Saturday, March 31, 2007

DNA Hacking 100% Possible, 0% Detectable

Most computer virus detection technologies have been around for more than a decade now, and the better "real time" detection technologies, such as those developed by Authentium, are close to 100% effective.

Unfortunately, as Ray Kurzweil writes in a recent article on biological viruses, current biological threat detection systems are 0% effective in real time. In fact, as of this writing, no "real time" biological virus detection capabilities currently exist.

That's right: Despite billions of dollars spent every year in research, the biological world is currently virtually defenseless against bio-hacking.

The reason this is troubling to me - and should be troubling to you - is that hacking human DNA is fast becoming almost as cheap and as easy to do as hacking computer code. Worse, most of the labware - the gear needed to create a distributable smallpox virus, such as DNA synthesizers - and the information on a target DNA sequence or genome, can be found online.

Secondhand DNA sequencing machines (Kurzweil calls these machines "inkjet printers for DNA") are available from a large range of distributors and secondhand stores. Here's a DNA sequencer for sale for under $10,000 on eBay's German site:


Genomes and research papers detailing the work of scientists in the field of DNA synthesis are just as easily available. A ten second Google search revealed several research papers detailing the smallpox genome, including one describing "genome linear double-stranded DNA sequences of the alastrim virus Garcia-1966, a laboratory reference strain from an outbreak associated with 0.8% case fatalities in Brazil in 1966."

Not that you really need to do this level of research - pieces of the smallpox virus itself can be ordered online. In the UK, a team of journalists from The Guardian managed to order three samples of DNA from the protein coating of the smallpox virus, just a few months back. The copies of the sequence were sent to them by mail in a plastic bag. The order cost just thirty-three pounds.

Ordering the basic genetic material necessary for hacking a genome is currently not covered by regulations in many countries. Upon questioning by reporters, the UK distributor, VH Bio Ltd, admitted "There are no regulations in place which require us to carry out background checks on potential customers." The reporters were not challenged at two other European companies they approached.

So why am I writing about this, instead of writing about IT-related threats, such as computer viruses? I'm writing because hacking has changed utterly in the past five years - it has moved from being the province of teenagers to the focus of organized criminal gangs, and terrorists.

I'm worried that we're approaching a point where bio-hacking may soon start approaching computer hacking with respect to the cost of creating a threat, yet we lack any comparable capability when it comes to detecting an outbreak.

We need to grow up our capabilities with respect to detecting biological viruses. We need a real-time bio-threat detection capability every bit as good as the best we have in the computer virus mitigation world.

This is no trivial endeavor. It is going to take a major investment - maybe more than the cost of the entire Iraq war to date. But the return on this investment might just be the greatest return on any investment ever made.

Tuesday, March 27, 2007

$7b in Virtual Assets by 2009

According to an article at Bankrate.com, lenders in Europe have started setting up branches inside virtual environments, such as SecondLife, in order to support real money transactions for virtual assets, such as virtual real estate and laser swords.

No, this isn't a pre-April First article. It's actually happening.

One such virtual world, Project Entropia (PE), created by MindArk, based in Sweden, already features a separate virtual currency, the Project Entropia Dollar (PED) that is pegged to the US dollar at a fixed exchange rate of 10 PEDs to the greenback.

The size of Entropia and its PED economy is no secret: according to a senior executive at the company, David Simmons, more than $350 million dollars changed hands "inside" their virtual world during 2006. There were 565,218 users online when I visited PE this evening. Assuming two thirds of those folks were registered community members six months ago, that's $1,000 in spending per active member. That's an incredible amount. I'm sure teenagers are not exactly spending to that level at my corner store.

So what can I buy with PEDs? I went and took a look. Most of the items on offer were in the cents to dollars range (46 Gazzurdite stones for $1.15, a genuine RepEdge Battle Axe 2x0 for $0.43, a pair of Shogun gloves for a buck twenty), but prime real estate located in Calypso, PE's version of an upscale neighborhood, was selling for far more - hundreds of dollars per structure.

The bargain of the night? An online shopping mall in downtown PE. The price? $179,668.

Simmons says you can put money in and take it out freely, and goes so far to say that while your money exists inside their world, it is "guaranteed", which, the history of the US economy suggests, is a great recipe for growth. And it isn't like banks are standing back - ABN AMRO already has a branch up and running inside SecondLife, and ING has a SecondLife branch "under construction".

According to IGE, more than $7b in assets will be bought and sold using real dollars in the virtual world, by 2009. "We are convinced that within one year from its release on the market, Project Entropia will have its first dollar millionaire," MindArk's Patric Sundström told gaming site RPGPlanet.

A virtual economy, populated by real millionaires, where one of the primary requirements is moving money securely between banks located in online and offline worlds. Sounds like a job for VirtualATM!

Monday, March 26, 2007

Kids, Spyware, Taxes, Fraud

Kids are spyware magnets.

Not only do they enjoy clicking on things adults wouldn't dare go near, they do so without regard to the family tax files, or banking information stored on the same computer. Spyware-making criminals understand this, and increasingly are using your children as a vector into the family computer.

Kids > spyware > taxes > identity fraud.

According to a recent study by Symantec, in which they plugged a brand new computer into the net and "let it rip", sites targeting children accounted for by far the largest percentage of the 359 adware and spyware programs downloaded in the first hour. The runners-up were travel sites and sites offering sports information.

Tom Pahl, an attorney at the FTC (Federal Trade Commission), backed up the contention that kids are a troubling vector for malware in a recent interview on MSN.com.

"Kids are an easy way to sneak spyware onto a PC," he said. "... the behavior that makes you likely to contract spyware, that's the behavior kids engage in."

Parry Aftab, a child online safety advocate who has been talking about these kind of threats for years, agrees.

"When I talk to parents, you can always spot the parents with boys who are gamers. They say, 'My computer is running so slow, I have adware and spyware everywhere.' I always ask if they have a child between age 9 and 15 who like games. They are intentionally targeting kids without question."

So there you have it. Kids are a vector - and a risk, if you're doing your taxes on the same computer upon which they are playing games.

So play it smart this tax season. Buy the kids their own computer, so they can download all the spyware they like, and do your taxes at work on a computer you trust.

Sunday, March 25, 2007

Matrixed Multi-Tenancy and the Future of SAAS

SAAS buyers need to ensure the solution they are buying is built to match the purpose they have in mind, and the launch time-frame of the project.

We can say this from experience. Layering in an automated software distribution business on top of a millions of end points connected via a massive service provider infrastructure is the main thing we do. Since our first deployment of Authentium ESP almost five years ago, we've become very good at doing this.

One of the core reasons why? "Matrixed multi-tenancy".

As you probably already know, the main difference between "single-tenant" SAAS systems and "multi-tenant" SAAS systems lies in the design of the database.

Single-tenant systems have historically been designed to handle a single tenant, or customer. Single-tenant architectures usually take the form of a single, isolated database inside a single network, designed to serve up a single shared application set to a single, non-tiered distributed base.

Multi-tenant databases are typically far more complex, and are usually designed to serve multiple application and feature sets to multiple types of customers. Multi-tenant systems feature databases designed to handle multiple distributors and tiering relationships, multiple customer types, multiple application types, multiple brand-customer relationships, etc.

Why "matrixed? Because supporting multiple ISV application and feature offerings is complex and requires linkage between databases, in order to support complex policy settings, and tiered reporting, including end user status reports, and reseller commission and ISV royalty reports. A layered support infrastructure designed to handle all of the matrixed inbound and outbound relationships is necessary to enable global reporting, and support commerce.

Speaking on a purely practical level, one of the main things we've learned from our installs is that if your SAAS solution is going to scale, it needs to support not only end point application and feature modularity, but "distribution modularity" as well.

Most of the clients that we work with have to manage multiple distribution channels, support networks, ISVs, and brands, in addition to multiple physical networks. You just can't do this with a single-tenant data model - or even with a web-centric "multi-tenant-lite" model.

The single-tenant approach quickly falls down when sub-distributors need to be added, or applications/features withheld from subsets of the population, or prices adjusted by geography - or when new sub-systems need to instantly come online, as the result of a merger or acquisition.

In addition, single-tenancy systems are usually expensive to set up, highly inflexible when it comes to sub-distributions of application bundles or branded offerings, and usually don't scale well beyond the original brand that created them, or network that purchased them.

Matrixed multi-tenant systems, such as those we've built for ESP 4.0 (Elements) and ESP Enterprise, are highly-flexible by comparison, and are increasingly much more cost-efficient than their single-tenant predecessors.

By enabling true multi-tiering of offerings, including different application bundles, support offerings, and brands, matrixed multi-tenancy offers real and sometimes significant cost and time-to-market savings.

Historically, the argument against multi-tenant systems has always been expense-related, because, with the possible exception of hosting companies, no one has ever built these databases into a shippable product, or "service".

However, with the arrival of Elements and ESP Enterprise, the expense argument is now moot. Because of the cost-savings enabled through hosting multiple populations, it is possible for us to ship our ESP solutions for less price than the less-flexible single-tenant providers.

Right now, ESP is the only matrixed multi-tenant system of its class that supports automated, tiered distribution of complex end point applications by backbone service providers to multiple sub-distributors, such as regional or local ISPs.

I don't expect us to hold this high ground forever. As true multi-tenancy becomes cheaper, and more premium SAAS applications come onto the market; as CIOs and network administrators start developing a taste for productivity-based end point widgets; as more and more telco and cable companies merge their networks - all SAAS networks, enterprise and consumer, will inevitably move to matrixed, multi-tenant architectures.

Saturday, March 24, 2007

Keyloggers in Action

Last week, our CTO, Helmuth Freericks, showed me a demo of "All-In-One Keylogger" - one of the technologies he is using to test our new VirtualATM secure banking software.


Unlike hacker-built software, this technology was built by RelyTec to enable forensic tracking of suspected criminals, and it has a lot of well-engineered features. However, that doesn't mean that hacker-built technology is inferior in any way. To the contrary, given the rapid growth of involvement in hacking by organized crime, I suspect the illegal keyloggers may be every bit the match of the code built by RelyTec.

All-In-One Keylogger has some powerful features, including the ability to capture any text entered in a web form (including your name, social security number, date of birth, mother's maiden name, and anything else) and a screen-capture capability that is designed to capture a screen shot every time you click your mouse (goodbye virtual on-screen keyboards).

Inspired by Helmuth's demo, I bought a copy, and this weekend, I put All-In-One Keylogger to the test against the top ten online US banks, and, for good measure, Green Border's product, and the products of several brand-name security companies. The results were extremely sobering.

First, I went to onlinebanking.com and downloaded a list of the top 150 US banks, by asset value. Then I launched the keylogger and went to the top ten sites. AIO Keylogger captured not only every character of text entered at each one of these sites, but a screenshot of every single textbox in every single form of every single banking site visited.

Consumers, if you have accidentally been infected by a keylogger, you are 100% vulnerable, on 100% of the online banking sites I visited. Like the criminal versions of keyloggers, all I needed to do was click the "email me this log" button to get the data sent to an email address of my choosing.

Here's an example of the text that was captured, using the "textual log" function. It includes the name, social security number (if you know the site's layout already, and trust me, hackers do, it's relatively easy to figure out that the first nine numbers after the name are the SSN).


This info, plus date of birth, which is just down the page, really is good enough for just about any criminal. But as if that wasn't easy enough, the keylogger includes an additional screen-capture capability. Here is just one of the screen shots taken by the keylogger:


I ask you to pause at this moment and imagine a room filled with cubicle-inhabiting database entry clerks, turning emailed screen shots like this one into database entries.

Imagine the sheer amount of data that could be captured every day, from the millions of credit card and Internet stock trading and bank account application forms and tax filing forms - and even government license or regulatory forms - that exist on the Internet. Now imagine that data under the control of a well-organized criminal gang.

Since the beta release of VirtualATM, the Authentium R&D team has, under Helmuth's direction, been using keyloggers to demonstrate how unsafe the online credit card / tax filing / checking account / driver's license application process is to consumers, and, conversely, how much safer that process is with VirtualATM.

So far, with respect to keyloggers, the VirtualATM approach has outperformed every other product or technology on the market, including the antiphishing protection technologies recently introduced by the name brands, and our innovative friends over at Green Border (who incidentally deserve a ton of credit for trying to solve this problem).

Our hope is that by this time next year, you'll be able to use the VirtualATM technology to file your taxes, send your accounts to your accountant, pay your bills, buy a car at auction, and bank safely online.

By the way, before I sign off, here's a screen shot of the All-In-One Keylogger in action against a live Authentium VirtualATM banking session (this is a 100% untouched screen capture of how the keylogger sees VirtualATM):


No screen information visible, no text captured, no nothing. Your personal information is totally secured against prying eyes. You can see why we're excited about VirtualATM.

Friday, March 23, 2007

Why The Economist is Wrong About YouTube

Back in 1998, I arranged a $10m start-up financing for a startup created by a bunch of ex-Economist editors, journalists and sales guys.

Aside from the fact that my money is still in the company (so much for betting on economists-turned-entrepreneurs), I have nothing but good things to say about The Economist. It's usually a great read.

However, the recent article on Economist.com about YouTube displays some of the thinking that used to drive me crazy back at those late-nineties board meetings (example: "we should charge exactly what the newspapers in the same location are charging for classifieds").

If I learned one thing from those sessions, it is that you can't necessarily judge the potential long-term success of a new paradigm by the market-entry, or influence, of old-paradigm power-players.

Take the article's opening paragraph, for example:

"It has been a terrible month for Google, the biggest search engine and the internet’s reigning superpower, and for its subsidiary, YouTube, the pioneer and precocious leader of online video. Users may love them, but the old-media companies, feeling increasingly exploited, loathe them, sue them, and gang up on them. And that matters, because neither Google nor YouTube, as quintessential “new-media” companies, own any of the content that they organise so well."

So new media Google/YouTube doesn't "own" the content. Big deal. Obviously the author of this article somehow missed the mirrored cover of Time's "Person of the Year" edition. While Google/YouTube doesn't "own" the content on its site, neither does Old Media.

Last time I looked, which was today, via the YouTube player built into Authentium's new ESP Elements framework, the YouTube home page had on display a collection of two-minute clips from would-be independent filmmakers, college pranksters, high school geeks, Russian/Latvian dancers, Chinese lonely hearts, and pet owners: in other words, content from the "MeTube" Generation. Except for one contribution based around the BigBrother show, there wasn't a single old media contribution in sight.

If you subscribe to the fairly well-proven (by SEO experts) theory that 80% of navigation stems from the entry point to a web site (usually the home page), 80% of the YouTube videos watched and rated yesterday by YouTube visitors did not belong to either YouTube, or Old Media, but instead were owned by other YouTube visitors.

Which means YouTube is playing in a different sandbox - QED: Old Media can make all the announcements it likes, but YouTube will continue to do just fine, until some other company comes along with more interesting user-generated content or a better fulfillment system.

Parental Controls: Best Practices

The Child Online Protection Act of 1998 (COPA) received its final body-blow yesterday in the form of a dismissal ruling by Judge Lowell Read of the US Federal Court.

Siding with the ACLU, Judge Read said that while he was personally in favor of restricting a child's access to porn, First Amendment rights were more important. He also made the point that there are number of technologies out there designed to enable parents and teachers to put filtering and monitoring in place.

Despite its failings, I'm a big fan of the First Amendment: and I'm glad it's the First Amendment because to me that underscores its fundamental nature. So I would rather keep the First and solve this problem through technology.

As the world's leading licensee of those technologies, we have seen our fair share of filtering approaches. Some are incredible. Some don't work very well, and some don't work at all. I remember one famous vendor demonstration at a trade show in New York during which not a single site (out of fifty) was blocked. That company is no longer in business.

Aside from the methodologies related to analysis, policy-setting can be an issue as well. I remember another incident when we were testing the original PICS voluntary policy controls and came across a "naturist" (read: nudist - see comment below) site that had given itself the equivalent of a "G" rating. I called the guy up. "Everyone should see how we live - there's nothing wrong with it", he said to me.

Clearly he was not looking at the same shots I was.

The folks that have been around a while - PureSight, RuleSpace, SurfControl - and the folks that have good feedback systems built into their products, such as Fast Data Technologiers, NetSweeper and WebSense - have built some impressive systems, and, on aggregate, have created a situation where policies can be created for upwards of three quarters of a billion pages, across scores of categories.

With that much filtering going on, is a law really needed? Probably. While some kids are no doubt capable of self-policing, not all kids have the same processing powers and sensibilities. The views of parents also vary widely - a majority of children interviewed in a 2004 survey said they needed *more* supervision from their parents, and 40% of them stated that their parents were wrong to trust them to do the right thing without guidance.

That's why laws are needed - for the same reasons that truancy laws, or gun-lock laws, or child seat laws are needed - because you can't always rely on every parent out there to understand their child's sensibilities, or know the right thing to do, and you shouldn't underestimate a child's need for guidance.

As for the technologies, we'll keep on fine-tuning our technologies and our policies, but my personal view is that involvement with your kids online activities - and knowledge of their interests - is by far the best parental controls policy.

Thursday, March 22, 2007

The Guns At Work Coalition

I received a survey today from the "Guns At Work Coalition" of Florida, asking for my backing.

"No way", I thought to myself, as I read through the fax. Guns at work?

Then I did ten second's worth of research on Google. It turns out that this lobby group is actually working with folks like the Florida Chamber of Commerce and American Bar Association to try and prevent "Guns At Work" legislation backed by the NRA and others from being passed by the Florida State Legislature.

In other words, these guys are not the "Guns at Work" coalition, but the "No Guns at Work Coalition".

Folks at the GAWC: If you want our backing, please consider making the name of your lobby group the same as your stand on the issue. If you are not for human slavery, calling your lobby group the "Antislavery Coalition" is a lot more effective than calling it the "Slavery Coalition".

Tuesday, March 20, 2007

Why You Should Fake Your Mother's Maiden Name

Most folks see "CSI" and think "CSI Miami", as in "Crime Scene Investigation" in a city not too far south of where I'm writing this. However, security software folks look at "CSI" and think "Computer Security Institute", which publishes a much-read annual report and a dozen sample policy summaries through the year.

I opened the March copy of the Computer Security Institute today and spotted an article by Charles Cresson Wood entitled "Using Mother's Maiden Name to Authenticate Anybody". I thought he raised an interesting new way of approaching the maiden name non-dynamic password problem.

First of all, let's just agree on one thing: Using your actual mother's maiden name to authenticate anything or anyone is crazy. It took me about ten seconds to find the maiden name of one of my friends based here in FL using Intelius - and about fifteen minutes of refining searches in Google to track down a friend's MMN in a non-US jurisdiction.

This knowledge, however, will not set us free: many of the alternatives to "mother's maiden name" suck for other reasons, ranging from the logistics associated with distribution to the costs associated with management and support. For those, and a host of other reasons involving too much to do, certification, and fear of stepping away from the known, that "Mother's Maiden Name" text box on the bank's PIN reminder form is unlikely to be uncoded anytime soon.

Assuming this to be the case, Cresson Wood has a great suggestion for us. He suggests the next time you sign up for anything that asks you to submit your mother's maiden name, you make one up. Make sure it's memorable, of course, then offer this fake maiden name in place of your mother's real name.

"Franzappa" will not exactly resist a serious attack, but it will stop casual password hunters from finding our your mother's real maiden name using online tools, and using it against you. Remember, it's the low-hanging fruit that hits the ground first - so go up the tree.

Follow this simple trick and you'll reveal less information about yourself during sign-ups, and deposit less valuable information into databases.

Monday, March 19, 2007

Pump and Dump: The Katrina Moment

"Pump and dump" schemes have been around since well before New York City stock traders first gathered under the walnut tree.

It's a simple way to get rich - a bunch of criminals get together and conspire to "work" a public stock up or down in value, without the knowledge of other folks holding the stock, then sell out at their target value and leave innocents bereft of their money.

The old-style pump and dump scheme is relatively easy to spot - sophisticated systems have been developed to do just that. However, the new style "pump and dump" Internet trading schemes have changed the rules. On the Internet, the old adage goes, "nobody knows you're a dog". The bad news is, on the Internet, nobody knows you're a stockbroker either. In the new world of identity theft and online fraud, "you" could well be a criminal using stolen credentials.

The new-style pump and dump attacks recently reported by major online trading firms have so far resulted in less than $30 million in individual losses in less than six months. That's not a lot of money, but does prompt some interesting questions:

1. What level of tolerance is built into the online stock trading system?

2. Are they capable of withstanding a multi-billion-dollar scam?

3. Are the criminals capable of pulling such as scam off?

All these questions are really just one: at what point does such a scam become an online trading company's "Katrina moment", defined as the moment at which available assets are unable to fill an unplanned loss?

First, let's look at the classic "account hijack" version of the "pump and dump" scam. In this version of the "pump and dump" attack, online criminals create accounts using stolen personal or corporate credentials* at the online trading companies and then buy penny stocks. Then, using stolen credentials from legitimate account holders, they log in as these account holders, and start driving up the values of the selected stocks, by placing purchases through these hijacked accounts.

Nothing much different here - except that so far, the criminals appear to have stayed away from the main board, the big traders, the commodities market, the bond market, derivatives. What would happen if the losses suddenly escalated ten-fold?

First of all, SIPC (Securities Investor Protection Corporation) covers the customers of brokerage houses for up to $500,000 ($100,000 cash) in losses, should their trading company fail. That's good news for individual investors.

But what would it take to create a knockout blow on one of the trading houses? I took a look at the balance sheets of two mid-range trading companies and found that they had an average of half a billion dollars in cash on hand, or slightly less than 20x the amount stolen to date.

The thing that struck me in looking at these balance sheets is that some of these firms are great-looking companies - great margins, great ratios, great valuations. I bet that currently these companies are paying a relatively small insurance premium relative to the risk right now.

If the new pump and dump criminals move upstream, and bring about a "Katrina Moment", resulting in a collective loss to the industry of, say, $500mm, that could change.

As to the question of whether or not the criminals are capable of pulling off such a thing, there is no question in my mind that such a thing is possible, and possible today. Hopefully, the smart money will not aim this high, and choose instead to remain parasitic in nature.

Note: in researching this piece I went to three of the top five online stock trading sites, as defined by About.com. At all three sites, during the account creation process, I was asked to provide my social security number, my name and address, and account information: all the info any criminal would ever need to sign up for an online trading account - as me.

I chose not to continue.

Antiphishing Needs an Overhaul

I was on the site of one of our peer companies yesterday and saw that they are offering a "Fraud Protection" application designed to weed-out potential phishing sites. Consumers, beware. The approach they are using is not 100% reliable, and it is becoming less reliable by the day.

The average phishing site is up for far less than 48 hours, but even that doesn't matter any more - most criminal phishing sites are distributed among multiple domains now - some, across multiple countries - which means that "Fraud Protection" approaches that utilize database lookups simply cannot keep up. This kind of approach is fast losing its effectiveness.

The other problem is that it isn't just the bank's URL that is being compromised - often, the antiphishing program itself is more vulnerable to attack than the site.

We recently met with representatives of a major bank that distributes a free antiphishing technology to their customers. They were shocked when we showed them the ease with which this solution could be compromised. Not only did our "fake" demonstration site look exactly like the real thing, but the site certificates matched, and the bank's antiphishing program gave it a "green light".

We are one of the companies that ships database lookup approaches, and our approach uses one of the leading databases. But we've chosen to go a different way with our next generation of ESP releases. A fresh solution is urgently needed if consumers and business owners are to maintain confidence in online banking and financial transactions. This is why we created VirtualATM.

VirtualATM does not use "reported phishing site" database lookups - it assumes that your computer has already been compromised, and works to create a "secure island", or VirtualATM, from within which you can transact securely. VirtualATM uses our patent-pending technology to take manage the transaction session and ensure that a bank's customers only travel to trusted destinations - and are not redirected anywhere else.

Not only does this approach remove the possibility of phishing attacks, but it mitigates other potentially-harmful attacks as well, including "man-in-the-middle" attacks, keyloggers, and both local and remote DNS poisoning threats ("pharming" attacks).

And then, there's "phidgeting" (phishing widget) attacks. We saw the first example in our labs last week of how easily some of the existing widgets offered by major financial service providers can be compromised, and our prediction is that attacks conducted via "fake" or compromised widgets will soon make web site-based phishing look tame.

Luckily, our engineers made protection against phidgeting a cornerstone of their design. VirtualATM uses our patent-pending service-hardening (antitampering) technology - which makes it the first technology designed to protect consumers from phidgeting attacks.

Friday, March 16, 2007

The Valerie Plame Law

When Francine and I got married at the Plaza Hotel in February 2002 (see previous post), I invited a small group of friends. Among them were two guests from my days in Washington: Ambassador Joseph Wilson, and his wife, Valerie Plame.

I first met Joe and Valerie Wilson in DC, just after they were themselves married. At the time, Joe had been back from Iraq for several years and was working on several international telecom projects, focused mainly on solving communications issues in Africa. We first met through some mutual friends at WorldSpace, then again as I was shopping a wireless technology that would later be renamed WiMax.

Joe is a pretty easy guy to like. After a few meetings, he invited me to his house, in suburban Washington, where I met Valerie. I vaguely remember asking what she did when we first met and found she was working in a similar field to Helmuth's wife - consulting. Not at that time, nor any other time that I visited their house, or talked with Joe, was Valerie's true occupation ever mentioned, or discussed. At our wedding in New York, we enjoyed Joe and Valerie's company, without any of us being aware of Valerie's covert status.

Fast forward several months - you can't imagine our surprise when the news about Valerie's real occupation broke. I was sitting at home, watching TV, and they mentioned her name, and Joe's, and then broke the story - the story that would later break Scooter Libby. We had no idea beforehand, and it is still hard to believe now.

When I heard Valerie's testimony this morning before the US Congress House Oversight and Government Reform Committee, the same feeling I got when I first heard the news came over me again. Nothing about this action bothers me more than the knowledge that Valerie's life - and the lives of the folks recruited into Valerie's international network - were placed permanently at risk because of the reckless actions of a government official.

These networks are incredibly expensive and time-consuming to build, and vital to maintain - and the human intelligence produced is irreplaceable. The US intelligence community - and the CIA in particular - is poorer as a result of this compromise, and I imagine current covert field operatives are feeling none too secure about their own networks these days.

Hopefully, the House Oversight and Government Reform Committee will create a better law with clearer definitions and powerful penalties that will dissuade US officials from destroying these valuable assets in the future. Democrats should call this new law "The Valerie Plame Law", pass it, and get Bush to sign it while he's still in office.

Tuesday, March 13, 2007

Virtual Keyboards Offer Zero Protection

I like Netbanker.com as a web site. It provides some great stats and adds some clear thinking analysis on the online banking industry, and catalogs its analysis by bank brand. It is my first destination when I'm trying to right-size markets for VirtualATM or analyze what folks already have in place.

A few months ago, they ran a piece on TreasuryDirect.orgs new "virtual keyboard". What a waste of time.


I recently downloaded a keylogger to test VirtualATM's abilities to secure transactions against keyloggers. Transaction information and PIN numbers entered via Authentium's VirtualATM proved to be invisible to the keylogger. The TreasuryDirect.org site wasn't nearly so lucky.

Here's the deal. Online criminals expect banks to put in place screen-based logins that rely on mouse-click PIN inputs into a "virtual keyboard" - which is why they include screen-scrapers as part of their arsenal.

The keylogger I installed yesterday includes a screen-shot capability that is more than capable of defeating any and all of the "virtual keyboard" style PIN input mechanisms: it is designed to take a screen-shot every time the mouse is clicked, then wrap this information into an email and send it back to the hacker. Note to TreasuryDirect guys: scrambling is completely useless.

Is your PIN eight characters in length? Eight screen-shots later, the hacker has your PIN. Your social security number is just a single screen shot away.

Our patent-pending VirtualATM technology is the only technology I have seen in market than can defeat these kinds of sophisticated attacks. Email me if you know of anything even close to what we're doing.

Saturday, March 10, 2007

Universities Publishing Malware?

Coming soon from a major university near you* : a brand new mobile phone virus, complete with downloadable source code. Unbelievable, yet true.

Authentium's lead malware researcher, Robert Sandilands, has an excellent article in his blog about this case of higher education gone awry.

*The university in Robert's article is located in California.

Social Security Numbers Vulnerable Online

When it comes to identity fraud, there is nothing a criminal likes more than to get their hands on than a US Social Security Number (SSN).

The Better Business Bureau ranks social security numbers as the most sensitive (and useful, from the criminal point of view) of all personally identifying information. According to AARP, as of 2005, there were 227,000,000 social security cards in circulation in the US.

All these social security numbers are disturbingly vulnerable online, as I found out last night, when I went to the IRS web site to explore the options for paying taxes online. All the options I looked at require end users to enter their full names and SSNs as part of the submission process, in plain sight of keyloggers and screen-scrapers.

Looking at other web forms online, I found that virtually all banks and online financial institutions were making use of social security numbers - mainly as part of the financial service (i.e. loan) application process. Many allowed the use of a social and credit/debit card number to access online credential information, or change these credentials.

For example, clicking on the "Get Help with Your Online ID" at the Bank of America site, for example, this takes you to a form that enables you to access your online ID number, using a Social Security Number and your BoA account number. A sidebar includes the following explanation:

# We use your Social Security or Tax Identification number only to identify you. The information is safe and secure. No one else has access to it.

# Entering either your SSN or TIN ensures you get access to your Bank of America accounts. A Tax Identification Number (TIN) is for business owners.

When Bank of America says "this information is safe and secure", they are not talking about the point in time at which your social security number is entered by you into that form on a web browser. They are making a statement concerning only the security of the copy of your social security number they keep inside their database. At the point at which your SSN is being entered into a browser, your SSN is *not* safe and secure - it is highly vulnerable.

As you enter your information into a web browser, Bank of America currently has zero control over your computer and no idea whether any malware/spyware is installed on it. At this point, your information is clearly visible to a key-logger, and visible to screen-capture technologies as well - and we've seen some very capable screenshot capturing pieces of malware in the virus lab over the past few years.

Worse - if you are the target of a phishing site and end up at a clone of the "Get Help" site, it may not be possible for the average user to tell the difference. The padlock at the bottom of the page is only an image, after all, and easily copied, and sitekey, though a welcome step in the right direction, is not exactly the most visible or robust of technologies.

How can this problem be fixed? As many of you know by now, we have developed a new, patent-pending technology - VirtualATM - that enables online banks, tax payment agencies, money transfer agencies, and other financial institutions to protect these forms and user sign-up procedures from these kind of attacks. Several financial institutions are currently evaluating VATM. Our first deployment is planned for May.

VirtualATM takes the whole transaction out of the "visible" browser/PC environment and effectively prevents screen capture and keylogging devices from stealing the information. It doesn't work using tradition antivirus or antimalware principles: it is a pro-active security solution that focuses on protecting and concealing this kind of information at every step in the chain.

Look for it next year, during tax-time - or the next time you sign up for a financial service, online. I know I will be.

Wednesday, March 7, 2007

Dyan Dyer: In Memorium

One of Authentium’s co-founders, Dyan Dyer, passed away last night, after a long illness. She was 58.

Dyan was an amazing person – I knew her as an innovator, a spirited member of the Authentium board, a hugely supportive shareholder, and an extremely energetic (especially given her condition) and caring person. Authentium would not be what it is today without her.

I never got to see Dyan in action as CEO of Command Software - she was already ill when we merged our companies back in 2002. But based on the energy she displayed despite her illness, I can imagine what a terrific leader she was – the evidence is there in the company and systems and technologies she built, and the folks she chose to work with her that are still with us today, and in some of the innovations that she sponsored that are just now reaching fruition.

There are several companies in Canada today that can thank Dyan for the considerable help she gave them in taking them public during her years working in Toronto, prior to her founding of Command Software - she will be missed by many.

Our thoughts go out to Gary, Dyan's husband, to Helmuth and Ishrak, and to Dyan's family in the US, and in Canada. Gary, you made sure Dyan's final years were lived in as much comfort and happiness as possible. You were Dyan's rock, and you have earned the respect of us all.

Musings From Montgomery

Dan Williams of Montgomery invited me to the annual Montgomery Technology Conference in Santa Monica this week. I very much enjoyed it - and made some terrific new friends.

Unlike many conferences, sessions were divided into "selling" sessions, in which CEO's pitched their companies to bankers, and "information" sessions, involving distinguished panelists. This is a great format. Panelists didn't spend their alloted time selling their companies, but instead got into some of the issues facing technology companies, both public and private, and their backers - also public and private.

Today's lunch session was entitled "Private Capital Outlook for 2007: Venture, Private Equity and Hedge Funds". During the session, Tim Draper made a comment which I thought explained a lot about the recent rise of innovative companies, and the current backlog of companies lining up again for IPOs.

Draper's viewpoint is that many large technology companies dampened down technology research and development budgets over the past five years in order to maintain margins, and have kept them there - forcing a commensurate (or perhaps larger, due to any coordinated oversight of spending) amount of innovation into the hands of small startup companies wiling to take the risk of starting a company on the basis of a perceived gap in innovation.

I like this thinking a lot - if you look within the security software industry, this is precisely what we've been seeing: lack on innovation and technology investment from the giants, resulting in some terrific new technologies that fulfill needs that were not around five years ago. It explains the growing rate of merger and acquisition activity and also explains the current woeful state of some of the "big brand" technologies.

It also means that more and more startups will start coming onto the public markets again. If the pitch sessions here at Montgomery are an indication of things to come, the first startups that came into being over the past five years are maturing to the point where their revenues and growth will create new opportunities for public investors in the public markets within the next few months.

Sunday, March 4, 2007

Julie Amero: When Bias Meets Blogs

I'm a big fan of irony. The Norwich Bulletin's slogan is "Explore the Possibilities". In practice, they seem to do anything but.

I wish there was a newspaper version of the "Razzies" that could apply to the kind of reporting this paper has done on the Julie Amero case. Not that I should care - the rapid growth of the blogosphere is about to ensure that bias on every scale is evicted from the reporting tent.

The signs are clear. If the published comments of the good citizens of Norwich, Connecticut, are anything to go by, the Norwich Bulletin will disappear, replaced by blogs created by the citizens themselves. This was going to happen anyway - the Amero case just hastened the end.

Before the Julie Amero case came along, and "reporters" Daniel Axelrod and Greg Smith misread the blood-flow of the local populace and started writing pro-state articles about how much this 40 year old, married, pregnant substitute teacher deserved to go to jail, the Norwich Bulletin was on the same downhill slide many other carbon-based media entities are themselves confronting.

The difference in this case was that the Norwich Bulletin chose to prosecute a single side of the case: the side of the prosecutor, David Smith. Judging solely from the comments the paper has chosen to publish, this bias has managed to upset about 90% of their reader base. If Amero's sentence involves jail time, I predict there will be a lot more unhappiness.

Over the last year, I have gotten to see the power of blogs first-hand, and I have learned that if you stick to the facts and stay away from unfounded bias, the blogosphere eventually catches up with you: good or bad. You won't win every heart out there on the web - that is an impossibility in the blogosphere - but as second prize, you will get to experience the principles of Jeffersonian democracy in action: freedom of thought based on freedom of information.

As things stand in this case, Julie Amero's sentencing has been postponed until the end of the month. This decision had nothing to do with the planned arrival of legions of TV and national press reporters, including Fox News, and at least two security software companies. For our part, we were armed and ready to show the citizens of Norwich archived versions of the now notorious "new-hairstyles.com" web site, the site that launched the original investigation, including the original javascript. We still are.

Norwich, see you at the end of the month - at the new sentencing. But don't expect to see any coverage of our public demonstration in your local paper. That would involve unbiased information sharing. Check out your local blog - or the international news - instead.

SAAS Evolves Beyond "No Software"

John Loftus, Executive Vice President of Safeguard Scientific, and a board member of Authentium, just sent me a copy of Boenning & Scattergood's newsletter of Feb 27th. I'm very glad he did.

In this report, analysts Bradley L. Mook and Michael F. Ciarmoli focus on recent movements within the software-as-a-service (SAAS) sector. Clearly, they are impressed by the decision taken by RightNow Technologies to move their entire business to renewable SAAS-based subscriptions - a move that has recently impressed RightNow's shareholders as well.

But, even aside from their analysis of the rapid growth other companies are starting to show in this area, what really caught my eye was their endorsement of RightNow's decision to include an end point software agent in their delivery model, as part of RightNow 8.

Up until quite recently, SalesForce.com's "no software" (translation: "no end point software") marketing message has ruled the SAAS roost - and, without other clear examples of SAAS, analysts have often excluded "client software" from the SAAS model. However the B&S report, among others, shows that things are evolving away from the simple server-browser model that brought SAAS into the world.

In parallel to the SalesForce AppExchange model, which supports the delivery of simple, web-based (no-software) applications, a new model is emerging - one that blends the SAAS commercial model with client-server, non-browser-based encrypted communications, and complex end point functionality.

RightNow is using this approach - distribution of an end point agent - to improve client-server communications and optimize information security and transfer within RightNow 8. Our own Authentium ESP (Extensible Service Platform) system uses this system even more extensively - to deliver and update complex software technologies, such as antivirus engines, encryption engines, end point firewalls, and VPN technologies - to networked end points, under a SAAS subscription model.

This doesn't mean the SalesForce model of "no software" is doomed - far from it. My prediction is that in future, the "no software" model will persist for simple applications that can be served up by a web server. However for security companies charged with protecting local assets or personal data, the SAAS model will evolve to include even more complex end point applications, served up and/or updated on demand, as per a SAAS-based subscription agreement.

For SalesForce.com, it probably feels like they are miles down the SAAS path. I'm sure Right Now feels like they're just hitting their stride. Authentium, and other companies moving client software into the SAAS model - we're just getting started.

Saturday, March 3, 2007

Vista Licensing Cracked?

An anonymous post from "richarddd" on digg.com is claiming that a team of keygen (license key generator) crackers named Paradox has cracked the Microsoft Vista software licensing system.

The digg.com poster says the Microsoft Vista licensing system hack takes advantage of SLP 2.0' ('system-locked pre-installation 2.0') , a mechanism Microsoft's "Royalty OEM" partners use to ship product that does not require addition registration by product purchasers.

I just visited the web site that claims to be hosting the crack at paradox.crackteam.ws (BTW, the site drops a spylog cookie - please don't go here without your antispyware enabled) and there are several hacks up there that might be the one touted.

But a search isn't required - full information on the hack is proudly displayed at the site referenced by the poster, at www.uploadcrap.com, a site apparently owned by the digg poster, who appears to be located in the United Kingdom. The link to the ZIP file containing the Vista hack leads to Rapidshare.com, a Swiss-based hosting company.

T
his news, if true, is potentially quite bad news for Microsoft, coming this early in the release cycle. It also means that cleaning up piracy in some markets may remain a tough prospect for some years to come.

Thursday, March 1, 2007

Avoid "Fun Video" Links in Blogs, Forums

Dmitri Alperovitch, the principal research scientist over at Secure Computing, one of our OEM partners, suggests PC users should avoid clicking on "Fun Video" links in blogs or RSS feeds for the time being.

The Storm worm variant I blogged about yesterday is using both e-mail and Web sites to infect Windows-based PCs by injecting itself into the comments left by blog readers. It propagates by injecting itself into the operating system as a rootkit. Once installed, it intercepts web traffic and attempts to propagate itself.

What this means is that when that infected user next visits a blog, or forum, and posts to the blog or adds a comment, the Storm worm is able to insert malware into the comments or posts. Right now, the inserted line in the comments invites readers to watch a "fun video". Clicking on the link takes the reader to a web site where the whole infection process starts again.

According to Secure Computing, the malware inserted by the worm gives the criminal control of the PC, enabling them to utilize that PC for the purposes of sending spam, launching DDoS attacks, or running keylogger attacks for the purpose of capturing personal information.

They note that the worm is using server-based polymorphism (self-modifying code that changes automatically every time it is downloaded) - technology that is designed to outwit antivirus engines that are heavily reliant on signatures.

Warning: Some antivirus vendors, including some of the big brands, are *not* detecting this variant of the Storm worm. Authentium antivirus *does* detect this variant of Storm - in fact, our malware analysis engine detected this variant, in the wild, the minute it appeared, using our advanced heuristics, which means all Authentium partners were protected at zero hour.

Note to users of non-heuristics-based antivirus programs: to avoid infection, don't click on any links that contain the words "fun video" for the time being. Or better yet, upgrade to an antivirus technology designed to catch this stuff out of the box.