the pleasure of meeting last year, believes, when it comes to VOIP traffic, "there is substantial exposure to intercepting that conversational data and monitoring it."

Bogden Materna, CTO and VP Engineering for VOIPshield Systems, recommends deploying a "multi-layer security infrastructure that... consists of... SBCs, VOIP Network Intrusion Prevention Systems (NIPS), VOIP DoS defenses, VOIP Network Intrusion Detection Systems (IDS), Host IPSs, AAA servers, encryption engines and VOIP antivirus software."

That may not be overkill - it is absolutely essential to protect voice communications in an enterprise, and VOIP needs added protection so confidence doesn't wane.

Because, as we saw last week in the Skype situation, people will very quickly start experiencing fond recollections of 100 year old POTS technologies when VOIP clients suddenly become unavailable, or start affecting (or infecting) other clients on the network.

Sunday, August 19, 2007

One and a Half Billion Heartbeats

Many years ago, astronaut-legend Neil Armstrong sat down for an interview with news-legend Walter Cronkite. It was just after the time of the Apollo project, which was coincident with the beginning of the jogging craze.

Cronkite asked Armstrong for his opinion on jogging. Armstrong thought about it for a second, then responded:

"I believe that the Good Lord gave us a finite number of heartbeats and I'm damned if I'm going to use up mine running up and down a street."

This quote has always tickled me. I repeat it whenever anyone asks me to work up a sweat. So I was pleased yesterday, when Geoffrey West, a Santa Fe-based scientist, confirmed what for me has been merely Neil's opinion for the past thirty years.

Interviewed on NPR, West confirmed that the results of his most recent research show the heart of the average mammal, humans included, beats approximately one and a half billion times in its lifetime, regardless of the size of the mammal or its habitat.

In other words, it appears that it doesn't matter if you're an elephant or a mouse. Every mammalian heart is programmed to beat 1.5 billion times - before beating no more.

The story contained a number of nice audio props, such as recordings of the bongo-like heart of a shrew, which beats approximately 1,000 times a minute, and of the whale, whose heart beats (if a low squishy sound can be called a "beat") approximately once every three to four seconds.

But the thing that interested me most was the part the story left out - a quote from one of the most famous humans to yet walk the Earth, which at the time was just his opinion, but which now ranks as a fully-fledged - and very welcome - hypothesis.

Saturday, August 18, 2007

Virtualization: The Next Generation

The success of VMWare's IPO last week took none of its customers - which include Authentium - by surprise. The intra-day run-up, from $29 to over $50 a share (resulting in a $19 billion market cap), shows that market watchers believe that virtualization is barely out of the front gate in terms of economic potential.

One of the reasons for this is because virtual machines are still really only being installed on servers. And despite the obvious reduction in support costs and physical overhead that is enabled by installing multiple virtual machines on a single physical server, many IT administrators are only a small way into their migration plan.

Which means, come rain or shine, VMWare revenues should continue to grow healthily for many, many years.

But are servers really the most profitable line of business? Or are there other forms of virtualization that could enable an even bigger payday, a few years down the line?

I believe there are. According to our experience (and Microsoft's volume pricing tables), for every 30 servers in an organization, there are approximately 500 PCs, or, increasingly, laptops. Obviously, desktops and laptops present an attractive market for virtualization in the future.

However, I don't think we're going to see the same form of virtualization take root on the desktop.

I believe by the time new technologies like VirtualATM, which is based on our VERO ("Virtual Environment, Restricted Operations") virtual environment take seed, purely web-based forms of "the applications formerly known as desktop applications" will have arrived in force, creating a situation where the operating system may become redundant with respect to many of today's tasks.

Certainly, tasks requiring heightened security will use virtualization and restricted runtime environments almost exclusively. It makes *zero* sense for a large bank or online trading firm to expose their transactions to processes running in the non-virtualized environment.

Far better to elevate the application and restrict interaction to only those processes and network assets which can be absolutely trusted - which is what we do with VERO.

Of course, this all begs the question as to what will happen to the faithful desktop PC, and/or Mac? Will our computers simply become pretty boxes capable of instantly downloading any number of virtual environments, such as VERO, and metering their use via mechanisms like KPP?

Microsoft seems to think so. Here's a quote from an article in the Wall Street Journal last year that showed up in a 2006 article by the ever-alert Mary Jo Foley, over at ZDNet.com:

“Meanwhile, a cadre of respected Microsoft computer scientists and programmers formed a group under Chief Software Architect Ray Ozzie to start building software that could be a critical piece of what Windows might become, say people familiar with the work.

That group, says a person familiar with the matter, sees the future of Windows as much more as an Internet service than software that runs on a PC.”

In other words, "Windows as a webOS".

I personally think by this time (2012?), virtualization and servicizing of the services we consumers use the most (web browser, word processor, spreadsheet, financial management software, games, etc.) will be so far along, and so easily accessible and secure, that Microsoft - and Apple - could find themselves in 2012 with highly-virtualized operating systems that no one, except die-hard fans, will want or need to use.

Note: One potential piece of gold at the end of the Microsoft virtual rainbow is KPP - otherwise known as PatchGuard. PatchGuard provides metering support for software application usage and license management - such as desktop applications deployed using Microsoft SoftGrid.

KPP - and Microsoft Update - could become the critical components of the Microsoft webOS. It will be interesting to watch Microsoft's upcoming technical releases, including kernel-level APIs, in this area.

Skype's Problem is PR, Not Technology

Before their 2-day outage this week, it was impossible to imagine that Skype would ever find itself comparable to your typical airline in terms of information policy.

But that is exactly the position that Skype's less than impressive PR strategy has put it in. By releasing little tangible data and punctuating releases with periods of "dead air" up to twelve hours in length, Skype has turned itself from "trusted VOIP top dog" into just another big company that doesn't care how long we're going to sit on the runway.

The PR folks handling the Skype situation seem to have forgotten who built the company into the 220 million user powerhouse it is today: a combination of technology-savvy, socially-networked geeks.

This network of super-smart customers needs to be given much more to chew on than an "algorithm deficiency" - otherwise they will use their gray matter to come up with any number of conspiracies involving viruses, saboteurs and terrorists. Indeed, many such theories are doing the rounds.

Tell us more, Skype. Name the data centers and customer base subsets affected, discuss the nature of the breakdown in encryption that has occurred between your clients and servers, tell us if it was caused by a bad update or a piece of malware - share with us.

You will not lose customers because you chose to share this information: the opposite is much more likely.

As a resident of downtown New York during 9/11, I remain thankful for Rudy Giuliani's handling of the situation, and how much he shared with us during that day. Despite having to manage a broken city, and fires on numerous fronts, he found time to address New York's residents and provide enough information for us to understand, react, plan, navigate, and compensate on that horrible day.

Skype's PR team need to maybe take a leaf out of Rudy's book and think about how people use Skype, and how much more information might be warranted above what is currently being released.

Tuesday, August 14, 2007

Adding the Value Only You Can Add

I sometimes get asked by my employees what I think they should focus on. The answer I usually give is: take a look at the company, take a look at where we're heading, and “add the value only you can add.”

In my experience, there are *four* ways in which value gets created in an organization:

1. The coming-together of capital and people (foundation)
2. The reaction of people to plans and needs (task-based work)
3. Contributions to intellectual property (creative thinking)
4. Self-organization based on a combination of the above (entrepreneurial activity)

Additionally, there are *four* ways in which value gets destroyed:

1. Resistance to change
2. Secretiveness and/or disrespect
3. Lack of communication or understanding
4. Criminal acts: theft, fraud, sabotage

Destroying value is easy - everything you need to know is listed right here, and applies in equal part to religious terrorists or atheist technologists.

I personally prefer to focus my gray matter on how value is created – because when value gets cooked up at companies, a surprising amount can end up in the hands of individuals and their families. And that's a good thing.

1. Task-Based Work

Task-based work is where the bulk of the value gets created in a business – especially in areas like sales, development, QA, and customer support, where repetitive work builds the odds of success, and corporate governance and finance, where process-based attention to detail is critical to a company's prosperity.

But task-based work can also be wearying if you’re kept in the dark or not properly tasked – it can feel at times like negative value is being created.

How do you know if you’re working for a bad manager? If you have a bad manager, you’ll find yourself frequently with time on your hands - or no idea of the value of what you’re doing – because the manager either misjudged your ability to get something done, or because they didn’t provide any context or understanding.

Suggestion: Tell your manager you need to understand why doing the task you’re doing is important. If you don’t have a task, ask your manager what problems they need to solve or processes they are trying to create.

If you are tired of doing a repetitive task, figure out how to automate that task or response, and sell your manager on your plan to do so. Tell everyone when you’re done, so we know the value you’ve created - the value that only you were able to bring to the forefront.

2. Creative Thinking

Creative thinking is highly useful to an organization – but only if it is shared. Ideas are valueless if kept a secret. For an idea to have any value at all, it needs to be shared with managers, or with the custodians of intellectual property – the CTO, the General Counsel, the CEO, and department VPs.

Equally, the ability to see around corners is useful only if shared - taking pleasure in watching someone fail because you recognized the path they were on is a particularly nasty form of amusement.

For an idea to have maximum value, like sushi, it should be served "sliced but raw". The biggest mistake I see people making is the mistake of “polishing their idea”. The only thing that adds value to an idea is *work* – "bulk thinking" seldom adds much value to the initial burst of inspiration.

As Einstein once said, the four steps to success are: saturation, incubation, inspiration… and perspiration. He rated perspiration 99% of the effort.

Suggestion: Don’t assume something is valueless – or valuable – in its current context. Don’t keep it a secret. Make sure someone outside your department is aware of your idea – it may be worth a hundred times more in Legal or Marketing than in Development (or vice-versa).

3. Entrepreneurial Activity

The very best entrepreneurs combine thinking and action, and the best of these guys create value every waking minute of every day. Venture investors are *always* looking for people like this, and, believe it or not, these guys always come to the investors with exactly the same presentation, regardless of the nature of their invention.

At the end of any decent presentation of a business plan, there is always a graph. The graph indicates to the investor that the entrepreneur understands it is their job to add value over time.

In fact, on the graphs I have personally seen, the “x” axis is always “time”, and the “y” axis is always “value”. The guys that get the money are the guys that design the best-looking “hill to climb”, and have the best-looking (and most proprietary) walking sticks to do it with – i.e. the guys that are able to prove their company will add more value over time, and face less competitive pressures, than competing operations.

Suggestion: In today’s world, the folks that add the most value in the least amount of time (Bill Gates, JK Rowling, George Marshall, Steven Spielberg, Paul McCartney, Larry Page and Sergey Brin, Rupert Murdoch, Bono, Steve Jobs, Tiger Woods, Warren Buffet, etc), win.

Note: You hear a lot about the "compromises" entrepreneurs make to become successful. Really? How much do you think each of these guys on this list compromised either their beliefs or their personalities?

Read this list through again - if you can find a compromiser among them, I'll buy dinner.

Don’t think you can add value from where you sit? Look around – there are people rising fast at Authentium because they took an idea home on the weekend and worked on it until it became a product line. These people are inventing valuable work habits and may one day find this approach useful when starting their own business.

Summary

If you find yourself not adding value, ask for tasks, or invent them, or jump in and help someone with too much to do. Share ideas outside your group, and act on them. Take ownership of your output and take pride when others offer you improvements, because they will make your idea more valuable.

The cell phone of today is infinitely more valuable than the first prototype telephone. Don't you think Alexander G. Bell would be proud to hold the iPhone in his hand today? SHARE your idea, and watch it become something far greater than you.

Above all, DO NOT sit idle – because when you do that, you’re not creating value for anyone.

By the way, this is "just my small change" - you're welcome to disagree. But in thirty years of doing this, I have seen a bunch of guys succeed, and watched how. The key to every success, however long coming, is to work as a team, and add the value only you can add.

Sunday, August 12, 2007

When Zombies Attack

A couple of days ago, I blogged about a group of Russian criminals that are distributing a PHP-based malware creation kit called MPack, designed to enable criminal gangs to target Internet banking and shopping customers.

The "developers" of this kit recently boasted about creating a network consisting of tens of thousands of hijacked web servers, worldwide.

This weekend, days after my post went up, one of our sites became the target of an attempted DDOS (Distributed Denial Of Service) attack involving tens of thousands of IP addresses.

Coincidence? Maybe, maybe not.

The attack was not harmful. As a security company, we get this kind of stuff aimed at us all the time. Many security companies and commentators do: Microsoft, Symantec, VeriSign, CERT, Steve Gibson, Ben Edelman - the list is a long one, and these are just the guys willing to be open about it. In a 2006 USA Today article, it was claimed that Symantec alone found itself the target of an average of almost a thousand DDOS attacks a day during 2005:

"Security software giant Symantec saw an average 927 DDOS attacks per day in the first half of last year, up 679% from the last six months of 2004."

I imagine the guys at Symantec are pretty well-prepared for these events by now. The Authentium NOC guys, and our ISPs, were also well-prepared for the additional traffic that came our way today, and our systems responded to plan.

Note to Russian authorities: it may turn out that someone else was behind today's incident. That doesn't matter - you should do the Internet users of the world a favor, and arrest these MPack lowlifes: It is naive to imagine the well-funded criminal gangs buying their kits will continue to focus their attention exclusively on banking and commerce targets outside Russia.

Speaking of which... according to research done by VeriSign iDefense (and published on a blog maintained by our partners, IronKey), the MPack Internet banking "crimeware" kit is being used by more than 50 criminal groups - and associated malware has been unintentionally downloaded and installed by an estimated 500,000 PC users worldwide.

Bankers, beware. Readers, if you want to view my previous post on this, click here.

DHS - PCs = No Plan

On Saturday, the DHS computer network at LAX shut down, preventing incoming international passengers, and some passengers from Alaska, from being processed. Peter Gordon, acting port director for customs, said the shutdown, the latest in a series of incidents to affect the DHS system, was unprecedented:

"I've been with the agency for 30 years and I've never seen the system go down and stay down for as long as it did."

During the 10-hour outage, which lasted from 2pm until midnight and affected more than 20,000 passengers, air conditioning and water were in short supply, leading to a situation where dehydration was observed among some passengers by two LA Times reporters:

"Water fountains were not accessible due to renovations in the terminal, and the only air conditioning was provided by three industrial fans with limited range."

Ultimately, three people had to be hospitalized. The last passengers were processed at around 3.50am on Sunday - almost 14 hours after the shutdown started.

This is the latest in a series of incidents involving INS or DHS computer systems. I experienced one such incident myself, first-hand, at JFK about a year ago. I was at the front of the line at JFK when the computers went down for about an hour and a half.

Being at the front of the line, I observed uniformed INS staff repeatedly trying to log in to the DHS network. I asked the officer manning the booth in front of me if there was a back-up plan "if the computers don't come back on line".

"Not that I'm aware of", he said. "You just have to be patient".

The computer system that shut down yesterday provides officials with details on who they need to detain for secondary screening, which is without doubt a worthy goal in this day and age. But the lack of a backup plan reveals a critical lack of "defense in depth" thinking - and planning.

The incident at LAX should have created an ideal situation to test the DHS (non-computerized) back-up plan. The fact that no back-up plan appears to exist - none was executed inside ten hours of downtime - indicates a lack of planning that few private companies would allow.

It isn't as if the DHS doesn't have the resources. The Department of Homeland Security has a $30 billion annual budget.

What would happen in the event of a terrorist attack on an airport? What is the plan if the entire US network were to go dark? Are incoming passengers to be carted off to a hangar somewhere? Is there even a plan in existence with that amount of detail?

On July 30th, Bennie G. Thompson, D-Miss., and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin, D-R.I., both signed off on a letter to DHS CIO Scott Charbo, asking him some hard questions about the 844 security breaches the DHS has experienced over the past two years.

They have given Mr. Charbo until August 27th to respond. Post this incident, I expect his response will draw a significantly greater audience of reporters than it would have previously.

Tuesday, August 7, 2007

MPack Developer: "Just Creating Ammunition"

An article appeared on the SecurityFocus website a few weeks ago containing an interview with the developer of the MPack Infection Kit, a Russian-based malware-creation toolkit that retails for between $750 and $1,000 on the Internet.

According to Symantec (who made this movie), MPack presents itself as an IFRAME Manager tool, basically an FTP updater client, written in PHP, that runs on a webserver with MySQL as back-end. It takes as input a list of website administrator accounts (possibly obtained in the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.
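The practical consequence of the behaviour described above is that a site owner's own home page becomes the delivery vehicle, so the defender's check is an integrity scan of the served HTML for frames the site never intended to carry. The script below is an added example, not code from Authentium, Symantec or the MPack toolkit: it parses a page with the Python standard library and flags any IFRAME that is hidden from the visitor (zero size, display:none, off-screen) or that loads from a host other than the site's own. The sample page and the domains in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe ...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag names already
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Return the leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(-?\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden_iframe(attrs):
    """True if the frame is sized or styled so that a visitor cannot see it."""
    for key in ("width", "height"):
        d = _dimension(attrs.get(key, ""))
        if d is not None and d <= 1:
            return True
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Off-screen positioning, e.g. style="position:absolute;left:-9999px"
    return re.search(r"(left|top):-\d", style) is not None


def is_offsite(src, site_host):
    """True if src loads from a host other than the site or its subdomains."""
    host = urlparse(src).hostname
    if host is None:  # relative URL, served by the site itself
        return False
    host = host.lower()
    return host != site_host and not host.endswith("." + site_host)


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that are hidden and/or off-site."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if is_hidden_iframe(attrs):
            reasons.append("hidden")
        src = attrs.get("src", "")
        if is_offsite(src, site_host):
            reasons.append("offsite host")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate same-site frame, and one injected
# zero-size frame pointing at a placeholder attacker-controlled host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/video.html" width="320" height="240"></iframe>
<iframe src="http://malicious-host.example/landing" width=0 height=0
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "example-site.example"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against the HTML the site actually serves (fetched as a visitor would see it, not the copy on disk), the check reports only the injected frame. A legitimate embed, such as a same-site widget or a sized frame from the site's own CDN subdomain, passes; an injected frame typically trips both tests at once, which is why the reasons are reported together rather than collapsed into a single boolean.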

Nasty stuff. And well-organized - and, apparently, well-funded. In the SecurityFocus interview, the developer appears to not be too concerned about forking out $10,000 for an exploit:

"For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code).
We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is $10,000 in case of good exploitation."

The actual impact of MPack on consumer computing is not known with precision. The developers claim only "tens" of copies of the software have been downloaded. However, the developer appears to admit "tens of thousands" of web pages have been compromised, which lends credence to the claim by SecurityFocus that exploits based on MPack have compromised "hundreds of thousands" of computers.

In the interview, which can be found here on Register.com, the "developer" of the malware toolkit admits that he knows what he is doing is illegal - "we are just a group of people working together, but doing some illegal business" - and that he is aware of Russian laws covering the nature of his work.

He also goes on to illustrate that he cares nothing about the consequences of his work.

Q. Do you feel sorry for the people whose machines are infected by an attack?

A. Well, I feel that we are just a factory producing ammunition.

He then further goes on to complain that "AVers" (i.e. antivirus companies, like Authentium), are painting him as a criminal.

"AVers want to make an image showing us like bad guys stealing something from a store, etc. But really, almost none of my friends have any contact with criminals about our work or anything else."

Authentium to MPack Developer: you *are* an Internet criminal. You are not just "supplying the ammunition", you are fueling the battle by supplying criminals, and making the Internet worse for hundreds of thousands of consumers.

Which is why, one day, you will end up in jail. Hopefully, for a very long time.

Note: Symantec's blog has an excellent posting on this malware.