Wednesday, May 30, 2007

VirtualATM vs. GreenBorder

We're pretty familiar with GreenBorder, the virtualization software that Google acquired this week.

As we've talked about before, GreenBorder attempts to do what our TSX-based VirtualATM succeeds in doing: create a secure environment for web browsing sessions, including sessions that require transmission of personal data by consumers.

But pictures speak louder than words - let's "go to the tape". Here's a screenshot of what a keylogger sees when it encounters Google GreenBorder:


Result: Unfortunately, GreenBorder presents hackers with a "green light". The keylogger we used not only captured clean images of the session (and the data entered into the fields) but it also captured the text that was entered too, and was able to route that text back to us in an email.

Here's a screenshot of what that same keylogger sees when it encounters Authentium VirtualATM:


Result: The keylogger was unable to capture any text, or images, from the Authentium VirtualATM session. Yes, our screen shot is less colorful, but that's the idea - you want hackers to capture *zero* data from your PC.

There are many technical differences between the two approaches. Authentium VirtualATM secures each transaction session using a combination of client and downstream technology, and uses much deeper, patent-pending system-level technologies to secure the virtual session.

GreenBorder presents pretty much just a virtualized environment, and lacks the deeper security that our TSX library provides. The result is a less than totally secure environment that is relatively easy for hackers to capture data from.

Bottom line: Authentium's sessions are totally invisible to screen-scrapers. Personal data entered into fields inside Google's GreenBorder session screens can be captured using keylogger technology.

I know which technology I'll be using to file my taxes through.

Sunday, May 27, 2007

90,000 Malware Sites, Zero Regulation

Brian Krebs over at the Washington Post recently asked this question: should there be a law that requires web hosting companies to take down malicious sites, and protect law-abiding sites from malware.

You *bet* there should.

Cynics would say that I'm saying that so I can make a few bucks off hosting companies by providing them antivirus or antispyware scanners.

Rubbish. I'm saying it because I'm deeply worried about what I see going on in server-land. With more than 90,000 infected sites dishing up malware (source: Krebs, stopbadware.org, Google), how will life improve for consumers until these servers are forced into compliance?

The DHS needs to bring hosting companies into line. Banks currently are mandated to "know their customer" - why should information transactions be treated any differently? How hard would it be for governments to mandate that hosting companies know their customer?

How much would it cost to install malware detection and alert owners if the code changes on their site? Peanuts, relative to the multi-billion dollar hosting industry - and its evil twin, the multi-billion dollar online fraud industry.

As Brian does a terrific job of pointing out, the biggest problem that all of us face in this industry is that it doesn't matter how much client software we track down, put a ring around, neuter, or quarantine - there is always a hosting company standing ready to take a dollar off a phishing gang or similar criminal organization.

It is time for the government to pass a law, and empower an agency to step in and put a stop to hosting companies that willy-nilly take money from terrorists and criminals.

Yes, it will take a few years to clean out all the transgressors, but we need to start: servers, not clients, are the issue - and with the current level of escalation up the value chain we're seeing in the phishing world (nice "Rock Phish" article also, Brian), it won't take too many intrusions at the client level to add up to significant value for a criminal.

Time to clean house.

Friday, May 25, 2007

Attack Targets Executives by Name

If you have received an email from the Better Business Bureau recently, treat it with special care.

The email may not be from the BBB. It may instead be the latest variant of a targeted malware attack first reported by the BBB back in March - one of the first such attacks to use the actual name and title of the executive in addition to their email address.

We received several samples from our industry partners, and one such email yesterday, directly addressed to Doug Brunt, our President. The virus lab posted a report on this version last night. I noticed from Alex Eckelberry's blog that our partners over at Sunbelt Software received a similar email, addressed to their head of marketing.

The format of the email suggests to me that Doug's information and title were harvested from a web site by some form of bot - possibly from the contacts page of our corporate site, or from a business-oriented social network, such as LinkedIn or Spoke.

As with the original attack, the email presents the recipient with a document in RTF format. Upon opening the document, the recipient is presented with a PDF icon, entitled, in our case, "Document_for_Case.pdf". Here's a screenshot:


Clicking on the object (which Patrick Knight, one of our researchers did from the safety of one of our malware research lab computers), links to a server located at a hosting company called IX Web Hosting based in Hopkinsville, Kentucky. At the time we ran the program, the link was down, but we've added it to our 24/7 monitor list and will report back if it goes live.

Our researchers have classed this as a very dangerous threat. The highly-targeted nature of the email, the use of name and title, and co-opting of the Better Business Bureau's trusted mark all add up to a scam that is likely to leave its mark - and provide a template for copycats that may be better-funded and even more creative.

Note: We called IX Web Hosting, the company identified as hosting the server targeted by the attack, to alert them to the information contained in the malware payload. The level of interest they displayed in acting on this information and pulling down the server was astoundingly low. Needless to say, we will not be signing a hosting deal with them anytime soon.

Thursday, May 24, 2007

Version 5.0 Release

The DLL form of our new v5.0 antivirus scanner engine gets delivered Tuesday. As many of you know, that isn't soon enough for me. ;-)

V5.0 is a major version upgrade for us - the first in four years - and represents the results of four years of continuous development. Here are the highlights of the testing so far:

Our heuristics have been significantly improved to the point where they now beat most zero-day approaches on the market. The advantage of having good heuristics is that whole species of threats can be caught on the fly - without the need for definition files, or prior to triggering a lookup request. This improves response times, and provides additional options with respect to event chains and service levels.

The other improvements in the area of heuristics that we're working on involve dealing with black- and gray-listed "packers" - otherwise known as "Russian Dolls". This threat takes the form of a piece of malware wrapped in multiple layers of packed or encrypted code, each of which looks to a normal scanner like a new, unknown file. Typical approaches involve "peeling back" these layers one at a time with no upper bound on the number of layers, and this can slow down devices significantly.

Note: we're not abandoning definition files as the basis for our analysis - not by a long shot. In addition to the new heuristics, the new engine will feature more than 130,000 additional virus definitions. These are not generic definitions but absolute, bit-accurate virus definitions.

These additions will mainly benefit users of our COM SDK desktop products. Currently, our desktop products rely on our superior on-access scanner - and its built-in heuristics engine - to catch threats "on access".

The addition of these def files will bring our on-demand scanner into line with real-time/DVP results and also bring our test scores into line with market (most currently published tests are of our older on-demand scanner and don't reflect our new analytic capabilities: for example, the most recent AV-Test results reference our 4.93 engine - a product that is nine months out of date).

With respect to the DLL version of our AVSDK that will be delivered Tuesday, this is our most-licensed product, and is typically deployed in high-throughput environments. We've spent a lot of time thinking about how we can improve ROIs in that space, and we've focused mainly on five areas consequential to operating MSSPs:

1. Detection rate
2. Speed of response
3. False positive rate
4. Speed of analysis (throughput)
5. Size of memory footprint

So far, in QA testing, the new engine is showing very good numbers in all these areas - but especially so in terms of throughput and memory footprint. The new engine's optimization will enable us to continue to lower the capital expense costs of our appliance manufacturer and MSSP licensees.

Gateway customers will find the new engine much faster. Practically, what the tests show is that we have the ability to rip through the entire database in a fraction of the time taken by many of the other engines on the market, while maintaining a superior detection rate.

That all adds up to fewer false positives, better detection rates, fewer boxes, fewer air conditioners, and a greater ROI for our partners - all factors that will keep our AV SDK business humming - provided this release comes out on time.

Wednesday, May 23, 2007

Julie Amero Sentencing Delayed Again

No, I haven't forgotten about Julie Amero.

Her sentencing has been delayed again, to enable the world - and in particular, the global news media - to forget about this ongoing travesty of justice taking place in Norwich, Connecticut (and, a cynic might say, to prevent certain security executives from showing up, pre-sentencing, armed with spyware examples and malicious javascript demonstrations).

For those unaware of the situation, Julie Amero, a 40-year-old married, pregnant, former substitute teacher at CT's Kelly Middle School, has been found guilty of child endangerment because a computer she was operating displayed pornography to her students after she clicked on a disguised hyperlink to a Ukrainian porn site and triggered a javascript popup loop.

Despite the fact that the above events have now been examined and well-documented beyond any reasonable doubt, Amero faces the potential of a forty year jail term at the sentencing.

Had Amero been piloting a school bus with failing brakes that day, rather than a PC, and ended up with her kids in a ditch, she might have been awarded a medal after going for help (which she did) - and the court might have seen fit to haul the mechanic that last looked at the brakes up for questioning.

None of that happened in this case. The one technical expert called was dismissed midway through his testimony, and the fact that the school computers had not been updated for years did not even make it into the record.

Amero was fired because of this. The school's IT guy (i.e. the brake mechanic) has yet to receive even a slap on the wrist for not doing his job and protecting the school's computers - a task that other school IT directors across the country manage extremely well.

Will Julie Amero get forty years for unsuccessfully fighting a piece of malicious javascript? Will the new judge refuse to be swayed by the Norwich Bulletin's pro-prosecution journalism? Will common sense - or the governor - save the day?

Mark your calendars, global news media folks - the new sentencing date is set for June 6th. That's just a couple of weeks from now. Stay tuned, and stay alert - years from now, this may be seen as a landmark case, in the spirit of another trial that took place just up the road in the village of Salem in 1692.

60% of Enterprise Data on Laptops

I was chatting with Jim Sheward, Chief Executive Officer, Co-founder and Director of Fiberlink, this morning, and he clued me into a data point I had not heard before.

According to research conducted by IDC, fully 60% of the data inside a Global 2000 organization is replicated on laptops that leave that organization. Put another way, 60% of enterprise data is mobile - and only 40% of the data stays within the perimeter.

Whoa, I hear you say - no way. That just can't be possible - not at any company I have shares in/gave blood to/parked my money at. Well, let's explore.

* March, 2005. UC Berkeley. A laptop was stolen containing personal information on 98,369 graduate students and graduate-school applicants.
* November, 2005. Boeing. A laptop is stolen containing a human resources database with 161,000 social security numbers and bank accounts.
* April, 2006. Union-Pacific. A laptop was stolen with the names and Social Security numbers of 30,000 current and retired Union Pacific employees.
* May, 2006. Equifax. A laptop containing Equifax employee names and Social Security numbers of "nearly all of Equifax's 2,500 U.S.-based employees" was stolen from a worker traveling on a train in Europe.
* May, 2006. Ernst & Young/Expedia/Hotels.com. A laptop belonging to an Ernst & Young employee was stolen in a car theft earlier this year. Ernst & Young is the auditor for Hotels.com, an Expedia company, and the laptop contained personal data on 243,000 Hotels.com customers.
* June, 2006. Department of Veterans Affairs. Social security numbers and dates of birth of about 2,200,000 active-duty, National Guard and Reserve troops were likely stored on a PC stolen from a VA employee's home. That device also contained information on 26,500,000 U.S. veterans.
* June, 2006. YMCA. A laptop computer containing personal information on 65,000 members was stolen, including credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children.
* July, 2006. Williams-Sonoma. A laptop stolen from the Los Angeles home of a Deloitte & Touche employee conducting an audit for Williams-Sonoma contained information on 2,600 employees, including payroll information and SSNs.
* July, 2006. US Dept. of Transportation. A special agent's laptop stolen from a vehicle in Miami contained names, addresses, SSNs, and dates of birth for 80,670 persons issued with commercial drivers licenses in Miami-Dade County, plus 42,800 persons in FL with FAA pilot certificates, and 9,000 persons with FL driver's licenses.
* July, 2006. US Navy Recruitment Office. Two laptop computers with information on more than 4,000 Navy recruiters and applicants were stolen.
* August, 2006. Chevron. A laptop was stolen from "an employee of an independent public accounting firm" who was auditing its benefits plans, containing SSNs and sensitive information related to health and disability plans of up to 59,000 workers.
* August, 2006. PSA Healthcare. A company laptop was stolen from an employee's vehicle that contained 51,000 names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.
* September, 2006. General Electric. An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business.
* October, 2006. Gymboree. A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of upwards of 20,000 employees.
* October, 2006. T-Mobile USA. A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage.
* October, 2006. U.S. Army Cadet Command. A laptop computer was stolen that contained the names, addresses, telephone numbers, birth dates, Social Security Numbers, parent names, and mother's maiden names of 4,600 applicants for the Army's four-year ROTC college scholarship.
* November, 2006. Internal Revenue Service. According to documents obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs.
* November, 2006. Kaiser Permanente. A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained 38,000 names and Kaiser ID numbers, along with date of birth, gender, and physician information.
* November, 2006. Philip Morris. 5 laptops were stolen from Altria HR consultant Towers Perrin, allegedly by a former employee, containing the details on 18,000 past and present employees.
* November, 2006. Starbucks. Starbucks lost four laptop computers containing employee names, addresses, and Social Security numbers for more than 60,000 current and former US employees.
* December, 2006. Boeing (again). A Boeing Co. employee loses a laptop containing "the names and social security numbers of hundreds of thousands of employees and retirees".
* December, 2006. Electronic Registry Systems. Two computers (one desktop, one laptop) were stolen containing cancer patient registry data for more than 63,000 patients at several area hospitals.
* December, 2006. KeyCorp. A laptop computer stolen from a KeyCorp vendor contained personally identifiable information, including the social security numbers of 9,300 customers in six states.
* January, 2007. North Carolina Dept. of Revenue. A laptop computer containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee containing personal information on 30,000 taxpayers.
* February, 2007. Kaiser Medical Center. A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients.
* March, 2007. Los Angeles County Child Support. Two laptops were stolen containing data on almost 250,000 individuals.
* April, 2007. Baltimore County Dept. of Health. A laptop containing personal information including names, date of birth, Social Security numbers, telephone numbers and emergency contact information of 6,000 patients who were seen at the clinic between Jan. 1, 2004 and April 12 was stolen.
* April, 2007. Chicago Public Schools. Two laptop computers containing the names and Social Security numbers of 40,000 current and former employees were stolen from Chicago Public Schools headquarters.
* April, 2007. ChildNet. Laptop stolen from an organization responsible for managing Broward County's child welfare system. The laptop contained personal information on 12,000 adoptive and foster-care parents including financial and credit data, Social Security numbers, driver's license data and passport numbers.
* April, 2007. Neiman Marcus Group Inc. Neiman Marcus acknowledged this week that sensitive information on up to 160,000 current and former employees was housed on a laptop stolen from one of its consultants.
* May, 2007. Texas Commission on Law Enforcement Standards and Education. A computer was stolen from the state agency that licenses police officers. It contained personal information on 230,000 individuals - every licensed peace officer in Texas - including SSNs, driver's license numbers, and birth dates.

No, I didn't make that last one up. It actually happened. And so did all the rest. And this is just a tiny, tiny sample of the reports.

It raises the question: is there any enterprise data left to steal? Are there any enterprises that wouldn't show up on this list, given enough search time?

It also creates another question - are we allocating our expenditure on security the right way? If fully 60% of our data is now moving through the revolving door, shouldn't we be defocusing the perimeter, and focusing more on end point security?

The answer is, of course we should - and companies like Authentium and Fiberlink are well-placed to meet those needs.

But in addition to beefing up end point security, administrators need to start questioning the need for data to "grow legs" - before it leaves the building.

Monday, May 21, 2007

CSRF and the Perils of Convenience

Since the recent advent of tabbed browsing, I've become a fan.

The idea that you can log into email, then open a new tab and browse news, then open yet another tab and check your bank account, then open another one and search for a recipe... this is a welcome addition to Internet browsing, and a very convenient and excellent way to surf.

Or is it?

Today, Ray Dickenson, our head of Innovation, gave me an update on what hackers are doing with a close cousin of cross-site scripting (XSS) that is now "headed for prime time": cross-site request forgery (otherwise known as CSRF, or "sea-surf").

Note: When an attack has a snappy name, you know it's headed for prime time.

The CSRF attack is also known as the "Confused Deputy" attack (hey - another snappy name!) because it confuses a source of authority (i.e. your web browser) into permitting something to happen that shouldn't (i.e. like using your logged-in identity to transfer funds.)

This is a potential problem for those of us that like tabbed browsing, because chances are, you're logged into something useful/valuable via one of those windows.

Here's the scam: you wake up, turn on your PC, and log into your bank. You check your stocks, make sure your spouse's current account activity is in line with what you expected, then open a new tab. You check the news. Then you open a new site, and search for something interesting and the search takes you to a video site. The video has a title and a sexy splash shot guaranteed to make you click. So you do.

Unfortunately, buried in the page behind the hyperlink you just clicked on is a hidden HTTP request to your (top-five branded) bank, asking it to transfer a thousand bucks to an account on the same network (attention web developers: forget what you've heard, both GET and POST requests are equally vulnerable - a hidden form can be auto-submitted with POST just as easily as an image tag fires a GET).

And if the scammers are even a little bit into taking the trouble to create a good user experience, the same page will even launch the requested video using AJAX. Nothing trips the browser's cross-site scripting protections, because the forged bank request is an ordinary cross-site form or image request, and the attacker never needs to read the bank's response.

Here's what happens next: while you watch the video - and are mightily entertained - the hidden request is sent to the online bank you stayed logged into in your other tab, and, if it is within your daily limits, executed.

Do you get a pop-up window, asking you to approve the transfer? Maybe, but not at all sites. Would you read it? Hopefully - but not at all times. Either way, statistically, the scammer wins.

The user defense to this is easy: never launch another browser window without logging out of the first one (goodbye, tabs!), clear out your cookie cache after every session, and learn to "just say no" when a web portal offers to store that login state for you for *two weeks*.

The web developer defense is easy, but invisible to users - read up on per-session anti-CSRF tokens carried in hidden input fields, and the "double submit cookie" pattern (the same random value sent as a cookie and again as a form field, which a cross-site page cannot do), folks. You may not garner any respect from users upon implementing this - it is nigh impossible for a user to know you've implemented session-specific tokens, for instance, unless they peruse your code - but at least you'll feel better knowing you made the net a safer place.
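To make the developer defense concrete, here is an added example (mine, not code from the original post or from Authentium) of a transfer endpoint that rejects the forged request described above. Everything in it is hypothetical: there is no real bank, the "requests" are dicts constructed inline to stand in for HTTP requests, and bank.example / videos.example are made-up origins. It shows a session-bound token in a hidden field, the double-submit-cookie variant, and an Origin check, and replays the scenario from the post: the victim stays logged in while a video page auto-submits a transfer.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret used to bind tokens to sessions; never sent to clients.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://bank.example"  # assumed origin of the legitimate site


def issue_csrf_token(session_id):
    """Mint a token for the logged-in page to embed in a hidden form field.

    The nonce makes each token unique; the HMAC over (session_id, nonce) ties the
    token to one session, so a token from the attacker's own account is useless
    against the victim's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def verify_double_submit(request):
    """The "double submit cookie" variant: the form field must equal the csrf cookie.

    Needs no server-side state; a cross-site page cannot read the cookie, so it cannot
    fill in the matching field. It assumes the attacker cannot set cookies for the site."""
    cookie = request["cookies"].get("csrf")
    field = request["form"].get("csrf_token")
    return bool(cookie) and isinstance(field, str) and hmac.compare_digest(cookie, field)


def origin_allowed(headers):
    """Reject requests whose Origin (or, failing that, Referer) is another site.
    A request carrying neither header is treated as untrusted."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin.startswith(TRUSTED_ORIGIN)


def handle_transfer(request):
    """State-changing endpoint. `request` is a constructed dict standing in for an
    HTTP request: {"method", "cookies", "headers", "form"}. Returns (status, message)."""
    # POST-only is not a defense by itself (a hidden form can POST), but it kills the
    # plain <img>/link variant of the attack and is a precondition for token checks.
    if request["method"] != "POST":
        return 405, "transfers must be POSTed"
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    if not origin_allowed(request["headers"]):
        return 403, "cross-site origin"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    amount = int(request["form"]["amount"])
    return 200, f"transferred {amount} to {request['form']['to']}"


def demo():
    """Replay the post's scenario and return the HTTP status of each attempt."""
    victim_session = "sess-victim-1234"  # value of the victim's session cookie

    forged = {  # auto-submitted hidden form on the video page
        "method": "POST",
        "cookies": {"session": victim_session},  # the browser attaches the victim's cookie itself
        "headers": {"Origin": "https://videos.example"},
        "form": {"to": "attacker", "amount": "1000"},  # no token: the attacker never saw the bank page
    }
    forged_via_get = dict(forged, method="GET")  # the <img src=...> flavour of the same attack

    legit = {  # the bank's own transfer form, which embedded a token for this session
        "method": "POST",
        "cookies": {"session": victim_session},
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"to": "landlord", "amount": "1000", "csrf_token": issue_csrf_token(victim_session)},
    }
    return {
        "forged": handle_transfer(forged)[0],
        "forged_get": handle_transfer(forged_via_get)[0],
        "legit": handle_transfer(legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the session-bound token and the Origin check are independent layers: older browsers send no Origin header and Referer can be stripped, so the token is the check you actually rely on, and the origin check is a cheap early rejection.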

My prediction? CSRF and Confused Deputy attacks will, with the growth of tabbed browsing and persistent login, grow to become a major issue. They will cause pain for us "triple-tabbers" for years to come.

Note: You don't really need to be using tabbed browsers to get hit by this attack - if you don't log out, and your site doesn't expire the cookie automatically, you're still vulnerable. As for the tabbed browser focus, I just focused on tabbed browsers because I like them.

Saturday, May 19, 2007

George Ou on Crapware

Okay, I admit it: I love George Ou.

George, who blogs on ZDNet's site, is one of the clearest-thinking guys in IT, and his posts are written with a clear eye and a lack of bias. In a world where stream-of-consciousness blogging and bias is almost expected, George is a welcome voice.

His latest blog is a must-read if you just purchased a new PC.

Why? Chances are, upon starting up your new computer, you encountered the problem commonly referred to by industry experts as "crapware": pre-installed, branded, often-castrated software designed to promote the download and installation of a premium product.

We have to deal with this stuff all the time - many PCs these days often come with multiple security programs pre-installed, many of which are not designed or configured in any way that would enhance security.

We've encountered situations where manufacturers purposely leave out the uninstall program altogether (which, if you read one of my most recent posts, fits the definition of "spyware".)

As a result, Authentium has become expert in uninstalling crapware from multiple manufacturers as a precondition of installing *actual security* - i.e. fully-functional security applications.

Anyway, back to George. If you have recently encountered crapware upon purchasing a new PC, check out George's latest blog posting - "Killing The Crapware Problem on PCs". It provides a crystal-clear, step-by-step explanation of how to deal with all the stuff that brand-new PC's throw at you on startup, including an analysis of the best utilities for the job.

Here's a direct link to the story - happy uninstalling.

Note: George's post leads off with a link to one of the funnier Mac vs. PC ads. I doubt there is a computer user alive that can't relate.

Thursday, May 17, 2007

The Real Cost of Stolen Credit Cards

Joe Pereira of the Wall Street Journal recently wrote an excellent article on the world's largest-ever theft of credit card numbers - an incident that involved a wireless hacker and various divisions of the TJX retail business.

According to the Wall Street Journal, over 45,700,000 credit card numbers, mostly of US residents, an undisclosed number of driver's license records, and approximately 451,000 social security numbers, were stolen by a hacker sitting in a parking lot outside a TJMaxx store, who used a laptop and a telescopic antenna.

TJX, it appears, utilized such poor network security that the hackers were not only able to break into their database with relative ease, but felt comfortable enough to leave encrypted messages lying around for each other alongside the files, detailing what work had already been done (i.e. "I've copied all the cards in this file"), in order to make the process of stealing the consumer information more efficient.

Let's pause for a second and consider the real costs of this fraud. According to the article, fraudulent charges are showing up on the credit card reports of consumer customers of banks up and down the country, as carders snatch up the cards and use them everywhere from FL-based Walmarts, to Mexico, to Australia.

As a result of the wide-ranging nature of the fraudulent spending, many of the affected banks have either had to replace the cards of their consumers, or draw up plans to do so. Needless to say, the banks are *not* happy with TJX - some 21 banks in the Northeast have come together in a lawsuit and Barney Frank has legislation on the boil.

Why are the banks not happy? The reason is the *$690 million* cost they will now potentially have to bear to replace all those cards. Read on.

I decided to ask a few sources about the cost of replacing these compromised cards. The lowest estimate I received was $8 per card, not including re-issue, database update costs, shipping and handling, and customer service calls. The highest? $50 per consumer, all-in, including customer service costs.

According to the WSJ, TJX has made a private allocation of $20 million to cover the risks associated with the massive theft: that is the amount of fraudulent transactions they expect will result from use of the cards. However this ignores the real cost to the banks - and to consumers - in time, handling and replacement of physical materials.

$20 million doesn't even come close.

Let's draw the line down the middle and assume a $30 credit card replacement cost - in reality, the small issuers are going to be closer to $50, and the larger banks closer to $20, just based on ability to scale, and quality of service. If you draw the line here, and assume that the "50% of the cards were expired" data is correct, the "cost" to banks of the TJMaxx credit card database theft lies in the region of 45.7 million cards x $30 = $1.37 billion, halved for the expired cards, or roughly $690,000,000.

No wonder congressmen are drawing up legislation - there are whole industries in this country that don't generate $690,000,000 in business.

What can be done? Obviously, every business that handles credit cards needs to treat this incident as a "wake up call" and run an audit on their security - as soon as possible. Laws need to be passed that place the burden of loss on the retailer, not the bank. Shareholders need to educate themselves.

And, finally, Congress and the Secret Service need to act - and start mandating the use of stronger database security technologies and emerging "secure client" technologies such as our own Authentium TSX-based VirtualATM. The costs of these technologies are far less than the costs quoted above.

There are a lot of ways in which we can improve the security of consumer transactions, and the longer we wait to implement them, the more risk there is of another TJX incident exploding onto the scene and draining yet another half-billion dollars from the banking system.

Wednesday, May 16, 2007

A Short History of Spyware

One of the mild inconveniences associated with being an executive at a security software company is you find yourself doing a lot of trouble-shooting and question-answering for friends, family and neighbors. One of the questions I get asked most, apart from "what are computer viruses?" is "what is spyware?"

The term "spyware" denotes a class of computer programs that:

1. Install without permission (or on the basis of misleading info)
2. Maintain a presence on your PC on terms you never agreed to
3. Interface with a human (or machine) you have not requested a relationship with
4. Transmit data using a system you have no control over
5. Typically do not come with "uninstall" routines ;-)

In other words, spyware is something you never asked for from someone you don't know. It is a tool that transmits an unknown amount of your personal data to an unknown destination using systems you know nothing about. It is something designed so you won't know it is there, and won't be able to get rid of it once you find it.

Authentium is the world's leading licensee of antispyware technologies, and we maintain a useful database and pretty terrific scanner of our own as well. One thing I have noticed in all of the demonstrations I have witnessed on antispyware over the past few years is that a slowdown in computer performance is a usually-reliable sign that you may be infected.

If your machine is acting strangely, or performing slower than normal, it is time to run a spyware scan. Spyware is generally written in a hurry, and not optimized to utilize your memory in the most efficient manner.

Some people make the mistake of thinking "if I can see the program, then it isn't spyware." Be careful. Spyware is not necessarily invisible upon install: in fact, some of the most effective forms of mass-market spyware are known to masquerade as browser toolbars, antispyware applications (!), and video games - and conduct their nefarious activities in plain view of the target.

For more information, Wikipedia has an excellent overview of the origins of spyware, including a couple of data points that I was unaware of (such as the first use of the term back in 1995, on Usenet) - here's a snapshot of that info in bullet-point form:

* The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model.

* Spyware at first denoted hardware meant for espionage purposes.

* In early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Since then, "spyware" has taken on its present sense.

* In early 2001, Steve Gibson of Gibson Research realized that advertising software had been installed on his system, and suspected it was stealing his personal information. After analysis, he determined that it was adware from the companies Aureate (later Radiate) and Conducent. Gibson developed and released the first anti-spyware program, OptOut.

* According to a 2005 study by AOL and the National Cyber-Security Alliance, 61% of surveyed users' computers had some form of spyware. 92% of surveyed users with spyware reported that they did not know of its presence, and 91% reported that they had not given permission for the installation of the spyware.

* As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. In an estimate based on customer-sent scan logs, Webroot Software, makers of Spy Sweeper, said that 9 out of 10 computers connected to the Internet are infected.

* Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks not only because IE is the most widely-used, but because its tight integration with Windows allows spyware access to crucial parts of the operating system.

Tuesday, May 15, 2007

Online Criminals Targeting Tax Refund Checks

This year, the IRS took the somewhat unusual step of issuing a pre-tax filing deadline warning - about the growing number of fake tax filing sites online.

According to the IRS, these phishing sites look very similar to many of the 19 sites officially sanctioned by the IRS. They have form fields designed to accurately and efficiently capture your first name, last name, social security number, home address and date of birth.

Nothing better suits an identity thief than a form full of taxpayer information. Especially when that form includes bank account information for the refund check.

When that information is included, criminals don't even need to steal your identity - they just do a "pass through": change the banking and refund information, submit the form on your behalf, and wait.

Before you've made the call asking where your check is, it's already been deposited, and withdrawn - half a world away.

In an interview with MSNBC's Brian Braiker, Terry Lemons, spokesperson for the Internal Revenue Service, acknowledged the existence of the above scams, noting that they had uncovered such a scam just a few days before filing day:

"What we discovered late Friday is that there was a site pretending to be one of the affiliates to get these people’s tax information, with official looking logos. If you stumbled onto this site you might think it’s legitimate."

"People were entering info, and the [people behind the scam site] were taking the bank account number, changing it to their own, and having the refund routed to their bank account."


He suggested taxpayers should only go to the 19 officially-sanctioned sites "directly from the IRS web site". The only problem with this is the number of ways criminals can divert traffic away from these legitimate sites to equally official-looking sites.

If you did visit a tax filing site that promised lower filing fees or some other benefit - and you're not sure it was on the list - you could go back through your browser history and take another look at it... maybe check the URL listed in the form field and see if it makes sense to you...

But the reality is, if you were scammed, the only thing you can do is wait for your check to come - and watch carefully for activity in the area of your bank account. The following comment from a Newsweek reader, Ms. Teresa Fleming, dated April 17, shows this kind of diligence can pay dividends:

"I recently filed my taxes electronically. Within days someone illegally accessed my bank account, set themselves up as a payee and scheduled themselves a large payment from our account on the same day we were scheduled to receive our tax refund."

"Although we cannot be absolutely sure that it was because we filed our taxes electronically, it certainly seems the most likely scenario since they were attempting to withdraw the money on the exact day that we were scheduled to receive our refund. In addition, they managed to access our account within days of our filing our tax return electronically."

"Fortunately for our family, our bank sends out an alert anytime there is a change made to our account and we were able to prevent the theft. However, we had to close our checking account; order credit reports and are still in the process of working with the bank and notifying the IRS."

"We have already notified the tax filing software program company. Although we have filed electronically in the past, we will not do so in the future. The risk is simply too great."


In this instance, Ms. Fleming got lucky - in the "diversion" scam mentioned by the IRS, it is unlikely any error would ever be noticed, because the action taken by the criminal - changing the refund remittance information - is only known to them.

The fact the form was submitted for processing rather than discarded by the criminal makes this a much more elegant scam than simple theft, and much harder to wipe out.

Hopefully, by next year, there will be a better system in place - one that will enable consumers to stop worrying about whether or not their tax refund checks will turn up. Authentium makes a solution that I believe has the ability to prevent this kind of scam in the future - hopefully this will alleviate some of the uncertainty about filing online.

We're currently showing it to several of the folks on the list, along with some of the relevant tax filing software companies. With a bit of luck, it will be in place prior to next year's filing date.

Fighting Common Sense

I just read in the US News and World Report - my old neighbors in DC at the 2400 N Street Building - that the ban I talked about earlier today on US military personnel accessing Internet sites YouTube.com, iFilm.com, and MySpace.com is not really that much of a big deal.

According to the PR folks quoted in this report, the talk of censorship is "overblown" and for most of the military it is business - and blogging - as usual, via Internet cafes and calling centers at all of the larger US bases.

Soldiers, the magazine reports, can log on to Internet services provided by private contractors for just $70 per month.

This is somewhat surprising news - because I recently encountered an article on a DOD policy change instructing soldiers to run any blogs, videos, emails, etc past their commanding officers. This excerpt is from Noah Shachtman, writing in Wired:

...an alert came down from highest levels of the Pentagon that "effective immediately, no information may be placed on websites … unless it has been reviewed for security concerns," and the Army announced it was activating a team, the Army Web Risk Assessment Cell, to scan blogs for information breaches. An official Army dispatch told milbloggers, "Big Brother is not watching you, but 10 members of a Virginia National Guard unit might be."

Like I said earlier, I'm all for enabling URL filtering if bandwidth cost reduction, workday productivity, and family environment are the drivers, but the censorship of adults using the Internet on their own free time - while on break from active duty supporting the rest of us in the free world - just isn't right.

The DOD should restore access to the video upload and download sites immediately. South Korea, one of the affected zones, leads the world in broadband access - getting the network interconnects upgraded shouldn't be too tough in that neighborhood.

As for security, it certainly sounds from the above Wired extract that they have the policing capabilities to figure out the security issues.

Verizon/CyberTrust Deal is a Smart Move

Long, long ago, when we were starting Authentium, we met with a company called Baltimore Technologies, which at that time was looking for a suitor. A public key infrastructure vendor and distant competitor to VeriSign, Baltimore never quite made it out of the gate with the same amount of "oomph".

The assets of Baltimore Technologies eventually ended up pooled with those of Ubizen (a European MSSP), TruSecure (a professional services and consulting company) and BeTrusted, which became the owner of Ubizen in September 2004. The whole thing eventually came together under the CyberTrust banner, along with ICSA (formerly the International Computer Security Association) Labs.

The resulting grouping of these technologies has been well managed and developed, and now presents a strong, unified offering. Authentium is one of several security companies that use the certification services of ICSA Labs (according to InfoWorld, ICSA Labs certifies 95% of the security applications offered on the US market today).

So what does this merger/acquisition mean for telecoms, security and SAAS - and Verizon shareholders?

Firstly, it means one more security software company just got taken off the market by a large company that isn't a core security software developer, but a service-based infrastructure company.

Secondly, it shows telcos are serious about identity management. This combination of the technologies available within the CyberTrust umbrella will go a long way towards solving Verizon's identity management problems - and enable them to better create a solid platform for the services Verizon is already offering, or planning to offer.

Thirdly, it shows service providers are smart - and focused on the fact that security issues are becoming much harder to solve than they used to be. Like Authentium partner BT's acquisition of Counterpane before it, this deal will give Verizon the ability to support computer forensic analysis services and technology certification.

Finally, it shows that even with only a small amount of the market penetrated, SAAS is here to stay. This acquisition further confirms what we have been saying for years: within ten years, 100% of security software is going to end up as an embedded service within your data access provider's business offerings.

There are several reasons. The two most obvious reasons are that telcos already have service-based billing platforms and customer service departments. But the big reason I think they are going to win with these mergers is the combining of software-based IP with their service-based sales forces - and loyal customer bases.

In my experience, the telcos have always had pretty impressive dynamic sales departments, and far stronger ties to large customers than software vendors.

Verizon shareholders should rejoice. This is a smart deal.

Monday, May 14, 2007

DoD Censorship of YouTube

Today, the DoD announced it would block access from NIPRNET to MySpace and YouTube, among other web sites (1.fm, MTV.com, Hi5.com, and Live365.com are also on the list, among other video upload and social networks). David Utter has a piece on his blog about it here.

The official reason? It appears soldiers in the field are using up too much bandwidth uploading and watching videos, and attending to their blogs - bandwidth that DoD officials say is needed to support massive real-time data transfer from unmanned surveillance planes and the like.

In a statement, Julie Ziegenhorn, spokeswoman for U.S. Strategic Command said:

"We're not passing any judgment on these sites, we're just saying you shouldn't be accessing them at work... This is a bandwidth and network management issue. We've got to have the networks open to do our mission. They have to be reliable, timely and secure."

Secure? From what?

There has been a lot of commentary recently about the in-battle videos posted by the new form of "embedded reporter" - the soldier-turned-documentary-filmmaker. Much head-shaking has been directed at the violent (and horrifying) footage uploaded by these front-line reporters. It was only a matter of time before someone would make the move that was made this morning.

Unfortunately, whoever made this decision seems to have forgotten that much of the support for the wars in Afghanistan and Iraq comes from the guys in the fight - the same folks that will now have to wait until they get home to blog: US-based military personnel are unaffected by the ban.

As the leading licensee of content filtering technology, at Authentium, we get to see a lot of client-side and server-side solutions. Some of the arguments - that businesses have the right to control their bandwidth, and block web sites that diminish productivity, and parents have the right to create an environment on the Internet that matches the environment young children experience at home - are solid arguments.

But the difference is, we get to go home after work and log on to an unfiltered, uncensored Internet. For the guys on the front lines, there is no "after work".

My prediction? This will prove to be an ineffective move and will be dumped by mid-year. Leaving the front line troops out of the public argument by blocking access to MySpace from NIPRNET will have a negative effect on public opinion, as negative-sentiment bloggers start to outweigh "positive" support for the war from the guys fighting it.

Either that, or the troops will turn to unauthorized Internet proxies created expressly for the purpose of uploading videos, leading network administrators into an arms race of their own, as they scramble to catch up with what I can only assume will be a wily and formidable adversary. ;-)

Tuesday, May 8, 2007

Protecting Consumer Data Online

Over the past few months, we've been keeping a close eye on some of the widget releases from security and financial firms, and on some of the web forms associated with account acquisition as well.

We've come across several widgets whose architecture is vulnerable to trivial modification by malware. One of the widgets, a login widget produced by a major financial services company, loads its login URL from a plain text file on the user's machine.

Modifying that URL is easily accomplished by any malware running with the user's privileges, with the result that a hacker could send consumers to a fake login site and steal their credentials without the widget ever noticing.

We called the company responsible and showed them the issue. They understood the problem and were very responsive to our suggestion that they hash this information and check its integrity before use, using a combination of client-side and server-side technologies.
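As an added illustration of the widget problem just described, here is a vulnerable loader beside a hardened one. This is example code written for this post, not the code of the widget vendor in question or of Authentium; it assumes a JSON config file with a `login_url` field, an HMAC-SHA256 tag in a `sig` field, a demo key (`DEMO_KEY`) and a pinned host name (`EXPECTED_HOST`), all of which are constructed for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample values for the example (not from any real product).
LEGIT_URL = "https://login.example-bank.test/signin"
EXPECTED_HOST = "login.example-bank.test"      # pinned in the widget code, never read from the file
DEMO_KEY = b"demo-key-not-for-production"      # stands in for the vendor's real key management


def load_login_url_insecure(config_text: str) -> str:
    """Vulnerable design: trust whatever URL the text file holds.

    Any malware that can write the file can redirect the widget to a phishing site.
    """
    return json.loads(config_text)["login_url"]


def sign_config(url: str, key: bytes) -> str:
    """Server side: emit the config with an HMAC-SHA256 tag over the URL."""
    tag = hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()
    return json.dumps({"login_url": url, "sig": tag})


def load_login_url_verified(config_text: str, key: bytes) -> str:
    """Hardened loader: verify the integrity tag, then pin scheme and host.

    The host pin is the client-side backstop for the case where the attacker
    has also obtained the key (it sits on the same machine as the malware).
    """
    cfg = json.loads(config_text)
    url = cfg.get("login_url", "")
    sig = cfg.get("sig", "")
    expected = hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(expected, sig):
        raise ValueError("config integrity check failed")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != EXPECTED_HOST:
        raise ValueError("login URL does not match pinned host")
    return url


def tamper(config_text: str, new_url: str) -> str:
    """Simulate malware rewriting the URL in the config file without re-signing it."""
    cfg = json.loads(config_text)
    cfg["login_url"] = new_url
    return json.dumps(cfg)


if __name__ == "__main__":
    signed = sign_config(LEGIT_URL, DEMO_KEY)
    evil = tamper(signed, "https://login.example-bank.test.evil.test/signin")
    print("insecure loader follows:", load_login_url_insecure(evil))
    try:
        load_login_url_verified(evil, DEMO_KEY)
    except ValueError as err:
        print("verified loader refuses:", err)
```

The HMAC check catches a rewritten file; the scheme and host pin catches a rewritten file that was re-signed with a stolen client key. Neither replaces the server-side half the post recommends: a key that lives on the same disk as the malware is only a speed bump, so the server should also confirm the URL or hash the widget reports before accepting credentials.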

The issue of what to do about protecting data collected and submitted via web forms is equally in need of a security makeover.

As I pointed out in my recent blog about the FTC's poorly conceived identity theft report process (FTC Identity Theft Form a Keylogger's Paradise), the idea of using a web form to aggregate social security numbers, names, addresses and other personally identifying data from consumers needs to be reviewed by financial services firms and, now that tax time has come and gone, by online tax filing companies.

What can be done to improve data collection processes and protect consumer data? Authentium has developed a technology that enables data collected via a web form, such as tax or financial information, to be aggregated using a normal browser and submitted safely to the target database, without threat of interception, "man in the middle" attacks, or attacks from keyloggers.

It may take an attack of some size, or simply the reaching of a tipping point, for this technology to become mandated, but the facts are clear: there is a growing problem, a better technology is available to protect consumers than the processes currently in use, and consumers deserve better protection for their data.

Monday, May 7, 2007

Mujahedine Secrets

Since January, iDefense has been analyzing an encryption program they obtained that appears to have been developed by a group that calls itself the Global Islamic Media Front (GIMF).

This analysis illustrates just how much the world of threat mitigation may be changing. The encryption program, released on Jan 1st 2007 and named "Mujahedine Secrets" by its creators, takes the form of a stand-alone executable that needs no installation, and targets non-English speaking users.

The portability of the program - Jim Melnick, the Director of Threat Intelligence at iDefense says the program can be run from a USB key - is designed to appeal to terrorists making use of Internet cafes and kiosks.

iDefense says that the program is currently being "marketed" on hacker and pro-terrorist forums. I found a copy of one such advertisement here.


In the advertisement, the software is marketed as being "the first Islamic computer program for secure exchange [of information] on the Internet," and it provides users with "the five best encryption algorithms, and with symmetrical encryption keys (256 bit), asymmetrical encryption keys (2048 bit) and data compression [tools]".

The CounterTerrorism Blog links the GIMF with Al-Qaeda - and it certainly sounds as if GIMF has a political objective. According to the SITE Institute, the GIMF is "a jihadist mouthpiece, and visual and print media organization, usually associated with Al-Qaeda."

It kind of sounds like it - the last time this group made it onto the world stage was with the September 2006 release of a video game entitled “Night of Bush Capturing.” The game, a shooter featuring segments entitled "Bush Hunter Like a Rat" and "America's Hell" was targeted at teenagers and distributed via jihadist forums.

But building video games (based on an existing engine) and developing encryption software require somewhat different skills. Is this being developed by the same group? I would be interested to hear further feedback from Arabic speakers as to the intent contained within the advertisement. Is the software GIMF's own? Or is it a "private-label" repackaging of PGP, or of some other pre-existing encryption software built for non-criminal purposes?

Whatever the answer, there is a silver lining in this cloud for those inclined to think positive about negatives: assuming this encryption software finds a wide release among terrorists, and becomes a standard tool among their operatives worldwide, we will at least know how to best direct our code-breakers...

Thursday, May 3, 2007

Digg.com: Publish and be Damned

As Kevin Rose, the founder of Digg.com, said on his blog last night, yesterday was a rough day for Digg.

Beset with lawyers armed with cease and desist letters, Kevin and his management team had to decide what action would best appeal to their community of users: remove published keys designed to protect HD-DVD titles from the site, or allow them to remain published.

For those of you not familiar with the story, the cracking of the HD-DVD code isn't new - it happened back in December, and an application made by SlySoft Software has been available since February that (ostensibly) enables users to "back up" their HD-DVDs.

So what changed? The bloggers at rudd-o.com have been trying to make people more aware of the issues surrounding the crack (and, apparently, succeeding). It appears someone from this site (or spurred on by the site) put up the initial post at Digg.com that contained the keys that unlock the HD-DVDs.

Initially, on the basis of receiving the C&D letter, the Digg guys made the decision to take down the keys. Then, late yesterday, they reversed this decision and reinstated the postings. Then, just to make things even more interesting, around 11pm, the site went dark.

Which brings me to the point of this blog.

Like the scientists who originally created the keys for the Hollywood studios to use to protect their assets, our company, Authentium, is in the trust business.

It makes me mad to think of the amount of development work that went into creating the protection mechanism - and how many assets have been placed at risk by the guys who cracked it.

As a CEO *and* long-retired ex-songwriter who is more amused than excited by my $9.17 annual royalty check (from a long-forgotten ditty written 25 years ago that fifteen years later somehow found its way into an Alicia Silverstone movie), I think I can understand how people who depend on copyright protection to pay a studio full of salaries must feel - not to mention all the single contributors who maintain families solely on the basis of royalty remittances.

However...

The value of an open market for information lies in the openness of that market. As the "Godfather", Bruce Schneier, likes to say: "Security through obfuscation isn't security." Security flaws get fixed faster when information about them hits the open market - and that is indeed what has occurred with the HD-DVD crack.

From a security perspective, once the keys have been published, the game is over. And the end result is: the security just wasn't good enough.

And what of Digg? It doesn't matter that Digg.com is in the business of "continuous publication" - the fact that the keys have been published *once* means that they have already propagated to at least a subset of the folks most interested in them.

In the end, this makes Digg no different from the newspapers of previous generations. The phrase "publish and be damned" still applies. And the value of a post-publication cease and desist letter remains what it has always been: zero.

Note: Newer HD-DVDs are being mastered with a different set of keys (the AACS scheme allows a compromised key to be revoked for discs pressed afterwards) - crackers, good luck copying that Shrek 3 DVD when it hits the shelves.

Tuesday, May 1, 2007

Antivirus is Dead, Long Live Antivirus!

There's been a lot of speculation recently around the future of desktop antivirus, and whether or not desktop antivirus will still be required "in the future" - i.e. once behavior-based systems become finely-tuned enough to deal with a majority of computer viruses.

The answer to this question is "antivirus is not going away any time soon".

As Robert Sandilands has already indicated in his Virus Blog, signature-based desktop antivirus will remain firmly in place, but will be complemented by advanced heuristic analysis, such as the type that we are building into our version 5 engine.

Safety mechanisms rarely disappear. Like car seatbelts, which were later augmented by airbags, desktop antivirus will remain a core component of device security solutions for years to come, as will other defensive technologies such as antispyware, antiphishing and URL filtering.

Antivirus will disappear eventually - the day that all data traversing the Internet, and all interacting consumer and corporate identities, become 100% trustworthy.