Drive-By
Incite Redux: Day 5 - Night of the Internet Dead
Good Morning:
Ah Friday. On vacation, every day is Friday, isn't it? But when you are at the beach, it always helps to have a Plan B. Inevitably it rains, and when it rains, you better have a plan to keep the kids occupied. Or it gets messy pretty quickly. Optimally, you get a half and half: glorious sunshine in the morning with the weather rolling in around 2 PM.
By then, the kids are beached out and they probably don't need any more sun at that point. Then we can bring them back to the house, feed them and get some naps in. Maybe a late afternoon movie would be on the plan as well. It's also good to have some games to play and art projects ready to go. Better to be prepared than have a bunch of bored kids writing on the walls of the rented house.
It used to be a lot easier. There was one thing we'd do on a rainy beach day BK (before kids). Right to the bar. It could be 10 AM or 2 PM, no matter. If it was raining, I was drinking. That always helped my sleep habits too, since I'd usually be incoherent right around dinner time, so I'd eat and then pass out. After a few hours of sleep, I'd go for round 2. What we could do when we were young...
But I am not that young anymore. Nor do I live in the past. So right about now, it's probably time to break out Sorry or Chutes and Ladders. I can't wait until we can bust out the Monopoly and Stratego. Of course, by then the kids will want to play online with kids from around the world, I'm sure. Yet, I can still hope for family game day, can't I?
Have a great weekend.
Incite #5: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to multiply exponentially. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and on training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.
Read the original Days of Incite post on this topic.
6-month grade: A
I'm happy to wind up the first week of Incite Redux on a high note.
This Incite (although obvious) has certainly come to pass. We hear
about new and more sophisticated bot networks weekly. We are starting
to learn just how advanced the crime organizations are that drive much
of the cyber fraud around the world.
I heard (anecdotally, of
course) that one of the crime networks has built a database of private
information that rivals "legal" information sources like ChoicePoint.
Of course, that could be boasting and hyperbole, but to think that a
crime database that size is within the realm of possibility is nothing
short of shocking.
If you've made it through the first half of the year with no issues,
none of your users losing their devices, none of your trading partners
firing someone who had access to your stuff, and no public disclosures,
then pat yourself on the back. I'm not sure if you are lucky or good,
but all the same - the likelihood that you'll have the same answer next
year is pretty small.
So plan for the inevitable. There are a lot of very smart guys that I hang around with, who make a living trying to figure out what attack is next. They find a lot of bugs and they do the right thing by responsibly disclosing those "features" to the vendor in question. Most of the time anyway. But for all the smarts these guys have, they missed little things like Melissa and SQL Slammer. They missed many of the new social engineering attacks and the crimeware, spyware and other x*ware variants that have been compromising machines and converting devices into zombies at an alarming rate.
And this has nothing to do with the talent and capabilities of the
researchers. My entire point is that no one has a crystal ball. None
are practicing fortune tellers. One of the most valuable roles that
security research plays in the ecosystem is to find new attacks, pull
them apart, and figure out how to defend against them. But to be very
clear, in most cases, these folks are not working ahead of the curve.
They are working against the clock because the bad guys have already
weaponized the attacks.
Which is why the REACT FASTER doctrine is so important. No widget is going to protect you against an attack you've never seen. Although truly new attacks are fairly infrequent, they happen enough that we need to plan for the next one. So we monitor our networks and our servers. Also our databases and applications. We look for anomalies and other funky behavior that is not the norm. Then we investigate to see if that strangeness is just random or representative of a real issue.
Then we address the issue. Once that work is done, we live to fight another day. Take pride in the fact that most of the world reacts slowly, if at all. They are the ones that get to disclose breaches to their customers and mop up a real mess, if they can. Or they are constantly working on their resume and hoping their number doesn't come up before they get that new job.
It's true you can run, but you can't hide. All you can do is
REACT FASTER. And that deserves an A.
Photo credit: "fortune teller" originally uploaded by yunheisapunk
Drive-by: Bharosa - Another web authentication player
As the number of drive-bys I want to do continues to grow, I'll start to chip away by looking at Bharosa. They do authentication stuff for financial institutions. I came across a couple of their press releases over the past few weeks, and am particularly interested in the topic. Two-way authentication is going to be big in the 2nd half of the year as the FFIEC guidance suggesting stronger authentication gets closer to its end-of-year deadline.
So let's swing by their website (www.bharosa.com). Here are my first impressions:
- Headline doesn't mean anything to me - Identity theft is inevitable, but vulnerability isn't? What the hell does that mean and I tire of the old lock and key visual metaphor.
- They do "multifactor online authentication" - OK. I can get that. I'm not sure what exactly they mean, but at least these are familiar terms.
- IDC recommends these guys for FFIEC - Hmm. I guess they must have gotten some funding so they could pay IDC to say something nice about them. This isn't a positive in my book, but then I know too much about the business. But FFIEC indicates they are targeting the financials.
- They've got 10.4 million users licensed - I'm not sure what that means either, but it's a big number. Clearly they are targeting financials and have some decent numbers. This should be more prominent on the homepage because it adds some credibility.
- They have a video, let's check it out - This was pretty good. The CEO did the pitch and was clearly not a professional speaker, but did a decent enough job. It was too long. I lost focus about 2 minutes into the 5 minute pitch. But it did give a pretty good overview of what the product does and how it does it.
Overall assessment of the homepage is that it's pretty weak. Good thing I'm not one of those folks that just gives up if I don't see something interesting on the front page. So let's see what I can learn in the product section. Here are a few quick observations:
- They've got two products, Tracker and Authenticator (the video indicated this as well). Tracker verifies the user is coming from an authorized device, using it as kind of a second factor. And authenticator uses some visual authentication tokens to provide a multi-factor experience.
- Tracker works behind the scenes, using attributes like a user's device and location and even some behavioral stuff (like what they are doing) to determine if it is really the user. But that's about all the information that is there. Kind of like Cyota, in that they use a lot of different data sources to figure out if something is OK to do, but they don't seem to have any kind of policy to enforce contextual authentication (forcing the user through additional hoops depending on what they are trying to do).
- Authenticator is less clear (and it's not like Tracker is very clear). They protect the PIN. How? All they show on the page is a few graphical "virtual authenticators." I have no idea how this works.
So I dig a bit deeper into the product section and discover that I still have no idea what Authenticator does or how it does it. They claim it protects data from key loggers, etc. because neither the keyboard nor the mouse is used to enter information. Hmm. I guess they've mastered that elusive telepathic interface. Yeah, I'm lost at this point. Let me check out the Tracker page and see if at least I can learn a bit more about that.
Tracker does the work behind the scenes as I describe above. But it does seem that depending on what the policy says (and what they find through their analysis), it can ask for additional authentication.
Tooling around the site some more, it seems they are pushing FFIEC pretty heavily, as expected. They also have a deal with the Air Force to build some strong auth into their web applications. So not just financial centric.
Overall, Bharosa is playing into the hot strong authentication market. But after driving by their web site, I don't have any idea what differentiates them from someone like RSA, nor do I get a clear understanding of how their technology works. If I'm a buyer here, I probably move on, because the last thing I have is time to get someone to explain everything to me.
Just goes to show, if folks can't go to your website and tell what you do and how you do it, you better get back to work. End users will disqualify you from consideration if they have to do too much work to figure it out.
Drive-by: Spam Cube or should I say Scam Cube?
It seems that all the rage this week is about a new consumer device called the Spam Cube (www.spamcube.com). These folks have a box (and it comes in 5 fancy colors) that uses a "proprietary AI (artificial intelligence)" algorithm to block spam before it hits your computer. They are charging $150 for the box, but that includes the anti-spam services. If you want anti-virus and/or anti-phishing, there is a $52/year annual charge.
On the positive side:
- They have a cool demo on their web site of their install process. It seems to be pretty idiot proof, which for a consumer box is critical. It's not clear to me whether you need to install on each of the protected devices (up to 4 are supported) or not. If so, then it must reconfigure your e-mail settings to proxy through the Spam Cube to get your mail. If not, then it must sniff the wire.
- The marketing is very consumer friendly. Clearly they are targeting the unsophisticated user by promising to make their spam problem go away.
One question I have is how does it support mobile/remote users? I spend a bunch of time on my laptop and expect to get mail wherever I am. Hmmm. Let me ask. They have a chat button on their web site. Someone is on the session within a minute, so that is pretty responsive. I got a response in less than 2 minutes and my questions were answered within 5. That is good.
The answer to the question is that it won't support mobile use until the next release in August. That seems like a pretty big oversight, but what do I know? I've only been doing this for 15 years. I also found out you don't need to install software on each machine; it works by sniffing the wire. It also only supports 4 machines due to hardware limitations. I'm sure they spared no expense on top quality components.
So, why the inflammatory title - scam cube? Basically, consumers don't need this. Now I was the guy that did the rant about Bill Gates being wrong and spam still being a problem. But since then, pretty much every ISP has stepped up and is offering anti-spam and anti-virus as part of their service. Many are taking AOL's lead.
If you are a consumer or SOHO and your ISP doesn't offer this stuff as part of the monthly service, find a new ISP. It's that simple.
It's also not like consumers need to be worried about the amount of spam crushing their inboxes. If your desktop anti-spam works fine, then you are covered. It's only if you have a significant amount of mail traffic that you would need to get rid of the crap at the perimeter of the network.
Second is the price. Sure, people want to get rid of the spam once, and a box sitting on the perimeter is a good way to do that. But not for $150 and another $52/year for anti-virus. That's on top of the desktop protection that you need anyway. Finally, anti-spam is a feature of all of the desktop suites. This is certainly not replacing your desktop security suite, so you'd be duplicating a lot of resources and spending money needlessly.
So I think these folks have some good marketing, but ultimately the product isn't something that you as a consumer or SOHO need. Remember we are trying to simplify, as opposed to adding more stuff and that goes for your home network as well. Unfortunately I suspect these guys will sell a bunch of boxes to unsuspecting technical neophytes, who don't even know they can get this stuff for free.
Nice try, but no cigar.
Drive-By: RedCannon - Your Life on a USB Drive? - Not Yet
As part of my daily analyst ritual, I am always scanning the wires, looking for interesting stuff and trying to get a feel for the impact on the user of what I find. Yesterday I came across a press release from a company called RedCannon Security, and their KeyPoint access control system.
Basically, if you believe the marketing stuff (since I haven't tried it - I'll put that disclaimer on), KeyPoint gives you the ability to plug a USB thumb drive into any device and get your local desktop (through Citrix) with access to whatever corporate files you'd need to get to. You could then enforce whatever usage policies are in use on your internal networks. All of the cookies and cache are actually written to the USB drive, so there is no record or information left on the device.
Seems pretty cool, no?
The thing I struggle with is why do I need this? Sure, if I have a bunch of managers roaming around a shop floor and they need to quickly plug into a kiosk and get information, this could be useful. But if I'm a mobile professional, is this going to allow me to stop carrying around that friggin' laptop? My chiropractor wouldn't be happy with that, but I probably would.
I don't think this gets me there. I can do a bulk of my email when I'm travelling on my blackberry. Attachments are challenging and it's a pain to write anything more than a paragraph or two, but it's possible. But how long do I want to sit in a business center or Internet cafe on someone else's machine to catch up on stuff? I'm pretty sure those Internet access devices that plug into a hotel TV don't have a USB port or a Windows OS, so that won't work. I also need to work on a plane, so this doesn't really help me there either.
So in concept, I like this idea. If folks in your company always have access to some type of desktop, this could be an interesting solution to make sure your corporate policies are enforced regardless of where your users connect from. But I'm having a hard time understanding the use cases where this is anything but a niche. Yet another example of technology looking for a problem to solve.
To be fair, I have not spoken to RedCannon, so maybe they can explain more legitimate use cases to me. So why am I going to hit submit anyway? Because the rest of you out there don't have either the time or the desire to call up a company and figure out what they do. They need to be able to tell you quickly and succinctly. I hate it when I'm talking to a vendor and it takes them 45 minutes to tell me what they do. If it takes more than 5 minutes for me to understand your value proposition and how you do things (not necessarily the specifics, but the high level), then your messaging and positioning suck and you need to go back to the drawing board.
From time to time, I'll pick apart the public face of some company BEFORE I TALK TO THEM because that's what users do. The vendor may not like it, but too bad. Got to love the First Amendment. If they can't make their value proposition and use cases very clear from their external presence and collateral they aren't going to be around for too long anyway. I'm going to call these pieces "Drive-By."
I do promise to be fair, so if the vendor does want to clarify things for me, I'm happy to publish a follow-up telling everyone what I've learned. But be cautioned that this cuts both ways. If the story once I hear it is no better (or even worse), then I'm going to publish that as well.