.406 Ventures LiveFeed http://www.406ventures.com Latest news from aggregate feeds across .406's portfolio companies en-us Weekly News Roundup http://www.veracode.com/blog/2012/02/weekly-news-roundup-2/ Welcome to our Weekly News Roundup. Read on to learn about the latest this week in the world of security, put together for you by our marketing team. Enjoy! 1. Android users potentially hit by malware attacks: Two possible Android attacks, one, according to Symantec, due to thirteen applications from three different developers that have [...] http://www.veracode.com/blog/?p=3375 Penny Wise, Pound Foolish – Avoiding Security Spend Pitfalls: A Conversation with Wendy Nather http://www.veracode.com/blog/2012/02/penny-wise-pound-foolish-avoiding-security-spend-pitfalls-a-conversation-with-wendy-nather/ If your organization had an unlimited budget to spend on your enterprise security program, in what areas would you focus investments? Application security? Mobile strategy? Web Application Firewalls? Wendy Nather from the 451 Group and Veracode’s CTO Chris Wysopal presented the latest research on enterprise security spend, and discussed how to “make the case” for [...] http://www.veracode.com/blog/?p=3360 A Holistic Approach to Fraud and Risk http://feedproxy.google.com/~r/bankfraudforum/~3/wkAWM4xOW7Q/A-Holistic-Approach-to-Fraud-and-Risk.aspx <p>Bank Technology News (BTN) ran an article on the first of the year entitled “9 Trends Reshaping Risk Software”, and Trend 8, “The bringing together of different risk systems”, caught my eye (being a fraud guy). My observation over the years is that centralized / consolidated vs. decentralized/ siloed is a cyclical thing. The idea of consolidating and centralizing keeps coming back, so that tells me it is generally considered to be a good idea. One explanation for the cycle swinging the other way might be the technical issues associated with implementing the consolidated model. 
A common data model goes a long way toward resolving many technical issues and systems that run disparate solutions on a single data model are promising for the consolidated approach.</p> {1C1FB1FF-002D-46AD-90F2-6E8FE0D2C43F} FBI Says Cyberthreats to Overtake Terrorism as Top Threat http://blog.bit9.com/bid/77291/FBI-Says-Cyberthreats-to-Overtake-Terrorism-as-Top-Threat <p>The threat landscape is changing. Cyberthreats pose a more common and severe obstacle to most of us than traditional terrorism now. This does not mean – going forward – that real ground-level threats should be ignored or belittled, and of course these threats pose physical harm as opposed to digital ones. Nonetheless, cyberthreats need a larger acknowledgment as a viable problem in the coming years. Cyber War is not a current problem for the U.S., but it very well could be in the future as more states play a role in hacking opposing countries’ corporations and businesses to influence markets in their favor.</p> <p>Yesterday, <a href="http://abcnews.go.com/blogs/politics/2012/01/fbi-director-says-cyberthreat-will-surpass-threat-from-terrorists/" title="FBI Director Robert Mueller and National Intelligence Director James Clapper" target="_blank">FBI Director Robert Mueller and National Intelligence Director James Clapper</a>, testified at the annual Worldwide Threat hearing regarding future threats the country faces. He estimated that cyberthreats will surpass terrorist threats in the near future. 
He said, “Down the road, the cyberthreat, which cuts across all [FBI] programs, will be the number one threat to the country.”</p> <p>So how is this affecting you now? Well, currently, several countries are participating in corporate espionage. China, one of the main power players within this practice, is funneling intellectual property by the tera and petabytes from U.S. companies. <a href="http://www.youtube.com/watch?v=bKxCGJk7c1w&list=UU2YlYACiGBhpMzLSTAGvq-A&index=8&feature=plcp" title="Richard Clarke" target="_blank">Richard Clarke</a>, former advisor to the president on cyber security, discussed China’s new influence in hacking U.S. companies in a recent video interview (<a href="http://youtu.be/bKxCGJk7c1w" title="VIDEO" target="_blank">VIDEO</a>).</p> <p>Because hacking is largely an invisible threat, most corporations do not take security seriously. Many never realize they’ve been hacked, and if they do, it’s usually months – sometimes years – after being breached. What we are seeing is that corporations are forced to take it seriously when they are informed by the U.S. Government – usually the FBI – that their data and intellectual property have been stolen. This doesn’t just pose a threat to corporations, either; defense contractors need to take the threat seriously as well and outfit their IT ecosystem to protect against the advanced threat.</p> <p>“The cyberthreat is one of the most challenging ones we face,” Clapper said. “Among state actors, we’re particularly concerned about entities within China and Russia conducting intrusions into U.S. computer networks and stealing U.S. data. 
And the growing role that non-state actors are playing in cyberspace is a great example of the easy access to potentially disruptive and even lethal technology and know-how by such groups.”</p> <p>In the past year, we’ve seen high-level breaches like <a href="http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/" title="RSA" target="_blank">RSA</a>, seen <a href="http://www.huffingtonpost.com/2012/01/25/symantec-pcanywhere-source-code_n_1231280.html" title="Symantec’s source code stolen" target="_blank">Symantec’s source code stolen</a>, and even over 100 million records stolen from <a href="http://www.telegraph.co.uk/technology/sony/8478949/Sony-PlayStation-hack-a-glimpse-into-the-world-of-online-crime.html" title="Sony PlayStation’s online network" target="_blank">Sony PlayStation’s online network</a> – just to name three. It’s time for Corporate America to take security seriously, and focus on protecting the most important part in the viability of their company: their intellectual property. </p> f1397696-738c-4295-afcd-943feb885714:77291 Reshaping the Way We Think about RFID http://rfid.thingmagic.com/rfid-blog/bid/81328/Reshaping-the-Way-We-Think-about-RFID <p><img id="img-1328121114545" src="http://rfid.thingmagic.com/Portals/42741/images/TMbox.jpg" border="0" alt="ThingMagic" class="alignLeft" style="float: left;" /></p> <p><em><strong>As published in the Jan/Feb 2012 issue of PassAGEnow:</strong></em></p> <p>When predicting technology trends, <a href="http://billbuxton.com/" title="Bill Buxton" target="_blank">Bill Buxton</a>, Principal Researcher at Microsoft Research and author of <em>Sketching User Experiences</em> may have said it best:</p> <p>“If history is any indication, we should assume that any technology that is going to have a significant impact over the next 10 years is already 10 years old!”</p> <em></em> <p>This theory holds true for several technologies.  
For example, the first mobile telephone call was made in 1946, many years before the first commercial <a href="http://en.wikipedia.org/wiki/Cellular_networks" title="cellular network" target="_blank">cellular network</a> was launched in 1979.  <a href="http://en.wikipedia.org/wiki/Global_Positioning_System" title="GPS" target="_blank">GPS</a> was in use for nearly 30 years in government and military programs before it became a must have for personal vehicle navigation.  And, the formation of the <a href="http://en.wikipedia.org/wiki/Internet" title="Internet " target="_blank">Internet </a>as we know it began in the 1980s, but wasn’t truly incorporated into virtually every aspect of modern human life until a decade later.</p> <p>Applying this premise to radio frequency identification (<a href="http://en.wikipedia.org/wiki/RFID" title="RFID" target="_blank">RFID</a>) seems to hold true as well. The technology itself was well over 10 years old in 2004 when retail giants began pushing it as a means of driving efficiencies into their supply chains.  While these initial retail programs didn’t succeed according to plan, and mass adoption didn’t happen the way many analysts predicted, these initiatives did kick off a high level of interest from retailers, product manufacturers and many other industries and markets focused on improving their business and service processes.  Between 2004 and now, something else happened that makes one ask if RFID is ready to have that <em>significant impact</em> Buxton mentions.</p> <p>During this span, RFID hardware and software providers have continued to innovate and collaborate at a notable clip.  RFID readers have evolved to include a wide variety of purpose-built and multi-use form factors. Smaller, more powerful embedded <a href="http://www.thingmagic.com/embedded-rfid-readers" title="RFID modules" target="_blank">RFID modules</a> are being used to enable many stationary and mobile devices with the auto-identification technology.  
These advancements, coupled with continued innovation in the RFID tag and software markets, have resulted in RFID system performance improving exponentially. While these advances are significant, I’m not suggesting that there will be an ‘ah-ha’ moment when businesses and consumers realize that RFID is a technology they can’t live without. To the contrary, RFID adoption will likely be steady, finding its way into a greater number of solutions and replacing less effective legacy technologies as time goes on. A key point in all of this, however, is that the technology itself has matured to a point where it is no longer a barrier to entry. </p> <p><b>‘Climbing the Slope’</b></p> <p>So where are we now, more than 40 years after the first passive radio transponder with memory was patented in 1970, and nearly eight years since the retail industry brought attention to RFID at a global scale? Confirming the market’s progress is evidence that RFID technology has passed several critical milestones of Gartner Research’s well-known <a href="http://www.gartner.com/technology/research/methodologies/hype-cycle.jsp" title="Hype Cycle" target="_blank">Hype Cycle</a>, including first and second generation products, media hype, negative press, supplier consolidation and failures, and emerging methodologies and best practices. Taken at face value, this would put the market in the Hype Cycle’s <em>Slope of Enlightenment </em>stage and moving toward the emergence of third generation products, out-of-the-box usability, and high growth adoption.</p> <p>What’s more, businesses across all industries have a great number of well documented end user case studies and best practices to help them with their ROI analysis. Many pre-configured and kitted solutions are emerging, and ease-of-use features are starting to find their way into once highly-technical, hard to use products. 
Maybe most importantly, vendor promises and user expectations about performance have found solid common ground. Error rates have dropped significantly and there are many applications where 100 percent read rates are achieved. That said, users accept that there can be momentary losses of visibility of RFID tags owing to environmental factors and that software error correction, along with well-designed installations, should be a principal consideration in implementing successful solutions.</p> <p>So now what?</p> <p><b>It’s Time to Reshape the Way We Think About RFID</b></p> <p>With the reliability of today’s RFID systems and the apparent progression through traditional stages of technology advancement, <em>it’s time to reshape the way we think about RFID</em>. RFID vendors and solution providers have survived the technology maturation process. End customer organizations of all sizes have learned where and when it makes the most sense to apply RFID to their business processes. Now it’s time to think <em>beyond</em> RFID of the past 10 years and toward the next wave of innovation.</p> <p>We should think <em>beyond</em> the underlying technology – and toward the value of the data, emerging methods of data access, and about the many innovative enterprise and consumer applications that can be enabled with RFID data.</p> <p>We should think <em>beyond</em> one-size-fits-all readers – and toward the wide variety of fixed-position and embedded RFID reader form factors that can support a great number of unbelievably diverse applications.</p> <p>We should think <em>beyond</em> siloed deployments of RFID – and toward the hardware, software and data becoming an integrated element of the enterprise.</p> <p>We should think <em>beyond</em> the singular technology of RFID – and toward the combination of RFID and other technologies like GPS, Wi-Fi and Bluetooth.</p> <p>As an industry, we are beginning to see glimpses of this forward thinking. 
Technology vendors are more willing to collaborate. True solutions are starting to emerge. We are experiencing a realization, albeit a slow one, that no single technology is suitable for identifying and tracking things because different assets hold different values and each technology has its strengths and weaknesses relative to a given application.</p> <p>As we’ve experienced with many other data-driven solutions, I expect this progression may eventually lead to <a href="http://rfid.thingmagic.com/rfid-blog/bid/79405/Prediction-Data-and-Apps-Rule-RFID-For-The-Next-10-Years" title="RFID as a platform" target="_blank">RFID as a <em>platform</em></a> – with RFID modules and extensible software interfaces allowing for the integration of RFID with other technologies. Purpose-built systems will incorporate passive sensors, and computational systems will emerge. In certain applications, it is easy to imagine everyday physical objects with built-in RFID. If we’ve learned anything from the mobile device revolution it is that there is great promise when devices are able to connect with objects around us. Even more compelling is when these devices will be able to learn about our environment, provide contextual adaptation if necessary, and connect those objects to the broader Internet and business systems. </p> <p>There is no doubt that over the next decade, RFID systems will become an integral part of the consumer and business experience. The convergence of wireless technologies will be augmented by RFID systems. The development of passive RFID as part of this platform will be driven by the potential to measure, report and monetize a growing number of transactions in the physical world.</p> <p>Similar to the mobile phone, the widespread integration of GPS into today’s commercial and consumer positioning solutions, and the adoption of this thing called the Internet, RFID is ready to transform markets. 
Only time will tell the scale and impact RFID will have, but I, for one, bet it will be a big one.</p> f1397696-738c-4295-afcd-943feb885714:81328 Answering Customer Questions – What is an application? http://www.veracode.com/blog/2012/02/answering-customer-questions-what-is-an-application/ One re-occurring question we get is ‘What is an application?’ which on the surface of things sounds trite – after all, every one of us uses applications every day for one thing or another. Yet the initial success of a fledgling application security program often depends on answering that question. When discussing software that runs [...] http://www.veracode.com/blog/?p=3350 Solers Uses Bit9’s Application Control to Protect IP http://blog.bit9.com/bid/77231/Solers-Uses-Bit9-s-Application-Control-to-Protect-IP <p><a href="http://www.solers.com" title="Solers Inc." target="_blank">Solers Inc.</a>, a leading information technology solutions provider for U.S. government agencies, is <a href="http:w.bit9.com/company/news-release-details.php?id=http://www.bit9.com/company/news-release-details.php?id=231231&utm_source=LINK-Solers-Press-Release-In-Solers-Blog-1.31.2012&utm_medium=Blog&utm_campaign=Social%2BMedia" title="now utilizing Bit9 Parity Suite" target="_blank">now utilizing Bit9 Parity Suite</a>, designed to protect their customers from advanced threats. One of the challenges in today’s industry is recognizing how threats operate, populate your servers and endpoints, and exfiltrate your intellectual property (IP).</p> <p>Sure, “known threats” can be protected by traditional antivirus solutions, but what about a malformed PDF with executable files embedded within it? What happens when a malicious attachment arrives in the marketing department’s email from the VP of marketing? 
It looks real and seems real, but expecting each user operating on an endpoint to scan for trust on each email/attachment – which could be thousands of employees equaling thousands of endpoints – is a little unrealistic.</p> <p>One of the main problems in IT Security is: Problem Exists Between Keyboard and Chair (PEBKAC). Virtually meaning people are dumb – thanks <a href="http://blog.bit9.com/bid/68217/Why-End-User-Security-Fails-People-are-Dumb?utm_source=BLOG-People-Are-Dumb-Link-In-Solers-Blog-1.31.2012&utm_medium=Blog&utm_campaign=Social%2BMedia" title="Dan Brown" target="_blank">Dan Brown</a>. Because it’s impossible to control everyone, corporations need to build trust in the applications they’re running. Here’s where Application Whitelisting comes in. With <a href="http://www.bit9.com/products/bit9-parity-suite.php?utm_source=LINK-Parity-Suite-In-Solers-Blog-1.31.2012&utm_medium=Blog&utm_campaign=Social%2BMedia" title="Bit9 Parity Suite’s" target="_blank">Bit9 Parity Suite’s</a> Application Control, Solers was able to provide configurability and flexibility in their environment. Because Bit9 Parity Suite also provides the most flexible Application Whitelisting on the market, Solers was able to confidently secure their endpoints and servers with Parity Suite while providing a workable environment for their employees.</p> <p>“Before deploying Bit9 Parity Suite, we struggled to find a balance between keeping our infrastructure secure and giving our developers the freedom they needed to approve software on their own,” explained Mike Nutbrown, who has recently been promoted to director of information security at Solers.</p> <p>So what if you could trust your software, attachments and servers? What if you could detect your company's risk with real-time sensors and reduce actionable events from millions to dozens? What if you could protect against the Advanced Persistent Threat (APT)? And what if you could measure the success and functionality of all of this? 
Well, like Solers, you can. Click <a href="http://www.bit9.com/landing/autoeval/index.php?utm_source=LINK-5-Day-Trial-In-Solers-Blog-1.31.2012&utm_medium=Blog&utm_campaign=Social%2BMedia" title="here" target="_blank">here</a> for more details for a 5-day trial of <a href="http://www.bit9.com/products/bit9-parity-suite.php?utm_source=LINK-Parity-Suite-In-Solers-Blog-1.31.2012&utm_medium=Blog&utm_campaign=Social%2BMedia" title="Bit9 Parity Suite" target="_blank">Bit9 Parity Suite</a>. We protect the world’s leading brands. </p> f1397696-738c-4295-afcd-943feb885714:77231 Top Ten Java Frameworks Observed in Customer Applications http://www.veracode.com/blog/2012/01/top-ten-java-frameworks-observed-in-customer-applications/ One of the great things about the Veracode platform is the insight we get from examining our anonymized customer data – not only information about the vulnerability landscape (as published in the State of Software Security report) but insight into the composition of the applications that we scan. As I alluded in my last post, [...] http://www.veracode.com/blog/?p=3051 Weekly News Round Up http://www.veracode.com/blog/2012/01/weekly-news-round-up-2/ Happy Friday everybody, and welcome to another installment of our Weekly News Roundup. It certainly was another busy week in the application security world, with several cyber attacks, new regulations, and updated security measures making headlines. Veracode’s Marketing team rounded up some interesting articles on some of the biggest topics of the week. Give them [...] 
http://www.veracode.com/blog/?p=3305 RFID Boosts Fan Loyalty http://rfid.thingmagic.com/rfid-blog/bid/81106/RFID-Boosts-Fan-Loyalty <p><img id="img-1327611077127" src="http://rfid.thingmagic.com/Portals/42741/images/Brand-Loyalty-300x257.jpg" border="0" alt="Brand Loyalty" width="219" height="187" class="alignLeft" style="float: left;" />Being a sports fan, I find myself going from one end of the pendulum to the other as far as being totally enamored with my team, to giving up hope and not wanting to hear their name until the next season. But, I will admit I could never change allegiances, no matter how disillusioned I may feel at certain times. </p> <p>Even though season tickets and attending sporting events are probably the last thing people would give up in an economy when tightening belts is a way of life, team franchises must still recognize that times are tough and tickets and concessions aren’t cheap. They need to figure out ways to keep fans coming back, especially if they’re not winning. </p> <p>Having exhibited technology savvy in the <a href="http://searchstorage.techtarget.com/news/1518030/SAN-disk-array-disaster-recovery-software-help-NHL-team-with-ticket-sales" title="past" target="_blank">past</a>, the Tampa Bay Lightning <a href="http://www.rfidnews.org/2011/12/13/tampa-bay-lightning-rfid-enabled-hockey-jerseys-boost-ticket-sales-and-fan-loyalty" title="has recognized the business benefits of RFID" target="_blank">has recognized the business benefits of RFID</a>. They have embedded RFID tags in about 10,000 season ticket holder jerseys. Why? To help drive ticket sales and team loyalty.</p> <p>Season ticket holders will each receive the new team jersey with an RFID tag embedded into it. As the tags are scanned by one of the 250 readers installed into the Quest terminals throughout the arena, at concession stands, and in the retail stores and kiosks, they are offered discounts on food, beverages and team merchandise. 
And if you’re watching the game on TV, you can bet you’ll see a lot more Lightning jerseys in the crowd. Since embarking on this latest project, the Lightning franchise has seen a noticeable increase in demand for season tickets.</p> <p>We’ve seen this before. In a previous blog <a href="http://rfid.thingmagic.com/rfid-blog/bid/62552/The-Engine-in-RFID" title="post" target="_self">post</a>, we experimented with RFID and social networks to build brand loyalty. The results showed so much promise that we feel this combination will soon take off in business. The <a href="http://pymnts.com/briefing-room/commerce-3-0/social-commerce/boston-celtics-turning-5-6-million-facebook-fans-into-paying-ticket-holders/" title="Boston Celtics" target="_blank">Boston Celtics</a> have recently used social media to convert Facebook fans into ticket holders. Mark my words, it won’t be long before the Celts see the promise of RFID with social networking to boost ticket sales.</p> <p>For insight into how others are using RFID to build brand loyalty, download our case study: <a href="http://rfid.thingmagic.com/case-study-download---odin/" title="Building Brand Loyalty and Reach through RFID and Social Media" target="_blank">Building Brand Loyalty and Reach through RFID and Social Media</a>.</p> f1397696-738c-4295-afcd-943feb885714:81106 A Conversation With Richard Clarke – Part II http://www.veracode.com/blog/2012/01/a-conversation-with-richard-clarke-part-ii/ In continuation of yesterday’s piece on Chris Wysopal’s discussion with cyber-security guru Richard Clarke, this second installment focuses on questions asked by webinar participants in the live webcast. Remember, you can always download and view the recorded versions of our webinars here. Q: Are you concerned about the merge to electronic healthcare records? RC: Yes [...] 
http://www.veracode.com/blog/?p=3295 A Conversation with Richard Clarke – Part I http://www.veracode.com/blog/2012/01/a-conversation-with-richard-clarke-part-i/ Following a dramatic increase in the number and severity of breaches in 2011, Chris Wysopal and internationally-renowned cyber security expert Richard Clarke discuss the changing cyber threat environment, the evolving cyber legislation landscape, and steps you can take to strengthen your organization’s resilience to the current threat environment while complying with evolving regulations. This well-attended [...] http://www.veracode.com/blog/?p=3273 The 4 Rs - Reduce, Reuse, Recycle, and RFID http://rfid.thingmagic.com/rfid-blog/bid/80997/The-4-Rs-Reduce-Reuse-Recycle-and-RFID <p><img id="img-1327438701535" src="http://rfid.thingmagic.com/Portals/42741/images/sustainable-packaging.jpg" border="0" alt="Sustainable Packaging" width="219" height="201" class="alignLeft" style="float: left;" />The next time you walk through the office, take a count of how many of those <a href="http://en.wikipedia.org/wiki/Recycling_bin" title="blue recycling bins" target="_blank">blue recycling bins</a> you see until you reach your destination.  Chances are, you’ll be running out of fingers and toes before you reach the other side of the building.  The reason I point this out is because of the three proverbial legs of the recycling stool – reduce and reuse being the others – recycling is by far the most popular and easiest to implement.  This holds true across office environments and the shipping world.</p> <p>While there have been some interesting developments on the reduction front in recent years with companies finding new and innovative ways to make packaging smaller, reusable packaging has been an area that has evaded progress; until now anyway. 
During <a href="http://www.packworld.com/packexpo-2011" title="Pack Expo Las Vegas 2011" target="_self">Pack Expo Las Vegas 2011</a>, several prominent consumer brands, including the likes of Coca-Cola, Ghirardelli Chocolate and Alpha Baking, presented case studies on the topic of reusable packaging.</p> <p>There had been a lot of talk in the past about implementing RFID into packaging, yet the cost continued to be an inhibitor.  However, what is gaining steam in the shipping world is the use of <a href="http://en.wikipedia.org/wiki/Radio-frequency_identification" title="RFID tags" target="_blank">RFID tags</a> in reusable assets such as trays, crates and pallets where there is cost incentive for companies to find and reuse the shipping assets. </p> <p>In the case of Alpha Baking, they have introduced a test program where they have implemented RFID tags in 8% of their estimated 350,000 reusable trays.  The company uses RFID readers to obtain valuable data that helps improve shipping processes and prevent losses of these reusable assets. You may recall the blog we did on <a href="http://rfid.thingmagic.com/rfid-blog/bid/35651/RFID-Takes-on-Container-Fraud" title="container tracking" target="_blank">container tracking</a> to prevent fraud. Now RFID brings about another benefit to the distribution market – enabling sustainability.</p> <p>The key to making <a href="http://en.wikipedia.org/wiki/Sustainable_packaging" title="sustainable packaging" target="_blank">sustainable packaging</a> successful is to have all three elements working effectively.  If one of those areas is neglected, it has a negative impact on the entire process.  One could easily make the case that reusable packaging is the most important of the three and yet perhaps the hardest to implement. RFID allows companies to track these important assets, saving them money and greatly reducing the number of units needed, and ultimately discarded. 
We all know that creating waste is counter to the philosophy of three Rs. Four Rs gets us even closer to the sustainability goal.</p> f1397696-738c-4295-afcd-943feb885714:80997 Did the FBI Go Too Far with Megaupload? http://blog.bit9.com/bid/76843/Did-the-FBI-Go-Too-Far-with-Megaupload <p><img id="img-1327426190407" src="http://blog.bit9.com/Portals/447/images/megaupload.jpg" border="0" alt="Megaupload" width="351" height="234" class="alignLeft" style="float: left; padding: 10px;" />With the recent suspension of the SOPA and PIPA bills, the latest story in the Federal government’s war on Internet piracy was the shutdown of file-sharing site <a href="http://megaupload.com/" title="Megaupload.com" target="_blank">Megaupload.com</a>. But did the FBI go too far? Now anyone who knows a little bit about Megaupload, knows that the site did carry a ton of illegal content – but is this the site’s fault or its users?</p> <p>So what is Megaupload? Essentially the site offered a storage locker – in the cloud – to upload content that gave users un-policed access to post whatever they wanted. In certain cases, several used the site to post illegal content, with most of it being publicly accessible. Once posted, the content could be downloaded by anyone searching for it. This could be music, movies, television shows or applications. This provided a seemingly endless stream of content users could acquire for free without repercussions or payment.</p> <p>The site had to know its days were numbered, but a shutdown and arrest of <a href="http://en.wikipedia.org/wiki/Kim_Dotcom" title="Kim Dotcom" target="_blank">Kim Dotcom</a>, Megaupload founder, may have been a bit overboard. In fact, the details of the arrest involve a police raid utilizing helicopters, Dotcom locking himself in the safe room of his 25,000 square-foot mansion with a sawed-off shotgun, while the police cut him out of the room to make the arrest. 
This all happened during a raid that seemed more like a scene from a nerdier version of Scarface than anything else. Someone should have told Dotcom that sawed-off shotguns are illegal in laser tag.</p> <p><img id="img-1327428398083" src="http://blog.bit9.com/Portals/447/images/Megaupload%20-%20Pull%20Quote1.jpg" border="0" alt="Megaupload Pull Quote" width="295" height="166" class="alignLeft" style="float: left; padding: 10px;" />Maybe the recent arrest of Dotcom and the shutdown of Megaupload – and its sister site Megavideo – are proof that the U.S. government may not need SOPA or PIPA to protect copyrights? The flawed <a href="http://www.copyright.gov/legislation/dmca.pdf" title="Digital Millennium Copyright Act (DMCA)" target="_blank">Digital Millennium Copyright Act (DMCA)</a>, enacted in 1998, gives lawmakers the authority to remove the presence of illegally posted content, without going as far as shutting down the site itself. Nonetheless, a shutdown of Megaupload was still accomplished. This was in large part because the site had actively advertised its illegal content. Now even though the site was based in China, its .com domain still meant it fell under U.S. jurisdiction. SOPA, however, would allow lawmakers to venture further, shutting down U.S. access to foreign domains as well as domains falling under U.S. jurisdiction.</p> <p><img src="http://blog.bit9.com/Portals/447/images/megaupload2.png" border="0" alt="Megaupload2" class="alignRight" style="float: right; padding: 10px;" />It’s a slippery slope. We’re reaching an age where the definition of copyright infringement is blurred. If Megaupload is illegal, how is <a href="http://www.youtube.com/user/Bit9Inc" title="YouTube" target="_blank">YouTube</a> not? It’s a classic argument of who’s to blame. If the bank leaves the safe doors open and someone walks in and steals your money, is it the bank’s fault or the thief’s? Most would say both, but what if the bank never promised any level of protection? 
Or should they?</p> <p>Upon hearing of the shutdown, it’s hard to defend the site, but also equally hard to keep the impending-doom light from going off regarding the future of my favorite websites – <a href="http://music.google.com/about/" title="Google Music" target="_blank">Google Music</a> or YouTube to mention a couple.</p> <p>As Internet-wide panic exploded over the weekend, several other sites have either revoked U.S. access or stopped file sharing indefinitely. <a href="http://www.filesonic.com/" title="FileSonic" target="_blank">FileSonic</a>, one of the top file-sharing sites, has suspended all file sharing. Maybe this is what the government wanted? SOPA and PIPA fell by the wayside so maybe this is their next-best option? It’s hard to tell, but I believe the Internet is heading in the right direction. It’s just about getting there with only bumps and bruises and not broken bones. </p> f1397696-738c-4295-afcd-943feb885714:76843 2012 Social Security Blogger Awards http://www.veracode.com/blog/2012/01/2012-social-security-blogger-awards/ In case you haven’t heard, Veracode has been nominated for two awards at the 2012 Social Security Blogger Awards: Best Corporate Security Blog and Single Best Blog Post or Podcast of the Year. Let me first say that we are absolutely thrilled to be nominated for these awards and are honored to be listed amongst [...] http://www.veracode.com/blog/?p=3211 Anonymous: Why the Media is Getting it Wrong http://blog.bit9.com/bid/76724/Anonymous-Why-the-Media-is-Getting-it-Wrong <p><img id="img-1327339136252" src="http://blog.bit9.com/Portals/447/images/Anonymous2.jpg" border="0" alt="Anonymous" width="296" height="166" class="alignLeft" style="float: left; padding: 10px;" /></p> <p>Anonymous may be falling victim to their very name. Because of it, it allows them the freedom to become larger than they otherwise could independently – while also protecting them from the obvious legal repercussions. 
But what’s more important within this group is how the media has blown out this larger than life perception of the organization – yes it’s becoming that. But now, they’re essentially egging on a group more consumed with PR attention than what most would deem hacktivism.</p> <p>In light of this, we’ve recently seen Anonymous hack into several law enforcement agencies’ websites (Boston and Salt Lake City to name two), gain access to informants and tipsters, and go further into sensitive data related to drug crimes, personal information and listen in on FBI internal communications. They have even called for shutting down the social giant Facebook as well – for what, who knows?</p> <p>Gone are the days when Anonymous could loosely associate its hacking efforts with a cause. A new day for Anonymous is rising and it’s a day when the group itself may be unable to control its own message.  Perhaps falling victim the same way the individuals they look to disrupt did – too big too fast. Luckily – insert sarcasm – we have CNN to help focus their message.</p> <p>Recently, Anonymous perpetrated some denial-of-service attacks against web sites belonging to the FBI, Department of Justice, as well as the RIAA and MPAA, lashing out in retaliation over the FBI's shutting down of Megaupload.com, a popular file-sharing website.  The mainstream media, however, has gotten the analysis of the situation a great deal more wrong than usual.</p> <p>Really, this is War?</p> <p>CNN catapulted cable journalism to prominence by breaking new ground in its Gulf War coverage some twenty years ago, and should be able to recognize a war when they see one.  They seem to have totally lost perspective on what war is, however, using that term many times during prime news coverage (Wolf Blitzer's show, Friday) to describe this action by Anonymous.</p> <p>These actions are much more comparable to Occupy Wall Street protests than to actual war.  
When protesters link arms across a street, or handcuff themselves to doors, gates, or cars, they're denying other people access to buildings or thoroughfares.  This is denial-of-service and usually we don't get that worked up about it when reported.  Does anybody think the FBI and DOJ rely on their websites for internal operations?  Were field operatives and lawyers unable to pursue their cases because their PR machine was offline for a few hours?</p> <p><img id="img-1327330575317" src="http://blog.bit9.com/Portals/447/images/Anonymous%20-%20Pull%20Quote.jpg" border="0" alt="Anonymous" width="295" height="295" class="alignRight" style="float: right; padding: 10px;" />Please, folks.  I know Anonymous breaks into stuff sometimes, they cause damage, and that's illegal and wrong.  The DDOS stuff is arguably more illegal than it is wrong.  Let's start making a distinction between hacktivism and cyber-terrorism; can we agree on that?</p> <p>By the way, a great deal of media's important failure to grasp basic facts centers around the distinction between denial-of-service attacks and actual infiltration.  That's an important distinction, but we'll save that for another post.</p> <p>Media Dupes:  It's <em>not</em> about Hacking!</p> <p>The media also fell into a huge trap, and an old one.  Think about this question for a second, what is Anonymous actually about?</p> <p>Have an answer?  If you said, "hacking," you got it wrong.  Hacking is secondary for Anonymous, it's a tool.  What is Anonymous really after?  What are they much better at? PR!</p> <p>They're after attention, and they're very very good at this.  They're so good at it that I entertained the humorous notion to myself that they might not have even hit a single keystroke to effect this DOS attack.  All they needed to do was get enough journalists and bloggers in a lather to get <em>them</em> to DOS the sites.  
In reality, it probably helped get the job done - with journalists constantly pinging these websites every couple minutes to see if the sites were still down.  I'll bet these sites got more legitimate hits in a single hour than they usually get in a whole year!</p> <p>Well, it turns out I was half right.  Anonymous apparently went even further and purposely <a href="http://www.wired.com/threatlevel/2012/01/anons-rickroll-botnet/" title="tricked curious netizens" target="_blank">tricked curious netizens</a> into taking part in the attack – so much for media savvy.  Really, congress can obviously do <a href="http://blog.bit9.com/bid/76587/SOPA-Government-Overreach-at-Its-Worst" title="plenty of damage" target="_blank">plenty of damage</a> through ignorance, but media seems equally willing to embrace it for the sake of ratings and buzz.</p> <p>Same as the Old Boss</p> <p>Probably the simplest evidence that the media is a naive and unwitting hand puppet for groups like Anonymous, is the fact that this sort of thing has been going on for a long time.  One of the favorite pastimes of modern hacking groups that started emerging in the 90's, is manipulation of the media through propaganda and misinformation.  If it's a psyops technique that the military has ever deployed, there's probably a shadowy version of it going on underground.  Why do they do it? Well mostly for fun and this has been true for quite some time.</p> <p>The sad thing is, the media never seems to catch on.  As a friend of mine likes to say, <heavy sigh>.</p> f1397696-738c-4295-afcd-943feb885714:76724 New Platforms, Old Mistakes http://www.veracode.com/blog/2012/01/new-platforms-old-mistakes/ You don’t need me to point you to stories such as this New York Times article that reported on data from Flurry, a mobile analytics firm to convince you that mobile app usage is growing exponentially. 25B downloads at the end of 2011, a 300% increase year over year. I mean Angry Birds Rio was [...] 
http://www.veracode.com/blog/?p=3149 Weekly News Roundup http://www.veracode.com/blog/2012/01/weekly-news-roundup/ What a busy week for the internet! With topics from attacks and hacks to protests, bloggers have been busy covering the most recent news in the cyber security industry, and we are here to wrap it all up. The following are some of this week’s biggest headlines, along with some of the best commentary on [...] http://www.veracode.com/blog/?p=3193 Greening the Data Center with RFID http://rfid.thingmagic.com/rfid-blog/bid/80796/Greening-the-Data-Center-with-RFID <p><img id="img-1327008047681" src="http://rfid.thingmagic.com/Portals/42741/images/green-data-center.jpg" border="0" alt="Data Center" width="276" height="156" class="alignLeft" style="float: left; height: 156px; width: 274px;" />By now you’ve probably figured out that we’re on a mission to reshape the way people think about RFID. “Efficient use of energy in the data center” is not the first thing most people would think of when they think of RFID.  However, with the 1.8 zettabytes of data we are on pace to generate and consume as a society in 2011 (<a href="http://chucksblog.emc.com/chucks_blog/2011/06/2011-idc-digital-universe-study-big-data-is-here-now-what.html" title="forecasted by IDC" target="_blank">forecasted by IDC</a>) RFID must fit in somewhere!  What’s more, is data centers around the world are expected to use 19 percent more energy in the coming 12 months and more than one-third of companies expect at least one of their data centers to run out of power, cooling or space sometime within the next year. That’s a big problem to have. So what’s the answer?</p> <p>There needs to be a way to manage the consequences that come along with the advent of Big Data. Not only are large amounts of data hard to manage, but it is also a costly operation. 
Many organizations are turning to cloud computing services to reduce their reliance on internal servers, which also contribute to lower energy consumption. But is that the only option? In a recent <a href="http://rfid.thingmagic.com/rfid-blog/bid/79405/Prediction-Data-and-Apps-Rule-RFID-For-The-Next-10-Years" title="post" target="_blank">post</a>, I discussed how the use of RFID will generate lots of new data. What if I told you the use of RFID can also be used to drive efficiencies into the data center infrastructure?</p> <p>Russell Klein, Aberdeen Group analyst noted in a recent <em>eWeek</em> <a href="http://www.eweek.com/c/a/Data-Storage/Green-Data-Centers-Hold-the-Key-to-Better-Enterprise-Infrastructure-412091/" title="article" target="_blank">article</a> that businesses large and small should be concerned with controlling data center costs, including energy consumption. One of the ways he suggested organizations do so is with RFID, which can be used to monitor conditions, such as temperature and air pressure. RFID provides real-time data streams to feed the analytics engine, a function other sophisticated infrastructure management platforms lack. As organizations look for more energy efficient IT operations that save money and build better infrastructure, it is likely that RFID will become a frontrunner. </p> <p><b>RFID at Work in the Data Center</b></p> <p>Implementing RFID in the data center is a form of asset management, but maybe not the way you currently think of asset management. For example, sensor modules with temperature probes can be wired to RFID tags. The modules are then attached to racks in data centers, where the probes measure the temperature of various devices and use RFID to transmit the data to a reader. The reader receives the temperature data and sends it along to the software residing on a dedicated server. 
The data is then used to regulate temperature controls in real-time to conserve energy, ultimately reducing the cost to run a data center.</p> <p>The cost-effectiveness and ease of RFID in this type of implementation allowed the <a href="http://www.ecoinsite.com/2010/08/rfid-helps-california-cut-data-center-energy-use.html" title="Franchise Tax Board" target="_self">Franchise Tax Board</a> in Sacramento California to reduce the consumption of energy in the agency’s data center by 75 percent, also saving them more than $40,000 a year. Due to the successful results, the state continues to receive funding for the project from the U.S. Department of Energy.</p> <p>What other ways can we use RFID to create a greener environment?</p> f1397696-738c-4295-afcd-943feb885714:80796 SOPA: Government Overreach at Its Worst http://blog.bit9.com/bid/76587/SOPA-Government-Overreach-at-Its-Worst <p><img id="img-1327330084631" src="http://blog.bit9.com/Portals/447/images/SOPA2.jpg" border="0" alt="SOPA" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p>I remember my father, a retired physician, railing against government attempting to legislate on medical matters, an area in which they demonstrated little to no understanding.  I didn't have a full appreciation for the sort of legislative blunders congress was truly capable of until SOPA and PIPA.<br /><br />In short, the Stop Online Piracy Act (SOPA, congress) and PROTECT IP Act (PIPA, senate) bills try to placate the Big Media industry, which claims that Piracy is rampant and causing significant financial harm to the industry.  This claim, particularly that piracy is causing great financial harm to the music and movie industries is credibly disputed, however.  
I won't bombard you with links on the matter, except to point you to <a href="http://eff.org/" title="eff.org" target="_blank">eff.org</a> for a good place to start.<br /><br />However, not only is the goal of SOPA (and PIPA) possibly misguided, but the means for enforcing the controls on online piracy are incredibly irresponsible.  This is not to say that congress is acting out of ill will, collusion or self-interest (<a href="http://maplight.org/content/72899" title="necessarily" target="_blank">necessarily</a>), but at the very least out of an abundance of ignorance.  Why?  What harm do these bills pose?<br /><br /><strong>Tampering with How the Internet Works</strong><br /><br />These bills attempt to legislate how the Internet works.  Last I heard, the brilliant minds who crafted and refined the Internet over years are not working as congressmen.  What the geniuses in D.C. have decided in their rampant technological naiveté amounts to surgery on the Internet with a spoon.  These laws would require service providers (you’re likely familiar with Comcast or Verizon) to block offending sites from being listed in the global name registry called DNS.  This would be something like having your business removed from the Yellow Pages (back when people actually used the YPs).  Worse, like other egregious examples of technical legislation like the <a href="http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act" title="DMCA" target="_blank">DMCA</a>, there is little or no due process when complaints are filed.  Basically, you’re guilty until proven innocent.  It’s a little hard to grasp based on these abstract descriptions, but take the example of Youtube.  
If some copyright holder files a complaint that someone has posted their copyrighted material, the resulting actions effectively shut Youtube <a href="http://communities.washingtontimes.com/neighborhood/business-being-diva/2012/jan/18/stop-online-piracy-act-sopa-will-censoring-web-sto/" title="down" target="_blank">down</a> for some period of time, until the matter could be resolved.  In Youtube’s case, it would simply be decimated, effectively never online.  Would this stop piracy?  No.  Would it stop a great deal of the Internet you’ve come to rely on from working?  YES!<br /><br /><strong>Ignorance is Bliss</strong><br /><br />Probably the most worrying thing about the SOPA debacle is congress’ willingness to legislate out of willful ignorance.  In 1995, congress made the ill-advised move to dismantle the Office of Technology Assessment.  This is exactly the independent body that could have provided congress with the clear-headed and technically aware perspective needed to kill these bills before they saw the light of day.<br /><br /><strong>Backlash</strong><br /><br />Now that these bills have made it so far through the legislative process, there has been a growing backlash among the tech community.  Wikipedia shut down most of the English version of their site (though you could still get the content if you knew where to find it), and Google and many many others either shutdown or modified their sites in protest of these bills.<br /><br />Anybody with some knowledge of these matters knows that these bills are a bad idea.  
As technically informed citizens, we must tell congress to put an end to ignorance-based legislation.</p> f1397696-738c-4295-afcd-943feb885714:76587 Muzzled through Censorship: SOPA Bringing Google to Its Knees http://blog.bit9.com/bid/76549/Muzzled-through-Censorship-SOPA-Bringing-Google-to-Its-Knees <p><a href="https://www.google.com/landing/takeaction/" target="_blank"><img id="img-1326927909249" src="http://blog.bit9.com/Portals/447/images/Muzzled.jpg" border="0" alt="Muzzled" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></a></p> <p>Before starting I want to address first that this is my opinion and not that of my employers. With that said, here we go.</p> <p>Today <a href="http://www.wikipedia.org" title="Wikipedia" target="_blank">Wikipedia</a>, <a href="http://www.reddit.com/" title="Reddit" target="_blank">Reddit</a> and 10,000 additional websites have gone black to raise awareness of two impending bills: <a href="http://money.cnn.com/2012/01/17/technology/sopa_explained/index.htm" title="The Stop Online Privacy Act (SOPA)" target="_blank">The Stop Online Piracy Act (SOPA)</a> and the PROTECT IP Act (PIPA). Several other sites have created petitions (the largest being Google) to help fight these bills. So what’s the issue? Essentially there are two at play: keeping the Internet free, while somehow protecting against the onslaught of websites that are providing copyrighted content for nothing.</p> <p><a href="http://www.wikipedia.org" target="_blank"><img id="img-1326928195376" src="http://blog.bit9.com/Portals/447/images/Wikipedia.png" border="0" alt="Wikipedia" width="301" height="216" class="alignLeft" style="float: left; padding: 10px;" /></a>For instance, under this new legislation the music video you watch on YouTube for free would otherwise require YouTube itself or whoever is posting it to acquire consent from the original content provider. 
What could follow is having any real tiebacks from additional links posted on blogs, websites, or social media platforms to become illegal – or unnecessarily hard to accomplish. This could essentially kill SEO currently and where it might end up. In the end, all you will be left with is a mundane list of articles with no real interactivity. This could disrupt <a href="http://www.google.com" title="Google" target="_blank">Google</a>, <a href="http://www.reddit.com/" title="Reddit" target="_blank">Reddit</a>, <a href="http://www.wikipedia.org" title="Wikipedia" target="_blank">Wikipedia</a>, Facebook, and thousands of other websites’ business models. In turn, muzzling the Internet through censorship. </p> <p>This could cripple open source projects across the web, give law enforcers new powers to enforce filters on the Internet, and block access tools to get around such filters. The bill will not remove pirate sites, but merely lay down cones in the road in which to navigate around. This hurts true job creators within the web industry like Google. The Mountain View Company has already mentioned – in their <a href="http://googleblog.blogspot.com/2012/01/dont-censor-web.html" title="blog" target="_blank">blog</a> – how to combat pirate sites by attacking their funding.</p> <p>I can think back to the old Encyclopedia Britannica on compact disk and how limited that was to where we have gone. It’s not because this resource was not valuable, but it offered no room for growth - that is unless you purchased updates.</p> <p>So let’s face it. We’re spoiled. We live in a world where updates are automatic and in large part for free. Most of them go unnoticed because they are just assumed – with Wikipedia coming to mind. But what it offers is the idea of rapid growth through a community of knowledge. It may take a village to raise a child, but a community can educate the world. Why would we stop this? 
I agree that protecting content and its producers needs to be addressed, but the way the bill is written offers moderate resolution for maximum consequences. If you agree, sign Google's petition here: <a href="https://www.google.com/landing/takeaction/" title="https://www.google.com/landing/takeaction/" target="_blank">https://www.google.com/landing/takeaction/</a>.</p> f1397696-738c-4295-afcd-943feb885714:76549 The Illusion of Declining Account Takeover Attempts http://feedproxy.google.com/~r/bankfraudforum/~3/qNpqa7k8_5o/Account-Takeover-Better-or-Worse.aspx <p>In a recent Bank Info Security article, Account Takeover: Better or Worse?, Tracy Kitten interviews Doug Johnson, Vice President of Risk Management Policy for the American Bankers Association to get his expert opinion on the state of account takeovers and identity theft. </p> <p>ACH fraud may be defined as many different fraud types including account takeover and payments fraud. Because there are no statistics on the total ACH losses for 2011, there may be the illusion that losses are down. In my opinion, the trend may seem that ACH fraud is decreasing due to tighter controls, but when I speak with industry colleagues, I tend to hear the opposite.</p> {7BFC3F0E-884D-4B24-B44C-429042C0A20C} Dude, Where’s My Car? RFID Knows. 
http://rfid.thingmagic.com/rfid-blog/bid/80610/Dude-Where-s-My-Car-RFID-Knows <p><img id="img-1326738473016" src="http://rfid.thingmagic.com/Portals/42741/images/where%20is%20my%20car.jpg" border="0" alt="RFID Vehicle Tracking" width="206" height="206" class="alignLeft" style="float: left;" />Imagine this scenario for a minute.  You’ve got a couple of hours between meetings and have to run an important errand outside the city limits.  No problem you say, I’ll login to my Zipcar account, reserve a car for an hour or so and be on my way.  You get the confirmation email letting you know that your car is parked somewhere between #100 – #500 Center St.  As it turns out, a lot of cars are parked in this location, and did I mention that it’s raining? So much for a simple transaction and convenience, you’ve just wasted 30 minutes of your available time trying to locate your car and will now be hard pressed to complete your errand in time to be back in the office for your next meeting.</p> <p><b>Hello GPS and RFID</b></p> <p>Now most people are familiar with <a href="http://en.wikipedia.org/wiki/Global_Positioning_System" title="GPS technology" target="_blank">GPS technology</a> and have probably used one of these devices at some point in order to navigate an unfamiliar route and get to their destination. However, as illustrated in the example above, a GPS doesn’t help all that much if you can’t find your car.  Or can it? A new car service known as <a href="http://www.car2go.com/" title="Car2go" target="_blank">Car2go</a> which launched in the summer of 2010 in Austin TX, has found a way to implement GPS and RFID technology to help its customers instantly locate and gain access to their cars.</p> <p><b>Here’s How it Works</b></p> <p>Using an iPad app, the GPS device in the car points you to the precise location of the car you have reserved. No more searching general locations and wandering up and down the streets or through parking lots.  
Once you have arrived at your car, <a href="http://en.wikipedia.org/wiki/Radio-frequency_identification" title="RFID" target="_self">RFID</a> makes things really easy.  Simply tap your membership card on the windshield and the doors open. The membership card contains the RFID tag and the windshield contains an embedded RFID reader. Now you can grab the keys from the glove box, punch in some numbers on the keypad and you are on your way.</p> <p>This is just another example of how companies are finding ways to incorporate RFID technology into everyday functions to make our lives easier.  It’s no longer a technology that is reserved to address big business issues related to supply chains and distribution channels, or to make possible game-changing hospital procedures. Keep following along as we reshape the way you think about RFID.</p> f1397696-738c-4295-afcd-943feb885714:80610 CES 2012: Your Car is Hackable - A Call to Arms http://blog.bit9.com/bid/76201/CES-2012-Your-Car-is-Hackable-A-Call-to-Arms <p><img id="img-1326380797808" src="http://blog.bit9.com/Portals/447/images/pwned_by_carshark.png" border="0" alt="Car Hacked by CarShark" width="413" height="405" class="alignLeft" style="float: left; padding: 10px;" />A few events have converged to make me think this post is a timely one.  One of these events is the <a href="http://media.gm.com/media/us/en/onstar/12onstarces.html" title="recent CES announcement" target="_blank">recent CES announcement</a> of GM's "OnStar Future Car" <cue fading echo> and associated developer API.  This follows un-coincidentally on the heels of Carlos Ghosn's announcement that Renault will open up the car as a platform, allowing Android devices to interface with some systems on the car.</p> <p>Among other things, GM "...<a href="http://gizmodo.com/5874185/gms-onstar-future-car-4g-and-a-dash-full-of-apps" title="will let" target="_blank">will let</a> you use a mobile app to unlock OnStar-quipped [sic] cars".  
The way I feel about this can only be properly expressed with a prepubescent teenage texting meme:</p> <p>O... M... G</p> <p>This is one of the worst ideas in the long, sad history of bad ideas.  It has already been demonstrated that the OnStar system is <a href="http://www.autoblog.com/2011/08/05/hackers-prove-they-can-break-into-subaru-outback-via-texting/" title="hackable" target="_blank">hackable</a> and presents a significant potential threat.  Perhaps less well known is that all modern cars use a common bus, called CANBUS that links a plethora (I know I know, “gesundheit”) of small embedded computer systems that control braking systems, stability control, fuel injection timing, etc.  Even more worrying than someone else starting your car remotely is the fact that these CANBUS-linked systems are also vulnerable to attack, as shown in this NSF-sponsored <a href="http://www.autosec.org/pubs/cars-oakland2010.pdf" title="research paper" target="_blank">research paper</a>.  There, researchers (including names that you infosec folks should recognize) demonstrated that cars can be compromised and controlled in ways very similar to your desktop computer.</p> <p>Take CANBUS, connect OnStar-of-the-future, add a dash of Android, et <em>voila</em>!  A recipe that security<a title=" nightmares" target="_blank"> nightmares</a> are made of.</p> <p>Perhaps most worrying of all is the lack of response this seems to generate among the press and industry.  After demonstrations like these, automakers press on with their tabletization of cars, and the press coverage either gushes, yawns, or decries the driving distraction issue – all seemingly oblivious to the real and obvious threat this poses.</p> <p>These threats bear many similarities to the SCADA threats that have finally started to receive long overdue attention and will be the subject of a future post.  
I haven’t found many references, but I know that Mudge has been waving his hands about the threat these vulnerabilities pose to our infrastructure (nuclear power plants, electric grid, etc.) for many years – long before Stuxnet came along – and is now in a <a href="http://news.cnet.com/8301-27080_3-10450552-245.html" title="position" target="_blank">position</a> to <a href="http://cft.usma.edu/" title="do something" target="_blank">do something</a> about it.  Richard Clarke’s recent fictional <a href="http://www.bookfinder.com/author/richard-a-clarke/" title="books" target="_blank">books</a> also contain many warnings about potential worst case SCADA attack scenarios.</p> <p>Let’s not wait a similarly long time to act on this problem.  It’s time for us to wake up and smell the new car smell – carrying a faint whiff of ozone and solder.  We can’t afford to wait for the well-established pattern to unfold, where hypothetical security threats play out in startling reality.</p> <p>Let’s discriminate between technical progress and security regress.  At consumer shows like CES, we need to start exercising real consumer power and demand that security come first!</p> f1397696-738c-4295-afcd-943feb885714:76201 Flower Shop Fraud http://feedproxy.google.com/~r/bankfraudforum/~3/W6GdwG519Sc/Flower-Shop-Fraud.aspx <p>Committing bank fraud is easy when you have help on the inside. That’s what the prosecutors in the UK think happened in a $2m fraud scheme involving high net worth accounts. Between July and September 2008, a gang led by Neil Wynne targeted Barclays Bank branches throughout the middle of England. Prosecutors believe that the gang had help from a bank employee as they had an uncanny knack for picking the best accounts to target. They also had no problem overcoming the bank’s security procedures. They just can’t prove that an employee was involved – at least not yet. 
</p> <p>Here’s the scheme… With a fake passport in hand, one member of the gang pretended to be the owner of an existing, well-funded, Barclays Bank account. A second member of the gang posed as the accountholder’s partner. </p> <p>Once the new account was opened, the gang proceeded to ...</p> {4E52610A-6515-4425-82BE-0A9A1C3D80F5} RFID, Big Data and Retail http://rfid.thingmagic.com/rfid-blog/bid/80385/RFID-Big-Data-and-Retail <p><img id="img-1326297890730" src="http://rfid.thingmagic.com/Portals/42741/images/Internet_Retailing-resized-600.jpg" border="0" alt="RFID in Retail" width="220" height="143" class="alignLeft" style="float: left;" />The holiday retail sales season by most accounts was characterized as volatile – with huge surges at the start and end of the season, and big dips in the middle. That’s obviously good and bad for retailers. How to smooth out the peaks and valleys surely will be discussed at the <a href="http://rfid.thingmagic.com/rfid-blog/bid/79192/Will-NRF-s-The-Big-Show-Be-a-Good-Barometer-of-RFID-in-Retail" title="National Retail Federation’s “Big Show”" target="_blank">National Retail Federation’s “Big Show”</a> this month.</p> <p>This also gives us an opportunity to illustrate how an industry can think differently about RFID to help address this problem. 
As we asserted in our <a href="http://rfid.thingmagic.com/rfid-blog/bid/79405/Prediction-Data-and-Apps-Rule-RFID-For-The-Next-10-Years" title="2012 prediction" target="_blank">2012 prediction</a> that data and apps will rule RFID for the next 10 years, when companies hear the term “RFID”, they shouldn’t be thinking about readers and tags, but rather about processes. Here’s how it can be done within retail.</p> <p><b>Real-time Data, Real-time Decisions</b></p> <p>The age-old challenge in retail is how to maximize razor-thin margins. The newer challenge is sustaining increased sales in brick-and-mortar stores. Technology is essential, but it has more of an advantage for online retail.</p> <p>A key to optimizing sales and margins is making near real-time decisions about merchandising, assortments and promotions. It’s easier to do this on the web because of data available from such things as what items people are clicking on, search queries, etc. Retailers can change what gets promoted on the fly with this information.</p> <p>But how can this happen in physical stores? Point-of-sales systems provide data as to what people buy in the store. This has been where innovations in terms of data warehousing and analytics have come. There’s a lot of consumer behavior that takes place before the check-out though, and data from this activity can help make even faster decisions about assortment and promotions on the floor.</p> <p>There are project-level RFID implementations in retail that we have highlighted here that can be broadened to make a process-level impact. For example, last month we wrote about how a department store in Japan is the first to use <a href="http://rfid.thingmagic.com/rfid-blog/bid/78501/Tis-the-Season-for-RFID" title="RFID-based interactive hangers" target="_blank">RFID-based interactive hangers</a> that trigger a display of a model wearing a garment that a customer selects off a rack. 
The idea is to make the item more appealing at the point of interest.</p> <p>Those hangers could do a lot more for a retailer, however. The mere fact that someone picked the item off the rack shows an initial level of interest, which can be captured as a new set of data, like clicking on an item online. If a person takes it to the fitting room to try it on, where there is another RFID reader, the system can capture this as additional data related to the level of interest in an item. If the item is left in the fitting room, the retailer can know this immediately, as well as if the item is taken from the fitting room to the check-out counter.</p> <p>This is as valuable as the data that can be mined from web site clicks and searches, and it allows in-store managers to change assortments and displays much more quickly than before.</p> <p><b>Processes and Solutions</b></p> <p>When we say that we should reshape the way we think about RFID, <b><em>we mean that we should not fixate on the need to prove the technology, but rather think about ALL of the processes that can be improved with the availability of RFID data.</em></b>  As the example above is intended to illustrate, retailers should think about how they can get data about shoppers’ behavior from the moment they walk in a store and the kind of analysis they can do to optimize processes accordingly.</p> <p>Specific processes can be gleaned with the help of <a href="http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation" title="McKinsey’s recent Big Data report" target="_blank">McKinsey’s recent Big Data report</a>, which looks at retail as one of the industries where more value can be created from new data sources like RFID systems. 
These include in-store behavior analysis, customer micro-segmentation, assortment optimization and placement and design optimization.</p> <p>Beyond the process identification, retailers can benefit from the availability of full RFID solutions that help them incorporate data generated from RFID systems with the data warehousing, analytics and mostly home-grown software applications used to manage operations.</p> <p>We’ll continue our series of posts about how other industries can think about leveraging RFID data by looking more closely at healthcare and the in-transit markets. In the meantime, what are some other ways retailers can use RFID to enhance existing processes?</p> f1397696-738c-4295-afcd-943feb885714:80385 What if RFID was Never Invented? A ThingMagic Top Ten http://rfid.thingmagic.com/rfid-blog/bid/80249/What-if-RFID-was-Never-Invented-A-ThingMagic-Top-Ten <p><img id="img-1326127076530" src="http://rfid.thingmagic.com/Portals/42741/images/top10-resized-600.jpg" border="0" alt="Top 10" width="156" height="131" class="alignLeft" style="float: left;" />You know you are in the height of the political season when you turn on the Late Show with David Letterman and see all of the candidates lining up to give their top 10 lists.  While these attempts to connect with the American people normally fall flat, it did get us thinking about our own Letterman style top ten and what fun and interesting uses of the technology we’d present if given the opportunity to visit the show.</p> <p><b>So without further delay, we present to you our Top Ten things to consider if RFID had never been invented:</b></p> <p>10. The lines would be a lot longer during our coffee runs: <a href="http://rfid.thingmagic.com/rfid-blog/bid/48435/Cup-o-Joe-to-Go" title="Cup o’ Joe to Go" target="_blank">Cup o’ Joe to Go</a></p> <p>9.  
All of the crazy story lines in crime dramas might actually happen: <a href="http://rfid.thingmagic.com/rfid-blog/bid/52116/RFID-and-The-CSI-Effect" title="RFID and The CSI Effect" target="_blank">RFID and The CSI Effect</a></p> <p>8.  We couldn’t install “LoJack” in our cactuses: <a href="http://rfid.thingmagic.com/rfid-blog/bid/47777/Cactus-Chips" title="Cactus Chips" target="_blank">Cactus Chips</a></p> <p>7.  We’d all be subject to search and seizure at border crossings: <a href="http://rfid.thingmagic.com/rfid-blog/bid/43081/RFID-for-Border-Security" title="RFID for Border Security" target="_blank">RFID for Border Security</a></p> <p>6.  It would mean counting bees the old fashioned way: <a href="http://rfid.thingmagic.com/rfid-blog/bid/51955/RFID-for-Counting-Bees-Really" title="RFID for Counting Bees. Really?" target="_blank">RFID for Counting Bees. Really?</a></p> <p>5.  Fox could theoretically run ‘Prison Break’ forever: <a href="http://rfid.thingmagic.com/rfid-blog/bid/50106/RFID-Put-Behind-Bars" title="RFID Put Behind Bars" target="_blank">RFID Put Behind Bars</a></p> <p>4.  The “Where’s Waldo” effect would run rampant in salvage yards: <a href="http://rfid.thingmagic.com/rfid-blog/bid/48762/The-New-Junkyard-Dog" title="The New Junkyard Dog" target="_blank">The New Junkyard Dog</a></p> <p>3.  There would be a lot more false pulls in the milking business: <a href="http://rfid.thingmagic.com/rfid-blog/bid/47945/Milkin-It-with-RFID" title="Milkin’ It with RFID" target="_blank">Milkin’ It with RFID</a></p> <p>2.  Really bad golf would still be in play this season: <a href="http://rfid.thingmagic.com/rfid-blog/bid/51836/Find-It-Play-It-With-RFID" title="Find It, Play It – With RFID" target="_blank">Find It, Play It – With RFID</a></p> <p><b>And the number one consideration if RFID had never been invented is…</b></p> <p>1. 
Unauthorized use of electroshock weapons would surely climb: <a href="http://rfid.thingmagic.com/rfid-blog/bid/46660/Don-t-Lose-Your-Taser-Bro" title="Don’t Lose Your Taser Bro" target="_blank">Don’t Lose Your Taser Bro</a></p> <p>Maybe we’ll never get the chance to join Dave on the show, but hopefully we’ve given you a few interesting thoughts about the impact RFID continues to have on all walks of life.</p> <p>For more, check out our ever popular list of <a href="http://rfid.thingmagic.com/100-uses-of-rfid/" title="100 Uses of RFID" target="_blank">100 Uses of RFID</a>!</p> f1397696-738c-4295-afcd-943feb885714:80249 The Symantec Flap: Why A/V Was Dead Already http://blog.bit9.com/bid/75983/The-Symantec-Flap-Why-A-V-Was-Dead-Already <p>The recent theft of Symantec's flagship product, Symantec Endpoint Protection (SEP) version-whatever has the twitter-blogo-news-osphere in hyper-overdrive mode.  There's lots of speculation about who the source was stolen from (right now seems like Indian military intel servers), who did it (credit claimed by a group called "Lords of Dharmaraja"), and what this means for Symantec and infosec in general.  But many of the talking points seem way off to me.</p> <p><a href="http://www.theregister.co.uk/2012/01/06/symantec_source_code_theft/" target="_blank"><img id="img-1326123674387" src="http://blog.bit9.com/Portals/447/images/Grandpa2.jpg" border="0" alt="SEP" width="426" height="311" class="alignLeft" style="float: left; padding: 10px;" /></a>Attackers getting access to source isn’t, from a technology standpoint, the big deal that headlines want you to believe.  The first claim is that this is a huge blow to Symantec’s technology.  Now that their “<a href="http://www.theregister.co.uk/2012/01/06/symantec_source_code_theft/" title="secret sauce" target="_blank">secret sauce</a>” is out there, big bad hackers will be able to have their way with SEP.  
The biggest problem with this claim is that attackers worth their salt <a href="http://www.google.com/search?hl=en&q=bypassing+symantec+endpoint+protection&oq=bypassing+symantec+endpoint+protection" title="already have their way" target="_blank">already have their way</a> with SEP.  I have first-hand evidence that SEP is straightforward to bypass.  It’s a given in the infosec research community and has been for years.</p> <p>Second, implicit in this claim is that having access to source code makes something less secure.  This isn’t true.  For example, the reason we have so much confidence in cryptographic algorithms like SHA256 is that they’re publicly available, for experts to scrutinize over a long period of time.  Proprietary encryption has a long sad history of failure.  Just ask <a href="http://en.wikipedia.org/wiki/Jon_Lech_Johansen" title="DVD Jon" target="_blank">DVD Jon</a>.  Also, ask industry wonks which is more secure, IE or Chrome.  You’ll likely get a belabored argument which neither side will win.  Now, I wouldn’t rule out that Symantec has done some silly things that they wouldn’t do if they thought the bad guys had their source, but this argument is mostly erroneous.  Yes, it’s a bit harder to find flaws in software that’s binary.  But source code analysis is not the way most bugs are found.  There are a myriad of ways to find software flaws, including binary reverse engineering, automated analysis tools (fuzzers, static analysis and dynamic instrumentation, etc.).  That’s why QA folks have jobs.  Programmers are guaranteed to make mistakes, lots of them, and not all will be found by code reviews.</p> <p>Another claim I find extremely ironic, and this one is made by Symantec to downplay the incident, is that this is no big deal since the source code is old.  
To <a href="http://www.foxnews.com/scitech/2012/01/06/symantec-source-code-theft-likely-no-threat-to-average-user-analyst-says/" title="quote" target="_blank">quote</a> Symantec’s spokesman, Cris Paden, “We distributed 10 million new signatures in 2010 alone. That gives you an idea of how much these products have morphed since then, when you're talking four and five years.”</p> <p>Wow.  There’s just so much wrong with this it’s hard to know where to start.  First, if your large, mature commercial software product has largely been rewritten in the last five years, a) you’re likely doing something wrong and b) I don’t believe you.  Second, adding signatures to a database is not the same as modifying your product’s source code.  The code implements the scanning, and the signature database says what to look for.  Little if any code needs to change for new signatures.  Third, Paden appears to be <em>bragging</em> about one of the largest flaws in traditional antivirus software:  the huge number of signatures they have to look for.  How many of these 10 million new signatures are wrong?  Probabilistically quite a few.  Worse, do you think the signatures in this database comprehensively cover all of the malware out there?  Of course not.  All new malware bypasses signature a/v until it’s found, analyzed and signatures are generated.  Besides, there are well-known tools to evade traditional a/v by encoding (scrambling) existing known malware so that the signatures don’t match and the malware slips right by.  And that’s just one way to get by.</p> <p>The basic problem with the premise, that this breach is a huge blow to Symantec’s antivirus technology, is that this technology was fundamentally flawed to start with.  Traditional a/v is often the punch line to bad jokes at security conferences.  
There’s no particular need to mourn the loss of a little spilled a/v source code.</p> <p>If, however, this gets a few more people to rethink their reliance on a/v for protection, then this could be one of the best things to happen to infosec in a long time.</p> f1397696-738c-4295-afcd-943feb885714:75983 DRM: The Poison Pill In Online Movies http://blog.bit9.com/bid/75822/DRM-The-Poison-Pill-In-Online-Movies <p><img id="img-1325791772452" src="http://blog.bit9.com/Portals/447/images/drm.gif" border="0" alt="DRM" width="262" height="195" class="alignLeft" style="float: left; padding: 10px;" />I’ll preface this with the disclaimer that this rant is my own opinion and not necessarily that of my company - particularly the bit about The Black Eyed Peas.  With that out of the way, let’s talk DRM.</p> <p>You may not be aware of <a href="http://en.wikipedia.org/wiki/Digital_rights_management" title="Digital Rights Management (DRM)" target="_blank">Digital Rights Management (DRM)</a> but it is a technology that you likely use on a weekly, if not daily basis.  Most music and video obtained (legally) online is encumbered with DRM.  DRM uses cryptographic means to enforce Big Media’s control over content in your possession.  With it they can make the media playable only on a single device, they can make the data uncopyable (so you can’t make backups), and they can require you to repurchase the media if you, for example, lose your device or have it stolen.</p> <p>In short, <a href="http://www.info-mech.com/drm_flaws.html" title="DRM sucks" target="_blank">DRM sucks</a>.  But, with streaming movies becoming the rule rather than the exception, there doesn’t appear to be much push back from the consumer.  Are we really going to take this lying down?  
Are we going to let big media specify the terms of when and how we consume media?</p> <p>If we do, perhaps we should give up <a href="http://www.engadget.com/2011/12/22/louis-ck-makes-1-million-in-12-days-proves-that-drm-free-conte/" title="hope" target="_blank">hope</a>, just go ahead and adopt the following DRM pledge:</p> <p><img id="img-1325787857902" src="http://blog.bit9.com/Portals/447/images/Pledge%20of%20Allegiance.png" border="0" alt="Pledge of Allegiance" width="420" height="315" class="alignRight" style="float: right; padding: 10px;" /></p> <p><strong>DRM Pledge</strong></p> <p><em>I do solemnly swear on my public key</em></p> <p><em>To attest for <a href="http://news.cnet.com/8301-31001_3-20073522-261/exclusive-top-isps-poised-to-adopt-graduated-response-to-piracy/" title="Big Media’s" target="_blank">Big Media’s</a> certainty</em></p> <p><em>That my bits are aligned with integrity</em></p> <p> </p> <p><em>To teach children to honor PROTECT-IP</em></p> <p><em>DMCA, <a href="https://www.eff.org/deeplinks/2011/10/sopa-hollywood-finally-gets-chance-break-internet" title="SOPA" target="_blank">SOPA</a>, then maybe we</em></p> <p><em>Can live together in harmony</em></p> <p><em><br /></em></p> <p> <em><br />I swear to shun Pirate Bay and all P2P</em></p> <p><em>And loopholes of <a href="http://arstechnica.com/old/content/2005/12/5797.ars" title="analog" target="_blank">analog</a> variety</em></p> <p><em>Which lead to decay of society</em></p> <p> </p> <p><em>In return, nebulous Clouds promise me</em></p> <p><em>To store content paid for, <a href="http://arstechnica.com/tech-policy/news/2009/07/amazon-sold-pirated-books-raided-some-kindles.ars" title="indefinitely" target="_blank">indefinitely</a></em></p> <p> </p> <p><em>And never to charge me <a href="http://arstechnica.com/gadgets/news/2009/08/lost-or-stolen-kindle-amazon-says-youre-out-of-luck.ars" title="recurring" target="_blank">recurring</a> fee</em></p> <p><em>For content delivered so <a 
href="http://arstechnica.com/civis/viewtopic.php?f=14&t=318369" title="cleverly" target="_blank">cleverly</a></em></p> <p>  </p> <p><em>So with approved devices I can see</em></p> <p><em>Schlock like Gigli and The Black Eyed Peas</em></p> <p> </p> <p>In an upcoming post I’ll discuss the security applications for the technology underlying DRM, called TPM, and why it can be a Good Thing™.</p> f1397696-738c-4295-afcd-943feb885714:75822 UHF is the Magic Pill for RFID in Healthcare http://rfid.thingmagic.com/rfid-blog/bid/79411/UHF-is-the-Magic-Pill-for-RFID-in-Healthcare <p><img id="img-1324398518310" src="http://rfid.thingmagic.com/Portals/42741/images/wireless%20hospital.jpg" border="0" alt="Wireless Hospital" width="245" height="141" class="alignLeft" style="float: left;" />As we look to 2012, our first major event is <a href="http://www.himssconference.org/" title="HIMSS" target="_blank">HIMSS</a> and we can’t wait. The healthcare market has been at the forefront of RFID adoption, discovering a plethora of ways in which the technology can streamline operations, reduce human error and make the patient experience exponentially better.</p> <p>This year HIMSS (February 20-24, Venetian Sands Expo Center, Las Vegas) will host the <a href="http://www.himssconference.org/exhibition/IntelligentHospitalPavilion.aspx" title="Intelligent Hospital Pavilion" target="_blank">Intelligent Hospital Pavilion</a> in which it will showcase a variety of technologies that work together to deliver real-time patient information to the mobile devices and tablets of physicians and hospital staff (<em>Visit ThingMagic in <span>KIOSK #16</span></em>). 
Scenarios from the OR, ICU and ED will demonstrate how information is coordinated from diverse patient care environments with Near Field Communications (NFC), RFID, RTLS (real time locating systems), sensors and wireless technologies.</p> <p>RFID has proven its worth in healthcare and continues to improve procedures and enhance environments from <a href="http://rfid.thingmagic.com/rfid-blog/bid/55240/Medication-Expiration-Date-Tracking-with-RFID" title="tracking expiration dates on medication" target="_blank">tracking expiration dates on medication</a>, to <a href="http://rfid.thingmagic.com/rfid-blog/bid/34653/Enhancing-the-Patient-Experience-with-RFID" title="personalizing the experience for cancer patients" target="_blank">personalizing the experience for cancer patients</a>, to <a href="http://rfid.thingmagic.com/rfid-blog/bid/51544/RFID-for-High-Value-Critical-Dose-Medication-Inventory" title="managing inventory of critical dose medication" target="_blank">managing inventory of critical dose medication</a>, to <a href="http://rfid.thingmagic.com/rfid-blog/bid/51362/RFID-Gives-Surgeons-Second-Set-of-Eyes" title="helping surgeons locate tumors" target="_blank">helping surgeons locate tumors</a>.</p> <p>According to a Frost & Sullivan report, <a href="http://www.frost.com/prod/servlet/market-insight-top.pag?Src=RSS&docid=238339133" title="RFID: Unlocking Opportunities in the Healthcare Vertical" target="_blank">RFID: Unlocking Opportunities in the Healthcare Vertical</a> from July 2011, “The RFID market is expected to witness a significant increase in revenues by 2017, due to its acceptability, capability, and credibility. It has taken an affirmative position in the healthcare sector owing to substantial cost savings and convenience.”</p> <p><b>RFID’s Success in Healthcare Can Be Attributed to Passive UHF RFID </b></p> <p>Barcodes have long been used in the hospital supply chain for tracking products, supplies and inventory control. 
By using barcodes on forms, wrist bands and records, healthcare providers have driven efficiencies into the patient registration process.</p> <p><a href="http://www.thingmagic.com/rfid-basics" title="Passive UHF RFID" target="_blank">Passive UHF RFID</a> can enhance or replace many supply chain management, patient registration, patient safety, clinical care, and billing workflows that currently use barcodes. While both barcodes and RFID can be used for these activities, Passive UHF RFID is more effective due to the additional automation and cost saving opportunities it delivers.  Simply put, Passive UHF RFID enables the rapid and precise measurement of almost every operation in the healthcare setting - from counting and verifying the number of items in each surgical tray to <a href="http://rfid.thingmagic.com/rfid-blog/bid/50348/RFID-Has-its-Finger-on-the-Pulse" title="analyzing the slightest body movement" target="_blank">analyzing the slightest body movement</a>.</p> <p>Passive UHF RFID allows tags to be read from far away so that readers can be deployed in a variety of ways including permanent installations wired to the existing hospital Ethernet network, within strategically located “portals,” and integrated into mobile and stationary devices like carts and cabinets. 
This flexibility is complemented by the wide variety of Passive RFID tags that can be affixed to or integrated into consumable inventory, handheld surgical tools, patient wristbands, photo ID badges, and many other items.</p> <p>Put simply, Passive RFID is the most economical way to measure a large number of parameters in a healthcare setting, enabling innovative patient-centric applications that would otherwise not be implemented.</p> <p><b>Proven Uses of Passive UHF RFID Solutions Include</b>:</p> <p>Departmental Loss Prevention – proven to deliver an ROI in a short period of time by saving high value assets from being mistakenly discarded.</p> <p>Asset Tracking – identifies the location and travel patterns of many types of valuable assets in real-time, resulting in reduced product loss, reduced capital equipment purchases & leases, and enhanced patient services.</p> <p>Patient/Staff Tracking – tracks the travel patterns of staff, patients and personnel in real-time for access control, improved patient & staff workflows, reduced wait times, and integration into anti-abduction, wander prevention, and hand hygiene solutions.</p> <p>We’re sure to see these and other uses in action at the Intelligent Hospital Pavilion at HIMSS. 
For more examples of ThingMagic in Healthcare, please download the following case studies:</p> <p><a href="http://rfid.thingmagic.com/case-study-download---disney-family-cancer-center/" title="Disney Family Cancer Center Case Study" target="_blank">Disney Family Cancer Center Case Study</a>: The Roy and Patricia Disney Family Cancer Center Implements Innovative RFID Solution to Enhance Patient Experience and Increase Efficiency</p> <p><a href="http://rfid.thingmagic.com/case-study-download---xecan/" title="XECAN Oncology Clinic Case Study" target="_blank">XECAN Oncology Clinic Case Study</a>: Eliminating Wrong Patient and Wrong Treatment Errors with RFID</p> <p>Hopefully what happens in Vegas, doesn’t stay in Vegas!</p> f1397696-738c-4295-afcd-943feb885714:79411 U.S. Military Approves Android Devices Not iPhone http://blog.bit9.com/bid/75400/U-S-Military-Approves-Android-Devices-Not-iPhone <p><img id="img-1325107066715" src="http://blog.bit9.com/Portals/447/images/Android%20in%20the%20DoD.png" border="0" alt="Android in the DoD" width="440" height="330" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p>Score another win for Android. The Department of Defense (DoD) has recently <a href="http://www.stripes.com/blogs/stripes-central/stripes-central-1.8040/dod-approves-android-version-for-official-use-1.164342" title="announced" target="_blank">announced</a> the approval of the Dell Streak Series of Android devices, running Android 2.2 (Froyo), to be an alternative for the floundering RIM usually utilized by defense professionals. Call it a black eye for iOS and maybe the nail in the coffin for RIM, Android’s escalation to the top of the smartphone food chain has been swift and brutal to its competitors.</p> <p><img id="img-1325107421179" src="http://blog.bit9.com/Portals/447/images/N64.png" border="0" alt="N64" width="307" height="230" class="alignRight" style="float: right; padding: 10px;" />The problem here is Android 2.2. 
The military does not have a great reputation for staying ahead of the curve. Its approval process for newer devices has been known to move slower than a shuffleboard game at a retirement home. The move to Android is no different. Sure, DoD-approved Android devices are great news for Google, but what they are running is a bit more concerning.</p> <p>Android 2.2 was released in August 2010. Last time I checked that’s light years behind in the smartphone world. Also, they have approved Dell’s Streak series of tablets that have recently been discontinued. Is this a bad joke? It’s like giving your kid a Nintendo 64 this past Christmas and then raving about how good the 15-year-old graphics are – the kid doesn’t buy it so why should you?</p> <p>Froyo has not been maintained with current patch updates since the summer. Most current Android devices – including the discontinued Dell Streak Series – have upgraded to Android 2.3 (Gingerbread) or beyond. Recently <a href="http://www.bit9.com/?utm_source=DoD-Bit9-Main-Site-Blog-Link-12.28.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="Bit9 " target="_blank">Bit9</a> released a <a href="http://www.bit9.com/orphan-android/?utm_source=DoD-Android-Orphan-Android-Landing-Page-Blog-Link-12.28.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="report" target="_blank">report</a>, regarding the vulnerabilities of the Android update ecosystem, and how the broken system prevents security patches and updates from being pushed to devices other than its Nexus models.</p> <p><img id="img-1325107122657" src="http://blog.bit9.com/Portals/447/images/Grandma.png" border="0" alt="Grandma" width="230" height="230" class="alignLeft" style="float: left; padding: 10px;" />Android’s fragmentation is the result of its open-source nature and its update model handled by Android manufacturers. 
Fragmentation hurts the average user with regards to security, because more often than not Grandma is not going to manipulate Android’s source code in between bridge games to resolve security issues. Which means the average user could be left with buggy devices – or worse – security problems. The DoD seems to think that because of these same open-source principles, they can tinker with Android’s source code to prevent these types of issues. It’s a little bizarre. Why discontinued Dell devices? And why a year and a half old OS?</p> <p>With mobile malware up 400 percent on the Android platform this past year and malicious applications finding a new home in the Android market – you figure and hope the Pentagon knows what they are doing. They are revoking access to the Android Market and locking down specific features, but in the end, is it enough and does anyone really care? </p> f1397696-738c-4295-afcd-943feb885714:75400 My Favorite Things from 2011 Mihaela Mohirta http://feedproxy.google.com/~r/OptarosBlogsAll/~3/CAMmloAYJSM/my-favorite-things-from-2011-mihaela-mohirta Name: Mihaela Mohirta Position: Associate Support Engineer Location: Bucharest, Romania What is your favorite blog to read for work? http://techcrunch.com/ How do you see your kids shopping online, and how is that making the holidays easier or harder to keep their gifts a secret? I don’t think I’ll let my kids shop online. 
What | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-mihaela-mohirta">View post »</a> http://www.optaros.com/?p=11183 My Favorite Things from 2011 Eugen Paraschiv http://feedproxy.google.com/~r/OptarosBlogsAll/~3/NBjCuQTStJw/my-favorite-things-from-2011-eugen-paraschiv Name: Eugen Paraschiv Position: Senior Java Developer Location: Bucharest, Romania What do you tend to shop for online? Hardware, electronics, etc. What business book did you read this year that had a lasting impact? Read the Mythical Man Month back in January, great stuff. 
What retailers did you see bring commerce to the next level | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-eugen-paraschiv">View post »</a> http://www.optaros.com/?p=11181 My Favorite Things from 2011 Andrei Pirvulescu http://feedproxy.google.com/~r/OptarosBlogsAll/~3/_ONAOmf0eiU/my-favorite-things-from-2011-andrei-pirvulescu Name: Andrei Pirvulescu Position: QA Engineer Location: Bucharest, Romania What is your favorite blog to read for work? James Bach - http://www.satisfice.com/ What is your favorite blog to read for fun? It’s a personal blog from Romania: cutiutza-cu-recenzii.blogspot.com What excites you about Optaros and 2012? New projects to work on. 
How do you like to shop | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-andrei-pirvulescu">View post »</a> http://www.optaros.com/?p=11178 My Favorite Things from 2011 Cristina Gheorghisan http://feedproxy.google.com/~r/OptarosBlogsAll/~3/FEBw19wKq5Y/my-favorite-things-from-2011-cristina-gheorghisan Name: Cristina Gheorghisan Position: Senior Developer Location: Bucharest, Romania What do you do for fun? Skiing, skating, reading, dancing. What is your favorite way to spend your holiday? Traveling. I like to visit new places. Skiing in winter. How do you watch your favorite TV show (Hulu, Netflix, Comcast, AppleTV, other)? 
I don’t usually watch | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-cristina-gheorghisan">View post »</a> http://www.optaros.com/?p=11185 Ready! Set! Hut! Hut! RFID? http://rfid.thingmagic.com/rfid-blog/bid/79410/Ready-Set-Hut-Hut-RFID <p><img id="img-1324398144116" src="http://rfid.thingmagic.com/Portals/42741/images/Helmet%20image.bmp" border="0" alt="Sensor Helmet" class="alignLeft" style="float: left;" />Football is by far the most popular sport in the United States with much of its success being credited to its sheer brutality and gladiator mentality. Let’s face it; if you watch football on TV, you are likely drawn in by the bone crushing hits.</p> <p>If you pay attention to the sports scene at all, you undoubtedly have been hearing a lot of discussion around player safety, specifically, the issue of <a href="http://www.ncbi.nlm.nih.gov/pubmedhealth/PMH0001802/" title="concussions" target="_self">concussions</a>.  
What was once referred to as “getting your bell rung” has now been more appropriately diagnosed as a concussion, and has sparked spirited debate over player safety and the ramifications of multiple concussions on a player’s long-term health.</p> <p>The issue of concussions was largely ignored in contact sports such as football and hockey until the middle of the last decade when former Ivy League football player and former WWE wrestler <a href="http://www.chrisnowinski.com/" title="Chris Nowinski" target="_blank">Chris Nowinski</a> wrote a critically acclaimed book called <a href="http://www.amazon.com/Head-Games-Footballs-Concussion-Leagues/dp/1597630136/ref=sr_1_1?ie=UTF8&qid=1298791469&sr=8-1" title="Head Games: Football’s Concussion Crisis" target="_blank"><em>Head Games: Football’s Concussion Crisis</em></a>, which was published in 2006. This book and his subsequent research and affiliation with the Boston University School of Medicine have shone a bright light on the issue of sports-based concussions.</p> <p><b>So what does Football have to do with RFID? </b></p> <p>I’m glad you asked.</p> <p><a href="http://www.treehouselabs.com/" title="Treehouse Labs" target="_blank">Treehouse Labs</a>, a product development firm based in Austin, TX, recently announced that they will soon be testing a prototype along with <a href="http://www.shockwaveimpact.com/" title="Shockwave Impact Systems" target="_blank">Shockwave Impact Systems</a> of Chicago that allows them to install a sensing system inside of football helmets in order to alert coaches and medical personnel when a player experiences an impact great enough to cause a concussion. Using RFID, the data is transmitted to a web-based server that can be accessed via smartphones. The transmitters are expected to have a range of approximately 2.5 miles.</p> <p>These developments have the potential to open up a whole new arena for RFID technology. 
In addition to football, contact sports such as hockey and lacrosse would seem a natural progression. Other sports such as auto and motorcycle racing and cycling could benefit as well; information gathered from these sensors could assist medical personnel in diagnosing head injuries more quickly and taking the appropriate steps for treatment.</p> <p>These are just the latest examples of how RFID is finding its way into our everyday experiences and improving the quality of our daily lives.</p> f1397696-738c-4295-afcd-943feb885714:79410 My Favorite Things from 2011 Noreen Vincent http://feedproxy.google.com/~r/OptarosBlogsAll/~3/fr08fCAbWZg/my-favorite-things-from-2011-noreen-vincent Name: Noreen Vincent Position: Director of Marketing Location: Boston, Massachusetts What is your favorite blog to read for fun? The Sartorialist is an amazing photo blog on fashion. Evernote’s blog. I need to keep organized and this blog inspires me to use the app more. GoodMorningGloucester. It is an informative blog that keeps the locals | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-noreen-vincent">View post »</a>
http://www.optaros.com/?p=11175 My Favorite Things from 2011 Jay Paz http://feedproxy.google.com/~r/OptarosBlogsAll/~3/cR9_kC2Qtno/my-favorite-things-from-2011-jay-paz Name: Jay Paz Position: Senior Developer Location: Austin, Texas What retailers did you see bring commerce to the next level and why? For me it is Woot. In the last year they have expanded their model to include wine.woot.com, home.woot.com and woofi.woot.com. They have done a great job of keeping it fresh and interesting. How do you | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-jay-paz">View post »</a> http://www.optaros.com/?p=11171 My Favorite Things from 2011 Pilar Muner http://feedproxy.google.com/~r/OptarosBlogsAll/~3/yWi5PltF18g/my-favorite-things-from-2011-pilar-muner Name: Pilar Muner Position: Operations Coordinator Location: Boston, Massachusetts What retailers did you see bring commerce to the next level and why? E.L.F. 
(Eyes, lips, face) they send their subscribers deals nearly every week so it is always a matter of timing of which deals you are looking for and how much you are looking | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-pilar-muner">View post »</a> http://www.optaros.com/?p=11168 My Favorite Things from 2011 Sinora San http://feedproxy.google.com/~r/OptarosBlogsAll/~3/kCPYUEva3qE/my-favorite-things-from-2011-sinora-san Name: Sinora San Position: Senior Staff Accountant Location: Boston, Massachusetts What is your favorite iPhone app? Facebook Where did you shop on Black Friday? Best Buy. How do you like to shop (mobile, tablet, online or in the store)? Online What do you tend to shop for online? 
Baby items How do you see your | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-sinora-san">View post »</a> http://www.optaros.com/?p=11163 My Favorite Things from 2011 Adrian Hartline http://feedproxy.google.com/~r/OptarosBlogsAll/~3/-jHyr7cM3J4/my-favorite-things-from-2011-adrian-hartline Name: Adrian Hartline Position: Senior Developer Location: Boston, Massachusetts What is your favorite iPad app? Instapaper and Reeder. They let me catch up on blogs and articles while I am on the T (MBTA). What is your favorite blog to read for fun? 
The Brazen Careerist (Penelope Trunk) What do you tend to shop for | <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-adrian-hartline">View post »</a> http://www.optaros.com/?p=11161 My Favorite Things from 2011 Paul Marbach http://feedproxy.google.com/~r/OptarosBlogsAll/~3/yAl8r3xruhs/my-favorite-things-from-2011-paul-marbach Name: Paul Marbach Position: User Experience Consultant Location: Austin, Texas What retailers did you see bring commerce to the next level and why? Amazon. They have a clean interface, offer the Prime shipping method, and have interesting features like the app barcode scanner, the Kindle store, and the buyback program for video games and books. 
| <a href="http://www.optaros.com/blogs/my-favorite-things-from-2011-paul-marbach">View post »</a> http://www.optaros.com/?p=11157 2011 Fraud Trends – 3 Key Takeaways http://feedproxy.google.com/~r/bankfraudforum/~3/nL8sWu6OKuQ/2011-Fraud-Trends-3-Key-Takeaways.aspx <p>At year’s end, I like to take a step back and assess the main fraud trends I’ve seen and heard when speaking with our customers. Not only have we seen a lot of movement in the ACH area due to the FFIEC Supplement released this year, but there also have been some major events in the news this year that have driven action in fraud prevention measures overall. There are a few trends, in particular, that stand out to me more than others. </p> <p>1. Internal Fraud is Here to Stay: The interest in Internal Fraud continues to be high, and without a proactive monitoring system in place, banks are at higher risk of being exposed to theft from their own employees. Some of the more common fraud strategies in Internal Fraud include ... 
</p> {8CF1AED3-AB7D-45FD-88BE-16A96408898A} 2012: Year of the "Smack" http://blog.bit9.com/bid/75078/2012-Year-of-the-Smack <p>2011 was the <a href="http://www.net-security.org/secworld.php?id=11536" title="Year of the Hack" target="_blank">Year of the Hack</a>. We saw an unprecedented rise in targeted attacks, ranging from the rather primitive (but effective) to the highly sophisticated.</p> <p>While state sponsored attacks and cyber espionage have been occurring for decades, the level of disclosure and visibility of these attacks rose to new levels in 2011. Among just a few of the high profile attacks: </p> <ul> <li><img id="img-1324502551480" src="http://blog.bit9.com/Portals/447/images/Smartphone.jpg" border="0" alt="Smartphone" width="245" height="378" class="alignRight" style="float: right; padding: 10px;" />With the <a href="http://news.cnet.com/8301-27080_3-20068051-245.html?tag=contentMain;contentBody;2n" title="RSA breach" target="_blank">RSA breach</a>, we saw just how sophisticated and patient nation states can be when it comes to stealing intellectual property. In a scene reminiscent of a sci-fi movie, they attacked one corporation in order to get the keys to break into other corporations months later. It is estimated that the attack which hit RSA was actually used against over 700 other companies. 
This was not a smash-and-grab cyber attack; it was a lie-in-wait attack.</li> <li>With Operation Night Dragon, we saw a coordinated and wide scale attack on several energy companies across multiple continents. The cyber attack used multiple vulnerabilities and techniques in a coordinated campaign specifically against petroleum and energy companies. The attacks were traced back at least two years.</li> <li>With Operation Shady RAT, over 70 different companies across dozens of countries and different industry sectors were attacked using the same command and control server. The attacks spanned at least five years and included companies from energy, finance, real estate, technology, government, and even the International Olympic Committee. As is common for targeted attacks, Shady RAT established its foothold through spear-phishing (targeted emails), using social engineering to trick users into opening malicious content.</li> <li>With Nitro, at least 48 different companies within the chemical and defense industries were targeted. In the Nitro attacks, a program was installed allowing the attacker remote control of the infected systems. Interestingly, the same servers used in these attacks were previously used in a campaign against human rights organizations and NGOs.</li> </ul> <p>In total, thousands of different companies around the world were attacked in 2011, with no stone left unturned. If you have any data of value, regardless of your company size or industry, you are a potential target. All of these attacks were targeted and involved manual interaction, where humans were on the other end controlling the malware, and all of these attacks have been linked, with various degrees of certainty, to individuals or groups within China.</p> <p>We are witnessing the greatest theft of intellectual property in history. Unfortunately, 2012 looks to be no better when it comes to organized state-sponsored attacks. 
Not only have the attackers been emboldened by their successes, there are currently no consequences for their activities.</p> <p>As the 2011 examples demonstrate, energy and utility companies are a particularly ripe target. The SCADA (supervisory control and data acquisition) systems and ICS (industrial control systems) computers controlling our nation’s public and private infrastructure are woefully outdated when it comes to security. Until real progress is made in securing these systems, we will continue to see further breaches. Most concerning is that attacks on ICS systems can result in physical damage or even loss of life.</p> <p>2011 also saw a dramatic increase in hacktivism – politically and socially motivated attacks with the aim of causing embarrassment to a target or simply making a public statement. We saw the rise, and sort-of-fall of LulzSec, as they used Sony as a punching bag for hacking. We saw Anonymous continue making social and political statements, aligning with movements like Occupy Wall Street. The internet is an integral part of the fabric of modern society; it is natural that it has become a common medium for protest.</p> <p>It does not take a crystal ball to realize that the trend of hacktivism will continue, not just into 2012, but throughout the next decade at least. While the techniques used by hacktivists will get more advanced, they are generally and comparatively “low tech” today – using well known techniques for distributed denial of service (DDoS), SQL injection, and cross-site scripting to take down or deface web servers. From a security perspective, it is disheartening to see how successful such basic and well known attacks can be against even the largest of corporations. I would like to believe this year has been a wake-up call for companies to get their basic security house in order. Sadly, this is not the case and we will see more big names successfully “hacked” in the coming year.</p> <p>2011 saw the rise of the smartphone. 
The number of smartphones sold in the last quarter of 2010 was greater than the number of personal computers, and this trend is continuing. The amount of malware targeting these devices has increased dramatically, with estimates ranging from four-fold to well over ten-fold. While this is still a game of small numbers, even a penny-a-day-doubled adds up very quickly.</p> <p>Seventy-six percent (76%) of smartphone consumers use their devices for business purposes as well. These miniature computers contain not only our most personal information (e.g. contacts, text messages, geo-location, credit card and password information), they also contain confidential business information (e.g. corporate emails and documents). As our report on <a href="http://www.bit9.com/orphan-android/" title="the most vulnerable smartphones of 2011" target="_blank">the most vulnerable smartphones of 2011</a> describes, most smartphones run out-of-date software with known vulnerabilities that leave users at higher risk.</p> <p>In 2012, we will reach over one billion smartphones worldwide. This is a green field for attackers, as the technology has evolved faster than security. We will continue to see a rise in traditional malware targeting personal and financial information on these devices. As with the personal computer, we will begin to see targeted attacks on smartphones where the motivation shifts from financial to corporate espionage and IP theft. 
I will coin a new term here to describe the next generation of smartphone hacking – “smacking.” I predict 2012 will be the year of the “smack down,” as mobile devices earn their place as a critical corporate asset under cyber assault.</p> f1397696-738c-4295-afcd-943feb885714:75078 Back In the USSR http://blog.bit9.com/bid/75007/Back-In-the-USSR <p><img id="img-1324414598956" src="http://blog.bit9.com/Portals/447/images/net-neutrality%20(1).jpg" border="0" alt="Net Neutrality" width="361" height="248" class="alignRight" style="float: right; padding: 10px;" /></p> <h2><strong><em>2012: The Dawn of the Information Oligarchy</em></strong></h2> <p>For several years now, the founding principles of Internet freedom have been under attack. The sources of these attacks are largely media industry organizations (meaning movies and music), and the politicians that seem to be in their pockets. The basis of these attacks comes from a desire to control, police, or tax the Internet and the technology marketplace in general. Of particular concern are software patent lawsuits like <a href="http://www.telegraph.co.uk/technology/apple/8967899/Apple-wins-HTC-patent-battle-in-US.html" title="this" target="_blank">this</a> one, the Stop Online Piracy Act (<a href="http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act" title="SOPA" target="_blank">SOPA</a>) and its <a href="http://en.wikipedia.org/wiki/PROTECT_IP_Act" title="senate cousin" target="_blank">senate cousin</a>, and the battle surrounding <a href="http://en.wikipedia.org/wiki/Network_neutrality" title="net neutrality" target="_blank">net neutrality</a>. These issues are reported on very lightly, obscured by current worldwide concerns, but I believe they may be equally historic and potentially disastrous.</p> <p>In all these cases, certain special interests have lobbied Congress to make sure they do the exact wrong thing. 
Individually these actions are egregious examples of the dysfunction of current political governance in the U.S., and together they may spell the end of the Internet as we know it.</p> <p><strong>Software Patents</strong></p> <p>Most people think of their smartphones as hardware devices, which sound like reasonably patentable devices. However, the useful functionality of these devices is driven primarily by software, with the hardware playing only a supporting role. The types of legal shenanigans where <a href="http://www.telegraph.co.uk/technology/samsung/8896522/Samsung-tweaks-Galaxy-Tab-to-beat-Apple-ban.html" title="simple" target="_blank">simple</a> features are patented as if they’re comparable to inventing the telephone, currently playing out in <a href="http://www.telegraph.co.uk/technology/apple/8967899/Apple-wins-HTC-patent-battle-in-US.html" title="Apple’s trivial feature suit against HTC" target="_blank">Apple’s trivial feature suit against HTC</a>, are simply the latest examples of the fallout from innovation-killing <em>software patents</em>. It’s rather difficult to summarize in lay terms why software patents are such a terrible idea, so I’ll be brief and mostly just point out a <a href="http://www.groklaw.net/staticpages/index.php?page=20050402193202442" title="few" target="_blank">few</a> <a href="http://www.forbes.com/sites/timothylee/2011/07/28/the-supreme-court-should-invalidate-software-patents/" title="arguments" target="_blank">arguments</a><a title=" online" target="_blank"> online</a>. 
The basics are that, as software professionals, I and millions of others have to constantly look over our shoulder, wondering if, during the course of our day to day work, we might actually be reinventing <a href="http://en.swpat.org/wiki/Example_software_patents#Specific_patents" title="something trivia" target="_blank">something trivial</a> that has somehow been previously and inexplicably patented.</p> <p>Worse, companies are incentivized to patent virtually everything they do, <a href="https://www.google.com/search?q=ibm+breaks+patent+pledge" title="ostensibly to defend against patent infringement suits waged by competitors" target="_blank">ostensibly to defend against patent infringement suits waged by competitors</a>. This situation becomes self-enforcing unless patent law reform is enacted. The fallout is that the consumer mobile device and other software-based markets may deteriorate into monopolies, creating malware-friendly <a href="http://en.wikipedia.org/wiki/Monoculture_(computer_science)" title="monocultures" target="_blank">monocultures</a>, not to mention simply destroying innovation through litigation.</p> <p><strong>Intellectual Property</strong></p> <p>Did you know that when you watch streaming movies, your hardware is complicit in providing a guarantee to Hollywood that you are running certain software that is incapable of copying the media? That’s true even if you “own” the movie that you’re watching. That means that if their site is down, you can’t just pop in your backup copy of Pirates of the Caribbean. 
This is part of the <a href="http://www.riaa.com/physicalpiracy.php?content_selector=piracy_details_online" title="righteous battle" target="_blank">righteous battle</a> being waged by the Motion Picture Association of America (MPAA) and Recording Industry Association of America (RIAA) against evil media pirates, like <a href="http://www.theregister.co.uk/2007/06/27/woman_sues_riaa/" title="10-year-old girls" target="_blank">10-year-old girls</a>, <a href="http://boingboing.net/2003/09/25/riaa-sues-grandmothe.html" title="grandmothers" target="_blank">grandmothers</a> (not an <a href="http://www.p2p-weblog.com/50226711/riaa_bags_a_grandmother_on_dialysis.php" title="isolated incident" target="_blank">isolated incident</a>), and <a href="http://arstechnica.com/tech-policy/news/2008/04/riaa-escapes-sanctions-drops-case-against-homeless-man.ars" title="homeless people" target="_blank">homeless people</a>.  Now they’ve taken that fight to Congress, who, <a href="http://maplight.org/content/72896" title="for some reason" target="_blank">for some reason</a>, don’t appear to be much opposed to legislating on their behalf in the form of <a href="http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act" title="SOPA" target="_blank">SOPA</a> and <a href="http://en.wikipedia.org/wiki/PROTECT_IP_Act" title="PROTECT-IP" target="_blank">PROTECT-IP</a>.  Perhaps the apparent moral failings of the proposed legislative action can be partially excused by the <a href="http://motherboard.vice.com/2011/12/16/dear-congress-it-s-no-longer-ok-to-not-know-how-the-internet-works" title="widespread technological ignorance" target="_blank">widespread technological ignorance</a> among members of Congress that appears to be the true enabling factor.  
However, evidence continues to mount that this ignorance is <a href="http://www.fas.org/ota/technology_assessment_and_congress/morgan/" title="ironically self-chosen" target="_blank">ironically self-chosen</a>.</p> <p><strong>Net Neutrality</strong></p> <p>It’s important to understand history and to learn its lessons. Most important is understanding what those lessons really are. Politicians often invoke history, at least their understanding of it, in their political campaigns and rhetoric. In this particular case the politicians have their history wrong; very, very wrong.</p> <p>Having worked for several years at a company that lays a <a href="http://en.wikipedia.org/wiki/BBN_Technologies" title="reasonable claim" target="_blank">reasonable claim</a> to contributing substantially to the creation of the Internet, I believe I have a better perspective on that history than do most politicians, <a href="http://www.eecs.umich.edu/~fessler/misc/funny/gore,net.txt" title="Al Gore" target="_blank">Al Gore</a> among the possible exceptions.</p> <p>Opponents of Net Neutrality claim that the Internet is broken. No single entity exercises appropriate control over the Internet, and it is currently bigger than any one country. That is exactly the point. The Internet <em>is</em> bigger than any one country. The Internet abhors censorship and secrets. Controlling the Internet is not only doomed to failure (“<a href="http://en.wikipedia.org/wiki/John_Gilmore_(activist)" title="The Net interprets censorship as damage and routes around it" target="_blank">The Net interprets censorship as damage and routes around it</a>” – I would argue that bandwidth shaping is a form of censorship), but is misguided and will cause damage and unfairness in the meantime. 
It is antithetical to the <a href="http://blog.p2pfoundation.net/the-betrayal-of-the-internet-founding-principles-in-the-new-corporate-architectures/2010/07/30?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+P2pFoundation+%28P2P+Foundation%29">principles</a> under which the Internet came to become such a powerful tool and facilitator of free and open communication.  By the way, you can add <a href="http://blogs.citypages.com/blotter/2010/12/al_franken_fear.php" title="Al Franken" target="_blank">Al Franken</a> to the short list of Washington-folk who seem to “get it” on technological issues, and omit <a href="http://blogs.citypages.com/blotter/2010/04/michele_bachman_80.php" title="others who apparently do not" target="_blank">others who apparently do not</a>.</p> <p>These issues are converging to form a pivotal moment in history.  If we fail to sufficiently educate the public and political leaders on these issues, it will usher in a new age of information oligarchy.  Innovation will be stifled, free speech censored, and information security will face brand new challenges.  Control of the Internet will increasingly become concentrated in the hands of a few.  
Criminals and tyrannical nation states will be the only ones to appreciate the new world order… back in the USSR.</p> f1397696-738c-4295-afcd-943feb885714:75007 Prediction: Data and Apps Rule RFID For The Next 10 Years http://rfid.thingmagic.com/rfid-blog/bid/79405/Prediction-Data-and-Apps-Rule-RFID-For-The-Next-10-Years <p><em><img id="img-1324395978062" src="http://rfid.thingmagic.com/Portals/42741/images/DataIsKing.png" border="0" alt="Big Data" width="213" height="179" class="alignLeft" style="height: 179px; width: 213px; float: left;" />“If history is any indication, we should assume that any technology that is going to have a significant impact over the next 10 years is already 10 years old!”</em></p> <p><em>--</em> Bill Buxton, Principal Researcher at Microsoft Research and author of <em>Sketching User Experiences</em></p> <p>It amazes me each year. It seems like I blink and all of a sudden I see the torrent of predictions coming at me from all directions. Where did the year go?</p> <p>Indeed, it was another year of fast-paced change in the RFID market. The end of the year is always a good time to take a step back and consider what the next year will hold. I personally find it fun to make predictions. Except, instead of predicting the next year, I’m going to channel Bill Buxton and his quote referenced above and issue somewhat of a challenge for the next 10 years.</p> <p><b>It’s Time to Reshape the Way We Think About RFID</b></p> <p>During the last 10 years (and even going back 40 years since the first passive radio transponder with memory was patented in 1970), RFID hardware and software providers have continued to innovate and collaborate at a notable clip. 
RFID readers have evolved to include a wide variety of purpose-built form factors, and <a href="http://www.thingmagic.com/embedded-rfid-readers" title="embedded RFID modules" target="_blank">embedded RFID modules</a> are being used to enable many stationary and mobile devices with the auto-identification technology. </p> <p>In fact, the technology itself has matured to a point where it is no longer a barrier to entry for most markets and applications. What’s more, businesses across all industries have a great number of <a href="http://rfid.thingmagic.com/100-uses-of-rfid?utm_campaign=100-Uses-of-RFID" title="well documented end user case studies" target="_blank">well documented end user case studies</a> and best practices to help them with their ROI analysis. </p> <p>So now what?</p> <p>End customer organizations of all sizes have learned where and when it makes the most sense to apply RFID to their business processes. RFID vendors and solution providers have survived the technology maturation process. Now it’s time to think <em>beyond</em> RFID of the past 10 years and toward the next wave of innovation. 
</p> <p><b>Big Data, Meet RFID</b></p> <p><b><em>We should think beyond the underlying technology</em></b> – and toward the value of RFID data, emerging methods of data access and analysis, and about the many innovative enterprise and consumer applications that can be enabled with this data.</p> <p><b><em>We should think beyond one-size-fits-all readers</em></b> – and toward the wide variety of fixed-position and embedded RFID reader form factors that can support a great number of unbelievably diverse applications.</p> <p><b><em>We should think beyond siloed deployments of RFID</em></b> – and toward the hardware, software and data becoming an integrated element of the enterprise.</p> <p><b><em>We should think beyond the singular technology of RFID</em></b> – and toward the combination of RFID and other technologies like GPS, Wi-Fi and Bluetooth.</p> <p>As we’ve experienced with many other data-driven solutions, this progression will lead to RFID as a <em>data platform</em> – with RFID modules and extensible software interfaces allowing for the integration of RFID with other technologies. Even more compelling is when these devices will be able to learn about our environment, provide contextual adaptation if necessary, and connect those objects to the broader Internet and business systems. </p> <p>Thought about in this way, RFID becomes much more valuable in the context of “big data” and how it is “the next frontier of innovation”, as McKinsey stated earlier this year in its report <a href="http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation" title="Big Data: The next frontier for innovation, competition, and productivity" target="_blank"><em>Big Data: The next frontier for innovation, competition, and productivity</em></a>. In fact, it cites the Internet of Things as a major contributing factor to the explosion of data.</p> <p>Consistent with Bill Buxton’s view, big data is not new. 
If you look at the amount of information Google deals with as an example, it’s been around for at least 10 years. But as more objects get connected to the network, the idea of “big” data as we’ve known it so far will seem quaint (a view that McKinsey shares).</p> <p><em>The increasing volume and detail of information captured by enterprises, the rise of multimedia, social media, and the Internet of Things will fuel exponential growth in data for the foreseeable future.</em></p> <p>Along with the torrent of data RFID platforms will produce come challenges in dealing with the data; first and foremost the need to think at a business process level about how this data can be used to create more organizational value in the form of increased revenue, cost savings and profits. </p> <p>So, along with the challenge to think about RFID from a data vs. technology perspective comes the need for the industry to provide more end-to-end solutions.  The market needs to move fast because companies already are thinking at this level, in particular in the in-transit, retail and healthcare markets - which we’ll examine in future posts. </p> <p>In the meantime, what do you think?  What are the challenges you see ahead for the industry? I’d love to discuss in the comments and in future posts.</p> f1397696-738c-4295-afcd-943feb885714:79405 Android Persistent Threat (Part 2): The Data Mule Threat http://blog.bit9.com/bid/74391/Android-Persistent-Threat-Part-2-The-Data-Mule-Threat <p><img id="img-1324065295280" src="http://blog.bit9.com/Portals/447/images/Data%20Mule.jpg" border="0" alt="Data Mule" width="331" height="247" class="alignLeft" style="float: left; padding: 10px;" />When you think of information theft, you think exfiltration from the corporate network, right?  Maybe with the occasional <a href="http://www.nytimes.com/2011/12/17/us/bradley-manning-accused-of-aiding-wikileaks-will-appear-in-military-court.html?_r=1" target="_blank">Manning</a>-style insider threat scenario thrown in. 
There’s a more pernicious way that data can wend its way from its home to the adversary’s lair: data mules.  “<a href="http://en.wikipedia.org/wiki/Data_Mule" title="Data mule" target="_blank">Data mule</a>” is a term I’ll co-opt from Disruption Tolerant Networking (<a href="http://en.wikipedia.org/wiki/Disruption_Tolerant_Networking" title="DTN" target="_blank">DTN</a>), a networking research area in which I’ve done some work in the past.</p> <p>In this threat scenario, a compromised mobile device is sent into the corporate environment, carried by an unwitting worker bee where it can collect any pollen of interest, including pictures, audio, video, network communications, location information, and of course email.  At the end of the day, the device is carried back to the hive, where it is connected to an unwatched, unprotected wifi network with lots of bandwidth, for each exfiltration.  Think of all the honey that can be harvested this way (struggling to find any additional use for the bee metaphor, I’ll press on without).</p> <p>This way we sidestepped the whole sticky issue of getting the data out through the corporate firewall. Who needs steganography and covert channels? </p> <p>If you think this is a far out scenario, remember that not too long ago we would have thought that the RSA/Lockheed/… attacks were science fiction, theoretically possible but involving far too much effort and risk for the potential payoff. But <em>somebody</em> managed it and the payoff is believed to be quite sufficient. And the data mule attack would not be as hard as one might expect. Do we need a remote zero day vulnerability to get scary malware onto phones? No, we just need physical access. Almost every Android phone out there right now can be rooted.  Neither would the would-be espionage require stealing phones. Simply buy a bunch of used ones off eBay, root them, install whatever you want, and put them back on the market cheap.  
It’s an opportunistic approach, but so are most client-side attacks these days.</p> <p>Will this scenario really happen? Perhaps. The point is that there are a lot of threat scenarios like this that need to be taken seriously even if they seem fanciful right now.</p> <p>Remember, just because you’re paranoid doesn’t mean they’re not out to get you.</p> f1397696-738c-4295-afcd-943feb885714:74391 Will NRF’s ‘The Big Show’ Be a Good Barometer of RFID in Retail? http://rfid.thingmagic.com/rfid-blog/bid/79192/Will-NRF-s-The-Big-Show-Be-a-Good-Barometer-of-RFID-in-Retail <p><img id="img-1323958823949" src="http://rfid.thingmagic.com/Portals/42741/images/2468.mda.jpeg" border="0" alt="NRF" width="176" height="176" class="alignLeft" style="float: left;" />Already in its 101<sup>st</sup> year, the National Retail Federation (NRF) is gearing up for its <a href="http://events.nrf.com/annual2012/public/enter.aspx" title="Annual Convention & EXPO" target="_self">Annual Convention & EXPO</a> in New York next month. It looks like there is a lot of excitement in store for us (no pun intended) including a keynote speech from Bill Clinton!</p> <p>Aside from a former U.S. President being in attendance, digital retail and mobility are dominating the buzz this year. This shouldn’t come as a huge surprise because retailers are marketing to the consumer in ways that align with their behaviors – which is largely dominated by using mobile devices to consume digital information. </p> <p>According to Susan Newman, NRF’s Senior Vice President of Conferences, “Right now, it’s all about how you reach customers, engage with them, and help them engage with you.”</p> <p>If you walk into any mall or store, or even just observe people walking down the street, EVERYONE is carrying a mobile device. If that’s an accurate representation of the consumer market today, retailers must recognize that they can reach a very large portion of their target audience via digital media and the smart phone. 
As a proof point to that theory, Shop.org’s First Look Track at NRF will be two days that focus on all things digital, related to topics such as The Future Shopper and Buying Behaviors.</p> <p>A while back we experimented with mobility and social media, having RFID play the integral role. We determined that <a href="http://rfid.thingmagic.com/rfid-blog/?Tag=Social+Media" title="RFID + Social Media = Reach" target="_blank">RFID + Social Media = Reach</a>. Meaning that by adding the two together, it was easier and more effective to reach the intended audience, customize to their preferences and build brand loyalty. How can RFID help get us closer to that Holy Grail (in a simple, easy way) in retail?</p> <p>One way to get a better understanding of your customers’ preferences is through <a href="http://rfid.thingmagic.com/rfid-blog/bid/35670/Designer-RFID" title="item-level tagging" target="_blank">item-level tagging</a>. It may actually be on its way to being considered a best practice in retail. The <a href="http://www.vilri.org/about_vics" title="Voluntary Inter-industry Commerce Solutions (VICS) Association" target="_blank">Voluntary Inter-industry Commerce Solutions (VICS) Association</a> started the VICS Item-Level RFID Initiative for that very purpose. Its goal is to foster innovation, improve business processes and enhance consumer experiences by developing business applications and best practices around standards-based RFID. This is the kind of support the industry needs to effectively sell, and sell in such a way that is embraced by consumers. Using mobile devices and digital/social media will undoubtedly be widely accepted because it aligns with their current behavior.</p> <p>We can’t wait to see some of these session tracks at NRF to learn more. 
Congratulations, NRF on 101 years and a sold out expo floor!</p> f1397696-738c-4295-afcd-943feb885714:79192 Android Persistent Threat (Part 1): Why Mobile will be China's New Dance Partner http://blog.bit9.com/bid/74324/Android-Persistent-Threat-Part-1-Why-Mobile-will-be-China-s-New-Dance-Partner <p><img id="img-1323976081922" src="http://blog.bit9.com/Portals/447/images/China%20Android.png" border="0" alt="China Android" width="274" height="205" class="alignRight" style="float: right; padding: 10px;" />In a <a href="http://blog.bit9.com/bid/72794/Much-Ado-about-Android?utm_source=BLOG-Much-Ado-About-Android-12.15.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="previous blog" target="_blank">previous blog</a> post I promised to lay out a more detailed picture of why smartphones and tablets are so attractive for sophisticated malicious espionage.  When you want to steal intellectual information or gather competitive intelligence, no more ubiquitous and capable device exists than the modern smartphone.  Equipped with increasingly higher resolution still and video camera capabilities and a microphone in addition to significant storage space, these devices make the perfect espionage tool.  And there’s nothing suspicious about employees bringing them in and out of the enterprise environment every day.</p> <p>There seems to be an unwritten rule that blog authors must periodically make brash and attention-getting predictions, so here is mine:  In 2012, smart devices will play a crucial role in at least one significant corporate or government breach event.</p> <p>To my mind, it’s almost impossible that this will not happen.  They are too capable and subvert too many corporate security measures to be ignored by APT actors.  
It’s not a matter of if, it’s a matter of when.</p> <p>In Part 2 I’ll discuss a possible scenario for how smartphones will be used to exfiltrate data, bypassing corporate security.</p> f1397696-738c-4295-afcd-943feb885714:74324 Holiday Gift Idea: Game On RFID! http://rfid.thingmagic.com/rfid-blog/bid/79141/Holiday-Gift-Idea-Game-On-RFID <p><img id="img-1323878748077" src="http://rfid.thingmagic.com/Portals/42741/images/Skylanders-570x177.png" border="0" alt="Skylanders" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" />Kids are harder to please come holiday time every year.  The more that technology goes into toys, the more kids expect from them.  The Wii and Xbox Kinect have set the bar high for the use of wireless technology in game play.  Action figures are downright boring if they don’t make wondrous sounds. They need RFID to really make them interesting.</p> <p><a href="http://www.thejakartaglobe.com/consumertech/skylanders-combines-hand-held-action-figures-with-online-play-in-new-gaming-genre/472188" title="That reality is here" target="_blank">That reality is here</a> with one of the hottest gifts for the 2011 holiday season.  Activision, the company that brought the “Guitar Hero” franchise to life, has introduced <a href="http://www.skylanders.com/" title="Skylanders" target="_blank">Skylanders</a>, the latest innovation in gaming technology.  Through the use of plastic action figures that act as thumb drives for storing data, users are able to connect wirelessly to a video game system with each of the figures serving as an independent wireless storage device.</p> <p title="http://us.playstation.com/ps3/">The action figures have RFID chips that are read by the “Portal of Power” on which they are placed.  This allows users to play with the figures on one gaming system and transport them to other locations and different systems without losing any of the stored data so they can pick up at the point they left off.  
For example, a gamer could start off a skylander mission on his <a href="http://us.playstation.com/ps3/" title="PlayStation 3" target="_blank">PlayStation 3</a> and complete the adventure on a <a href="http://www.nintendo.com/wii" title="Wii system" target="_blank">Wii system</a> without any loss of status or interruption of game play.  This has never been possible before.</p> <p>It is being speculated in the gaming industry that if the Skylander franchise takes off as expected, it will lead to other game manufacturers such as <a href="http://www.nintendo.com/?country=US&lang=en" title="Nintendo" target="_blank">Nintendo</a> with its popular Mario brand to begin producing its own version.  This is incredibly exciting news for the makers of RFID technology as gaming is one of the fastest growing industries in existence.  If anyone has any doubts about this, try finding a shopping plaza these days that doesn’t have a GameStop store.</p> <p>As RFID technology continues to become more a part of our daily lives it stands to reason that we will see even more breakthroughs in the areas of entertainment in the years to come.  And with the consumer of this technology being much more tech savvy than previous generations, companies are going to be forced to push the envelope of innovation in order to capture market share. </p> <p>This is good news for consumers and RFID alike.</p> <p><em>Image credit: Activision Publishing, Inc.</em></p> f1397696-738c-4295-afcd-943feb885714:79141 RFID Making Fresh Produce Cool http://rfid.thingmagic.com/rfid-blog/bid/79059/RFID-Making-Fresh-Produce-Cool <p><img id="img-1323789981770" src="http://rfid.thingmagic.com/Portals/42741/images/coldchain2.jpg" border="0" alt="Cold Chain" class="alignLeft" style="float: left;" />I have to admit that I buy organic milk, not just because I think it’s healthier for my family, but because I can stock up on it without the risk that it’ll go bad before we use it. 
Why does organic milk have such a longer shelf-life than regular milk? Maybe they’ve figured out something that the others haven’t. Maybe it’s <a href="http://info.intelleflex.com/QuickScan.html" title="Intelleflex" target="_blank">Intelleflex</a>.</p> <p>Recently, the company developed what they call the Cool Chain Quick Scan. It helps farmers and shippers identify spots in their temperature-controlled supply chain - or cold chain - to improve freshness. This may sound familiar to you because during our <a href="http://rfid.thingmagic.com/100-uses-of-rfid?utm_campaign=100-Uses-of-RFID" title="100 Uses of RFID" target="_blank">100 Uses of RFID</a> program, we blogged about RFID enabling <a href="http://rfid.thingmagic.com/rfid-blog/bid/42465/RFID-Keeps-its-Cool" title="temperature tracking" target="_blank">temperature tracking</a> in real-time for sensitive, pharmaceutical shipments. Now we learn about it being used to track produce temperatures, which makes a ton of sense. </p> <p>The time for fresh produce to be harvested, cooled, processed and shipped can vary by hours and is influenced by several external factors beyond the farm. Air temperatures of refrigerated vehicles add to the complexity because they vary significantly, potentially causing the food to go bad before it reaches the store. That could explain the condition of the avocados I see in my supermarket.</p> <p>The Cool Chain Quick Scan replaces guesswork, visual inspections and First In/First Out inventory methods, with a snapshot of the cold chain. It identifies, measures and documents the impact of the temperatures on the produce. The monitoring is continuous - from the field, to the pack house, through distribution, and finally the retail store. It sounds tedious, but with RFID, it’s easy and cost-effective.</p> <p>RFID tags that use light, temperature and humidity sensors, are placed on the produce and processed as usual. 
For example, tags could be placed with produce in the field during harvest, or in pallets being transported from the pack house to distribution centers. Readers and condition monitoring tags use battery-assisted, passive RFID to read through pallets and containers with precision. The tags are removed at the pack house and mailed back to Intelleflex for analysis that is included in a detailed report, including:</p> <ul> <li>Temperature variation that the product is experiencing</li> <li>Amount of shelf life lost due to temperature issues</li> <li>Impact on customer satisfaction</li> <li>Recommendations to improve temperature management</li> </ul> <p>This level of reporting can help farmers, distributors and retailers develop cold chain best practices.</p> <p>By transforming climate monitoring from trailer-, container- and warehouse-tracking devices to individual pallet tags, RFID can give fresh produce suppliers detailed visibility into the lifecycle of the produce. They can use this newfound visibility and resulting best practices to reduce shrink and improve profitability. Every fresh produce supplier’s dream come true, thanks to – of all things - RFID.</p> f1397696-738c-4295-afcd-943feb885714:79059 Top Three Tips for Avoiding Lost Luggage: RFID, RFID, RFID http://rfid.thingmagic.com/rfid-blog/bid/78918/Top-Three-Tips-for-Avoiding-Lost-Luggage-RFID-RFID-RFID <p><img id="img-1323465420915" src="http://rfid.thingmagic.com/Portals/42741/images/baggage.png" border="0" alt="RFID Baggage Tracking" width="199" height="199" class="alignLeft" style="float: left;" />A while back, we <a href="http://rfid.thingmagic.com/rfid-blog/?Tag=Airplane+Parts+Tracking" title="blogged" target="_blank">blogged</a> about airlines using RFID to track parts for inventory control. 
Now, it looks like more progress is being made in the airline industry around luggage tracking.</p> <p>ThingMagic partner <a href="http://www.tagsysrfid.com/Company/News-events/Monday-10-October-2011-TAGSYS-RFID-AND-ICM-AIRPORT-TECHNICS-ANNOUNCE-STRATEGIC-ALLIANCE" title="Tagsys" target="_blank">Tagsys</a> has developed an <a href="http://www.rfidjournal.com/article/view/8966/" title="RFID-enabled luggage tag" target="_blank">RFID-enabled luggage tag</a>, the Permanent Bag Tag being used by Qantas Airways. The “Q Bag Tag,” containing an EPC Gen 2 passive RFID inlay, is affixed to each bag. It’s also environmentally friendly. Each tag can be reused an unlimited number of times. Here is how it works:</p> <p>The RFID chip in the tag stores the details of several flights and can be reprogrammed at read points to use all over again on new flights.</p> <p>After receiving a boarding pass, a passenger puts his RFID-tagged suitcase on the conveyor belt. A reader built into the conveyor reads the tag's unique ID number.</p> <p>The traveler follows prompts on a touch screen connected to the RFID-enabled conveyor, indicating the type of baggage that he is checking in and how much it weighs.</p> <p>The system activates the reusable Q Bag Tag and the conveyor belt takes the luggage into the handling system where it is sorted and screened via the RFID system.</p> <p>Airline baggage handlers are able to see each bag's destination on a video monitor as the luggage passes an RFID reader.</p> <p>The last two steps are probably the weakest link in a manual process that would inadvertently send your bags to Miami when you are going to Boston. </p> <p>The Permanent Bag Tag can also work without an RFID reader. They can be used to display passenger and flight data on a built-in, electronic paper-based screen. 
Airports that do not have an RFID infrastructure in place, can still use the tags that will display the passenger's name and flight number on the screen for the baggage handlers to see. This isn’t as error free as the full RFID system can be because it still requires an element of manual processing, but it can certainly help make it more efficient.</p> <p><a href="http://www.readwriteweb.com/archives/the_end_of_lost_luggage_rfid.php" title="ReadWriteWeb" target="_blank"><em>ReadWriteWeb</em></a> wrote about RFID-enabled luggage as an example of the Internet of Things back in 2009. Their story focused on the more personal, human element. More specifically, customer satisfaction and brand loyalty. Wouldn’t you choose an airline if the odds of your bags arriving in the same city at the same time, were significantly higher?</p> <p>So, again we learn how RFID can be used to easily re-invent a manual process, making it more efficient and helping to control variable costs. We also see (again) that RFID goes beyond business benefits to the airline, and yields added perks for the consumers that turn their travel into a positive experience. If RFID can be the reason your vacation travel goes off without a hitch, it deserves a special place in our everyday lives.</p> <p>If you happen to be flying this holiday season, safe travels to you. And if you are flying with an airline that doesn’t use RFID this holiday season, here are some <a href="http://www.travelwithachallenge.com/Lost_Luggage.htm" title="tips" target="_blank">tips</a> for keeping your bags with you, or at least making them easier to retrieve.  
Good luck!</p> f1397696-738c-4295-afcd-943feb885714:78918 Zuckerberg's Photos Breached: Facebook Launches Totally New Profile http://blog.bit9.com/bid/73680/Zuckerberg-s-Photos-Breached-Facebook-Launches-Totally-New-Profile <p><a href="http://www.facebook.com/about/timeline" target="_blank"><img id="img-1323293743242" src="http://blog.bit9.com/Portals/447/images/timeline1.jpg" border="0" alt="Facebook Timeline" width="372" height="235" class="alignLeft" style="float: left; padding: 10px;" /></a>Most people who use <a href="http://www.facebook.com/Bit9Inc" title="Facebook " target="_blank">Facebook</a> have numerous personal photos that remain private on their account. In an effort to segregate content between different groups, Facebook has recently created ways to manage which friends see what. However, thanks to a recently exploited security flaw, 14 private photographs posted on Mark Zuckerberg’s personal profile were recently made public. Photos ranging from Zuckerberg cooking with his long-time girlfriend to one of him holding a chicken by the legs were posted on the photo-sharing site <a href="http://imgur.com/" title="Imgur " target="_blank">Imgur</a> on Tuesday – the chicken one is a little weird.</p> <p>Since yesterday, the flaw has been resolved, but it reiterates one of Facebook’s lingering problems – <a href="http://www.bit9.com/?utm_source=Homepage-blog-link-12.7.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="security" target="_blank">security</a>. As more of what we do becomes social, it should be the responsibility of the company to ensure the user’s privacy. Most users operate under the promise that what gets posted on their profile is only available to the user’s unique friends – or publicly if they choose to do so. 
However, the “report inappropriate photo” feature was the work around an anonymous blogger says he utilized to access unauthorized content.</p> <p><a href="http://forum.bodybuilding.com" target="_blank"><img id="img-1323293577064" src="http://blog.bit9.com/Portals/447/images/Bodybuilding2.jpg" border="0" alt="Bodybuilding" width="263" height="249" class="alignRight" style="float: right; padding: 10px;" /></a>Believe it or not, the error was made known in a <a href="http://forum.bodybuilding.com" title="body-building forum" target="_blank">body-building forum</a> – evidence the internet really does have everything – with a brief walkthrough on the loophole. Now the fact that Zuckerberg’s profile was targeted can actually be seen as a good thing. Facebook is not known for timely responses to user security complaints, but targeting the company’s founder/CEO is one way to drive home a message.</p> <p>Here’s what Facebook said in a statement to the media:</p> <p>"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously."</p> <p>"The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."</p> <p>Facebook is also known for pushing out updates before security is fully baked into them. With the launch today of Facebook’s new <a href="http://www.facebook.com/about/timeline" title="Timeline " target="_blank">Timeline</a> feature in New Zealand, the company’s biggest revision to your profile is set to arrive in the U.S. shortly. Now more of your content can be pooled and categorized in different ways, potentially unlocking new and “exciting” security loopholes to exploit. 
Perhaps the chicken photo is more representative with regards to security and user control? With Zuckerberg clenching a user’s feet and never letting go. </p> f1397696-738c-4295-afcd-943feb885714:73680 Year-End Transaction Volume http://feedproxy.google.com/~r/bankfraudforum/~3/DtRThp2A7T8/Year-End-Volume.aspx <p>Depending on which news report you read, sales on “Black Friday” and “Cyber Monday” were considerably higher than last year. What does that mean for the bank fraud investigator? More transactions to wade through! Right about now, bank fraud departments around the United States are working overtime combing through billions of transactions. Unfortunately, when volume increases, so too does the volume of fraud attempts. </p> <p>When transaction volumes spike, any weaknesses in a bank’s fraud detection landscape are often magnified. That’s what the fraudster wants. The more stress the bank’s fraud department is under, the more likely it will be that fraud transactions will slip through. </p> <p>You can’t do that much to control the volume, but you can capture the lessons learned when you and your team are pushed to the breaking point. Consider the following questions ...</p> {02B343FF-05F8-41D9-A0FE-292B04E5FC67} Facebook vs. 
Google+: The Imaginary War No One Wants to Fight http://blog.bit9.com/bid/73385/Facebook-vs-Google-The-Imaginary-War-No-One-Wants-to-Fight <p><a href="http://bit.ly/sIDuis" target="_blank"><img id="img-1322850241910" src="http://blog.bit9.com/Portals/447/images/Facebook-vs-Google-cheat-stories-1-300x222.jpg" border="0" alt="Facebook vs Google " width="195" height="144" class="alignLeft" style="float: left; padding: 10px;" /></a>Facebook and Google have been at war for search dominance for a while now. With Facebook a close third place in search behind Google Search and YouTube (both owned by Google), Google recognizes the importance of social integration and the threat it poses to their primary product: Google Search.</p> <p>When <a href="http://bit.ly/sIDuis" title="Google+" target="_blank">Google+</a> launched this summer, many jumped the Facebook ship to Google+ for its streamlined design and privacy features. After a quick initial explosion of users, Google+ slowed in the early fall. Now a half year later, the question still exists: Facebook or Google+? But maybe that’s the wrong question to ask. Why was it ever a choice in the first place?</p> <p>A large group of my close friends had to bear with my initial push to convince them to join Google+. To which one of them answered, “If a post gets posted on Google+ and nobody sees it, does it really happen?”</p> <p><a href="http://bit.ly/sIDuis" target="_blank"><img id="img-1322850427789" src="http://blog.bit9.com/Portals/447/images/Bit9%20-%20Google-.png" border="0" alt="Bit9 Google " width="257" height="121" class="alignRight" style="float: right; padding: 10px;" /></a>This is how many view Google+: “well my friends aren’t on it, so what’s the point?” To me, that’s the wrong way to look at it. 
Like any other site, Google+ should not be judged by whether it can replace Facebook, but rather by the benefits it currently possesses.</p> <p>In my experience, I view Facebook as a place to connect with friends and Google+ as a place to categorize interests. I don’t travel to Google+ to find out what my friends ate for breakfast, but rather as a place to find out about everything else.</p> <p>With Google+’s integrated grouping feature “<a href="http://www.youtube.com/watch?v=BeMZP-oyOII" title="circles" target="_blank">circles</a>,” I can differentiate my interests more than I differentiate my posts. As a result, if I want to view my circled photographer’s posts I view my “photographer” circle, tech posts in my “tech” circle, etc. This gives me the opportunity to find out about what really interests me, as opposed to viewing a nonsensical stream of mundane posts on Facebook – sorry daily quote guy.</p> <p><a href="https://plus.google.com/111375948281096990867/posts/VwpsMbnGFy1" target="_blank"><img id="img-1322845481701" src="http://blog.bit9.com/Portals/447/images/Screen%20Shot%202011-12-01%20at%2010.45.30%20AM.png" border="0" alt="Bit9 Game Show" width="289" height="217" class="alignLeft" style="float: left; padding: 10px;" /></a></p> <p>Google+ also gives companies the opportunity to create exciting and engaging interactions with more customers on a truly social level. For example, on Dec. 15, Bit9 is launching its first Game Show within Google+’s “hangout” feature. The first nine of Bit9’s circled followers to arrive in our hangout with host <a href="https://plus.google.com/115755165932700408992/posts" title="John Herman" target="_blank">John Herman</a>, will be one of nine that have the opportunity to win an Amazon Kindle Fire.</p> <p>The show will have a live musical performance before and after the show, Android themed questions tied back to our blog site, and physical challenges. This all in a 20-minute span hosted on Bit9’s page. 
On the day of the show, John Herman will give Bit9 circled followers a two-hour "heads up" before going live.  It’ll be up to Bit9’s followers to be there in time to make it into the hangout to enter the contest. This just isn’t possible on Facebook. </p> <p>Now of course Facebook has its benefits. With over 800 million users, the breadth and scope of Facebook cannot be matched. The same way Twitter could never replace Facebook is perhaps the same way we should look at Google+. It’s just another tool for us to interact with and I think that’s worth being excited about.</p> <p><strong>If you would like to participate in our Dec. 15, Game Show, circle us on <a href="http://bit.ly/sIDuis" title="Bit9’s" target="_blank">Bit9’s</a> brand page on <a href="http://bit.ly/sIDuis" title="Google+" target="_blank">Google+</a>. There’s no catch. Just circle us and be there in two weeks. Also, if you would like to be a music guest on a future show, please contact my Google+ page directly at <a href="https://plus.google.com/111375948281096990867/posts" title="Jon Cilley" target="_blank">Jon Cilley</a>. <br /></strong></p> <p><strong><br /></strong></p> f1397696-738c-4295-afcd-943feb885714:73385 Tis the Season for RFID http://rfid.thingmagic.com/rfid-blog/bid/78501/Tis-the-Season-for-RFID <p><img id="img-1322844955266" src="http://rfid.thingmagic.com/Portals/42741/images/RFIDhanger.jpg" border="0" alt="RFID Hanger" width="233" height="188" class="alignLeft" style="float: left;" />It’s that time of year. With the holiday season in full swing, it seems like retail is the topic of choice for RFID stories lately. We last blogged about the mobile wallet and how it can enhance the check out process, which could have a huge consumer impact during this time of year.</p> <p>And here's yet another way that RFID is improving the shopping experience and potentially helping boost sales. A department store in Shibuya, Tokyo, Japan is the first to try out interactive hangers. 
When a shopper picks up a garment, RFID triggers one of the large screens above the rack to display a person modeling the clothes selected. Beyond the holiday season, this use of RFID could also have a huge impact on the back-to-school purchases, and even prom season.</p> <p>Check it out <a href="http://www.youtube.com/watch?feature=player_embedded&v=hJx84LJhYPc" title="here" target="_blank">here</a>.</p> <p>The hangers were developed by Tokyo tech firm <a href="http://www.team-lab.net/portfolio/teamlabhanger" title="Teamlab" target="_blank">Teamlab</a>. They are regular hangers with a large central rectangle that houses the RFID tag. We didn’t find reports that included information on the RFID readers, but they could be placed on the clothing racks or ceiling mounted. The hangers can also be used to manipulate the music and lighting in the store. The diagram above depicts how the RFID system works.</p> <p>We like it because it’s unobtrusive, as is the case with RFID in general. If you don’t care to see what the garment looks like on the model on the screen, simple. Don’t look up. It’s out of the way and can be easily ignored.</p> <p>Many shoppers can be easily influenced by a positive image and I bet this is why retailers will like this solution. If a leather jacket looks good on the GQ model, I transfer that image to myself, I buy it and the marketer wins.</p> <p>Take the concept one step further, what if the model on the screen showed us how to tie a tie or scarf and the various other ways it could be worn? That could be extremely useful, especially if it’s a new fashion trend.</p> <p>This implementation of RFID reinforces that the technology can play a valuable role in all phases of the retail supply chain - from the manufacturer to the show room floor. 
While this use case may not be the driver for RFID being widely adopted in the retail sector, it shows that very intelligent people are thinking of creative, yet easy ways to integrate RFID into everyday processes.</p> <p>Which one of your everyday activities can be enhanced with RFID?</p> <p><em>Image Source: TechCrunch</em></p> f1397696-738c-4295-afcd-943feb885714:78501 Are You Being Tracked? Android May Record All User Data http://blog.bit9.com/bid/73316/Are-You-Being-Tracked-Android-May-Record-All-User-Data <p><a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-12.1.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1322764633250" src="http://blog.bit9.com/Portals/447/images/Nerd%20rooted.png" border="0" alt="Rooted Phone" width="400" height="290" class="alignRight" style="float: right; padding: 10px;" /></a><a href="http://www.carrieriq.com/index.htm" title="Carrier IQ" target="_blank">Carrier IQ</a> is an application installed on over 140 million smartphones. The software is advertised as an application that offers real-time data for carriers on devices the app is pre-installed on to help them improve their service. Because almost every phone is sold through a carrier, most of these phones have this application pre-installed.</p> <p>The reason I mention all of this, is because a recent report, from researcher <a href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/" title="Trevor Eckhart" target="_blank">Trevor Eckhart</a>, discovered that Carrier IQ may be recording almost everything you do on your device (see video below): SMS text messages, location data, key strokes, and browsing history – including encrypted data over https (SSL). 
This means where you live, what you say, and how you do it is being recorded and possibly stored on Carrier IQ’s servers.</p> <p>The majority of <a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-12.1.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="Android " target="_blank">Android</a> phone owners are stuck with no way of protecting themselves from this potential breach of privacy.</p> <p>Now unless you’re a part-time nerd or know one, chances are you don’t know how to root your phone – you may not even know what that means (think jail-broken iPhones). But that is exactly what you will need to do to stop Carrier IQ’s software from recording your private data off of your Android device – unless you have a Nexus phone.</p> <p>This means that aside from the four Nexus phones (Nexus One, Nexus S, Nexus S 4G, and Galaxy Nexus), the remaining Android devices remain locked with Carrier IQ pre-installed. The reason Nexus is off the hook is because Google controls the software, the phone can be purchased without a carrier (key point), and no additional bloatware is installed from manufacturers or carriers. So if you remove the carrier and manufacturer out of the equation, you remove Carrier IQ.</p> <p>Now if you don’t have a Nexus phone, you are part of the overwhelming majority of users this application affects. With over 200 unique types of Android smartphones and 200 million activated Android devices in the marketplace, 53 percent of the smartphone market is vulnerable to this potential threat – pulling the four Nexus products out of the equation. Android’s growth is also magnifying, as they add more users to the problem. Currently, 52 percent of all new smartphone purchases are Android, with 550,000 being activated daily. Most of these devices will not be Nexus phones. 
</p> <p>It is true that this same problem is present on iOS devices, but this feature can be quickly turned off by disabling “Diagnostics and Usage” in the system settings (there is no option for Android). There’s no word whether the information is being funneled back to Carrier IQ’s servers, but the thought of tracking on this level is scary enough.</p> <p>Carrier IQ even tried to bully Eckhart into removing his research off the web – which seems like an admission of guilt. Eventually they backed down after Eckhart received legal support from the <a href="https://www.eff.org/deeplinks/2011/11/carrieriq-censor-research-baseless-legal-threat" title="Electron Frontier Foundation" target="_blank">Electronic Frontier Foundation</a>, but if they were not using the data, why record it at all? </p> f1397696-738c-4295-afcd-943feb885714:73316 Google Maps Goes Indoors: Tiny Blue Dot Puts Security in Perspective http://blog.bit9.com/bid/73239/Google-Maps-Goes-Indoors-Tiny-Blue-Dot-Puts-Security-in-Perspective <p><a href="http://4.bp.blogspot.com/-ak1Wt8D4fLo/TtRt0eGosOI/AAAAAAAAAaM/Ujui9fHWqYo/s1600/moa_before-after.jpg" target="_blank"><img id="img-1322676819171" src="http://blog.bit9.com/Portals/447/images/Indoor%20Mapping.jpg" border="0" alt="Indoor Mapping" width="350" height="307" class="alignLeft" style="float: left; padding: 10px;" /></a>For those who use <a href="http://googleblog.blogspot.com/2011/11/new-frontier-for-google-maps-mapping.html" title="Google Maps" target="_blank">Google Maps</a>, that tiny blue dot symbolizes your location in relation to <a href="https://plus.google.com/104525236349138185546/posts" title="Google’s " target="_blank">Google’s</a> digital blueprint of your surrounding environment. As the dot moves from location to location like a slow version of the checkered line from an Indiana Jones time-lapsed cut scene, it really puts things in perspective. So much information is stored within that tiny dot. 
Personal and work emails, photos, passwords, text messages, music, browsing history, location-based content, banking information, and the list goes on. With that said, almost everything that makes you who you are – in a digital sense – is stored in that tiny blue dot. Like in 1990, when <a href="http://en.wikipedia.org/wiki/Voyager_1" title="Voyager 1" target="_blank">Voyager 1</a> after 13 years in space and 3.7 billion miles from Earth reduced everything anyone has ever known to a Pale Blue Dot – ignoring Apollo astronauts. Google is now digitizing a similar perspective.</p> <p><a href="http://en.wikipedia.org/wiki/Voyager_1" target="_blank"><img id="img-1322677156675" src="http://blog.bit9.com/Portals/447/images/Pale%20Blue%20Dot.jpg" border="0" alt="Pale Blue Dot" width="184" height="249" class="alignRight" style="float: right; padding: 10px;" /></a>Yesterday, a new version of Google Maps was launched, which now enables navigation in some airports and major malls. It’s also not limited to merely a blueprint. Within the app you can locate bathrooms, ATMs, stores, and travel between multiple levels. All of this provides important information to users, while more than likely providing important analytical data to companies. For now the update is only available to Google Maps users with the Android platform in the U.S., but Google is working on mapping indoor environments in Tokyo’s underground subway network and retail shopping centers as well. 
It’s all very exciting, and at times can seem like magic, but like all doomsayers, I ask: “what are the risks?”</p> <a href="http://www.wired.com/images_blogs/gadgetlab/2011/11/09_Macys-a.png" target="_blank"><img id="img-1322677301439" src="http://blog.bit9.com/Portals/447/images/Indoor%20Mapping%203.png" border="0" alt="Indoor Mapping 3" width="192" height="120" class="alignLeft" style="float: left; padding: 10px;" /></a> <p>The reason I mention this, is that more of what makes us who we are is getting compacted into that tiny blue dot. The modern world is obsessed with consolidation and infatuated with convenience. Now this attitude provides true benefits to the end user, but those benefits can also expand to criminals longing to exploit the relatively easy access to this information.</p> <p>There is no true security solution for the mobile space, and as Bit9 has mentioned in our recent Android report, serious vulnerabilities exist within Android’s update ecosystem. Unlike Windows, which also has several manufacturers utilizing their product, Windows itself is centrally managed. Android’s open platform creates an environment fueling innovation, while also crippling their capability to resolve security loopholes. Manufacturers are responsible for updates and only Android’s Nexus products provide a centrally managed OS solution.</p> <p>With more compressed into one place, be mindful of the risks and be aware of new solutions. Click <a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-11.30.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="here" target="_blank">here</a> for our report on these risks. 
</p> <p></p> f1397696-738c-4295-afcd-943feb885714:73239 The Value of Integration and Collaboration http://feedproxy.google.com/~r/bankfraudforum/~3/j29q8H0xLsY/The-Value-of-Integration-and-Collaboration.aspx <p>I recently attended part of the Orbograph user group meeting where I participated in a panel discussing the value in combining forces in the fight against fraud. The panel was moderated by Jodi Pratt, well known in fraud-fighting circles. Speaking with me on the panel was Carl Bortol of Data Support Systems. Both Carl and I represent companies that have partnerships with Orbograph. On the panel, we discussed two levels of working together, integration and collaboration. </p> <p> <strong>Integration</strong> <br />This level focuses on integrating the fraud detection system into the rest of the bank’s systems in an operational sense. This includes core systems like DDA and CIS, and transaction processing systems like Exceptions...</p> {B1991645-4BD1-4949-B199-398D72D42EE9} Is the New Facebook Phone Dead on Arrival? 
http://blog.bit9.com/bid/73173/Is-the-New-Facebook-Phone-Dead-on-Arrival <p><a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-11.29.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1322590468181" src="http://blog.bit9.com/Portals/447/images/facebook_phone.png" border="0" alt="Facebook Phone" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto; padding: 10px;" /></a>Does anyone remember the <a href="http://en.wikipedia.org/wiki/ESPN_MVP" title="ESPN MVP" target="_blank">ESPN MVP</a>? For those who can’t, before the iPhone revolutionized the smartphone business in 2007, ESPN launched their own branded product and service through Sprint back in 2005. Most people looked at the service and thought it to be overpriced and unnecessary, with many seeing it as dead on arrival. As expected the service did not last very long, not even making it a full year before ESPN announced they would discontinue it.</p> <p>The reason I bring it up, is that ESPN serves as a warning shot for <a href="http://www.facebook.com/Bit9Inc" title="Facebook" target="_blank">Facebook</a>. The tech world can be brutal, becoming a launch pad or an implosion for companies with either outcome usually revealed in six months or less. So why a Facebook phone? Almost all of us who own a smartphone use mobile Facebook in one way or another. What could be the necessity for a phone centered around the social media giant? Well, like all things: money. Many experts expect mobile payments to be a massive trend in 2012, as yet another service gets consolidated into the mobile space. With that said, Facebook is behind the ball. 
Google launched <a href="http://www.google.com/wallet/" title="Google Wallet" target="_blank">Google Wallet</a> in September of this year with the expectation of pushing payments through their phone’s <a href="http://en.wikipedia.org/wiki/Near_field_communication" title="near field communication (NFC)" target="_blank">near field communication (NFC)</a> capability.</p> <p>On the horizon, is the absence of the credit card and the implementation of the smartphone. Facebook recognizes this, attempting to claim territory in the mobile space before the barriers to entry in this digital frontier are impenetrable. But will it work?</p> <p>Most of us use Facebook on our smartphones every day. We recognize the value of social integration, but isn’t it already too late for yet another smartphone platform? How far does the interlocking web of Facebook have to spin in order for us to see the value in a service outside the application we already use? Plus, Facebook’s new OS is rumored to be based off of the global-leading <a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-11.29.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="Android platform" target="_blank">Android platform</a>. It’s no secret Facebook and Google are at war for search and social media worshipers, so why build off of your competitor’s strength? It’s like giving your enemy the keys to kingdom and then complaining when they overthrow you – not smart. </p> <p>We already know that Android’s new operating system has deep <a href="https://plus.google.com/b/104525236349138185546/me/posts" title="Google+" target="_blank">Google+</a> integration as well, and that trend will only continue. It seems Facebook is trying to follow Amazon’s lead with how they repurposed Android to build their popular Kindle Fire. So it can be done. 
At the end of the day, the question comes down to: will people see enough value in a Facebook phone that tries to convince them to leave an already established ecosystem they have come to love? The tech world is full of examples, with Android being one of them, but in my personal experience, users are just getting comfortable with where social media has invaded their lives currently. Deeper integration may scare people away from stepping outside of their current app or mobile web. Facebook will have to provide real differentiation with its new platform that doesn’t off-put customers already out of their comfort zone.</p> <p>To me, there's a chance it could be in the same league as the Ford Edsel, Betamax Video, DeLorean, and New Coke. Facebook wants to push you towards web-based apps composed in <a href="http://en.wikipedia.org/wiki/HTML5" title="HTML5" target="_blank">HTML5</a>. Although it's more than likely the future, is it too soon to make that leap? I guess we'll have to find out. </p> f1397696-738c-4295-afcd-943feb885714:73173 Cyber Monday Beware http://blog.bit9.com/bid/73068/Cyber-Monday-Beware <p><a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-11.28.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1322510147867" src="http://blog.bit9.com/Portals/447/images/Hamburglar4.jpg" border="0" alt="Hamburglar" width="291" height="291" class="alignRight" style="float: right; padding: 10px;" /></a>Couch commerce has become the new norm within the global market place. Like “Black Friday” for so many over-caffeinated retail campers, “Cyber Monday” has become the barn burning holiday of the e-commerce world. 
It has become so prevalent that ComScore, a data-tracking firm, estimates that sales could exceed <a href="http://blog.comscore.com/2011/11/cyber_monday_work_computers.html" title="$1.2 billion" target="_blank">$1.2 billion</a> today – a new record.</p> <p>As you can imagine, with possible record breaking sales on the horizon, a tremendous amount of data needs to be transferred in order to make this happen. Most of this will consist of logistics, user data, and that all important credit card information. Now just in case you thought you were safe from the stampede of overindulgent deal hoarders by purchasing content from the safety of your couch or cubicle, the FBI has already reported seizing <a href="http://www.npr.org/2011/11/28/142853254/feds-seize-150-websites-in-counterfeit-crackdown" title="150 counterfeit" target="_blank">150 counterfeit</a> websites in preparation for the digital holiday. This means you’re still at risk.</p> <p>With so many great deals represented across most major retailers, be careful of the fraudulent sites that either pose as the real deal or offer products through an un-identified third party site. The goal could be to either complete a fraudulent transaction or steal your credit card information.</p> <p>“The ramifications can be even greater because the illicit profits made from these types of illegal ventures often fuel other kinds of organized crime,” said John Morton, Immigration and Customs Enforcement Director.</p> <p>Many participants will also purchase from their mobile devices. In fact, last year 7.3 million mobile shoppers plugged away for deals on “Cyber Monday.” That number is expected to double this year to 17.8 million mobile shoppers according to <a href="http://www.prweb.com/releases/ProsperMobileOct11/HolidayShopping/prweb8948969.htm" title="BigResearch" target="_blank">BigResearch</a>. 
With <a href="http://www.bit9.com/orphan-android/?utm_source=Orphan-Android-Landing-Page-11.28.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="mobile malware" target="_blank">mobile malware</a> up 400 percent on Android devices this past year and 52 percent of new smartphone purchases being Android devices in the same year, the risks have never been higher. Information flow and accessibility is only increasing as we trust more sites with this valuable information. Protect yourself against the risks.</p> <p>The Better Business Bureau (BBB) has published some helpful <a href="http://www.bbb.org/us/article/Cyber-Monday-Great-Deals-to-Be-Had-But-Watch-Out-for-Scams-30795" title="tips" target="_blank">tips</a> to avoid the digital Hamburglars of the world and to keep your holiday season protected from these criminals – seemingly something Ronald McDonald never figured out how to do. Follow these tips and assure a happy holiday. </p> <p></p> f1397696-738c-4295-afcd-943feb885714:73068 What's In Your (Google) Wallet? http://rfid.thingmagic.com/rfid-blog/bid/78281/What-s-In-Your-Google-Wallet <p><img src="http://rfid.thingmagic.com/Portals/42741/images/google-wallet-236x190.jpg" border="0" alt="Google Wallet" class="alignLeft" style="float: left;" />Google Wallet has drawn a lot of attention to the act of making purchases with the tap of a smart phone. It’s considered the first <a href="http://rfid.thingmagic.com/rfid-blog/bid/52063/The-Next-Big-Step-Toward-a-Multi-Scale-Wireless-World" title="NFC " target="_blank">NFC </a>mobile wallet system that, with the SingleTap feature, conducts the transaction, redeems coupon offers and earns loyalty points, all in one step. 
Visa has said that their payWave system will work with Google Wallet and American Eagle Outfitters, Macy’s, Toys“R”Us and Jamba Juice have stated that they <a href="http://www.nfctimes.com/news/google-begins-promoting-singletap-wallet-feature?utm_medium=twitter&utm_source=twitterfeed" title="will accept" target="_blank">will accept</a> Google’s SingleTap payment in some of their locations.</p> <p>Using smart phones as wallets is not a new concept, but momentum seems to be growing. In fact just a few weeks ago, Intel and MasterCard announced their alliance to offer a better experience for online shopping. Part of their aim is to provide a safer and simpler checkout process for consumers using devices. If the number of smart phone options and support from financial institutions are any indication, this form of RFID will soon become an integral part of the <a href="http://rfid.thingmagic.com/rfid-blog/?Tag=Consumer+Goods" title="consumer" target="_blank">consumer</a> experience – potentially transforming the retail market.</p> <p>It will be interesting to see if some shoppers lose control of their spending because of the ease of tapping a phone instead of being forced to take cash out of their wallets or signing a credit card slip. It may be those extra motions that make consumers think twice about whether or not they really need to buy that item.</p> <p>Is it only a matter of time before we’re all buying our groceries, clothes and gas with digital dollars?  
Will there come a day when future generations don’t know what paper money is and goods are purchased through the exchange of virtual credits?</p> <p>I’ve bought into the convergence of my phone, MP3 player, rolodex, newspaper, video game system, calendar, camera, and much more, into a single device that I carry in my pocket, but for now I’m sticking to the good ol’ American dollar, bread, buck, clam, dough, frogskins, greenbacks, loot, bones, coin, folding stuff, moolah, spondoolies, wonga…</p> f1397696-738c-4295-afcd-943feb885714:78281 Much Ado about Android http://blog.bit9.com/bid/72794/Much-Ado-about-Android <p><img id="img-1321992436271" src="http://blog.bit9.com/Portals/447/images/sandbox.png" border="0" alt="Sandboxing" class="alignLeft" style="float: left; padding: 10px;" />Chris DiBona <a href="https://plus.google.com/u/0/114765095157367281222/posts/ZqPvFwdDLPv" title="says" target="_blank">says</a> that there is a lot of FUD going on around mobile security recently, Android in particular.  I agree with him that open source software gets a bad rap and isn’t inherently less secure than commercial software.  I also agree that traditional signature AV doesn’t make sense on Android (or anywhere else for that matter).  However, the rest of Chris’ comments are misguided.  He states that “No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen”, and also “No Linux desktop has a real virus problem”.  This <a href="http://www.readwriteweb.com/archives/30000_to_120000_android_users_affected_by_new_variant_of_droid_dream_malware.php" title="isn’t true" target="_blank">isn’t true</a> except for a uselessly narrow definition of the word “virus” as something that has to propagate from phone to phone.</p> <p>Chris’ comments lead to an incorrect conclusion that the sandboxing Android provides is “secure enough”.  This is also wrong.</p> <p>Sandboxing is generally a good thing.  
However, the way it is applied in mobile devices aggravates an <a href="http://www.bit9.com/orphan-android/" title="already untenable" target="_blank">already untenable</a> security situation.  Android’s sandboxing model prevents third party security solutions.  You want whole device encryption, ASLR or DEP?  You can either root your phone to use <a href="http://whispersys.com/whispercore.html" title="real third party solutions" target="_blank">real third party solutions</a> (an unrealistic option), or you can wait for Google to offer it.  This is a <a href="http://en.wikipedia.org/wiki/Monoculture_(computer_science)" title="monoculture" target="_blank">monoculture</a> which prevents the market from being able to provide solutions to real security problems.  Attackers know precisely what is on the target device because third parties can’t play there.</p> <p>This results in a scale that is tipped in favor of the attacker.  Contrary to Chris’ comments that “No major cell phone has a ‘virus’ problem”, attackers <a href="http://www.readwriteweb.com/archives/30000_to_120000_android_users_affected_by_new_variant_of_droid_dream_malware.php" title="can root" target="_blank">can root</a> the phone; zero day <a href="http://www.informationweek.com/news/security/vulnerabilities/229300494" title="vulnerabilities" target="_blank">vulnerabilities</a> do and always will exist in Android and its underlying Linux OS, as with all other operating systems, and threats will emerge that don’t require installing malicious apps.  To think otherwise is naïve.  If you think I have a bias, you may be right.  My phone runs Android and I’ve been an avid Linux user/developer since the days of Slackware 1.0 and Sasteroids, but the company I work for does not sell a mobile security solution.</p> <p>Chris’ comments are too narrowly focused on what he calls “traditional viruses”.  But this ignores many relevant and important threats including one that enterprises face on a daily basis.  
This threat is not FUD, not imagined, not theoretical and it goes by the name APT.  Simply, smartphones are the next major threat to the enterprise and to corporate intellectual property.  I will blog more about this in the days to come, but for now just consider the following facts.</p> <p>The actors who are most likely to find and exploit smartphone vulnerabilities are the ones you least want to find and exploit smartphone vulnerabilities.  Employees have their phones with them everywhere they go.  Software on phones can wake up and record boardroom conversations.  Software on phones can record phone calls, take pictures, and store large amounts of data.  Smartphones are often connected to corporate networks.  And phone data physically leaves the office building every day without going through all of the traditional information security mechanisms that companies rely on for security, ready to be uploaded through the unsecured unmonitored Internet connection at home.</p> <p>Have you seen this happen?  Perhaps not.  But information security isn’t about sitting around waiting for theoretical threats to become real.  It’s about anticipating what we know is possible and doing what we can to stop it before it happens.  
It’s about realizing that the next Aurora or Stuxnet that uses a mobile device is almost certainly already under development.</p> <p>Android is growing in popularity and can no longer hide behind <a href="http://en.wikipedia.org/wiki/Security_through_obscurity#Security_through_minority" title="security through minority" target="_blank">security through minority</a>.</p> f1397696-738c-4295-afcd-943feb885714:72794 Leading Oncology Clinics Recognize Merits of RFID http://rfid.thingmagic.com/rfid-blog/bid/78038/Leading-Oncology-Clinics-Recognize-Merits-of-RFID <p><img id="img-1321913264016" src="http://rfid.thingmagic.com/Portals/42741/images/jordan5.jpg" border="0" alt="XECAN RFID" width="163" height="245" class="alignLeft" style="float: left;" />The state of Massachusetts has long been considered a hub for technology innovation and medical research. So, it’s no wonder that RFID linked the two together in our own backyard.</p> <p title="http://www.thingmagic.com/press-room/27-press-releases/361-xecanandtrimblepartnertodeliverthingmagicpoweredrfidoncologysolution">Recently, ThingMagic <a href="http://www.thingmagic.com/press-room/27-press-releases/361-xecanandtrimblepartnertodeliverthingmagicpoweredrfidoncologysolution" title="announced " target="_blank">announced </a>that several leading oncology clinics had deployed RFID solutions in order to improve patient safety and radiation treatment reliability. In the cases of Commonwealth Newburyport Cancer Center, Lahey Clinic and Jordan Hospital, they looked to RFID to help eliminate “wrong patient, wrong treatment,” commonly associated with human error.</p> <p>The cure has arrived! No, it’s not medicine. It’s innovation with RFID. In the image to the left, a Jordan Hospital patient is wearing a <a href="http://www.xecan.com/online/solution/oncology.htm" title="XECAN" target="_blank">XECAN</a> lanyard with an RFID badge. 
When the patient walks into a CT scan room he is identified automatically by a ThingMagic Astra UHF RFID Reader installed in that room. Because of the extended read range of the reader, patients need only pass within approximately 15 feet to be recognized. Not to worry. Patient-identifiable information can only be viewed within the clinic, and only by authorized staff members.</p> <p>When the patient's badge is read, their chart and treatment plan are immediately opened by the XECAN system. If another patient’s chart is open in the system at the time the new patient arrives at the CT scan room, the first chart is closed and the chart of the patient who is physically present is automatically opened. Treatment devices are also tagged so that they can be detected by ThingMagic Astra readers during treatment. Radiation cannot be started if treatment devices are incorrect or missing. Thi added measure of reliability delivered by the XECAN system gives patients and doctors peace of mind.</p> <p>By automatically identifying the patient, the system eliminates the need for the patient to correct the spelling of their name or reiterate their appointment time, for example, when they have already signed up for an emotionally and physically taxing day. Reducing the manual tasks of the hospital staff allows them to spend more quality time with the patients.</p> <p>In this application, RFID also replaces ID cards with barcodes which can often be cumbersome for the patients to scan if they’ve become worn.</p> <p>When you put it all together – fewer manual tasks for clinicians, peace of mind for the patient and improved reliability for the doctors - the oncology clinics mentioned can offer a far more inviting medical experience. The situation allows for a more successful treatment. 
And who wouldn’t want that?</p> <p>If you would like more information about this deployment, please download our case study:</p> <p><span> <!--HubSpot Call-to-Action Code --> <span> <a href="http://rfid.thingmagic.com/case-study-download---xecan" data-mce-href="http://rfid.thingmagic.com/case-study-download---xecan"><img src="http://d1n2i0nchws850.cloudfront.net/portals/42741/1b656828-c489-4777-9031-172250841b30-1321973926296/download-our-case-study.png?v=1321973926.73" alt="download-our-case-study" style="border-width:0px" mce_noresize="1" data-mce-src="//d1n2i0nchws850.cloudfront.net/portals/42741/1b656828-c489-4777-9031-172250841b30-1321973926296/download-our-case-study.png?v=1321973926.73" data-mce-="data-mce-" /></a> </span><!-- HubSpot Call-to-Action Code --> <!-- hs-cta-wrapper --></span></p> <p>We plan to check in with these Massachusetts clinics in a few months to see how the implementation is going and if they’ve discovered even more unexpected benefits from using the RFID system.</p> <p>We're also interested in your thoughts about the use of RFID in healthcare.  Where to you think it will have the most impact? What RFID-based systems are most effective? Is it best to start with small departmental deployments and scale or go for a full enterprise-wide deployment from the start?</p> f1397696-738c-4295-afcd-943feb885714:78038 Ginger… What? How Android is Left Orphaned and Alone by Manufacturers http://blog.bit9.com/bid/72681/Ginger-What-How-Android-is-Left-Orphaned-and-Alone-by-Manufacturers <p><a href="http://www.bit9.com/orphan-android/graphic.php" target="_blank"><img id="img-1321891643598" src="http://blog.bit9.com/Portals/447/images/bit9.v1e.png" border="0" alt="bit9.v1e" width="240" height="632" class="alignRight" style="float: right; padding: 10px;" /></a>Cupcake, Donut, Éclair, Froyo, Gingerbread, what’s your flavor? 
The majority of smartphone users now have one of these dessert renditions of Android running on them, but did you ever stop and wonder how not having the most fully baked version of Gingerbread could be compromising your own or your company’s security? Many people do not take security into account when purchasing a device and most of them may not even know that the software on their Android device is out-of-date – sometimes right out of the box. </p> <p>In fact, almost every Android phone purchased – no matter how new or old – on the market today does not have the most recent version: 2.3.7. Some are a full year behind the update schedule dictated by Google, which means security vulnerabilities are not being maintained, bugs are not being patched, and loopholes in your system are being left open. To drive home the point, out of all 150 plus Android phones on the market today, only one phone has version 2.3.7 running on it: The Nexus S 4G. And with Ice Cream Sandwich (4.0) weeks away from implementation, who will get updated and when? On Dec. 7, 2010, Gingerbread (2.3) was released. Since then, there has only been a <a href="http://developer.android.com/resources/dashboard/platform-versions.html" title="44.4 percent" target="_blank">44.4 percent</a> adoption rate among all Android devices that have received Gingerbread within the range of 2.3 to 2.3.7. I’m sorry, but to me this just seems ridiculous, doesn’t it?</p> <p>Sure you have a dual processor, a front-facing camera, or an HD display, but behind all that hardware lie serious weaknesses in the software. As consumers, we care only about features we will never receive, programs we can’t install, and bug fixes we’ll never get, but for companies the problems get much larger.</p> <p>Many companies do not take mobile security into account either because of laziness or ignorance, but they should. Juniper Systems noticed a 400 percent increase in malware on the Android platform from the summer of 2010 to 2011. 
That’s pretty big. During this same timeframe, 52 percent of all devices purchased have been of the Android variety, with all of them (barring the Nexus phones) out-of-date at one time or another.</p> <p>The reason why I stress the software update ecosystem of Android, is because it prevents Google from being proactive about security. To steal a quote from my friend Harry Sverdlove here at Bit9, “It’s like watching someone steal their car from the seventh floor at Google headquarters.” They can witness it happen, but there’s virtually nothing they can do about it. This is what happens when you put the manufacturers in charge of deciding what devices get what flavor of Android and when they will push it out to consumers. Don’t even get me started on the carriers.</p> <p>This system gives the power to the manufacturers, while hobbling Google from giving updates to their customers. Google does a great job of resolving problems, but because of its open nature, it’s up to HTC, Motorola, Samsung, etc., to implement the changes to their devices. And because manufacturers are obsessed with getting you from device to device, software updates are not a priority.</p> <p>So what does this all mean to your security? Well, when Microsoft has a vulnerability, loophole or bug, the company can push updates to all consumers because their updates are centrally managed. No waiting for Dell, HP or Toshiba, it just gets there. With Android, manufacturers give halfhearted efforts to differentiate the free and open Android. Because of this, they then have to tinker with their modulated software, sometimes causing more bugs than fixes – if the updates happen at all. 
While the consumer is waiting for any of this to happen, malware is embedding itself on the individual’s device, connecting to their company’s network, and possibly stealing intellectual property or information.</p> <p><a href="http://developer.android.com/resources/dashboard/platform-versions.html" target="_blank"><img id="img-1321892831876" src="http://blog.bit9.com/Portals/447/images/Platform%20Versions%20-%20Android%20Developers2%2011.3.2011.png" border="0" alt="describe the image" width="329" height="153" class="alignLeft" style="height: 153px; width: 329px; float: left; padding: 10px;" /></a>So how do we stop it? Demand more. Consumers speak with their pocketbooks. So demand a device that has a better update schedule. The reason why the Nexus phones get updated on schedule is because they are centrally managed by Google, with the Galaxy Nexus being the newest rendition, set to launch in the coming weeks. Having a mobile device connect to your company’s network is just as bad as, if not worse than, connecting a personal laptop to a company network. Be mindful and informed, and always demand more to protect your personal and corporate security.</p> <p><strong>So where’s Apple in all of this?</strong> So for those of you who ask “Ginger-what?” when trying to make sense of all of these version names and numbers, let me explain. Like the iPhone’s iOS, which numbers each new version sequentially (1.0, 2.0, 3.0, 4.0), Google also numbers new software in this fashion, but additionally attaches an alphabetized dessert name to each improvement to the OS (Cupcake 1.5, Donut 1.6, Éclair 2.1, Froyo 2.2, Gingerbread 2.3, and Honeycomb 3.0 – for tablets). 
Apple centrally manages everything, so unless you do not dock your phone to iTunes – which happens more than you think – you have the latest security fixes for the iPhone 3GS, 4 and 4S.</p> <p>For more information regarding our report, please visit: <a href="http://www.bit9.com/orphan-android/" title="Report" target="_blank">Report</a>.</p> <p><span>If you like this blog post, please follow us on Twitter </span><span><span><a href="http://twitter.com/#!/Bit9" title="@Bit9" target="_blank">@Bit9</a>, </span></span><span><a href="http://www.facebook.com/Bit9Inc" title="Facebook" target="_blank">Facebook</a></span><span> and </span><span><span><a href="https://plus.google.com/104525236349138185546#104525236349138185546/posts" title="Google+" target="_blank">Google+</a>.</span></span></p> <p><em>* All information provided is accurate as of Nov. 3, 2011. As you can imagine, this information is constantly evolving and subject to change.</em> </p> f1397696-738c-4295-afcd-943feb885714:72681 Orphan Android: The Not-So-Smartphones of 2011 http://blog.bit9.com/bid/72676/Orphan-Android-The-Not-So-Smartphones-of-2011 <p><a href="http://www.bit9.com/orphan-android/" target="_blank"><img id="img-1321973974564" src="http://blog.bit9.com/Portals/447/images/OptionA2.jpg" border="0" alt="Orphan Android" width="259" height="311" class="alignRight" style="float: right; padding: 10px;" /></a>It’s that time of the year again, when Bit9 releases its annual Dirty Dozen report to highlight software vulnerabilities and the risks they pose to both consumers and corporations – except this year is different. Instead of our usual report on the most vulnerable applications, we decided to tackle the fastest emerging threat vector facing the security industry… smartphones. 
There will soon be over ½ billion smartphones in use worldwide, with the majority of consumers using their devices for both personal and business use.</p> <p>Smartphones running the Android operating system represent the majority of all new phone purchases. Unlike Apple iOS, RIM Blackberry or Windows Phone, the phone manufacturer – not the software vendor – is responsible for providing Android software updates to their smartphone.  Phone carriers also inject themselves into the process, selling further customized models and sometimes charging data usage for software updates. The result is chaos. As anyone who has ever owned an Android phone can attest, waiting for your phone to receive the latest Android release is like walking through prickly bushes – slow, painful, and sometimes buggy (except for the Google Nexus phone, the only model where Google is responsible for the software updates).</p> <p>It should come as no surprise that all of the top 12 most vulnerable smartphones of 2011, are Android phones. <a href="http://developer.android.com/resources/dashboard/platform-versions.html" title="More than half" target="_blank">More than half</a> of all Android devices are running a version of the operating system that is over 18 months old. In this year’s <a href="http://www.bit9.com/orphan-android/" title="report" target="_blank">report</a>, we dove deep into the waters to understand how well manufacturers perform with regard to updates. The results were disappointing at best.</p> <p>Most Android phones come to market at least one major version behind the latest Android release, and they stay around six months behind the update curve moving forward. Manufacturers come out with newer models every 12 to 18 months and quickly end-of-life their previous models, usually well before the two year contracts most users sign with their carriers. Many times, updates are not pushed over-the-air (OTA). 
Users are required to go to support websites, download and unzip packages, manually backup their data, and wade through painful processes to get the latest updates. When OTA updates are released, they are staggered across geographies and phone carriers and can take months before reaching all affected models. Samsung – recently declared the world’s <a href="http://www.pcworld.com/article/243861/samsung_becomes_biggest_smartphone_vendor_as_androids_market_share_grows.html" title="biggest smartphone vendor" target="_blank">biggest smartphone vendor</a> – performed the worst of the top four Android manufacturers. Initial releases and updates to Samsung Android phones fall, on average, eight months behind Android’s release schedule (that’s counting when they <em>start</em> rolling out updates; no one knows how long the process actually takes).</p> <p>Why does any of this matter? Because the average smartphone user only spends about 3% of their device time actually using the phone. These are not phones which happen to be “smart”; these are small computers which happen to be phones. We use them for email, business documents, web browsing, online shopping, banking and more. They contain our private information and confidential data. We need to start viewing these devices with the same security scrutiny as we view normal computers and laptops.</p> <p>All software has vulnerabilities. The Android code is no more vulnerable than Apple iOS or any other operating system. The issue is what happens when a flaw is discovered. The quicker a software update can be distributed, the more secure you are. The longer a device remains outdated with known vulnerabilities, the greater the risk.</p> <p>The Android market has cultivated innovation and significant growth in the smartphone industry, but there are systemic problems in the distribution ecosystem which adversely impact security. 
It’s time to raise industry awareness and put pressure on the manufacturers and carriers to do better.</p> <p>To read the complete Bit9 Report of The Most Vulnerable Smartphones of 2011, click <a href="http://www.bit9.com/orphan-android/" title="here" target="_blank">here</a>.</p> <p>If you like this blog post, please follow us on Twitter <a href="http://twitter.com/#!/Bit9" title="@Bit9" target="_blank">@Bit9</a>, <a href="http://www.facebook.com/Bit9Inc" title="Facebook" target="_blank">Facebook</a> and <a href="https://plus.google.com/104525236349138185546#104525236349138185546/posts" title="Google+" target="_blank">Google+</a>.</p> <p><em>* All information provided is accurate as of Nov. 3, 2011. As you can imagine, this information is constantly evolving and subject to change.</em> </p> f1397696-738c-4295-afcd-943feb885714:72676 Google Music: A Hacker's Paradise? http://blog.bit9.com/bid/72482/Google-Music-A-Hacker-s-Paradise <p><a href="https://market.android.com/" target="_blank"><img id="img-1321491923952" src="http://blog.bit9.com/Portals/447/images/Home%20-%20Android%20Market.png" border="0" alt="Google Music" width="658" height="350" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto; padding: 10px;" /></a>Vinyl, magnetic tape, compact disc, MP3, and now streaming. These services have allowed Lead Belly, Bing Crosby, Buddy Holly, The Beatles, Marvin Gaye, Michael Jackson, Nirvana or Lady Gaga to get repurposed to you over and over. Because of these innovations, the music industry has reinvented itself, consolidated and reprioritized its efforts time and again – sometimes against its will – in order to stay relevant to the needs of their consumers. Streaming is nothing new to us. <a href="http://en.wikipedia.org/wiki/Moore's_law" title="Moore’s Law" target="_blank">Moore’s Law</a> has never been more appropriate in the last decade. 
We’ve seen cellphones become smartphones, record stores vacated to the web, and now virtually all content having a cloud management tool available. All of this has taken the album out of our hands, our ears out of the record store, and glued our eyes to the computer screen.</p> <p>Now trust me, cloud services are cool. I’m not trying to pretend to be some nostalgic hipster too preoccupied with jeans that don’t fit, an unsustainable vegan diet or an ironical infatuation with The Beach Boys all while I smoke outside of the health food store – don’t worry they’re just cloves. But to be honest, what seems like a never ending effort to give the consumer their catalog wherever they want it could also create new security threats. For hackers, making your catalogue more convenient and accessible could open doors to rooms you never thought would have them.</p> <p>Today Google announced <a href="http://music.google.com/about/" title="Google Music" target="_blank">Google Music</a>, the latest effort by Google to bring more of your content to the web. With this service, users will be allowed to upload 20,000 songs for free to Google Music’s digital locker as well as share purchased content with their friends on the company’s social networking site <a href="https://plus.google.com/104525236349138185546/posts" title="Google+" target="_blank">Google+</a>. With Google Music, the Mountain View juggernaut is trying to take a page from Facebook and Spotify’s partnership, using social media to propagate word-of-mouth endorsements of particular artists, songs or albums. Unlike Spotify, which is only a subscription service not a direct purchasing platform, Google Music will be able to endorse content that was directly purchased by the user on Google+. This effort has been tried before with Apple iTune’s <a href="http://www.apple.com/itunes/ping/" title="Ping" target="_blank">Ping</a> service, which allows users to directly follow an artist’s recommendations for additional content. 
But with regards to true direct purchasing like iTunes, no other service offers a social media platform for endorsing these purchases through a cloud-based program quite like Google Music. Sorry Amazon.</p> <p><a href="http://music.google.com/about/" target="_blank"><img id="img-1321492784392" src="http://blog.bit9.com/Portals/447/images/Home%20-%20Music%20Beta.png" border="0" alt="Home Music Beta" width="341" height="160" class="alignLeft" style="height: 160px; width: 341px; float: left; padding: 10px;" /></a>So how does all this affect your security? Even to the casual user, most people who use <a href="https://twitter.com/#!/Bit9" title="Twitter" target="_blank">Twitter</a>, Gmail, <a href="http://www.facebook.com/Bit9Inc" title="Facebook" target="_blank">Facebook</a>, etc., can probably think of a time when the service was either overloaded or hacked. <a href="http://articles.cnn.com/2011-10-12/entertainment/showbiz_hacking-arrest_1_mails-authorities-charge-identity-theft?_s=PM:SHOWBIZ" title="Scarlett Johansson" target="_blank">Scarlett Johansson</a>, Christina Aguilera, Mila Kunis or Vanessa Hudgens ring a bell? Now maybe you’re not a celebrity – sorry for the harsh reminder to those who want to be – but ultimately you are still at risk. Phishing attacks are becoming more and more relevant, and with Google Music allowing users to upload 20,000 songs to their site as well as purchase over 13 million copyrighted MP3s, hackers now have an incentive to target an individual who may not have a dog as an accessory.</p> <p>For those who are not familiar, a phishing site is a clone of the login page of a trusted site you use (Twitter, Facebook, Gmail, or Google Music) that a hacker sets up to get you to enter your login credentials. Once you make the mistake of assuming it is the actual site, you’ll usually log in as if everything is hunky dory – “<a href="http://en.wikipedia.org/wiki/Hunky_Dory" title="Hunky Dory" target="_blank">Hunky Dory</a>,” also not a bad Bowie album. 
When you do this however, the hacker now has all they need: access to the site under your name. From there, they can do as they like, in this case, steal control of your account or catalogue. Scared yet?</p> <p>So with all of this, stay mindful of the risks, be aware of the vulnerabilities, and well, don’t be <a href="http://blog.bit9.com/bid/68217/Why-End-User-Security-Fails-People-are-Dumb?utm_source=BLOG-People-Are-Dumb-11.16.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="dumb" target="_self">dumb</a>. If you are usually always logged into your accounts, be mindful anytime the site asks you to re-login. More than likely, it’s a phishing attack. Usually these sites get pumped to you from a referrer. This could be a direct message on Twitter, Facebook or Google+ asking you to check out something. From there, you will be prompted to login again. My recommendation for when this happens? Try to travel to these sites the way you always do when accessing the notification you’ve been alerted to. Once properly logged in, if the notification isn’t there, it’s probably safe to assume it’s a phisher. No security is perfect, and there are always loopholes. So be aware of the risks on these sites and mindful with how you get there. </p> <p></p> f1397696-738c-4295-afcd-943feb885714:72482 Raising the Stakes for Internal Fraud http://feedproxy.google.com/~r/bankfraudforum/~3/zgRyqI1HtTU/Raising-the-Stakes-for-Internal-Fraud.aspx <p> <span>Earlier this week, Bank Info Security released an article on the Computershare civil suit against a former employee for stealing company information and shareholder data. The piece discusses the potential impact such a suit might have on the financial services industry, and I was able to contribute my two cents about the matter. </span> </p> <p> <span>My opinion is, that in the case of data breaches and insider fraud, legal action against employees is historically rare. 
Most of the time these incidents are handled as internal matters; the exceptions have only been the worst or largest breaches and fraud schemes. </span> </p> <p> <span>But, we do see a shift in how firms are approaching internal fraud. A handful of high profile internal data breaches and fraud cases (e.g., SocGen, UBS, Madoff ...</span> </p> {FD524CA6-08E6-4F96-9EDC-67DEA18F1508} Raising the Bar for RFID Readers http://rfid.thingmagic.com/rfid-blog/bid/77668/Raising-the-Bar-for-RFID-Readers <p><b><em>Helping Enterprises Realize the Value of RFID</em></b></p> <p>Economies such as the one we are living and working in now, are forcing enterprises to trim costs while maintaining, and even increasing output. This approach requires skill and creativity to avoid misguided cost-cutting initiatives.  One could argue it also requires making intelligent technology investments that can pay for themselves quickly while establishing a foundation for smart growth.  That’s where RFID comes into the picture. RFID isn’t unattainable.  It isn’t a pie in the sky solution that requires a team of engineers and it isn’t cost-prohibitive.  
It’s right here in front of us waiting to help.</p> <p><b>Taking Flexibility and Integration to a New Level</b></p> <p>Those of you who are familiar with ThingMagic most likely saw the product <a href="http://www.thingmagic.com/press-room/27-press-releases/373-trimbleexpandsenterpriserfidcapabilitieswiththingmagicmercury6readerupgrade%20class=latestnews" title="announcement " target="_blank">announcement </a>we made last week. Enhancements to our <a href="http://www.thingmagic.com/fixed-rfid-readers/mercury6" title="Mercury6 (M6)" target="_blank">Mercury6 (M6)</a> UHF RFID Reader raise the bar for flexibility and integration.  For reasons, in part brought about by current market conditions, high-quality reader capabilities are much needed by enterprises today.  The firmware upgrade to our M6 reader includes several enhancements to address these needs, most notably support for Low-Level Reader Protocol (LLRP) and Reader-Hosted Applications.</p> <p><b>What is LLRP and Why Now?</b></p> <p>Let’s first start with <a href="http://www.epcglobalus.org/" title="EPCglobal " target="_blank">EPCglobal </a>- the organization that supports the adoption and implementation of standards-based Electronic Product Code™/Radio Frequency Identification (EPC/RFID) technology.  EPCGlobal was responsible for standardizing the tag and reader radio frequency interface protocol with the UHF Gen 2 standard.  As a next step in facilitating the adoption of EPC and RFID technology, EPCglobal ratified the LLRP standard, a specification for the network interface between the reader and its controlling software or hardware.  In creating LLRP, EPCglobal included air-protocol configurations and a robust set of vendor extension points that support the flexibility and integration required to innovate. The FAQ can be found <a href="http://rfid.thingmagic.com/Raising%20the%20Bar%20for%20RFID%20Readers" title="here" target="_blank">here</a>.</p> <p>We’ve chosen to implement LLRP now for two primary reasons. 
 First, a growing number of enterprise organizations are deploying RFID technology.  In doing so, they need to integrate data generated from RFID reads with existing standards-based enterprise systems to support critical aspects of their business.  Secondly, as the distribution channels for RFID products continue to evolve, supporting standards is crucial.  Supporting LLRP and other standards makes it easier for our channel partners to sell and support ThingMagic products.  The bottom line is that all of this makes it easier for customers to deploy and manage their RFID systems, allowing them to recognize the business benefits of RFID faster.</p> <p><b>Reader-Hosted Applications</b></p> <p>Also included in the upgrade is a Linux-based operating system capable of hosting on-reader applications. This feature allows the M6 reader to perform application-specific actions independently, providing solution developers the opportunity to differentiate their offerings to the enterprise market.</p> <p>An example of this is a solution developed by ThingMagic partner <a href="http://www.thingmagic.com/press-room/27-press-releases/361-xecanandtrimblepartnertodeliverthingmagicpoweredrfidoncologysolution%20class=latestnews" title="XECAN" target="_blank">XECAN</a>, a leading provider of RFID patient safety solutions for the healthcare market.  XECAN developed an RFID plug-in application designed to eliminate patient identification and potential treatment errors by interfacing directly with Electronic Medical Record (EMR) software.  This application is hosted directly on the ThingMagic reader (in this case an Astra reader, but could just as easily have been an M6).  
According to Bin Yang, Ph.D., CEO of XECAN, “By embedding our agent software directly onto the Astra reader, we’ve made our RFID Oncology Solution truly plug-and-play…This breakthrough advantage sets us apart while enabling us to provide an affordable, yet highly reliable RFID system.”</p> <p><b>Multiple Choice</b></p> <p>It’s important to note that, with this upgrade, ThingMagic customers now have the option of operating M6 readers with the ThingMagic MercuryAPI or LLRP depending on their project requirements.  Existing M6 customers can take advantage of LLRP by upgrading to the new interface without changing how their current host programs interact with the API – making the transition seamless and transparent.  If desired, customers can continue to use the ThingMagic <a href="http://www.thingmagic.com/mercuryapi" title="MercuryAPI " target="_blank">MercuryAPI </a>- a common <a href="http://rfidtribe.com/index.php?option=com_content&view=article&id=105&Itemid=99" title="application programming interface" target="_blank">application programming interface</a> implemented across all of ThingMagic's readers.</p> <p>To help you visualize the value of the MercuryAPI and how you can develop an application that takes advantage of the breadth of ThingMagic’s product line, including the USB desktop reader, Astra integrated reader, Vega in-vehicle reader and the Mercury6, watch the following video: <em>ThingMagic Mercury6 (M6) RFID Reader Makes Integration Easy</em></p> <p><em><a href="http://rfid.net/product-listing/reviews/379-thingmagic-mercury6-m6-rfid-reader-makes-integration-easy" target="_blank"><img id="img-1321296445301" src="http://rfid.thingmagic.com/Portals/42741/images/M6-Play.jpg" border="0" alt="ThingMagic M6 RFID Reader" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></a><br /></em></p> <p>As illustrated below, with one application, enterprises can gain access to location, employee identification and time stamp 
information that allows them to track assets throughout the entire chain of custody, including plotting the location of the assets in-transit using integrated GPS.</p> <p><img id="img-1321296570211" src="http://rfid.thingmagic.com/Portals/42741/images/5TagScreenshot.bmp" border="0" alt="RFID Application" width="474" height="333" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p><b>RFID Tag Selection & Automated Placement Testing</b></p> <p>Another important aspect of creating any successful RFID application is knowing where to place the RFID tag for maximum performance. But don’t worry, it’ll be easy.  We’ve done the work for you in our lab, and it can be seen in the video, “<em>RFID Tag Placement: Where do you stick it?</em>”</p> <p><a href="http://rfid.net/best-practices/43-best-practices/134-tag-it-right-passive-rfid-tag-placement" target="_blank"><img id="img-1321296102414" src="http://rfid.thingmagic.com/Portals/42741/images/TagPlacement-Play.jpg" border="0" alt="RFID Tag Placement" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></a></p> <p><b>It’s Time to Reshape the Way We Think About RFID</b></p> <p>There is no doubt that over the next decade, RFID systems will become an integral part of the consumer and business experience. The convergence of wireless technologies will be augmented by RFID systems. The development of passive RFID as part of this platform will be driven by the potential to measure, report and monetize a growing number of transactions in the physical world.</p> <p>Similar to the mobile phone, the widespread integration of GPS into today’s commercial and consumer positioning solutions, and the adoption of this thing called the Internet, RFID is ready to transform markets.</p> <p>Only time will tell the scale and impact RFID will have, but I for one, bet it will be a big one.</p> f1397696-738c-4295-afcd-943feb885714:77668 Can We Do Better? 
http://feedproxy.google.com/~r/bankfraudforum/~3/3KgSY5a2m9A/Can-We-Do-Better.aspx <p>With the new year here, I figured it was a good time to step back and take stock of our progress – as an industry – in the ongoing battle against fraud. A frank assessment: we could be doing a lot better. </p> <p>Sure, there are always improvements that can be made to the organizations, processes and technologies that must come together to solve a complex issue like fraud management. But I think the more important barriers our industry faces are more fundamental and structural in nature. Specifically, I see the following: </p> <p> <strong>The Boiling Frog</strong> <br />Our industry’s slow reaction to the growing, morphing fraud problem makes me think of the boiling frog phenomenon. If you haven’t heard of it ...</p> {A4DBBE5F-AA5F-4058-AF75-3ACDFA8DB6BC} “Getting it Right” at the NACHA Mega Meeting http://feedproxy.google.com/~r/bankfraudforum/~3/t_6ALnR7154/Getting-it-Right-at-the-NACHA-Mega-Meeting.aspx <p>Last week, ACH payments and fraud prevention professionals attended the NACHA Council Mega Meeting held on the waterfront in Boston, MA. In the sessions related to quicker payment processing, the overall sentiment was that banks need to do a better job of monitoring to manage the increased exposure. Two of the hottest topics were Expedited Processing and Settlement and, of course, the new supplement to the 2005 FFIEC Guidance. 
</p> <p>Expedited Processing and Settlement (EPS): As anyone who is involved in ACH payments knows, NACHA is proposing a new payment option called EPS, which would allow ...</p> {116F5FCF-F143-4386-8A9D-1FD5A9D5D3FE} Hackers Go Phishing on Twitter http://blog.bit9.com/bid/70498/Hackers-Go-Phishing-on-Twitter <p>To most people when we think of phishing attacks we usually relate it to email spam flooding our inbox. Sometimes, if we’re really lucky, we get a message from a hacked email account of a friend, coworker or supervisor drawing us back to a cloned landing page hungry for our login credentials. It’s an impossible hope that employees remain hyper vigilant or alarmingly paranoid regarding every single email. 
To compound the threat, Twitter has recently become the latest hotbed of phishing attacks.</p> <p><a href="http://blog.bit9.com/bid/68217/Why-End-User-Security-Fails-People-are-Dumb?utm_source=BLOG-TwitterHotbedForPhishingAttacks(PeopleAreDumb).10.24.2011&utm_medium=Blog%2BPicture%2BLink&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1319481243943" src="http://blog.bit9.com/Portals/447/images/Jersey%20Shore.jpg" border="0" alt="Jersey Shore Apocalypse" width="294" height="347" class="alignLeft" style="float: left; padding: 10px;" /></a>Cybercriminals are now <a href="http://nakedsecurity.sophos.com/2011/10/23/found-a-funny-picture-of-you-twitter-phishing-attack/" title="hacking" target="_blank">hacking</a> into Twitter accounts and blasting direct messages to followers, with the hope that they login to the phished site to address an attributed photo or a “bad blog” about themselves. First of all, congratulations if you’ve reached the pinnacle of the socially digital world and believe that someone is so concerned in relation to your existence that they could only express it in a blog. Probably unlikely, but if you are one of these chosen few, clicking on a link that was only accessible while being logged into Twitter in the first place, but now otherwise requiring an additional login might be a warning sign. Another red flag could be that your saved credentials that usually auto-fill within the login page are no longer utilized. Come on, just use common sense.</p> <p>I know for IT professionals, resolving the Problem Exists Between Keyboard and Chair (PEBKAC), can sometimes seem like a logical human being trying to tell someone that their love for the show “The Jersey Shore” will directly result in the fall of modernity. Because sometimes no matter how reasonable something may seem to someone, it isn’t necessarily a guarantee they’ll follow through. But the important thing is to realize that these attacks are real and the second step is to act. 
An educated employee is more secure than the alternative. If we can learn to educate, apply common sense at our desks and take <a href="http://www.bit9.com/products/bit9-parity-suite.php?utm_source=BLOG-TwitterHotbedForPhishingAttacks(ParityAD).10.24.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" title="proper security procedures" target="_blank">proper security procedures</a> to alleviate these threats, we’ll all be better off. </p> f1397696-738c-4295-afcd-943feb885714:70498 Laundry is Less of a Dirty Chore with RFID http://rfid.thingmagic.com/rfid-blog/bid/76233/Laundry-is-Less-of-a-Dirty-Chore-with-RFID <img id="img-1319465335752" src="http://rfid.thingmagic.com/Portals/42741/images/laundry1-resized-600.jpg" border="0" alt="RFID Laundry Management" width="184" height="170" class="alignLeft" style="float: left;" /> <p>If there is one thing we know about RFID, it’s that if there is one way to use it within a market or market segment, there are 100 ways. Using RFID to modernize or improve laundry management is no different.  RFID-enabled laundry applications are being used in hotels, casinos, government offices, hospitals, schools, professional sports, and basically any institution that deals in employee uniforms, garments and linens.  </p> <p>The benefits of implementing an RFID-enabled laundry system range from streamlining processes to eliminating inventory errors, decreasing manual labor, and even reducing the spreading of disease. More advanced business objectives can include improved energy and water efficiency. All of these benefits have a direct, positive impact on the bottom line, which is often the case with enabling a process with RFID.</p> <p>However, it’s not just the use of RFID in general that improves laundry management. 
It’s very specific capabilities that have been designed into RFID tags and readers, and the manner in which they operate with one another that make this use of RFID truly innovative.</p> <p>The RFID tags used in laundry management need to be able to withstand water immersion, extreme heat, pressure and chemicals. On the flip side, RFID readers need to be able to read tags simultaneously for clothing or other items that may be stacked or in piles. As the technology has evolved, UHF RFID solutions are beginning to replace other RF and proprietary technologies in this space (we are also seeing the same thing in waste management, tolling, access control, and other markets and applications).  UHF has proved to be ideal for laundry management because, not only can it be used to identify and locate hundreds of items per second, but it also has the added benefit of reading items from greater distances.</p> <p>For organizations that need to track their garment inventory in large batches, UHF technology allows them to eliminate the less efficient practice of single-piece barcode or proprietary tag scans. Further, they can eliminate or reduce the number of expensive, dedicated read stations which can lead to added time-saving and cost reduction benefits.</p> <p>Now, take into consideration that many businesses don’t have a laundry facility on-site. In these cases, the laundry is shipped elsewhere to be cleaned and sorted, making the management piece a little more challenging. If the laundry is done off-site, the implementation of RFID portals and use of tag directionality features can play a big role. It can be used to tell if the items are leaving or arriving for better inventory precision. 
Points of loss can be identified so that any necessary corrections can be made to prevent similar situations in the future.</p> <p>Share your experiences or thoughts on the use of RFID for laundry management.  We’re eager to hear them!</p> f1397696-738c-4295-afcd-943feb885714:76233 Saving Trees, One SAR e-Filing at a Time http://feedproxy.google.com/~r/bankfraudforum/~3/LvZ-arE5XCc/Saving-Trees-One-SAR-eFiling-at-a-Time.aspx <p>In September, FinCEN released for comment a proposal to make <a href="http://www.fincen.gov/news_room/nr/html/20110914.html" target="_blank">electronic filing of SARs</a> mandatory as of June 30, 2012. FinCEN’s e-filing system has been available since October 2002, and about 85% of BSA reports are currently filed electronically. 
</p> <p>If you were unaware of this...</p> {B9701101-59D3-4419-B4E2-D0442CE8471C} The latest Advanced Persistent Threat: Stuxnet-derived Duqu http://blog.bit9.com/bid/70004/The-latest-Advanced-Persistent-Threat-Stuxnet-derived-Duqu <p>It was bound to happen sooner or later.  A <a href="http://www.nytimes.com/2011/10/19/technology/stuxnet-computer-worms-creators-may-be-active-again.html?_r=1&ref=technology" title="new derivative of Stuxnet" target="_blank">new derivative of Stuxnet</a> has been found targeting industrial control firms.  There isn't much information about this new Trojan, yet, as it was only disclosed a few days ago, but a few facts seem fairly evident already.  The purpose of this Trojan is to steal information about equipment used to build or control our national infrastructure in order to learn their vulnerabilities.</p> <p>This ain't script kiddies; this screams <a href="http://blog.bit9.com/bid/53644/Connecting-the-Sony-RSA-and-Google-dots" title="nation state" target="_blank">nation state</a>.  
And for every breach like this that we detected, there are likely many more that remain unknown.</p> <p><a href="http://www.bit9.com/products/bit9-parity-suite.php?utm_source=BLOG-Stuxnet-derivedDuqu(ParityAD)10.19.2011&utm_medium=Blog%2BPicture&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1319042289122" src="http://blog.bit9.com/Portals/447/images/cyber-war-button-ars-thumb-640xauto-21466.jpg" border="0" alt="describe the image" width="332" height="187" class="alignLeft" style="float: left; padding: 10px;" /></a>As was the case in the <a href="http://security.blogs.cnn.com/2011/10/17/sanctions-and-stuxnet-hurting-irans-nuclear-ambitions/?hpt=wo_bn1" title="Stuxnet attacks" target="_blank">Stuxnet attacks</a> in Iran, the targeted systems involved appear to be SCADA systems, which are usually ancient and vulnerable Windows-based software control systems for operating power plants, refineries, transportation systems and the like.</p> <p>One pattern unique to cyberwar compared to conventional warfare that this episode demonstrates is the rapid proliferation of weapons that the digital domain makes possible.  This fact makes deployment of sophisticated digital weaponry like Stuxnet a very risky proposition.  If the technology is discovered, it is easy for adversaries to copy and adapt it, and potentially use it against the nation of origin.</p> <p>But there are ways to mitigate this sort of infrastructure risk.  
As <a href="http://youtu.be/S-ZjWVC6_bg" title="Richard Clarke " target="_blank">Richard Clarke </a>has previously bemoaned, if only we could get the owners of such vulnerable infrastructure to follow the obvious advice and disconnect it from the Internet.</p> <p>If only.</p> <p> </p> f1397696-738c-4295-afcd-943feb885714:70004 ThingMagic Named Frost & Sullivan ‘Mover & Shaker’ http://rfid.thingmagic.com/rfid-blog/bid/75602/ThingMagic-Named-Frost-Sullivan-Mover-Shaker <p><img id="img-1318865615645" src="http://rfid.thingmagic.com/Portals/42741/images/Frost-Sullivan-Logo-resized-600.gif" border="0" alt="Frost & Sullivan" class="alignLeft" style="float: left;" />Analyst firm Frost & Sullivan recently featured ThingMagic and General Manager, Tom Grant as one of its much acclaimed <a href="http://www.frost.com/prod/servlet/market-insight-top.pag?Src=RSS&docid=244109997" title="Movers & Shakers" target="_blank">Movers & Shakers</a>. In their Movers and Shakers interviews, Frost & Sullivan places the spotlight on dynamic companies and leaders recognized for achieving milestones such as launching a breakthrough technology or implementing a revolutionary vision for the future of their industries. Needless to say we are very appreciative of being asked to participate.</p> <p>Frost & Sullivan’s interview with ThingMagic explores interest in our business since being acquired by <a href="http://www.trimble.com/" title="Trimble" target="_blank">Trimble</a>.  As a division of Trimble, we are now in a better position to deliver UHF RFID products and solutions to the marketplace. As Grant said in the interview, “We have not changed post the acquisition, we have just become stronger.”</p> <p>In describing what innovation means to ThingMagic, Grant explains that the most innovative solutions are those where users can interact with RFID naturally and where the technology is so integrated and transparent that it disappears.  
We’ve seen this in a growing number of deployments including those by <a href="http://rfid.thingmagic.com/case-study-download---ford-case-study/?utm_campaign=Case%20Study%20Download" title="Ford Motor Company" target="_blank">Ford Motor Company</a> and <a href="http://rfid.thingmagic.com/rfid-blog/bid/34653/Enhancing-the-Patient-Experience-with-RFID" title="The Disney Family Cancer Center" target="_blank">The Disney Family Cancer Center</a>.  We’re also seeing this begin to take hold in solutions like <a href="http://rfid.thingmagic.com/rfid-blog/?Tag=Smart+Displays" title="presence-based smart displays" target="_blank">presence-based smart displays</a> and kiosks where RFID is helping to create a seamless and pervasive interaction between people, the environment, and information. This innovation in content delivery and management systems is also intersecting with <a href="http://rfid.thingmagic.com/case-study-download---odin/" title="social networks" target="_blank">social networks</a>, which makes it attractive to new markets and an expansive base of new users.</p> <p>The interview also highlights ThingMagic’s <a href="http://rfid.thingmagic.com/rfid-blog/bid/34597/The-Next-Revolution-in-Wireless-and-Mobility" title="vision" target="_blank">vision</a> of how RFID solutions and innovation will drive the next revolution of wireless and mobility.  We believe that the next wave of innovation and success will come from combining technologies such as active and passive RFID, GPS, Wi-Fi, and Bluetooth.  The success metric will be when the best of these technologies are combined in a hybrid product or solution that is less defined by the technology and more about what the users can accomplish with it. </p> <p>As a market, we’ve reached several important milestones.  It’s time to set our sights on the next one. 
We need to start thinking beyond the enabling technology and focus on the value of the data generated by RFID reads and how it can be applied to business processes.  “It is time we reshape the way we think about RFID”, says Grant.</p> <p>What do you envision the next RFID milestone to look like?</p> f1397696-738c-4295-afcd-943feb885714:75602 Microsoft: Choose Your Words Carefully http://blog.bit9.com/bid/69475/Microsoft-Choose-Your-Words-Carefully <p>The media is <a href="http://www.pcmag.com/article2/0,2817,2394513,00.asp" title="abuzz" target="_blank">abuzz</a> over news from Microsoft that the security threat from Zero-Day exploits is "overblown" and that companies should therefore reevaluate their priorities.  This <a href="http://www.microsoft.com/presspass/press/2011/oct11/10-11SIRZeroPR.mspx" title="commentary" target="_blank">commentary</a> from Microsoft derives from their assessment of data collected as part of their Security Intelligence Report (SIR) <a href="http://www.microsoft.com/security/sir/default.aspx" title="volume 11" target="_blank">volume 11</a>.</p> <p>My advice?  Take Microsoft's advice on this point, carefully write it down in a memo, tear it up and throw it out the window.</p> <p>Microsoft's reasoning for this advice is that Zero-Day exploits count for less than one percent of attacks.  This isn't a lie or a damn lie, it's beyond that - it's a statistic - a statistic that desperately needs to be considered in its proper context.</p> <p><img src="http://blog.bit9.com/Portals/447/images/A-Windows-Vista-Zero-Day-Exploit-Costs-50-000-2.png" border="0" alt="A Windows Vista Zero Day Exploit Costs 50 000 2" class="alignLeft" style="float: left;" />Many current enterprises have thousands, tens of thousands, or even hundreds of thousands of security alerts coming from their SIEMs on a daily basis.  If even a fraction of these represent real threats, how many of these represent Zero-Day attacks?  
The important piece of information missing from this ill-advised advice is the risk associated with Zero-Day attacks.  Even if they are a small number of overall attacks, they are a significant component in a much higher percentage of successful, targeted and advanced persistent threat (APT) attacks.  The majority of attacks are blind, non-targeted attacks - highly unlikely to exfiltrate your company's secrets.</p> <p>Should we dismiss <a href="http://www.wired.com/threatlevel/2010/01/hack-of-adob/" title="Aurora" target="_blank">Aurora</a>?  <a href="http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities" title="Stuxnet" target="_blank">Stuxnet</a>?  Because these attacks represent less than one percent of all exploits?  Microsoft released SIR at an RSA conference (<a href="http://news.cnet.com/8301-27080_3-20051071-245.html" title="Oh the irony" target="_blank">Oh the irony</a>!).</p> <p>Yes, there are lots of threats companies deal with and some probably deserve more attention than they get, but companies that have done their due diligence in other ways and have generally good security are rightfully searching for ways to mitigate or prevent Zero Days.  Advice that downplays the threat that Zero Days pose just won’t do anybody any good.</p> f1397696-738c-4295-afcd-943feb885714:69475 Letter from Client Services http://feedproxy.google.com/~r/bankfraudforum/~3/Z88Eft19lT8/Letter-from-Client-Services.aspx <p>It’s now been three months since I joined Memento, and I want to take the opportunity to say hello, communicate some of the exciting changes which are taking place, and offer my perspective on what you can expect to see from us going forward. </p> <p>Perhaps I should start with what hasn’t changed. What hasn’t changed is Memento’s commitment to, and passion for, helping its customers detect, prevent and manage fraud. 
This dedication spans the products we build, the consulting services we deliver, and the ongoing relationships we develop. Our goal is to help you successfully deal with your ever-changing fraud-related challenges, and ultimately enable you to reduce losses and exposure to risk. </p> <p>What has changed is how we accomplish this. For starters, we recently ...</p> {DE1F593A-13A8-413F-8F44-10A7853E12F8} CHEW on this: Today’s Threat Landscape http://blog.bit9.com/bid/69350/CHEW-on-this-Today-s-Threat-Landscape <p><a href="http://www.mandiant.com/news_events/article/mircon_event_page" target="_blank"><img id="img-1318429812407" src="http://blog.bit9.com/Portals/447/images/Mircon%202011.gif" border="0" alt="MIRcon 2011" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></a><br />I’m in DC at the Mandiant Incident Response Conference (MIRcon). <a href="http://www.bit9.com/company/news-release-details.php?id=215" title="Richard Clarke" target="_blank">Richard Clarke</a>, who is on the Bit9 board of directors, gave the opening keynote address. In talking about the threats we face today, he spoke about the importance of knowing your enemy, and he coined an interesting acronym for remembering these actors: CHEW.</p> <ul> <li>(Cyber) <b>C</b>riminals: Organized groups of criminals who hide in “cyber sanctuary” countries like Eastern Europe. 
They use malware toolkits, malicious emails, and compromised web sites to launch broad-based attacks against individuals and companies for financial gain.</li> </ul> <ul> <li>(Cyber) <b>H</b>acktivists: Loosely organized collections of hackers, forming groups like Anonymous, with agendas ranging from ideology (e.g. make the internet safer, embarrass large corporations, free access to all information, etc.) to glory. They launch targeted campaigns against specific entities or web sites, generally using less sophisticated technologies, but still able to cause tremendous embarrassment and, in many cases, financial damage.</li> </ul> <ul> <li>(Cyber) <b>E</b>spionage: As Richard says, espionage is the second oldest profession. Nation-states like China are extremely well-organized and well-funded, and have penetrated nearly every industry and sector across the world. They use this stolen intellectual property to enhance their own economies.</li> </ul> <ul> <li>(Cyber) <b>W</b>ar: This is when the motivations of a nation-state or a terrorist group turn from intellectual property theft towards damage and destruction. Fortunately, we don’t see too many occurrences of this today, but it is a given that computers run the infrastructure of almost every major country. We’ve seen glimpses of how cyber war might look when Russia severely crippled Georgia’s computer systems during their conflict in 2008, and of course with the Stuxnet virus that set Iran’s nuclear program back years.</li> </ul> <p>I wrote about many of these same actors when I discussed the <a href="http://blog.bit9.com/bid/54698/Cyber-Attack-at-IMF-Why-Motivations-Matter" title="cyber attack on the IMF" target="_blank">cyber attack on the IMF</a> early in the summer. Each of these actors has different motivations and different levels of sophistication. Consequently, they have different ways in which they might be deterred, whether through technology, criminal investigations, or even political policies. 
It’s a brave new world and we must understand our enemies in order to protect ourselves. Something to chew on.</p> f1397696-738c-4295-afcd-943feb885714:69350 Security Through Obscurity http://blog.bit9.com/bid/69254/Security-Through-Obscurity <p>In security circles, a <a href="http://memeburn.com/2011/10/security-by-obscurity-returns/" title="controversy " target="_blank">controversy</a> has come up that's been causing some discussion.  Among many security practitioners, the phrase "security through obscurity" has had a bad connotation.  If you rely on obscurity for your security you must be doing something wrong, the reasoning goes.  All it takes is someone discovering your secret and suddenly your security is worthless.</p> <p>The original statement against security through obscurity is called <a href="http://en.wikipedia.org/wiki/Kerckhoffs's_Principle" title="Kerckhoffs’s Principle" target="_blank">Kerckhoffs’s Principle</a>, popularly stated “The enemy knows the system.”  While this statement was primarily meant to apply to cryptographic systems, it has come to be popularly applied to almost every aspect of information security.  Applying this platitude so broadly has never sat well with me.  A recent <a href="http://packetstorm.interhost.co.il/papers/general/1109.5542v1.pdf" title="paper " target="_blank">paper</a> has taken issue with Kerckhoffs’s Principle, suggesting that obscurity has a place even in some cryptographic systems.</p> <p><a href="http://www.bit9.com/?utm_source=Security%2BThrough%2BObscurity%2B(Pic%2BLink%2B-%2BBit9.com)%2B10.11.2011&utm_medium=Blog&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1318347803312" src="http://blog.bit9.com/Portals/447/images/security-new.jpg" border="0" alt="describe the image" class="alignRight" style="float: right; padding: 10px;" /></a>It seems to me that much of security is based on obscurity.  It is even arguable that cryptographic forms of authentication are based on obscurity or secrets.  
Passwords, passphrases, pin codes, biometrics, and public key infrastructure, all rely on the notion of effectively hiding secrets that are in principle discoverable (even if the cryptography makes it impractical).  Few seriously entertain the notion of doing away with these types of secrets.</p> <p>The real issue is determining when and where obscurity is appropriate.  It is mostly accepted that cryptographic algorithms are not a place for obscurity.  Wait a minute, that sounds a little funny doesn’t it?  Isn't cryptography inherently about keeping secrets?  Yes and no.  Cryptographic methods or algorithms are thought to be strong only when they are vetted openly by the community (and only after a long period of time).  However, the use or implementation of cryptography is to facilitate the keeping of secrets.  So-called asymmetric, or public key cryptography is one of the more popularly used forms of cryptography, and if you've ever done your banking online, you've (hopefully) used public key cryptography perhaps without even being aware of it.</p> <p>There is a subtle argument that authentication or keeping explicit secrets isn't obscurity, but I'm not one for such subtlety.  This argument leads to shades of gray, and the distinctions between passwords, pin codes and other obscure information have to be parsed too finely to make a difference.</p> <p>Take port knocking, for example.  In network security, there are firewall mechanisms that make it appear as if a firewall is not permeable by a certain type of traffic, when in fact, if you know the right secret "knock," or sequence of packets to send, the firewall will open up for you.  Port knocking is really a form of authentication through a shared secret.  Both sides need to know what the knock pattern is.  Essentially it is a form of passcode.</p> <p>Another place where obscurity is applied is in software anti-reverse-engineering.  
A fair amount of modern software relies on obscuring some features of its operation in order to make it more difficult for adversaries to achieve their objective.  The software may be trying to enforce some security on the host which the adversary would more easily bypass if they knew the obscured underlying design of the software.</p> <p>Compared to port knocking, it's less clear when anti-reverse-engineering is appropriate for software since it can involve a non-trivial amount of effort.  The two positions that can be reasonably argued are 1) apply Kerckhoffs’s principle - don't bother, or 2) it's appropriate in some circumstances.  The "don't bother" camp argues that the adversary will eventually discover the secret, because all of the information is available and it's just a matter of time.  The "some circumstances" crowd on the other hand, argues that software obscurity can increase the cost of compromise by the adversary for a potentially small cost to the software producer.  Particularly effective is when obscurity can be easily altered with each revision of the software, requiring the adversary to spend the same effort for each version of the software that they encounter.</p> <p>I would argue that the unifying element between the network security port knocking mechanism and software anti-reverse-engineering is obscurity. Because of this, they are really not fundamentally different.  Both rely on secrets that are eventually discoverable, with the former case using brute force and the latter utilizing reverse engineering resources.</p> <p>The real question to determine in every facet of security is, "is the cost worth the protection?" Cost versus benefit is really what matters in the end.  If you've dismissed security methods out-of-hand because they speak of security through obscurity, consider taking another look.  
If the cost is low and it helps raise the bar, it just may be worth implementing.</p> f1397696-738c-4295-afcd-943feb885714:69254 The Influence of Apple http://rfid.thingmagic.com/rfid-blog/bid/75002/The-Influence-of-Apple <p><img id="img-1318275561274" src="http://rfid.thingmagic.com/Portals/42741/images/Steve%20Jobs-resized-600.jpg" border="0" alt="Steve Jobs" width="225" height="206" class="alignLeft" />There has been one interesting constant throughout my career in technology.  This constant was brought forward by many others over the past week with the passing of Steve Jobs on Tuesday, October 5<sup>th</sup>.  </p> <p>During my time at a handful of companies in a handful of markets there has always, at some point, been a hardware engineer, software developer, product manager, marketer, or company executive who has referred to Apple’s innovation, design elegance, user experience or marketing genius.  This reference has been introduced most often when some sort of impasse has been reached and someone wants to make a point that everyone in the room will understand.  </p> <p>The point usually goes something like this…</p> <p>“Look at the [choose your product: iMac, Mac G4 Cube, MacBook, MacOS, iPod, iPad, iTunes].  Our product should be as [choose one or more: elegant, simple, inviting, easy to use, brilliant].”</p> <p>Making this point usually leads to discussion about how to embrace the user experience, think creatively, and achieve greatness.</p> <p>Apple and their products have had an unmatched influence on how many of us work, play and communicate.  They have also influenced how we think, create, design and market.  I can’t think of another company that has had as much influence across as many areas of my personal and work lives. 
</p> <p>I’m proud to say that one of the influences behind ThingMagic’s '<a href="http://rfid.thingmagic.com/100-uses-of-rfid/" title="100 Uses of RFID" target="_blank">100 Uses of RFID</a>' program was the Apple III advertisement from 1983 (part 3) which answered the question “Will someone please tell me exactly what a personal computer can do?”</p> <p><a href="http://www.aresluna.org/attached/computerhistory/ads/international/apple/pics/annual83-someoneplease3" target="_blank"><img id="img-1318276941594" src="http://rfid.thingmagic.com/Portals/42741/images/annual83-someoneplease3-resized-600.jpg" border="0" alt="Apple 1983" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></a></p> <p>I think Apple answered that question well.</p> f1397696-738c-4295-afcd-943feb885714:75002 RFID in Retail is Making More Noise http://rfid.thingmagic.com/rfid-blog/bid/74780/RFID-in-Retail-is-Making-More-Noise <p><span><b><em>Beyond the Right product, at the right place, at the right time...</em></b></span></p> <p><a href="http://rfid.thingmagic.com/rfid-blog/bid/35670/Designer-RFID" title="RFID in retail" target="_blank"><br /><img id="img-1318016949859" src="http://rfid.thingmagic.com/Portals/42741/images/musicfashion-retail-resized-600.jpg" border="0" alt="music retail rfid" width="227" height="125" class="alignLeft" style="float: left;" />RFID in retail</a> has demonstrated major business benefits in the way of streamlining the supply chain, which leads to reduced costs and enhancing the customer experience - resulting in increased and recurring sales. 
All good for a thriving business, which is probably why Macy’s and Bloomingdale’s have recently taken a stronger stance on their RFID deployment plans.</p> <p>Last week it was <a href="http://www.businessweek.com/ap/financialnews/D9Q1J3BO2.htm" title="reported" target="_blank">reported</a> that Macy’s is embarking on a widespread adoption of RFID. This is very exciting to those of us who have been supporters (and developers) of RFID since its infancy. Macy's will be one of the first retailers to implement RFID on a broad scale. Next year, the company plans to be using RFID in all U.S. stores to track items that are regularly stocked and automatically resupplied as they are sold to customers. These “replenishment goods,” which include men's furnishings, intimate apparel, men's pants, denim and women's shoes, make up about 30 percent of its sales. One can deduce that Macy’s expects that number to grow based on its investment in RFID. </p> <p>According to Tom Cole, Macy’s chief administrative officer, the goal of the project is to help them ensure they have the right product, in the right place, at the right time for their shoppers. It would seem like a simple notion, but there are many variables in retail that make that a difficult task.  But, RFID can replace some of those pesky variables with the desired constant.</p> <p><strong>From the Supply Chain to the Fitting Room</strong></p> <p>RFID is improving the retail experience outside of supply chain enhancements as well.  Recently, ThingMagic UHF RFID readers were featured in a <a href="http://www.youtube.com/watch?v=ZimcuZZJ2D0&feature=youtu.be" title="Musical Fitting Room" target="_blank">Musical Fitting Room</a> video to show the powerful combination of music, fashion and RFID. It’s a great concept. The idea is to appeal to the individual shopper by playing music that resonates with them, then sending them an SMS with the name of the song and a link to download it for free on StarHub.com. 
</p> <p>To make this work, the clothing items have RFID tags applied to them that, when brought into the dressing room, trigger a song that matches the ‘mood’ of the clothes. The project covers 16 genres and more than 10,000 songs to encompass all ages and types of shoppers.</p> <p>With RFID, retailers can count and track item-level inventory much more easily, quickly and accurately. A very important part of the equation solved. Once you have that part of the equation, you can arrive at the “right product, right place, right time” answer. And who doesn’t like getting the right answer all of the time?  Now, with a soundtrack to boot!</p> f1397696-738c-4295-afcd-943feb885714:74780 Video Search and Discovery and the Consumer’s Love for Entertainment http://digitalsmiths.com/node/521 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Oct 6th, 2011 09:02 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Today’s video viewers have a multiplicity of options for watching their favorite shows and movies. <span> </span>Pay-TV, video on demand, blu-ray and online streaming just to name a few. <span> </span>And there is proof – from viewers <em>and</em> content owners – that viewers are taking advantage of this explosion of video options. 
Just read the following:</p> </div> <div> <a href="http://digitalsmiths.com/node/521">Continue Reading...</a> </div> 521 at http://digitalsmiths.com Getting in Shape for the Software Training Marathon http://feedproxy.google.com/~r/bankfraudforum/~3/SHJYzvP9iVg/Getting-in-Shape-for-the-Software-Training-Marathon.aspx <p>In my previous post “Ensuring Successful Adoption of an Enterprise Fraud Management System,” I left off at the point where I started to address training content and delivery. Anyone who has sat through hours of application training knows how painful this experience can be. And, if the training content is not in alignment with audience expectations, you end up with a roomful of frustrated users who will be reluctant to use the new fraud management system. </p> <p>As someone who dabbles in athleticism on the weekends, I have found many similarities between designing a physical training program and a software training program. Before one even begins to train, he or she must understand the end goal and design a program with that goal in mind. If you support your software vendor in defining the following content areas, the participants will be more successful at using the new fraud management system and catching the fraud at your organization. </p> <blockquote dir="ltr"> <p> <strong>1. Set Training Goals</strong>: Make sure the software vendor understands exactly what the users are expected to do and know about the enterprise system and what fraud area they are focused on, so the vendor can build the training appropriately. 
For example ...</p> </blockquote> {E1F97605-747F-486F-9E09-ECE9C4ADAB36} The SIEM-ple Life: Security is Evolving http://blog.bit9.com/bid/68832/The-SIEM-ple-Life-Security-is-Evolving <p>Yesterday was a big day. To great fanfare, Apple announced the iPhone 5. No wait, that didn’t happen. But something else significant happened. Not one, but <b>two </b>different companies announced acquisitions of SIEM (Security Information and Event Management) vendors. IBM will <a href="http://www-03.ibm.com/press/us/en/pressrelease/35544.wss">acquire Q1 Labs</a> and Intel’s McAfee will <a href="http://www.nitrosecurity.com/company/press-releases/mcafee-inc-to-acquire-nitrosecurity-advances-security-risk-management/">acquire NitroSecurity</a>. Both Q1 Labs and NitroSecurity provide solutions for monitoring and analyzing security intelligence data across the enterprise. A year ago, HP acquired SIEM vendor ArcSight, and earlier this year RSA acquired NetWitness, a network monitoring platform that recently released Panorama, a multi-source analysis product.</p> <p>What’s going on here? As other analysts are <a href="http://www.darkreading.com/advanced-threats/167901091/security/security-management/231700265/dueling-siem-deals-ibm-mcafee-each-announce-acquisitions.html">pointing out</a>, this consolidation is in direct response to the evolving security landscape, where advanced persistent threats (APTs) and nation-state enemy actors are wreaking havoc on traditional security solutions. 
Back in March, we posted a <a href="http://blog.bit9.com/bid/44365/RSA-and-the-APT-Attack-Part-2-from-Bit9">blog</a> showing a <a href="http://blog.bit9.com/Portals/447/images/APT%20Stack1-resized-600.JPG">graphic</a> of how we see a new stack of technologies combining to combat today’s threats. In the center is the SIEM, where real time intelligence from sensors across the network can be combined to provide early detection of attacks and risk assessment. These recent acquisitions are a natural evolution towards realizing this vision. The SIEM is the central nervous system for a security operations center (SOC), around which next generation technologies can be integrated.</p> <p>This is good news for consumers, but it is only a starting point. <a href="http://www.bit9.com/landing/autoeval/index.php" target="_blank"><img id="img-1317824228963" src="http://blog.bit9.com/Portals/447/images/iStock_000006935338XSmall.jpg" border="0" alt="Bit9 SIEM" width="198" height="264" class="alignLeft" style="float: left; padding: 10px;" /></a>There are two major challenges for <a href="http://www.bit9.com/solutions/endpoint-sensor.php" title="SIEM technologies" target="_blank">SIEM technologies</a> today. The first is that simply gathering data is not enough. You need to analyze it in near real time in order to effectively respond to attacks. In most organizations, the SIEM consumes terabytes of data every day; hundreds of millions of events. Advanced threats are targeted in nature and specifically designed to avoid detection. They lie dormant until active periods and then hide in plain sight. Having all the data in a single pane of glass is great when you need to do forensic analysis after the fact, but finding the security anomalies in real time requires more than simple filtering. 
SIEM technologies must evolve to provide better analysis, faster analysis, and return far fewer false positives.</p> <p>The second challenge is that the value you get from a SIEM is only as good as the data you feed into it. For most customers, the majority of data coming into a SIEM comes from sensors “on the wire” – firewall logs and intrusion detection and prevention systems (IDS/IPS). There are some very sophisticated technologies for dissecting network traffic, including deep packet inspection (DPI), sandboxing and decryption. But the overwhelming majority of traffic is benign and finding the needle in the haystack is more art than science. The other problem with network-only monitoring is that, by definition, when you detect something wrong, the attack is already in progress (e.g. a compromised system is communicating with a remote command-and-control server, or data is being actively exfiltrated). Most attacks have to first establish a foothold on a single system within an organization, an <a href="http://www.bit9.com/solutions/advanced-endpoint-protection.php" title="endpoint" target="_blank">endpoint</a>. Having active sensors on the endpoints, and correlating that data with network intelligence, provides a far more complete picture and enables you to detect attacks earlier, focus on the truly suspicious activity, and investigate incidents far more quickly.</p> <p>We are witnessing the evolution of security in response to the evolution of threats. Major security vendors are building out their solutions in response to this change, using a SIEM as their backbone. The focus now needs to be on providing more complete data to that engine, and enhancing the SIEM’s ability to process this data.</p> f1397696-738c-4295-afcd-943feb885714:68832 Why End User Security Fails: People are Dumb http://blog.bit9.com/bid/68217/Why-End-User-Security-Fails-People-are-Dumb <p>First of all, I hate the term "social engineering."  
It's a relatively new term for a concept as old as dirt - lying or manipulating - and makes it sound like a sophisticated, new, and legitimate undertaking.  Wannabe hackers are proud of themselves when they get someone to open a URL with malicious content, but let's face it, the reason this works so well is that people are dumb.<a href="http://www.bit9.com/products/cyber-forensics.php" target="_blank"><img id="img-1317307060137" src="http://blog.bit9.com/Portals/447/images/dumb-et-dumber-1994-03-g.jpg" border="0" alt="describe the image" width="402" height="262" class="alignRight" style="float: right; padding: 10px;" /></a></p> <p>I don't mean <em>some</em> people are dumb, I mean <em>all</em> people are.  I include myself in this group.  We all do stupid things sometimes – some more than others – and when you’re attacking a large organization, usually the easiest way to get in is through people’s naiveté or temporary inattention.  The only safe conclusion to draw is that we have to remove Problem Exists Between Keyboard and Chair (PEBKAC) as the low bar in security.  Stated more simply, enterprise security has to expect that people are dumb.</p> <p>One attack I’ve been thinking about recently is a particular type of <a href="http://youtu.be/C1et5PEilY0" title="spear phishing attack" target="_blank">spear phishing attack</a>.  The attacker provides a link to a known web login frontend such as an Enterprise’s webmail login.  These are often public facing interfaces so they’re easy to clone, and the attacker does just that.  They send an email to several people in an organization with a message that says they should check their webmail using the enclosed link, which happens to be a Trojan clone of the webmail login page.  Perhaps the premise of the email is that the sender is from IT and would like to verify that the user is currently working.  
The URL is perhaps an unsecured http link to the webmail server and the attacker has a man-in-the-middle attack waiting to intercept the unsecured password entry.  Even more simply, the URL may point to a webserver that is outside the enterprise domain.</p> <p>Users frequently do not understand the types of <a href="http://www.bit9.com/solutions/server-security.php" title="threats" target="_blank">threats</a> that are out there and generally won’t think twice about entering their credentials in a web page as long as it looks the way they expect it to.  This is the gist of why the web is broken.  Browsers have no way to warn users that they’re visiting the “wrong” site.</p> <p>So while there’s a lot of bluster recently about how SSL is broken, this type of attack can simply bypass SSL altogether.</p> <p>So using the browser for authenticating users isn’t a good idea even though it’s done all the time.  Ideally, a frontend would authenticate that the backend to which it is attaching (something equivalent to the webmail server) is a known, trusted site, for example using PKI.  There are alternatives.  <a href="http://www.bit9.com/solutions/endpoint-sensor.php" target="_blank"><img id="img-1317307721013" src="http://blog.bit9.com/Portals/447/images/download.jpg" border="0" alt="describe the image" width="308" height="231" class="alignLeft" style="border-style: initial; border-color: initial; float: left;" /></a>Imagine, for example, a protocol in which the server provides a random salt value, and then the client provides many hashes that ostensibly represent the hashed password, only one of which is correct.  The server must then indicate which hash is the correct one. Servers that are unable to identify the correct hash might cause a security alert, and clients that are unable to provide the correct hash might be blacklisted.  This sort of protocol just can’t be enforced by a browser, which is why the web is broken.  
This protocol isn’t perfect, but it’s much better than the browser authentication model.  The point is that browsers aren’t good at protecting user secrets, since people are dumb.</p> <p>Another alternative is to use a tailored endpoint environment, where isolation and firewalling rules protect users from themselves.  If you’re not familiar with <a href="http://qubes-os.org/Home.html" title="Qubes OS" target="_blank">Qubes OS</a>, I suggest taking a look.  Qubes represents one possible direction for the (arguably distant) future of client computing security.  In the above attack scenario, a user’s VM containing their email could be firewalled, such that embedded links would be prevented from accessing sites outside the enterprise or accessing internal sites without the use of SSL to authenticate the webmail server.  This would drastically reduce the chance that users would reveal their authentication credentials inappropriately outside the enterprise.  Isolation does not prevent compromise but it significantly mitigates the damage and poses significant challenges for attackers to increase their reach past the point of infection.</p> <p>We can’t leave security up to the end user.  If we do we’ll lose because people are dumb.</p> f1397696-738c-4295-afcd-943feb885714:68217 FFIEC Guidance 2011 – Where Do We Start? http://feedproxy.google.com/~r/bankfraudforum/~3/CMsMzeZJ04A/FFIEC-Guidance-2011-Where-do-we-start.aspx <p>The FFIEC recently supplemented its 2005 Guidance in response to what it calls an “increasingly hostile online environment”. Regardless of the size of institution, if it provides banking products online, it is a target. On almost a weekly basis, we hear of a new online fraud case that caught one or more banks unprepared. The Guidance is timely, but it stops short of providing a “step-by-step” approach. 
Here’s what I believe financial institutions can do in light of the Guidance: </p> <p> <strong>1) Revisit the risk assessment <br /></strong>Not surprisingly, risk assessments are hated by most bankers and viewed as a useless exercise. I have personally spent countless hours locked in a conference room attempting to document all the types of fraud that might happen. Unfortunately, risk assessments are a necessary part of fraud prevention. Moreover the supplement to the 2005 Guidance stresses the importance of keeping the risk assessment current. Here is a suggestion ... </p> {801DDB5F-20DC-4A71-A4C8-D46C789C1867} Bit9 Participates in Brazilian Motoring Confederation Race http://blog.bit9.com/bid/68268/Bit9-Participates-in-Brazilian-Motoring-Confederation-Race <p>On a bit of a side note, Bit9 – through our partner FreeDivision – recently participated in The Brazilian Motoring Confederation’s Rio Grande Do Sul Motoring. Bit9 had a featured car during the eight-stage race that took place on four speedways and the event was broadcast on the Latin American Speed Channel. 
As our business grows nationally, Bit9 is emerging as an influential endpoint security company within Latin American companies.<img id="img-1317329003174" src="http://blog.bit9.com/Portals/447/images/_MG_2804.jpg" border="0" alt=" MG 2804" width="255" height="170" class="alignRight" style="height: 170px; width: 255px; float: right; padding: 10px;" /></p> <p>We’d love to thank <a href="http://freedivision.com.br/" title="FreeDivision" target="_blank">FreeDivision</a> for facilitating this opportunity by sponsoring a vehicle in our name. What better way to provide an appropriate analogy for the fast-paced environment of cyber security? Like all facets of our business, the strength of what we do relies upon the ability to adapt to complex problems and provide timely solutions in an incredibly fast-paced environment. Cyber-attacks are constantly evolving and the race for true <a href="http://www.bit9.com/solutions/endpoint-sensor.php" title="endpoint security" target="_blank">endpoint security</a> is a marathon battle, but Bit9’s flexibility and proven results provide truly first-place solutions to these ever-changing threats. </p> <p>Check out the YouTube video of the race <a href="http://www.youtube.com/watch?v=KHbMcbfhgwc" title="here" target="_blank">here</a>.</p> f1397696-738c-4295-afcd-943feb885714:68268 Data Breaches - Part Two http://feedproxy.google.com/~r/bankfraudforum/~3/Gik2-HiR9NM/Data-Breaches-Part-Two.aspx <p>“We all have a part to play, and playing as a team we will be so much more effective than as individuals trying to do our solitary best.” That is a quote from a blog post I wrote back in June on how data breaches are more pervasive and premeditated than many understand. Because of this, fraud prevention specialists need to take extra precautions by having multiple security check points in addition to a robust back-end detection system. 
This is exactly the concept behind layered security.</p> <p>At this point, many of us recognize that there are no silver bullets in the ongoing fight against fraud. Fraudsters use a variety of tools and they collaborate. Fraud prevention specialists such as ourselves need to do likewise... <br /></p> {BF6817F8-64AD-4ACD-8C35-A4DFD964481F} State-Sponsored Threats Very Real http://blog.bit9.com/bid/67373/State-Sponsored-Threats-Very-Real <p><a href="http://www.mhi.co.jp/en/" target="_blank"><img id="img-1316632619361" src="http://blog.bit9.com/Portals/447/images/Mitsubishi-Heavy-Industries1012.jpg" border="0" alt="Mitsubishi Heavy Industries101" class="alignLeft" style="float: left; padding: 10px;" /></a>When we think of hackers, our minds usually visualize individuals amplified by excessive energy drinks while hovering around multiple computer screens in their mother’s basement. Their motivation could range from a wide net of issues, but more than likely it is truly intrinsic to the individuals at the helm. Rarely do our minds venture down the road of state-sponsored espionage and if our minds go there it’s usually huddled in bed reading a good spy novel. 
The truth is, however, that the threat is real: very real.</p> <p>Recently it was reported that Japan’s biggest defense contractor, <a href="http://www.theregister.co.uk/2011/09/19/mitsubishi_malware_attack/" title=" Mitsubishi Heavy Industries" target="_blank">Mitsubishi Heavy Industries</a>, was the latest victim of a malware-based attack. The firm states that 10 of their sites became infected across Japan, including a submarine manufacturing plant. The total damage amounted to 45 network servers and 38 PCs compromised by eight strains of malware. The company says that no intellectual property was acquired during the ordeal, but the incident reiterates the point: state-sponsored threats are real.</p> <p>Former Cyber Security Czar <a href="http://www.bit9.com/company/news-release-details.php?id=215" title="Richard Clarke" target="_blank">Richard Clarke</a>, who is on the Bit9 board of directors, recently stated in a video interview that, “The government of China is involved in hacking into American companies and taking that information and giving it to Chinese companies.” <a href="http://www.youtube.com/watch?v=S-ZjWVC6_bg" title="[Video]" target="_blank">[Video]</a></p> <p>No confirmation has been made that China, which is typically accused of such activity, was behind these attacks, but the incident highlights that there are significant weaknesses in domestic and international security defenses. <a href="http://www.bit9.com/" target="_blank"><img id="img-1316632155258" src="http://blog.bit9.com/Portals/447/images/hackerq.jpg" border="0" alt="describe the image" class="alignRight" style="float: right; padding: 10px;" /></a>And more specifically, we would argue that there is a blind spot on the endpoints – servers, laptops, PCs – that are running in corporations and in government organizations. It’s a blind spot that malicious hackers take advantage of when they target intellectual property and state secrets.  
State-sponsored threats should be taken seriously and there should be effective security in place to prevent malware as well as unauthorized applications.</p> <p>Long gone are the motivated lone wolves of the hacker world. As almost all of our intellectual property is digitized and more and more endpoints come online, the risk increases. The barrier to entry becomes easier for these countries as the upside of these attacks generates greater returns. Traditional antivirus software is just not cutting it anymore and companies are demanding more control and security. Application whitelisting solutions deny access to all applications outside of the preapproved ones, giving the user and their intellectual property security from Advanced Persistent Threats (APT). <a href="http://www.bit9.com/products/bit9-parity-suite.php" title="Application whitelisting" target="_blank">Application whitelisting</a> is significantly more effective than traditional blacklisting antivirus solutions, and could have prevented such threats regarding the Mitsubishi Heavy Industries firm from ever happening in the first place.</p> f1397696-738c-4295-afcd-943feb885714:67373 Richard A. Clarke, Security Visionary, Joins Bit9 Team http://blog.bit9.com/bid/67117/Richard-A-Clarke-Security-Visionary-Joins-Bit9-Team <p><br />Today Bit9 announced the appointment of Richard A. Clarke, former U.S. cyber security czar, to our company’s <a href="http://www.bit9.com/company/board-of-directors.php" title="board of directors" target="_blank">board of directors</a>. With increased threats of state-sponsored attacks on government agencies, having security mechanisms in place to prevent Advanced Persistent Threats (APT) is essential to bridge the gap in defending against IT security vulnerabilities. There has been no bigger voice regarding the protection against state-sponsored threats than Richard Clarke. 
With over 30 years of government service and serving three presidents, he has been a thought leader regarding the future of IT security. <br /><br />It only seems appropriate that Clarke would join our team. Bit9 is at the forefront in <a href="http://www.bit9.com" title="endpoint protection" target="_blank">endpoint protection</a>, stopping some of the most advanced attacks recently, including ones that <a href="http://blog.bit9.com/bid/48173/Bit9-Stops-Advanced-Persistent-Threat-APT-Attack-at-Customer-Site" title="infiltrated Lockheed Martin and others" target="_blank">infiltrated Lockheed Martin and others</a>.  Our solutions use innovative technology - Application Whitelisting – which is the antithesis of antivirus and gives the user complete control over all software on all endpoints. This prevents the risk associated with malicious, illegal and unauthorized software that can compromise your computer or your company’s network and Intellectual Property. It’s even more important to note that governments are sponsoring these attacks in order to acquire information regarding American companies.</p> <p>“The difference here is that we are seeing some governments doing industrial espionage and then turning that information over to companies in their country,” Clarke states. <br /><br />Clarke brings up a valid point regarding how we approach security. <a href="http://www.youtube.com/watch?v=S-ZjWVC6_bg" target="_blank"><img id="img-1316459448281" src="http://blog.bit9.com/Portals/447/images/richard%20clarke%20joins%20bit9%20board.jpg" border="0" alt="Richard Clarke Joins Bit9" class="alignLeft" style="padding: 10px; float: left;" /></a>Many companies ask too much of their employees -- demanding that they maintain a level of paranoia in order to prevent malicious software from being delivered within the employees’ individual email account. As a result it handcuffs the employee from doing what th<span>ey d</span>o best: their job. 
Bit9 alleviates this paranoia by preventing unauthorized and/or malicious files from running, which frees the employee to do their job and allows everyone to focus on their business objectives. </p> <div> <div> <div>Within this position, Clarke will join a leading group of thought leaders already present on the Bit9 team, and provide us with even more insight on the future of cyber security. As our company grows, it is important to employ the best minds within this important field. Clarke sits on a bedrock of knowledge and experience that will become invaluable to our team and our customers. For more information regarding Clarke’s recent appointment please visit: <a href="http://www.bit9.com/company/news-release-details.php?id=215" title="News Release" target="_blank">News Release</a>.</div> <div></div> </div> </div> f1397696-738c-4295-afcd-943feb885714:67117 Why Comodohacker Won't Pwn Your Windows Updates http://blog.bit9.com/bid/66544/Why-Comodohacker-Won-t-Pwn-Your-Windows-Updates <p><img id="img-1315944705007" src="http://blog.bit9.com/Portals/447/images/malware2.jpg" border="0" alt="malware2" class="alignRight" style="float: right;" />Comodohacker is the handle that somebody claiming to have recently forged SSL certificates goes by.  He claims to be, and <a href="http://www.reddit.com/r/netsec/comments/kdfje/if_he_were_an_intelligence_analyst_for_the_secret/">most</a> believe him to be, a 21-year-old Iranian student.  Most also believe him to be a <a href="http://pastebin.com/CvGXyfiJ">braggart</a> and a bit of a dolt.  He brags about carrying out activities that would be typical for a new Computer Science student.  And now… he claims to have the barrel of a new Windows <a href="http://news.cnet.com/8301-1009_3-20104883-83/comodohacker-i-can-issue-fake-windows-updates/">gun</a> trained at everybody’s head.  Comodohacker claims to be able to push fake Windows updates.  
The imagery this evokes is of some guy in his Iranian mother’s basement, ready to unleash digital Armageddon at the push of a big red Staples button.</p> <p>So why aren’t we in the security industry quaking in our boots? </p> <p>Because it’s an empty threat.  CH can “reverse ENTIRE windows update protocol” until the cows come home; it’s just not happening.  Here are a few points to keep in mind.</p> <p>First, Microsoft says that Windows updates are signed by a Microsoft root certificate.  It’s not clear whether CH actually fully understands the validation mechanism that he exploited with his recent forgery of tickets, but until he compromises Microsoft’s own root certificate by stealing the secret key, Windows machines will simply not accept his updates as valid.</p> <p>Second, updates don’t get “pushed” to clients.  Microsoft doesn’t have a big list of the IP addresses of all of the systems in cyberspace running their OS.  No, Windows PCs “phone home,” requesting their updates from a Microsoft server.  So, is it possible for CH to insert himself as a <a href="http://searchsecurity.techtarget.com/definition/man-in-the-middle-attack" title="man-in-the-middle" target="_blank">man-in-the-middle</a> attacker when you update?  In theory, yes.  But this is a targeted attack, not a global one.  Usually DNS MITM attacks are fairly scoped in terms of time and the number of systems affected.  Plus, I seriously doubt CH’s ability to pull it off.</p> <p><img src="http://blog.bit9.com/Portals/447/images/crop-03-the-jerk-MBDJERK_EC005_H-300x203.jpg" border="0" alt="describe the image" class="alignLeft" style="float: left; padding: 10px;" />Finally, imagine what Comodohacker’s purported update description might look like.  Here’s a possibility:</p> <p><em><br />This update of microSoft is good for your computer!  It contains many useful goodnesses that took me very quickly to write.  There are no malwares in this update.  
Please update quickly – very important!</em></p> <p><br />“Some people have a way with words… some people not have way” </p> <p>     -Steve Martin</p> f1397696-738c-4295-afcd-943feb885714:66544 HP Protect 2011: Evening the Odds with Whitelisting http://blog.bit9.com/bid/66494/HP-Protect-2011-Evening-the-Odds-with-Whitelisting <p> </p> <p><img id="img-1315925687656" src="http://blog.bit9.com/Portals/447/images/Pic2.png" border="0" alt="Bit9 at HP Protect" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p>I'm at the <a href="http://www.arcsight.com/protect2011" title="HP Protect 2011" target="_blank">HP Protect 2011</a> conference in Washington D.C. and there is a record number of attendees this year, up 60% from last year. While technologies such as adaptive application whitelisting provide the most effective defense on your endpoints, as Tom Reilly, VP and General Manager at HP, said in his key note address, “no one is 100% secure.” In addition to implementing security controls in your organization, you need actionable intelligence to continuously monitor and react to activity on your network. You need risk management tools to identify areas that are most vulnerable and/or most likely to be attacked.</p> <p>Most of the sessions here are focused on how to use ArcSight to build correlation rules to detect anomalous and high risk activity, and how to incorporate network monitoring feeds (like IDS/IPS solutions), user activity and web application logs into the monitoring process. Given that most security operation centers (SOCs) handle tens to hundreds of millions of events per day, it’s a daunting task. 
Quite frankly, the odds are clearly in favor of the bad guys – it only takes one event to go unnoticed and your customer lists or corporate intellectual property could be stolen.</p> <p>While there are some great advancements being made to network monitoring and analytics, focusing exclusively on the wire leaves a gaping hole in your security visibility. By definition, suspicious activity can only be detected on the network when an attack is “in motion,” such as an incoming port scan or an outbound connection made to a known command-and-control server or suspicious geographic location. Today’s threat actors know this and go through great pains to hide their activity in plain sight (piggybacking on common web traffic during peak hours) or lying dormant for months waiting for the right time to exfiltrate. Malware on portable devices and remote workstations can wait until the compromised system is off the main network, outside of the eyes of the security analyst, to make their outbound connections. In addition, detecting suspicious activity often requires knowing the IP addresses of the “bad” servers in advance – the same problem that antivirus vendors have trying to keep their malware signatures up to date, as malware morphs by the minute.</p> <p>But there is hope. The gap in security visibility can be filled with real-time intelligence from an endpoint sensor. According to a recent study, <a href="http://www.marketwatch.com/story/fireeye-advanced-threat-report-for-1h2011-finds-99-of-enterprise-networks-have-a-serious-gap-in-their-it-security-defenses-2011-08-31" title="99 percent" target="_blank">99 percent</a> of enterprises have a serious gap in their IT security defenses. Most advanced threats today have to establish a foothold on some endpoint to initiate an attack, and that’s where application whitelisting comes in. 
The same technology that is used to prevent the execution of unauthorized code can also be used to report, in real time, all suspicious resource and file activity. In this sense, the whitelist is not just about what is allowed to run; it is a noise filter to report relevant events to the SOC.</p> <p>To give you a very simple example: Consider a network event that reports an executable being transmitted over the wire. This event will be fired by your IDS or network monitoring solution when someone is trying to send malware into your network. Unfortunately, this event also fires whenever a user downloads a legitimate program, or Windows is updating itself, or a hundred other “normal” conditions. In most organizations, this event occurs hundreds of thousands of times every day. If you don’t have an endpoint sensor, you are left trying to sift through this deluge by looking for clues – maybe the target machine will subsequently connect to a known bad remote server, maybe an unauthorized login attempt will be made on the target machine; all of these things will only occur if the payload was malicious and actually begins executing, and you are forced to guess what a “bad” program might do that is worthy of trapping. With this limited view, finding the needle in the haystack is more art than it is science. But with a technology like Bit9’s adaptive application whitelisting running on your endpoints, you can make more effective determinations based on actionable data. Did the file actually arrive on the target system in question? If so, was it already approved or authorized? Most executable code floating on the wire is good, and the whitelist automatically filters this out when it arrives on the endpoint. Only if it’s unapproved will an audit event be generated, and correlating this with network activity gives you true visibility into which bits of code floating on the network actually establish foothold and are suspicious. 
This is just one very simple example of basic correlation. More advanced examples include monitoring the entry vector (e.g. did the file get installed by Microsoft Office, something highly suspicious in itself) and correlating with other event sources like your firewall.</p> <p>I’ll be speaking at HP Protect later today about a pilot we ran at The Johns Hopkins University where we used this intelligence to filter millions of events a day down to a few dozen actionable security events. Tom Reilly is correct that improving security requires real time intelligence and risk assessment. Sometimes more really is less – by augmenting the information fed into the security console with endpoint activity, you can effectively filter the noise and balance your odds against the attacker that only needs one successful penetration to cause irreparable harm.</p> f1397696-738c-4295-afcd-943feb885714:66494 The PC In Your Pocket: Is Malware Following You? http://blog.bit9.com/bid/66377/The-PC-In-Your-Pocket-Is-Malware-Following-You <p>Imagine this.  Take your 10 year old PC, running Windows 3.old, hook up every kind of wireless and networking technology it will still support, put all your most valuable data on it, turn it on, and then take it on a cross-country trip in your caravan.  Sound like a great idea?  Probably not.  But we do this all the time - with smartphones.  Mobile computing is the Wild West of IT security.  It is estimated that <a href="http://www.infoworld.com/d/mobile-technology/if-you-use-mobile-devices-malware-will-come-171772-0" title="5 percent" target="_blank">5 percent</a> of all Android or iOS devices will become infected at least once by viruses or trojans by 2012. Consumers are not aware of the problem, and Industry isn't sure what it can do about it.  
I know of people laboring under fairly draconian IT policies that actually network their phone to their desktop (called "tethering") in order to bypass their company's networking safeguards.</p> <p><a href="http://www.bit9.com/products/bit9-parity-suite.php?utm_source=BLOG-PCInYourPocket%2B(ParitySuite)%2B10.13.2011&utm_medium=Blog%2BPicture%2BLink&utm_campaign=Social%2BMedia" target="_blank"><img id="img-1318533134804" src="http://blog.bit9.com/Portals/447/images/android-malware.jpg" border="0" alt="describe the image" class="alignLeft" style="float: left; padding: 10px;" /></a>Worse, everything seems to be headed in this direction.  Pundits say that tablets are going to replace our desktops.  And for some reason, people seem to love dumping all the free software they can find on the Intertubes onto the same machine they use to log into their bank.  And I'm still talking about smartphones.</p> <p>It's the sexual revolution of computing.</p> <p>So what led us here?  Why did we take such a huge step backward?  One big reason is that the Mobile security model is flawed in several important ways.</p> <p>First, the sandbox model is a broken model.  Virtually all smartphones use a tiered operating system, where a privileged lower layer, the real operating system, provides an upper tier sandbox environment in which apps run.  Some tinkerers (like me), "root" their phones, providing us access to the underlying operating system, so that we can customize the phone in ways not possible from the sandbox, or to provide additional security or features.  This risks turning the phone into a useless lump of plastic and glass, however, and requires a certain level of technical knowledge to achieve with some level of safety.  Manufacturers and OS vendors certainly don't condone it, and it can void your warranty.  Some modifications are even illegal.  Sounds reasonable, right?</p> <p>The problem is that this model offers malware authors a huge advantage.  
Would-be security solutions are relegated to playing inside the sandbox, while malware can exploit flaws in the phone to break out of the sandbox and run where the security software can't follow.  A few security solutions do exist that run beneath the sandbox, but companies are leery of adopting them for a wide variety of reasons.  This is a truly unsustainable security model, and it appears that it's simply not going to be fixed.</p> <p>Second, smartphones are loaded with all sorts of features that are anathema to security.  Just in terms of wireless communication, my most recent phone has probably three different cell phone bands (each with varying degrees of insecurity), Bluetooth, Wifi, and Near-Field Communication (NFC).  And I'm probably forgetting a couple (receiving GPS signals isn't generally a security threat).  And of course there's the browsers and web technology, probably the largest source of software vulnerabilities in use today.  So in addition to all the man-in-the-middle attacks possible (and demonstrated), there are the same client-side attacks we seem to fear more on PCs.</p> <p>Finally, smartphones are Mobile, with a capital 'M'.  The whole point of the device is to take it everywhere you go - the commute to work, the cramped plane, the train station, conferences, hotels when you're on vacation.  You've probably got your cell phone with you and turned on more than your significant other.  Like I said, the sexual revolution of computing.</p> <p>All of these factors - hamstringing security solutions, loading on features (aka attack vectors), and Mobility - have a multiplicative effect on insecurity.  If we were to mitigate any one of these factors, our phones and our digital lives would be a whole lot more secure. 
With <a href="http://www.computerweekly.com/Articles/2011/09/12/247857/Mobile-malware-up-273-in-first-half-of-2011.htm" title="mobile malware" target="_blank">mobile malware</a> up 273 percent in the first half of 2011, it just doesn't appear that any of these issues is getting addressed any time soon.</p> f1397696-738c-4295-afcd-943feb885714:66377 Fraudsters Are Going 'Back to School' http://feedproxy.google.com/~r/bankfraudforum/~3/wgBLmW7Vd4M/Fraudsters-Are-Going-Back-to-School.aspx <p>In most college towns, this is the time of year when swarms of U-Hauls and overstuffed cars bear down onto college campuses. Students will settle into their dorms and likely kick off their social lives before their classes even begin. The funds that they have for day-to-day expenses will begin to run low, and students will look for ways to supplement their income. This is prime opportunity for fraudsters to seek out and prey upon students. </p> <p>Given that, we can deduce why college campuses are a ‘hang out’ for fraudsters - because students are easy targets. The sheer volume of students makes it easy to recruit vulnerable, needy, and/or naive students. I find it interesting that the scams have not changed much since I was in college. Scams relating to fraudulent grant letters, credit cards applications, work from home, check cashing and the ever so popular ATM card scams are still thriving. 
It is still common for fraudsters to not only pay students to pass bad checks through their accounts for nominal compensation, but also to ...<br /></p> {76FAD613-FDFF-407D-B518-2E9F4FEBF0DD} Rogue SSL Certificate Issue Should Not Be Trivialized http://blog.bit9.com/bid/65908/Rogue-SSL-Certificate-Issue-Should-Not-Be-Trivialized <p>A lot of the commentary floating around on the SSL "rogue certificates" issue (see <a href="http://www.diginotar.com/" title="Diginotar" target="_blank">Diginotar</a>, <a href="http://www.comodo.com/" title="Comodo" target="_blank">Comodo</a>, etc.) is misleading at best. There's some downplaying of the issues that seems to be based on a misunderstanding of the typical attacks that can employ these certificates. There is mounting evidence that the recent Diginotar certificates have been used to spy on a large number of Iranian citizens. However, this sort of massive scale spying is not the only use of rogue certificates.</p> <p>There are many types of so-called Man-In-The-Middle (MITM) attacks, and some have been demonstrated in the wild quite recently. First, Firesheep is a tool that is generally used for performing MITM on people using sites that don't make proper use of SSL; examples include Amazon, Facebook, etc.</p> <p>Here's a <a href="http://money.cnn.com/2010/12/14/technology/firesheep_starbucks/" title="good article" target="_blank">good article</a> describing this sort of MITM attack in an Internet café scenario. 
Using Firesheep with rogue certificates is a logical next step.</p> <p>Also, DNS attacks, either on a <a href="http://news.cnet.com/8301-1009_3-20102308-83/sites-of-ups-acer-others-redirected-in-dns-attack/" title="broad scale" target="_blank">broad scale</a> or targeted at <a href="http://www.windowsecurity.com/articles/understanding-man-in-the-middle-attacks-arp-part2.html" title="particular endpoints" target="_blank">particular endpoints</a> are seen in the wild. Yes, this stuff is really happening.</p> <p>In addition, using stolen certs can help attackers infiltrate enterprises, by providing them with an additional rich source of credentials which are normally encrypted and therefore unavailable.</p> <p>There are a wide variety of uses for rogue certificates. This is a legitimate concern with Internet security and it’s only getting worse.</p> f1397696-738c-4295-afcd-943feb885714:65908 The Nation State, Advanced Persistent Threat Excuse: Enough Already! http://blog.bit9.com/bid/65264/The-Nation-State-Advanced-Persistent-Threat-Excuse-Enough-Already In a recent post, I described a new authentication mechanism for the web called Convergence.  While still based on Public Key Infrastructure (PKI) cryptographic certificates, it (mostly) side steps the need for so-called Certificate Authorities (CAs).  In that post I describe the problem that certificates solve, and how Convergence addresses a very substantial weakness present in the CA model.  In the CA model, the proliferation of CAs increases the likelihood of forged certificates, the presence of which breaks the CA model.<br /><br />We already knew that Comodo had been the victim of such an attack, and the attacker made off with valuable forged certificates.  
However, it wasn't clear that these certificates were actually used to perform man-in-the-middle (MITM) attacks.<br /><br />Just within the last few days, clear evidence has emerged that recently forged certificates (possibly a lot of them) <strong>have</strong> been used to carry out attacks - involving <a href="http://www.informationweek.com/news/security/attacks/231600615" title="DigiNotar" target="_blank">DigiNotar</a>, a Dutch certificate authority that sells SSL certificates.  A wary surfer navigating to a google.com site noticed warnings in his Chrome browser indicating a MITM attack and he prudently raised the alarm.  Further investigation has started showing the extent of the forgery problem.<br /><br />And this is a serious problem.  As has become a pattern in IT security, attacks once restricted to the domain of theory are rapidly making the transition to reality, in some cases with huge practical impact <<a href="http://blog.bit9.com/bid/53097/The-Cyber-Attacks-Continue" title="RSA" target="_blank">RSA</a>, <a href="http://blog.bit9.com/bid/53644/Connecting-the-Sony-RSA-and-Google-dots" title="Lockheed" target="_blank">Lockheed</a>>.  The Certificate Authorities, however, are hiding behind… the APT.  “Nation State!  Nation State!”, is their cry.  The original Comodo attack as well as these new attacks are blamed on Iran (and by extension, the Iranian government), because that’s where the IP addresses associated with the attacks in some cases are shown to originate.<br /><br />Let me make this point clear.  This is a smokescreen.  Subterfuge.  Hand-waving.  A big, fat, whopper of an excuse.<br /><br />Just because the IP address is from Iran does not mean some significant government resources are behind these attacks.  Huge budgets and resources are not required.  
At the Blackhat talk unveiling Convergence, Moxie Marlinspike made a very convincing case that the Iranian actor who hacked Comodo and made off with forged certificates was probably acting without any government support – and is a real bozo to boot.  Some of his bragging was comical and sophomoric – effectively akin to claiming to be able to tie his own digital shoelaces.  In addition, the day after stealing the certificates, the thief was found to have downloaded Marlinspike’s well known and publicly available ‘sslsniff’ MITM tool.<br /><br />The <em>real</em> kicker?  The referring URLs in Marlinspike’s logs show that his previous visit was to YouTube to get pointers on how to perform a MITM attack and what tools to use.<br /><br />While it is possible that all this is meant to throw the scent off of the Iranian government’s trail, that truly taxes the imagination.  There is simply no evidence that the attack was sophisticated enough to require the resources of a nation state.<br /><br />The real problem (and at this point nearly an unsolvable one) is the insecurity of the Certificate Authorities, and the motivation for ever increasing numbers of them.  It’s a solution that just doesn’t scale.<br /><br />All this said, it’s really not Comodo’s, or any particular CA’s fault (well, at least not <em>all</em> their fault).  The problem is systemic.  There are roughly 650 Certificate Authorities in existence at present and that number is growing.  The proliferation of CAs drastically increases the probability of certificate forgery and reduces the expense of pulling off such an attack.  The beauty of Convergence, on the other hand, is that increasing the number of Notaries <em>increases</em> the security of the infrastructure.  At the moment, bootstrapping this Notary infrastructure still relies on CAs, but it drastically reduces the number necessary.  
I also have my own ideas I am toying with to possibly reduce Convergence’s initial reliance on CAs.<br /><br />This all leads to a larger point – the misdirection organizations feed to the media in response to hacks.  It is strongly in the interest of these organizations to cover their collective back ends.  The media’s current fascination with APT is a convenient rug under which organizations can sweep their woeful security practices.  Ending the APT excuses and taking basic but real steps to secure our infrastructure is the single most important thing we can do to improve the security landscape.<br /><br /><br /> f1397696-738c-4295-afcd-943feb885714:65264 Bit9 Endpoint Security Survey 2011 http://blog.bit9.com/bid/65158/Bit9-Endpoint-Security-Survey-2011 <center><a href="http://blog.bit9.com/Portals/447/images/bit9_infographic400_final.jpg"><img src="http://blog.bit9.com/Portals/447/images/bit9_infographic200_final-resized-600.jpg" border="0" alt="Bit9 Endpoint Security Survey InfoGraphic" title="Click here to view the full size infographic!" /></a></center><br /> <br /> <p>On August 30, 2011, we announced the results of the third annual Bit9 endpoint security survey. While the majority of IT and security professionals said they are most concerned about advanced persistent threat attacks - like the one on RSA Security, a large number have not taken all the steps necessary to protect themselves from these attacks. 
Endpoints – laptops, desktops, servers – are the big blind spot for companies right now.</p> <p>This survey shows that IT and security administrators need to take a serious look at how they are protecting their endpoints and do more than just have a written policy.</p> <p>The above infographic sums it up.</p> f1397696-738c-4295-afcd-943feb885714:65158 What they say about APTs, what they do: A Disconnect http://blog.bit9.com/bid/64996/What-they-say-about-APTs-what-they-do-A-Disconnect <p>2011 has been called the “year of the hack” and in Bit9’s third annual endpoint security survey, it was clear that the majority of IT and security professionals are most concerned about the so-called “advanced persistent threats.” These are the modern attacks that bypass existing security defenses – firewalls, IDS/IPS, HIPS and antivirus. <br /><br />Despite the worry, many organizations have not taken the steps to actually do something about it. <br /><br />Here are some of the highlights from our survey:<br /><br />60 percent of the IT and security executives said they were concerned about APT attacks like the RSA breach, more than double the next closest response, showing the growing anxiety around modern threats.<br /><br />(The second biggest hacking concern, at 28 percent, is having one of their own employees steal company data and post it online, much like what happened at the Department of Defense (DoD) with WikiLeaks. In third place, at 26 percent, are concerns around a vendor partner being hacked, much like what happened to Epsilon earlier this year.  And in fourth place, at 25 percent, are concerns over a cloud application breach, much like what happened with Sony.)<br /><br />But when it comes down to the question of: What are they doing about it? It’s clear that they aren’t doing enough. 
A lot of organizations rely on written policies to control what software is allowed and a narrow majority of companies surveyed (51 percent) said they allow their employees to download and install software at their discretion. All it takes is one person to download a hijacked version of Google Earth that contains malware that pulls data and sends it to servers in Asia. Or to click on that Excel spreadsheet that promises the “2011 Recruitment plan.xls” that contains zero-day malware. You get the picture.<br /><br />The companies that allow employees to download software often find digital music sites like iTunes, social media sites and instant messaging software on their endpoints. Additionally, almost 80 percent of companies allow employees to use removable storage devices, exposing companies to the loss of sensitive data and intellectual property while increasing exposure to malware.<br /><br />For a fuller view of all the responses and to read more about the survey please visit <a href="http://www.bit9.com/company/news-release-details.php?id=213" title="here" target="_blank">here</a>.<br /><br />Breaches that occurred in the first half of 2011 have changed the rules of security by exposing high profile companies like RSA, Sony, Lockheed Martin and numerous others. If this survey of 763 IT and security professionals is any indication of how prepared our corporations and government agencies are as a whole, we are not ready for APTs. Drop the “A” in Advanced Persistent Threat and we’re not even well prepared for that.</p> f1397696-738c-4295-afcd-943feb885714:64996 Bit9 Parity Now Integrates with Symantec Protection Center http://blog.bit9.com/bid/64589/Bit9-Parity-Now-Integrates-with-Symantec-Protection-Center <p>Today we announced the integration of Bit9 Parity Suite and the Symantec Protection Center (SPC), the leading open and centralized enterprise security management console. 
This technology alliance will help companies that use SPC protect against targeted attacks and “advanced persistent threats” by using Bit9’s adaptive application whitelisting technology. Bit9 is the first application whitelisting provider to integrate with the Symantec Protection Center.</p> <p>The integration of the Bit9 Parity Suite and Symantec Protection Center is an important step in providing enterprises with the ability to protect against modern malware and advanced persistent threats while reducing complexity through the use of a single console. This strategic partnership allows Symantec customers to remain with their current security management platform, while still leveraging Bit9’s application whitelisting solution to ultimately create a more secure corporate environment.</p> <p>Learn more about it <a href="http://www.bit9.com/company/news-release-details.php?id=212" title="here" target="_self">here</a>.</p> f1397696-738c-4295-afcd-943feb885714:64589 Interview with Bit9 CEO Patrick Morley on Advanced Persistent Threats http://blog.bit9.com/bid/63821/Interview-with-Bit9-CEO-Patrick-Morley-on-Advanced-Persistent-Threats <p><a href="http://vimeo.com/27313265">interview to venture: Patrick Morley, Bit9 (8/4/11)</a> from <a href="http://vimeo.com/ataussig">Alex Taussig</a> on <a href="http://vimeo.com">Vimeo</a>.</p> <p>Our CEO Patrick Morley met up with Alex Taussig, Principal at <a href="http://www.hcp.com/" target="_blank">Highland Capital Partners</a>, for a video interview in early August. Highland Capital has been an investor of Bit9 for over five years now, and one of a few venture capitalist firms that fund our company. 
In the interview, Patrick discusses the current cyber landscape, his experience in the information technology industry, and advice for new CEOs and executives.</p> <p>Patrick talks about how modern cyber threats, widely known as Advanced Persistent Threats (APT), are breaking through current security architectures and causing massive data breaches worldwide. Whether it’s the <a href="http://blog.bit9.com/bid/43839/RSA-and-the-APT-Attack" target="_blank">RSA attack</a>, breaches of <a href="http://www.govtech.com/policy-management/security-experts-hacking-70-law-enforcement-agencies.html" target="_blank">law enforcement agencies</a>, or the recent <a href="http://blog.bit9.com/bid/62490/Shady-RAT-Why-all-roads-lead-to-Beijing" target="_blank">Shady RAT attack</a>, organizations are more vulnerable now than ever before and need to have additional layers of security. Patrick says that Bit9 is “the only company out there today that can effectively stop this new class of attack.” Bit9 can protect from these attacks through our adaptive application whitelisting solution, Bit9 Parity, which allows only trusted software to run on endpoints, eliminating all malware.</p> <p>Patrick emphasizes that right now we are experiencing “the biggest transfer of intellectual property the world has ever seen…and it’s all occurring illegally.” It’s a challenging time for both individuals and organizations alike. To hear more about his concerns, watch the video. Or you can read more about the interview on Alex Taussig’s blog <a href="http://infinitetoventure.com/2011/08/09/interview-to-venture-episode-2-bit9/" target="_blank">infinite to venture</a>.</p> f1397696-738c-4295-afcd-943feb885714:63821 Adding Insult to Injury: FINRA Slaps Big Bank with Big Fine http://feedproxy.google.com/~r/bankfraudforum/~3/fOR-RuaOyvg/Adding-Insult-to-Injury-FINRA-Slaps-Big-Bank-with-Big-Fine.aspx <p>Failing to supervise employees appropriately is a recipe for disaster. 
In a case involving Citigroup Global Markets, that failure not only resulted in the embezzlement of nearly $750,000, it also attracted the attention of the Financial Industry Regulatory Authority (FINRA) and a fine of $500,000 for “lax supervisory practices”. </p> <p>What can banks learn from FINRA’s investigation and resulting fine? Will FINRA fine other banks for similar lapses? Will FINRA’s actions trigger more aggressive enforcement by bank regulators? It’s too early to tell, but let’s take a look at the particulars of this fraud... </p> {78826EE9-FE61-45DF-BB5E-AA148D2130D2} Ensuring Successful Adoption of a New Fraud Solution http://feedproxy.google.com/~r/bankfraudforum/~3/_YHs7oP6ocY/Ensuring-Successful-Adoption-of-a-New-Fraud-Solution.aspx <p>In my previous blog entry posted at the end of June, <em>Ensuring Successful Rollout of a New Fraud Detection Solution</em>, I discussed how to get started with implementation and defining new business processes. In today’s post, I am going to share with you some steps to help ensure successful adoption of your new fraud solution, including product training. </p> <p>When implementing a new fraud detection solution, a successful training experience will go a long way towards user adoption, so careful planning at this stage is critical. 
First impressions matter, and if users don’t have a positive experience with the new software at the initial training session, it will be ...</p> {D24985BD-DED7-4847-9DC7-CDA2FD398357} Forced Decryption: How Taking the Fifth Isn't Quite Enough http://blog.bit9.com/bid/62080/Forced-Decryption-How-Taking-the-Fifth-Isn-t-Quite-Enough <p><img src="http://blog.bit9.com/Portals/447/images/typing-laptop.jpg" border="0" alt="typing laptop" width="189" height="125" class="alignLeft" style="float: left; padding: 10px;" />Recent news about the U.S. Department of Justice attempting to <a href="http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/">force a woman</a> to hand over her laptop <a href="http://www.engadget.com/2011/07/12/ramona-fricosu-case-to-determine-if-decrypted-laptop-files-are-s">encryption keys</a> raises some interesting issues about applying the U.S. Constitution to electronic media.  Ramona Fricosu has attempted to "take the Fifth" and is refusing to hand over the password to her encrypted laptop, which she and her lawyers see as <a href="http://topics.law.cornell.edu/constitution/billofrights#amendmentv">forced self incrimination</a>. The Department of Justice sees things differently, claiming that she is preventing them from "assembling information that could become evidence during a trial."  Another twist here is that the Department of Justice is not seeking the password itself, but is asking Ms. 
Fricosu to type it in for them, leaving them to examine the files on her computer.  It's by no means clear whether a court can compel you to decrypt your laptop and it looks like this case will set precedent on appeal, likely all the way to the U.S. Supreme Court.  Prior cases (e.g. <a href="http://pblog.bna.com/techlaw/2009/02/boucher-court-no-right-to-refuse-to-produce-encrypted-data.html">United States vs. Boucher</a>) were not precedent setting and did not include a complete refusal to cooperate.<br /><br />Other countries, including Canada and many in Europe, have specific laws on key disclosure.  There's a summary on <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Key_disclosure_law#Legislation_by_nation">Wikipedia</a> if you're not under U.S. jurisdiction.<br /><br />In the meantime, I'm planning to continue to encrypt important data including my laptop disk, whether I can take the Fifth or not.</p> f1397696-738c-4295-afcd-943feb885714:62080 Shady RAT: Why all roads lead to Beijing http://blog.bit9.com/bid/62490/Shady-RAT-Why-all-roads-lead-to-Beijing <p>Making headlines this week was McAfee’s report on a wide scale cyber attack on at least 72 different organizations across the globe over a period of at least 5 years. They have dubbed this attack <a href="http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat">Operation Shady RAT</a> (for “Remote Access Tool”). Briefly reviewing the facts:</p> <ul> <li>All of the attacks analyzed by McAfee came from a single machine that was used as a CnC (Command & Control) server. Therefore, we can assume the same person or organization was behind these attacks.</li> <li>All of the victims were specifically targeted through spear phishing campaigns, where an email was sent to specific individuals containing a malicious payload. 
This was not a random or broad spectrum campaign; the targets were hand-picked.</li> <li>Once a target was infiltrated, a human being at the other end of the CnC server issued commands to the compromised systems. It was not simply an automated virus or worm - the attacker(s) manually controlled the behavior and the data exfiltration process.</li> <li>While most targets were based in the United States, other countries were also attacked, including government organizations within Canada, India, South Korea, Vietnam and Taiwan. If we assume a government is unlikely to attack itself, the list of potential countries behind Shady RAT is rather narrow.</li> <li>The targets spanned the gamut in terms of organizational category, including government, energy, manufacturing, real estate, security and information technology, non-profit think tanks, and even the International Olympic Committee (IOC) and the World Anti-Doping Agency.</li> <li>According to <a href="http://www.informationweek.com/news/security/cybercrime/231300193">Joe Stewart of Dell SecureWorks</a>, the attacks used the HTran tool as part of its camouflaging. HTran was developed by a Chinese hacker believed to be loyal to the People’s Republic of China. (Note: HTran was also used in the <a href="http://blog.bit9.com/bid/43839/RSA-and-the-APT-Attack">RSA security breach</a>.)</li> </ul> <img src="http://blog.bit9.com/Portals/447/images/shadyrat.png" border="0" alt="shadyrat" class="alignLeft" style="padding-right: 15px; float: left;" /> <p>In the report, McAfee suggests that the attacker was a state actor (read: nation state), but it does not name the nation. Various security professionals, including myself, have come out and said that the attacker was either directly working for, or supported by, China. 
Rather unsurprisingly, China, through its official People’s Daily newspaper, has <a href="http://uk.reuters.com/article/2011/08/05/oukin-uk-china-cyberattacks-idUKTRE7740CI20110805">denied</a> it was involved and has called any such accusations “irresponsible.”</p> <p>As I’ve said <a href="http://blog.bit9.com/bid/53644/Connecting-the-Sony-RSA-and-Google-dots">before</a>, it is important to identify your attackers so you can have an honest and open discussion about how to best defend and respond to such attacks. If we keep hiding behind the nebulous monikers “nation state” and “state actor,” as if some mysterious unnamed boogeyman is targeting our most sensitive data, our success will be limited.</p> <p>I could write a book explaining the rationale behind identifying China, or the Chinese government, by name, detailing a pattern of Chinese cyber (and physical) espionage that dates back over a decade, and explaining the motivations behind a nation whose economic and global position depends on the theft of intellectual property (IP). There is enough evidence that even the O.J. Simpson jury would convict if this were a criminal trial.</p> <p>Aside from the compelling inferences of the facts I listed above, consider one of the most important tools used in law enforcement: Victimology.</p> <p>By analyzing the victims of Shady RAT - their characteristics, locations, and the information they contain – we can better understand the attacker. What do the targets have in common? How does the attacker choose the targets? What information are they seeking? What gain can be made from that information?</p> <p>The commercial enterprises that fell victim to Shady RAT all contain some form of intellectual property, be it plans for a communications satellite or energy creation or computer security. Were it just one specific vertical, we might infer the attacker is an industry competitor. But this was corporate espionage on a global scale. 
Only a government or a state-sponsored entity has the wherewithal to take advantage of such a broad spectrum of data. Furthermore, the suspect set is restricted to countries where the government is in tight control of their economies and private sector, so they can use the stolen information to advance their economic standing.</p> <p>At least half a dozen government entities were also attacked. These are organizations that contain political and military secrets. Likely parties that would want such information again point to nation states, or perhaps terrorist organizations. Given the breadth of governments, and the organizational skill required to spear phish each of them, I think we can safely rule out rogue terrorist groups. We can also rule out any of the governments victimized, unless you are a conspiracy theorist who believes governments attack themselves to throw off suspicion. The governments attacked were First World countries within North America and Europe, and a swath of countries across South East Asia. While Russia has been thought to be involved in past cyber incidents, it is telling that no Eastern European countries were targeted.</p> <p>Lastly, there is this seemingly bizarre insertion of victims within non-profit organizations, Olympic committees, and economic and political think tanks. It’s not that bizarre when you consider the value information can have in enhancing geo-political influence. Even if the data from most of these organizations is going to be made public, a few weeks' advance notice can give you an edge on world currencies, trade negotiations, or political posturing. Were the targets only economic think tanks, a sufficiently organized criminal enterprise might be the attacker, but given the breadth, only a nation could truly benefit from such data. As far as the International Olympic Committee and World Anti-Doping Agency, those attacks occurred just prior to and immediately after the 2008 Summer Olympics. 
Hmmm, did I mention those were hosted in Beijing, China? Might be probative, I don’t know.</p> <p>People may accuse me of just trying to make noise, but I truly believe it is important to not stick our heads in the sand when it comes to security. The evidence is compelling and the victimology is telling. The Chinese government is either directly or indirectly behind Operation Shady RAT.</p> f1397696-738c-4295-afcd-943feb885714:62490 Convergence: Another Way to Trust http://blog.bit9.com/bid/62472/Convergence-Another-Way-to-Trust <p><img src="http://blog.bit9.com/Portals/447/images/trust.png" border="0" alt="trust" class="alignLeft" style="float: left;" />Moxie Marlinspike's Black Hat talk was one of the most significant this year, since it proposes a solution to arguably the most troublesome issue with web security today. You may recall that major Certificate Authority Comodo (or one of its many sub-entities) was <a href="http://www.wired.com/threatlevel/2011/03/comodo-compromise/" title="breached" target="_blank">breached</a>, resulting in the theft of certificates for major domains: login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, and "Global Trustee" (uh, ok, that last one's weird). The certificates were not technically stolen - they were fraudulently issued, or forged, using stolen system credentials at the Certificate Authority.<br /><br />The breach means that the thief has the ability to perform man-in-the-middle (MITM) attacks on visitors to those sites, assuming that the thief is in a position to be the MITM, stealing even encrypted content. How is this possible? Quick review:<br /><br />Web sites provide digital certificates to visitors, cryptographically proving their identity (read: domain name) and forming the basis for an encrypted channel. That's not sufficient to authenticate identity, however. 
If all a web site provides is a "self-signed" certificate, it's akin to trying to walk through airport security by saying "I'm Dan Brown and I am who I say I am" without any further proof of identity. What's needed for web security is a Certificate Authority - a trusted verifiable third party that provides attestation about the certificate for the web site being visited. In the airport security example, I can provide proof in the form of my driver's license that some authority, in this case the Commonwealth of Massachusetts, attests that my likeness is associated with my name, using a document that is ostensibly difficult to forge.<br /><br />A successful MITM attack can succeed if either the web site's certificate is self-signed, or the certificate chain to the Certificate Authority has been compromised, including forged certificates. I'll skip the tedious details of the cryptographic techniques involved in the attestation as they're a bit daunting for a blog post. Suffice it to say, your browser is preloaded with all of the trusted third party certificates required to take part in this web security scheme. When the web site you browse to uses self-signed certificates, you get a warning which most users will click through without thinking much about. When the MITM has forged a certificate - no warning; your browser thinks the MITM is google.com or live.com, etc.<br /><br />And so we come back to the problem - stealing certificates. The problem that Moxie points out (and has been well known for a long time) is that the system of trust breaks down if I can easily steal your driver's license and paste my picture on it (the analogy is starting to break down at this point, but hopefully you get the idea). Moxie proposes a solution to the problem - a solution available now, with no modification to the way certificates are used, servers are implemented, or any other architectural changes. 
In fact, I am writing this post via a web app over a secure web connection authenticated without the use of any Certificate Authorities.<br /><br />Significant enough?<br /><br />How does it work? We need to go back to the problem that certificates were meant to solve - the MITM attack. To break web security, the MITM attacker provides you with a different (forged) certificate. It has to - since the cert must include its own cryptographic key pair in place of the original web site's pair. Now, what is the MITM in the “middle” of? It's between the client and the web server. This means that other clients, not subject to the MITM attack, have access to the original web site certificate. Moxie's solution takes advantage of this fact.<br /><br />"Convergence", as he calls it, is a Firefox browser plugin that replaces the traditional certificate verification process that involves Certificate Authorities. Instead, the client checks with other nodes, called "notaries", asking them whether they see the same certificates that the client sees. If there isn't a match, it's likely that there is a MITM attack. In one elegant stroke, Convergence does away with Certificate Authorities, certificate chain verification, and makes self-signed certificates just as valid as CA-issued certificates. No more warnings about web sites that generate scary warnings in your browser when you visit them.</p> <div>One downside at the moment is that this only applies to web traffic. "Web" does not equal "Internet". What about other protocols that use certificates, like VPN? The approach used by Convergence would apply equally well but the clients would need to be changed, in the same way that the Convergence plugin modifies Firefox's behavior. There are other potential subtle issues involving vulnerabilities with DNS which need to be addressed - perhaps subject for a future post.<br /><br />For now, this is largely a proof-of-concept. There are only two notaries, presumably run by Moxie. 
So for the moment, using Convergence means trusting Moxie's plugin and notaries instead of the plethora of Certificate Authorities listed in my browser's database... I can live with that. <br /><br />How happy do you suppose the Certificate Authorities are about this? How bad do you suppose I feel for them? I'll give you a hint - both questions have the same answer.</div> f1397696-738c-4295-afcd-943feb885714:62472 Application Whitelisting: Say What You Mean http://blog.bit9.com/bid/62341/Application-Whitelisting-Say-What-You-Mean <p><img src="http://blog.bit9.com/Portals/447/images/black-hat-150x128.png" border="0" alt="black hat 150x128" class="alignLeft" style="float: left; padding: 10px;" />The Nevada sun has set on the first day of Black Hat briefings. Exhibitors, IT security professionals, and gamblers alike have one thing on their minds: ROI. At the Bit9 booth in Las Vegas, there is record turnout. The record attendance at Black Hat may be partly due to the elevated attention paid to enterprise computer (in)security by the media of late. I see few other vendors that have a similarly credible story regarding mitigating advanced threats against the endpoint, and I like to think this has affected the substantial interest we see at our booth.</p> <p>I'll report on some of the highlights of the Black Hat talks I attended in a later post, but I feel the need to clarify some terminology. I'm a bit of a stickler for precision in terminology and it's important that folks in the industry understand and adhere to convention in their use of industry terms; or risk diluting the terms, losing their credibility, or both. In particular, I find that there's a lot of misuse of the term "whitelisting".<br /><br />One booth I visited was for another vendor which shall remain nameless, claiming to have some aspect of whitelisting in their product. 
The term "application whitelisting" is not used by many vendors other than Bit9, so I was curious as to what this vendor meant when they used the term. I'll paraphrase their answer: "any application which is not determined to be bad is remembered as being ok, and therefore whitelisted".<br /><br />This, friends, is a great example of poor terminology in practice. By this definition, any application encountered that is not on the "blacklist" is on the "whitelist" - thus making the term "whitelist" utterly redundant. Application whitelisting is supposed to mean an intentionally generated list of allowed software - a "default deny" position, which enhances security by dealing with software that is newly introduced into the system on a case-by-case basis, rather than trying to run scanners and heuristics to determine if the software is "bad" and allowing that software to run if it passes the heuristics du jour. That's a losing game - always has been, always will be. Trying to defeat the Turing-complete logic of that argument is akin to trying to invent a perpetual motion machine.<br /><br />It is a challenge for folks evaluating IT security solutions when the vocabulary pool is polluted like this. I don't begrudge other vendors making their pitch for solving some part of the IT security problem, but let's get the terminology right and not claim too much credit. Be precise: say what you mean, and mean what you say.</p> f1397696-738c-4295-afcd-943feb885714:62341 RFID Offers More to Race Timing than Just Timing http://rfid.thingmagic.com/rfid-blog/bid/68689/RFID-Offers-More-to-Race-Timing-than-Just-Timing <p><img src="http://rfid.thingmagic.com/Portals/42741/images/marathon-timing-1-resized-600.jpg" border="0" alt="Marathon Timing" width="222" height="148" class="alignLeft" style="float: left;" />Marathons are popping up everywhere. 
It appears as though there is one for everyone, with a slew taking place across the country over the summer including: the Extraterrestrial Full Moon Midnight Marathon near Area 51 in Nevada, the Rock 'n' Roll Seattle Marathon, and the Grandfather Mountain Marathon in North Carolina.</p> <p>So, what better time to revisit race timing since we last <a href="http://rfid.thingmagic.com/rfid-blog/bid/34745/Race-Timing-with-RFID" title="blogged " target="_blank">blogged</a> on the topic? In our previous post, we focused on how UHF RFID could be used for extremely precise timing, as well as the efficiencies gained by using RFID due to the technology’s ability to process a greater amount of data in a shorter period of time. Today, we thought we would highlight a few additional benefits of using UHF RFID in race timing applications as described in our latest Application Note: <b><em><a href="http://rfid.thingmagic.com/application-note---race-timing/?utm_campaign=Application-Note---Race-Timing&utm_source=Website" title="Designing Race Timing Applications Using UHF RFID Technology" target="_blank">Designing Race Timing Applications Using UHF RFID Technology</a>.</em></b></p> <p><b>Checking-in participants before the race - </b>The slow, manual process of checking-in racers on race day can be eliminated by mailing pre-associated RFID-enabled race bibs to the racers in advance. With an RFID-enabled race system, participants get checked-in automatically via an RFID reader at the starting point, eliminating time-consuming check-in processes that can impact a runner's pre-race outlook.</p> <p><b>The motivation factor - </b>As we noted, marathons are attracting a wide demographic of people - from the born runner to the novice. But they all have one thing in common. Most runners want to be cheered on, celebrated and supported and this motivation can go a long way to help them dig deep to find what it takes to finish a grueling race. 
With the combination of RFID-enabled tags and check points, sponsors, friends or family can display personal motivational messages on big screens for individual racers or a group of racers at any given time. Or the statistical information of a particular racer could be presented at different check points so they can see their performance in relation to the rest of the field. This motivation factor is also very fitting for charity races and even walks. </p> <p><b>The importance of real-time data - </b>Without RFID, race coordinators have to record the time of each participant at certain milestones, which can be tedious and is prone to human error. RFID systems automate the collection of timestamps by reading the participant’s bib at certain locations and updating them to a central database, which is then interrogated in real-time during the event or at the end of the race. Race statistics, like checkpoint time stamps, can also be stored on servers that can be made accessible via the web for participants to check their performance. These time-sensitive applications require fast data transfer between the reader and the tag and could not be achieved at the same level of accuracy with manual processes.</p> <p>These are just a few of the ways that UHF RFID can be used to enhance the race day experience for race organizers and participants alike.  
If you are designing a race system and interested in exploring RFID to enhance your solution, please download our Application Note <a href="http://rfid.thingmagic.com/application-note---race-timing/?utm_campaign=Application-Note---Race-Timing&utm_source=Website" title="here" target="_blank">here</a>.</p> <p>The next time you run a marathon or participate in a walk for charity, what message would push you to cross the finish line?</p> f1397696-738c-4295-afcd-943feb885714:68689 Digitalsmiths Family Night at the Durham Bulls http://digitalsmiths.com/node/513 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5974.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Christine Cobuzzi</div> <div>Sales & Marketing Coordinator</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by christine on Jul 29th, 2011 11:14 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p> </p></div> <div> <a href="http://digitalsmiths.com/node/513">Continue Reading...</a> </div> 513 at http://digitalsmiths.com When Your Financial Institution Hampers Your Own Security Efforts http://blog.bit9.com/bid/61525/When-Your-Financial-Institution-Hampers-Your-Own-Security-Efforts <p>A few weeks ago, Harry mentioned the recent <a href="http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20081021005640&newsLang=en">PayPal study</a> that showed people behaving badly when it comes to choosing and using passwords.  I fancy myself not one of those people.  After all, security is my business and I know better.  
But the reality is my passwords are not diversified enough given the hundreds of separate accounts I have scattered through the Net, and some of those passwords are stale, weak or both.  Time to get this mess in order before I, too, fall victim to another security breach<b> </b>with my account information lifted and reused, or my contacts targeted.</p> <p>I started with some high-value accounts—financial, work, e-commerce, email, social—and a simple plan to make sure all passwords were reasonably strong and diverse. </p> <p><img src="http://blog.bit9.com/Portals/447/images/password_denied1-resized-600.JPG" border="0" alt="password denied1 resized 600" width="209" height="148" class="alignLeft" style="float: left;" />First up was Digital Federal Credit Union.  I changed my password to an analog of DoneCo@chingUmp!res, only to receive an error stating my password “must contain between 6 and 16 characters, include at least one letter and one number, and cannot contain any blank spaces or special characters.”  You@reK!dd!ingMe,Right?  How could such antiquated password restrictions be in effect at an institution that was once at the forefront of technology back in the halcyon days of DEC?</p> <p>I fired off an email to customer service complaining about restrictive password requirements.  I also suggested that their customers would benefit from two-factor authentication, primarily because it helps address the staleness and reuse problems of password maintenance.  Below is the verbatim response I received:</p> <p><em>“Chris, PC Branch is an extremely secure way to manage your accounts at DCU. Please go to www.dcu.org and click on Password Requirements which can be found directly under the PC Branch Online Access box.  Here, you will find detailed information on how secure your password and PC Branch is. You will also find information on our recent Multi Factor Authentication for PC Branch. 
DCU cares about keeping your financial information secure and safe.”</em></p> <p>There was no response to my specific issues with password restrictions, but the multifactor authentication note was intriguing since this was the first I’d heard of its availability.  I’ll save you the bother of a trip to the site by quoting the salient bits from the referenced page:</p> <p><b>Enhanced Login Security with Multi Factor Authentication for PC Branch.</b></p> <p>DCU cares about keeping your financial information secure and safe. That's why we've added security questions to our network of fraud-protection tools for members…We are using Multi Factor Authentication coupled with a computer registration process. These security processes are industry standard methods for keeping information secure and they are likely familiar to you if you are using another financial institution or brokerage firm…You select and answer three security questions. This will help to confirm your identity when logging in. Your correct answers to these questions will help us verify it's you…When you register those computers typically you will not need to answer the security questions when you log on. This is because a secure cookie is placed on your computer - if you delete your cookies on a regular basis you will be required to re-register the computer or answer the security questions.</p> <p>As you may have read <a href="http://blog.bit9.com/bid/44002/The-X-Factor-Thoughts-on-multi-factor-authentication">a few months ago</a>, that’s single-factor authentication, folks: stuff the user knows (username, password) plus more stuff the user knows (favorite food, favorite movie, name of first pet, etc.).  That doesn’t help me when I start reusing passwords.  And it doesn’t help me when I stop changing them. </p> <p>As I worked through my accounts, I continued to encounter similar seemingly arbitrary collections of restrictions.  
Companies that manage personal or sensitive data on the Internet need to modernize their systems and start taking security more seriously.  There is no reason why passwords should have maximum length restrictions. There is no reason to prevent symbols from being part of a password.  Both length and complexity are important ways to prevent attackers from using brute force or dictionary attacks to crack passwords.  If your online accounts are restricted in their password complexity, speak up and let the company know your displeasure.  And if a company tries to tell you that multiple questions equals multifactor authentication, be alarmed.</p> <em>Postscript: In a subsequent exchange, I did learn that DCU’s password restrictions were actually imposed by their vendors and outside services and cannot be changed without a more concerted effort.   Now that is truly disturbing because it means we have a few polluting the many, and it means it isn’t likely to improve soon.</em> f1397696-738c-4295-afcd-943feb885714:61525 Closing the Books – Really? http://feedproxy.google.com/~r/bankfraudforum/~3/pG06VRc71uA/Closing-the-Books-Really.aspx <p>In the July 1 column of “The Ethicist” in <em><strong>The New York Times</strong></em>, I came across this concern posed by an unnamed CFO of a financial services company: </p> <blockquote dir="ltr"> <p>“… <em>I found our bookkeeper using the corporate charge card for her personal use. The misappropriation was approximately $47,000 over a six-month period. She forged a partner’s signature to acquire a card in her name. We fired her, and she paid back the funds in exchange for our not pressing charges. But I cannot get closure if she is not punished for this egregious betrayal. I recommended that we call her husband, as I think family humiliation would be punishment enough. 
Would this be ethical?</em>” </p> </blockquote> <p>What I find interesting here is that the question posed by the CFO was not about whether or not the agreement was ethical, but whether or not revenge was ethical. And it seems like the columnist was on the same page. In response to this query, the columnist first reminded the CFO that the financial services company had agreed to sweep the issue under the rug as long as the perpetrator repaid the money, and the CFO’s revenge-seeking was not only against the ‘agreement’ but also inappropriate. Then the columnist writes, “<em>I have to wonder, meanwhile, about a financial-services company that allows someone to steal and then to just stroll off to the next company to do it again</em>.”</p> <p>Now, <u>this</u> point raises some serious questions. Did the financial institution ...</p> {B46F6717-B487-467F-87D2-AAFE15D7FF57} Bit9 @ Black Hat 2011 http://blog.bit9.com/bid/60899/Bit9-Black-Hat-2011 <p>If you’re at Black Hat this year, stop by the Bit9 booth #713.  We’ll be there doing<img src="http://blog.bit9.com/Portals/447/images/stop_apt_t_shirt-resized-600.png" border="0" alt="stop apt t shirt resized 600" width="199" height="196" class="alignRight" style="float: right;" /> demos of application whitelisting along with some of the fun marketing stuff – a cash machine, raffle and the ubiquitous black T-shirts that engineering here is already clamoring for.   </p> <p>It’s been six years since I’ve personally been at the show. 
That was the year that <a href="http://www.informationweek.com/news/166403842" title="Michael Lynn" target="_blank">Michael Lynn</a>, a researcher for ISS, disclosed how his new exploitations could be applied to old vulnerabilities in Cisco routers to seize control or shut them down. It was quite the hullabaloo. Everyone was talking about it having the potential to “take down the Net” and a bunch of attendees were drinking Red Bull all night trying to recreate it. Lawyers got involved. Business press swarmed. It seemed like the event became a bit corporate after that. No one wanted a repeat so the big security companies swarmed in the next year with sponsorships.</p> <p>I’ve since become a fan of the <a href="http://www.hackerhalted.com/" title="Hacker Halted" target="_blank">Hacker Halted</a> conferences.  It should be interesting to see how the two compare after so long.</p> <p>So if you’re there, drop by the booth or speak to us during the lunch sessions on August 3<sup>rd</sup> and 4<sup>th</sup>. We’ll be talking about how application whitelisting stopped some of the recent “APT” attacks at our customer sites.</p> <p>And this just in from our social media master, Katie Campbell – The first 50 people who become followers of @Bit9 on Twitter and answer the question  “Why is @Bit9’s Adaptive Application Whitelisting effective in stopping modern security threats?” will get one of the T-shirts. Just DM your address after you become a follower and @mention your answer to our question.  
Needs to be a good answer,  though, to motivate Katie to send you one so beware.</p> <p>Also – if you have not registered for the conference yet, we have a discount of $250 savings on your Black Hat registration; please fill out our <a href="http://www.bit9.com/contact/contactme.php">Contact Us form</a> and we can send that along to you.</p> f1397696-738c-4295-afcd-943feb885714:60899 Fraud Goes Mobile http://feedproxy.google.com/~r/bankfraudforum/~3/QYTPwi1zKHk/Fraud-Goes-Mobile.aspx <p>It seems like yesterday when I first saw an ATM and had to be taught how to use it. When my bank sent the piece of plastic to me called a debit card, I was ever so hesitant to use it. And forget about online banking; my fraud investigations experience would in no way enable me to use my computer to perform my banking transactions. For baby boomers like me, we have seen a dramatic shift in the way we perform our banking, especially with online and mobile banking. It appears that the face of banking is an ever changing frontier. From a consumer’s viewpoint, all of these changes make things easier. But as a fraud professional, I am very nervous about the implications. </p> <p>With this evolution in the way we do banking comes new threats. Modern trojans and viruses that may infect not only our computers but our mobile devices are alive and thriving. Just as I graduated from my old flip phone to my new high tech smartphone, I heard about a variant of the ZeuS Trojan that runs on the Android phones. 
According to researchers ...</p> {DF935F53-FA95-4088-80AF-AE10691D8392} The Reviews are in - and Bit9 Parity Gets Five Stars! http://blog.bit9.com/bid/60498/The-Reviews-are-in-and-Bit9-Parity-Gets-Five-Stars <p><img src="http://blog.bit9.com/Portals/447/images/boy%20with%20A=-resized-600.jpg" border="0" alt="boy with A= resized 600" width="259" height="172" class="alignLeft" style="float: left;" /> When IT security companies know a product review is coming up, they get a few butterflies in anticipation of the results. They wonder …</p> <p> Does the reviewer understand how to use the technology? What type of set up do they have at their lab? What is their level of experience? Will they get it?</p> <p>Questions like these sometimes come to mind, but ultimately, when you have a great application whitelisting and endpoint security solution… there is nothing better than getting rave reviews on your work.</p> <p><em>SC Magazine</em> just came out with their Endpoint Security Group Test and Bit9 got an A+. 
Bit9 Parity Suite, our signature application whitelisting solution, earned the highest rating of “Outstanding” and five stars in all categories.</p> <p>Here is the link to the full review: <a href="http://www.scmagazineus.com/bit9-parity-suite-6/review/3510/">http://www.scmagazineus.com/bit9-parity-suite-6/review/3510/</a>.</p> <p>The Bit9 Parity Suite received an “Outstanding” rating of five stars in all the following categories:</p> <ul> <li>Features</li> <li>Ease of Use</li> <li>Performance</li> <li>Documentation</li> <li>Support</li> <li>Value for Money</li> <li>Overall Rating</li> </ul> <p>In its review, <em>SC Magazine</em> praised Bit9 Parity Suite as a “great value for the amount of <a href="http://www.bit9.com/">endpoint security</a> features" it offers and said the solution is “a great fit for organizations looking to add onto their current anti-virus solution to provide additional layers of whitelisting, hashing and reputation scoring."</p> <p>While our laser focus is on protecting the endpoints and servers of our customers, it is always nice to get five star reviews from the critics.</p> <p><a href="http://clicktotweet.com/ec67N">Click to Tweet</a>:@Bit9’s Parity Suite wins a “Five Star” review from @SCMagazine in endpoint security group test</p> f1397696-738c-4295-afcd-943feb885714:60498 Another Example of Driving Viewer Engagement on Broadcast TV http://digitalsmiths.com/node/507 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jul 14th, 2011 04:17 PM</div> </td> </tr> </table> </td> 
</tr> </table> </div> <div> <p></p><p>The way we watch and interact with video continues to change.<span>  </span>At Digitalsmiths, we know how the use of search and discovery technology will increase viewer engagement, enhancing the viewer experience and opening doors for greater content monetization.<span>  </span>Being video discovery fanatics, we’re always excited when we see new examples of search and discovery technology being used to propel the industry forward.</p> <p> </p> </div> <div> <a href="http://digitalsmiths.com/node/507">Continue Reading...</a> </div> 507 at http://digitalsmiths.com FFIEC Guidance for Online Authentication Evolves http://feedproxy.google.com/~r/bankfraudforum/~3/tZljPk87tnk/FFIEC-Guidance-for-Online-Authentication-Evolves.aspx <p>As you probably have heard by now, the FFIEC has issued new Guidance for authenticating online customers, and we should expect these guidelines to take effect in January 2012. That doesn’t leave a lot of time for financial institutions to get themselves ‘in compliance’. </p> <p>The new guidelines are an enhancement to those originally issued in 2005. As one banker said to me, “These guidelines aren’t revolutionary like the original ones, they are <em>ev</em>olutionary”. As the FFIEC points out, the internet is far more risky today than it was in 2005, and criminals are much more effective at compromising accounts despite existing bank controls. The FFIEC strongly encourages banks to perform periodic risk assessments and enhance their current controls due to this new environment. 
</p> <p>In 2005, the FFIEC ...</p> {EDD6B1AC-828F-472E-889F-D3A23B5A5A13} Google vs. Cisco: business ethics vs. business pragmatism? http://blog.bit9.com/bid/58846/Google-vs-Cisco-business-ethics-vs-business-pragmatism <p><img src="http://blog.bit9.com/Portals/447/images/ethics1-resized-600.JPG" border="0" alt="ethics1 resized 600" width="200" height="160" class="alignLeft" style="float: left;" /></p> <p>According to a recent <a href="http://online.wsj.com/article/SB10001424052702304778304576377141077267316.html" title="Wall Street Journal article" target="_blank">Wall Street Journal article</a>, Cisco is helping the Chinese build "a citywide network of as many as 500,000 cameras that officials say will prevent crime but that human-rights advocates warn could target political dissent."  This highlights very different corporate attitudes when contrasted with Google, <a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html" title="who pulled out of China" target="_blank">who pulled out of China</a> rather than censor their search data as required by Chinese law, and raises interesting issues about how business should be conducted.  Should companies worry about how their technologies will be used or sell to all comers?  Can companies afford, as Google has done, to leave potentially billions of dollars of revenue on the table because of ethical issues?  
Cisco felt the need to defend its behavior in its <a href="http://blogs.cisco.com/news/cisco-supports-freedom-of-expression-an-open-internet-and-human-rights/" title="blog" target="_blank">blog</a>, much in the vein of weapons manufacturers (we sell weapons, but we don't tell you how to use them).  So there is doubt even among those companies that actively do business in China and other such places.<br /><br />There are some differences between the <a href="http://news.bbc.co.uk/2/hi/uk_news/6108496.stm" title="United Kingdom" target="_blank">United Kingdom</a>, which already has a widespread surveillance system in place, and China.  But the ethical issues might well be cast in the same light.  Does a democracy deserve different treatment, even when the outcome of using its technology is the same?  The United Kingdom's relatively strong data protection laws may act as a balance to the tendency of law enforcement to intrude excessively, but once the toothpaste is out of the tube, retroactive protections can seem lacking.  
And I'm sure technology companies were and are lining up to supply this lucrative market.<br /><br />There is not One True Answer for this issue, but we can rest assured it will become more complex and more nuanced as the available technology becomes more powerful.</p> f1397696-738c-4295-afcd-943feb885714:58846 Facilitating Cross-Channel Fraud Resolution http://feedproxy.google.com/~r/bankfraudforum/~3/g7Wv1ZruKSA/Cross-Channel-Fraud-Detection.aspx <p>In a recent Bank Fraud Forum blog post, Discussing Multi-Factor Authentication, Shirley Inscoe stated that cross-channel fraud detection enables the analysts "...to see the complete picture with regards to a customer or account, and detect suspicious events that would otherwise result in losses...” Having been an investigator as well as a manager of a cross-functional fraud team for over 2 decades, I could not agree more.</p> <p>However, it must be said that even if you provide a holistic picture of fraud to the analysts, it does not do them - or your customers - any good if they are not skilled in investigating and properly mitigating cross-channel fraud alerts. 
For those who have worked fraud over multiple channels, there are varying rules and regulations that may entail some compliance issues, including Reg E, Reg CC, UCC Articles 3 and 4, Reg J, Check 21, Clearinghouse Rules ...</p> {0B42132B-ACFC-49EF-80C0-B8FC6CA2DF44} How Digitalsmiths Unleashes Eight Simultaneous Video Feeds for TNT’s RaceBuddy http://digitalsmiths.com/node/505 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jul 5th, 2011 03:30 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Continuing our <a href="http://www.digitalsmiths.com/node/496" target="_blank">award-winning</a> work with Turner, we are thrilled to be contributing to their latest cool interactive video application - <a href="http://www.nascar.com/multimedia/webcast/tnt_racebuddy/2011.html" target="_blank">TNT’s RaceBuddy</a> on NASCAR.COM.</p> <p> </p> <p> <img style="vertical-align: middle;" src="http://digitalsmiths.com/sites/default/files/imce/RaceBuddy.jpg" alt="RaceBuddy" width="560" height="373" /></p> </div> <div> <a 
href="http://digitalsmiths.com/node/505">Continue Reading...</a> </div> 505 at http://digitalsmiths.com Ensuring Successful Rollout of a New Fraud Detection Solution http://feedproxy.google.com/~r/bankfraudforum/~3/WaYfbGFsFQw/Ensuring-Successful-Rollout-of-a-New-Fraud-Detection-Solution.aspx <p>If you work at a bank that is introducing a new fraud management software product, you know these are exciting times. Your organization has spent a great deal of time and money selecting the right solution for your organization, and the stakes are high for a successful deployment.</p> <p>Banks that approach the software implementation process with careful preparation help ensure successful adoption by fraud management teams. As someone who’s been on the front line of training users on new technology tools for many years, I’ve seen some great strategies that banks have used to help ensure a successful rollout.</p> {B0F9CDB7-B4A1-4567-8CD1-031C8E42FE87} Gannett Government Media Breach: A Cyber Attack on our Soldiers http://blog.bit9.com/bid/57629/Gannett-Government-Media-Breach-A-Cyber-Attack-on-our-Soldiers <p><img src="http://blog.bit9.com/Portals/447/images/soldiers.jpg" border="0" alt="soldiers" class="alignLeft" style="float: left; padding-right: 10px;" />Earlier this week, Gannett Government Media Corp released a <a href="http://militarytimes.com/news/2011/06/gannett-cyberattack-statement/">statement</a> saying that the personal information of subscribers to publications read by U.S. 
government officials and military personnel was stolen. The information included names, email addresses, and – you guessed it – passwords. It also included zip codes, duty status, and paygrade when provided by the subscriber.</p> <p>First of all, can we all just collectively roll our eyes again, bang our heads against the firewall, and ask why companies are still storing customer passwords in plain text in their databases? Have people not learned anything from the recent string of passwords stolen? Gannett Government Media Corp should be embarrassed. In the past two months alone, the hacker group known as LulzSec stole and released hundreds of thousands of user passwords. They also showed, as if we needed any further reminder, that most people still re-use their passwords for multiple accounts.  </p> <p>The Wall Street Journal recently ran an <a href="http://online.wsj.com/article/SB10001424052702304070104576399462867708544.html?mod=googlenews_wsj">article</a> discussing passwords. In it they quote a study from PayPal noting that “two out of three people use just one or two passwords across all sites, with Web users averaging 25 online accounts.” For those of you who think you’re safe because you have two passwords – one for your throw away personal accounts, and one for your “sensitive” accounts like online banking – think again. If your “throw away” password can access even one personal email account, you and your friends are vulnerable. From that account, an attacker can launch a spear-phishing attack against your friends or your co-workers. Most people use their personal email accounts at least on occasion for business purposes. 
If not from email, the attackers could use the password to launch attacks from your social networking accounts, like Facebook, where they can post malicious links in your name – how many of your friends would trust a link if they saw it posted from your legitimate account?</p> <p>Secondly, we have a cyber attack directed at our military. That’s a focused and target rich environment for further infiltration and to obtain classified data. If there’s another important lesson we’ve learned from the recent news, it is that not all cyber attacks are one time instances. As in the case with the RSA breach, where data stolen was used to launch subsequent attacks on defense contractors months later, cyber attackers often plan multi-stage and long term campaigns. They use information stolen today to launch deeper attacks tomorrow. If thousands of military personnel passwords have been compromised, the possibility of subsequent breaches is high.</p> f1397696-738c-4295-afcd-943feb885714:57629 ADP: Another Day, Another Breach http://blog.bit9.com/bid/56484/ADP-Another-Day-Another-Breach <p><img src="http://blog.bit9.com/Portals/447/images/adp3.jpg" border="0" alt="adp3" class="alignLeft" style="float: left;" /></p> <p>Last week, <a href="http://articles.boston.com/2011-06-16/business/29666337_1_adp-data-breach-automatic-data-processing">ADP disclosed</a> a malicious intrusion at a recently acquired Massachusetts-based subsidiary, Workscape Solutions.  The damage is described as being limited to one customer.  Beyond these facts, little has been disclosed or discovered about it.  Assuming the affected customer isn't a large institution, this accident is just one among many larger recent attacks, and we'll probably soon forget about it. </p> <p>Before we do, however, let's dig a little deeper and see if there are any issues here worth considering further.</p> <p>Perhaps this subsidiary wasn't security conscious when they were first acquired?  
We could cut ADP some slack then, right?  According to Workscape's <a href="http://www.workscape.com/OurTechnology/Security.aspx">website</a>:</p> <p><em>You can rely on Workscape to keep your employee data safe and secure. Our performance management, compensation planning, manager self service, and outsourced benefits administration solutions — all of which share the common Workscape Total Rewards Platform™ — are delivered from hosting centers that have attained SAS70 certification (SAS70 Level II for our benefits solutions) and are fully compliant with ISO 27002 security standards.  What exactly does this mean? It means we take data security as seriously as you do.</em></p> <p>So much for alphabet soup certifications.</p> <p>So many domestic companies outsource their payrolls to ADP that their National Employment Report is heavily relied upon by the government for compiling labor statistics.  The potential impact of a significant breach of ADP payroll services is the sort of thing that keeps security professionals awake at night; particularly if their paystubs say “ADP” on them.  Is the cost savings of outsourcing HR functions such as payroll worth the risk?  Maybe this worry is for nothing?  Perhaps ADP has a stronger culture of security than their subsidiary?</p> <p>I once asked an ADP representative if it was possible to opt out of certain web services, such as the ability to view and change routing and ABA numbers online.  From the reaction I received you would have thought I had asked if Santa’s workshop outsourced their payroll to ADP.</p> <p>So much for the culture of security.</p> <p>Acquisitions often pose security challenges.  If the organizations merge their IT infrastructure, changing such infrastructure often results in temporary or permanent security holes via misconfigured routers, firewalls, temporary passwords, etc.  Division of responsibility can be unclear between the organizations, leaving loose ends.  
Unsecured communication between the organizations' IT departments is valuable if intercepted by an adversary. Could it be more than a coincidence that the Workscape breach was reported after the ADP acquisition?</p> <p>Finally, the tradeoff between security and convenience, or more accurately between security and efficiency, needs to be examined.  Since ADP services a large number of domestic payrolls they're naturally going to be a target. With high profile attacks making headlines almost daily, IT security needs to take front and center stage during any merger or acquisition.</p> f1397696-738c-4295-afcd-943feb885714:56484 Banks 1, Corporate Account Holders 1? http://feedproxy.google.com/~r/bankfraudforum/~3/vcz5-67PcmA/Banks-1-Corporate-Account-Holders-1.aspx <p>For those keeping score in the legal battles between financial institutions and their commercial account holders, a recent decision by Judge Patrick J. Duggan in the Experi-Metal Inc. (EMI) vs. Comerica case evened the score at one apiece for the interested parties…or did it? Two weeks ago the recommendation by the magistrate in the Patco vs. Ocean Bank case favored the bank. The District Court has yet to decide if that recommendation will be accepted, but observers have expressed the opinion it will be. With the Michigan bench opinion out, maybe not. Now we get an opposing view that the bank may be liable for the losses. This could have serious repercussions for the industry, because anyone paying attention knows that commercial accounts are regulated under UCC statutes, not Reg. E. 
Commercial customers and their banks are subject to the UCC4a guidelines, specifically by § 4A-202.(c), which reads, “Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.” I can see in part where ...</p> {27DC960A-BC64-42C4-8DEA-9FDEFFCABDFD} Citigroup Data Breach: It’s just too easy http://blog.bit9.com/bid/55592/Citigroup-Data-Breach-It-s-just-too-easy <p><img src="http://blog.bit9.com/Portals/447/images/citigroup.jpg" border="0" alt="describe the image" /></p> <p>As has been widely <a href="http://news.yahoo.com/s/ap/20110609/ap_on_bi_ge/as_citigroup_data_breach">reported</a> now, Citibank was “hacked” a few weeks ago and the personal account information of 200,000 – no wait, <a href="http://news.yahoo.com/s/nm/20110616/bs_nm/us_citigroup_hacking">360,000</a> – customers was stolen. 
I use the word “hack” loosely, because when you understand how it occurred, you can’t help but scratch your head and think “Is this really the best security a financial organization can provide?”</p> <p>As the <a href="http://www.nytimes.com/2011/06/14/technology/14security.html">New York Times</a> and other outlets have reported, the breach occurred by manipulating the URL or address that appears in the browser when you log onto Citigroup site. In the same articles, they refer to the attackers as “especially ingenious” and “sophisticated cyber criminals”. Really? Let’s break this down with a really simple example:</p> <p>Let’s say you log onto a web site using your “5551212” account number and the address shown at the top of the browser is:</p> <p>hxxps://reallysecuresite.com/account/5551212</p> <p>Hmmm. Your account number is listed right there in the address. Maybe it has a few extra digits or is rearranged a little, but there it is, in plain text for the world to see. Now, you reach into your friend’s wallet and notice he has a credit card with the account “5551313.”</p> <p>Does it really take a super genius to try editing the address in the browser to now read:</p> <p>hxxps://reallysecuresite.com/account/5551313</p> <p>You would think that if you tried this, the “reallysecuresite” would realize you are trying to access a different account and ask you for a different set of login credentials. Apparently not if you are Citigroup. In the case of this recent breach, since the user was already “authenticated” from the first login, they are not asked for any additional credentials. They can happily try thousands of different random numbers and, if they stumble upon a legitimate account, they are now shown the details of that account – as if they had logged onto the site with that account’s credentials.</p> <p>So that’s what the cyber criminals did. 
They created a script that generated hundreds of thousands (or millions) of random account numbers and tried entering those numbers into the address string. This takes all of about 2 or 3 lines of script to code. Not rocket science for even the most junior of “hackers.” There was no custom malware involved here, no vulnerability in the browser, no sophistication at all. This was simply an egregious insecurity in the design of the web site. You might as well add a form on your site:</p> <p>“Please enter the account number you would like to access: [____]”</p> <p>Citigroup boasted that the hackers “weren't able to gain access to social security numbers, birth dates, card expiration dates or card security codes.” That’s nice. They basically logged into those accounts as if they were the legitimate customers and were able to see everything a customer could see – account numbers, email address, transaction history and more. That information is more than enough to cause serious damage, launch subsequent spear phishing attacks, or even make purchases so long as they don’t need the credit card security code. They didn’t get the mother’s maiden names either. Do you feel safer? It's like being told by the police "A criminal broke into your house last night, but don't worry, they didn't take your car keys."</p> <p>I realize this is a bit of a rant, but please stop telling me the attackers were ingenious, or the attack could not have been foreseen, or that this represents some new level of cyber threat sophistication. This was just sloppy and irresponsible design on the part of Citigroup. My 15 year old son could have done this. 
Come to think of it, where did he get those new sneakers?</p> f1397696-738c-4295-afcd-943feb885714:55592 Digitalsmiths Participates In President’s Job Council http://digitalsmiths.com/node/503 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5974.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Christine Cobuzzi</div> <div>Sales & Marketing Coordinator</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by christine on Jun 17th, 2011 01:03 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Ben Weinberger, co-Founder and CEO of Digitalsmiths, was invited to the President’s Council on Jobs and Competitiveness meeting held this week here in North Carolina.<span>  </span>This committee was formed to focus on figuring out ways to grow the economy.<span>  </span>Austan Goolsbee, Chairman of the Council of Economic Advisors, chaired the meeting.<span>  </span>The full list of attendees included:</p> </div> <div> <a href="http://digitalsmiths.com/node/503">Continue Reading...</a> </div> 503 at http://digitalsmiths.com Data Breaches, Insiders and Fraud http://feedproxy.google.com/~r/bankfraudforum/~3/TQDOzqiKmCA/Data-Breaches-Insiders-and-Fraud.aspx <p>When most people think of data breaches, they think of the big headline grabbers like Hannaford, Heartland, and TJ Maxx (now disappearing into the distant past, but dredged up every time a big one like Heartland occurs). There are many more, but you get the point. The naïve view of breaches is that they are accidental most of the time, but that notion should have been dispelled by the overwhelming evidence that breaches are often times the result of a premeditated attack. 
We have seen that these data breaches do result in fraud, sometimes quickly and sometimes as much as two or more years later. </p> <p>Why can the fraudsters wait so long? Because there is a ready supply of personal data to be had in the fraud underground, a veritable secondary economy with producers, brokers, and buyers. </p> <p>This ready supply is fueled not just by the “biggies”, but also by a host of largely unreported breaches of various sizes. More often than we care to imagine, these breaches are ... </p> {0866C541-F5E3-4AEA-A563-90DE66B42773} Angry Birds (and RFID) Coming Soon - Everywhere http://rfid.thingmagic.com/rfid-blog/bid/63680/Angry-Birds-and-RFID-Coming-Soon-Everywhere <p><img src="http://rfid.thingmagic.com/Portals/42741/images/angrybirds_magic-resized-600.jpg" border="0" alt="Angry Birds Magic" class="alignLeft" style="float: left;" />Really?  
Did I just read that the maker of one of my favorite mobile games, Angry Birds, is going to be connecting the virtual world of slingshot flung birds and grunting pig heads with the physical world by using near field communications (NFC) and GPS?</p> <p>Yup – as reported by ReadWriteWeb, Rovio (the Angry Birds game maker) will be making this announcement at the <a href="http://www.readwriteweb.com/2way/" title="ReadWriteWeb 2WAY Summit" target="_blank">ReadWriteWeb 2WAY Summit</a> taking place this week in New York City.</p> <p>According to the <a href="http://www.readwriteweb.com/archives/angry_birds_magic_angry_birds_coming_soon_everywhe.php?utm_source=ReadWriteWeb+Newsletters&utm_campaign=1b62c348e7-RWWDailyNewsletter&utm_medium=email" title="article" target="_blank">article</a>, game players with NFC-enabled phones will be able to unlock new levels and special birds by tapping their mobile devices together or on NFC-enabled tags placed on merchandise like toys, books, or presumably just about anything. Taking the virtual-physical world connection a step further, when played in certain locations – that “make sense for the birds and the brand” - you will be able to access new location-specific features. Rovio also plans to offer a GPS-enabled version for those without NFC-enabled phones. </p> <p>This isn’t quite where I thought RFID and GPS would converge to reach thousands if not millions of consumers, but I guess you’ve got to start somewhere!</p> <p>You’ve got to like the name too.  Known as <em>Angry Birds Magic</em>, the branding for Rovio's internet of things platform follows our affinity for adding <strong><em>magic</em></strong> to everyday <strong><em>things</em></strong>.</p> <p>Angry Birds fan or not, share your thoughts on the convergence of auto-id technologies and the virtual world.  
Where do we go from here?!</p> f1397696-738c-4295-afcd-943feb885714:63680 Going Green with Xerafy for RFID http://rfid.thingmagic.com/rfid-blog/bid/63591/Going-Green-with-Xerafy-for-RFID <p><em><img src="http://rfid.thingmagic.com/Portals/42741/images/Dennis_Khoo-resized-600.jpg" border="0" alt="Dennis Khoo" width="126" height="183" class="alignLeft" style="float: left;" />The following guest post has been provided by </em><em>Dennis Khoo</em><em>, CEO and Founder of Xerafy.  For more information about the powerful combination of ThingMagic RFID readers and Xerafy RFID tags, please contact <a href="mailto:sales@thingamgic.com">sales@thingamgic.com</a> or <a href="mailto:sales@xerafy.com">sales@xerafy.com</a>. </em></p> <p>There’s a lot of enthusiasm around going green lately.  From recycling paper to reducing carbon footprints, companies are now very aware of the impact their business can have on the environment. Yet, have you ever considered how RFID technology would be able to support the green initiative?</p> <p>RFID has been around for a while; you have probably used it today when you got out of the car park, checked out a library book, gained access to your office and maybe made a payment for your coffee. RFID is used to track many things from retail clothing to livestock. It’s a technology that can provide organizations with unprecedented improved visibility and traceability of items throughout their journey in the value chain.</p> <p>At Xerafy, in addition to our green logo, we like the fact that our RFID technology is not only allowing businesses to be more efficient but also allowing companies to reduce waste, over consumption and limit the carbon footprint. 
By enabling more industries to use RFID with the smallest and most rugged tags on the market and working with partners like ThingMagic, Xerafy empowers our customers to do the following: reduce, reuse, and recycle with RFID.</p> <p>Reducing consumption - RFID tracking of tools and equipment increases product utilization and reduces theft, loss, and requirements for redundant supplies.</p> <p>Reuse of containers – Tracking returnable transit containers with RFID can ensure containers are returned and managed.</p> <p>Reuse of tools, and equipment – Utilizing RFID tracking for maintenance and repair calibration records ensures that parts last longer and are verified for quality checks.</p> <p>Recycle – RFID tracking of parts from point of manufacture to end of life can allow customers to return to manufacturers to recycle or ensure proper disposal is taken.</p> <p>Xerafy is committed to bringing innovative tag solutions to help our customers meet their individual needs and help the environment.  We have a suite of different EPC UHF tags built for industrial markets for reliable identification of on-metal parts, embed-in-metal assets, and versatile tags that can perform over a wide range of materials including metals and plastics. Let us know how your company has helped the environment with RFID on our <a href="http://www.facebook.com/xerafy" title="Facebook page" target="_blank">Facebook page</a>.</p> <p><em><img src="http://rfid.thingmagic.com/Portals/42741/images/Xerafy_2color_Combo-resized-600.JPG" border="0" alt="Xerafy" width="199" height="72" class="alignLeft" style="float: left;" /></em></p> <p> </p> <p> </p> <p><em> </em></p> <p><em>Do you have a market-changing RFID product or a unique RFID-enabled solution that has produced a nice ROI for your customers?  
</em><em>If so, please let us know and we'll consider it for ThingMagic's RFID Blog!</em></p> f1397696-738c-4295-afcd-943feb885714:63591 Cyber Attack at IMF - Why Motivations Matter http://blog.bit9.com/bid/54698/Cyber-Attack-at-IMF-Why-Motivations-Matter <p><img src="http://blog.bit9.com/Portals/447/images/imf1.gif" border="0" alt="cyber attack at IMF" class="alignLeft" style="padding-right: 10px; float: left;" />The news of major cyber attacks and data breaches just keeps coming. It has just been <a href="http://www.nytimes.com/2011/06/12/world/12imf.html" title="reported " target="_self">reported</a> that the International Monetary Fund, an organization tasked with monitoring and ensuring the financial stability of the global economy, was the target of a major cyber attack. According to the <a href="http://www.reuters.com/article/2011/06/12/us-imf-cyberattack-idUSTRE75A20720110612" title="reports" target="_self">reports</a>, the attack occurred over a period of several months and involved sophisticated and custom malware that established a foothold, and performed reconnaissance and data exfiltration within the IMF network.</p> <p>The IMF monitors the economies of 187 member nations. The financial information it collects on these nations could be used to influence currency trading, stock markets, and more. Depending on the information stolen, the possibilities are truly frightening.</p> <p>In today’s cyber threat landscape, we are facing three major actors. What makes the IMF breach a useful case study is that all three of these cyber enemies have motives to target the IMF:</p> <ul> <li><strong>Hacktivists</strong>: These are loosely organized groups of hacker activists. 
<img src="http://blog.bit9.com/Portals/447/images/anon-imf.jpg" border="0" alt="anon imf" class="alignRight" style="float: right; padding-left: 10px;" />Two of the most renowned are Anonymous and LulzSec, which claimed responsibility for several of the numerous attacks on Sony. 
Hacktivists’ motivations can be unpredictable. They will target individuals, companies, and even <a href="http://news.cnet.com/8301-27080_3-20070450-245/anonymous-takes-down-turkish-site-to-protest-censorship/">nations</a> if they feel an injustice has been committed. Just 10 days ago, <a href="http://www.huffingtonpost.com/2011/06/01/anonymous-imf_n_869914.html">Anonymous placed IMF on notice</a> that they were to be targeted for their policies regarding Greece’s economic situation.</li> </ul> <p>Hacktivists are not motivated by money and they rarely shy away from making their point as publicly as possible. If they steal confidential or sensitive information, they’ll post it online for the world to see (case in point: their <a href="http://news.softpedia.com/news/Anonymous-Pledges-Full-Support-for-WikiLeaks-and-Julian-Assange-170812.shtml">strong support for WikiLeaks</a>). With rare exception, they tend not to wage long term campaigns – they attack in force, make their point loud and clear, and move on. (<em>Sony is one of those exceptions – because after months of attacks, hackers are still able to easily steal information from the various Sony networks and it’s become sort of a running joke within the hacktivist community.</em>)</p> <p>Given the apparent sophistication of the IMF attack, the fact that it began months ago, and that no hacktivist group has publicly claimed credit, it is fair to say this recent breach was not the work of such an attacker.</p> <ul> <li><strong>Criminal Enterprises:</strong> There are organized crime syndicates operating global networks. <img src="http://blog.bit9.com/Portals/447/images/drevil1.jpg" border="0" alt="drevil" class="alignRight" style="float: right;" /><br />They make money through cyber crime. While many of these enterprises are based in Eastern Europe, they can be found around the world. They are the easiest of all the actors to understand – they are motivated by profit. 
They use social networking, phishing and malware to trick users into revealing their personal information, and use that information to steal identities, steal credit cards, and siphon money out of bank accounts. They do not discriminate in their targets – cyber crime will attack anyone and anything it can.</li> </ul> <p>An email sent to IMF staff last week said there “was no reason to believe that any personal information was sought for fraud purposes.” Given the attack appears to be highly targeted, and does not appear to involve basic identity data, it does not fit the typical pattern of a cyber criminal. Moreover, influencing or destabilizing the global economy does seem a bit far-fetched for a criminal enterprise (unless we’re talking about Dr. Evil from the Austin Powers movies). Stealing personal information from <a href="http://www.infoworld.com/d/security/citigroup-breach-exposed-data-210000-customers-664">Citigroup</a> is more their style.</p> <ul> <li><strong>Nation-States:</strong> The last, and by no means least, major actors on today’s cyber threat landscape are nation-states. <img src="http://blog.bit9.com/Portals/447/images/china_flag.jpg" border="0" alt="china flag" class="alignRight" style="float: right; padding-left: 10px;" />These are countries and governments who sponsor and support cyber attacks. In today’s interconnected world, there is no better way to spy on your enemies than through their own computers and networks. Why invest billions of dollars into some new stealth fighter when you can steal that information with the click of a mouse? If a war comes, why send citizens to fight when you can cripple an enemy’s economy or their infrastructure from a keyboard halfway around the world? Nation states desire to obtain as much intelligence and intellectual property as they can, and establish footholds in as many sensitive locations as possible. 
These enemies have bottomless pockets - profit and expense are no matter, and they have endless patience – they are comfortable spending years on infiltration campaigns. They have the resources to perform the most sophisticated cyber attacks possible.</li> </ul> <p>The articles currently describing the IMF breach come right out and use the phrase “nation state” when describing the targeted nature of the attack. This has all the telltale signs of a state-sponsored attack – patience, sophistication and stealth. And only a nation state, with its resources, could truly capitalize on the type of data that might be stolen from IMF.</p> <p>Three very different cyber enemies: different motivations, different resources and sophistication, and different end goals. All very dangerous and all very active. When you are in the cross hairs of all three, as IMF is, you had better think hard about your cyber security.</p> f1397696-738c-4295-afcd-943feb885714:54698 Rootkits Can Sometimes Be Their Own Worst Enemy http://blog.bit9.com/bid/54182/Rootkits-Can-Sometimes-Be-Their-Own-Worst-Enemy <p><img src="http://blog.bit9.com/Portals/447/images/tree_roots.jpg" border="0" alt="tree roots" /></p> <p>Rarely does anyone write about the benefits of rootkits, and for good reason. These sophisticated packages are very effective at hiding and defending their presence and that of their malicious payloads.</p> <p>Whitelisting is an effective defense against rootkit droppers. It doesn’t matter whether it tries to load as a print processor, a service or a driver, or whether it tries to attach to something already running. If it isn’t approved, it doesn’t run.</p> <p>But what happens if an endpoint is already compromised? Whitelisting often starts with a baseline of known good software on the endpoint. If the system is already infected with malware when this baseline is created, then the malware may get approved along with legitimate software. 
But rootkits are different.</p> <p>We recently had a customer roll out Bit9 Parity to systems that were infected with a TDL3 (aka TDSS) variant.  The system was presumed to be clean (it had an antivirus product installed, after all), so software already present was approved to run on that endpoint.  But the rootkit succeeded in hiding its pedestrian payload while the baseline was created.  This ensured the payload would not be approved because it was never seen.</p> <p>Sure enough, when the payload ran, it was successfully blocked and reported, and its very presence was indication enough of an infection, which was subsequently eliminated.</p> <p>Rootkits can sometimes be their own worst enemy.</p> f1397696-738c-4295-afcd-943feb885714:54182 “Digitalsmiths Gives Back: Put Yourself in Their Shoes” Campaign http://digitalsmiths.com/node/500 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5974.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Christine Cobuzzi</div> <div>Sales & Marketing Coordinator</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by christine on Jun 8th, 2011 12:56 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p> </p> </div> <div> <a href="http://digitalsmiths.com/node/500">Continue Reading...</a> </div> 500 at http://digitalsmiths.com Discussing Multi-Factor Authentication http://feedproxy.google.com/~r/bankfraudforum/~3/p7mIx0vN-ZQ/Discussing-MultiFactor-Authentication.aspx <p>A couple of weeks ago, <a href="http://ecc.nacha.org/" target="_blank">NACHA’s Electronic Check Council </a>hosted a Forum entitled, “<a href="http://admin.nacha.org/userfiles/File/ECC%20Forum%20Agenda%20-%20posted%205_13_11(1).pdf" 
target="_blank">Moving Beyond Well-Trodden Paths: New Maps for Combating Risk and Fraud</a>”. In this Forum, several industry experts discussed a wide variety of risk and fraud topics related to payments.</p> <p>I was honored to open the forum with a session that subsequent presenters could build upon. In my session, “<a href="http://www.mementosecurity.com/Events/2011/Electronic-Check-Council-Forum.aspx" target="_blank">After You’ve Authenticated the Customer: Transaction Monitoring</a>”, the audience and I discussed the need for layered security on all payment systems. Financial institutions have learned that <a href="http://www.bankinfosecurity.com/podcasts.php?podcastID=1153" target="_blank">multi-factor authentication</a> is no silver bullet, nor are systems that validate the hardware that transactions originate from, monitor IP addresses, etc. In order to better protect themselves and their customers, it is becoming increasingly important to proactively monitor transactions to detect suspicious activity in real time. 
</p> {C50CF112-57F7-4EF6-9F00-AA4424458C35} Digitalsmiths Provides Award-Winning Video Discovery Services http://digitalsmiths.com/node/496 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jun 7th, 2011 02:19 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><span>Congratulations to Digitalsmiths’ customers the PGA and Turner Sports, who have received the <strong>People’s Voice Webby Award for Best Use of Interactive Video</strong> for the 2010 Ryder Cup LIVE Video production in Wales.<span> </span></span></p> </div> <div> <a href="http://digitalsmiths.com/node/496">Continue Reading...</a> </div> 496 at http://digitalsmiths.com Connecting the Sony, RSA and Google dots http://blog.bit9.com/bid/53644/Connecting-the-Sony-RSA-and-Google-dots <p>It’s time for a serious heart to heart. 
Whether you are just a casual follower of technology or computer security is your business, you need to understand what is happening and what it means to you – because it does impact you.</p> <p>In the few days since my last <a href="http://blog.bit9.com/bid/53290/Cybersecurity-warfare-email-hacking-and-tornados-oh-my">blog</a>:</p> <h4><strong>Sony Hacked Again</strong></h4> <p><img src="http://blog.bit9.com/Portals/447/images/lolz.jpg" border="0" alt="lolzsec" class="alignLeft" style="float: left; padding-right: 10px;" />Sony was once again <a href="http://www.crn.com/news/security/229900144/sony-web-site-hack-compromises-1-million-accounts.htm?pgno=1">hacked</a>, compromising the personal information of more than 1 million users. The hacker group LulzSec has claimed responsibility for the attack, and claims that they were able to steal customer emails, passwords, home addresses and birth dates with a simple SQL injection attack.</p> <p>Let’s talk straight. Sony’s reputation is devastated at this point. If you have an account with Sony Pictures, the Playstation Network, or at this point, if you ever purchased a Sony Walkman, you should assume your personal information has been exposed. Time to change passwords, possibly email accounts, and while you’re at it, you might consider changing your birth date.</p> <p>If you still want to be a netizen, an active participant in today’s interconnected world, it’s time to wake up. Think twice before you share your information with companies, and be smart about what information you share. You don’t give out your name and phone number to everyone you meet, you establish some level of trust first. Apply the same common sense when giving out information on the internet. And I know it’s a pain having so many passwords, but stop using the same password for everything. Do you really think the Sony hackers care about your Playstation account? They don’t. 
The danger is when they can use that same information to access your bank account; or your email or social networking accounts, which they can then use to spear-phish your friends, tricking them into installing some malicious program onto their computers. The average computer user has 18 online accounts. There is a good chance they don’t have 18 unique usernames and passwords.</p> <p>If you’re a company that manages consumer data, stop treating security as an afterthought or annoyance. There are industry standards such as the Payment Card Industry’s Data Security Standard for managing customer sensitive data like credit card numbers, but quite honestly, those standards should be a starting point not an endgame for your security. My view is achieving compliance is an act of complacency – not a best practice for security. All customer data, not just credit cards, should be encrypted, or at the very least isolated from your other systems with strict access controls and limits. It’s not just your data that is at risk, it is your reputation. Stop waiting for a regulatory agency to tell you what minimum steps you should take to protect your network and start hiring expertise for yourself. If you don’t, consumers will choose with their pocketbooks, and sometimes their lawyers.</p> <p>Sony’s saga is the direct result of their prosecution of individuals who were hacking PS3 consoles. Regardless of where you stand on whether it should be OK for someone to hack their own console, Sony grossly misread the situation and was woefully unprepared for the consequences. In their desire to protect their intellectual property (IP), their tactics drew the ire of the hacktivist community, and now both their IP and reputation have been damaged. 
Will the ultimate price tag Sony pays be worth the few dollars they appeared to have saved on security?</p> <h4><strong>Lockheed Confirms Breach Involved RSA SecurID</strong></h4> <p><img src="http://blog.bit9.com/Portals/447/images/masterkey1.png" border="0" alt="describe the image" class="alignLeft" style="float: left; padding-right: 10px;" />A lot of speculation has been done regarding the recent news of cyber attacks at three of the largest defense contractors: Lockheed Martin, L-3 Communications, and Northrop Grumman. Thanks to the diligence of <a href="http://topics.nytimes.com/topics/reference/timestopics/people/d/christopher_drew/index.html?inline=nyt-per">Christopher Drew</a>, the New York Times has <a href="http://www.nytimes.com/2011/06/04/technology/04security.html?_r=1">confirmed</a> that the breach at Lockheed was at least partly based on data stolen from the RSA breach back in March. As <a href="http://blog.bit9.com/bid/53097/The-Cyber-Attacks-Continue">I</a>, and many others in the security community, had theorized, if the data stolen from RSA included the magic seed values that the SecurID tokens use to generate passcodes, it could nullify the efficacy of RSA’s two-factor authentication. This possibility now seems almost certain. While the attacks on L-3 and Northrop Grumman might not have involved data from the RSA breach, the fact remains that confidence in RSA SecurID technology is now seriously shaken. It is akin to losing the master key to a building with thousands of locks, except in this case, there are over 240 million locks that might be picked with such a key, and the doors lead to some of the most sensitive data our government and private companies manage.</p> <p>The RSA attack was far more sophisticated than the spate of Sony hacks. It involved a well crafted spear-phishing email, a zero-day exploit, and a fairly advanced trojan capable of encrypting and then siphoning data out. 
I don’t believe this breach resulted from anywhere near the level of negligence of Sony, but RSA now has the same consumer confidence problem and it must take steps to repair and restore that trust. Lockheed is already replacing its 45,000 SecurID tokens, and Northrop is moving to alternative authentication technologies like smart cards. RSA is working behind the scenes with customers to help them protect their SecurID implementations, but now they need to make a more tangible public announcement to restore confidence. In the security business, information is critical, and without specific data, the only responsible thing to do is assume worst case scenarios.</p> <p>Meantime, consumers of SecurID technology need to review their security posture. Whether or not you replace your tokens, you need to review the security of your computers that connect to your network. If you have remote workers or contractors, you should be requiring a level of security be present on those systems before they are allowed to even log into your network. Simply requiring more passwords or even longer, more complex, passwords for your users will do nothing against this attack vector. For someone to breach the SecurID authentication, they need either the serial number of the token or the time sensitive passcodes generated by the token. The easiest way to do that is to place a keystroke logger or backdoor on a system and watch a user enter that information; and at that point, they’ll capture any password no matter the complexity or length. You need to prevent the malware from getting on the system in the first place. Advanced security technologies like application whitelisting are the most effective means of stopping these types of targeted attacks. Monitoring user login activity is another useful technique – it is reactive, but better than nothing. 
For example, if a user logs in from New York, and a few hours later that same account logs in from Brazil, you might want to take notice.</p> <p>Unlike the Sony breach, where the hackers proudly announced their identity and their motives, no one is going on record with respect to the identity of the attackers of these sensitive private and government networks. And I find this the most disturbing aspect of the story. To paraphrase from the ancient Chinese (and yes, the pun is intended) military treatise, The Art of War: <strong>Know Your Enemy</strong>. In fact, it’s useful to understand the more complete translation of this proverb:</p> <p><em>So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.</em></p> <p><em>If you only know yourself, but not your opponent, you may win or may lose.</em></p> <p><em>If you know neither yourself nor your enemy, you will always endanger yourself.</em></p> <p>Which brings me to the final piece of this week’s puzzle…</p> <h4><strong>The Enemy Has a Name; FBI to Investigate Gmail Attacks</strong></h4> <p><img src="http://blog.bit9.com/Portals/447/images/7billion.jpg" border="0" alt="7billion" class="alignLeft" style="float: left; padding-right: 10px;" />The FBI is being tasked to <a href="http://www.nytimes.com/2011/06/03/technology/03google.html">investigate</a> Google’s recent <a href="http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html">claim</a> that attacks on the Gmail accounts of senior government officials, and hundreds of others, originated from Jinan, China. This is the same location identified in the highly publicized and sophisticated <a href="http://www.wired.com/threatlevel/2010/01/operation-aurora/">Aurora</a> attacks that hit Google, Adobe, Intel and others in late 2009. Jinan is the home of the Lanxiang vocational school, which reportedly has military links. 
My hat’s off to Google for putting a name to the face, amidst the flurry of news regarding cyber security, advanced threats, and generically named “nation-states.” Either you have to assume that Google’s forensic capabilities exceed those of the government and defense contractors, or that Google is simply not under the same political pressure to keep that information secret. It is the latter. Both civilian and public institutions are under constant cyber attack from China, and the organizations being attacked are more often than not able to trace the sources. But officially, few are willing to go on record with this information. It is ironic that China is trying to hide and censor the result of Google searches while Google is trying to reveal the source of breaches.</p> <p>When an embassy is bombed or there is some sort of physical attack on infrastructure, the attackers are identified by name as soon as possible. This information helps us understand the motivations, improve our defenses, and develop appropriate responses. Should it be that different simply because the attacks are electronic? We need our government to demand more disclosure about the nature and origins of cyber attacks so we can develop appropriate defenses. We need our government to develop policy responses as well, because this level of organized attack rises above singular criminal acts. The military spends billions of dollars on developing new defense technology and that technology can be stolen with the click of a mouse. Moreover, by targeting private corporations and individuals, these attacks are not solely the problem of governments. We are watching as these attacks cause serious economic damage, and this impacts all of us. 
We must all be responsible for defending against these threats.</p> <p>In his recent newsletter, <a href="http://www.tapsns.com/aboutmark.php">Mark Anderson</a>, CEO of the <a href="http://www.tapsns.com/">Strategic News Service</a>, said it most starkly and most alarmingly: “What Americans, and perhaps Europeans, even at the Presidential level, continue to miss, is that this ongoing transfer of IP is not the result of a cultural mismatch, nor is it something the Chinese are ‘working on;’ to the best of my understanding, it is the centerpiece of the Chinese economy. They cannot afford not to continue, or the model breaks.”</p> National Geographic recently released the <a href="http://ngm.nationalgeographic.com/2011/03/age-of-man/face-interactive">“typical” human face</a> and it was a 28-year-old Han Chinese man. It’s time for a serious heart to heart. f1397696-738c-4295-afcd-943feb885714:53644 Cybersecurity warfare, email hacking and tornados, oh my! http://blog.bit9.com/bid/53290/Cybersecurity-warfare-email-hacking-and-tornados-oh-my <p><img src="http://blog.bit9.com/Portals/447/images/drone_pic-resized-600.jpg" border="0" alt="drone pic resized 600" class="alignLeft" style="float: left;" /> </p> <p>Wow. What a week it is turning out to be for cyber security. First, Lockheed Martin <a href="http://www.informationweek.com/news/government/security/229700151">disclosed</a> that last week it was subject to a targeted attack. Yesterday, it was <a href="http://www.wired.com/threatlevel/2011/05/l-3/">reported</a> that another defense contractor, L-3 Communications, has also been targeted by similar attacks. Fox News is now <a href="http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/">reporting</a> that Northrop Grumman may also have been attacked. 
All of these attacks are following on the heels of the <a href="http://blog.bit9.com/bid/43839/RSA-and-the-APT-Attack">RSA breach</a>, and suggest a coordinated and multi-phase attack where information stolen months ago might be used to thwart RSA SecurID two-factor authentication at some of the nation’s most sensitive networks. Not coincidentally, the Pentagon is developing a new cyberwar “<a href="http://www.nytimes.com/2011/06/01/us/politics/01cyber.html">doctrine</a>”, where cyberattacks could be considered acts of war.</p> <p>Meantime, also this week, the <a href="http://www.informationweek.com/news/security/attacks/229700188">PBS website was hacked</a> (with a fake news story about late rapper Tupac Shakur), showing that while nation-state enemies may represent the most dangerous and sophisticated threat, hacktivists are also here to stay and make their voices known.</p> <p>Are you keeping up yet? I’m driving home with tornado warnings (in New England!) and thinking, is it really only Wednesday?</p> <p>Then, a few hours ago, Google posted a <a href="http://googleblog.blogspot.com/">security warning</a> on its blog. They were not hacked, but they are reporting that email accounts of very specific individuals were compromised. The passwords for personal email accounts of Chinese political activists, US government officials, and others were hacked and their email was being monitored. I was asked if this bodes poorly for cloud-computing, and the answer is definitively “no”. In fact, it was through the strength of correlation and analysis, made possible through cloud computing, that Google was able to identify not only the scope of the attack, but the source (if you guessed China, you win a gold star). Google is using this as an opportunity to educate consumers on how to best protect their accounts and their passwords.  Finally, a bit of news that comes with some recommendations and remedy on how to protect yourself. 
They included tips such as: Don’t use the same password for multiple accounts, and use <a href="http://www.google.com/support/accounts/bin/answer.py?&answer=32040">strong passwords</a>. I’ll add a tip: Don’t use your personal email accounts for anything business or government related, especially if you work with sensitive information.</p> <p>I believe in the intelligence community, all of this would be called “increased chatter.” There is an increased awareness of the threats and costs of modern cyber attacks, an increased (but not yet sufficient) level of disclosure regarding those attacks, and an increase in the actual attacks occurring. We are witnessing the salvos in a cyber war that started with the dawn of the Information Age and will continue for years to come. If you use a computer (and if you’re reading this, that means <strong>you</strong>), you are on the frontlines of this war.</p> f1397696-738c-4295-afcd-943feb885714:53290 A Community Against Fraud http://feedproxy.google.com/~r/bankfraudforum/~3/PT0I9bDX_V0/A-Community-Against-Fraud.aspx <p>Recently a group of bankers got together for the Memento Peer Bank Forum as a community against fraud to discuss and share strategies for improving fraud prevention at their respective institutions. I’ve had the pleasure of participating and hosting a few of these events, and for me there is no substitute for the types of discussion that always seem to happen when a group of passionate, determined individuals get together to compare notes and share perspectives on improving fraud prevention. Here are a couple of my takeaways from the meeting. </p> <p>• A wide range of institutions attended the forum - underscoring the pervasiveness of the fraud threat facing all banks and credit unions. There is no institution immune from fraud and increasingly the fraud crosshairs are being focused on small to medium sized institutions. <br /><br />• Existing fraud threats are ...  
<a href="http://www.mementosecurity.com/Forums/Bank-Fraud-Forum/Blog/Entries/2011/June/A-Community-Against-Fraud.aspx" target="_blank">Read full blog post</a> </p> {2F94C699-5503-4AE8-A8A3-4889328724AE} The Cyber Attacks Continue http://blog.bit9.com/bid/53097/The-Cyber-Attacks-Continue <p>As I <a href="http://blog.bit9.com/bid/44002/The-X-Factor-Thoughts-on-multi-factor-authentication">blogged</a> about back in March, the RSA <a href="http://www.nytimes.com/2011/03/18/technology/18secure.html">breach</a> of its SecurID technology could be just one phase in a long term series of attacks on sensitive computer networks. This weekend, Lockheed Martin <a href="http://www.informationweek.com/news/government/security/229700151">disclosed</a> that it was the latest target in a sophisticated cyber attack that may have involved a breach of their <a href="http://www.networkworld.com/news/2011/052611-lockheed-martin-outage.html">RSA security tokens</a>. 
At the time, I theorized that “attacking the end terminal and monitoring both the user passwords and token codes might be enough for an attacker to assume a user’s identity.”</p> <p>While the details of this latest attack are not fully known, it appears that an attacker was able to get a keylogger installed on a system, and use the information captured along with knowledge about the RSA token generation algorithm to breach the Lockheed Martin network. If true, this is the worst case scenario for the RSA SecurID system. It would mean that a single point of attack can be used to defeat the dual factor authentication provided by the security tokens.</p> <p>Soon after the RSA breach, the NSA recommended that defense contractors put in place additional passwords to access critical systems. Again, as I discussed in my blog on multi-factor authentication, simply having more passwords provides no significant additional protection. If the reports are true, and a keylogger was used in the attack, it wouldn’t matter if Lockheed Martin had required 20 passwords – all of them would be compromised by the same initial infiltration.</p> <p>How did the keylogger get installed in the first place? It has been suggested that the attack came from a remote system that connected to their network via a VPN. This would not surprise me. If you are going to attack a secure network, your best bet is to go after its most vulnerable endpoints, which often means remote machines or computers connecting from a sub-contractor, where the systems are not under the direct control of the target’s security department.</p> <p>In any case, is it possible that whoever attacked Lockheed was also responsible for the RSA attack? Absolutely. We are living in an age of state-sponsored, sophisticated, and organized cyber enemies. They plan and carry out multi-phase attacks across different targets and over long periods of time. 
And it is almost certain that such an attacker will continue to target high value systems.</p> f1397696-738c-4295-afcd-943feb885714:53097 Publicizing of the China Wire Fraud Scheme – Too Little Too Late? http://feedproxy.google.com/~r/bankfraudforum/~3/ue3j9y-Nabg/Publicizing-of-the-China-Wire-Fraud-Scheme.aspx <p>Was it too little too late when the FBI publicized a <a href="http://www.mementosecurity.com/Solutions/Fraud-Management/Memento-ACH-and-Wire-Fraud.aspx" target="_blank">wire fraud</a> scheme involving Chinese shell companies? Knowledge is power, right? Once the specifics of a fraud scheme are made public, aren’t we better prepared to prevent fraud? In the short term, the answer is yes. As banks deploy effective countermeasures, that particular fraud scheme’s success rate will decline over time. However, your bank needs to be equally concerned about the fraud schemes that the FBI is not talking about. </p> <p>Let’s say your bank read the <a href="http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf" target="_blank">FBI’s press release</a> ...</p> {3F037A80-8EB2-436B-98CD-7C593C8A0495} Mandating Full Disclosure of Cybersecurity Breaches? 
http://blog.bit9.com/bid/51503/Mandating-Full-Disclosure-of-Cybersecurity-Breaches <p><img src="http://blog.bit9.com/Portals/447/images/bill-resized-600.jpg" border="0" alt="bill resized 600" class="alignLeft" style="float: left;" /></p> <p> Congress is getting in on the act: a group of Senators wrote to the SEC Chairman, telling her that "in light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk" and recommending that the SEC mandate guidelines for full disclosure of "cyberattacks" for public companies.<br /><br />Since the implementation of California's "right to know" disclosure law (SB1386) in 2003, followed by other states, there's been an on-going debate about how much shareholders and the public deserve to know about breaches that may affect both them and their personally identifiable information.  It seems inevitable that some level of mandated disclosure will emerge at a national level in the US.  The European Union's tighter data privacy requirements and its e-Privacy Directive (2009/136/EC) already impose disclosure requirements in certain circumstances.<br /><br />All of this, of course, relies on a company's ability to know that something untoward has happened.  It's not yet clear whether there's any liability when a company is unaware of a break-in, since there really isn't any case law yet, but we have to suspect that as in other areas of the law, ignorance will not be a viable defense.<br /><br />So what should you do in your company?  Preventing the attacks in the first place is, of course, what most people would wish for.  
You may also find that despite your best efforts, a problem occurs, in which case you'd like to have the best possible forensic information available, so that you can quickly assess the impact and legal ramifications of any break-in.<br /> <br /> <br /></p> f1397696-738c-4295-afcd-943feb885714:51503 Are You Ready for Fraud in the NFC Space? http://feedproxy.google.com/~r/bankfraudforum/~3/VHCZ2742JiE/Are-you-Ready-for-Fraud-in-the-NFC-space.aspx <p>Near field communication (NFC)<sup>1</sup> is here to stay, according to <a href="http://www.frost.com/prod/servlet/press-release.pag?docid=223107191" target="_blank">new analysis by Frost & Sullivan</a>, which states that NFC-enabled mobile phones will reach 53% of the overall mobile phone market, or about 863 million units, by the year 2015, and will be the chosen method for mobile payments. To me, this is somewhat disconcerting because 2015 is not that far away, and consumers already use NFC payment devices. I wonder how much training is going on around investigating money movement within the NFC space?</p> <p> <a href="http://www.mementosecurity.com/Forums/Bank-Fraud-Forum/Blog/Entries/2011/May/Are-you-Ready-for-Fraud-in-the-NFC-space.aspx">Read full blog</a> </p> {69F60500-1787-4B88-B080-581D6C7BB89F} Worst Practices in Fraud Monitoring http://feedproxy.google.com/~r/bankfraudforum/~3/NFrcYZnqrqQ/Worst-Practices-in-Fraud-Monitoring.aspx <p>I always chuckle to myself when I see a heading for an article entitled, “<strong>Best Practices 
in [<em>fill in your favorite topic here</em>]</strong>.” After all, who wants to hear about someone’s worst practices?  But as someone whose job it is to educate fraud experts on how to use new technology tools for monitoring and detection, I hear a lot about practices that aren’t so effective. </p> <p>Banks and credit unions, large and small, wrestle with many of the same issues when it comes to fraud management. Here are common challenges that I’ve heard:</p> <p>1. <strong>Monitoring Fraud in a Silo</strong>: Fraudsters don’t usually limit themselves to one type of fraud, so why should we separate our monitoring by different fraud areas? Although it makes sense for FI’s to... </p> {9666666A-FA8E-4F1A-BECA-E5DBC30BEB08} Bit9 Thoughts from InfoSecWorld http://blog.bit9.com/bid/49502/Bit9-Thoughts-from-InfoSecWorld <p><img src="http://blog.bit9.com/Portals/447/images/InfoSecLogo-resized-600.gif-resized-600.png" border="0" alt="InfoSecLogo resized 600.gif resized 600" /></p> <p>Last week, I spoke at <a title="MIS Training Institute's InfoSec World" href="http://www.misti.com/" target="_self">MIS Training Institute's InfoSec World</a> conference in Orlando.  I also attended several sessions, keynotes and social events.  Some themes caught my attention and seemed to be on the minds of other attendees too.</p> <ul> <li>Mobile.  
Everyone is trying to understand the unique threats presented by mobile devices, but also to empower employees and customers to use them to conduct business.  Understanding the risks is fairly easy, but remediating them is quite a challenge.  I expect there to be a lot more software and services on the market in the mobile arena. I have heard that there are more than 30 mobile security startups out there. Anyone know if this is true?</li> </ul> <ul> <li>Deploying technology appropriately.  This issue was discussed in our Data Loss Prevention panel and elsewhere: no amount of technology can solve a problem without an underlying commitment and buy-in at a business level.  With DLP, it's critical to identify the value of information to the organization and to classify data before you can begin to protect it.  One panelist cited an example of his organization's on-going DLP efforts for the last few years, which did not result in a technology purchase until well into the data classification phase.  That said, conducting proof-of-concept trials of new technologies allows an organization to hit the ground running when they decide to deploy a technological solution at an enterprise level.</li> </ul> <ul> <li><a title="Advanced Persistent Threat" href="http://www.bit9.com/advanced-persistent-threat/index.php" target="_self">Advanced Persistent Threat</a>.  The APT is definitely on the radar at many organizations.  It's very clear now that some malware is specifically targeted at particular organizations, and that this malware takes advantage of zero-day flaws to do its work.  There was a lot of interest in how APTs function and a lot of discussion of techniques to address them forensically.  Very often in security, new challenges require an old school approach with a different skew, rather than a completely fresh angle.  
Once in a while, we need a radically different approach to address radical changes in underlying threats, and this is clearly the case with the <a title="APT" href="http://www.bit9.com/advanced-persistent-threat/index.php" target="_self">APT</a>.</li> </ul> f1397696-738c-4295-afcd-943feb885714:49502 Whitelisting Security Technology: Foundation for Endpoint Protection http://blog.bit9.com/bid/49272/Whitelisting-Security-Technology-Foundation-for-Endpoint-Protection <p>LimeWire. Chinese spyware. Screen savers embedded with malware coding. <br /><br />These are a few of the “favorite things” listed on the “What’s On Your Endpoints” survey of more than 1,200 IT security professionals conducted last year. The survey revealed that unauthorized, illegal and downright malicious software continues to sneak its way onto laptops, desktops and servers despite the layers of fortifications put in place to thwart them. Today agencies are being bombarded with attacks and one measure they are using is whitelisting security technology for the foundation of their IT security.<br /><br /><strong>What is <a title="Whitelisting security technology" href="http://www.bit9.com" target="_self">Whitelisting security technology</a></strong>?<br />For more than 20 years the security industry has been chasing an infinite list of malicious software and creating a blacklist to prevent it from running. Given the exponential growth in malware and the targeted nature of today’s attacks this reactive approach is now ineffective – evident by the number of data breaches still taking place.<br /><br />In response, Whitelisting technology allows the execution of software that you trust and denies all other software. Games, Instant Messenger, Spyware, Rootkits, Keyloggers, Botnets, Advanced Threats – if this software is not something you trust, it will not install or run. 
<br /><br /><strong>What is the problem Whitelisting addresses?</strong><br />The explosion of malware and the inability of existing blacklisting defenses to defend computer systems were clear this past December during the Operation Aurora zero-day attacks that targeted many of the United States’ top technology companies seeking information and intellectual property. Government agencies have been under attack by these <a title="Advanced Persistent Threats" href="http://www.bit9.com/advanced-persistent-threat/index.php" target="_self">Advanced Persistent Threats</a> for years and it was only this recent public admission that brought them into the public consciousness. <br /><br />The Symantec malware report showed 2,895,802 new malicious code signatures created in 2009, a 71 percent increase over 2008. And 240 million distinct new malicious programs were detected, a 100 percent increase over 2008. These attacks have created a never-ending game of catch-up that can take days and even weeks to address. I often imagine Wile E. Coyote futilely chasing Road Runner. It’s just not going to happen. Software vendors are continuously releasing patches to security vulnerabilities found in the code; antivirus companies are continuously pushing out large .DAT files filled with new signatures to stop the newest malware that will then morph into an undetectable state within a few hours.</p> <p><img src="http://blog.bit9.com/Portals/447/images/while%20e%20coyote-resized-600.JPG" border="0" alt="while e coyote resized 600" /></p> <p><strong>Benefits of Whitelisting Security Solutions</strong><br />First, let’s be realistic. There is no silver bullet in security and a layered, defense-in-depth approach is needed to protect computer systems.  Whitelisting provides what Gartner has termed a “foundational” solution to endpoint security. 
By not needing to identify the attack by a signature - in terms of antivirus or behavioral host intrusion detection systems (HIPS) - security professionals are able to stop zero-day and targeted attacks.<br /><br />One example: a security team at a US Command used Application Whitelisting as that foundational defense during a “Red Team” exercise. A targeted attack came in through a very realistic email that talked about new organizational rules. The program was not caught by the existing defenses of Antivirus and HIPS, but was stopped by Application Whitelisting because the malware was not on the whitelist and therefore not approved to run. <br /><br />Whitelisting, which takes the security engineering “default deny” approach and puts layers of nuance on it when applied to endpoint security (a topic for another day), was first introduced in 2002. Today, it has become a fundamental base in the security stack, helping government organizations in their fight against advanced threats.<br /><br /><br /></p> f1397696-738c-4295-afcd-943feb885714:49272 Mobilizing the Front Lines of Fraud Prevention http://feedproxy.google.com/~r/bankfraudforum/~3/D9AfoJ1Ftcw/Mobilizing-the-Front-Lines-of-Fraud-Prevention.aspx <p>I have been in countless dialogues regarding fraud prevention with fraud and risk specialists at various management levels within financial institutions of all sizes. In my many discussions around various fraud prevention measures, I’ve come to realize that while a sophisticated enterprise fraud management system is the bank’s best line of defense, the front line employees can play a valuable role in detecting and preventing fraud. </p> <p>Bank tellers are the front line of the institution, handling deposits, withdrawals, and transfers while trying to accurately account for every piece of paper and coin that passes through their hands every day. 
They also are human and, while they have been trained to spot alterations, counterfeits, and other fraudulent items, they also have instincts. Many times, a teller might not have physical proof of fraud but often has a ‘gut feeling’ that something just isn’t right. <br /></p> {3E88AC36-C096-4ECE-80C1-7E95EA4AC70A} Fanatical! The G22 TruSpeed Digitalsmiths Porsche Cup Car http://digitalsmiths.com/node/490 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-4735.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Greg Skloot</div> <div>Project Manager</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by gskloot on May 2nd, 2011 12:32 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>It is a well known secret here at Digitalsmiths that our Chief Operating Officer, <a href="http://www.digitalsmiths.com/management/hodges">Gregg Hodges</a>, leads a double life:<span>  </span>video discovery fanatic by day and racecar driver by night. 
Ever since he was 13 years old, Gregg has had a passion for the high speed thrill of racing, starting in motocross during his teen years until he had to find a “real job.” In 2009, he decided to continue his passion and purchased a shifter go-kart followed by a Porsche GT3-R the following year.</p> </div> <div> <a href="http://digitalsmiths.com/node/490">Continue Reading...</a> </div> 490 at http://digitalsmiths.com Identity Wars: A Bit9 Take on the Sony Breach http://blog.bit9.com/bid/48616/Identity-Wars-A-Bit9-Take-on-the-Sony-Breach <p>It’s all fun and games until someone loses an identity. Sony has announced that its PlayStation Network and its Qriocity streaming service were compromised last week, resulting in the possible loss of the personal information of over 70 million subscribers. Their online gaming network has been down since April 20. Among the information that may have been stolen are names, email addresses, home addresses, birth dates, passwords, and possibly credit card numbers and purchase history. This could be one of the largest personal data breaches in history.<br /><br />I think it’s safe to say that, unlike a number of recent high profile breaches, this was not a state-sponsored or “cyber terrorist” attack. It’s hardly in a foreign state’s interest to take down a gaming network used primarily by minors. Rather, this is the work of a hacktivist or criminal organization. There is speculation that this was in response to a settlement Sony reached with the hacker George Hotz. But no matter the reason or the perpetrator, the attack is yet another wake-up call for organizations which handle personal or confidential information. If your success is dependent on the loyalty and trust of your customers, you had better be protecting that asset. Investing in next generation security is not a "nice to have", it’s a "must have" if you value your data and your customers. 
<br /><br />Meantime, I feel bad for the millions of parents out there who, in addition to now worrying about their identities and credit cards, have to deal with their complaining teenagers who have been unable to play Call of Duty for the past week.<br /><br /><br /></p> f1397696-738c-4295-afcd-943feb885714:48616 Bit9 Stops Advanced Persistent Threat (APT) Attack at Customer Site http://blog.bit9.com/bid/48173/Bit9-Stops-Advanced-Persistent-Threat-APT-Attack-at-Customer-Site <p><img src="http://blog.bit9.com/Portals/447/images/APT-slidebg.png" border="0" alt="APT slidebg resized 600" /></p> <p>It’s a statement we make nearly every day. Bit9 detects and stops advanced attacks (<a title="advanced persistent threats" href="http://www.bit9.com/advanced-persistent-threat/index.php" target="_self">advanced persistent threats</a>) long before they are publicly known.</p> <p>We know it’s true and when it happens in one of our customer deployments, it’s gratifying. This was the case the first week in March when one of our customers shared with us how they stopped an advanced attack – one that leveraged an unpatched “zero-day” vulnerability in a common software package.</p> <p>On March 8, one of our customers informed us that they saw an attempted attack come through via a targeted email containing an Excel file (a spear phishing attack). The Excel file contained an embedded Flash (swf) file that exploited a zero-day vulnerability in Adobe Flash.  Bit9 stopped the malicious file because neither Excel nor Flash is authorized to create new executable content. Our console reported what had been attempted, and our customer worked directly with Adobe to help them identify the flaw. 
This occurred prior to the public announcement of the <a title="RSA breach" href="http://www.channelinsider.com/c/a/Security/RSA-SecurID-Breach-Spear-Phishing-Email-Blamed-856212/" target="_blank">RSA breach</a>.</p> <p>While many of our customers have advanced network forensics tools in order to detect attacks, they do not proactively prevent them. In this case, if the attack had gotten through, the advanced network forensics tool may have detected it, but some damage would have been done. The same goes for antivirus since this attack exploited a previously unknown flaw.</p> <p>In my view, <a title="application whitelisting" href="http://www.bit9.com/products/bit9-parity-suite.php#applications" target="_self">application whitelisting</a> is the only tool that protects against unknown attacks using unknown vulnerabilities. In addition, the full visibility provided by the technology can play a key role providing behavioral and forensic analysis of early attacks.</p> <p>Looking at the world practically, there still is a need for added layers of defense, multiple roadblocks if you will, to prevent malicious actors from penetrating networks and hosts. <a title="Here " href="http://www.bit9.com/solutions/endpoint-sensor.php" target="_self">Here </a>is a view on a stacked approach to security.<br /><br /></p> f1397696-738c-4295-afcd-943feb885714:48173 Continuing the Conversation from The ABA Risk Management Forum http://feedproxy.google.com/~r/bankfraudforum/~3/1q450OimqBQ/Continuing-the-Conversation-from-The-ABA-Risk-Management-Forum.aspx <p>The ABA Risk Management Forum was held last week in Denver, Colorado, and I was glad to be in attendance and have the opportunity to present on the topic of deposit account fraud. The forum offered numerous educational sessions for financial institution employees as well as several great networking events. 
</p> <p>Session topics covered during the forum included: implementing Dodd Frank; new risks in ATM security; cloud computing; and several other hot topics. To me, this event is one of the best annual industry events for community banks, and I am sure the larger banks in attendance were satisfied with the content as well. </p> {5DD480F6-3775-4B2F-B3C8-7564F7AC4C90} Discovering NAB http://digitalsmiths.com/node/434 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 19th, 2011 10:11 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Yes, we are fanatical about video discovery! 
And to show you just how fanatical we are, Digitalsmiths took video tagging to a whole new level this week at the National Association of Broadcasters show in Las Vegas - the biggest show of the year.</p> <p>Check out the Live Scene Discovered by Digitalsmiths.</p> <p></p> </div> <div> <a href="http://digitalsmiths.com/node/434">Continue Reading...</a> </div> 434 at http://digitalsmiths.com Digitalsmiths Crosses the Finish Line with 2011 NASCAR Highlights Website http://digitalsmiths.com/node/431 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-4735.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Greg Skloot</div> <div>Project Manager</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by gskloot on Apr 18th, 2011 09:54 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>As the second most viewed sport in the United States, NASCAR is made up of a proud and active 75 million fan community. As NASCAR fans, we love to re-live the excitement of the smoking spinouts, heart stopping bumps and thrilling victories of our favorite drivers. 
The 2011 season has been off to a fantastic start in Daytona, and as the drivers race on through the Sprint Cup Series, we want to make sure that fans across the country know where they can go to be inside the action.</p> </div> <div> <a href="http://digitalsmiths.com/node/431">Continue Reading...</a> </div> 431 at http://digitalsmiths.com Digitalsmiths Surprises at NAB 2011 http://digitalsmiths.com/node/457 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-4735.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Greg Skloot</div> <div>Project Manager</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by gskloot on Apr 18th, 2011 12:00 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Every April, 90,000 digital media professionals from over 150 countries flock to Las Vegas, Nevada for the <a href="http://www.nabshow.com/2011/index.asp">National Association of Broadcasters </a>annual trade show. Throughout five days, industry entrepreneurs attend intense educational seminars, view stunning product demos and visit booths that make the Las Vegas Convention Center floor seem more like a circa 2050 space station.</p> </div> <div> <a href="http://digitalsmiths.com/node/457">Continue Reading...</a> </div> 457 at http://digitalsmiths.com Defending Your Brand http://feedproxy.google.com/~r/bankfraudforum/~3/63gsAKE8JFM/Defending-Your-Brand.aspx <p>I recently read an interesting article on AmericanBanker.com entitled, <em><a href="http://www.americanbanker.com/issues/176_68/defending-your-brand-2-1035686-1.html?pg=1" shape="rect">Defending Your Brand 2.0: Rapping w/readers, 140 characters at a time</a></em>, by Sara Lepro. 
In her article, Sara demonstrates the need for financial institutions to insert themselves into social media conversations in order to have more control over the ‘chatter’ and ultimately to protect and defend their brand. </p> <p>Historically, banks have been concerned about negative customer experiences and the impact of customer churn, especially when it comes to customers becoming victims of fraud. With the evolution of Facebook, Twitter and other social media forums, negative feedback is not only accelerated but many times exaggerated, thereby making it more of a challenge for banks to protect their brand. </p> {C55F6F82-9079-422F-81EB-31DAD8D5301C} Epsilon: Front Door is Easiest Entry - Despite Endpoint Security http://blog.bit9.com/bid/46565/Epsilon-Front-Door-is-Easiest-Entry-Despite-Endpoint-Security <p><img src="http://blog.bit9.com/Portals/447/images/white%20house%20front%20door-resized-600.JPG" border="0" alt="describe the image" width="349" height="259" class="alignLeft" style="float: left;" /></p> <p>The Epsilon attack should be a wake-up call that targeted attacks are the wave of the future.</p> <p>Unlike the recent RSA breach, where the data stolen may be used in ways we have not yet imagined, we can draw a clear line of attack with the Epsilon breach. Like the RSA attack, this attack is only one stage in a multi-phase and long-term approach to infiltrate organizations. 
What the attackers have learned is that, sometimes, the old ways are the best ways. As security technologies have improved over the years, it is harder to successfully and silently breach company perimeters. Why not simply walk through the front door? That’s exactly what spear-phishing involves. No matter how much we have tried to educate people on best practices, the majority of users will click on any document or link if sent from a person or organization they know and trust. The victim becomes a willing participant in their own attack.<br /><br />It used to be that attackers would simply spam any email address they could get their hands on, with dire warnings or false promises. Those types of emails were easy to spot; you’re less likely to open an email from “Acme Bank” if you don’t even have an account there. Their effectiveness was less than 1%. But if the email appears to come from your personal bank, and to the same email address you use at the bank, the effectiveness jumps exponentially. Depending on how specific the target, and the content of the message, effectiveness can be anywhere from 10% to 70%. These are staggering numbers and the attackers have taken notice.<br /><br />The Epsilon breach has exposed millions of email addresses which can be associated with dozens of specific companies. This is a target-rich platform from which to launch spear-phishing attacks. Combine this with data that can be gathered about almost anyone simply by using social networking, and you have an extremely effective weapon to target individuals and companies. For example, let’s say I know your name and email address, and you are registered with Best Buy (thanks to the Epsilon breach). Maybe you just posted on Facebook a picture of your brand new TV. I can now craft an email, appearing to come from Best Buy, thanking you for your new purchase with a link to receive 10% off your next purchase. What are the chances you will click that link? 
If I’m targeting a specific company, I can correlate my stolen list with an employee list (or just look for specific domain names in the email addresses), and cherry pick a set of individuals to target. All I need is to get on one computer.<br /><br />While both security technologies and malware have advanced over the years, the front door is still the easiest way in as long as there is a person willing to hold the door open for you.<br /><br /></p> f1397696-738c-4295-afcd-943feb885714:46565 Four Ways To See Digitalsmiths At NAB http://digitalsmiths.com/node/420 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 7th, 2011 10:15 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>1) Schedule a private meeting in our executive suite - contact <a href="mailto:sales@digitalsmiths.com">sales@digitalsmiths.com</a></p> <p>2) See CEO Ben Weinberger present "<strong>Connecting Consumers to Content through Video Metadata</strong>" in the Broadband Pit on Tuesday from 11am to 11:25am. The Broadband Pit is in South Hall on the upper level, booth SU10502.</p> </div> <div> <a href="http://digitalsmiths.com/node/420">Continue Reading...</a> </div> 420 at http://digitalsmiths.com Meet Me Halfway http://feedproxy.google.com/~r/bankfraudforum/~3/a-m89XNl7oI/Meet-Me-Halfway.aspx <p>I admit it. I am vulnerable. </p> <p>As a consumer with a bank account and credit cards, I am vulnerable to a fraud attack. 
I’ll even admit that up until a couple of months ago I was somewhat lazy when it came to reviewing my bank and credit card statements, especially since going paperless. When I did get around to looking them over, I was in catch-up mode, and did not spend the time carefully checking each line item. The unfortunate thing is…I’m not alone. There are many account holders just like me who aren’t on the ball when it comes to monitoring their statements in a timely fashion, if at all. Many consumers rely on their banks to do this for them. </p> {D62EE822-A0C0-49CC-A9E8-B64BF1B1F8B4} What’s Your Favorite NBA Playoff Moment? http://digitalsmiths.com/node/489 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-4735.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Greg Skloot</div> <div>Project Manager</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by gskloot on Apr 3rd, 2011 12:00 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>The National Basketball Association has unveiled a new video <a href="http://www.nba.com/moments">portal</a> for fans to discover, watch, and share their favorite NBA playoff moment. 
Powered by <a href="http://www.digitalsmiths.com">Digitalsmiths</a> and sponsored by Cisco, the video hub contains dozens of videos from this year’s playoffs stretching all the way back to the pre-1980’s.<span>  </span><span><br /></span></p> </div> <div> <a href="http://digitalsmiths.com/node/489">Continue Reading...</a> </div> 489 at http://digitalsmiths.com Guide for Understanding the RSA Breach http://feedproxy.google.com/~r/bankfraudforum/~3/gN3EYvNo_kE/Guide-for-Understanding-the-RSA-Breach.aspx <p>The RSA security breach sheds new light on the strength of external security systems and the sophistication of fraud attacks. Since the breach, so much has been written about its impact on customers and what it means for the fraud prevention world that Memento has put together a list of news resources and articles that might provide additional context and help answer some of your questions. This event is another reminder that there is no perfect solution for online security.</p> {1E1551B0-EA51-4B18-9A39-34D99E9176E1} RSA and the APT Attack, Part 2 from Bit9 http://blog.bit9.com/bid/44365/RSA-and-the-APT-Attack-Part-2-from-Bit9 <p><em>As promised, here is the second part of the two-part post inspired by the RSA SecurID breach. 
</em></p> <p>In the aftermath of the RSA SecurID <a title="breach " href="http://blog.bit9.com/bid/43839/RSA-and-the-APT-Attack" target="_self">breach</a> many security experts are recommending a layered approach as the way to prevent future “advanced persistent threat” (APT) attacks. The approach is discussed by Avivah Litan of Gartner in one of many <a title="articles " href="http://www.banktech.com/risk-management/229301324" target="_blank">articles </a>to advocate layered defense. </p> <p>It makes sense; of course, to build many barriers that an attacker would need to circumvent before getting to the proprietary data they seek. A layered maze. The picture that comes to mind is multiple strata overlapping across the network and endpoints, each built on top of each other like layers in the earth. With each new technological era, a new layer of protection is added, filtering out malware.</p> <p>But what the articles are short on are specifics. What are these layers? Are there many sets of layers for specific applications?</p> <p>After the APT attack last year that targeted many high profile enterprises we went out and spoke with a number of Fortune 500 companies that had adopted Bit9 application whitelisting to protect their endpoints (laptops, servers, desktops, kiosks, ATMs, other fixed function devices, etc.). We asked them: “What else are you doing to protect against Advanced Persistent Threats?” We understand that companies are using many different technologies to achieve the same goal. There is no proverbial silver bullet in IT security; this sentiment is true despite becoming a cliché in the industry.</p> <p>A theme that came across from the CISOs at these enterprises was “advanced.” While the threats are being called that, so are the technologies being used to fight them. 
So what are these “advanced” technologies?</p> <p>According to the people we spoke to, the technologies stacking up to fight these attacks consist of the following:</p> <ul> <li>Advanced endpoint protection whose approach focuses on the applications that can be trusted (e.g. application whitelisting) versus finding the bad “needle in the haystack” (e.g. traditional antivirus technology). This also includes technology which creates visibility on the endpoints – historically a significant blind spot for IT security </li> <li>Cloud-based reputation services to provide insight/ intelligence regarding trust and threat levels for the applications running on the endpoints </li> <li>Advanced network protection – new IDS/IPS appliance technology that does not rely on signatures and works at the network level </li> <li>Incident response/forensics – Mandiant and other like providers who can address the need for highly specialized groups of security experts with the skills to investigate the aftermath of a breach from an Advanced Persistent Threat </li> <li>Security Information & Event Management (SIEM) technology that correlates all events into one dashboard enabling the identification of threats via a “single pane of glass” </li> </ul> <p><img src="http://blog.bit9.com/Portals/447/images/APT%20Stack1-resized-600.JPG" border="0" alt="describe the image" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p>At the bottom are the legacy antivirus endpoint technologies and traditional network protections that are already installed. 
They are not going away, according to the companies we interviewed, but they are facing price pressure as corporations pay less for incumbent technologies and use the excess to pay for newer, more advanced solutions.</p> <p>While there are many permutations of layers in the industry, this stack of technologies is the one that we found to be the most prevalent in enterprises looking to arm themselves against the advanced threats.</p> <p>The threat landscape is changing with some research suggesting that 75% of all threats are targeted at 50 machines or less. Given the highly targeted nature of APTs a new approach is clearly warranted – an approach that we’ve been told is reflected in this new IT security stack.</p> f1397696-738c-4295-afcd-943feb885714:44365 Lessons Learned from Organized Crime Rings http://feedproxy.google.com/~r/bankfraudforum/~3/O5bbb8D4G3I/Lessons-Learned-from-Organized-Crime-Rings.aspx <p>Recruiting bank employees to participate in an identity theft scheme can be well worth the effort. Eleven banks in Minnesota, Arizona, and Texas, as well as 5,000 victims, learned just how damaging “flipping” bank employees can be. 
Over the course of five years, the ring defrauded the victims and generated more than $10 million in “revenue”.</p> {CE8B13F2-8AB8-4958-A8FE-55942DADBCDC} The X Factor: Thoughts on multi-factor authentication http://blog.bit9.com/bid/44002/The-X-Factor-Thoughts-on-multi-factor-authentication <p>As Bit9 <a href="http://blog.bit9.com/bid/43839/RSA-and-the-APT-Attack">blogged</a> about at the time, RSA made <a href="http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=2">headlines</a> last week when it announced that it has suffered a data breach at the hands of an extremely sophisticated attack. While we know very little about this specific incident, it is a good opportunity to discuss both the benefits and pitfalls of multi-factor authentication.</p> <p>The idea behind multi-factor authentication is to employ multiple and <strong>independent</strong> methods to allow someone to validate your identity. Independent means that even if one factor were compromised, it would not be enough to compromise the system. The most common form of identification is passwords – or “something you know”. Even if a system uses multiple questions or pictures that you must identify, it is still 1-factor authentication, as these are all variations of something you know.</p> <p>Multi-factor authentication comes when you introduce a completely new component, such as “something you have” or “something you are”. 
For example, when you retrieve money from an ATM, there are two factors at play: your PIN (something you know), and your bank card (something you have). One without the other is not enough. Biometric authentication methods (e.g. fingerprints, iris scanners, voice recognition) are examples of “something you are”. Each factor added to the authentication chain is another hurdle that an attacker must overcome to fake the system, fake your identity.</p> <p>The choice of which factor or factors to use is a trade-off between security, convenience, and cost. It’s simply not cost effective to have fingerprint scanners everywhere we use passwords, for example. And in fact, even if we could, unlike passwords and some other methods, fingerprints cannot be easily changed. If someone did get their hands on (no pun intended) your fingerprints, that method of authentication is useless to you forever more.</p> <p>We’ve all seen movies where a black ops team breaks into a multi-factor authentication system through a series of high-risk adrenaline pumping missions – stealing an iris scan by spraying something in the target’s eye, swiping the target’s access card with sleight of hand during a dinner party, and then cracking the password with some fancy cigarette-pack sized electronic device. It’s great entertainment, but it’s not really practical for even the most advanced criminals. Instead of trying to break each piece of authentication independently, real world attacks focus on the <strong>choke points</strong> – places in the system where all of the information can be stolen at the same time.</p> <p>ATM skimming works on this principle. By placing a fake magnetic reader over the real one at an ATM, along with a hidden camera, criminals are able to steal both your card data (something you have) and your PIN (something you know). 
The choke point is the physical location of the ATM – there, criminals can obtain all the factors needed to assume your identity.</p> <p>For most systems, the computer is the choke point. Consider a computer terminal where you have to both swipe a card and enter your password. If there is a trojan on the system, it can capture all information being input. Even if the system encrypts all of the data before transmitting it, too often the data resides in memory unencrypted, or is unencrypted at the point of entry (e.g. the keyboard or system driver for the magnetic card reader).</p> <p>Which brings us to the RSA SecurID attack. SecurID is a hardware token that generates a “random” number every 30 or 60 seconds (which it either displays on an LCD panel or transmits to the computer automatically). That number must be entered into the system, usually along with a password. The idea is that even if the system were infected and the number were stolen, it is useless within a minute. Unlike passwords and biometric authentication, this type of “something you have” authentication can be used to create continually changing codes, mitigating the computer as a useful choke point. But in computers, nothing is truly random. Random numbers are generated using formulae and magic seed values. How else would the server on the other end of the system know whether the number you entered is actually valid? The server is able to predict what number your specific device will display at any given time. If attackers were able to steal this formula, they might be able to predict future hardware-token values. If, to do this, they require the serial number or other identifying information about each specific hardware-token device, then be on the lookout for phishing attacks or emails asking you for your token serial number or other information that might otherwise seem innocuous. As we’ve seen with some of the more sophisticated cyber attacks of late, enemies are both organized and patient. 
This could be just one phase in a longer term or multi-pronged plan to compromise one type of authentication.</p> <p>But speaking purely theoretically, what if the stolen information was enough to predict future codes given enough data points – in other words, by matching the same user password with multiple token codes over several (or perhaps hundreds) of points in time? In that case, attacking the end terminal and monitoring both the user passwords and token codes might be enough for an attacker to assume a user’s identity. This is entirely speculative and I am not saying that SecurID has been compromised as such. I am simply noting that every authentication factor has both pros and cons, strengths and vulnerabilities. The level of sophistication required to reverse engineer such tokens, even given the seed values, is enormous.</p> <p>The real point is that when considering multi-factor authentication, think about your choke points. Each additional factor adds a hurdle to an attacker if they are tackled independently. If you use systems where all these factors come together, and those factors are either unchanging (e.g. fingerprints and most passwords) or predictable, you are vulnerable.</p> f1397696-738c-4295-afcd-943feb885714:44002 RSA and the APT Attack http://blog.bit9.com/bid/43839/RSA-and-the-APT-Attack <p><em>(Note: This is the first of a two-part Bit9 post.)</em> Top security company RSA, the eponymous founder of the IT security industry’s largest conference, announced late Thursday in time for the Friday news cycle, that it has been a victim of a very “sophisticated” attack. 
Intruders succeeded in stealing information on the company’s SecurID two-factor authentication products, according to the company.</p> <p>SecurID is that little dongle that adds a layer of protection to the login process by requiring the computer user to enter a secret number cryptographically generated every 30 seconds.</p> <p>According to the RSA blog: “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”</p> <p>It begs the question: Is the algorithm compromised? Is it now “one factor” authentication for these millions of users?</p> <p>It’s got a lot of people wondering today whether the SecurID card that is allowing them to access their corporate network and view sensitive information is secure. Could this go so far as to affect an RSA customer's IP and eventually its billion-dollar market cap?</p> <p>RSA (owned by EMC) as of yet has not provided any details about when the attack happened, how long it lasted, when it was discovered or how it happened. As a consequence there is much speculation in the media, in blogs and in the Twitterverse. RSA categorized the attack as an advanced persistent threat (APT). APT attacks often use zero-day vulnerabilities and are targeted attacks, thus are rarely detected by antivirus and intrusion detection systems. The intrusions are known for being stealthy, lying in wait in a company’s network, sometimes for years, even erasing all trace of themselves after stealing data.</p> <p>The attack that Google announced last year was considered an APT attack, and, like many intrusions in this category, was linked to China. 
The hackers are looking to find vulnerabilities in commonly used programs. Anything that is ubiquitous. SecurID is ubiquitous squared as it gives access to millions of users and company data.</p> <p><img src="http://blog.bit9.com/Portals/447/images/securid.JPG" border="0" alt="securid" /></p> <p>RSA, a division of EMC, also filed a disclosure with the Securities and Exchange Commission, which includes this list of recommendations for customers who might be affected:</p> <p>• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.</p> <p>• We recommend customers enforce strong password and pin policies.</p> <p>• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.</p> <p>• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. 
Employees should not comply with email or phone-based requests for credentials and should report any such attempts.</p> <p>• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.</p> <p>• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.</p> <p>• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.</p> <p>• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.</p> <p>• We recommend customers update their security products and the operating systems hosting them with the latest patches.</p> <p>This has the potential to make the news for a long time to come and become one of those attacks that sits on the cyber attack <a title="timeline " href="http://blog.bit9.com/bid/40340/What-s-the-Score-20-Years-of-Malware-Security" target="_self">timeline </a>in the history of information security. It also will push the more security sensitive corporations to consider adding additional layers of defense to protect against advanced persistent threats (APTs). A month ago, RSA talked about their vision of how to handle APTs <a title="here" href="http://www.rsa.com/press_release.aspx?id=11334" target="_blank">here</a>. We have recently interviewed a long list of large corporations on what they are doing to prevent APT attacks and it was definitely a layered approach. What we learned about what companies are doing will be in part II of this post next week.</p> f1397696-738c-4295-afcd-943feb885714:43839 Metadata Madness! 
Digitalsmiths Delivering Immediate, Personalized Highlights for NCAA Fans http://digitalsmiths.com/node/415 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 17th, 2011 09:11 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>For millions of fanatical fans across the country, March is the greatest month of the year because of the NCAA Division 1 March Madness® basketball tournament. Sixty eight men’s and women’s college teams will battle for supremacy in the most significant sporting event of the year next to the Super Bowl. There are always unbelievable moments, like buzzer-beating three pointers, huge blocked shots, no-look passes, and thunderous dunks.</p> </div> <div> <a href="http://digitalsmiths.com/node/415">Continue Reading...</a> </div> 415 at http://digitalsmiths.com APT Summit with Bit9, Gartner, ArcSight (HP), Netwitness, Accuvant http://blog.bit9.com/bid/43532/APT-Summit-with-Bit9-Gartner-ArcSight-HP-Netwitness-Accuvant <p>Bit9 is hosting an "APT" Summit in Washington, DC on March 23 at the "Newseum" - a very cool interactive and fairly new museum on Pennsylvania Avenue across from the National Archives. Executives from Bit9, Gartner, ArcSight, Netwitness and Accuvant will discuss advanced threats and ways to detect and stop them.</p> <p>The keynote will be given by Neil MacDonald, VP and Fellow at Gartner. Other speakers will be:<br /><br /></p> <ul> <li>Dr. 
Prescott Winter, ArcSight, “Dealing with APT: Technology and the Rest of the Story”</li> <li>Gary Golumb, Principal Security Researcher, Netwitness, "Using Better Network Forensics to find APT"</li> <li>James Foster, vice president, Accuvant</li> <li>Tom Murphy, Chief Strategy Officer, Bit9, “Illuminating the Endpoint Blind Spot"</li> </ul> <p> </p> <p>There is no charge for the event, but seats are limited. To sign up head on over to this sign up <a title="page" href="http://www.bit9.com/landing/apt-summit/index.php" target="_self">page</a>. </p> f1397696-738c-4295-afcd-943feb885714:43532 Proposed FFIEC Changes Mean Improved Prevention http://feedproxy.google.com/~r/bankfraudforum/~3/R6CIOeomTkI/Proposed-FFIEC-Changes-Mean-Improved-Prevention.aspx As many of you probably know, the <a href="http://ffiec.bankinfosecurity.com/" target="_blank">FFIEC has drafted </a>and is ready to unveil their guidance on ‘Authentication in an Internet Banking Environment’. It is my understanding that the focus for improvement (albeit closely aligned to the recommendations made in 2005) relates to 5 key areas for enhancing online security. 
One area I want to address is the possible requirement for financial institutions to incorporate ‘<strong><a href="http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=222&rf=Mem_PW" target="_blank">layered security’ </a></strong>controls to better detect and respond to suspicious or anomalous activity. {CA975AAE-5445-4E65-B2DD-1EC5207A05B1} They're Coming For You http://blog.bit9.com/bid/40754/They-re-Coming-For-You <p>RSA 2011 has come to an end and I wanted to talk about one particularly memorable statistic I heard at the conference. Enrique Salem, President and CEO of Symantec, said in his keynote that 75% of the attacks they saw in 2010 were targeted at 50 computers or less, or as he calls them “micro-distribution” attacks. Or micro zero day attacks.</p> <p>Think about that. We’re not talking about viral attacks intending on stealing mass credit cards or creating large botnets. These are targeted at specific companies or specific individuals. Whether it’s economic espionage, military espionage, or all out cyber warfare, if an attacker is targeting a handful of computers, he is going after a specific goal. 
He is tailoring his attack just for his target.</p> <p>Think “smart bullets” versus random gunfire.</p> <p>Some other interesting stats shared this week at the conference:</p> <ul> <li>Symantec sees nearly 2 million threats every day</li> <li>McAfee generates 55,000 unique signatures every day, and estimates there are 2 million malicious web sites appearing every month</li> <li>Sophos receives 95,000 malware samples every day, and detected 100,000 new fake antivirus products just in December</li> </ul> <p>Now imagine that just a small fraction of these numbers are targeted attacks.</p> <p>It’s time to get smart about our defenses.</p> f1397696-738c-4295-afcd-943feb885714:40754 Forecast: Cloudy Skies with a Chance of Mobility http://blog.bit9.com/bid/40647/Forecast-Cloudy-Skies-with-a-Chance-of-Mobility <p>It’s been a bustling week at RSA.  The weather in San Francisco has been cloudy all week, and that seems fitting given the themes floating around the RSA Conference this year. Everyone is talking about the “cloud”… both the challenges it presents; with sensitive data being stored and accessed from outside controlled perimeters, and the opportunities it offers; applying limitless computing power and global collaboration to identify and mitigate risks faster than ever before.</p> <p>Security services from the cloud, trust and reputation in the cloud (see our own <a href="http://www.businesswire.com/news/home/20110215005536/en/Bit9-Announces-Open-Cloud-based-Software-Reputation-Platform">press release</a> earlier this week), identity management and authentication to the cloud, virtualization in the cloud, cloud computing and privacy, private clouds, public clouds, hybrid clouds, and more. That’s a lot of cloud talk. The cloud means a lot of different things to different people, but at its essence, it both broadens our capabilities and blurs our perimeters.</p> <p>And that brings us to a second hot topic at RSA: mobile and the consumerization of IT. 
Smart and mobile devices are becoming increasingly important in business applications. People are using their personal smart phones to access email and critical business data, directly on their corporate networks, through virtual private networks, and through public cloud services. It is estimated that by 2012, mobile devices will represent more than half of the assets connected to corporate networks. While the overwhelming majority of cyber threats are still targeted at traditional desktops and laptops, we know that mobile devices represent an ever growing weak spot – hence a growing opportunity for malicious actors to attack.</p> <p>This environment presents a tremendous security challenge. The vendors at the RSA Conference are working hard to develop and present responses to this challenge. Through a mix of both hype and reality, there are some interesting ideas being applied to help secure this brave new cyber world. It is clear that this space is evolving. No single technology will keep you safe in  the era of interdependent and boundary-less information. But it’s exciting to be a part of this process, and it’s a good sign that at least there is broad-based acknowledgement and understanding of the security challenges we face.</p> f1397696-738c-4295-afcd-943feb885714:40647 What’s the Score? 20 Years of Malware & Security http://blog.bit9.com/bid/40340/What-s-the-Score-20-Years-of-Malware-Security <p> </p> <p><img src="http://blog.bit9.com/Portals/447/images/BIT9BLOG.png" border="0" alt="BIT9BLOG" width="581" height="247" /></p> <p>RSA is celebrating its 20th anniversary this week in San Francisco. On this occasion, it’s worth taking a look back at the past two decades of security. Some things have changed dramatically, others have stayed the same.</p> <p>In 1991, the year of the first RSA conference, Symantec released Norton Antivirus (the other major antivirus player at the time, Central Point, would be acquired by Symantec in 1994). 
It was a blacklisting technology, using signatures to identify malware. At that time, there were maybe a few hundred signatures. That number stayed under 10,000 for almost a decade, but has grown out of control in the past five years. It broke the 100,000 mark in 2005, the 1 million mark in 2008, and approached 5 million in 2010. In 2009, Symantec wrote 2.9 million signatures (almost 8,000 new signatures every day); more than half of all signatures written since they first introduced their technology. We’re talking about new signatures, not total. Cumulatively, we’re approaching the 10 million mark.</p> <p>These are signatures, not actual threats. Many of these signatures are pattern based, intended to identify multiple variants of the same threat. Just last month, IT security lab <a title="AV-Test" href="http://www.av-test.org/" target="_blank">AV-Test</a> registered its 50 millionth sample in its malware repository. And that’s just the malware we know. It doesn’t include the millions of uncharted samples. In 20 years, we’ve gone from a few dozen known attacks to tens of millions; from a few hundred signatures to almost 10 million.</p> <p>While the volume of threats has grown uncontrollably, so has the sophistication and nature of the attacker.</p> <p>Let’s take a look at some of the high profile attacks over the past 20 years:</p> <p>- 1990: The first polymorphic attack hit the world stage with the Chameleon virus.</p> <p>- 1995: Windows 95 is released, and the first macro virus appears in the wild, Concept. It did not cause any damage, but it made the point that a new breed of attacks was on the horizon.</p> <p>- 1999: The Melissa macro virus showed the power of macros and social engineering. Arriving as an email entitled “Important message from xxx” with an attachment and message of “Here is the document you asked for… don’t show anyone else ;-)”, it quickly spread through address books. 
It clogged email servers around the world, causing an estimated $1B worldwide in damage.</p> <p>- 2000: The infamous ILOVEYOU or LoveBug worm wreaked havoc on over 45 million computers, causing an estimated $10B in damage (ILOVEYOU has the dubious distinction of being one of the first multi-billion dollar attacks). It arrived via email as an attachment, or via IRC as a link, and users were more than happy to open it. It spread in a similar manner as Melissa, and also through mIRC, but also modified system settings and dropped additional payloads onto each computer, and attempted to steal password information.</p> <p>- 2001: This was a particularly bad year to be in security. Among the most notable attacks that year were Code Red and Nimda. Code Red was one of the first memory-only worms, leaving no files or trace on the hard drive. Exploiting a buffer overflow vulnerability, Code Red attacked IIS web servers. It is estimated to be the most expensive malware of 2001, causing $2.75B in cleanup or lost productivity costs. On its heels came Nimda (“admin” spelled backwards), one of the fastest spreading worms of all time. Nimda spread through multiple vectors, including back doors left open by a Code Red variant.</p> <p>- 2003: This year saw attacks on SQL Server (Slammer) and Distributed Denial of Service (Blaster), and most notably, the second most expensive attack of all time, Sobig. It was the fastest email spreading worm of its day, and it also dropped a trojan that could turn an infected system into a spamming bot. It caused an estimated $37.1B in damage.</p> <p>- 2004: Another year of nasty attacks (Netsky, Sasser, Vundo, …) but the clear standout, and the most costly virus of all time, was Mydoom. With an estimated cleanup cost of $38.5B, it remains the fastest spreading mass mailer worm. It is estimated that, shortly after its release, 20-30% of worldwide email traffic was due to Mydoom. 
In addition to containing its own SMTP engine which it used to spread via email, it would also use the infected systems in organized Denial of Service (DoS) attacks on various high profile sites.</p> <p>- 2006-2007: The war of the botnets heats up, with the Stration (aka Warezov) and Storm worms vying for top position in number of machines infected. Believed to originate from Russian gangs, later variants of these worms tried to gain control of the systems compromised by their rival. It is estimated that Stration, at its peak, was generating a new variant every 30 minutes, and accounted for nearly one-third of all reported malware infections. Millions of computers are compromised by these attacks and form large networks of botnets, able to be controlled remotely.</p> <p>- 2008: As social networking increases in popularity, they become a rich target for attack. High profile attacks like Koobface (anagram of “facebook”) make their debut. One of the most sophisticated attacks was the Conficker worm, which combined several vulnerabilities and techniques for spreading. Estimates of its spread are hard to come by, with more hype than fact, but Conficker likely infected several million computers.</p> <p>- 2009: Cyber warfare heats up. In mid 2009, an organized set of DDoS attacks on web sites in the United States and South Korea occur. Operation Aurora, a series of state-sponsored and coordinated attacks against corporations (including Google, Adobe and Juniper) was publicly disclosed. The attacks were multi-faceted, involved multiple levels of encryption, and used sophisticated techniques to remain stealthy. While such attacks have occurred for years, the level of public disclosure raised the awareness that the enemy had changed. From garage hacker, to individual criminals, to organized crime, and now to state sponsored and targeted (well financed and highly advanced). 
A new term was added to the public lexicon to describe this new type of attack: APT (Advanced Persistent Threat).</p> <p>- 2010: Typifying exactly how dangerous today’s attacks can be, Stuxnet makes its debut. As I <a title="blogged" href="http://blog.bit9.com/bid/14566/Worms-of-Mass-Destruction" target="_self">blogged</a> about at the time, Stuxnet is one of the most advanced attacks ever written. Designed to target SCADA systems, such as those used in nuclear power plants, Stuxnet has been dubbed a “cyber super weapon”. Also, the Zeus trojan continues to steal millions of dollars. Zeus was first identified in 2007. It is essentially a toolkit that can be used to craft custom malware for controlling computers and stealing information. In 2009, several high profile outbreaks were reported, and again in 2010. Signature based detection is simply ineffective at detecting or stopping it. Lastly, as if to rub salt in the wound of a 20 year-old technology that has not kept pace with the threat, the “Here you have” email virus appears, in an attack almost identical to the Melissa virus of 1999. With an email body reading “This is The Document I told you about, you can find it Here”, this virus shows that you can still trick people into opening anything and there’s very little traditional antivirus can do about it.</p> <p>2011 is still young, so we’ll see what demons lurk in the waiting. But just last week, McAfee <a title="produced a report" href="http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf" target="_blank">produced a report</a> on an attack dubbed “Night Dragon” that details a sophisticated set of attacks originating from China against global oil and energy companies. In fairness to my timeline, these attacks occurred at the end of 2009 and through 2010, but the report was only just released. 
It’s reminiscent of Operation Aurora, where the attack is targeted and multi-pronged, involves several vulnerabilities and techniques, and is sponsored by a determined and well-financed enemy. We will see more of these types of attacks this year.</p> <p>Remarkably, in twenty years, the basic nature of the antivirus technology that was first introduced in 1991 has not evolved much. Sure, they’re building new malware signatures at record pace, but playing the numbers game is a losing proposition. More importantly, the enemy is developing specialized attacks designed for penetration and stealth, not broad based infection. With the growth of mobile and smart devices, the perimeter surrounding a company’s assets is becoming less defined and the number of vulnerable entry points is exploding. Two decades later, at this year’s RSA, there will be recognition that a new approach to security is needed.</p> f1397696-738c-4295-afcd-943feb885714:40340 The Blame Game http://feedproxy.google.com/~r/bankfraudforum/~3/Y5DfNqLwpV0/The-Blame-Game.aspx <p>Who is to blame when a company is a victim of wire fraud? Does the bank bear full responsibility for policing the company’s account for unusual transactions? Does the company bear more responsibility since they “own” and manage the credentials needed to log in to the bank’s website? Unfortunately, for Experi-Metal and Comerica, the answers to these questions will end up being provided by the United States District Court. 
The trial to decide who should assume wire fraud losses ended on January 26 and the verdict is expected any day now.</p> {256D7C53-C414-4134-A9D7-5111D336B478} Customer catches fraud more often than not http://feedproxy.google.com/~r/bankfraudforum/~3/KYHld6wy2X4/Customer-catches-fraud-more-often-than-not.aspx According to the <a title="fraud survey results" href="http://www.bankinfosecurity.com/surveys.php?surveyID=9" target="_blank">survey results </a>recently released by Bank Info Security, the most common way fraud is detected is when a customer notifies a financial institution. 
Below are all responses to the question, “When is a fraud incident involving your organization usually detected?” {38771EF9-2EDB-43AC-A969-DB79A200DECD} New Data From 2010 Payments Study http://feedproxy.google.com/~r/bankfraudforum/~3/4Y7yS1n0Sbg/New-Data-From-2010-Payments-Study.aspx Every three years the Federal Reserve releases a <a href="http://www.frbservices.org/files/communications/pdf/press/2010_payments_study.pdf" target="_blank">study </a>that shows macro trends in the payment choices of consumers and commercial account holders. 
Many in the industry consider the report to be required reading as it offers important insights and trends regarding different payment types including check, ACH, debit card, credit card and prepaid card. {C4CB05F8-7F20-4FC6-B975-33859507C38C} Government Awards for Bit9 Parity http://blog.bit9.com/bid/30000/Government-Awards-for-Bit9-Parity <p>Tooting our own horn a bit here: Bit9 was just awarded two government awards - the "<a title="Best Anti-Malware Solution" href="http://www.bit9.com/company/news-release-details.php?id=177" target="_blank">Best Anti-Malware Solution</a>" from Government Security News' Homeland Security Awards and the <a title="American Security Challenge" href="http://www.americansecuritychallenge.com/challenge/index.php#winners" target="_blank">American Security Challenge</a> 2010 Pilot Award.</p> <p>Government agencies have increasingly been adopting Bit9 Parity application whitelisting to defend against the "Advanced Persistent Threat" and some examples of the company's traction in government include:</p> <ul> <li>Numerous government-wide acquisition contracts (GWACs) spanning GSA, NASA SEWP, and Defense IDIQ contract vehicles ENCORE II (small & large business), ITES-2S and NETCENTS</li> <li>Strategic alliances with federally focused organizations including CACI, Iron Bow Technologies, Lockheed Martin IS&GS and TKC IS</li> <li>Partnerships with Guidance Software and Mandiant</li> <li><a title="Integrations " href="http://www.bit9.com/partners/index.php" 
target="_self">Integrations</a> with <a title="ArcSight" href="http://www.bit9.com/company/news-release-details.php?id=167" target="_blank">ArcSight</a>, BigFix and Symantec</li> <li>Evaluation for <a title="certification " href="http://www.bit9.com/company/news-release-details.php?id=165" target="_blank">certification</a> to Common Criteria Evaluation Assurance Level 2+</li> <li>Strong commitment to preventing targeted cyber attacks with recent launch of <a title="Bit9 Cyber Forensics Service" href="http://www.bit9.com/company/news-release-details.php?id=172" target="_blank">Bit9 Cyber Forensics Service</a>™ </li> </ul> <p> </p> <p>Why does the Government need advanced threat protection such as application whitelisting? Government agencies at all levels are entrusted with sensitive information. Managing the risks associated with this information is critical not only for government security but also to ensure citizens' confidence in public services. The attacks coming from China dubbed <a title="Operation Aurora" href="http://www.bit9.com/company/news-release-details.php?id=145" target="_blank">Operation Aurora</a> at the beginning of the year provide the best motivation.</p> <p>The Intelligence Community, among others, is advocating the approach of default deny - or restricting applications as an important security approach. In their operating <a title="system guidance" href="http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml" target="_blank">system guidance</a>, it says "an application whitelisting technique significantly increases the security posture of the domain by preventing some malicious programs from executing." While they are discussing Software Restriction Policies in this instance, the precursor to AppLocker, the technique and end result are the same. 
This <a title="whitepaper " href="http://www.bit9.com/resources/register/index.php?sfcid=70180000000Xtqy&file=Whitepaper-Bit9-Parity-Suite-vs-AppLocker.pdf&level=1" target="_blank">whitepaper</a> goes in depth into the differences between application whitelisting and AppLocker.</p> f1397696-738c-4295-afcd-943feb885714:30000 Reading Into Payments Fraud http://feedproxy.google.com/~r/bankfraudforum/~3/j1PrXFllsd4/Reading-Into-Payments-Fraud.aspx Cybercrime is justifiably getting a lot of media attention these days. From <a href="http://www.fsisac.com/files/public/db/p265.pdf" target="_blank">industry advisements</a>, <a href="http://online.wsj.com/article/SB10001424052748704483004575523811617488380.html?mod=WSJ_hpp_LEFTWhatsNewsCollection#ixzz118gZwdeo" target="_blank">FBI operations </a>and plenty of <a href="http://www.mementosecurity.com/Forums/Bank-Fraud-Forum/News/Categories/ACH-and-Wire-Fraud.aspx" target="_blank">cases </a>in the news – it is easy to see why it’s a hot topic. {A3FFE4C2-885F-4E26-B9C0-FBB75DA5B13E} Reported Vulnerabilities: Quality versus Quantity http://blog.bit9.com/bid/25781/Reported-Vulnerabilities-Quality-versus-Quantity <p>A lot of buzz has been generated by our annual <a href="http://www.bit9.com/landing/vulnapps2010/">report</a> on applications with the most reported vulnerabilities. I wanted to provide some further context as data is always subject to interpretation. 
We encourage honest and open disclosure by product vendors of security vulnerabilities (and their remediation when available). Much of the data provided to the NIST NVD is reported by the vendors themselves, and we applaud this honesty.</p> <p>While we analyzed the volume and severity of vulnerabilities reported in 2010, it is also useful to understand what we did not analyze, as it is not available in the NVD. How many of the vulnerabilities were self-reported (by the vendors themselves) versus externally reported? What was the average time-to-fix (which requires knowing when a vulnerability was actually “known” to the vendor versus when it was reported to NIST)? Was the reported vulnerability a single issue or a roll-up of multiple issues? You can’t really compare who is #1 on our list to #10, for example, without further context.</p> <p>In fact, companies such as Google and Mozilla run incentive programs where people who report new vulnerabilities can actually get paid. By intent, such programs may lead to higher numbers of reported vulnerabilities, while also leading to more secure products. Reporting guidelines also vary - some vendors may report all vulnerabilities internally found, while others may not. In these regards, the products toward the top of our list may in fact be more secure or present less risk – IF you are keeping your applications up to date.</p> <p>And that is the real point – the applications in our list are present on almost every desktop, and on average across the list, more than one high severity vulnerability is found (and often fixed) every day. Whether you are talking about your personal computer or you are managing hundreds of corporate endpoints, be aware and be diligent. Know what versions of products you are running and update them regularly. 
Apply best endpoint security practices and security products to protect yourself when applications have not been patched and for the next vulnerability which might be only a day away.</p> f1397696-738c-4295-afcd-943feb885714:25781 United by Flaws http://blog.bit9.com/bid/25697/United-by-Flaws <p>Today Bit9 released its fourth annual <a title="report " href="http://www.bit9.com/landing/vulnapps2010/" target="_self">report </a>on the applications with the most vulnerabilities reported against them—our attempt as a company to help customers, and the broader business community, understand that they need to be ever-vigilant when it comes to endpoint security.</p> <p>Our report ranks end-user/consumer-facing applications (not an enterprise-only application like a server, router or O/S) that have the most reported vulnerabilities, based on data from the U.S. National Institute of Standards and Technology’s (<a title="NIST" href="http://nvd.nist.gov/" target="_self">NIST</a>) database of vulnerabilities. NIST tracks applications with reported vulnerabilities, and we analyzed information about downloadable software that typical consumer and business users will encounter each time they use a computer.</p> <p>The list is familiar and I personally use many of the “dirty dozen” apps in the report. Do I worry about using apps at work and home that are highest in reported weaknesses? Absolutely not. Am I mindful of using precautions and keeping my software updated, a resounding YES.</p> <p>The list shows that all software, like humans, has flaws, and this is one of the single unifying constants in the industry. The companies reflected on the list do a superb job of correcting vulnerabilities to protect their customers. 
Now it is our job to make sure we’re protecting ourselves and keeping our endpoints secure.</p> f1397696-738c-4295-afcd-943feb885714:25697 When All Accounts Are Compromised http://feedproxy.google.com/~r/bankfraudforum/~3/rJNn-wmouVA/When-All-Accounts-Are-Compromised.aspx Anyone see this <a href="http://www.bankinfosecurity.com/articles.php?art_id=3005" target="_blank">story on BankInfoSecurity </a>about the Zeus Trojan that hit mobile banking users at 12 Spanish banks? In addition to providing another catchy term (Zeus Mitmo – for Man in the Mobile), this event is perhaps the harbinger of a wave of new attacks aimed to compromise remote channels, and yet another example of how nimble fraudsters will always find the open window. {EA4C8E6C-C571-40CF-B200-D8E90304B34B} Filling the IT Security Gap for The Social Network Generation http://blog.bit9.com/bid/21928/Filling-the-IT-Security-Gap-for-The-Social-Network-Generation <p>Recently I spoke with an IT Executive within the U.S. armed forces who was discussing the importance for new recruits and younger soldiers to stay connected with friends and family using the tools they’ve grown up with, namely Facebook. 
He is concerned with denying access to technology that is ubiquitous among Generation Y and Z but has to weigh the security and other risks that come with loosening restrictions to the Internet.</p> <p>This is a <a title="common issue" href="http://mashable.com/2010/07/12/social-media-at-work/" target="_self"></a><a href="http://mashable.com/2010/07/12/social-media-at-work/">common issue</a> even among private sector businesses trying to strike the right balance between security, employee productivity and access to the Internet and web-based applications. It will only get more challenging.</p> <p>According to a Pew Internet & American Life Project survey, 73 percent of U.S. teens aged 12-17 use social networks, and a whopping 93 percent use a computer to go online. As the so-called <a title="iGeneration" href="http://www.usatoday.com/news/health/2010-02-10-igeneration10_CV_N.htm?csp=obinsite" target="_self"></a><a href="http://www.usatoday.com/news/health/2010-02-10-igeneration10_CV_N.htm?csp=obinsite">iGeneration</a> enters the workforce, the pressure to remove barriers to the Internet and web-based apps at work will increase. In addition, social media is increasingly becoming the way businesses market themselves, and engage with employees, customers and partners, and this trend will continue to escalate.  Look at the <a href="http://newsfeed.time.com/2010/10/12/haters-gonna-win-gap-returns-to-old-logo/">Gap logo controversy</a>, and the power of Internet users to influence a corporate decision.</p> <p>It’s time to eliminate the security constraint from the equation so organizations can enable the apps and tools employees need to be successful in 2010 and beyond.</p> <p><strong>Rethinking the Security Question<br /></strong>Cybercriminals have invaded Facebook, Twitter and other social networks, and they will continue to use social engineering attacks to mine data. 
These exploits have been <a href="http://www.usatoday.com/tech/news/computersecurity/2010-03-04-1Anetsecurity04_CV_N.htm">well documented</a>. Employees -- or soldiers for that matter -- accessing such sites from work or with a laptop that connects to the corporate network do present serious security challenges.</p> <p>But there’s a gap in how most organizations are approaching IT security that limits their ability to support today’s baseline web resources. Each year, nearly three million malware signatures are created in this never-ending cycle of the good guys chasing the bad guys. And it doesn’t work.</p> <p>The recent ‘<a href="http://web.bit9.com/bid/14060/Here-you-have-AntiVirus-Companies-Scrambling-Again">Here you have</a>’ virus used a 10-year-old technique to compromise computers, illustrating the futility of negative security models that pit vendors against hackers in a race to combat each new attack variant. On the other hand, positive security models define what is allowed and reject everything else. Advanced malware protection such as whitelisting technology stopped ‘Here you have’ and will prevent custom attacks that defy malware signatures.</p> <p><strong>Changing Mindsets<br /></strong>The reality is that <a href="http://www.youtube.com/watch?v=lFZ0z5Fm-Ng">social media has changed the world</a> and the workplace. Today 80 percent of companies use LinkedIn to find employees. Facebook reached 200 million users in less than a year, leapfrogging the adoption of the Internet, which achieved 50 million users in four years.</p> <p>One recent customer came to Bit9 after disabling website browsing because they could not manage the risk of malicious software being introduced. After realizing this approach was untenable, the company deployed Bit9’s application whitelisting technology to define the sites users were allowed to visit and blocked all others by default. 
They have now restored users’ ability to openly browse websites, including social media sites, and have eliminated the risk of malicious payloads being dropped when browsing.</p> <p>The Social Network generation is here, and they want their Facebook, Twitter and iPhones. Keeping this group engaged and productive at work means providing access to the tools that are as ubiquitous to them as the telephone and fax machine are to Boomers. Anything less is shortsighted. </p> <p>Security done right can allow more free access to online tools from work, without opening companies up to undue risks.</p> f1397696-738c-4295-afcd-943feb885714:21928 PCI DSS Still Behind When it Comes to Targeted Malware http://blog.bit9.com/bid/20752/PCI-DSS-Still-Behind-When-it-Comes-to-Targeted-Malware <p><a title="Today, the PCI Council launched v2.0 of their 12 security requirements referred to as the Payment Card Industry Data Security Standard (PCI DSS).  " href="https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf" target="_self">Today, the PCI Council launched v2.0 of their 12 security requirements referred to as the Payment Card Industry Data Security Standard (PCI DSS).  </a>The PCI DSS has enabled a common language for merchants, banks, hardware and software vendors, and payment processors to better protect cardholder data. </p> <p>Since v1.2.1 came out in July 2009, custom malware has been on the rise, targeting organizations, users of a specific payment processing application and even high-profile individuals in the form of “whale phishing”.  According to the <a title="2010 Verizon RISK Team’s Data Breach Investigations Report" href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" target="_self">2010 Verizon RISK Team’s Data Breach Investigations Report</a>, malware contributes to 94% of records compromised and 97% of the 140+ million records were compromised by custom malware.  
If custom malware has now become the most effective attack vector, why does the PCI Council continue to prescribe antivirus as the must have defense to meet PCI DSS requirement #5? </p> <p><strong>A More Proactive View<br /></strong><a title="By comparison, the SANS-driven Consensus Audit Guidelines" href="http://www.sans.org/critical-security-controls/guidelines.php" target="_self">By comparison, the SANS-driven Consensus Audit Guidelines</a> is a set of 20 Security Controls that has gained significant momentum over the past couple of years especially within the government sector.  The current CAG (v2.3) was released in November ‘09 and has gained traction as a guideline and best practice because it ranked the most common ways organizations get compromised, and prioritized the controls that would have the most significant impact.  The CAG does not prescribe a 20-year-old, antiquated technology to protect against today’s custom malware.  The CAG prescribes a proactive application whitelisting approach to address the onslaught of targeted attacks that are looking to steal intellectual property, extract military secrets, or establish remote command and control on the electrical grid. </p> <p>Most organizations, subject to the PCI DSS, recognize the 12 requirements are a baseline to protect cardholder data.  
These security professionals and their Qualified Security Assessors (QSAs), like SANS, should leverage application whitelisting to put an end to the most effective crimeware – custom malware.</p> f1397696-738c-4295-afcd-943feb885714:20752 Using Metadata To Get Inside The NBA http://digitalsmiths.com/node/436 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Oct 27th, 2010 02:16 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Yesterday, we were very pleased to start another season powering Turner Sports' <a href="http://www.nba.com/insidethenba/" target="_blank">Inside The NBA</a>, starring Ernie Johnson, Kenny Smith, and the newly slimmed-down Charles Barkley:</p> </div> <div> <a href="http://digitalsmiths.com/node/436">Continue Reading...</a> </div> 436 at http://digitalsmiths.com Gotuit Named Streaming Media Readers' Choice Award Finalist http://digitalsmiths.com/node/437 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Oct 20th, 2010 10:09 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> 
<p></p><p>We are excited to announce that the Gotuit Video Metadata Management System was named a finalist for the Streaming Media Readers' Choice Awards in the Search and Indexing Platform category for the second year in a row. Check out the entire list of finalists <a href="http://www.streamingmedia.com/Articles/News/Featured-News/Announcing-the-2010-Streaming-Media-Readers-Choice-Awards-Finalists-70709.aspx" target="_blank">here</a>.</p> </div> <div> <a href="http://digitalsmiths.com/node/437">Continue Reading...</a> </div> 437 at http://digitalsmiths.com Self Dealing is Not Your Average Policy Violation http://feedproxy.google.com/~r/bankfraudforum/~3/pzXg52meJgI/Self-Dealing-is-Not-Your-Average-Policy-Violation.aspx <p>Most banks and credit unions have policies in place that prohibit employees from accessing or performing transactions on accounts owned by themselves or family members. While such behaviors, often called “self dealing”, can be relatively minor infractions that highlight the need for re-training or better policy enforcement, they can also be part of large scale fraud schemes, as in the case at this West Virginia credit union.</p> {C1CDABA5-DD6D-49C2-B168-BB8A4626850E} New: Bit9 Cyber Forensics Service™ for Advanced Threat Protection http://blog.bit9.com/bid/18109/New-Bit9-Cyber-Forensics-Service-for-Advanced-Threat-Protection <p>This morning Bit9 announced our new <a title="Cyber Forensics Service" href="http://www.bit9.com/products/cyber-forensics.php" 
target="_self">Cyber Forensics Service</a>, which is an “in the cloud” service that leverages our <a title="Global Software Registry " href="http://www.bit9.com/products/bit9-global-software-registry.php" target="_self">Global Software Registry™ </a>(GSR) database, and provides another tool in an organization’s arsenal to fight the <a title="Advanced Persistent Threat" href="http://www.bit9.com/apt/index.php" target="_self">Advanced Persistent Threat</a>. The GSR is the largest and most complete authority on software, helping users identify, authenticate and trust software.</p> <p>The GSR has over 5 billion records and over 500 million unique files, and is growing at a rate of up to 20 million files each day – testament to how fast new malware signatures are coming online. Traditional, reactive antivirus approaches attempt to keep out the “known bad.” But with almost 700 new malware signatures being created every hour, and virtually all breaches the result of customized malware, how can these antivirus solutions keep up? They can’t and the results are often catastrophic and very public breaches.</p> <p>Add to this that there are about 15,000 legitimate executables on the average Windows computer. With the Cyber Forensics Service, organizations can identify the “known good” quickly, and move on to identifying and protecting against more suspect or malicious software. 
And this investigation time can now be reduced from weeks to days, creating a solid foundation of advanced threat protection much more quickly.</p> <p>Our GSR, and therefore the Cyber Forensics Service, boasts:</p> <p>  -  The most comprehensive repository of software and  software information in the world;</p> <p>  -  Over 150 integrated software and security analyzers collecting and identifying more software than any other source;</p> <p>  -  Runs more malware and vulnerability scanners on software files than any other source;</p> <p>  -  Contains more metadata on each file than any other source; and, </p> <p>  -  Grows faster than any other software identification repository.</p> <p>The Bit9 Cyber Forensic Service is available immediately, with pricing starting at $50K for five forensic users/year, and is offered through an on-demand “in the cloud” web service or via a monthly disk refresh program. <a title="Visit our website " href="http://www.bit9.com/products/cyber-forensics.php" target="_self">Visit our website </a>to learn more.</p> f1397696-738c-4295-afcd-943feb885714:18109 Worms of Mass Destruction http://blog.bit9.com/bid/14566/Worms-of-Mass-Destruction <p>We've been hearing a lot lately about Advanced Persistent Threats (APTs). What are they? Are they really anything different than the malware and viruses we've seen for decades? They are, and the Stuxnet worm flooding the news is a perfect example why.</p> <!--more--> <p>First off, Stuxnet is advanced. Very advanced. It takes advantage of <a href="http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities">four</a> zero-day vulnerabilities, uses two different valid (stolen) digital certificates, and contains dozens of encrypted code blocks. It uses a rootkit to hide itself, peer-to-peer capabilities for remote command and control, and alters its behavior based on the systems on which it is infecting. 
Utilizing a <a href="http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx">nasty vulnerability within the Windows Shell</a>, the attack occurs upon simply viewing files within Explorer.</p> <p>Secondly, it is a targeted attack. Unlike common worms and malware, its goal is not to spread everywhere or to anyone. It was designed specifically to target SCADA (supervisory control and data acquisition) systems, or industrial control systems like those used in power plants and other critical infrastructure locations. Among other behaviors, it is designed to reprogram the PLCs (programmable logic controllers) used in these systems. The advanced nature of the worm, along with its very specific targets, helped Stuxnet elude detection for months, perhaps even a year. Targeted attacks often fly below the radar of the major antivirus security vendors.</p> <p>Lastly, most experts agree, the Stuxnet worm is the work of organized, and quite likely state-sponsored, professionals. Its creation required detailed knowledge of the SCADA systems being targeted, it was written using multiple languages, and it rivals many commercial applications in both complexity and stability (it’s hard to perform all of the work Stuxnet does without crashing or destabilizing a system, risking detection). At nearly 500KB in size, it is notably larger than most malicious worms we’ve seen. These observations suggest that a team of engineers developed Stuxnet over a significant period of time – something that requires commitment and more importantly, money.</p> <p>Aside from being more advanced than traditional attacks, it is different in motivation (purpose and target) and generation (who created it). Kudos to the army of security researchers that have, and are continuing to, dissect this worm. But the most notable attribute of Stuxnet is, in my opinion, its initial entry point. 
The attack initiated from a simple USB stick, just like the one in Operation Buckshot (<a href="http://web.bit9.com/bid/13959/The-Buckshot-Heard-Round-The-World-Bit9-Weighs-in-On-Cyber-Security">which I discussed a month ago</a>). All the sophisticated techniques in its arsenal, and Stuxnet still needed to be physically inserted into “patient zero.”</p> <p>And therein lie two important lessons: Number one is that the host computer is still the most vulnerable point of an infrastructure. All the perimeter defenses in the world (IPS, IDS, firewalls, …) would not have stopped Stuxnet (or the DoD attack involved in Operation Buckshot). It was delivered directly to an endpoint. It’s like a building with motion sensors in every hallway with office doors that open directly to the outside world. Why bother navigating the hallways when you can walk right into a room?</p> <p>Number two, as I’ve harped on many times before, traditional reactive and signature based technologies will continue to fail at detecting these new and unknown attacks. Don’t you think there were antivirus products on at least some of the estimated 45,000 computers infected by Stuxnet?</p> <p>Bit9 Parity's advanced threat protection would have stopped Stuxnet from ever executing in the first place – with or without the Windows Shell Explorer flaw. If a file is not approved, it cannot execute, whether or not the execution is explicit or via some unknown vulnerability. Moreover, even if the stolen certificates were approved, Parity application whitelisting would have stopped the attack with its simple “block all executes from removable devices” policy. Beyond the initial entry point, if a Parity-protected system were attacked by an infected computer, it would remain clean. For example, Stuxnet uses a <a href="http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx">Print Spooler vulnerability</a> among its techniques to spread. 
The print spooler is hardly an approved software distribution system; therefore, any attempt to write and execute content would be blocked.</p> <p>A number of articles have commented that Stuxnet marks a new era in cyber-warfare.  I agree. Advanced threats like Stuxnet are the new weapons of mass destruction. Just as the attackers and their methods have evolved, the defenders and our methods must as well.</p> f1397696-738c-4295-afcd-943feb885714:14566 Organized Fraud Attacks Increasingly In The Headlines http://feedproxy.google.com/~r/bankfraudforum/~3/r169DlfzPzM/Organized-Fraud-Attacks-Increasingly-In-The-Headlines.aspx Breaking news this week is that the New Jersey FBI charged <a href="http://newark.fbi.gov/dojpressrel/pressrel10/nk091610.htm" target="_blank">53 people</a> in connection with sophisticated identity theft and fraud. It is thought that 43 individuals were part of a single, large-scale criminal organization named the Park Criminal Enterprise. Those charged are said to be responsible for identity theft, credit card fraud, bank fraud, tax fraud and other crimes. {E42BEF61-6BF4-4E3A-9092-6B51F5FF20B4} Why the ROI Curve is the Right Curve to Look at http://feedproxy.google.com/~r/bankfraudforum/~3/nzHMHqKFUBQ/Why-the-ROI-Curve-is-the-Right-Curve-to-Look-at.aspx <p>In my earlier post I talked about the ROI curve for deposit fraud. Now we’ll discuss why this is the right curve to look at. Well, for starters it tells a story and illustrates answers to important questions. 
Using our original graph, I’m going to share a couple of these stories.</p> {C99BED40-1B0C-4D83-8EA6-A52FAAD7AF2A} Vote Gotuit for 2010 Streaming Media Readers’ Choice Award http://digitalsmiths.com/node/438 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Sep 13th, 2010 02:49 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>We are excited to announce that once again, Gotuit has been nominated for Streaming Media’s 2010 <a href="http://www.streamingmedia.com/Articles/Editorial/Featured-Articles/Voting-Now-Open-for-2010-Readers-Choice-Awards-69643.aspx" target="_blank">Readers’ Choice Award</a> in the “Search and Indexing Platform” category.  
We were named a Finalist in 2009 and took home the award in 2007 in the category of "Best Search and Indexing Platform".</p> </div> <div> <a href="http://digitalsmiths.com/node/438">Continue Reading...</a> </div> 438 at http://digitalsmiths.com ‘Here you have’ AntiVirus Companies Scrambling Again http://blog.bit9.com/bid/14060/Here-you-have-AntiVirus-Companies-Scrambling-Again <p>Yesterday, at around 2:00 PM, a new virus hit major companies across the world. You’ve probably already read about it by now (see <a href="http://news.yahoo.com/s/pcworld/20100910/tc_pcworld/hereyouhavevirustriestodeleteyoursecuritysoftware">here</a> and <a href="http://abcnews.go.com/Technology/virus-mail-spreads-online/story?id=11596433">here</a>). It hit companies like ABC, Coca Cola and NASA. Comcast even had to shut down its email servers after being attacked. Most of the major antivirus vendors did not stop it. <a href="http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/">McAfee</a> and <a href="http://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have">Symantec</a> released updated definition files by Thursday evening – too late to stop the damage. One of the attributes of this virus is that it may disable or entirely delete your security software, so remediation becomes that much more difficult.</p> <p>It’s a case of oldies but goodies. ‘Here you have’ is not a zero-day attack. It does not use some advanced never-before-seen technique to infect your PC. It is a mass-mailing worm using simple social engineering to infect and common techniques to propagate. All it takes is a few unsuspecting folks to click on a link from a benign-looking email. Instead of getting the PDF attachment or whatever they think they are opening, an SCR virus file is dropped on their system. This file then proceeds to email itself to everyone in the victim’s address book, while also dropping other malicious files onto the system. 
Then, a whole new set of people receive the email, except this time it’s from someone they likely trust, and the process repeats itself with victim computers growing in numbers exponentially. The virus payload is still being analyzed, but it does a lot more than simply mass email itself. It propagates to mapped drives and removable drives, disables various security products and may attempt to steal passwords. It creates files with official sounding names like csrss.exe (although it places those files in different locations than the original/official versions). It changes system configuration settings and generally just makes a mess of your system.</p> <p>We saw this before with the <a href="http://archives.cnn.com/2000/TECH/computing/05/04/iloveyou.01/">ILOVEYOU</a> worm in 2000 and <a href="http://www.sophos.com/pressoffice/news/articles/2001/02/va_kournikova.html">Anna Kournikova</a> worm in 2001. But wait, we can go back even further. Mass-mailing worms first hit the world stage in 1999 with the <a href="http://www.cert.org/advisories/CA-1999-04.html">Melissa virus</a>. Each of those cases wreaked havoc on a global scale. More than 10 years later and the world is still getting fooled by the same tricks. A decade has passed and traditional antivirus security still can’t stop the next variant. This is madness, simply madness.</p> <p>I hate sounding like a broken record, but it needs to be said yet again… traditional detect and react security does not work. Advanced whitelisting, like Bit9 Parity, can and does stop the ‘Here you have’ worm, and it will stop the next one too. It’s quite simple – if a file tries to execute that is not approved, it is blocked. It doesn’t matter if the person sending the email is someone you trust. It doesn’t matter if the file trying to run sounds official. We weren’t up late last night trying to update malware signatures because we don’t use malware signatures. 
We already have customers calling us to thank us for protecting them from this attack.</p> <p>To those companies and users currently down because of ‘Here you have’, I feel your pain but after more than 10 years of the same thing happening over and over again, maybe it’s time to re-think your defenses. To our customers who slept well last night, you’re welcome.</p> f1397696-738c-4295-afcd-943feb885714:14060 Finding the Needle in the Haystack http://blog.bit9.com/bid/14039/Finding-the-Needle-in-the-Haystack <p>A common theme among some of the companies we've been working with lately has been the acknowledgement that they are already hacked or infected; they just can't prove it.  This theme has been echoed by many of the conferences I’ve attended over the past few years, so maybe it is starting to sink in a little!  Regardless of the source, these organizations have a common objective:  they want to locate the malware that is dodging their current defenses.</p> <p>If you think about it, this is a very daunting task.  Basically the task is to narrow down a list of hundreds of thousands or millions of files to a subset that is questionable.  This is not too different from challenges that face other industries, like law enforcement, where they attempt to identify a thief or an organized crime gang among millions of innocent people.  So, using Parity, I’ll demonstrate how it is possible to speed this project on its way.</p> <p>We’ll be relying on attributes of files that Parity gathers and makes available for reporting.  We’ll also be using some of the reporting and filtering functionality available in the solution.</p> <p>First, I’ll define three categories of attributes that we’ll use in the analysis: authenticated, reasonable, and unreliable.  Authenticated attributes are either a digital certificate or a hash; attributes that are relatively irrefutable, much like a fingerprint.  
Reasonable attributes are ones that are discovered by the operating system or by Parity and are accurate but not by themselves conclusive:  file path, Threat score, or file size.  Unreliable attributes are ones that can easily be spoofed in the file metadata and should not be used for making a decision:  company name, product name, or product version.</p> <p>With those attributes as our framework, let’s look at some ways to narrow down our population of files.</p> <p>With the Parity software, we can create baselines of our existing standard images.  I know I used to build my standard images in an offline setup so I had a reasonable degree of certainty that malware didn’t exist in my standard image.  We can then filter out all of the files that are in my baselines, assuming those are known-good files.</p> <p>Next, I’ll toss out all of the files that are digitally signed.  True, malware could be signed, but I can identify all of the signed files in a different report in Parity and that would be rather trivial to spot.</p> <p>I’ll also use the reasonable attribute of Threat to toss out all of the clean files.  Threat is a verification on a hash level that Bit9 has an exact copy of that file in our ParityKnowledge repository and it has checked out to be clean by all of the leading Anti-Virus scanners.</p> <p>Finally, I’ll filter out all of the files larger than 1MB.  Why would I do that?  Well I took a look at over 10 million pieces of malware that we have collected for our knowledgebase, and statistically speaking, 99% of malware over the past decade has been smaller than 1MB.  I thought that was pretty amazing, but it actually makes sense:  who wants to try and surreptitiously move a 10MB file around a network and onto hundreds of machines?</p> <p>I can also filter on other reasonable attributes like Trust, file prevalence, and file path to whittle my list down further. 
</p> <p>In my tests, using many of the filters mentioned above, I’ve been able to pare down my population of files by 90% or more.  Does it draw an arrow and pinpoint the advanced threat?  Not at first blush, but thieves aren’t exactly lined up outside the police station volunteering their identity either. It definitely sets me up, however, to do so in a much shorter timeframe with the remaining files!</p> f1397696-738c-4295-afcd-943feb885714:14039 How Bit9 Stops DLL Hijacking Attacks with Application Whitelisting http://blog.bit9.com/bid/13984/How-Bit9-Stops-DLL-Hijacking-Attacks-with-Application-Whitelisting <p>Check out this new <a title="video " href="http://www.youtube.com/watch?v=VKO0vlQFQ9I" target="_blank">video </a>on YouTube by Brian Heffernan, Bit9 Systems Engineer. He demonstrates how Bit9 Parity <a title="Application Whitelisting" href="http://blog.bit9.com/www.bit9.com" target="_blank">Application Whitelisting</a> can be used to stop the "new" DLL hijacking attacks - similar to how Bit9 Parity stops an <a title="Advanced Persistent Threat" href="http://www.bit9.com/apt/index.php" target="_blank">Advanced Persistent Threat</a> attack.</p> f1397696-738c-4295-afcd-943feb885714:13984 The Buckshot Heard Round The World; Bit9 Weighs in On Cyber Security http://blog.bit9.com/bid/13959/The-Buckshot-Heard-Round-The-World-Bit9-Weighs-in-On-Cyber-Security <p>It may seem passé to be discussing an attack from 2008. Two years is an eternity in the cyberworld. But the incident discussed in a recent <a title="New York Times article " href="http://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=2&scp=1&sq=military%202008%20flash%20drive&st=cse" target="_self">New York Times article </a>(see also <a title="CNN" href="http://www.cnn.com/2010/TECH/innovation/08/25/pentagon.cyberattack/index.html" target="_self">CNN</a>) was a watershed moment worthy of revisiting.</p> <p>In 2008, a flash drive was plugged into a laptop on an American military base. 
It contained the Agent.btz virus, and proceeded to propagate from device to device, machine to machine, planting its tentacles across both secure and non-secure networks within the government. Details of what information or what systems were compromised were never made public, but we know the attack was severe enough to warrant a security brief for the President of the United States. The effort to counter this attack was dubbed Operation Buckshot Yankee.</p> <p>I was there, working with our government and civilian customers, when the DoD ban of all portable devices went into effect (it was later relaxed, but the initial ban was without exception across all their sub-agencies and contractors). All of the computer systems within the Defense Department were running the latest antivirus software with firewalls, intrusion detection, internet filtering, and advanced policy management settings. Millions, if not billions, of dollars had been spent on IT security. Yet one tiny device, with a payload less than 1MB, went undetected and wreaked havoc. All that money, manpower, and technology, and Uncle Sam was reduced to physically banning the use of USB sticks.</p> <p>It reminds me of a Dr. Seuss story that I used to read to my kids, Yertle the Turtle. There’s a line in that story, “his burp shook the throne of the king”. One tiny turtle, at the bottom of a stack, caused the entire system to collapse. This flash drive “burp” got the attention of the highest levels of government. It’s as if a light bulb went off in the heads of the top brass, “This really happened? How could our cyber defenses be so ineffective? There has to be a better approach.”</p> <p>I saw two things happen next. First, the collective recognition within the government that traditional “react-and-respond” security was ineffective against today’s cyber threats. New approaches, like the “proact-and-prevent” paradigm of whitelisting, were needed. 
Bit9 was already successful within the government sector, but this raised awareness to a new level.</p> <p>The second thing that happened is, when the global ban of all things removable went out, the world didn’t end. It quickly evolved into more relaxed policies and selective/monitored exceptions, and it’s certainly not the ideal way I would recommend transforming a security posture. But under fire, it was necessary. The posture transformed from “let everything in and then see if it behaves badly” to “block everything until it is verified to be good”. That model has always been the way the government approaches personnel security, but it had not been applied to cyber security. People were so used to the old way of thinking about security that they feared change. This incident and the Operation Buckshot Yankee response showed that approval based protection works.</p> <p>Whether you’re talking about people, or removable devices, or software, positive security is more effective than negative security.</p> f1397696-738c-4295-afcd-943feb885714:13959 The Barclays - Another Live Event with Premium Video Metadata http://digitalsmiths.com/node/439 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Aug 26th, 2010 01:46 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Following up on the <a href="http://www.usatoday.com/sports/golf/pga/2010-08-16-tv-ratings-drop_N.htm" target="_blank">huge</a> online success of the 2010 PGA  Championship, Turner Sports is using Gotuit metadata in the live 
broadcast of their next golf event – The Barclays, going on right now at the Ridgewood Country Club in Paramus, New Jersey.</p> </div> <div> <a href="http://digitalsmiths.com/node/439">Continue Reading...</a> </div> 439 at http://digitalsmiths.com 'Zero Days' of Summer: Application Whitelisting, Bit9 & DLL Hijacking http://blog.bit9.com/bid/13915/Zero-Days-of-Summer-Application-Whitelisting-Bit9-DLL-Hijacking <p><strong> </strong><strong>The Zero-Days Of Summer</strong></p> <p>Summer is coming to a close and yet another “zero-day” exploit is being reported (See <a title="here" href="http://www.reuters.com/article/idUS2168761020100825" target="_blank"></a><a href="http://www.reuters.com/article/idUS2168761020100825">here</a> and <a title="here" href="http://www.pcworld.com/businesscenter/article/204017/microsoft_applications_plagued_by_binary_planting_flaw.html" target="_blank"> here</a>). It's not really a "zero-day", as it has been known for a long time; it’s more a design “quirk” or flaw in Windows, but the media likes to say zero-day, so I’ll oblige.</p> <p>This one is going by the names “Binary Planting”, “DLL load hijacking”, and “DLL preloading”. According to <a title="ACROS Security" href="http://www.acrossecurity.com/" target="_blank"></a><a href="http://www.acrossecurity.com/">ACROS Security</a>, this vulnerability impacts around 200 widely used Windows applications, many of them from Microsoft. Another day, another zero-day, and the anti-malware vendors and Microsoft are forced to react, update malware signatures, and provide security updates.</p> <p>This one is a little more pernicious because it involves behavior that many applications rely upon. Microsoft does not have a simple patch for this problem. Rather, they have introduced an <a href="http://support.microsoft.com/kb/2264107">update</a> that allows you to create registry entries that <em>may</em> thwart such attacks but requires some pretty heavy lifting (i.e. 
forethought on the part of the system administrator to use properly). What a pain.</p> <p>What is interesting is that this zero-day, almost by definition, is exactly the type of attack that whitelisting mitigates. We at Bit9 are not changing a thing in reaction to this latest vulnerability because Parity already stops it.</p> <p>Let's break it down in simple terms. Most Windows applications contain or rely upon dozens of independent files. These files are dynamically loaded when the application runs – hence the term Dynamic-Link Library (DLL). (Note: Acros Security claims the vulnerability can also impact EXE and COM files, but the principle behind the vulnerability is the same.) When a Windows application loads a DLL file, if it doesn’t specify a full path to that file, Windows will search a predefined set of locations. This allows programs to use shared files in the Windows System folder or anywhere in your PATH environment variable, for example, without any heavy lifting. The application simply needs to specify the filename.</p> <p>If an attacker can place a file with the same name at a search location <em>before </em>the legitimate version of that file, they can get their code to run – with all the elevated privileges that your application has. Essentially, this solves the second of the two key problems that an attacker must overcome: the first is that they must get their program onto your system; the second is they must find a way to launch that code, ideally bypassing any privilege restrictions. As a bonus, they get a level of stealth because you won’t see any “strange” processes running, and if you were to look at the names of the libraries loaded in memory, you likely won’t see anything suspicious.</p> <p>(Note: The attacker still needs to get their file onto your system at the right location, or trick you into opening a document from a remote location where their malicious library is present. 
Therefore, it is likely that an effective use of this vulnerability will still involve using other exploits or social engineering as part of the attack.)</p> <p>This entire problem is non-existent if you are using an advanced whitelisting solution like Parity. Parity only allows files that are approved to load; it doesn’t matter whether they are in the Windows search path or even in the same folder as a legitimate application. It’s really very simple -- even if the application (or executable) is approved, if it tries to load an unknown or unapproved library, it will be stopped.</p> <p>This exploit is also a great case study on the limitations of blacklisting. Since the attack can take the form of any known filename in any possible location, there is no malware “signature” that can be used to stop it globally. Only once an instance of such an attack is discovered can a signature be reactively made. Anti-malware technologies may be able to stop some of the vectors by which the file is placed, but unless the file is known bad, its simple existence in an unexpected location is not a good enough trait to build a blacklist signature.</p> <p>It's also worth noting that other reactive technologies, such as HIPS, would be equally ineffective at stopping this type of attack. A HIPS product looks for suspicious or bad network activity. So, by definition, the malware would already have to be loaded into memory <em>and</em> running before HIPS would be able to detect anything. Moreover, most modern attacks remain stealth, dormant or avoid suspicious network activity. They can do a lot of damage without triggering any HIPS-detectable behavior. Lastly, like anti-malware, HIPS technology is only as good as its latest rules, which need to be updated continually in response to known bad activity, bad IP addresses, etc.</p> <p>If you’re waiting for your AV or HIPS vendor to fully protect you from this one, good luck.</p> <p>There are still a few days left in summer. 
We’ll wait and see what zero-days are lurking in the shadows. But while the blacklisting vendors keep chasing their tails reacting to each new exploit, I’m thinking I might sneak in a few more days at the beach.</p> f1397696-738c-4295-afcd-943feb885714:13915 PGA Tees Up Gotuit For 2010 PGA Championship http://digitalsmiths.com/node/440 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Aug 13th, 2010 07:27 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Golf anyone?  Yesterday, we went live with our latest major implementation – this one with PGA and Turner Sports powering the video for the <a href="http://www.pga.com/pgachampionship/2010/index.cfm" target="_blank">2010 PGA Championship</a>.  Gotuit time-based video metadata is being used to define each shot for each golfer as they happen live across three different video feeds for the entire tournament.</p> </div> <div> <a href="http://digitalsmiths.com/node/440">Continue Reading...</a> </div> 440 at http://digitalsmiths.com IP Matters. 
http://digitalsmiths.com/node/441 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Aug 5th, 2010 02:23 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Yesterday, it was <a href="http://gigaom.com/2010/08/04/facebook-buys-friendster-patents-for-40m/" target="_blank">announced</a> that Facebook bought the social networking patent portfolio owned by Friendster for $39.5 million.  This included seven issued <a href="http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=/netahtml/PTO/search-adv.htm&r=0&p=1&f=S&l=50&Query=an/friendster%0D%0A&d=PTXT" target="_blank">patents</a> and eleven patent applications the earliest of which only dates back to 2006, (but is at the beginnings of social netwo</p> </div> <div> <a href="http://digitalsmiths.com/node/441">Continue Reading...</a> </div> 441 at http://digitalsmiths.com A Look at Fraud Prevention and the ROI Curve http://feedproxy.google.com/~r/bankfraudforum/~3/l6gex84K9ro/A-Look-at-Fraud-Prevention-and-the-ROI-Curve.aspx What's the point of fraud prevention? Perhaps the simplest answer is that it pays by recovering losses (costs) to the organization. 
This article discusses the importance of understanding the power of enterprise fraud management analytics and the return on investment of your organization's fraud mitigation efforts. {5CB35013-EEB7-420A-91E8-115225FBCD24} How Gotuit Metadata Unleashes President Barack Obama http://digitalsmiths.com/node/442 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jul 29th, 2010 04:24 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Congratulations to our customer ABC for their historic achievement of having the first daytime talk show to host a sitting President, when President Barack Obama appeared today on The View!  The full video of his appearance is available within the Gotuit-powered VIEWer's Choice.</p> <p>Using Gotuit's time-based video metadata, each individual question and answer that President Obama gave can be instantly accessed, shared via direct URLs, and embedded in blogs like this one.  
For example, click the links below to see some of the key topics they discussed, such as:</p> </div> <div> <a href="http://digitalsmiths.com/node/442">Continue Reading...</a> </div> 442 at http://digitalsmiths.com Have you hugged your risk managers today? http://feedproxy.google.com/~r/bankfraudforum/~3/WQKDsY9UmXs/Have-you-hugged-your-risk-managers-today.aspx Risk management is enjoying a lot of <a href="http://www.mementosecurity.com/bankfraudforum/index.php/fraud_news_comments/cros_are_feeling_pressure_on_all_sides/">attention</a> these days. And I don't just mean the person at your institution that holds the title of Chief Risk Officer or the equivalent. I mean everyone that thinks like a risk manager, that asks the tough questions, "How will this new product/service/payment channel impact the risk profile of this institution?" I'd argue that one illustration of how shoddy risk management impacts financial institutions is the graph below. {C86D4BB1-5DCC-4B6E-8CE3-4EE5EFF5E4B9} Whitelisting at 30,000 feet http://blog.bit9.com/bid/13388/Whitelisting-at-30-000-feet <p>Right now I'm flying back to Boston after visiting a prospect this week (so I’m literally at 30,000 feet) and an interesting event occurred before takeoff that I thought I’d share! </p> <p>The plane waits at the gate for many extra minutes and a man eventually runs on, presumably because our flight had waited for him.  As he boards, he hands the flight attendant five or six candy bars.  
That seemed odd, but she thanked him and he wandered down the aisle, likely getting stuck in a middle seat.</p> <p>What happened next sent me into a tizzy.  The flight attendant opens the “flight deck” door and hands each of the pilots one of the candy bars!  Maybe I’ve watched one too many movies, but that immediately struck me as a horrible idea.  What if both pilots eat them?!  Then I thought “maybe the flight attendant knows the man and trusts him.”  So I asked the flight attendant if that was the case and she said “no, I have no idea who he is.”  Outstanding….</p> <p>In reality, however, what happened there is analogous to what happens to our users every day when they browse the web and check email.  Innocent-looking and even "corporate-branded" websites and emails entice them to “click here”, “download this”, or “install now” and almost all of it is garbage.</p> <p>Really, I’m fine if the man had handed candy bars to everyone on the flight and everyone gets sick and rolls off the plane.  But whatever food goes into that cockpit had better be WHITELISTED!  :D</p> f1397696-738c-4295-afcd-943feb885714:13388 One Year later – A Veteran's Perspective http://feedproxy.google.com/~r/bankfraudforum/~3/Ny4sf4HykCc/One-Year-later-%C3%A2-A-Veteran%C3%A2-s-Perspective.aspx Tim Brady discusses what has changed over the past year in fighting and preventing fraud. 
He comments that as banks lose more of their ability to generate fee income, it is becoming more apparent that they need to ‘rethink fraud’ and its impact on the bottom line. {B8CDFB46-F894-4125-B992-B82F8550EF2C} Can Your System Adapt to Changing Fraud Schemes? http://feedproxy.google.com/~r/bankfraudforum/~3/_ssp8_jir5o/Can-Your-System-Adapt-to-Changing-Fraud-Schemes.aspx Many instances of fraud do follow predictable patterns that are relatively easy to detect and prevent. However, it is the fraud that is “below the radar” (aka not detected by the bank's fraud rules) that is of concern. This article discusses how fraud systems need to be flexible to respond to the rapidly changing nature of fraud schemes today. {FD2A5389-B29E-4194-9AAF-F2FE271AF436} "Slice and Dice" Your Video - With Metadata http://digitalsmiths.com/node/443 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img 
src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jul 8th, 2010 04:37 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Have you checked out <a href="http://www.fox.com/hellskitchen/video/" target="_blank">“Sliced and Diced”</a> yet?  This is the Gotuit-powered video portal for Hell’s Kitchen that FOX launched last month.  It is the latest and greatest site we have done to date.</p> <p><img src="http://digitalsmiths.com/sites/default/files/imce/Hells-Kitchen-lobster-resized-600.jpg" alt="" width="600" height="352" /></p> </div> <div> <a href="http://digitalsmiths.com/node/443">Continue Reading...</a> </div> 443 at http://digitalsmiths.com The Mashery Blog http://mashery.wordpress.com/2010/06/30/the-mashery-blog/ Please visit http://blog.mashery.com to read the official Mashery Blog. 
Thank you, The Team at Mashery http://mashery.wordpress.com/?p=51 Knowing When to Stop http://feedproxy.google.com/~r/bankfraudforum/~3/yQPIo8EWdnQ/Knowing-When-to-Stop.aspx This article discusses the issue of false positives, the accuracy of fraud detection systems, and the question: when dealt a queue of fraud alerts for review, how do you know when to stop? {D071D0BA-B2DE-413E-A44C-4F92AEEAAB4C} Visualizing Software Risk - part 2 http://blog.bit9.com/bid/13072/Visualizing-Software-Risk-part-2 <p>In my last post, I graphed the introduction of software onto a new system. In this post, I'll graph the risk that that software poses to an environment.</p> <p>When they introduce an unapproved application, end users seldom realize the risk that change could pose to the network. For example, a single user introducing an alternate web browser onto their computer might have a risk profile that looks like the graph below. 
By itself, a single application on a single computer does not pose a huge threat to the network (unless of course that application is malicious in nature, but we will assume for now it is not).</p> <p><img src="http://blog.bit9.com/Portals/447/images/software_pull_2-resized-600.png" border="0" alt="software pull 2 resized 600" hspace="3" vspace="3" width="70%" height="70%" /></p> <p>(You can download a larger version here: <a title="http://bit.ly/aXBFnE" href="http://bit.ly/aXBFnE" target="_blank">http://bit.ly/aXBFnE</a> )</p> <p>Over time, there may be patches or updates that need to be applied to the application, and because the end user is likely the only one who knows about this application, it is up to them to apply these patches or updates. In an attempt to address the lack of central patching and upgrading, many products now come with self-updating functionality that will check for these files either at runtime or on a set schedule. Unfortunately, most end users are aware of neither the importance nor the urgency with which some of these patches need to be applied. Therefore, updates get postponed, versions get skipped, and vulnerable applications grow within the network.</p> <p>Now the graph will move up the risk scale a bit because there is little control over this unknown web browser and there is a level of uncertainty about its patch level. The application that has been installed, the responsiveness of the publisher, and the timeliness of the patches can also bump up the risk level. For example, Secunia reports that Firefox, a very common alternate browser, had to release patches for 115 vulnerabilities in 2008 (source: <a title="http://bit.ly/cFAA4z" href="http://bit.ly/cFAA4z" target="_blank">http://bit.ly/cFAA4z</a> ). 
Comparatively, Internet Explorer, whose patching IT has a fairly good grasp of, suffered from 31 in 2008.</p> <p> <img src="http://blog.bit9.com/Portals/447/images/software_pull_3-resized-600.png" border="0" alt="software pull 3 resized 600" hspace="3" vspace="3" width="70%" height="70%" /></p> <p>(You can download a larger version here: <a title="http://bit.ly/biXqpK" href="http://bit.ly/biXqpK" target="_blank">http://bit.ly/biXqpK</a> )</p> <p>This issue is only compounded by the fact that users will install not only an alternate web browser but also games, toolbars, media players, peer-to-peer tools, and a plethora of other programs, either intentionally or unintentionally.</p> <p>This final graph shows the compound level of risk that multiple machines introduce when they all have unwanted programs added to them. It is very easy to see why unauthorized software is almost more of a concern these days than malicious software.</p> <p><img src="http://blog.bit9.com/Portals/447/images/software_pull_4-resized-600.png" border="0" alt="software pull 4 resized 600" hspace="3" vspace="3" width="70%" height="70%" /></p> <p>(You can download a larger version here: <a title="http://bit.ly/ddF79Q" href="http://bit.ly/ddF79Q" target="_blank">http://bit.ly/ddF79Q</a> )</p> <p>All of these programs expose an organization to increased support costs as unwanted programs conflict with business-related applications, increased re-imaging costs as the easiest and most effective way to eliminate this software from an end user’s computer is to start from scratch, and an increased risk that a computer will be compromised with an attack on a vulnerable application.</p> <p>Coupled with strong written policies, it is understandable why many organizations are turning towards methods that can apply tighter control around what software end users are able to introduce onto their systems. 
Without a reasonable mechanism for attempting to inventory and patch unauthorized software, the best approach for IT is to prevent the introduction of these applications in the first place.</p> f1397696-738c-4295-afcd-943feb885714:13072 Visualizing Software Risk http://blog.bit9.com/bid/12879/Visualizing-Software-Risk <p>At Bit9, we talk with customers and prospects every day about the risk that unauthorized software introduces into an environment.  Some IT folks have a difficult time presenting to senior management what the actual threat to the environment is of users introducing programs like iTunes, Firefox, or Skype. They are so commonplace that we start to get the impression that they are benign!</p> <p>I've put together some charts, that could be incorporated into a presentation, to help convey the message that any unmanaged application, especially if IT is unaware that it exists within the environment, is an exposure that should be addressed.</p> <p> <img src="http://web.bit9.com/Portals/447/images/software_pull1-resized-600.png" border="0" alt="" align="none" /></p> <p> </p> <p>(You can download a larger version here:  <a href="http://bit.ly/8YxzqJ" target="_new">http://bit.ly/8YxzqJ</a> )</p> <p>This graph illustrates the typical introduction of new software onto a freshly imaged system.  The bane to any of us who have ever spent days or weeks creating a pristine base image!  I think the important thing to note is that much of the "software pull" that happens over the lifetime of the computer, happens relatively early.  Within hours or days of a user being issued a system, they have re-introduced their favorite chat programs, music players, screen savers, and more.  
Once the user is satisfied with the state of the software, then over the coming months and years, you have blips of software packages getting installed, or a package upgrading to a newer version.</p> <p>Once new unknown software has been introduced, the attack surface of that system goes up significantly.  My next post will discuss this further.</p> f1397696-738c-4295-afcd-943feb885714:12879 Gotuit Executive Organizes 8th Annual “Big” Golf Tournament Benefiting BBBSMB http://digitalsmiths.com/node/444 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jun 24th, 2010 08:55 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Dan Gill, Gotuit's VP of Sales & Business Development, tournament Chairman and Big Brother, along with his committee of fellow Bigs and Big Alumni organized the 8th Annual "Big" Golf Tournament to benefit Big Brothers Big Sisters of Massachusetts Bay .</p> <p>This event was created for Bigs, so other Bigs could get together, have fun, and fundraise for a cause near to their hearts. The tournament was held on Tuesday, June 22nd at Sandy Burr Country Club in Wayland.</p> </div> <div> <a href="http://digitalsmiths.com/node/444">Continue Reading...</a> </div> 444 at http://digitalsmiths.com What do soccer (or football, if you prefer) and fraud have in common? 
http://feedproxy.google.com/~r/bankfraudforum/~3/T8lZm-9sq7U/What-do-soccer-or-football-if-you-prefer-and-fraud-have-in-common.aspx Identity fraud crimes typically involve at least a pair of separate acts, and perpetrating the crime is often a 3-step process. This article outlines the need for a holistic approach to combating this type of fraud, one that brings the IT security and fraud/loss prevention groups to communicate better and work closely together with the help of technology. {4CD55636-1E61-400F-8929-E8306ADC96EC} Announcement: Bit9 Parity Suite 6.0 http://blog.bit9.com/bid/13006/Announcement-Bit9-Parity-Suite-6-0 <p>This morning, Bit9 announced the launch of Bit9 Parity Suite 6.0 - the latest version of our award-winning application whitelisting solution. Bit9 Parity Suite 6.0 provides advanced threat protection against targeted and zero-day attacks.</p> <p>As evidenced in the recent Operation Aurora attacks, the threats companies face now are much more organized, deliberate, and covert than seen in past years. With the evolving threat environment, there is no choice but to change a company's approach to security. 
We believe that Application Whitelisting is a central part of the answer, the "foundational" layer of the security pyramid as Gartner explains it.</p> <p>In our recent Bit9 Unauthorized Threat Report, we found that 99 percent of polled companies noted that antivirus was running on their computers, but 46 percent noticed malicious software had passed through that antivirus security layer. These weaknesses are being targeted explicitly by cybercriminals in hopes of attaining companies' confidential information through the holes left open by antivirus.</p> <p>The most evident problems that customers have identified as putting their business and government environments at risk are the lack of properly enforced IT policies and the inadequate management and protection of systems. To address these problems, new features found in Bit9 Parity Suite 6.0 include:</p> <p><strong>File Integrity Monitoring</strong> - Bit9 Parity 6.0 continuously monitors, controls and reports on all changes that occur to help prevent malware from making unauthorized changes to sensitive files. Bit9's FIM capabilities provide <a title="PCI DSS compliance" href="http://web.bit9.com/solutions/compliance/pcidss.php" target="_blank">PCI DSS compliance</a>.</p> <p><strong>Registry Protection</strong> - Bit9 Parity 6.0 comes with out-of-box policies to secure high risk and targeted registry objects. Bit9 protects specific registry objects from unauthorized and malicious changes and helps demonstrate compliance.</p> <p><strong>Operating System Integrity</strong> - Bit9 provides operating system tamper protection, which prevents malicious hackers from harming the OS.</p> <p><strong>Threat Identification</strong> - Using the Bit9 <a href="http://www.bit9.com/products/gsr.php" target="_new">Global Software Registry</a><sup>TM</sup>, the largest repository of software intelligence, Bit9 provides a live software inventory of all software on organizations' endpoints at any given time. 
Bit9 provides a Trust Factor on all software and identifies all malware attempting to execute including the <a href="http://www.bit9.com/apt/index.php" target="_new">Advanced Persistent Threat</a>. Bit9's live reports provide IT professionals with the ability to demonstrate when an advanced attack bypasses antivirus and is stopped by Application Whitelisting.</p> <p>To learn more about<a href="http://www.bit9.com/products/parity.php" target="_new"> Bit9 Parity Suite</a> 6.0, visit our website <a href="http://www.bit9.com/products/parity.php" target="_new">here</a>. Or if you want a free trial, sign up <a href="http://www.bit9.com/forms/trial.php" target="_new">here</a>.</p> f1397696-738c-4295-afcd-943feb885714:13006 Content is Tony Stark and Data is Iron Man. http://digitalsmiths.com/node/370 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Jun 22nd, 2010 10:49 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>I saw Iron Man 2 about a week ago and was not able to get the Black Sabbath 70’s hit “I am Iron man” out of my head until I saw a recent TV preview for Marmaduke featuring animated dogs singing and dancing to Ke$ha’s “Tik Tok”.  
</p> </div> <div> <a href="http://digitalsmiths.com/node/370">Continue Reading...</a> </div> 370 at http://digitalsmiths.com Bit9 Announces CSA Replacement Program http://blog.bit9.com/bid/12919/Bit9-Announces-CSA-Replacement-Program <P mce_keep="true"> </P> <P>Today, Bit9 launched a migration program for customers of Cisco Security Agent (CSA) endpoint security solution, which is now scheduled for end of life. See the announcement on the Cisco website <a href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html" rel="nofollow" target="_new" mce_href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html">here</a>.</P> <P><BR></P> <P>Cisco customers that replace their current CSA solution will receive promotional pricing of Bit9 Parity<SUP>TM</SUP> Suite that will be offered until December 31, 2010.  You can get a quote by emailing us at contact@bit9.com or filling out the form <a href="http://www.bit9.com/forms/trial.php" target="_new" mce_href="http://www.bit9.com/forms/trial.php">here</a>.</P> <P mce_keep="true"> </P> <P>This program was created in response to the many inquiries we have already received from customers looking for a replacement solution.  And Bit9 has already replaced CSA in large corporate environments.</P> <P mce_keep="true"><BR>Security and IT professionals have historically looked to CSA for:</P> <P mce_keep="true"> </P> <UL> <LI></LI> <LI><STRONG>-</STRONG>  Zero-day protection against attacks for which no patch or antivirus signature yet exists;</LI> <LI><STRONG>-</STRONG>  Visibility and control of applications and sensitive data against loss from users and targeted malware; and,</LI> <LI><STRONG>-</STRONG>  Total security that protects systems even when users are not connected to the corporate network or computers that lack the latest patches or antivirus signatures. 
</LI> <LI></LI></UL> <P mce_keep="true"> </P> <P>Bit9 Parity offers this and more and is a reliable and proven alternative.</P> <P mce_keep="true"><BR>Organizations interested in learning more about Bit9, Inc.'s CSA migration program can visit: www.bit9.com/csamigration, where they can find case studies from companies that have already made the switch, as well as whitepapers and webcasts.</P> f1397696-738c-4295-afcd-943feb885714:12919 Gotuit Recognized In The Rich Media Category At The 2010 MITX Technology Awards http://digitalsmiths.com/node/445 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jun 3rd, 2010 03:37 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><img src="http://digitalsmiths.com/sites/default/files/imce/MITXWinner.jpg" alt="" width="79" height="53" /></p> <p><em>Seventh Annual Awards Celebrates New England's Most Inventive Technology Advancements</em></p> </div> <div> <a href="http://digitalsmiths.com/node/445">Continue Reading...</a> </div> 445 at http://digitalsmiths.com Conan's Rethinking The Future Of Network Television -- And So Am I http://digitalsmiths.com/node/369 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew 
Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on May 24th, 2010 03:27 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Not sure if you had the chance to catch <a href="http://tech.fortune.cnn.com/2010/05/08/conans-google-interview-hits-youtube/" target="_blank">Conan O'Brien's interview with Google</a>, but I did, and I think he is onto something. In the interview, Conan talks about how network television is essentially becoming dated, referencing his recent split from "The Tonight Show" and how he has been reaching millions of fans through Twitter to promote his new TBS gig, as opposed to relying on television to reach his massive fan base.</p> </div> <div> <a href="http://digitalsmiths.com/node/369">Continue Reading...</a> </div> 369 at http://digitalsmiths.com Khobe: Final Nail in the Antivirus Coffin? http://blog.bit9.com/bid/12687/Khobe-Final-Nail-in-the-Antivirus-Coffin <P>Called an "8.0 earthquake for Windows desktop security software" by its creators (Matousec.com), KHOBE (Kernel Hook Bypassing Engine), or the argument-switch attack, has recently been presented as a technique that can bypass most antivirus software.</P> <P>Last week, researchers at Matousec.com showed how attackers could exploit the kernel driver hooks that most <a href="http://www.pcworld.com/article/182539/advanced_antivirus.html?tk=rel_news" target="_new">antivirus security software</a> uses to reroute Windows system calls through its own code, checking for potentially malicious code before it is able to execute. 
The <a href="http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php" target="_new">Matousec-written paper</a> described how an attacker could swap out benign code for malicious code between the moment the security software issues a green light and the moment the code actually executes.</P> <P>This is yet another example of why enterprises cannot place all their eggs in the AV basket. Today's malware writers and hackers are skilled enough to penetrate even the most up-to-date and expensive antivirus/anti-spyware software. This latest finding by Matousec shows that this is an industry problem and not a failure of attention by a particular vendor. 35 of the most popular antivirus software programs have been identified as being vulnerable to this "argument-switch" attack. Perhaps this is finally the final nail in the coffin - at least in the eyes of its user base.</P> <P>Right now, the best advice being given to computer users is to avoid opening email from unknown sources and to avoid clicking on suspicious pop-up ads. Why leave it to chance? Controlling applications at the endpoint - in a more positive approach - makes more sense. 
<BR></P> f1397696-738c-4295-afcd-943feb885714:12687 NBA & Turner Launch NBA Playoff Highlight Site, Powered by Gotuit http://digitalsmiths.com/node/446 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on May 13th, 2010 09:54 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Anyone else gripped by NBA Playoff fever?  We here at Gotuit are, and not just because the Celtics are putting on such a show.  Coming on the heels of Turner's <a href="http://www.nba.com/insidethenba/" target="_blank">Inside the NBA</a> site that we power, Turner and the NBA launched another site, just for the 2010 NBA Playoffs.  Called the <a href="http://www.nba.com/highlightreel/" target="_blank">NBA Playoffs Highlight Reel, Presented by Starbucks</a>, this site has the best highlights from each of the 2010 NBA Playoff games starting in the secon</p> </div> <div> <a href="http://digitalsmiths.com/node/446">Continue Reading...</a> </div> 446 at http://digitalsmiths.com HIPS versus Application Whitelisting: Which is better? http://blog.bit9.com/bid/12610/HIPS-versus-Application-Whitelisting-Which-is-better <P>This webcast by research analyst Eric Ogren will focus on the failure of Host Intrusion Prevention Systems (HIPS) to provide scalable endpoint security. And it will discuss the emerging acceptance of Application Whitelisting as the foundational approach to endpoint security - the foundation used to stop advanced threats. 
</P> <P mce_keep="true"> </P> <P>Sign up for the web seminar <a href="http://www.bit9.com/landing/hipswebcast/" target="_new" mce_href="http://www.bit9.com/landing/hipswebcast/">here</a>. </P> <P mce_keep="true"> </P> <P>Eric Ogren has intimate knowledge of HIPS technologies, as he was an executive at Okena, which through acquisition became Cisco Security Agent (CSA). </P> <P mce_keep="true"> </P> <P>One of the big problems with HIPS is the prohibitively expensive administration required to continually update the behavioral signatures. Another is that it fails to stop advanced threats. Another is high false positives. </P> <P mce_keep="true"> </P> <P mce_keep="true">It's a controversial topic. I'm interested in others' thoughts on the issue.</P> f1397696-738c-4295-afcd-943feb885714:12610 It's Time for Better Cyber Security http://blog.bit9.com/bid/12560/It-s-Time-for-Better-Cyber-Security <P mce_keep="true"> </P> <P>There have been many calls to action over the past few years for government to take a stronger stance in the fight against cybercrime.  While well intentioned, there have been a variety of local and national hurdles to achieving real cooperation, including a variety of extradition laws, varying volume and type of local resources, and tried and true national security concerns.</P> <P mce_keep="true"> </P> <P>All that seems to be changing, sparked in large part by Operation Aurora and its impact on large multi-national companies that are at the center of commerce for a number of countries, including rumored defense contractors.  Two recent items in the past week bring this changing reality to the forefront.</P> <P mce_keep="true"> </P> <P>     * The East West Institute is holding its first <a href="http://www.ewi.info/worldwide-cybersecurity-summit" target="_new" mce_href="http://www.ewi.info/worldwide-cybersecurity-summit">WorldWide Cybersecurity Summit</a> this week in Dallas.  
The program is focusing on international cooperation and the need for governments to proactively engage in stronger security laws and technologies, and looks to include countries long considered bastions of cybercriminal activity such as Russia and China.<BR> <BR>     * The Business Software Alliance on Friday issued its <a href="http://www.bsa.org/country/News%20and%20Events/News%20Archives/en/2010/en-04292010-cyberframework.aspx" target="_new">Global Cybersecurity Framework</a> "to assist countries in crafting effective national policies and laws to thwart cybersecurity threats." <BR> <BR>What seems to be somewhat new regarding these initiatives is acknowledgement of the speed of security outbreaks and issues in today's globally connected world. A portion of the BSA's framework discusses the parameters and market conditions under which a new framework becomes essential.<BR> <BR> <UL> <LI><EM>Innovation - cybersecurity is a fast-paced race, in which we must stay ahead of cybercriminals who adapt constantly. Cybersecurity policy should maximize the ability of organizations to develop and adopt the widest possible choice of cutting edge cybersecurity solutions.</EM> </LI> <LI><EM>A risk-based approach - consumers, businesses and government agencies seek to protect a wide spectrum of targets against a wide variety of cyber threats. Cybersecurity policy should enable them to implement the security measures that are most appropriate to mitigating the specific risks they face.</EM> </LI></UL> <P>Industry bodies such as the BSA and the East West Institute are doing their part to bring these pressing issues and needs to light, and Bit9 commends them in their efforts. 
The next phase of efforts that will give some of these initiatives real, sustainable momentum is cooperation from vendors and government agencies to help drive actionable solutions forward, be it on the technology or legislative side. Technology innovation is surely part of the equation, as are things like tax incentives for going beyond regulatory norms in order to bolster security at high-value targets, for example. However, there are two approaches and solutions that can bring immediate relief without the red tape and time lag these approaches require.</P> <P>1) Defense in depth and a layered approach can't be given mere lip service. Yes, it costs more; however, the cost of not protecting your IP or vital national secrets is too high given the rapidity, speed and variety of attacks governments and enterprises face to both their networks and endpoints.</P> <P>2) "Be proactive" is the rule of the day. Technologies such as antivirus and HIPS have their place; however, the reactive nature of these solutions puts organizations at a significant disadvantage, and organizations have become too reliant on them. 
Embracing solutions that immediately limit access and exposure to known vulnerabilities that are key attack vectors (applications and endpoints) must happen in order to enable security professionals to more easily target additional vulnerabilities in real-time.</P> <P mce_keep="true"> </P> <P>It's time for government and industry experts to put stakes in the ground and combine to effect real security change both now and in the immediate future.<BR> </P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:12560 ABC Unveils The VIEWer's Choice, powered by Gotuit http://digitalsmiths.com/node/447 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on May 4th, 2010 03:43 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Friday, we went live with our latest customer - ABC, powering VIEWer's Choice, the new video portal for The View.</p> <p><img style="display: block; margin-left: auto; margin-right: auto;" src="http://digitalsmiths.com/sites/default/files/imce/TheView-CustomerPage-resized-382.jpg" alt="" width="349" height="503" /></p> <p>Rather than describe it myself, here is ABC's blog post announcing their new feature:</p> <p><a href="http://theview.abc.go.com/blog/watch-all-you-want-viewers-choice" target="_blank">Watch All You Want with VIEWer's Choice<br /></a>May 03, 2010 | Posted at 2:21 PM</p> </div> <div> <a href="http://digitalsmiths.com/node/447">Continue Reading...</a> </div> 447 at http://digitalsmiths.com Gotuit Named 2010 MITX Technology Finalist 
http://digitalsmiths.com/node/448 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on May 3rd, 2010 12:38 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><img src="http://digitalsmiths.com/sites/default/files/imce/MITXbadge225x150-finalist1.jpg" alt="" width="135" height="90" /></p> <p>We are excited to announce that we were named a finalist for the 2010 MITX Technology Awards in the Rich Media category (four years running). Check out the entire list of finalists <a href="http://www.mitxawards.org/innovation/Finalists.aspx" target="_blank">here</a>. The MITX Technology Awards recognize emergent and innovative technologies developed in the New England area. </p> </div> <div> <a href="http://digitalsmiths.com/node/448">Continue Reading...</a> </div> 448 at http://digitalsmiths.com Where's The Pandora App For Video? 
http://digitalsmiths.com/node/368 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on Apr 28th, 2010 03:00 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Hot on the heels of the NAB Show and the much-anticipated April 3rd arrival of the iPad, Netflix and broadcast networks ABC and CBS recently announced moves to offer video applications for the iPad.</p> </div> <div> <a href="http://digitalsmiths.com/node/368">Continue Reading...</a> </div> 368 at http://digitalsmiths.com Gotuit on Media Technologies Panel at Digital Hollywood http://digitalsmiths.com/node/449 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 27th, 2010 01:05 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><img src="http://digitalsmiths.com/sites/default/files/imce/290x50LA10Spring-resized-600.gif" alt="" width="290" height="50" /></p> </div> <div> <a href="http://digitalsmiths.com/node/449">Continue Reading...</a> </div> 449 at http://digitalsmiths.com McAfee Antivirus False Positive Debacle 
http://blog.bit9.com/bid/12458/McAfee-Antivirus-False-Positive-Debacle <P mce_keep="true"> </P> <P>1. The <a href="http://news.sky.com/skynews/Home/Technology/McAfee-Antivirus-Update-Leaves-Thousands-Of-Machines-Useless/Article/201004415614844?lpos=Technology_First_Technology_Article_Teaser_Region__0&lid=ARTICLE_15614844_McAfee_Antivirus_Update_Leaves_Thousands_Of_Machines_Useless" target="_new" mce_href="http://news.sky.com/skynews/Home/Technology/McAfee-Antivirus-Update-Leaves-Thousands-Of-Machines-Useless/Article/201004415614844?lpos=Technology_First_Technology_Article_Teaser_Region__0&lid=ARTICLE_15614844_McAfee_Antivirus_Update_Leaves_Thousands_Of_Machines_Useless">McAfee debacle</a> this week - yet again - reveals the problems with blacklisting. It is another story about a virus update that falsely identifies a good file as bad. It is not surprising - in fact it is perfectly predictable - that the damage caused by such mistakes is only getting worse, as blacklisting-based antivirus solutions are ubiquitous and there are increasing pressures for AV to push out signatures faster and faster to keep up with the pace of malware. There is pressure on the AV vendor's side to get the signatures out and also on the customers' side, where the signatures are often not tested before being made live.</P> <P mce_keep="true"> </P> <P>What happened: According to the <a href="http://www.computerworld.com/s/article/9175928/The_McAfee_update_mess_explained?taxonomyId=64" target="_new" mce_href="http://www.computerworld.com/s/article/9175928/The_McAfee_update_mess_explained?taxonomyId=64">news</a>, McAfee pushed its daily updates to its corporate customers, which are always meant to detect and destroy threats. One of those threats was the "W32/wecorl.a" virus. Instead, the update wrongly fingered the critical "svchost.exe" file in Windows XP Service Pack 3 (SP3) as malware, and then quarantined it by removing it from its normal location. In some cases, the update deleted the file. 
A lot of manual work was required from IT folks around the world to fix the machines and get them usable again.</P> <P mce_keep="true"> </P> <P>2. On Bit9 technology: The Bit9 Global Software Registry (GSR) gathers and classifies trust on millions of known files and packages. The <a href="https://kc.mcafee.com/corporate/index?page=content&id=KB68787" target="_new" mce_href="https://kc.mcafee.com/corporate/index?page=content&id=KB68787">file</a> in question here, svchost.exe, which was blacklisted by McAfee, was clearly whitelisted in GSR - with our highest trust ratings. </P> <P mce_keep="true"> </P> <P>Bit9 works with antivirus vendors, providing them access to our GSR to eliminate false positives such as the one that crippled hundreds of thousands of systems the other day. Having the world's largest corpus of trusted files is a critical asset - not only to support application whitelisting and proactive security, but also to remediate the flaws in blacklisting and reactive security.</P> <P mce_keep="true"> </P> <P>4. On Parity customers: Bit9 Parity customers have access to the Bit9 Global Software Registry through our Parity Knowledge service. Essentially, this is a cloud-based "background check" on files that provides a bunch of metadata on the files, including a Trust Rating. A number of our customers who run McAfee AntiVirus alongside Application Whitelisting were hit by the flawed McAfee update, and were able to use our trust ratings to quickly rule out an actual attack and pinpoint the virus update as the cause of their problems. Parity's Live Inventory and live events tracking system gives our customers real-time visibility into the trust of every file in their enterprise and all executable file activity. We heard from a number of customers, including a large hospital, that used the live inventory to quickly identify the problem. 
Having the ability to monitor all software on endpoints - live - gives IT and security managers the ability to quickly identify problems, even when they are caused by other security products running on the endpoints.</P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:12458 Taking This Year's NAB Personally http://digitalsmiths.com/node/363 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Apr 14th, 2010 01:36 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>As I pack my bags for this year's <a href="http://www.nabshow.com/2010/default.asp" target="_blank">NAB show</a> and head to Vegas, I have a mental checklist of some of the tracks I want to check out. 
</p> </div> <div> <a href="http://digitalsmiths.com/node/363">Continue Reading...</a> </div> 363 at http://digitalsmiths.com HTML5 - Believe in its future, not the short-term hype http://digitalsmiths.com/node/360 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Apr 1st, 2010 02:49 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>When Steve Jobs announced that the iPad would not support Flash, he set off a stampede of vendors racing to support HTML5.  In fact, my inbox is overflowing with vendor press releases announcing their support of the iPad and HTML5.  
You won’t see a press release from my company, <a href="http://www.digitalsmiths.com" target="_blank">Digitalsmiths</a>, and here’s why.</p> </div> <div> <a href="http://digitalsmiths.com/node/360">Continue Reading...</a> </div> 360 at http://digitalsmiths.com Meet With Gotuit at NAB in Las Vegas http://digitalsmiths.com/node/450 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 30th, 2010 03:43 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Gotuit will be attending the <a href="http://www.nabshow.com/2010/default.asp" target="_blank">NAB Show</a> in Las Vegas, NV next week. If you are attending the conference, and would like to meet with Gotuit to understand how we can help you get the most value from your video library, send an email to <a href="mailto:sales@gotuit.com">sales@gotuit.com</a>. 
We look forward to meeting you there.</p> <p> </p> </div> <div> <a href="http://digitalsmiths.com/node/450">Continue Reading...</a> </div> 450 at http://digitalsmiths.com Taking a Leadership Role in Content Identification http://digitalsmiths.com/node/358 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Mar 30th, 2010 01:32 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>If you follow my monthly column on <a href="http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=125141" target="_blank">MediaPost's Video Insider</a>, you'll notice that I seem to have hit a hot button with my digital media colleagues (some have even contacted me directly).  
It’s an important issue and I’m glad to see that so many people are engaged and interested.</p> </div> <div> <a href="http://digitalsmiths.com/node/358">Continue Reading...</a> </div> 358 at http://digitalsmiths.com It's Time for a Content Identification Standard http://digitalsmiths.com/node/356 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Mar 29th, 2010 04:08 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><span>  <p>Look around: it's no longer the Wild West out there. Yesterday's TV Everywhere experiments and pilot programs are morphing into today's <a href="http://news.yahoo.com/s/bw/20100312/bs_bw/1012b4171038593210" target="_blank">company-wide business priorities</a> for cable providers.</p> </span></p></div> <div> <a href="http://digitalsmiths.com/node/356">Continue Reading...</a> </div> 356 at http://digitalsmiths.com Better Monetize Your Brightcove Video With Gotuit http://digitalsmiths.com/node/451 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 25th, 2010 10:11 AM</div> </td> </tr> </table> </td> 
</tr> </table> </div> <div> <p></p><p>Last week, we were very happy to announce our completed integration with <a href="http://www.brightcove.com/en/" target="_blank">Brightcove</a>.  Joint Brightcove and Gotuit customers can now utilize the best from both systems to drive the most user engagement and revenue from their broadband video.</p> </div> <div> <a href="http://digitalsmiths.com/node/451">Continue Reading...</a> </div> 451 at http://digitalsmiths.com Time to Revisit Time-Based Metadata and Its Role in Monetization http://digitalsmiths.com/node/354 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on Mar 24th, 2010 09:49 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>I'm glad to see that my article last week on the value of time-based metadata (<a href="http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=124244&nid=112236" target="_blank">Dive Deep With Video Metadata For Major Monetization Opportunities</a>) has spurred a spirited debate around one of my favorite subjects. 
I would like to address some of the questions that came up about time-based metadata, but first wanted to take a step back and provide the lay of the land.</p> </div> <div> <a href="http://digitalsmiths.com/node/354">Continue Reading...</a> </div> 354 at http://digitalsmiths.com Dive Deep With Video Metadata For Major Monetization Opportunities http://digitalsmiths.com/node/351 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on Mar 15th, 2010 02:05 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><span>Metadata is simply data about data.  While it sounds really boring, metadata is the key to unlocking exponential growth in viewership, discovery and monetization opportunities for premium video content. <p>Like everything in digital media, there are different flavors of metadata, with no standard definitions and a variety of descriptions.  
I'm going to muddy the waters a bit and provide my take on this vital component of the video landscape.</p> </span></p></div> <div> <a href="http://digitalsmiths.com/node/351">Continue Reading...</a> </div> 351 at http://digitalsmiths.com The PCI Council Speaks on Application Whitelisting http://blog.bit9.com/bid/12087/The-PCI-Council-Speaks-on-Application-Whitelisting <P>Recently the <a href="https://www.pcisecuritystandards.org/">PCI Security Standards Council</a> released an <a href="http://selfservice.talisma.com/display/2n/index.aspx?c=58&cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&cid=81&cat=&catURL=&r=0.235097408294678">FAQ</a> that mentions how Application Whitelisting can be used as a control for Antivirus.</P> <P mce_keep="true"> </P> <P>"The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional Anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement."</P> <P mce_keep="true"> </P> <P>The PCI DSS 1.2 standard mandates the use of Antivirus technology, which at the time the standard was published was cutting-edge technology. </P> <P mce_keep="true"> </P> <P>A lot has changed since then.</P> <P mce_keep="true"> </P> <P>The Operation Aurora zero-day attacks and the Zeus botnet revealed that existing security platforms that use Antivirus and HIPS (host intrusion prevention) are not able to stop these attacks. There were no signatures or behavioral patterns available to stop these attacks. And the patch from Microsoft came days later. Germany went as far as to recommend that its citizens not use Microsoft Internet Explorer until the vulnerability was fixed because they were keenly aware that existing security defenses were not able to stop it. 
It has become clear that Anti-virus and HIPS are no longer cutting-edge technology.</P> <P mce_keep="true"> </P> <P>Now the PCI Standards Council plans to add a new technology - Application Whitelisting - that can offer security in lieu of Antivirus. In fact, many retailers are already using Application Whitelisting in lieu of Antivirus. There are <a href="http://www.bit9.com/files/1/RoyalAhold_Bit9_CaseStudy_FINAL.pdf" target="_new" mce_href="http://www.bit9.com/files/1/RoyalAhold_Bit9_CaseStudy_FINAL.pdf">many cases</a> where Antivirus, with its constant need for updates and inability to keep up with the latest threat, is not the right technology.</P> <P mce_keep="true"> </P> <P>We applaud the inclusion of Application Whitelisting in the PCI requirements. We are seeing similar inclusion of Application Whitelisting (and Application Control) requirements in the Government through NIST and <a href="http://www.sans.org/critical-security-controls/" target="_new" mce_href="http://www.sans.org/critical-security-controls/">CAG (Consensus Audit Guidelines).</a> We also believe that this is an area where the Council can talk about security requirements in general and the end goal. This end goal - protecting the endpoints - is the key for our customers. 
For example, the discussion could be based on a requirement that:  Mandates use of endpoint technologies that protect against known and unknown malware attacks - including Advanced Persistent Threats.</P> <P mce_keep="true"> </P> <P>Application Whitelisting, as we have seen from <a href="http://blogs.gartner.com/neil_macdonald/2010/01/21/another-lesson-from-the-ie-zero-day-attacks-on-google-the-power-of-whitelisting/" target="_new" mce_href="http://blogs.gartner.com/neil_macdonald/2010/01/21/another-lesson-from-the-ie-zero-day-attacks-on-google-the-power-of-whitelisting/">the recent analyst research</a> from Gartner, does just this.</P></FONT> f1397696-738c-4295-afcd-943feb885714:12087 The Best Way To Increase Advertising Load For Broadband Video http://digitalsmiths.com/node/452 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 8th, 2010 03:09 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Last week, I read Will Richmond's blog post "<a href="http://www.videonuze.com/blogs/?2010-03-01/ABC-com-is-Now-Achieving-DVR-Economics-for-Its-Programs/&id=2453" target="_blank">ABC.com is now Achieving DVR Economics for Its Programs</a>" and was struck by this section talking about his discussion with Albert Cheng, EVP of Digital Media for Disney-ABC Television:</p> </div> <div> <a href="http://digitalsmiths.com/node/452">Continue Reading...</a> </div> 452 at http://digitalsmiths.com The Tipping Point for Metadata http://digitalsmiths.com/node/349 <div> <table cellspacing="0" 
cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Mar 3rd, 2010 03:59 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><span>Like everybody else, I watched the Olympics.  You gotta love the biathlon, the continued excellence of Shaun White, and Lindsey Vonn coming back from an injury to win gold in the women's downhill skiing event. </span></p> <p>I catch Olympic fever every two years, and Vancouver 2010 was no different.  The Olympics are a stirring reminder of everything that's great about America: our will to win, our respect for fair play and our love of country. It's also one of the few global television events that still reliably draws "big three"-type numbers.  
</p> </div> <div> <a href="http://digitalsmiths.com/node/349">Continue Reading...</a> </div> 349 at http://digitalsmiths.com Sports Illustrated Integrates Gotuit into Existing Video Workflow http://digitalsmiths.com/node/453 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Feb 24th, 2010 03:59 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><a href="http://sportsillustrated.cnn.com/" target="_blank">Sports Illustrated</a> has utilized Gotuit for the past three years to power multiple FilmRooms™ for the NFL Draft, NBA Draft, College Football previews and more. 
</p> </div> <div> <a href="http://digitalsmiths.com/node/453">Continue Reading...</a> </div> 453 at http://digitalsmiths.com Gotuit Presents at 1st Boston Brightcove Developers Meetup http://digitalsmiths.com/node/454 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Feb 18th, 2010 09:12 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Thanks to Brian Deitte and the rest of the folks over at <a href="http://www.brightcove.com/en/" target="_blank">Brightcove</a> for putting together the first Boston Brightcove Developers meetup last night.  We were invited to speak and gave an overview of Gotuit and our integration with Brightcove.  Specifically, we showed how video stored in Brightcove could be enabled with Gotuit's rich, scene-level metadata to improve the presentation, navigation, advertising performance, and monetization of source content.  We also demonstrated our work with our</p> </div> <div> <a href="http://digitalsmiths.com/node/454">Continue Reading...</a> </div> 454 at http://digitalsmiths.com Should Media Companies Look to the Cloud? 
http://digitalsmiths.com/node/346 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on Feb 16th, 2010 10:15 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><span>Last year, high-profile online video platform (OVP) announcements were everywhere.</span></p> </div> <div> <a href="http://digitalsmiths.com/node/346">Continue Reading...</a> </div> 346 at http://digitalsmiths.com How Turner Sports Has Unleashed Charles Barkley With Gotuit http://digitalsmiths.com/node/455 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Feb 15th, 2010 04:45 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Last week, we were thrilled to announce our latest customer - Turner Sports. For those of you not aware of the scope of Turner's reach, according to the latest ComScore <a href="http://www.comscore.com/Press_Events/Press_Releases/2010/2/U.S._Online_Video_Market_Continues_Ascent_as_Americans_Watch_33_Billion_Videos_in_December" target="_blank">press release</a>, U.S. 
visitors to Turner properties watched over 366 million videos in Dec 2009, putting them #7 overall.</p> </div> <div> <a href="http://digitalsmiths.com/node/455">Continue Reading...</a> </div> 455 at http://digitalsmiths.com Better Metadata Will Truly Bring Movies and TV "Everywhere" http://digitalsmiths.com/node/345 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Feb 9th, 2010 11:53 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>By now, everybody from <a href="http://www.nytimes.com/2010/02/01/business/media/01carr.html" target="_blank">David Carr</a> to my Aunt Janice has weighed in on the Apple iPad and its implications for the multi-platform content space.</p> </div> <div> <a href="http://digitalsmiths.com/node/345">Continue Reading...</a> </div> 345 at http://digitalsmiths.com IE Zero Day Attacks/ Aurora - Hydraq http://blog.bit9.com/bid/11741/IE-Zero-Day-Attacks-Aurora-Hydraq <P>Why is it that existing security software didn't stop Operation Aurora cyber attacks from using the Microsoft IE zero-day vulnerability to hack into multiple high-profile technology providers? Is it that this level of malware sophistication has never been seen before? </P> <P mce_keep="true"> </P> <P>Dennis Blair, the US Cyber Chief, testified today before Congress and called these attacks "Cyber Pearl Harbor."  
Read the story in the New York Times by Mark Mazzetti <a href="http://www.nytimes.com/2010/02/03/us/politics/03intel.html" target="_new" mce_href="http://www.nytimes.com/2010/02/03/us/politics/03intel.html">here</a>.</P> <P mce_keep="true"> </P> <P>"Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication," he said.</P> <P mce_keep="true"> </P> <P>As zero-day attacks proliferate, antivirus vendors have begun blocking websites and offering intrusion prevention features aimed at trying to stop malware before it happens and even before it is identified. The problem is that development and promotion of new security features often come as a result of cyber attacks like Operation Aurora and the Hydraq Trojan. Organizations and AV vendors appreciate the need for proactive IT security solutions, but if action is taken post-breach, the damage is already done.</P> <P mce_keep="true"> </P> <P>Comprehensive layered defenses against cyber threats have been announced as the "new" methodology for preventing zero-day and targeted attacks, but proactive prevention is not new. <a href="http://www.bit9.com/news-events/press-release-details.php?id=145" target="_new" mce_href="http://www.bit9.com/news-events/press-release-details.php?id=145">Application Whitelisting</a>, offered by Bit9, has been around since 2002. And many more companies are beginning to offer it. </P> <P mce_keep="true"> </P> <P>Gartner analyst Neil MacDonald just wrote in his blog that: "whitelisting at the endpoints would have stopped these attacks."</P> <P mce_keep="true"> </P> <P>Application Whitelisting delivers malware prevention rather than reaction by establishing a list of known and approved applications, devices and files and halting execution of everything else. We've tailored whitelisting for organizations across all industry verticals - from government and finance to retail and healthcare. 
So when AV reacts to new attacks with new solutions, keep in mind that it is reaction, not prevention, that distinguishes their approach. <BR></P> f1397696-738c-4295-afcd-943feb885714:11741 Bret “The Hitman” Hart Returns To The WWE http://digitalsmiths.com/node/456 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Feb 2nd, 2010 02:32 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>World Wrestling Entertainment’s Smash-Ups site has just been updated with highlights from Friday Night Smackdown and Monday Night RAW, featuring the return of Bret “The Hitman” Hart.</p> <p>Here’s a quick sample smash-up of “The Hitman”.</p> </div> <div> <a href="http://digitalsmiths.com/node/456">Continue Reading...</a> </div> 456 at http://digitalsmiths.com Connected Devices Push TV Everywhere Initiatives Forward http://digitalsmiths.com/node/342 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on Feb 1st, 2010 03:48 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p><span>Connected devices -- which include 
smartphones, home entertainment consoles like the Xbox 360, and now Apple's tablet, the iPad -- are everywhere.</span></p> </div> <div> <a href="http://digitalsmiths.com/node/342">Continue Reading...</a> </div> 342 at http://digitalsmiths.com YouTube Dives into the Rental World http://digitalsmiths.com/node/340 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Jan 21st, 2010 06:01 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>By now, we’ve all heard the <a href="http://latimesblogs.latimes.com/entertainmentnewsbuzz/2010/01/youtube-begins-its-push-into-online-movie-rentals.html" target="_blank">news</a> that YouTube will be offering digital movie rentals online. First, let me say this: a giant like YouTube jumping into the rental game is a major validation for monetized premium content distribution.  This is a great day for the business.  
</p> </div> <div> <a href="http://digitalsmiths.com/node/340">Continue Reading...</a> </div> 340 at http://digitalsmiths.com Big Things to Come In Video -- The Best Of CES 2010 http://digitalsmiths.com/node/334 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Jan 13th, 2010 03:41 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>If you are in the digital media business, then you probably already know that CES -- the Consumer Electronics Show -- happened in Las Vegas last week.  CES is the big time: a global forum for major technology companies to roll out their new offerings in an effort to dazzle both consumers and the assembled press. I'm a fan of technology in general, and of CES in particular.  With so many big players and so much energy on the floor, it's hard not to get swept up in all the excitement.</p> </div> <div> <a href="http://digitalsmiths.com/node/334">Continue Reading...</a> </div> 334 at http://digitalsmiths.com Bit9 Releases Third Annual Report on Top Vulnerable Apps - 2009 http://blog.bit9.com/bid/11531/Bit9-Releases-Third-Annual-Report-on-Top-Vulnerable-Apps-2009 <P>Bit9's annual report on the Top Vulnerable Applications  for 2009 found that Adobe Acrobat, Flash Player, Reader and Shockwave showed high risk for arbitrary code execution, memory corruption and application crashing. Also rated highly vulnerable in NIST's database for 2009 were Apple Quicktime, Mozilla FireFox, Opera, RealPlayer, Sun Java and Trillian. 
</P> <P><BR>Microsoft's IE 6 and 7 received an "honorable mention" for a zero-day exploit that went unpatched for a period of time in August.  All applications on the list require end users to manually patch or upgrade the software to eliminate the vulnerability, and are extremely common on PCs at work and home.</P> <P><BR>Should enterprises use these apps? If it makes sense for the business - of course they should. Most businesses would find it hard not to use Adobe PDF, for instance.  And yet just today, SANS Institute's Internet Storm Center (ISC) reported that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14.  See <a href="http://www.computerworld.com/s/article/9143259/Large_scale_attacks_exploit_unpatched_PDF_bug" target="_new" mce_href="http://www.computerworld.com/s/article/9143259/Large_scale_attacks_exploit_unpatched_PDF_bug">Gregg Keizer's story</a> on it in ComputerWorld today. So if enterprises do in fact use these apps, they need to put some monitoring and controls in place to protect their business.</P> <P><BR>Enterprise IT organizations that are not monitoring their endpoints have no reliable way to ensure that the patches for these applications have been properly applied.  We encourage organizations to monitor the applications being used by their end users to make sure, first, that they know what is running and, second, that it has been patched properly. And in the case of "zero-day" attacks, for which no patches or fixes exist, IT needs to put controls in place to protect against them. 
</P> <P><BR>Organizations that take a layered approach can best protect themselves with: visibility across endpoints;  a centralized patch-management process;  and application whitelisting to prevent the use of unauthorized and potentially malicious software.<BR>To read the report, click <a href="http://www.bit9.com/landing/vulnapps2009/" target="_new" mce_href="http://www.bit9.com/landing/vulnapps2009/">here</a><BR></P> f1397696-738c-4295-afcd-943feb885714:11531 A Paramount Deal! Revolutionizing Film Monetization One Iconic Clip at a Time http://digitalsmiths.com/node/312 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Dec 15th, 2009 07:13 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>“Leave the gun, take the cannoli”… “I feel the need, the need for speed”… “Life is like a box of chocolates” – all iconic moments in film history that make you stop and think about where you were when you watched them for the first time.</p> </div> <div> <a href="http://digitalsmiths.com/node/312">Continue Reading...</a> </div> 312 at http://digitalsmiths.com 2010: The Year of TV Everywhere http://digitalsmiths.com/node/308 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben 
Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Dec 7th, 2009 11:48 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>2009 was a rough year for the wider economy, but it was actually an amazing twelve months for companies in the digital media space. <br />Online video viewership was <a href="http://www.webpronews.com/topnews/2009/10/13/online-video-viewing-up-25-per-viewer" target="_blank">up</a>, with more and more consumers accessing content on all sorts of devices including cell phones, Xboxes, iPods and portable gaming devices. </p> </div> <div> <a href="http://digitalsmiths.com/node/308">Continue Reading...</a> </div> 308 at http://digitalsmiths.com Mapping the Wild West http://digitalsmiths.com/node/285 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Nov 9th, 2009 05:25 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>The online video platform (OVP) market is like no other, for three reasons: </p> </div> <div> <a href="http://digitalsmiths.com/node/285">Continue Reading...</a> </div> 285 at http://digitalsmiths.com Bit9 Parity Suite Ranked #1 in Application Whitelisting in Competitive Product Review http://blog.bit9.com/bid/10940/Bit9-Parity-Suite-Ranked-1-in-Application-Whitelisting-in-Competitive-Product-Review <P mce_keep="true"> </P> <P>In an <a href="http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835" 
rel="nofollow" target="_new" mce_href="http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835">InfoWorld Product Review</a> of <a href="http://www.bit9.com/" rel="nofollow" target="_new" mce_href="http://www.bit9.com">Application Whitelisting</a> Solutions, <a href="http://www.bit9.com/products/parity.php" rel="nofollow" target="_new" mce_href="http://www.bit9.com/products/parity.php">Bit9 Parity</a> has been named the #1 Application Whitelisting Solution. Described as the "clear frontrunner" among competitors, Bit9 received an overall score of 9.4 out of 10 in an analysis considering effectiveness, coverage, administration, reporting and value among key Application Whitelisting vendors.</P> <P><BR> </P> <P>Not only is this the highest score that Roger A. Grimes, the InfoWorld product reviewer, has ever given, but he goes on to say that Bit9 Parity's ability to rate individual file and overall risk, "not only raises it above the other products in this review, but above most computer security products in general."</P> <P mce_keep="true"> </P> <P><img title="" border="0" alt="" align="none" src="http://web.bit9.com/Portals/447/images//test%20center%20scorecard-resized-600.JPG" mce_src="http://blog.bit9.com/Portals/447/images//test center scorecard-resized-600.JPG" /><BR></P> <P mce_keep="true"> </P> <P>The review is a testament to Bit9's solutions. Bit9 Parity's visibility and control capabilities have proven it's the application whitelisting solution to have. 
Congratulations Bit9 Parity!</P> <P mce_keep="true"> </P><BR> <P>Read the Articles: <a href="http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?page=0,0" rel="nofollow" target="_new" mce_href="http://www.infoworld.com/d/security-central/test-center-review-whitelisting-security-offers-salvation-835?page=0,0">Test Center Review: Whitelisting Security offers Salvation</a>, <a href="http://infoworld.com/d/security-central/application-whitelisting-review-bit9-parity-suite-832?page=0,2" rel="nofollow" target="_new" mce_href="http://infoworld.com/d/security-central/application-whitelisting-review-bit9-parity-suite-832?page=0,2">Application Whitelisting Review: Bit9 Parity Suite</a></P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:10940 Open the Floodgates: Greater Access to Content Will Lead to Higher Studio Profits http://digitalsmiths.com/node/284 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Nov 4th, 2009 01:58 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Making movies is like product development.  Each new Adam Sandler comedy or zombie spookfest is essentially a new product – one that must be marketed to a target audience.</p> <p>That audience either shows up or stays at home on opening weekend, and although many things have changed in the content business, this simple fact has not: hits make money, while turkeys die a quick death at the box office.    
</p> </div> <div> <a href="http://digitalsmiths.com/node/284">Continue Reading...</a> </div> 284 at http://digitalsmiths.com Want To Double Your Advertising Inventory? http://digitalsmiths.com/node/458 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Oct 15th, 2009 09:56 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Are you a premium video publisher going to the 2nd annual <a href="http://www.akamai.com/jointherevolution" target="_blank">Akamai Customer Conference</a> next week?  Gotuit will have a booth again this year, giving demonstrations on how our patented Video Metadata Management System <strong>doubles a publisher’s available advertising inventory</strong> while significantly growing user engagement and session time.</p> </div> <div> <a href="http://digitalsmiths.com/node/458">Continue Reading...</a> </div> 458 at http://digitalsmiths.com Gotuit, Microsoft, Ooyala and More to Discuss Advertising Breakthroughs on Digital Hollywood Panel http://digitalsmiths.com/node/459 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted 
by patrick on Oct 14th, 2009 04:01 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Going to <a href="http://www.digitalhollywood.com/LAFall09Agenda.html" target="_blank">Digital Hollywood</a> in Santa Monica, CA next week?  Gotuit will be attending and will participate on a panel.  Gotuit CEO Mark Pascarella will speak on Wednesday morning at “Breakthroughs in Advertising, Technology and Content - Innovation in The Visual and Contextual Experience - Web, Video and Mobile”.</p> <p><strong>Wednesday, October 21, 9:00-10:15 AM</strong></p> </div> <div> <a href="http://digitalsmiths.com/node/459">Continue Reading...</a> </div> 459 at http://digitalsmiths.com Want More Engaged Viewers? Try Scene-by-Scene Navigation http://digitalsmiths.com/node/460 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Sep 30th, 2009 02:07 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>You are a video publisher and you want to drive more engaged viewers and better monetization.  
What tactics or options do you have to better present your video and make it easier and more fun for your viewers to watch it?</p> </div> <div> <a href="http://digitalsmiths.com/node/460">Continue Reading...</a> </div> 460 at http://digitalsmiths.com TV Everywhere is More Than a Bandwagon, It’s a Great Monetization Opportunity http://digitalsmiths.com/node/261 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Sep 30th, 2009 09:16 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>It’s not in my nature to be a follower. I’m just not built that way.  Years ago, when the online video space started to heat up and hundreds of new companies were launched to help consumers post videos of dancing babies and waterskiing dogs on the Internet, I thought to myself, “cute, but how are they going to make money at that?” </p> </div> <div> <a href="http://digitalsmiths.com/node/261">Continue Reading...</a> </div> 261 at http://digitalsmiths.com Yes We Can! 
Vote Early, Vote Often and Vote for Digitalsmiths http://digitalsmiths.com/node/257 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Sep 18th, 2009 09:35 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>As a rule, I use this Blog to provide you information on the digital media industry, successful customer strategies and latest innovations. My goal is for this to become a “go-to” resource for honest, insightful and practical information – not a place where I shamelessly promote Digitalsmiths.</p> <p>Today, I’m going to break my own rule.</p> </div> <div> <a href="http://digitalsmiths.com/node/257">Continue Reading...</a> </div> 257 at http://digitalsmiths.com SANS Instructor Talks about Proactive Cyber Security - Web Seminar http://blog.bit9.com/bid/10331/SANS-Instructor-Talks-about-Proactive-Cyber-Security-Web-Seminar <P>SANS and Bit9 are hosting a web seminar this coming Thursday, August 27, 2009. <a href="http://www.bit9.com/news-events/webinar-detail.php?id=121" mce_href="http://www.bit9.com/news-events/webinar-detail.php?id=121">Sign up here.</a></P> <P>Here is the seminar description:</P> <P>Learn how organizations can eliminate malware and close the security gap that leaves our nation’s infrastructure vulnerable; join us for this web seminar featuring Chris Brenton, SANS Instructor, Security Consultant and founding member of the initial Honeynet Project. Chris's presentation "Stopping Tomorrow's Cyber Attacks Today" will answer:</P> <P>- What makes a system vulnerable? 
</P> <P>- Why the rise in malware? </P> <P>- Why are we losing the battle? </P> <P>- How do we win the war? </P> <P>In addition, Bit9 will address how several US government agencies now use application whitelisting as the cornerstone of their security projects. </P> f1397696-738c-4295-afcd-943feb885714:10331 Bit9 Announces Government Solution - Application Control, Configuration Management http://blog.bit9.com/bid/10267/Bit9-Announces-Government-Solution-Application-Control-Configuration-Management Bit9 announced the Bit9 Parity for Government solution today. You can read about it <a href="http://www.bit9.com/news-events/press-release-details.php?id=129" mce_href="http://www.bit9.com/news-events/press-release-details.php?id=129">here.</a> Stephen Northcutt, the head of the <a href="http://www.sans.org/" target="_new" mce_href="http://www.sans.org/">SANS Institute</a>, speaks about whitelisting in it. f1397696-738c-4295-afcd-943feb885714:10267 Data Breach Roundtable: PCI Council, Deloitte and Touche http://blog.bit9.com/bid/10249/Data-Breach-Roundtable-PCI-Council-Deloitte-and-Touche <P>We are hosting an online data breach "roundtable" featuring Bob Russo, general manager of the PCI Council; Rich Baich, the former CISO of ChoicePoint who weathered the historic breach in 2004 and is now a partner at Deloitte and Touche; and Tom Murphy, chief strategy officer at <a href="http://www.bit9.com/" mce_href="http://www.bit9.com">Bit9, Inc</a>. </P> <P>Topics include the recent data breaches in the news and solutions. </P> <P>To sign up, go to the registration page <a href="https://bit9.webex.com/bit9/onstage/g.php?t=a&d=680840114" rel="nofollow" target="_new" mce_href="https://bit9.webex.com/bit9/onstage/g.php?t=a&d=680840114">here</a>. 
</P> f1397696-738c-4295-afcd-943feb885714:10249 Application Whitelisting for Government http://blog.bit9.com/bid/10210/Application-Whitelisting-for-Government <P mce_keep="true">Criminals are getting smarter and more sophisticated, responsible for security breaches in both the public and private sector that put sensitive information in danger.  Just last month it was discovered that cyber spies repeatedly hacked critical design data in the<a href="http://web.bit9.com/online.wsj.com/article/SB124027491029837401.html" rel="nofollow" target="_new" mce_href="http:///online.wsj.com/article/SB124027491029837401.html"> U.S. Joint Strike Fighter project</a>. Brian Krebs of the Washington Post writes about the Facebook and Twitter attacks  <a href="http://www.washingtonpost.com/wp-dyn/content/story/2009/08/07/ST2009080702921.html" mce_href="http://www.washingtonpost.com/wp-dyn/content/story/2009/08/07/ST2009080702921.html">here</a> and the<a href="http://government.zdnet.com/?p=5209" mce_href="http://government.zdnet.com/?p=5209"> Marines have just banned Facebook</a>.</P> <P mce_keep="true"> </P> <P>From state and local government to federal defense agencies, the government seems to be constantly under attack.</P> <P mce_keep="true"> </P> <P>Standards such as the Federal Information Security Act (FISMA) were put in place to provide U.S. federal agencies and contractors with a uniform set of information systems processes. But compliance, as we have seen with PCI DSS standards, is never enough. 
Gaining control over the software that runs on government systems is more than a strategic initiative aimed at compliance; it is crucial to protect against zero day and targeted attacks that are getting past traditional, reactive defenses.</P> <P mce_keep="true"> </P> <P><a href="http://www.bit9.com/" mce_href="http://www.bit9.com">Application whitelisting</a> is emerging as a layer to IT security defenses - to monitor and control unauthorized software, as well as to discover and ban certain hashes automatically.  Whether it's rogue software. Unwanted. Common software, but considered vulnerable. Or malicious.</P> <P mce_keep="true"> </P> <P>This approach to endpoint security is fundamentally different from existing anti-virus methods that allow all applications to run and detect malware after it has already executed and potentially caused harm to systems. Application whitelisting lets you create an inventory of ‘permitted' software that is allowed to run and allows unknown software to run in a controlled manner - until it's deemed good or bad.  This lets workers use the real-time tools they need to get their job done, and reduces the burden of false-positives on the IT department.</P> <P mce_keep="true"> </P> <P>By having greater visibility into what applications are running on their organization's endpoints (PCs, laptops, servers), IT staff is better equipped to enforce the use of authorized applications, maintain compliance with industry standards and prevent the installation or execution of malicious, illegal and unauthorized software that can create vulnerabilities and enable targeted attacks. In fact, the recently released <a href="http://www.sans.org/cag/guidelines.php" target="_new" mce_href="http://www.sans.org/cag/guidelines.php">Consensus Audit Guidelines (CAG)</a> prescribes application whitelisting - defining and allowing only trusted software - as a best practice for achieving FISMA compliance.  
</P> <P mce_keep="true"> </P> <P>A well-managed application environment is also less expensive to operate, saving valuable taxpayer dollars when it matters most.  According to a recent <a href="http://www.gartner.com/it/page.jsp?id=636308" mce_href="http://www.gartner.com/it/page.jsp?id=636308">Gartner study</a>, "A locked and well-managed desktop PC can be 42 percent less expensive to maintain than an unmanaged one."  </P> <P mce_keep="true"> </P> <P>We're seeing a fundamental shift in the way government operates, and this requires a more sophisticated, better armed approach to IT security.  </P> f1397696-738c-4295-afcd-943feb885714:10210 Unleashing Digitalsmiths’ Superpowers at Comic-Con 2009 http://digitalsmiths.com/node/240 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Jul 29th, 2009 09:50 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>What do Digitalsmiths, Comic-Con, Warner Bros., the cast of “Chuck,” Bon Jovi and Leonard Nimoy have in common?  A lot.<br /> <br />Last week, more than 125,000 pop culture fans descended upon the San Diego Convention Center to hobnob with comic book heroes, celebrities and fellow gamers for what has become an annual pilgrimage.  If you were lucky enough to get a ticket, you enjoyed four jam-packed days of events, parties and celebrations. 
<br /> </p> </div> <div> <a href="http://digitalsmiths.com/node/240">Continue Reading...</a> </div> 240 at http://digitalsmiths.com Delivering Online Video When the Big One Hits http://digitalsmiths.com/node/237 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-23.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Matthew Berry</div> <div>CTO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by matt on Jul 22nd, 2009 05:22 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>If it were a hurricane, it would have been a Category 5.  This was the “big one.”  The death of Michael Jackson drove online viewership to near record highs (only to be surpassed by the Inauguration of President Barack Obama) and brought several prominent news sites to a screeching halt.  While it may be impossible to accurately estimate exactly how many people watched the events worldwide, we know that most sites experienced at least a 20 percent increase above normal.  
This created a snowball effect that nearly brought the Internet to its knees.</p> </div> <div> <a href="http://digitalsmiths.com/node/237">Continue Reading...</a> </div> 237 at http://digitalsmiths.com Be Glad You Don’t Have This Job – Ice Road Truckers http://digitalsmiths.com/node/461 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jul 14th, 2009 02:30 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Looking to cool off in the middle of summer? Check out Season Three of HISTORY’S Ice Road Truckers on Sundays at 9pm.  This is HISTORY’S #1 rated series, and this season is its most dangerous yet.  
The drivers face fearsome storms, temperamental equipment, treacherous roads, and the pressure to deliver their loads 250 miles north of the Arctic Circle in Alaska.</p> </div> <div> <a href="http://digitalsmiths.com/node/461">Continue Reading...</a> </div> 461 at http://digitalsmiths.com Studio-Grade Digital Media Management – The Future is Now http://digitalsmiths.com/node/230 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Jul 7th, 2009 10:01 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>The recent onslaught of news events showcase just how critical digital media – particularly video – has become in our lives.  Whether the news is related to politics, celebrities or sports, when an event happens, we demand immediate access to video content from our TVs, PCs and mobile devices.  
</p> </div> <div> <a href="http://digitalsmiths.com/node/230">Continue Reading...</a> </div> 230 at http://digitalsmiths.com Welcome to the Digitalsmiths Blog http://digitalsmiths.com/node/193 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-5.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Ben Weinberger</div> <div>CEO & Co-Founder</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by ben on Jun 23rd, 2009 10:13 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Hi and welcome to the new Digitalsmiths web site and company blog! As CEO of Digitalsmiths, I'm happy to welcome you and kick off this first post by sharing some recent company and product developments.</p> </div> <div> <a href="http://digitalsmiths.com/node/193">Continue Reading...</a> </div> 193 at http://digitalsmiths.com Want To Watch an Overview on Gotuit? Check Out This Video. 
http://digitalsmiths.com/node/462 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on May 20th, 2009 10:08 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Last week at the Streaming Media East 2009 show in NYC, we gave a 20 minute overview of the Gotuit Video Metadata Management System, and announced our latest customer - HISTORYTM, with Ice Road Truckers Video Mash-Ups.</p> <p>The good folks at Streaming Media just posted video from the event.  For those of you not able to make it, you can watch our presentation <a href="http://www.tvworldwide.com/events/streaming_media/090512/default.cfm?id=11052&type=wmhigh&test=0" target="_blank">here</a>.</p> </div> <div> <a href="http://digitalsmiths.com/node/462">Continue Reading...</a> </div> 462 at http://digitalsmiths.com Gotuit Named 2009 MITX Technology Finalist http://digitalsmiths.com/node/463 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on May 8th, 2009 04:10 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>We were very happy today to learn 
that we were named a finalist for the 2009 MITX Technology Awards in the Rich Media category (for the third year in a row!).  You can see all the 2009 finalists listed <a href="http://mitxawards.org/innovation/Finalists.aspx" target="_blank">here</a>.</p> </div> <div> <a href="http://digitalsmiths.com/node/463">Continue Reading...</a> </div> 463 at http://digitalsmiths.com Check Out Gotuit at Digital Hollywood Spring 2009 http://digitalsmiths.com/node/464 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 30th, 2009 09:32 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Going to <a href="http://www.digitalhollywood.com/LASpring09Agenda.html" target="_blank">Digital Hollywood</a> next week?  Gotuit will be attending and will participate on a panel.  
Gotuit CEO Mark Pascarella will speak on Thursday at “Video Metadata Revolution: Unleashing the Value of Video Programming in an On Demand World”.</p> <p><strong>Thursday, May 7th - 2:15PM</strong></p> </div> <div> <a href="http://digitalsmiths.com/node/464">Continue Reading...</a> </div> 464 at http://digitalsmiths.com Content is King, But Metadata Rules http://digitalsmiths.com/node/465 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 23rd, 2009 11:14 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Last week, we released our latest whitepaper, entitled “Content is King, But Metadata Rules: Three Reasons Why Premium Metadata Delivers Premium Returns“.  A must-read for digital media executives, it examines how the broadband platform and the user’s viewing behaviors demand specific strategies to drive the largest return.  
For those of you who want just the summary, here it is:</p> <p>Summary</p> </div> <div> <a href="http://digitalsmiths.com/node/465">Continue Reading...</a> </div> 465 at http://digitalsmiths.com Another Funny WWE Promotional Video for Smash-Ups http://digitalsmiths.com/node/467 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 18th, 2009 01:12 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>WWE just released another promotional video both on their site on <a href="http://www.youtube.com/watch?v=nNf8pxd5WmY" target="_blank">YouTube</a>, encouraging people to use WWE Smash-Ups.   
This one features The Miz and John Morrison.</p> <p>Enjoy!</p> </div> <div> <a href="http://digitalsmiths.com/node/467">Continue Reading...</a> </div> 467 at http://digitalsmiths.com Converting Visitors to Viewers: Major League Soccer http://digitalsmiths.com/node/466 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 26th, 2009 04:37 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>We were happy to announce this week our fourth season of powering QuickKicks for Major League Soccer.  Completely redesigned, this year has all of our premium video navigation and discovery features as well as a remix capability.</p> </div> <div> <a href="http://digitalsmiths.com/node/466">Continue Reading...</a> </div> 466 at http://digitalsmiths.com CISCO urges Network Administrators to validate their Router Software http://blog.bit9.com/bid/7845/CISCO-urges-Network-Administrators-to-validate-their-Router-Software <BR>Earlier this year at EuSecWest 08, Sebastian Muñiz of Core Security has <a href="http://blogs.iss.net/archive/autoexploitgen.html" mce_href="http://blogs.iss.net/archive/autoexploitgen.html">demonstrated</a> how to unpack and repackage Cisco IOS binaries. Effectively this showcases how rootkits can be embedded inside a valid Cisco IOS image. There are valid uses for this, especially when it comes to debugging, troubleshooting or penetration testing. But the upside potential is staggering, especially given the proliferation of fake Cisco hardware sporting fake CISCO software. 
Even the US Government is aware of tainted hardware that has made it into Government purchasing streams. <BR><BR>In their defense, Cisco has published a <a href="http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml" mce_href="http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml">guide</a> for Network Administrators urging them to double-check the MD5 hashes of their router software. Now what happens if Cisco OS components are customized? f1397696-738c-4295-afcd-943feb885714:7845 WWE Smash-Ups: Long Form Publishers Take Note http://digitalsmiths.com/node/468 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 13th, 2009 09:44 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>If you are a long-form video publisher looking for better ways to engage your audience, check out what we have just done with World Wrestling Entertainment.  As part of their promotion leading up to Wrestlemania 25, WWE has put together a video application called WWE Smash-Ups.  Powered by Gotuit, this application lets fans access highlights from 25 years' worth of thrilling WWE video, then create their own 2-minute highlight reel.  
The best highlight reel will win $5000, and there are other prizes as well.</p> </div> <div> <a href="http://digitalsmiths.com/node/468">Continue Reading...</a> </div> 468 at http://digitalsmiths.com Paperclips, needles and PCI http://blog.bit9.com/bid/7844/Paperclips-needles-and-PCI <br> Given that encryption is moving into the firmware of embedded chips and devices, it is just a matter of time before these types of attacks become commonplace. <a href="http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/" mce_href="http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/">Researchers at Cambridge University</a> have used paperclips and needles to tap into chip and pin terminals to record magnetic stripe data and PINs from ATM cards. Needless to say, you do not need to break into an ATM; a typical cash register would do just fine. <br><br> Connecting onto pin terminals harks back to attacks and investigations of the past, but just as MBR Rootkits are making a comeback. f1397696-738c-4295-afcd-943feb885714:7844 Virtualization Vulnerability Trends http://blog.bit9.com/bid/7843/Virtualization-Vulnerability-Trends <br> It has been touted that Virtualization is a more secure alternative to today's physical real estate approach to coming. <br><br> Yet the <a href="http://web.bit9.com/www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf" mce_href="www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf">X-Force ISS Report</a> tells us to be prepared for new attacks against the Virtualization infrastructure. For one, discovered vulnerabilities against virtualization software are at an all-time high. <br><br> The report claims that "<i>although virtual machine breakout vulnerabilities tend to get a lot of attention from the press, they are rare</i>" and they target solutions that predominantly require a full-blown operating system. 
<br><br> Hypervisor solutions are a cure for this as they remove, for example, a RedHat Service Console (in VMware's case) from the mix. Similarly, Microsoft's implementation tries to remove all the unnecessary components from the stripped-down OS so as not to be affected by any fringe vulnerability. <br><br> It is very likely that new hypervisor-compromising malware, attacks on management infrastructure, and other malicious activity will make headlines very soon. Yet hypervisors are very safe today. After studying their structure, we can safely challenge the world to break it and evaluate it. It will not be easy. f1397696-738c-4295-afcd-943feb885714:7843 Attacking Intel® Trusted Execution Technology http://blog.bit9.com/bid/7842/Attacking-Intel-Trusted-Execution-Technology <br> The new Centrino platform will be all the rage at the upcoming Black Hat 2009 conference in Washington DC this February. Joanna Rutkowska and Rafal Wojtczuk will evaluate <a href="http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Wojtczuk">attacking scenarios</a> against Intel's Trusted Execution Technology. <br><br> Intel's efforts to bring a fully featured Web Server directly into the Motherboard have been discussed on numerous boards and highlighted by Ivan Krstic in his keynote at the First Conference in Vancouver earlier this year. Permanently subverting one's motherboard may end up being the ultimate act of subversion. <br><br> So what's all the rage? You can read on Intel's <a href="http://softwarecommunity.intel.com/articles/eng/1032.htm" mce_href="http://softwarecommunity.intel.com/articles/eng/1032.htm">pages</a>: <br><br> "<i>3. Intel AMT Platform Security <br><br> While one of the key usage models for Intel AMT is that it allows management applications to access client computers when they are in a powered-off state, the radio in a wireless network interface card (NIC) is typically not operational in power states other than S0. 
Thus, no wireless Intel AMT functionality is available when laptops are powered down or in low-power modes (sleep, hibernate, etc.).</i>" <br><br> Going one better: "<i>Intel AMT Releases 2.5 and 3.0 are concurrent releases, with Release 2.5 supporting wireless capabilities on mobile platforms and Release 3.0 supporting wired PCs.</i>" <br><br> You may not need physical access anymore, but rather wardrive through a neighborhood or just take public transportation to attack all those laptops that do not even need to be powered on. <br><br> Accompanying the Centrino Duo and Centrino Pro release were announcements of new notebook computers from Hewlett-Packard, Gateway, Fujitsu, Sony, Toshiba, Acer, Lenovo, Dell, and others. Several hundred new notebook models with the updated Centrino platforms are expected to be released and make this technology ubiquitous. f1397696-738c-4295-afcd-943feb885714:7842 IDS vs. Endpoint Lockdown http://blog.bit9.com/bid/7841/IDS-vs-Endpoint-Lockdown <br> Here's a great <a href="http://beaucoupkevin.com/images/punch_machine.gif" mce_href="http://beaucoupkevin.com/images/punch_machine.gif">illustration</a> of effectiveness between IDS and Endpoint Lockdown as we have implemented it. Having a passive IDS (Intrusion Detection System) product in your Enterprise is akin to sitting in a train and snapping pictures of the world that goes by. You may see bad things that you would have liked to have eliminated, but it is usually too little and too late. <br><br> On the other hand, your ability to eliminate all the unwanted or unknown components each and every time gives you the protection for exactly the same motives that an IDS system was bought, additional visibility. As in the example, you need to whack exactly what is wrong, and whack them all without a mistake. f1397696-738c-4295-afcd-943feb885714:7841 Suspicious Software Part 2: Email vs. 
SPAM Tools http://blog.bit9.com/bid/7840/Suspicious-Software-Part-2-Email-vs-SPAM-Tools <br> Most organizations permit use of alternative Email clients. We all have our preferences. I still love Pine under Unix, for example. Yes, a bit retro. But, where's the line between an alternative Email client and a SPAM tool? They both send email, yet a SPAM tool does it more efficiently. A good SPAM tool may even be a great commercial product with a large price tag or even with <a href="http://blog.spywareguide.com/2008/07/spamtool.html" mce_href="http://blog.spywareguide.com/2008/07/spamtool.html">Anger Management</a> features. Should an Enterprise IT department monitor a list of Email clients used throughout the organization and pick only the top 10 to 20 most popular ones, and disable these boutique tools used by employees that have too much free time or too much desire for a quick buck? The downside of having your Enterprise IP segments blacklisted is known. A lot of SPAM from your organization creates brand damage that goes beyond the inability to send or receive domain from certain mail servers. Depending on where your internet or web services traffic is destined, it may be subjected to stricter control and outright traffic denial. f1397696-738c-4295-afcd-943feb885714:7840 Suspicious Software Part 1: Credit Card Generators http://blog.bit9.com/bid/7839/Suspicious-Software-Part-1-Credit-Card-Generators <br> Spyware is generally taken to mean low-tech malware that is more of a nuisance than a threat, unless it tries to steal my personal data. And, given the sophistication of today's cybercrime gangs, spyware is below the belt. They are interested in rootkits, sophisticated botnet C&C protocols, etc. 
<br><br> Yet, we should look below the surface and ponder how bad it would be to find <a href="http://blog.spywareguide.com/2008/06/credit-card-hack-pack-is-flavo.html" mce_href="http://blog.spywareguide.com/2008/06/credit-card-hack-pack-is-flavo.html">Credit Card Generators</a> in your Enterprise environment. It surely cannot be permissible according to the corporate policy. Even worse, there will be liability for damages generated by the rogue employee even though he may not pose an immediate threat to the company itself. Any software used for outright criminal activity, although not necessarily malicious from IT security's perspective, should be controlled by Enterprise IT departments. f1397696-738c-4295-afcd-943feb885714:7839 The iPods data hole - an argument for device control http://blog.bit9.com/bid/8213/The-iPods-data-hole-an-argument-for-device-control <p> </p><p>This article, <a href="http://arstechnica.com/security/news/2009/01/man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars" mce_href="http://arstechnica.com/security/news/2009/01/man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars" target="" title="" rel="">man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars</a>, on Ars Technica made me both laugh and groan. The subject of the article purchased a second-hand mp3 player. Apparently the former owner was using the device as a removable storage disk to ferry data around. Many of us have done exactly the same thing. The difference, however, is this data contains the names and personal details of US soldiers. </p><p> </p><p>The US government has many rules and processes that govern secure data. There is a wealth of information on this at the <a href="http://csrc.nist.gov/groups/SMA/fisma/index.html" mce_href="http://csrc.nist.gov/groups/SMA/fisma/index.html" target="" title="" rel="">Federal Information Security Management Act (FISMA) NIST site</a>. 
</p><p> </p><p>We can guess at which rules and what processes the original owner violated to enable this breach. The exact rule broken isn't as important as recognizing this breach happened because it was possible in the first place.  </p><p> </p><p>In the effort to get jobs done, shortcuts are often taken. I can certainly think of a scenario where, in a time crunch, this government employee took some secure data home so they could finish up their task over a weekend. His employer may have acknowledged the sensitive nature of the data he was working on and required that this data exist only on computers attached to a secure network that has no connection to the internet. Unfortunately that tempting front-mounted USB port calls to people. They bring in their camera and music player, their USB keys and webcams. Heck, they may even bring in their <a href="http://www.thinkgeek.com/geektoys/warfare/8a0f/" mce_href="http://www.thinkgeek.com/geektoys/warfare/8a0f/" target="" title="" rel="">USB rocket launchers</a> to blow off a little steam at the end of a tough day. </p><p> </p><p>This article isn't the first time that removable storage has led to data loss.  The <a href="http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=H5RRASDKIFZTUQSNDLPCKHSCJUNN2JVN?articleID=201400171&_requestid=175544" mce_href="http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=H5RRASDKIFZTUQSNDLPCKHSCJUNN2JVN?articleID=201400171&_requestid=175544" target="" title="" rel="">massive TJX breach</a> comes to mind. More recently the <a href="http://www.securityoracle.com/news/detail.html?id=14902" mce_href="http://www.securityoracle.com/news/detail.html?id=14902" target="" title="" rel="">details of more than 6,000 prisoners were lost</a>. Through malicious and accidental acts, gigabytes of data leak out USB ports around the world. </p><p> </p><p>Physically removing USB ports may work for some organizations. 
Some have even <a href="http://searchnetworking.techtarget.com.au/tips/21651-USB-storage-devices-Two-ways-to-stop-the-threat-to-network-security" mce_href="http://searchnetworking.techtarget.com.au/tips/21651-USB-storage-devices-Two-ways-to-stop-the-threat-to-network-security" target="" title="" rel="">suggested epoxy as an answer</a>. USB ports have their uses, though, and these tactics are often too extreme. Antivirus and application whitelisting software can prevent the running of malicious code from these devices but they don't adequately address data loss issues.  </p><p> </p><p>What then is the answer? Whitelisting hardware is something that is still in its infancy but for this class of problems I think it shows a lot of promise. Selectively allowing USB devices by the device's serial number or by the logged-in user allows a flexibility that none of the other solutions possess, not even epoxy. :)</p><p> </p><p>I would love to hear your thoughts on these issues. Are there better solutions out there that we, the security industry, should be exploring? </p><p> </p><p> --  <br></p><p>Ex post facto introduction - Since this is my first time blogging for Bit9, a quick introduction might be in order. My name is Naveed Ihsanullah. I have worked in the field of software development and security for the past fifteen years. I have always been a firm believer in white listing as a solution for IT infrastructure control and to the ever increasing glut of malware. After hearing about the exciting Parity product, I joined Bit9 in Autumn 2008 as a Development Architect. <br></p> f1397696-738c-4295-afcd-943feb885714:8213 Making Firmware Software Trustworthy http://blog.bit9.com/bid/7838/Making-Firmware-Software-Trustworthy <br> It is old news that Seagate has built encryption directly into the hard drive firmware. In short succession the rest of the industry has followed suit or announced plans for it. 
This has had digital forensics practitioners screaming in agony ever since, as if it was not hard enough sifting through the TBs of data that a typical Enterprise investigation now takes. <br><br> Researchers and, more importantly, intelligence professionals have been playing with the cold boot attack mechanism, bringing a healthy dose of science fiction into what really is a purely digital problem, by spraying DRAM memory chips with a coolant, so that HD encryption keys could be taken out. Here's an interesting <a href="http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html" mce_href="http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html">report</a> from Bruce Schneier.<br><br> A more interesting angle to this is to consider the encryption firmware itself. Should we mention that it may be highly proprietary and difficult to reverse? Or not, but how are we to know? Or should we fantasize about some government's hidden backdoors and decryption mechanisms that were forced upon these hardware vendors? Think US Government, if you are on the left, or Chinese or Russian if you are on the right. Last year the Chinese offered to <a href="http://www.eweek.com/c/a/Storage/Report-Chinese-Company-Interested-in-Buying-Seagate/" mce_href="http://www.eweek.com/c/a/Storage/Report-Chinese-Company-Interested-in-Buying-Seagate/">buy</a> Seagate. It caused quite a stir. <br><br> We do not have a problem with encryption. Protection is a right (should we say your first amendment right?), but we need to be able to certify our encryption solutions and verify their functionality and integrity long after the purchase date. Only in that way will we be protected and assured of our digital assets. In a more open environment, even forensics solutions will find a way to adopt and use more straightforward ways to acquire the data. 
f1397696-738c-4295-afcd-943feb885714:7838 Success with Application Whitelisting: Finding a perfect Security for YOUR problem http://blog.bit9.com/bid/7837/Success-with-Application-Whitelisting-Finding-a-perfect-Security-for-YOUR-problem <br> There are hundreds if not thousands of anti-malware researchers who are extremely hard at work trying to give us the best possible set of signatures, the best possible protection against the bad things that are trying to harm us. They are the so-called blacklisters. We need to thank them. We also need to explain that not all security products fix all security scenarios. New challenges are making the old processes obsolete. Advances in security breed advances in malware creation, hence the flood of incoming samples. <br><br> Application Whitelisting in the current form, on the other hand, does some things extremely well. It is the best solution to lock down an end point to an acceptable set of applications and their derivatives. It has always been a challenge to deal with automatic updaters, patches, service packs and the like that continually change your system's basic software image. Application Whitelisting can give the flexibility of forgetting about these challenges and focusing on a positive security model. <br><br> But lockdown is not for all end points or all end users. They may need to have the flexibility to experiment, go outside of the box and drill down into more exotic areas of the Internet. Even though Application Whitelisting could help them with software reputation and software assurance that the system has not been compromised by unknown software applications, it is still very prudent to combine the benefits of a whitelisting solution with those of a typical anti-malware suite. f1397696-738c-4295-afcd-943feb885714:7837 When SAFE is really safe http://blog.bit9.com/bid/7836/When-SAFE-is-really-safe <br> We have been asked many times about SAFE, our "Software Approval for the Enterprise" mechanism. 
What is it and why is it important? SAFE lies at the heart of the Bit9 Parity system and it encapsulates the most complex part of the Bit9 Parity end point system. It is Bit9's answer to mistakes made by the first generation of Whitelisting products, extending the concept to what we today refer to as "Application Whitelisting". <br><br> The greatest problem to solve with Whitelisting is the complexity that comes with management of millions of files that can be found on an average Enterprise network. Once an administrator is given the power to ban or approve every script, dll and executable, the responsibility is on him or her to do the right thing. <br><br> Bit9's SAFE implementation is a smart logic layer that can determine what a software application is, apart from the operating system and not including malicious hooking that could potentially promote an application trust to a malicious software component. As such, SAFE allows Bit9 Parity to view and manage software applications as collections of files, giving them a distinct level of trust and manageability. <br><br> SAFE is Bit9's mechanism that truly distinguishes it from a standard blacklisting solution because it can be driven by numerous types of trust policies, be it by using digital certificates, trusted repositories or any other automatic approval method already in the Bit9 Parity arsenal. 
f1397696-738c-4295-afcd-943feb885714:7836 The One Panel You Cannot Miss at CES http://digitalsmiths.com/node/469 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jan 7th, 2009 11:44 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>In Las Vegas for the <a href="http://www.cesweb.org/" target="_blank">Consumer Electronic Show</a>?  Gotuit’s VP of Business Development, Dan Gill will speak on a must-see Digital Hollywood panel where he will discuss how broadband video publishers can maximize their advertising revenue using the power of interactive, rich metadata and flexible advertising logic.</p> </div> <div> <a href="http://digitalsmiths.com/node/469">Continue Reading...</a> </div> 469 at http://digitalsmiths.com Application White listing Going Mainstream http://blog.bit9.com/bid/7470/Application-White-listing-Going-Mainstream <P mce_keep="true"> </P> <P>This <a href="http://news.cnet.com/8301-10789_3-10103950-57.html?tag=mncol;title" target="_new" mce_href="http://news.cnet.com/8301-10789_3-10103950-57.html?tag=mncol;title">article</a> by Rob Vamosi of CNet came out last week and created a lot of debate on white listing, what it means.  </P> <P mce_keep="true"> </P> <P>I'm seeing a few outdated misconceptions, and a couple of points made in the posts that we can help clarify. </P> <P mce_keep="true"> </P> <P>Regarding the Bit9 Global Software Registry: -- the Bit9 GSR is used as a look up service <BR>- in the cloud - for enterprises that want to identify unknown applications. 
It provides reputation ratings for applications, which are classified by hash. This is completely different than an enterprise's white list of good applications that are allowed to execute. The enterprise decides what applications are included on their white list and which ones are acceptable according to company policy. </P> <P mce_keep="true"> </P> <P>The Bit9 GSR is extremely helpful as a service for IT, security, audit and compliance professionals who are deploying white listing protection and want to find out what is on their end points. It is an eye opening experience discovering all the applications that are on an enterprise's endpoints. IT professionals often find something and have no idea what it is. Think of the GSR as the Yellow Pages or Consumer Reports for trusted applications. </P> <P mce_keep="true"> </P> <P>What's clear is that the blacklist-only approach to IT security is quickly becoming extinct. There's just no way to test, catalog, update, patch and scan our way to protection from malware using antivirus signatures. 
If there were antivirus signature updates being pushed across enterprise networks <STRONG>every</STRONG> time a virus mutated, the signature files would cause more network slowdowns than the viruses themselves.</P> <P mce_keep="true"> </P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:7470 Google, Yahoo!, Pixsy Video Search Indexes Explode with Gotuit http://digitalsmiths.com/node/472 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Oct 31st, 2008 10:29 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>The Internet has evolved from text, to images, to video and video publishers are hungry for solutions that will better drive search traffic to their video libraries.  
However, accurate, relevant, and useful video search remains a difficult problem that the biggest technology companies in the world are still trying to solve.</p> </div> <div> <a href="http://digitalsmiths.com/node/472">Continue Reading...</a> </div> 472 at http://digitalsmiths.com Helping Major League Soccer Go Viral with the New York Times http://digitalsmiths.com/node/470 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Oct 29th, 2008 10:23 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>We have been powering Major League Soccer’s QuickKicks video portal for the past three seasons.  Using our premium, scene-based metadata viewers can choose any game, and then watch playlists of just the Highlights, Goals, Saves, Set Pieces, Best Runs and player spotlights from each team.  
Any scene can be directly linked to, or embedded using the metadata. More and more, soccer fans are using the site to get the best moments of the games to insert in their blogs - which is exactly the kind of viral sharing that helps to drive more traffic for MLS.</p> </div> <div> <a href="http://digitalsmiths.com/node/470">Continue Reading...</a> </div> 470 at http://digitalsmiths.com Check Out Gotuit at Digital Hollywood http://digitalsmiths.com/node/471 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Oct 22nd, 2008 03:35 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Going to <a href="http://www.digitalhollywood.com/LAFall08Agenda.html" target="_blank">Digital Hollywood</a> next week?  Gotuit will be there in force, with a booth (#45) and a presence on two different panels.  Gotuit CEO Mark Pascarella will first speak on Wednesday at “The Television and the PC-Mobile: Technology and Content that Bridge the Digital Consumer Experience” and then on Thursday at “Video Metadata Revolution: Unleashing the Value of Video Programming in an On Demand World”.</p> <p><strong>Wednesday, October 29th - 3:50PM</strong></p> </div> <div> <a href="http://digitalsmiths.com/node/471">Continue Reading...</a> </div> 471 at http://digitalsmiths.com What's a Perfect Security Tool? http://blog.bit9.com/bid/6948/What-s-a-Perfect-Security-Tool <P>The security industry has exploded in the last 10 years, with a huge quantity of products and approaches. 
Yet for most people security is a singular concept that demands a single solution. For the first ten years of Anti-Virus protection, it was just that: one approach with few competing vendors. Then came network connectivity, firewalls, exploitation for economic benefit, and the top has exploded. </P> <P><BR><img title="" height="391" alt="" src="http://web.bit9.com/Portals/447/images//AV%20Industry%20Today.png" width="575" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/AV Industry Today.png" /><BR></P> <P mce_keep="true"> </P> <P>The point here is that the market has quickly developed from generic to specific methodology for protection. Solutions are being built to address one or very few use case scenarios, and never all possible cases. For example, Vanja Svajcer of <a href="http://www.sophos.com/security/blog" mce_href="http://www.sophos.com/security/blog">Sophos</a>, among a long list of security researchers, <a href="http://news.zdnet.co.uk/security/0,1000000189,39217321,00.htm" mce_href=" http://news.zdnet.co.uk/security/0,1000000189,39217321,00.htm">warns</a> users against relying solely on their anti-virus protection. It cannot work for every case. In today's landscape of SQL Injection attacks and custom botnet infiltration, AV tools that are built under a one-size-fits-all model will not protect your data and property. <BR><BR>Microsoft has been so successful in pushing its Personal Computer Operating System that it now protects among others: Point-Of-Sales Terminals, Cash Registers, ATMs, Gambling Machines, Voting Stations, and not to mention TVs and mobile phones. These end points cannot and should not have the same security posture as a typical Personal Computer. For starters, many specialized devices have a very controlled execution environment. So now, why should they have a security product that assumes that a user will want to run all the unknown code? 
<BR><BR>According to hype, Anti-Malware protection is viewed as a stale incumbent with a little life left in it. Yet no one is really recommending that we do away with it. Actually, <a href="http://www.virusbtn.com/pdf/conference_slides/2008/AlexEckelberry-VB2008.pdf" mce_href="http://www.virusbtn.com/pdf/conference_slides/2008/AlexEckelberry-VB2008.pdf">according</a> to Alex Eckelberry, CEO of <a href="http://web.bit9.com/" mce_href="">Sunbelt Software</a>, a typical user is quite satisfied with it, with Enterprise users a bit less. We still want protection from the known attacks while we dream of a silver bullet that would make all of our bits and bytes behave. And for those who dream, industry has a plethora of endpoint and network based offerings to fit their budget. It is really not all that important if your IDS or HIPS product is disabled or logs are never ever reviewed. <BR><BR>But that's not the point. Anti-Malware suites rightfully assume that there is a physical freedom loving rebel behind each end point. That's their target audience. Purpose-built terminals that perform only a set of very specific tasks require a different, more tightly controlled, environment. Needless to say, Anti-Malware suites were never meant to protect them against unknown attacks. </P> f1397696-738c-4295-afcd-943feb885714:6948 Slick UI = Rogue Anti-Virus? http://blog.bit9.com/bid/6945/Slick-UI-Rogue-Anti-Virus Check out the Rogue Anti-Virus gallery at <a href="http://sunbeltblog.blogspot.com/" mce_href="http://sunbeltblog.blogspot.com/">Sunbelt Blog</a>. Somehow it appears that the bad guys are investing more in User Interface design than the legitimate Anti-Malware vendors. 
Compare these rogue UI's: <a href="http://web.bit9.com/Rapid%20Antivirus">Rapid Antivirus</a>, <a href="http://sunbeltblog.blogspot.com/2008/10/new-rogue-antivirus-2010.html" mce_href="http://sunbeltblog.blogspot.com/2008/10/new-rogue-antivirus-2010.html">Antivirus 2010</a>, <a href="http://sunbeltblog.blogspot.com/2008/10/new-rogue-xp-antispyware-2009.html" mce_href="http://sunbeltblog.blogspot.com/2008/10/new-rogue-xp-antispyware-2009.html">XP AntiSpyware 2009</a> to our legitimate Anti-Malware product <a href="http://web.bit9.com/Home/bid/6363/Who-s-the-Sexiest-AV-Product-Around" mce_href="http://web.bit9.com/Home/bid/6363/Who-s-the-Sexiest-AV-Product-Around">beauty contest</a>. f1397696-738c-4295-afcd-943feb885714:6945 Fixing SCADA: Talk or Just Talk? http://blog.bit9.com/bid/6943/Fixing-SCADA-Talk-or-Just-Talk At last week's VirusBulletin in Ottawa, Peter Allor of IBM gave a bit of an <a href="http://www.virusbtn.com/conference/vb2008/abstracts/Allor.xml" mce_href="http://www.virusbtn.com/conference/vb2008/abstracts/Allor.xml">untraditional talk</a> for VB, discussing security issues with SCADA systems. The list of fears and problems is long and wide. After all, most SCADA systems are designed to work for 10-20 years. You do not expect to be changing power generation equipment whenever Microsoft releases a major OS upgrade. Yet what struck me was how little the U.S. Government, amidst all the activity surrounding SCADA security, discusses the specific ways that these systems are exposed or could be improved. There's much to talk about when some of these systems are built on top of Windows 95, do not have encrypted command & control protocols, and can be damaged by simple operator error. Try starting and stopping turbines 10 times in a row. It will not look good. It runs over IP. Adding security software to some of these systems is absolutely out of the question as they have been timed and tuned to do one thing only. 
<BR><BR>Is it simply that the situation is so hopeless that retrofitting security into these systems is too futile? Do we hope that the noise raised will force the legislators to mandate that old and insecure software is replaced by a newer, more up-to-date variety? Economic chaos on Wall Street will not help us in the short run. Still, SCADA vendors and Government users should be open to specific discussions surrounding threat exposures in their systems. That's the only way to devise a meaningful set of policies and requirements that the future of SCADA should be implementing. This has to go beyond encrypting communications protocols, logging of all the activities and investing in negative QA testing cycles. Security infrastructure has to be required from security code inspection and review (think of <a href="http://www.fortify.com/" mce_href="http://www.fortify.com">Fortify</a> or <a href="http://www.veracode.com/" mce_href="http://www.veracode.com">Veracode</a>) to actually locking down software execution policies on each SCADA system. f1397696-738c-4295-afcd-943feb885714:6943 Check Out Gotuit at MITX Panel: “Making Money from Online Video” http://digitalsmiths.com/node/473 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Sep 12th, 2008 03:09 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Next Wednesday September 17th, Gotuit CEO Mark Pascarella will speak on the Massachusetts Innovation and Technology Exchange (MITX) panel “The Ins and Outs of Making Money from Online Video”. 
The panel is being moderated by Will Richmond, Editor/Publisher of VideoNuze and will be held at Fidelity Investments, 245 Summer Street, 14th Floor, Boston MA from 6pm to 8pm.</p> <p>Here is the panel description from MITX:</p> </div> <div> <a href="http://digitalsmiths.com/node/473">Continue Reading...</a> </div> 473 at http://digitalsmiths.com Sports Illustrated’s Heisman Hopefuls, powered by Gotuit http://digitalsmiths.com/node/474 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Sep 5th, 2008 09:03 AM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>College football season has started, and once again Sports Illustrated has launched a Gotuit-powered video portal to track the leading Heisman candidates.  Viewers to the 2008 Heisman FilmRoom sponsored by Nissan can watch by Top Contenders, Players, Position, or School.  There is a 2008 preview video for each player live now, and each week SI will publish highlights for each player and update all the playlists including new rankings for the Top Contenders.  Once choosing a player, Gotuit metadata allows the viewer to jump to a specific scene, like Touchdowns, Sacks, or Stati</p> </div> <div> <a href="http://digitalsmiths.com/node/474">Continue Reading...</a> </div> 474 at http://digitalsmiths.com Identifying Software: Servers and Attics http://blog.bit9.com/bid/6470/Identifying-Software-Servers-and-Attics The following line came to my inbox recently courtesy of IDG Connect: "Servers are like attics. 
Start poking around and there's no telling what you might find. Hardware, applications, platforms, operating systems--all with varying layers of dust." <BR><BR>This cannot be further from truth. Windows have the memory loss complex, as they get older they slow down and begin to forget things. It is not the aging hardware, but rather the aging software that keeps pasting layer over layer of stuff that even the army of forensics and vulnerability researchers could entangle. <BR><BR>There are very few solutions today that actually try to discover and identify every piece of software running in your environment. This is not a cheap pitch for Bit9 Parity, but rather a call for an interesting exercise. Do you really know what is in your attic? Bit9 staff can fix you up with a simple trial where we are sure that you will be astonished in what is discovered. Bit9's Global Software Registry can then help you determine exactly where those allegedly rogue files come from. f1397696-738c-4295-afcd-943feb885714:6470 IE 8.0: Wonders of Porn http://blog.bit9.com/bid/6469/IE-8-0-Wonders-of-Porn Microsoft has finally released a public Beta of their next major browser release. IE 8.0, among many other great features, has an "InPrivate" mode, popularly dubbed the <a href="http://www.ft.com/cms/s/0/1dc6fac0-7462-11dd-bc91-0000779fd18c.html?nclick_check=1" mce_href="http://www.ft.com/cms/s/0/1dc6fac0-7462-11dd-bc91-0000779fd18c.html?nclick_check=1">"Porn Mode"</a>, as if "InPrivate" was not subtle enough. Irish Times then went a bit further and labeled it the <a href="http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=103640&blogid=4" mce_href="http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=103640&blogid=4">"porn browser"</a>. 
This all recalls the <a href="http://www.techcrunch.com/2006/07/11/porn-browser-heatseek-launches-yeah-porn-browser/" mce_href="http://www.techcrunch.com/2006/07/11/porn-browser-heatseek-launches-yeah-porn-browser/">debate</a> over Heatseek browser from two years ago. Heatseek is an alternate browser built on IE. <BR><BR>Mention of Porn does get people excited. Just Google IE and "porn mode" and you'll find more than 76K pages. <BR><BR><B>So why do we really need InPrivate mode?</B> <BR><BR>As it has been repeated everywhere, it disables page caching, browser history and remembering of any session states such as form fields and cookies. Caching has annoyed me in the past. As Internet connections became rather fast, it made the caching irrelevant. Still, if you did not frequently clear your cache, you were likely to severely fragment your hard drive. Unlike the rest of your file system each page generates hundreds of small files that take ever more hard disk space, all in small blocks, which in turn clog large contiguous spaces and make the drive go back and forth just to cache a simple web page. Imagine dumping garbage down your drain. It clogs. Hence, if you ever wondered why your machine slows down by simply browsing the Internet, check your fragmentation levels, wipe that cache and defragment your drive. It is no wonder that Firefox offers automatic cache cleanup ("always clear my private data" feature). If this indeed is your experience, you may want to consider buying <a href="http://www.diskeeper.com/" mce_href="http://www.diskeeper.com">Diskeeper</a>. <BR><BR><STRONG>But there are better reasons</STRONG> <BR><BR>Keeping your cache or browser history has serious implications in Enterprise: <BR><BR>(1) Web Mail Privacy: Do you really want Google Desktop or any other desktop indexing software to be indexing your private mail along with your corporate data? 
If you don't care about it, you may still want to think twice as Web mail is protected private mail and your Employer should not be intercepting it without a warrant. As soon as it becomes a part of Google Desktop index, the story changes. Yet if it was not kept on the disk in the first place, you wouldn't have had the problem in the first place. <BR><BR>(2) Custom Web Application and Proprietary Portals: Every Enterprise has one internal facing portal or another, tracking customers, partners, IT resources, you name it. As we all take our laptops home, should potentially sensitive data about our businesses and people be easily available for malware to grab it? If it is in cache, it is usually in clear text form and hence easily extractable by an outside piece of malicious code. How does that relate to any of the HIPAA regulations? Think Medical records, Pharma Trial results. <BR><BR>(3) Browser Cache based malware will need to work harder to infect your system as they will not be written to the disk by default. We could hence expect better protection from our Anti-Malware suites as there will be fewer things to scan and better heuristics for catching rogue buffer overflow attacks that are forcing their way onto disk. <BR><BR>Yes, porn will squeeze by too. Cheapening the discussion to simply a "porn mode" does make Microsoft sexier, something from which Microsoft could always benefit, but it doesn't do much to help us refine our security postures and do things better. <BR><BR>Yet concerns raised are valid as well. Without web cache, it will be more difficult to pinpoint a certain crime to a location and time. Did you surf that web site? Not everybody has implemented a DLP solution like <a href="http://www.vontu.com/" mce_href="http://www.vontu.com">Vontu</a>, <a href="http://www.vericept.com/" mce_href="http://www.vericept.com">Vericept</a> or <a href="http://www.tablus.com/" mce_href="http://www.tablus.com">Tablus</a>. 
Web cache, and for that matter any HD analysis that you can imagine, was a treasure trove for Forensics professionals in the past. It may be less so in the future. <BR><BR>That is all to change. Forensics will require new tools and new solutions. So in a tug of war, we fix some security scenarios which surely break other security solutions that worked around them, knowing full well that what was working before shouldn't have been working in the first place. f1397696-738c-4295-afcd-943feb885714:6469 Stars are aligned for Application Whitelisting, aka Application Control http://blog.bit9.com/bid/6430/Stars-are-aligned-for-Application-Whitelisting-aka-Application-Control <P mce_keep="true">The stars are aligned for application whitelisting in the marketplace -- all the big players are talking about it now and analysts are predicting that it is the future.</P> <P>The new Gartner analyst  research report - "Application Control Market Update," 4 August 2008, by Neil MacDonald and Michael A. Silver - is a great one. To Gartner, the terms "application control" and "application whitelisting" are synonymous.</P> <P>Copied below are some top quotes from the Gartner Research Note.</P> <UL> <LI> <DIV mce_keep="true">"Organizations are looking to application control solutions to augment signature-based antivirus protection and to exert more control over endpoints."</DIV></LI> <LI> <DIV mce_keep="true">"We continue to advise organizations adopting application control solutions that the key to successful tool selection and implementation is the capability to automate the exception management process and to automate list management. 
Bit9 has delivered significant innovation in this area by enabling organizations to query their "whitelist/blacklist in the cloud" knowledge base as a subscription service (see <a href="javascript:void(null)">"Cool Vendors in Infrastructure Protection, 2007"</a>)."</DIV></LI> <LI>"Application "whitelisting" and "blacklisting" techniques are becoming increasingly useful to supplement shortcomings in antivirus systems. These techniques deliver more flexibility to reduce diversity, improve operations and manage PC configuration than merely locking down desktops."</LI> <LI>"When antivirus agents and patching aren't possible, consider application control and system hardening as alternative security controls for point-of-sale (POS) terminals, supervisory control and data acquisition (SCADA) systems, and other devices that fall under regulatory requirements."</LI> <LI>"Application control solutions address shortcomings in antivirus and other signature-based approaches and provide security and operational benefits." </LI> <LI>"In most cases, application control software (see Figure 1) doesn't replace traditional antivirus and personal firewall offerings. Instead, it acts as an additional layer of protection for endpoints to supplement the increasing ineffectiveness of signature-based antivirus solutions, which can't keep up with the explosion in malware variants and the increases in targeted attacks. 
Application control solutions are of interest to information security and operations managers, typically for reducing the chances for image corruption, system damage or data loss by end users, rogue applications or malware."</LI></UL> <P><B>And this whole section:</B></P> <P><STRONG></STRONG> </P> <P>"Application Control Is a Gentler Form of Lockdown</P> <P mce_keep="true"> </P> <P>In addition to security protection, application control solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code ("lockdown") on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use application control solutions:</P> <UL type=disc> <LI>To ensure that unlicensed software isn't being used </LI> <LI>To manage known PC configurations so that enterprise software is easier to deploy and maintain </LI> <LI>To restrict users from running software that could be detrimental to enterprise systems or the network </LI> <LI>To prevent users from adding applications to the organization's application portfolio that will require increased support and cost </LI></UL> <P>Many organizations mistakenly believe that they've accomplished lockdown by removing administrative access from users and designating them as standard users. However, this can cause a number of problems:</P> <P mce_keep="true"> </P> <UL type=disc> <LI>Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity. </LI> <LI>Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. 
It's nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions. </LI> <LI>Contrary to common perception, running users as standard users does not prevent them from installing and running unknown applications. Depending on the level of lockdown, standard users may be able to download and install well-behaved applications that don't require administrative privileges to install or run. Furthermore, without additional restrictions or tools, users are able to load and execute single executables from the network (including via the browser) or removable media. Organizations are also at risk from malware that targets user data and settings, rather than system files.</LI></UL> <P mce_keep="true"> </P> <P>Application control solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can monitor, at a granular level, what software users are looking to run. 
Even if users are running as standard users, application control products can plug the gap created by applications that don't require administrator privileges to install and run or single file executables."</P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:6430 Who's the Sexiest AV Product Around? http://blog.bit9.com/bid/6363/Who-s-the-Sexiest-AV-Product-Around <P>Intego came up recently with the first <a href="http://www.intego.com/news/pr115.asp" mce_href="http://www.intego.com/news/pr115.asp">AV product</a> for the iPhone Platform. What struck us is the awesome User Interface that it carries, as would only be expected for Apple based products. True to form, we have ignored its functionality and any protection benefits that it may carry. <BR><BR>Hence we'd like to have some fun and have an informal poll. Who do you think has the sexiest Anti-Malware product and why? Functionality does not apply, we are only talking about the looks, even though some beautiful products are really good. Please send us more screenshots of relevant products if you can, and we'll add them to the list. Of course, subjectivity matters, as this is about taste, that is guessing the consumer's taste. <BR><BR>Why is this important? It is really not, but many companies heavily invest in making their security products visually exciting. They even excessively stress about it, hiring expensive PR firms, as is the case with Symantec.  It ended up being dinged in reviews for its <B>Yellow Fever</B> theme. Why we think that customers care about their AV UI is a topic for another discussion. <BR><BR>Feel free to be biased. 
We are too, although saying that anything Apple is sexier than anything Windows is as objective a statement as possible. Whitelabel products are absolutely welcome. <BR><BR>So here are our top 3 sexiest AV contenders: <BR><BR><B>1. </B><a href="http://www.intego.com/" mce_href="http://www.intego.com">Intego</a> - Obvious, eye candy makes us more secure </P> <P><B>2.</B> <a href="http://www.kittyhell.com/2008/07/03/hello-kitty-antivirus-and-firewall-software/" mce_href="http://www.kittyhell.com/2008/07/03/hello-kitty-antivirus-and-firewall-software/">HelloKitty AV</a> - As long as it protects from <a href="http://us.mcafee.com/virusInfo/default.asp?id=description&dtop=&virus_k=99594" mce_href="http://us.mcafee.com/virusInfo/default.asp?id=description&dtop=&virus_k=99594">HelloKitty Malware</a>, Kitty's in </P> <P><B>3.</B> <a href="https://www.trustedid.com/suzeidkit" mce_href="https://www.trustedid.com/suzeidkit">Suze Orman AV</a> - Because security starts with a face <BR></P> <P><B></B> </P> <P><B>REST OF THE LIST, TBD.  Please vote!</B></P> <P><BR>Finally, here's the trailing bunch. Supporting documentation was liberally borrowed from Download.Com and Softpedia.  Here are some screenshots.  Obviously there're more interesting products. 
<BR><BR><B><a href="http://www.intego.com/">Intego</a> iPhone AV</B> <BR><BR><img title="iPhone AV" height="346" alt="iPhone AV" src="http://web.bit9.com/Portals/447/images//iPhone%20AV.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/iPhone AV.jpg" /> <BR><BR><B>Hello Kitty AV</B> <BR><BR><img title="Hello Kitty AV" alt="Hello Kitty AV" src="http://web.bit9.com/Portals/447/images//hello%20kitty.jpg" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/hello kitty.jpg" /> <img title="Hello Kitty AV" alt="Hello Kitty AV" src="http://web.bit9.com/Portals/447/images//hello%20kitty%202.png" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/hello kitty 2.png" /> <BR><BR><B><a href="http://www.suzeidkit.com/">Suze Orman's Identity Theft Kit</a></B> <BR><img title="" alt="" src="http://web.bit9.com/Portals/447/images//Orman1.jpg" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/Orman1.jpg" /><BR><img title="" height="418" alt="" src="http://web.bit9.com/Portals/447/images//Orman2.jpg" width="450" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/Orman2.jpg" /> <BR><BR><B><a href="http://www.fsecure.com/">F-Secure</a></B> <BR><BR><img title="F-Secure" height="386" alt="F-Secure" src="http://web.bit9.com/Portals/447/images//F-Secure-Client-Security_1.png" width="491" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/F-Secure-Client-Security_1.png" /> <BR><BR><B><a href="http://www.iolo.com/">iolo</a></B> <BR><BR><img title="iolo" height="293" alt="iolo" src="http://web.bit9.com/Portals/447/images//iolo-Antivirus_1.png" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/iolo-Antivirus_1.png" /> <BR><BR><B><a href="http://www.pctools.com/">PCTools</a></B> <BR><BR><img title="PCTools" height="368" alt="PCTools" src="http://web.bit9.com/Portals/447/images//PCTools.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/PCTools.jpg" /> <BR><BR><B><a 
href="http://www.symantec.com/">Symantec</a></B> <BR><BR><img title="Symantec" height="366" alt="Symantec" src="http://web.bit9.com/Portals/447/images//symantec.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/symantec.jpg" /> <BR><BR><B><a href="http://www.mcafee.com/">McAfee</a></B> <BR><BR><img title="" height="368" alt="" src="http://web.bit9.com/Portals/447/images//McAfee.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/McAfee.jpg" /> <BR><BR><B>K7 Total Security</B> <BR><BR><img title="K7 Total Security" height="358" alt="K7 Total Security" src="http://web.bit9.com/Portals/447/images//K7-TotalSecurity_1.png" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/K7-TotalSecurity_1.png" /> <BR><BR><B><a href="http://www.eset.com/">Eset</a> NOD32</B> <BR><BR><img title="Eset NOD32" height="357" alt="Eset NOD32" src="http://web.bit9.com/Portals/447/images//NOD_2.png" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/NOD_2.png" /> <BR><BR><B><a href="http://www.trendmicro.com/">Trend Micro</a></B> <BR><BR><img title="" height="367" alt="" src="http://web.bit9.com/Portals/447/images//trend%20micro.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/trend micro.jpg" /> <BR><BR><B><a href="http://www.kaspersky.com/">Kaspersky</a> KIS 2009</B> <BR><BR><img title="Kaspersky KIS 2009" height="395" alt="Kaspersky KIS 2009" src="http://web.bit9.com/Portals/447/images//KIS2009.png" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/KIS2009.png" /> <BR><BR><B><a href="http://www.avast.com/">AVAST</a></B> <BR><BR><img title="Avast" height="367" alt="AVAST" src="http://web.bit9.com/Portals/447/images//avast.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/avast.jpg" /> <BR><BR><B><a href="http://www.avg.com/">AVG</a></B> <BR><BR><img title="AVG" height="367" alt="AVG" 
src="http://web.bit9.com/Portals/447/images//AVG.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/AVG.jpg" /> <BR><BR><B><a href="http://www.avira.com/">AVIRA</a></B> <BR><BR><img title="AVIRA" height="368" alt="AVIRA" src="http://web.bit9.com/Portals/447/images//avira.jpg" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/avira.jpg" /> <BR><BR><B><a href="http://www.bitdefender.com/">BitDefender</a> Total Security</B> <BR><BR><img title="BitDefender" height="335" alt="BitDefender" src="http://web.bit9.com/Portals/447/images//BitDefender-Total-Security_1.png" width="490" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/BitDefender-Total-Security_1.png" /> <BR><BR><B><a href="http://www.pandasecurity.com/">Panda Platinum Internet Security</a></B> <BR><BR><img title="Panda Platinum" height="349" alt="Panda Platinum" src="http://web.bit9.com/Portals/447/images//Panda-Platinum-Internet-Security_1.png" width="493" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/Panda-Platinum-Internet-Security_1.png" /> <BR><a href="http://technorati.com/claim/52hvd758xh" rel="me">Technorati Profile</a></P> f1397696-738c-4295-afcd-943feb885714:6363 Online fundraising and malware: Could Elections be in trouble? http://blog.bit9.com/bid/6346/Online-fundraising-and-malware-Could-Elections-be-in-trouble <P>In this pre-election season, we seldom step back and think about potential threats to our democracy. All eyes are on picking the best candidate. Yet, we need to be very concerned about the influx of Internet into our election process. For one, most candidates fundraise on the web today. They also heavily use their web sites and email as communication vehicles and as means to mobilize the party faithful. <BR><BR>Internet opens up a great opportunity for a qualitative electoral advantage, but it also opens gates to serious fraud and a potential for significant campaign disruption. 
We have seen heavy usage of technology in past elections. Democrats may have seemed technologically challenged (curious with so many young and Silicon Valley pundits). Republicans seemed savvier with their palmtops and electronic lists of party faithful. <BR><BR>2004 Election was a watershed election bringing a number of firsts: </P> <UL> <UL> <LI>First use of E-mail solicitation <UL> <LI>45% of Democrat donors received Email daily </LI></UL></LI> <LI>Organizing of supporters on web – Political BLOGs </LI> <LI>Online fund raising with Kerry campaign taking a lead <UL> <LI>70% of Online Donors forwarded emails to others </LI></UL></LI> <LI>Candidates raised: </LI></UL></UL> <UL> <UL> <LI>John Kerry - $82MM </LI> <LI>Howard Dean - $20MM </LI> <LI>George Bush - $14MM <BR></LI></UL>Serious concerns were raised by Oliver Friedrichs at <a href="http://www.blackhat.com/" mce_href="http://www.blackhat.com">Black Hat 2008</a> in a talk titled "Threats to the 2008 Presidential Election". <BR><BR>Key takeaways are the following: <BR><BR><B>Online campaign donations can be tampered with.</B> <BR><BR>Given the significant amounts being raised online, phishing attacks could defraud donors, dampen enthusiasm & seriously shortchange candidates. Opponents or foreign elements could easily be behind these efforts. It all stems from the ad hoc structure of campaign web sites. </UL> <UL><BR><img title="" height="411" alt="" src="http://web.bit9.com/Portals/447/images//Contribution%20DOS.png" width="530" border="0" mce_src="http://blog.bit9.com/Portals/447/images\/Contribution DOS.png" /><BR><B> </B></UL> <UL>  <B>Political Campaign SPAM</B> <BR><BR>We should worry about campaign SPAM that may lead to phishing attacks, or could simply spread misinformation and false rumors or generate artificial scandals. Successful attacks against your support base could pollute email as a communications medium, intimidate potential voters, and hurt those grassroots efforts. 
Imagine fake scandals, subtle suggestions of legal or health trouble or of a position change. <BR><BR><B>Vulnerable campaign web sites & blogs</B> <BR><BR>The ease of SQL Injection attacks has demonstrated that the best way to infect a large number of users is to go where they are. Infecting a campaign web site is a perfect way to get to the most trusted campaign volunteers or staff. They could be tagged with stealthy (rootkitted) and bespoke malware undetected by anti-malware solutions. Potential criminal elements could own your campaign. Being owned could mean sensitive data leakage, redirection of campaign funds, and more, all by forces that are not necessarily U.S. based. <BR><BR>Given the speed of the Internet, these attacks could be perpetrated a few days before the election, thus influencing the election outcome. <BR><BR>Should we worry now?</UL> f1397696-738c-4295-afcd-943feb885714:6346 Are Enterprise Customers really Uninstalling VISTA? http://blog.bit9.com/bid/6334/Are-Enterprise-Customers-really-Uninstalling-VISTA Vista Enterprise rollouts seem to be hitting a significant <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=windows&articleId=9112885&taxonomyId=125&intsrc=kc_top" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=windows&articleId=9112885&taxonomyId=125&intsrc=kc_top">snag</a>, according to <a href="http://www.xpnet.com/" mce_href="http://www.xpnet.com/">Devil Mountain Software</a>, with 35% of Windows VISTA installs being uninstalled in favor of Windows XP. HP & Dell have been downgrading new Vista machines to XP in response to customer demands. Even though Microsoft no longer supports XP, HP & Dell will allow customers to downgrade to XP until July of 2009. Still, a sample of 3,000 machines is not a very convincing statistic. There are more than 200 million desktops and laptops shipped annually. The vast majority of them carry the latest Microsoft OS of record, VISTA. 
Hence, we need to question results based on less than 0.0015% of the sample. <BR><BR>Bit9's experience speaks to the contrary. Even though the adoption of VISTA is slow and the migration path lengthy, organizations are planning their moves to VISTA. Software compatibility problems are offset with new functionality, better user interface and significant security improvements. Even though some organizations are clamoring about skipping the Windows VISTA refresh, they may simply be waiting for others to work out software and driver incompatibilities for them. <BR><BR>As for downgrades, many organizations need new hardware to replace decommissioned machines. That new hardware needs to be running XP at least until VISTA migration procedures are in place, so as not to impact internal security and operational procedures. Not that downgrading is inconceivable, yet 35% seems to be overtly exaggerated. f1397696-738c-4295-afcd-943feb885714:6334 Vulnerability Disclosures: Who's on top now? http://blog.bit9.com/bid/6266/Vulnerability-Disclosures-Who-s-on-top-now Max blogs about <a href="http://blogs.stopbadware.org/articles/2008/08/11/apple-keeps-mum" mce_href="http://blogs.stopbadware.org/articles/2008/08/11/apple-keeps-mum">difficulties</a> in getting Apple to acknowledge their vulnerabilities. <BR><BR>Yet, according to ISS X-FORCE <a href="http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf" mce_href="http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf">Security Report</a>, Apple has overtaken Microsoft in the number of vulnerability disclosures. Microsoft still leads the race in the number of exploits. It seems that it still pays more to exploit Windows instead of MacOS, even though this discrepancy is narrowing. 
<BR><img title="" height="431" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/iss1.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/iss1.png" /><BR>Note the high positions for Joomla and Drupal. It is a testament to their success, as well as to SQL Injection attack exploitability. <BR><BR>What galvanizes Apple's effort is the popularity of the iPhone. Vulnerabilities affecting the iPhone are taken more <a href="http://www.breitbart.com/article.php?id=080810051102.njhra1ru&show_article=1">seriously</a>, which helps users like me, but is also bound to filter down to other products that are based on the same OS. f1397696-738c-4295-afcd-943feb885714:6266 Breaking News: From Abortion to Anti-Cancer Trials http://blog.bit9.com/bid/6265/Breaking-News-From-Abortion-to-Anti-Cancer-Trials <P>Fake Adobe Flash downloads seem to be a perfect social engineering attack. After all, we are all used to automatically accepting updates of Flash and similar technologies. In a sense, this is a similar strategy to last year's <a href="http://www.appscout.com/2007/05/beware_fake_xp_reactivation.php">Fake XP Re-Activation case</a>. Let's hope that this will be the demise of release-poor-code patch-later philosophies. <BR><BR>Yet we are all news junkies, and as such will be hearing more about these types of attacks in the coming weeks. As of today "CNN Top 10" emails have gotten a bit more sophisticated. They now read: "CNN Alerts: Breaking news". A much less suspect message, as I never cared much about Top 10 of anything, but would be curious about that Breaking News event. <BR><BR>What makes it more exciting is a hint. The latest Fake Adobe Flash peddling SPAM tries to guess my economic, wellness or political interest. It becomes a worthy marketing study: "what would it take to make me click on a news link?" 
<BR><BR>For example, </P> <P>If I was following the latest <STRONG>business </STRONG>news, I could pick:<BR><I>msnbc.com - BREAKING NEWS: Jerry Yang relinquishes control over Yahoo</I> <BR><BR>If I was incensed about the state of the <STRONG>economy</STRONG>:<BR><I>msnbc.com - BREAKING NEWS: Oil prices rises due to attacks </I><BR><BR>If I was keeping up with the <STRONG>pre-election madness</STRONG>:<BR><I>msnbc.com - BREAKING NEWS: Abortion outlawed in California</I> <BR><BR>If I was tracking the <STRONG>foreclosure</STRONG> fiasco:<BR><I>msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month</I> <BR><BR>If I was a <STRONG>wellness</STRONG> junkie:<BR><I>msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials</I> <BR><BR>If I was <STRONG>technology</STRONG> mad:<BR><I>msnbc.com - BREAKING NEWS: Microsoft announces takeover bid for Intel</I> <BR><BR>Best of all, social engineering tactics are well positioned for attacking social networks. Kaspersky researchers have recently <a href="http://www.viruslist.com/en/weblog?weblogid=208187551" mce_href="http://www.viruslist.com/en/weblog? weblogid=208187551">discovered</a> fake Adobe Flash downloads attached to picture links posted in <a href="http://www.twitter.com/" mce_href="http://www.twitter.com">Twitter</a> updates. As identity theft shifts to stealing social network identities, it will no longer be necessary to create a bogus social network account on Twitter or Facebook. Stolen identities will be sufficient for the next iteration of these attacks. <BR><BR>Sadly, good mitigation strategies are few. Our SPAM protection would have to be stellar, which it is not. SPAM still gets through. We would have to be able to trust digital certificates, which we cannot, thanks to loose certificate issuance policies. We would need to assess from where automatic downloads originate, something that is not trivial even for expert users. 
Adobe <a href="http://blogs.adobe.com/psirt/2008/08/verifying_installers.html" mce_href="http://blogs.adobe.com/psirt/2008/08/verifying_installers.html">recommends</a> that you only install Flash and its updates from official sites, as if my grandmother knows where Flash comes from. It is also contrary to the viral marketing strategy that was always behind Flash. This strategy has been for years providing automatic download of Flash behind each and every flash animation. Adobe's advice is what it is, <I>provided "AS IS"</I>. Nice touch.</P> f1397696-738c-4295-afcd-943feb885714:6265 Gotuit on Panel with MTV, Turner Sports, Metacafe at the Akamai Conference Next Week http://digitalsmiths.com/node/475 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Aug 12th, 2008 04:20 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>If you missed us at Building Blocks last week, get over to the inaugural Akamai Global Customer Conference next week in Boston. The show is being held at The Boston Renaissance Waterfront Hotel, from August 18-20.</p> <p>We will be set up in the Partner Pavilion where you can see demonstrations of our very latest technology, including our recent integration with Move Networks, plus our President & CEO Mark Pascarella will also be speaking on a panel.</p> </div> <div> <a href="http://digitalsmiths.com/node/475">Continue Reading...</a> </div> 475 at http://digitalsmiths.com How to spot fake Adobe Flash downloads? 
http://blog.bit9.com/bid/6226/How-to-spot-fake-Adobe-Flash-downloads I've been wondering what's up with all the "CNN Top 10 News" spam. I was happy to read that someone has spent the time <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111858" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111858">investigating it</a>. <BR><BR>It turns out that compelling headlines led victims to infected web sites which, not surprisingly, were prompting you to install an infected Flash player. So far not very exciting. <BR><BR>What strikes me is the following: isn't Flash just a perfect ruse? There are multiple versions of it, Flash, Shockwave, Flex, AIR, plus several retired players. Not all require a free new player to view content, but they all build a complacence saying, if it says that it is Flash and seems benign, just install it and be done with it. <BR><BR>So as a security professional, you scream gotcha. The installer was most likely not signed, and if signed, it was not signed by Adobe Inc, as that would certainly make all the news outlets at the same time. It was a user mistake, hence not so exciting. Social trickery takes advantage of unsophisticated users, making this into a laughable matter, into a not very sophisticated attack. <BR><BR>Yet we are dealing with very fair questions. How many people know that Flash is made by Adobe? Wasn't it made by Macromedia until not so long ago? How many people understand why Flash is installing in the first place? How many people know what Adobe is? How does an average person know for sure what should really be installed on their machines and what not? f1397696-738c-4295-afcd-943feb885714:6226 Gotuit-Move Networks Integration: Why Should You Care? 
http://digitalsmiths.com/node/476 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Aug 8th, 2008 05:24 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Yesterday’s announcement of our completed integration with <a href="http://www.movenetworks.com/" target="_blank">Move Networks</a> was a major milestone for Gotuit on a few dimensions.</p> <p>First, it means any video publisher that is currently using Move Networks, or thinking about switching to Move for their premium video quality, now can take advantage of Gotuit’s ability to deliver personalized, non-linear viewing experiences that will serve (more) advertising along the way at precise advertising insertion points.</p> </div> <div> <a href="http://digitalsmiths.com/node/476">Continue Reading...</a> </div> 476 at http://digitalsmiths.com Websense Report: It still takes Weeks to get Malware Blacklisted http://blog.bit9.com/bid/6184/Websense-Report-It-still-takes-Weeks-to-get-Malware-Blacklisted <a href="http://investor.websense.com/management.cfm">Dan Hubbard's</a> Websense Research Team produces very interesting research reports. 
I have attended their latest <a href="http://w.on24.com/r.htm?e=113323&s=1&k=FEC1D861FC508B37E560C54C467B489C">web presentation</a> and found the following slide interesting, if not all that surprising: <BR><BR><img title="" height="419" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/websense1.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/websense1.png" />One day and a half before a first signature is written for a popular piece of malware! You can only imagine what happens with custom tailored pieces of malware that you identify and ask your anti-malware vendor to write a signature for. We have heard from our customers that they have been waiting 3 days or more (factory floors at standstill) to get a definition written. <BR><BR>Websense data does not cover proactive technology. It does cover samples that have been seen upwards of 100K times in the wild and require a signature ASAP. We cannot leave it up to the user to decide whether to allow, block or ignore. <BR><BR>Furthermore, Websense suggests that most infections are web-borne, coming from top 100 web properties, either compromised via the likes of an SEO Script Injection Attack or by simply using free accounts to host malware on sites like googlepages, blogspot, or rapidshare. As much as 29 percent of malicious Web attacks included data-stealing code. <BR><BR>These figures tell us that you cannot trust new and unknown components on the web, even if your favorite anti-malware scanner does not flag them. But what you can do is enforce rules of what is allowed. You can trust people, companies, signature models, your grandmother if you wish, but you need to have a trust model. Letting just about anything execute is a recipe for disaster. It is Marcus Ranum's <a href="http://www.ranum.com/security/computer_security/editorials/dumb/">"Default Deny"</a> policy. 
f1397696-738c-4295-afcd-943feb885714:6184 Infections of Good Web Sites on the Rise, Time to Change Strategy http://blog.bit9.com/bid/6183/Infections-of-Good-Web-Sites-on-the-Rise-Time-to-Change-Strategy Ellen Messmer of Network World has <a href="http://www.networkworld.com/news/2008/072908-security-report.html?page=1" mce_href="http://www.networkworld.com/news/2008/072908-security-report.html?page=1 ">interviewed</a> Stephan Chenette, manager of the Websense Security Labs. He said that "Sixty percent of the 100 most-popular Web sites have been hosting malicious code or inadvertently distributing it." Even more disturbing is that "75% of malicious Web sites in general are actually legitimate Web sites that are compromised." That's a huge jump from last year when Websense surmised that number stood at 51% and a testament to the effectiveness of SQL Injection attacks. <BR><BR>Quite a few popular Web sites were listed as inadvertently hosting malicious code during the last half of 2008 including CNET.com, MSNBC.com, ZDNet.com, Wired.Com, News.com, Yahoo.com, Excite.com and perl.com. <BR><BR>Not much detail was given, but it was cited that banner ads distributed by Yahoo's network were used for malicious code. If you look at comScore's Ad Network June propagation <a href="http://www.comscore.com/press/release.asp?press=2339" mce_href="http://www.comscore.com/press/release.asp?press=2339">report</a>, this can indeed be eyebrow-raising. The top five ad distribution networks (AOL, Yahoo, Google, <a href="http://www.specificmedia.com/" mce_href="http://www.specificmedia.com">SpecificMedia</a>, <a href="http://www.valueclick.com/" mce_href="http://www.valueclick.com/">ValueClick</a>) each have a reach of over 75% of 190M unique Internet users tracked by comScore. <BR><BR>We need better protection from injections against trusted web sites and trusted advertising networks. 
All web based exploits require writing of payload to your local file system, be it rootkit or trojan components. These elements are unknown and unwanted. Any Application Whitelisting solution will be able to help you in determining which files are new and unknown. That should be our model for defending ourselves against increasingly complex web-based attacks. It will not be long before web-based attacks migrate inside of Flash and Flex widgets and start heavily using AJAX technologies. f1397696-738c-4295-afcd-943feb885714:6183 Pro-Active Protection: The more you ask the worse it gets http://blog.bit9.com/bid/6178/Pro-Active-Protection-The-more-you-ask-the-worse-it-gets <P>Microsoft luminary Vinny Gullotto, a fellow Bostonian, talked about the <a href="http://go.microsoft.com/fwlink/?LinkId=119213&clcid=0x409" mce_href="http://go.microsoft.com/fwlink/?LinkId=119213&clcid=0x409">latest findings</a> of his threat response team. A few incredible results were shared, demonstrating just how many infected end points there are. <BR><BR>For example, Gullotto claims that Windows Defender, Microsoft's Anti-Spyware application, finds on average <STRONG>two</STRONG> pieces of unwanted code per machine. The program runs on 62M machines! But that's not all. His team has performed <STRONG>42M disinfections</STRONG> over the last 6 months, claiming that <STRONG>each day</STRONG> 15M pieces of malicious code execute successfully. Even though most of their tracked end points belong to the consumer segment, and do not represent a corporate end point, these are very sobering statistics. <BR><BR>This certainly proves time and time again that traditional blacklisting is not rising to the challenge. One can certainly argue that proactive protection would do a better job. Heuristic, HIPS, or Behavioral approaches would certainly be beneficial. Yet, the downside of pro-active protection is its false positives and the ubiquitous user prompts. 
What does an average user do when you ask him or her "Hey there's something potentially malicious or unwanted on your machine. What do you want to do?" The user knows what to do, and the researcher is absolved of any other responsibility. Sounds odd? It does to almost any researcher that I have ever spoken to, but there was no tangible evidence. </P> <P mce_keep="true"> </P><img title="" height="450" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/msft1.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/msft1.png" /><BR>Yet, the latest data available in Microsoft's Security Report shows what we needed to know. Anywhere from 10% to 25% of users ignore warnings that there is something malicious on their machine, that is, if they are given a choice. If you are running an enterprise, these are shocking findings and you wish that you had locked down every one of your personal computers. Application Whitelisting is a better choice here for a concerned IT administrator as it allows him or her to set policies on what types of applications are automatically allowed to run. This set-it-and-forget-it approach makes choices up front and does not require an end user downloading an infected video codec to guess whether a "do you want to block a trojan?" message is real or not. f1397696-738c-4295-afcd-943feb885714:6178 DNS: Where to find Dan Kaminsky's Presentation? http://blog.bit9.com/bid/6471/DNS-Where-to-find-Dan-Kaminsky-s-Presentation In case you hit the empty page on the Black Hat site, and were looking for Dan Kaminsky's presentation, <a href="http://www.doxpara.com/DMK_BO2K8.ppt" mce_href="http://www.doxpara.com/DMK_BO2K8.ppt">here's the presentation</a> that he gave at Black Hat 2008 in Las Vegas. It is titled "Black Ops 2008: It’s The End Of The Cache As We Know It" and available on his blog <a href="http://www.doxpara.com/" mce_href="http://www.doxpara.com">DoxPara</a>. 
f1397696-738c-4295-afcd-943feb885714:6471 Could POS Breaches generate $40B in damages? http://blog.bit9.com/bid/6177/Could-POS-Breaches-generate-40B-in-damages We have written a lot about the need to clamp down POS terminals. Today's news is particularly important as they provide much speculated evidence about the largest case of identity fraud on record. <BR><BR>Right here in Boston, 11 defendants got away with 40 Million Credit Card Numbers, defrauding organizations such as OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies. <BR><BR>How did they do it? Mass Attorney General Michael Mukasey <a href="http://abcnews.go.com/TheLaw/story?id=5520147&page=1" mce_href=" http://abcnews.go.com/TheLaw/story?id=5520147&page=1">explained</a> that defendants used "sniffer" programs to "breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves." This is the first confirmation of the criminal method. We are not talking about simple "Wardriving", but a criminal enterprise designed to steal as much as possible. <BR><BR>And to make the matter worse, 1 of the defendants was double dealing, according to ABC News, as he was involved in the heist and at the same time working with government on other cases. <BR><BR><a href="http://www.freep.com/apps/pbcs.dll/article?AID=http://blog.bit9.com/20080806/BLOG01/80806040/1001/NEWS" mce_href="http://www.freep.com/apps/pbcs.dll/article?AID=http://blog.bit9.com/20080806/BLOG01/80806040/1001/NEWS">People</a> speculated for awhile that most of the losses were caused by simple <a href="http://blog.bit9.com/" mce_href="">Wardriving</a> or sniffing poorly secured networks for credit card data in transit. 
This may sound plausible in Dave & Buster's <a href="http://abcnews.go.com/TheLaw/FedCrimes/story?id=4838930&page=1" mce_href="http://abcnews.go.com/TheLaw/FedCrimes/story?id=4838930&page=1">case</a> which allegedly involved some 5,000 credit cards (even though it is not true). But it could never explain the theft of 40M credit card numbers. <BR><BR>It turns out that it was all the work of a single gang that, at least in the case of Dave & Buster's, installed the "packet sniffer" software directly onto Dave & Buster's computers and intercepted networked computer transmissions of 11 cash registers over 4 months, yielding 5,100 credit cards. 675 "good numbers" were used to generate $600K of damages. <BR><BR>If 5K stolen credit cards can generate $600K, then 40M stolen credit cards could easily generate $40B in damages. That's <a href="http://www.usatoday.com/money/industries/banking/2008-03-17-bear-stearns-bailout_N.htm" mce_href="http://www.usatoday.com/money/industries/banking/2008-03-17-bear-stearns-bailout_N.htm">more</a> than the federal bailout of Bear Stearns. <BR><BR>These kinds of breaches could seriously undermine the global economy if left unchecked. POS entry points, as well as all the systems involved in handling of personal financial data, have to be locked down, ensuring that only allowed applications run, with "sniffing" software safely blocked. Anti-Malware suites are not designed to help in these scenarios as "sniffing" software can be a useful tool in the hands of IT administrators, and yet deadly in the hands of criminals. f1397696-738c-4295-afcd-943feb885714:6177 Top Bad Behaviors and Whitelisting http://blog.bit9.com/bid/6176/Top-Bad-Behaviors-and-Whitelisting With the advent of Application Whitelisting, behavioral approaches to security gain new prominence. It is much easier to determine a bad behavior when you have removed all the known good suspects from the line-up. 
ISS <a href="http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf" mce_href="http://www- 935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report- 2008.pdf">Mid-Year report</a> reports that the <B>Top Bad Behavior</B> is, to no surprise, the dropping of a file into the Windows/System folder. <BR><BR>Why is this important? Windows/System folder is reserved for known good elements, your system device drivers. All files there should have been placed by the Operating System or any of its trusted derivatives. Even more so, under Vista, and in the ideal world, all of those components should be signed to run. <BR><BR>So it is absolutely correct to conclude that if an unknown device driver is ever placed in the Windows/System folder, it should be treated as unwanted if not malicious. Modern Behavioral approaches utilizing Application Whitelisting or a complete lockdown of a system where no unauthorized software is allowed to run are the proper solutions. f1397696-738c-4295-afcd-943feb885714:6176 PDOS and Trustworthy Computing http://blog.bit9.com/bid/5922/PDOS-and-Trustworthy-Computing In this Brave New World, fads fade quickly. For example, we have been accustomed to ignoring DDOS attacks. Organizations like <a href="http://www.yahoo.com/" mce_href="http://www.yahoo.com">Yahoo</a> and anti-spam heavyweight <a href="http://www.spamhaus.org">SPAMHAUS</A> seem to be <a href="http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201807222" mce_href="http://www.informationweek.com/news/internet/showArticle.jhtml? articleID=201807222">continuously</a> under attack. In one of the more recent instances, it took a coordinated ISP effort to reverse the bot net armies and tell them to shut up for an instant to stop the attack. <BR><BR>But now we wake up to a new type of problem, courtesy of friendly faces at Hewlett Packard. (By the way, it would be nice to hear more on their security strategy). 
Welcome <a href="http://www.darkreading.com/document.asp?doc_id=154270&WT.svl=news1_1" mce_href="http://www.darkreading.com/document.asp?doc_id=154270&WT.svl=news1_1">PDOS</a>, or permanent denial of service attacks. This type of attack claims that botched firmware updates can permanently destroy hardware beyond repair. There are still quite a few embedded solutions that do not require authentication for firmware updates. These are obviously the most vulnerable. Actually, it has been like that as long as we can remember and no one has attempted to truly exploit this vector. The infinite variety of hardware platforms and firmware must have something to do with it. Does anybody remember this old <a href="http://www.linux.com/articles/32318" mce_href="http://www.linux.com/articles/32318">article</a>? It is about software killing hardware, relevant but not cataclysmic. <BR><BR>Yet, the beauty behind a PDOS attack, according to HP, is that it is much cheaper. A single attack can easily knock down your entire infrastructure. You do not need to continue paying bot herders their outrageous fees. Or not, depending on your point of view, as bot rental fees become dirt cheap. Should we say they are pegged to the market? <BR><BR>One thing that seems a natural solution is that all firmware updates as well as all OS updates need to be validated and only installed from trusted sources. Trusted Computing Group has spent years working on various plumbing to make this exercise fully feasible. We are looking forward to seeing Application Whitelisting being overlaid as the controlling element of what is a trusted firmware or trusted OS update. 
f1397696-738c-4295-afcd-943feb885714:5922 Check Out Gotuit at Digital Hollywood Building Blocks Next Week http://digitalsmiths.com/node/477 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Jul 31st, 2008 03:44 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>If you are interested in hearing our perspective on metadata and how it vastly improves a publisher’s ability to monetize their content, you are in luck.</p> <p>Gotuit’s President & CEO Mark Pascarella will speak at the <a href="http://www.digitalhollywood.com/BuildingBlocks.html" target="_blank">Digital Hollywood - Building Blocks 2008</a> conference next week in San Jose, CA. He will be on the panel: “Video Metadata Revolution: Unleashing the Value of Video Programming in an On Demand World” on Thursday, August 7th at 2:15pm.</p> </div> <div> <a href="http://digitalsmiths.com/node/477">Continue Reading...</a> </div> 477 at http://digitalsmiths.com What do Burritos have to do with Software Assurance? http://blog.bit9.com/bid/6092/What-do-Burritos-have-to-do-with-Software-Assurance Here's one of the most brilliant illustrations of a principal software assurance problem. It is a story of a lonely burrito, and what do we really know about software in our environment? 
It was created by Brian Chess, Chief Scientist and Founder at <a href="http://www.fortify.com/" mce_href="http://www.fortify.com">Fortify Software</a> for the May meeting of <a href="https://buildsecurityin.us-cert.gov/swa/forum_May_2008.html" mce_href="https://buildsecurityin.us-cert.gov/swa/forum_May_2008.html">Software Assurance Forum</a>. The full presentation can be found <a href="https://buildsecurityin.us-cert.gov/swa/downloads/chess_risk_mgmt_success.pdf" mce_href="https://buildsecurityin.us-cert.gov/swa/downloads/chess_risk_mgmt_success.pdf">here</a>. It does an amazing job of telling the story. <BR><BR>So what do we do when we are presented with a tasty burrito? We can wonder if it is really a burrito. What is it filled with? These are easy tasks. Unwrap the tortilla and the ingredients, although mixed, will be self-evident. But does it taste good? Easy task, try the burrito and determine if you want to proceed. Yet, it is not possible to easily tell where this burrito has come from. <BR><BR> <TABLE cellSpacing=0 cellPadding=0 border=0> <TBODY> <TR> <TD><img title="" height="452" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/burrito1.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/burrito1.png" /> </TD> <TD><img title="" height="451" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/burrito3.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/burrito3.png" /> </TD></TR> <TR> <TD><img title="" height="450" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/burrito2.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/burrito2.png" /> </TD> <TD><img title="" height="453" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/burrito4.png" width="600" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/burrito4.png" /> 
</TD></TR></TBODY></TABLE><BR><BR>The burrito is a wonderful analogy for a software application. How often do we find an application on our system that looks and feels like an application, but we do not know what to do with it? If it is an installer, we can install it (hoping it is not malicious) or we could do a bit of reverse engineering to probe the internals. Then, if still curious, we could get a taste for its behavior by running it. But we still will not know where that software application has come from, barring the existence of a digital certificate. <BR><BR>Bit9's Global Software Registry helps you with just that, being able to tell where files and software are coming from. It is not information that is extracted from the software itself, but matched against a trusted central repository, which by using cryptographic hashes, the digital world's equivalent of DNA matching or RFID scanning, can accurately determine where a piece of software has come from. f1397696-738c-4295-afcd-943feb885714:6092 Defcon's Race2Zero contest and Whitelisting http://blog.bit9.com/bid/6088/Defcon-s-Race2Zero-contest-and-Whitelisting <P>Defcon is next week. <a href="http://www.racetozero.net/" mce_href="http://www.racetozero.net/">Race2Zero</a> is Defcon's contest that will attempt to create new strains of malware in order to test security capabilities of Anti-Malware products. Setting aside fears that some of these strains could be released to the public, it is an ethical question: Should malware be created for fun and games?<BR><BR>All malicious samples should be treated equally, as they could all be potentially released at one time or another, by malicious intent, by a data breach or by mistake. Yet using artificially created samples to test products that were built to protect from threats in the wild is not a reasonable study or contest of any kind. 
It is no secret that anti-malware solutions have their weak points, and pointing them out with bogus examples does not make them any better or the public any safer, in my opinion.<BR><BR>The problem resides in the limited space each anti-malware solution needs to reserve for signatures of truly virulent and prevalent malware samples. Filling signature databases at the end point with thousands upon thousands of signatures for "fun" experiments is not a very good use of time for those few malware analysts and it certainly adds to the performance burden end user experiences. <BR><BR>From the perspective of our Global Software Registry, however, we are looking forward to receiving the Race2Zero samples. If it has been created to run on a computing machine, for fun, profit, game or by mistake, it should have its reputation assessed and we will be doing that. Such information is then of paramount value to any end user, researcher or automated process that may stumble upon it. </P> <P>On the issue of whether we should be scanning on the endpoint -- the samples created in the lab are few. Because of this, we should not burden the endpoint. But there is no reason not to hammer a database index in-the-cloud as there we are not limited by space and performance constraints of a personal computer. Bit9's Global Software Registry functions in the cloud just fine with almost 7B entries. Comparatively, a typical Anti-Malware Suite keeps a 1-2M entry index on each computer. <BR><BR><a href="http://www.cuil.com/" mce_href="http://www.cuil.com">Cuil.com</a> launched on Monday demonstrating that it is possible to keep <a href="http://news.cnet.com/new-search-engine-cuil-takes-aim-at-google/" mce_href="http://news.cnet.com/new-search-engine-cuil-takes-aim-at-google/">extremely large</a> indexes when necessary. They claim to have a 120B entry index, three times the size of Google's. <BR><BR>In security, we have been afraid for way too long of technical complexity. 
It is time to embrace it. And put it in its proper place. </P> f1397696-738c-4295-afcd-943feb885714:6088 From unsecured POS terminals to Identity Theft http://blog.bit9.com/bid/5921/From-unsecured-POS-terminals-to-Identity-Theft <P>It is amazing that all of the recent attacks against Point of Sale (POS) terminals share similar parameters -- these attacks were done by unauthorized applications that do the dirty work. <a href="http://news.cnet.com/8301-10789_3-9965670-57.html?hhTest=1" mce_href="http://news.cnet.com/8301-10789_3-9965670-57.html?hhTest=1">73% of attacks</a> come from outside of the organization, with Eastern Europeans focusing on getting to the data available through our POS systems. A full Verizon Business <a href="http://www.verizonbusiness.com/resources/security/databreachreport.pdf" mce_href="http://www.verizonbusiness.com/resources/security/databreachreport.pdf">report</a> is available summarizing some 500 data breach investigations that the company has done over the past few years. The majority of the attacks use a "foothold" -- a Trojan, bot or a persistent exploit to grab the data. <BR><BR></P> <P>More disturbing, the recent Identity Theft Resource Center <a href="http://www.idtheftcenter.org/artman2/publish/headlines/pridtheftaftermath2007.shtml" mce_href="http://www.idtheftcenter.org/artman2/publish/headlines/pridtheftaftermath2007.shtml">report</a> says that 82 percent of victims learned about the breach from their creditors or, worse, collection agencies. Going down the path of shame -- 62 percent of the respondents to the ITRC survey reported that thieves had committed crimes, such that warrants were issued in the victim's name. That should really be a rallying call for all of us. </P> <P mce_keep="true"> </P> <P>The interesting thing is that most of these attacks could have been prevented by simply locking down the perimeter servers or Point of Sale terminals that are used as entry points to the network. 
</P> <P>One of the new ways to do this is to employ Application Whitelisting, which can clearly articulate what types of software are trusted, e.g. signed by your department or your trusted set of vendors, so only those trusted applications are allowed to run. <BR></P> f1397696-738c-4295-afcd-943feb885714:5921 North East is a mecca for data theft http://blog.bit9.com/bid/5920/North-East-is-a-mecca-for-data-theft It seems that hackers love attacking the North East. First the <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008599" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008599">TJX Breach</a>, then the Hannaford Brothers, and <a href="http://www.timesargus.com/apps/pbcs.dll/article?AID=http://blog.bit9.com/20080401/NEWS02/804010390/1003/NEWS02" mce_href="http://www.timesargus.com/apps/pbcs.dll/article?AID=http://blog.bit9.com/20080401/NEWS02/804010390/1003/NEWS02">now</a> the Okemo Mountain Resort in Vermont and <a href="http://archive.theday.com/store/itm.aspx?re=db24b0a7-c2c2-47ce-b7f4-22359e8d7e66&itm=art" mce_href="http://archive.theday.com/store/itm.aspx?re=db24b0a7-c2c2-47ce-b7f4-22359e8d7e66&itm=art"></a>in Connecticut. Even <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338">Dave & Buster's</a> has locations in Rhode Island and New York. These targets are very lucrative places for credit card numbers, as New Englanders seem to be quite wealthy to various Russian, Ukrainian and Estonian eyes. Law enforcement reported at least 50 such investigations in the <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338&pageNumber=2" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338&pageNumber=2">North East alone!</a> 
It is imperative to employ Application Whitelisting in locking down attack beach heads - the point of sale machines -- to turn the tide. f1397696-738c-4295-afcd-943feb885714:5920 Application Whitelisting solves problems that Anti-Malware products never will http://blog.bit9.com/bid/6021/Application-Whitelisting-solves-problems-that-Anti-Malware-products-never-will Courtesy of our friends at PCTools came <a href="http://blog.threatfire.com/2008/07/whitelists-killed-av.html" mce_href="http://blog.threatfire.com/2008/07/whitelists-killed-av.html">this</a> interesting piece, and all correct. Video didn't kill the Radio Star. They all lived happily ever after. The goal of combining whitelisting with blacklisting is always to combine the best of the breed solutions and utilize them for the maximum effect. <BR><BR>Whitelisting can do wonders to improve, speed up and scale the Anti-Malware solutions of tomorrow. Everybody is getting on this bandwagon: Kaspersky, Symantec, Trend Micro, PCTools and others. Robert Vamosi explains well these <a href="http://news.cnet.com/8301-10789_3-9994679-57.html" mce_href="http://news.cnet.com/8301-10789_3- 9994679-57.html">recent approaches</a>. <BR><BR>What is not talked about in this context is the power of Application Whitelisting to replace Anti-Malware solutions altogether. Tom Murphy <a href="http://news.cnet.com/8301-12640_3-9994660-91.html" mce_href="http://news.cnet.com/8301-12640_3- 9994660-91.html">talks about this</a>. Bit9's customers have found out that there are scenarios where pure Application Whitelisting is sufficient to secure the endpoint. For example, any organization that has attempted to secure and control approved software images can take advantage of Application Whitelisting and endpoint lockdown. Point-Of-Sales (POS) terminals, servers, trading stations, single purpose virtualized sessions and almost anything that is not a "personal" computer or a laptop can safely be locked down. 
They should not be able to run P2P applications, games, or Trojans. f1397696-738c-4295-afcd-943feb885714:6021 Dangers of Firmware as a Mini-OS http://blog.bit9.com/bid/6002/Dangers-of-Firmware-as-a-Mini-OS <P><img title="" height="618" alt="" hspace="0" src="http://web.bit9.com/Portals/447/images/password.jpg" width="545" align="top" vspace="5" border="0" mce_src="http://web.bit9.com/Portals/447/images/password.jpg" /> </P> <P>As security moves into hardware, network cards, hard drive firmware and motherboards are starting to look more and more like mini-Operating Systems. This is the opposite direction from where the <a href="http://www.transmeta.com/">TransMeta</a> promise would have taken us. <BR><BR>But from the security perspective, it appears that the security infrastructure that we have been building so far will be useless as well. This is something that is already happening with Virtualized Environments as people are expecting new tools and new technologies to be developed. <BR><BR>We can expect hardware components to be owned, participate in distributed attacks and permanently shut our ability to easily recover already at the hardware level. <BR><BR><B>How often would you be patching your firmware embedded web browser?</B> <BR><BR>More software complexity will expose more bugs, more vulnerabilities, and will bring in more third party code to erstwhile monolithic code bases. It will be interesting to watch firmware performing automatic over-the-web updates. I wonder how it will inform the user of the impending system reboot request. Let's assume for the moment that the time of trivial protections against random firmware flashing and <a href="http://www.darkreading.com/document.asp?doc_id=154270&WT.svl=news1_1">PDOS</a> attacks is over. 
<BR><BR>Intel's Centrino Active Management, built a web server into your motherboard, allowing you to quite easily override the behavior of your hardware, firewall rules, etc., even when the machine is powered off. This is all quite alarming on the <a href="http://www.mail-archive.com/cryptography@metzdowd.com/msg07606.html">Cryptography mailing list</a>. <a href="http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/2/">Ivan Krstic</a>, one of the most influential security minds according to eWeek, has been quite severe in his <a href="http://first.org/conference/2008/program/presentations.html#t14">keynote</a> address at the FIRST 2008 conference in Vancouver. Obviously, all the rage is over advanced "features" that are now accessible to anyone even when the machine is powered off. I bet Ivan hasn't read Eric Filiol's <a href="http://www.virusbtn.com/virusbulletin/archive/2008/07/vb200807-memory-persistence">piece</a> from July's edition of VirusBulletin that talks about accessing RAM when the machine is powered off. Yes indeed, data continues to persist. Let's welcome a new set of spy movies. <BR><BR>From the Application Whitelisting perspective, this is a worthy opportunity, since who will not want to have the firmware image locked down? You just want the trusted components and their updates to reside in the hard to reach depths of your hardware. But to get there, we need to start promoting some basic standards and procedures. For example, <a href="http://www.embedded.com/columns/breakpoint/17500630?_requestid=144720">this</a> still seems to be quite relevant. For purpose built operating systems, firmware images and appliances, a control harness that limits the built-in OS to do only what it should, has to be a priority from the security aspect.</P> f1397696-738c-4295-afcd-943feb885714:6002 Does whitelisting kill AV? 
http://blog.bit9.com/bid/6003/Does-whitelisting-kill-AV <P>This was a particularly well thought out blog post from <a href="http://blog.threatfire.com/2008/07/whitelists-killed-av.html" mce_href="http://blog.threatfire.com/2008/07/whitelists-killed-av.html">Threat Fire</a> on whether whitelists will kill AV or work with them. It is a response to CNET writer Robert Vamosi's article  <a href="http://news.cnet.com/8301-10789_3-9994679-57.html?hhTest=1" mce_href="http://news.cnet.com/8301-10789_3-9994679-57.html?hhTest=1">Defense in Depth</a> column on whitelisting that quotes Bit9 CEO <a href="http://www.bit9.com/about/executive-team.php" mce_href="http://www.bit9.com/about/executive-team.php">Patrick Morley</a>. The Threat Fire writer talks about AV and whitelisting working together, with AV eventually - in the future -  becoming commoditized (JAMPoJ if you like silly jargon). When the writer talks about the whitelisting solutions sitting beside the "more exposed" whitelisting ones, I take it to mean that whitelisting will be the first line of defense at the endpoint - stopping malware and unauthorized software from running. In terms of when this will happen, there is  the ideal and then there is the real. When it comes to innovative technology like whitelisting, it will not be a wholesale change, but a more gradual one as the Threat Fire writer said. </P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:6003 Best security practice for POS terminals http://blog.bit9.com/bid/5919/Best-security-practice-for-POS-terminals Thinking back about Dave & Buster's <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338">breach</a>. 
People are saying that protocol obfuscation made possible by vendors like <a href="http://www.arxan.com/" mce_href="http://www.arxan.com">Arxan</a>, <a href="http://www.vilabs.com/" mce_href="http://www.vilabs.com">VI Labs</a> and <a href="http://www.cloakware.com/" mce_href="http://www.cloakware.com">Cloakware</a> would fix these flagrant theft attempts. Dave & Buster's & Hannaford Bros data was stolen because their wireless data was being transmitted in the clear. What has not been told is that systems were compromised with backdoors and unauthorized sniffing software. Had that not been the case, attackers would not have had the chance to get to the data in the first place. This is the ancient debate of should I secure the network or the endpoint?  I would argue that you need to do both. Endpoint systems like POS terminals have to be pristinely clean. Application whitelisting helps here immensely. Imagine, what could be the purpose of unauthorized components on such a system? f1397696-738c-4295-afcd-943feb885714:5919 Not locking down POS terminals should be a crime http://blog.bit9.com/bid/5918/Not-locking-down-POS-terminals-should-be-a-crime <P>Every other week unchecked POS systems end up costing organizations dearly. Credit card number from only one of Dave & Buster's restaurants rung as much as <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085338">$600,000 in unauthorized charges</a>. The culprit was unauthorized network sniffing software. This sounds very similar to Hannaford Brothers <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068999" mce_href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068999">scenario</a>. 
How much of card members' money needs to be spilled before users of POS systems realize that their devices are not meant for surfing the internet and playing games?  They should rather be machines whose configuration needs to be locked down. </P> <P> Even more so, Peter Tippett, VP at Verizon Business, <a href="http://www.darkreading.com/document.asp?doc_id=134833" mce_href="http://www.darkreading.com/document.asp?doc_id=134833">claims</a> that 45% of all breaches have a POS element. He would know, as Verizon Business is the exclusive forensics investigator for the credit card industry when these breaches happen. </P> <P>Not to boast of our own successes, but everyone should look up to what Marks & Spencer is <a href="http://www.retail-week.com/Technology/2008/07/ms_to_up_pos_security_with_system_rollout.html" mce_href="http://www.retail-week.com/Technology/2008/07/ms_to_up_pos_security_with_system_rollout.html">doing</a> in the UK. All POS systems need to be locked down with application whitelisting products like Bit9 Parity. </P> f1397696-738c-4295-afcd-943feb885714:5918 Blacklisting and Whitelisting will Co-Exist http://blog.bit9.com/bid/5915/Blacklisting-and-Whitelisting-will-Co-Exist We couldn't agree more with Carl Weinshenk in his piece on <a href="http://www.itbusinessedge.com/blogs/top/?p=322" mce_href="http://www.itbusinessedge.com/blogs/top/?p=322">Malware Protection</a>. Blacklisting and Whitelisting will co-exist. Questions of whether something is good or bad, good for me or bad for me, are part of the same continuum of the same curiosity about files and applications that cannot and should not operate in a vacuum. It is obvious that someone would want to know that an unapproved or unauthorized piece of software is in fact malicious. Similarly, it is of paramount value to offer the user the comfort of knowing that a suspicious piece of code on your machine (e.g. svchost.exe) is in fact a legitimate part of your Windows OS distribution. 
f1397696-738c-4295-afcd-943feb885714:5915 Looking closer at the malware statistics http://blog.bit9.com/bid/5821/Looking-closer-at-the-malware-statistics   <P>Ever since Symantec CEO John Thompson's <a href="http://media.omediaweb.com/rsa2008/mediaplayerVO.htm?speaker=1_6" mce_href="http://media.omediaweb.com/rsa2008/mediaplayerVO.htm?speaker=1_6">keynote</a> at the RSA Conference this past April, there have been several stories that quote statistics claiming that there is more malware produced than bona-fide good code.  At first it sounds quite alarming: have the bad guys won?  Do bad citizens outnumber the good ones?  As most of us do not believe such alarmist hoopla, these claims merit some looking into.  There may be more and more criminals focusing on Internet theft out there, as the population grows and the opportunities for cyber crime increase.  However, it is questionable whether there is actually more malware produced than good software.</P> <P mce_keep="true"> </P> <P>The <a href="http://www.bit9.com/products/gsr.php" mce_href="http://www.bit9.com/products/gsr.php">Bit9 Global Software Registry</a> database grew 300% in 2007.  What we have seen, by collecting the world's software in this database and cataloguing it, is that the amount of malware has only doubled in that same period, based on the most aggressive of reports.  This leads me to believe that there is not more bad software out there than good software. </P> <P mce_keep="true"> </P> <P>Yet, the story of faulty statistics keeps being retold. In <a href="http://www.infoworld.com/article/08/04/08/Web-users-in-malware-crosshairs_1.html" mce_href="http://www.infoworld.com/article/08/04/08/Web-users-in-malware-crosshairs_1.html">InfoWorld</a>, the reporter quoted Thompson as saying there was more malware than good software. 
In <a href="http://www.computerworld.com.au/index.php/id;1984444675;fp;16;fpid;1" mce_href="http://www.computerworld.com.au/index.php/id;1984444675;fp;16;fpid;1">ComputerWorld</a> it was written that only in one month more than 54,000 new applications were discovered (BTW, Bit9 discovered more applications in a single day).  The story said the majority of them were malicious and it attributed the data to Symantec's Community Watch.  What we are not told in this story is that this system is looking only at new and suspicious applications among Symantec Enterprise customers.  And it is ignoring all other uninteresting but good applications.  Think about suspicious apps as something a HIPS or a Behavioral engine would detect.  Does this mean that Symantec's Community Watch approach to discovering malware yields as much as 50% of false positives?  </P> <P mce_keep="true"> </P> <P>What is clear, is that there is a significant growth in the quantity of malicious software, as all anti-virus vendors and analysts have spoken about. In fact, <a href="http://www.gartner.com/it/page.jsp?id=594029" mce_href="http://www.gartner.com/it/page.jsp?id=594029">Gartner</a> analyst Peter Firstbrook called it the "explosion of the malware universe" recently at the Gartner IT Security Summit Conference in Washington, DC.  The most important takeaway here is that to keep up with this flood of malware, a new set of tools is required.  Existing products will not suffice for much longer, as the industry and analysts are painfully aware, and as such there will be more and more stories and technologies exploring approaches, including <a href="http://www.bit9.com/" mce_href="http://www.bit9.com">whitelisting</a>.</P> <P mce_keep="true"> </P> <P mce_keep="true"> </P> f1397696-738c-4295-afcd-943feb885714:5821 What is Application Whitelisting? http://blog.bit9.com/bid/5761/What-is-Application-Whitelisting What is Application Whitelisting?<BR>It's antivirus turned on its head. 
It's looking through the opposite end of the lens. It's the opposite of blacklisting.<BR>Instead of playing the 1980's game "Whack a Mole" where the mole keeps popping up and you're constantly behind trying to bop the little toy on the head - people do odd things for fun - you decide who are the good moles and then open the holes for only those good ones.<BR>Instead of putting US air marshals on every airplane to look for the bad guys who are already on, you secure the gate better and let only the good guys onto the plane. f1397696-738c-4295-afcd-943feb885714:5761 NFL Draft FilmRoom. Analysis by SI. Powered by Gotuit. http://digitalsmiths.com/node/478 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Apr 23rd, 2008 03:48 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>With the NFL Draft coming up this weekend, it is a great time for you to check out our latest FilmRoom with Sports Illustrated. SI secured video highlights of the top 200 collegiate football players in the country, and then used Gotuit’s patented technology to present those highlights in multiple ways, recognizing that their visitors have different reasons for coming to the site.</p> </div> <div> <a href="http://digitalsmiths.com/node/478">Continue Reading...</a> </div> 478 at http://digitalsmiths.com Are You Ready for Enterprise Application Whitelisting? 
Part 5 http://blog.bit9.com/bid/4349/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-5 <p>Welcome to my final posting in a series entitled "Are You Ready for Enterprise Application Whitelisting?" I hope these little snippets have been helpful and have assisted you in determining if your IT organization is mature enough to consider whitelisting - and if you would be able to take advantage of its benefits.</p><p> </p><p>Today's post is one that I've seen many IT groups struggle with first-hand. It has to do with the complexity of modern security products and how much training they seem to require today. Lots of IT administrators simply are not equipped to effectively manage these overly-complicated security policies. Which leads us straight to the question:</p><p> </p><p><b>Question 5: </b>Is the security expertise required by endpoint protection suites too much?</p><p> </p><p>Think about that one for a minute and ask yourself a few questions:</p><p> </p><ul><li>Do you run an advanced desktop security suite that includes antivirus, personal firewall, HIPS, and other components?</li><li>If not - why? What's holding you back?</li><li>If so - are you really using all the components?</li><li>If you aren't using everything - why did you buy such a comprehensive piece of software and not use it to full effectiveness?<br></li></ul><p> </p><p>The answer is almost always that most IT organizations simply are not ready or don't contain the skillsets to run and operate an advanced security tool that forces you to define cross-product policies that account for malicious behavior patterns and multi-layered protection schemes.</p><p> </p><p>IT organizations have always been great at deploying AV because all they had to do was make sure that the AV package was installed and up-to-date. 
They didn't have to decide what was secure and what wasn't.</p><p> </p><p>But operating a HIPS solution or even a personal firewall today requires the operations team to be making decisions about the security policy that will have dramatic impacts on the ability for the organization to actually protect its systems and its data.</p><p> </p><p>Usually what happens is the IT group gets one of these advanced desktop security products and then doesn't deploy it. So they've increased costs and decreased security, all at the same time.</p><p> </p><p>If you are one of these people then you are absolutely ready to look at application whitelisting. Because with whitelisting, there are no complex security policies to understand. Simply choose the applications that your business should be running. Nothing else gets in. </p><p> </p><p>If an application is found to contain a vulnerability - ban it. If an application fails to pass some basic security screens, stop it from being able to run. If you don't know what an application is, you never have to be concerned about judging its behavior because it simply will not be able to execute.</p><p> </p><p>An application that can't execute can't do any damage.</p><p> </p><p>I hope you've enjoyed these postings on application whitelisting and I really hope that you've learned something from it. We've learned a tremendous amount from our customers and what's enabled them to make the transition to a whitelisting environment. Now it's your turn to ask yourself one more time: <b>are you ready for enterprise application whitelisting?</b><br></p> f1397696-738c-4295-afcd-943feb885714:4349 Are You Ready for Enterprise Application Whitelisting? Part 4 http://blog.bit9.com/bid/4348/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-4 <p>Welcome to Part 4 of my series on "Are You Ready for Enterprise Application Whitelisting?" 
Lots of people have been reading about application whitelisting - or at least wondering if there are easier ways of protecting endpoints than removing administrative rights - and are trying to figure out if now is the time to take a look at whitelisting.</p><p> </p><p>So I'm presenting a number of questions that you can ask yourself to evaluate if you are in fact ready for whitelisting. And today we're going to talk about your users. Because if you have ever tried to remove administrative rights from users you know that it's an all-or-nothing proposition. </p><p> </p><p>This leads us to the next question you can use to determine if you are in fact ready for enterprise application whitelisting:</p><p> </p><p><b>Question 4: Do your users need flexibility (you can't lock them down too tightly)?</b></p><p><b><br></b>Let's talk a little more about removing admin rights from Windows computers. The motivation for doing this is because presumably users who can control the administrative aspects of their PCs are more likely to mess them up and get into trouble. Furthermore, any malware that may start running on the PC would be running with the privileges of the user, and if that was not at an administrative level the malware would be much less likely to inflict serious damage on the machine.</p><p> </p><p>But because of the way that admin rights are implemented and managed in Windows, you practically are left with a very limiting and very inflexible choice. 
Either: </p><p> </p><p> </p><ol><li> You can remove administrative rights from your users but every time they need to make a change you have to send an IT admin to their desks to help them, or</li><li>You can't remove administrative rights because of legacy applications or cultural issues, and they can do anything they want to their PCs.</li></ol><p> </p><p>Most companies will assess each department individually to decide if the costs of supporting installations (#1 above) are higher or lower than the costs of managing, cleaning, and protecting against malware and unauthorized software (#2 above). On average, companies put about 75% of their users in bucket #1 and remove admin rights, leaving the other 25% of users in bucket #2, with admin rights.</p><p> </p><p>But these results really aren't practical and don't meet the goals of the organization. Because IT needs more flexibility. And users need more flexibility. Why should a user who is locked down not be allowed to install the Adobe Acrobat Reader themselves if that is a well-known, trouble-free, and perfectly reasonable application to install? Why does IT need to get involved every time that happens?</p><p> </p><p>The truth is: they don't. They shouldn't. Your protection strategy should be more flexible than that, and that is exactly where whitelisting comes in. Authorize users to install specific apps. Nothing else gets through.</p><p> </p><p>If your users' behaviors and needs are complex... if you don't want to be babysitting them every time they need a simple non-standard installation done... then you are probably ready to look at enterprise application whitelisting. </p> f1397696-738c-4295-afcd-943feb885714:4348 What Do Apple, Adobe, Microsoft, and Gotuit Have In Common? 
http://digitalsmiths.com/node/479 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 27th, 2008 12:55 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Answer - we each have products that were selected, along with six other companies, in the 2008 Streaming Media Editor’s Picks. This annual list, recently published in the 2008 Streaming Media Industry Sourcebook and online at streamingmedia.com <a href="http://www.streamingmedia.com/Articles/ReadArticle.aspx?ArticleID=65092" target="_blank">here</a>, highlights “the top ten products and services in the streaming and online video industries in the last year.”</p> </div> <div> <a href="http://digitalsmiths.com/node/479">Continue Reading...</a> </div> 479 at http://digitalsmiths.com Are You Ready for Enterprise Application Whitelisting? Part 3 http://blog.bit9.com/bid/4346/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-3 <p>I'm writing my third posting in a series called "Are You Ready for Enterprise Application Whitelisting?" The purpose of these posts as I've mentioned previously is to help IT people understand if their processes and organization are advanced and mature enough to be ready for implementing whitelisting - and basically only letting software run on corporate PCs that has been pre-authorized.</p><p> </p><p>My previous posts covered a couple questions, including "Is your IT staff stretched too thin?" and "Do you need better auditing, reporting, and compliance?" 
Both of these questions are related to the needs of the organization and the services IT provides. But our next checkpoint asks about the maturity of the systems that IT uses to manage PCs. So here it is:</p><p> </p><p><u><b>Question 3: Are adequate software delivery (SMS, WSUS) systems in place?</b></u></p><p> </p><p>So why do we ask this question? Well, the reason is that if you have implemented good, strong processes for delivering software easily and efficiently to desktops, you are pretty much at the point where the next logical step for control would be to whitelist the software on those PCs. </p><p> </p><p>Think about it this way. Most companies' IT processes have matured over the years along a relatively consistent pattern:</p><p> </p><ol><li><b>Provisioning / Imaging: </b>Make it easy to get a standard image of the operating system and core applications when a new PC is issued to an employee, without taking a lot of time. <br></li><li><b>Deployment / Delivery: </b>Get new applications or updates to applications out to all the users without having an army of IT people carry CDs to each workstation one by one.</li><li><b>Patch Management:</b> Every time a new vulnerability or exploit is announced, vendors rush to deliver patches. A smooth patch management process means you don't have to scramble to protect your PCs. </li></ol><p><br>So once you have these three components, you have effectively achieved total control over pushing software out to your PCs. So what's next for you? What are you looking to achieve after control over "pushed software?"</p><p> </p><p>The answer is control over "pulled software." Users will receive their provisioned PCs and use the apps that are pushed to them... but then they will get on the Internet and start downloading their own apps. And as powerful as your software deployment processes are, most organizations cannot reach 100% coverage of the apps that their users need. 
So you have to rely on users being able to download apps for themselves so you don't have to send IT people to every user whenever they need something.</p><p> </p><p>And now you've opened Pandora's box. Because you can't control what your users will install...</p><p> </p><p>... <b>unless you whitelist.</b></p><p> </p><p>Because when you whitelist, you authorize your users to download certain apps, but they can't get whatever they want. This gives you control. </p> f1397696-738c-4295-afcd-943feb885714:4346 Use Metadata To Win Your Office Pool – SI FilmRoom by Gotuit http://digitalsmiths.com/node/480 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Mar 18th, 2008 09:10 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Yesterday, we went live with our latest product with Sports Illustrated – the 2008 NCAA Men’s Basketball FilmRoom, sponsored by RadioShack. This is our sixth video product with SI, with more planned for the upcoming months.</p> <p>Just in time for people filling out their brackets, this SI FilmRoom showcases regular season highlights of the teams in this year’s NCAA college basketball tournament. 
Gotuit metadata presents multiple views into the video library to let the viewer take the path that is most interesting to them.</p> </div> <div> <a href="http://digitalsmiths.com/node/480">Continue Reading...</a> </div> 480 at http://digitalsmiths.com The Ultimate Study Guide - Student-Defined Lecture Remixes http://digitalsmiths.com/node/481 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Feb 22nd, 2008 05:12 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>This week, we were extremely proud to announce our entry into the Educational video market with <a href="http://www.carleton.ca/" target="_blank">Carleton University</a> in Ottawa, Ontario. Carleton University has a long history of using video to augment the students’ learning process, and for the past three years has offered all its courses through its video on demand service.</p> </div> <div> <a href="http://digitalsmiths.com/node/481">Continue Reading...</a> </div> 481 at http://digitalsmiths.com Are You Ready for Enterprise Application Whitelisting? Part 2 http://blog.bit9.com/bid/3908/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-2 <p>This is my second posting in a series that is meant to help you determine if you are ready for enterprise application whitelisting. For the uninitiated, application whitelisting is a method of operating a PC environment that only lets authorized software run. 
That means unless you (as the IT department of a company or an organization) allow an application to run, it is prohibited from executing on a computer.</p><p> </p><p>These days solution providers like Bit9 (the leader in Enterprise Application Whitelisting) are paving the way for companies to implement a whitelisting strategy that is easy and effective - and one that can really have an impact in how you secure your desktops and data.</p><p> </p><p>But many companies are asking themselves: am I ready for application whitelisting? To help answer this, my previous post asked the question <a href="http://web.bit9.com/Home/bid/3873/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-1" mce_href="http://web.bit9.com/Home/bid/3873/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-1">"Is your IT staff stretched too thin?"</a> </p><p> </p><p>Here is the second question you can ask yourself to determine if you are ready for enterprise application whitelisting.</p><p> </p><p><u><b>Question 2: Do you need better auditing, reporting & compliance?</b></u> <br></p><p> </p><p>There has been a veritable explosion in requirements placed on companies to inventory and audit their software environments. Driving these demands are a number of different activities ranging from regulations to industry guidelines to software vendors. 
But one thing is for sure - companies can no longer afford to not know what is happening on their corporate desktops and laptops.</p><p> </p><p>Let's look at a few specific examples of where compliance is being pushed into IT:</p><ul><li><b>PCI Compliance: </b>organizations that accept payment cards including credit cards and debit cards (primarily retail, finance, healthcare, and many more) are subject to these industry requirements to ensure the integrity of any computing system that handles payment card information (credit card numbers, accounts, etc.)</li><li><b>Sarbanes-Oxley: </b>Public companies in the United States must ensure that their financial systems have not been tampered with and the integrity of the financial reporting data remains intact. </li><li><b>HIPAA: </b>Hospitals, physicians, health insurance companies, and other health-related industries are required by law to protect the privacy of patients' information and history, ensuring that only authorized individuals and systems can access any specific information.</li><li><b>Federal Desktop Core Configuration (FDCC): </b>Federal agencies in the United States are now required by the OMB (Office of Management & Budget) to harden their Windows desktops to a very specific and detailed Windows configuration. </li><li><b>Software Vendor Licensing: </b>Large software companies have been stepping up the fight against piracy by conducting large-scale audits of their customers to identify any gap between how many copies of a software product are in use and how many the company had paid for. This often results in an unexpected, but sizeable "true-up."</li><li><b>Computer Forensics: </b>With so much data being produced and transmitted throughout organizations, many are finding it in their interest to create a forensics capability. You can hope you don't need it, but in the case of lawsuits, disgruntled employees, and other unpleasant events, it can be very useful to understand who did what and when. 
</li><li><b>Consolidation: </b>As companies merge and acquire, IT departments end up being responsible for multiple redundant systems. Many of them become forgotten - although the company still pays a heavy maintenance stream. So knowing what is actually in use can reap significant savings in software costs. </li></ul><p> </p><p>What's happening at many companies is that they are finding themselves under the demands of several of these drivers at once. Take as an example a large, public retailer - they will have to adhere to rules and guidelines put forth by the PCI Council, SOX, and their software vendors... maybe others as well.</p><p> </p><p>Precisely because of these overlapping requirements, companies are proceeding along two simultaneous paths:</p><ol><li><b>Simplify the data trail</b> with a single, multi-purpose audit stream.<br></li><li><b>Enforce more, audit less</b> by putting better controls around the desktop that limit policy violations and vastly reduce the data processing involved in demonstrating compliance.<br></li></ol><p> </p><p>Application whitelisting is a critical activity for both of these because having a rich inventory of the applications in use, and being able to prevent unauthorized software from being used can greatly reduce the cost of getting to compliance and systematically proving it on a regular basis.</p><p> </p><p>So if you are under pressure to audit and report on the software in your environment and to prove that your computers are in compliance, you have met criteria #2 for being ready for <b>Enterprise Application Whitelisting</b>. </p> f1397696-738c-4295-afcd-943feb885714:3908 Are You Ready for Enterprise Application Whitelisting? 
Part 1 http://blog.bit9.com/bid/3873/Are-You-Ready-for-Enterprise-Application-Whitelisting-Part-1 <p>Over the past few months we've been reading more and more about how application whitelisting solutions - like Bit9's - may end up becoming the de facto mechanism for securing corporate Windows PCs in the near future.</p><p> </p><p>So let's assume for a moment that yes, application whitelisting is the wave of the future and yes, you will be basing your security strategy on only allowing software that you know and trust to run in your environment. The next obvious question is...</p><p> </p><div align="center"><b> Are you ready for it?</b></div><p> </p><p> </p><p>What can you do to prepare for running an environment where people can only use company-authorized software? In the next few postings I'll present some ways to assess your readiness for enterprise application whitelisting. </p><p> </p><p>Without further ado, here's the first question you can ask yourself to determine if you are ready for whitelisting.<br><b></b></p><p> </p><p><u><b>Question 1: Is your IT staff stretched too thin?</b></u></p><p> </p><p>If you have got an IT staff that is too busy "fighting fires" on users' systems and cleaning up after messy software downloads or ugly malware incidents, you are probably aching to get more control over your desktops. After all - your IT staff's time is too valuable to be spent on every little problem that comes up. There are bigger fish to fry, like when you are going to deploy Windows Vista, or how to consolidate computing resources across the enterprise, or how to achieve PCI, SOX, and HIPAA compliance.</p><p> </p><p>Yet many IT departments simply get behind the 8-ball with respect to their desktop infrastructure. As users' computers age, the software on them drifts so that they look very different from how they looked when they were first provisioned. 
Those inconsistencies cause problems in everything from security to auditability to software licensing costs.</p><p> </p><p>But imagine for a minute what would happen if you could eliminate those inconsistencies. If you could ensure that a software you provisioned did not drift from your original copy of it - and only software you approved or authorized was allowed to run on it.</p><p> </p><p>Wouldn't this make your job so much easier? Wouldn't it reduce the number of problems you have to deal with on a monthly and even daily basis? You bet it would! And customers who have implemented application whitelisting are realizing every day how much more productive they can be when they aren't spending all their time firefighting.</p><p> </p><p>So if you think your IT staff hasn't got the time to address the initiatives it should be... you are probably ready for enterprise application whitelisting! </p><p> </p><p> </p> f1397696-738c-4295-afcd-943feb885714:3873 Gotuit Unleashed - Our Views On Broadband Video http://digitalsmiths.com/node/482 <div> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td align="left" valign="bottom"> <div> <img src="http://digitalsmiths.com/sites/default/files/avatars/picture-3972.png" height="50" /> </div> </td> <td align="left" valign="middle"> <table cellspacing="0" cellpadding="0" border="0" height="50"> <tr> <td height="30" align="left" valign="top"> <div> <div>Patrick Donovan</div> <div>VP Marketing</div></div> </td> </tr> <tr> <td height="20" align="left" valign="bottom"> <div> Posted by patrick on Feb 1st, 2008 02:08 PM</div> </td> </tr> </table> </td> </tr> </table> </div> <div> <p></p><p>Welcome to our first post at Gotuit Unleashed. In this space, we will informally share our views on the best and worst practices to unleashing a video library. Our target audience is anyone in the business of engaging an audience with stored video, across entertainment, education, and enterprise categories. 
This post will give you a quick summary of Gotuit’s approach towards video metadata.</p> </div> <div> <a href="http://digitalsmiths.com/node/482">Continue Reading...</a> </div> 482 at http://digitalsmiths.com The Tug-Of-War for Desktop Control http://blog.bit9.com/bid/2759/The-Tug-Of-War-for-Desktop-Control <p>If you haven't seen it, there was a really well-written and in-depth article on Information Week last week about <a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=202801577&pgno=1&queryText" mce_href="http://www.informationweek.com/news/showArticle.jhtml?articleID=202801577&pgno=1&queryText">Who Really Owns the PC</a> in a corporate setting - the user, or the company.</p><p> </p><p>I loved reading this article because at Bit9 this is <b>exactly</b> the dilemma we are helping companies solve. A flexible solution that can give flexible control to IT so users have a lot of freedom, but IT still maintains the ability to keep the system's integrity maintained and security in line.</p><p> </p><p>One of the most important points made in this article is the need for better communication between IT and the business units who run software. They need to discuss what applications are important, why, what risks are involved, and how IT can best support those applications the business needs. </p><p> </p><p>Although it sounds very basic - it's very difficult to do with today's Windows operating system. There is so little visibility into what users are doing on their local PCs, and when using group policy or managing administrative privileges - all decisions are made locally to each PC, and therefore very difficult to roll up and spot trends and exceptions. </p><p> </p><p>So what? Well - what that all means is - <i>there are no tools that automate communication</i>. IT has no ability to monitor, discover, or be proactive (or reactive even) when it comes to what business users are doing. 
As important as regular face-to-face meetings are to discuss this - and we certainly believe that level of communication is critical to achieve a more controlled environment - it must be accompanied by the right information systems to make everything easy and build trust. Otherwise there is too much opportunity for misinformation, misunderstandings, and mistakes.</p><p> </p><p>What do you think? Please comment on this post and let me know! </p> f1397696-738c-4295-afcd-943feb885714:2759 Kaspersky, Bit9, and Whitelisting http://blog.bit9.com/bid/2694/Kaspersky-Bit9-and-Whitelisting <p>We had some exciting news to report today. <a href="http://www.bit9.com/news-events/press-release-details.php?id=65" mce_href="http://www.bit9.com/news-events/press-release-details.php?id=65">Bit9 has teamed up with Kaspersky</a>, one of the leaders in antivirus solutions, to integrate our whitelisting technology into future Kaspersky products. Here's some information directly from our news release:</p><p> </p><blockquote><p><i>Specifically, Kaspersky Lab will leverage the Bit9 Knowledgebase, the largest collection of actionable intelligence about the world's software, including commercial applications, open-source software, drivers, libraries, and malware, currently comprising more than 4 billion files and growing by up to 50 million records a day. This software identification service helps users understand what applications, good and potentially malicious, are on their desktops, laptops, and servers.</i> </p></blockquote><p> </p><p>So you may ask - why would Kaspersky need Bit9? Well obviously there is a lot going around these days about whitelisting and clearly Kaspersky - a technological leader in the space - is eager to introduce the capability.</p><p> </p><p>Without speaking for Kaspersky, I think this is an incredibly important step for threat research. 
Any antivirus or security entity that tries to identify malicious software is facing the growing challenge now that malware is getting custom, targeting, it's changing all the time, and it doesn't behave in obviously malicious ways. So that means threat researchers have to do more malware testing and more regression testing to make sure they are properly identifying the bad guys.</p><p> </p><p>But if you think about the positive security model - consider anything unknown as malicious, until you can demonstrate it isn't - well it's a much easier thing to do as long as you have a good source of known goodware.</p><p> </p><p>And that's where Bit9's <a href="http://www.bit9.com/products/kbase.php" mce_href="http://www.bit9.com/products/kbase.php">software identification service</a> comes in. No one has invested in developing a knowledgebase as rich and detailed as Bit9 - and it can be tremendously valuable to help navigate the ever-changing waters of malicious software research. Though Kaspersky has not yet disclosed their product strategy, I for one am very excited to see what happens when they incorporate this information and technology into theirs.</p><p> </p><p>What do you think? Submit a comment and let's discuss! </p> f1397696-738c-4295-afcd-943feb885714:2694 The Top 10 Most Vulnerable Applications for 2007 http://blog.bit9.com/bid/2568/The-Top-10-Most-Vulnerable-Applications-for-2007 <p>We've just released our top 10 list of the most vulnerable applications for 2007. This is the second year we've put the list together, and it is focused on those applications that users tend to download. These apps are often very difficult for IT to see, let alone patch, and therefore represent unexpected and unquantified vulnerabilities in an enterprise IT environment.</p> <p mce_keep="true"> </p> <p> </p><p>To make it onto the list, the following criteria must be met. 
Each application:</p><p> </p> <ol> <li>Must run on Microsoft Windows</li> <li><span>M</span>ust be well-known in the consumer space and frequently downloaded by individuals.</li> <li><span>Must </span>not be classified as malicious by enterprise IT organizations or security vendors</li> <li><span>Must c</span>ontain at least one critical vulnerability:</li> <ul> <li>first reported in June 2006 or after,</li> <li>registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database at <a href="http://nvd.nist.gov/" mce_href="http://nvd.nist.gov/">http://nvd.nist.gov</a>, and</li> <li>with a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS). </li></ul> <li>Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.</li></ol> <p mce_keep="true"> </p> <p> </p><p>It is important to note that in most cases, the vendor or publisher of the applications on this list has already produced a patch for the particular vulnerability or vulnerabilities reported here. But at a company, there is usually no way that IT can ensure that the patch has been properly applied - that's requirement #5 on the list of criteria above.<br></p> <p mce_keep="true"> </p> <p> </p><p>Last year when we released this list, a lot of people commented on how we left off so much Microsoft software - some even going so far as to say that Microsoft sponsored this research! So let me be clear - this is entirely produced and financed by Bit9. The reason most Microsoft software doesn't make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same can not be said for apps like Firefox, iTunes, and other packages. 
<br></p> <p mce_keep="true"> </p> <p> </p><p>You can download the <a href="http://www.bit9.com/resources/register/index.php?sfcid=70130000000DSZf&file=Vulnerable_Apps.pdf" mce_href="http://www.bit9.com/resources/register/index.php?sfcid=70130000000DSZf&file=Vulnerable_Apps.pdf">full list of vulnerable applications here</a> which includes the specific versions, the vendors' solutions, the nature of the vulnerabilities, and references to the CVE numbers for the identified vulnerabilities. Also, you can learn what to do to help protect your company from vulnerable applications like these. </p><p> </p><p>So without further ado, here are the apps on the list. Do you have a comment about it? Please submit!</p><p> </p><ol><li>Yahoo! Messenger 8.1.0.239 and earlier</li><li>Apple QuickTime 7.2</li><li>Mozilla Firefox 2.0.0.6 <br></li><li>Microsoft Windows Live (MSN) Messenger 7.0, 8.0</li><li>EMC VMware Player (and other products) 2.0, 1.0.4</li><li>Apple iTunes 7.3.2</li><li>Intuit QuickBooks Online Edition 9 and earlier</li><li>Sun Java Runtime 1.6.0_X </li><li>Yahoo! Widgets 4.0.5 and previous</li><li>Ask.com Toolbar 4.0.2.53 and previous<br></li></ol> f1397696-738c-4295-afcd-943feb885714:2568 Interesting Whitelisting and Desktop Security Discussions http://blog.bit9.com/bid/2460/Interesting-Whitelisting-and-Desktop-Security-Discussions <p>There's been a lot of discussions about whitelisting lately. 
I thought I'd share a few of the ones I have been reading:</p><ol><li> <a href="http://www.eweek.com/article2/0,1895,2191402,00.asp" mce_href="http://www.eweek.com/article2/0,1895,2191402,00.asp">Sign Me Up For Whitelisting</a> by Jason Brooks</li><li><a href="http://www.eweek.com/article2/0,1895,2179611,00.asp" mce_href="http://www.eweek.com/article2/0,1895,2179611,00.asp">Whitelisting and Elegence</a> by Larry Seltzer</li><li><a href="http://blogs.eweek.com/rapoza/content/security/delist_this_security_idea_1.html" mce_href="http://blogs.eweek.com/rapoza/content/security/delist_this_security_idea_1.html">Delist This Security Idea</a> by Jim Rapoza</li><li><a href="http://antivirus.about.com/" mce_href="http://antivirus.about.com/">Antivirus Whitelisting: The Bad and Good</a> by Mary Landesman</li><li><a href="http://blogs.eweek.com/signaling_it/content001/security/with_the_right_tools_and_perspective_whitelisting_can_work.html" mce_href="http://blogs.eweek.com/signaling_it/content001/security/with_the_right_tools_and_perspective_whitelisting_can_work.html">With the Right Tools and Perspective, Whitelisting Can Work</a> by Andrew Garcia</li></ol> f1397696-738c-4295-afcd-943feb885714:2460 Antivirus: Protecting Against Yesterday's Malware! http://blog.bit9.com/bid/2456/Antivirus-Protecting-Against-Yesterday-s-Malware <p>When you buy a security product, do you want to know how well it did against malware that was out last year? Or do you want to know how well it protects you from attacks in the future? The answer is obvious. </p><p> </p><p>Well apparently organizations like <a href="http://av-test.org" mce_href="http://av-test.org">AV-Test.org</a> think you don't care about malware that will come out tomorrow... or even what is out there today. It may shock you to learn how they have been conducting their testing. They basically pre-load a pile of malware on a PC and stick an antivirus solution against it. 
Effectiveness is measured by how much malware is found and stopped.</p><p> </p><p>So basically - when malware comes onto the machine through an email... when a known vulnerability is patched... when a user visits a webpage that contains a drive-by... all these attacks mean nothing against the test.</p><p> </p><p>Nor does any malware that is coming out today. Or tomorrow. Or even just a couple of days ago. Because the malware that is used for the testing is an old sample that the AV vendors have every opportunity to write specific signatures for. That doesn't represent the way your PCs when they are actually on the Internet. It's a joke!</p><p> </p><p>Here's an article from <a href="http://www.theregister.co.uk/2007/10/10/av_tests_revamp/" mce_href="http://www.theregister.co.uk/2007/10/10/av_tests_revamp/">The Register</a> that is describing how finally, people are thinking about considering a different testing approach that incorporates additional aspects of desktop security like behavioral HIPS and patching and firewalls. It's about time. </p><p> </p><p>Still, how can you trust the results of a test that can't even tell you something so simple as "how infected does a computer on the Internet get with a given protection scheme?" </p><p> </p><p>If you ask me - this is what is wrong with the endpoint security industry today. Too many people patting themselves on the back for fighting malware, and not attention paid to real-world effectiveness.</p><p> </p><p>What do you think? Please comment... </p> f1397696-738c-4295-afcd-943feb885714:2456 Desktop Security and Operations Are Converging… Are IT Professionals? http://blog.bit9.com/bid/2425/Desktop-Security-and-Operations-Are-Converging-Are-IT-Professionals <p>Much has been said on the topic of the convergence of IT Security and IT Operations. 
We all see the trend - or steady march now - towards an integrated business function where security is built into every process and aspect of how information technology is managed at a company.</p><p> </p><p>The security industry welcomes this because, let's face it, it's a fight to get people to pay attention to security. System admins too often view security as an afterthought, and one that is rarely prioritized the way it ought to be.</p><p> </p><p>But what few people in the security industry seem to realize is that IT security has become too complex for most administrators on the operational side. Malicious software has become so hard to detect - and malicious behavior is so hard to distinguish from legitimate behavior - that the amount of attention a typical admin must pay to overseeing security audit trails and policies is overwhelming.</p><p> </p><p>Let's look more at the situation on the desktop. Think of how many layers of security now exist on a PC: antivirus, antispyware, personal firewall, HIPS, popup-blockers, URL filtering... the list goes on. Each of these tools has its own security policy, its own set of audits and reports, its own management interface. And as IT security organizations succeed in pushing these tools onto enterprise desktops, it is the IT operations group that has to deal with it all.</p><p> </p><p>Even where agents and consoles are integrated or combined, each technology has its own unique philosophy - meaning that the policies require specialization to properly implement. And after all, it is the implementation of the policy that determines how well the underlying assets are protected. A nuclear power plant can have all the right precautionary procedures in place, but if the workers refuse to follow them... meltdown.</p><p> </p><p>So what is the real effect on an IT organization and its security effectiveness? 
If security is too complex to manage, IT admins either set policies too loosely (so what's the point of the security layer) or they make too many configuration errors (which often eliminates security benefits). Plus, the specialization required to operate these tools means additional training, additional headcount, or similar impact on cost and operation. This trend is sadly only getting worse.</p><p> </p><p>That's where whitelisting comes in. Whitelisting represents a complete reversal in thinking. The skillset required to identify a "good" or "authorized" piece of software is far more common in existing IT organizations. Customers like that - it's easy for them to implement, it sets a higher security baseline, and significantly reduces the threat surface they need to devote attention to. </p><p> </p><p>There has been a lot of discussion lately about whitelisting as a security technology. Several experts appear to be questioning its effectiveness against emerging threats (a point I am happy to argue, by the way). They claim that whitelisting simply can not substitute for the many researchers who devote their lives to identifying malicious software.</p><p> </p><p>But I put the question back to the industry: if the technology we create to identify malicious software is too complex for people to use - have we really done our jobs? Have we successfully crossed from the theoretical to the practical? Are we really protecting people? Personally, I don't think so. That's what whitelisting represents for me - and for many of our customers - the most practical way to converge desktop security and operations.</p> f1397696-738c-4295-afcd-943feb885714:2425 Who Knew "The GAP" Was In Their Endpoint Security? http://blog.bit9.com/bid/2400/Who-Knew-The-GAP-Was-In-Their-Endpoint-Security Another data breach... this time at the Gap Inc. The company has reported that personal information for 800,000 job applicants went out the door with two stolen laptops. 
Sadly, they are just the latest organization to have to deal with this problem.<br><br>Here's a great site (attrition.org) that lists major <a href="http://attritiion.org/dataloss" mce_href="http://attritiion.org/dataloss">data loss and data leakage</a> events. Scroll through this list and you'll be amazed at how many companies are still getting on here.<br><br>I ran some quick calculations about the data on the site and here are some interesting results:<br><ul><li>Data breaches have affected in excess of 230 million accounts (those are just the ones they can estimate)</li><li>So far in 2007, about 75% more people have been affected by a data leakage event than in 2006 (the year is not over)</li><li>The number of recorded breaches has been going up exponentially for the past few years - until this year, when the number appears to dip a little. Of course the year is not over, but the average number of stolen accounts per incident is dramatically higher.</li><li>The top 3 types of data stolen are: Credit Cards (104M), Social Security Numbers (68 M), and email addresses (30M)</li></ul><br>Will this unfortunate event help spur other companies to better protect their desktops and laptops? I can't say I know the answer. But as a consumer I know what the answer should be. Companies have got to get more control over their computers and over <b>my</b> personal information.<br> f1397696-738c-4295-afcd-943feb885714:2400 Whitelist-Based Desktop Lockdown: Never Say Never http://blog.bit9.com/bid/2355/Whitelist-Based-Desktop-Lockdown-Never-Say-Never In the <a href="http://www.virusbtn.com/virusbulletin/archive/2007/09/index" target="_blank" mce_href="http://www.virusbtn.com/virusbulletin/archive/2007/09/index">September 2007 issue of VirusBulletin</a>, our CSO Ian Poynter wrote a response to an opinion piece that was originally written by Dr. Vesselin Bontchev in the previous issue of the magazine. 
You need to be a subscriber to VirusBulletin to read both pieces (<a href="https://www.virusbtn.com/register/index" target="_blank" mce_href="https://www.virusbtn.com/register/index">register</a>!), but the substance of the discussion centers on whitelisting and was driven by this <a href="http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/comments/" target="_blank" mce_href="http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/comments/">comment thread on The Register</a>.<br><br>Dr. Bontchev took the position in his article that whitelisting will never replace antivirus as a basic security technology. My response? Never is a long time. Here are some other well-known "never's" (and I paraphrase):<br><br> <div><b>There will never be a market for more than 5 computers in the world.</b><br> -- <i>Thomas Watson, chairman of IBM, 1943</i> <br> <br><b> A PC will never need more than 640K of memory.</b><br>-- Bill Gates, founder of Microsoft, 1981 <br> <br><b> There will never be a reason anyone would want a computer in their home.</b><br>-- Ken Olson, president, chairman and founder of Digital Equipment Corp., 1977 </div> <br> And my favorite:<br><div><br><b>"Guitar music is on the way out."</b><i><br>-- Decca Recording Co. rejecting the Beatles, 1962</i></div><p> </p>I thought the comments to the Register article were fascinating because they reveal why people are so concerned about the concept of a whitelist. 
Let me summarize the top fears as I interpreted them in that thread:<br><br><ol><li>A dominant vendor controlling the whitelist would stifle competition in the marketplace – particularly from open-source projects and small vendors – by not including them in the whitelist.</li><li>There’s simply too much software out there to make a whitelist efficient.</li><li>Viruses that don’t run as executables could not be stopped by a whitelist.</li></ol>Let me address each of these briefly:<br><br><b>A dominant vendor controlling the whitelist would stifle the marketplace<br></b><br>The intellectual in me recognizes that people are concerned with a specific overall model, so let me state this clearly: whitelist-based security should not be implemented with a centrally-managed list of “good” software that is maintained by a single vendor. Bit9 certainly doesn’t work this way and never has. The whitelist itself should be maintained by the customer, a community, or even an individual PC owner. That way you decide what software should and shouldn’t run.<br><br>The idea behind whitelisting is to move to a computer management model where the software on the PC is controlled. So rather than being a wide-open platform where any software can be launched by a user or another piece of software, a whitelist-based security model only allows the stuff you want to run. And often that includes non-malicious software you don’t own, want, or need.<br><br>Now, the cynic in me says “Don’t you realize that this is already happening?!” The antivirus companies collect and distribute signatures that label software as malicious. There have been cases where spyware companies have <a href="http://www.dmnews.com/cms/dm-news/internet-marketing/38171.html" target="_blank" mce_href="http://www.dmnews.com/cms/dm-news/internet-marketing/38171.html">fought that verdict</a> and won. 
On the flip side, there are legitimate companies out there whose behaviors have been questioned as getting a free ride from the AV companies (we all know about <a href="http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal" target="_blank" mce_href="http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal">Sony</a> and <a href="http://www.eweek.com/article2/0,1759,1983687,00.asp" target="_blank" mce_href="http://www.eweek.com/article2/0,1759,1983687,00.asp">Windows Genuine Advantage</a>). <br><br><span>There’s simply too much software out there to make a whitelist efficient.</span><br><br>It’s true there is a lot of software on the Internet. As I write this, our <a href="http://fileadvisor.bit9.com" target="_blank" mce_href="http://fileadvisor.bit9.com">Bit9 Knowledgebase</a>, which crawls the web to identify and assess software, has cataloged over 4.3 billion software files that make up some 9 million applications… and it grows by about 50 million files every day. Those numbers may sound extreme – but remember, you will only run a tiny, tiny fraction of these, even in a large organization.<br><br>I think the confusion comes from a key difference in the way a whitelist model works as compared with a blacklist model. Remember, with a blacklist model like antivirus, the system is trying to match every file on a PC against one of the million or so known signatures for malware. <br><br>In contrast, with whitelists, the system is only trying to match files against what’s on the whitelist. A typical PC has about 10,000 executable files on it, but because of the commonalities between PCs, even a large organization typically won’t have more than a couple hundred thousand unique executable files across the entire organization. So the set of data you are comparing against is only about 1/5-1/10 the size of the malware signature set. Plus all the files on the PC need to be re-assessed every time the blacklist gets updated with new signatures. 
Not so with whitelists - enforcement is a simple check at program launch time.<br><br><div><img src="http://blog.bit9.com/Portals/447/images/scale-wl-bl.jpg" mce_src="http://blog.bit9.com/Portals/447/images/scale-wl-bl.jpg" /><br></div><br>The only time the 4.3 billion files come in is when new software comes into your environment. Then you have to identify it (you can use the knowledgebase for that) and decide whether to approve it or not. And this is a highly automated, very efficient process… but I’ll save that for another post.<br><br><span>Viruses that don’t run as executables could not be stopped by a whitelist</span><br><br>Finally, there’s the concern from the Register comments that a whitelist can’t stop every attack – in particular, those that don’t run as executables. Once again, the cynic in me says that neither do antivirus solutions stop every attack – no security solution stops every attack -- that’s why the industry promotes layered security in the first place.<br><br>But what does a good application control solution stop?<br><br><ul><li>Any type of exploit delivering any type of payload</li><li>A product with a known vulnerability that is being exploited</li><li>Older versions of applications that are not up to patch specifications</li><li>The installation of rootkits, botnets, and other software that is virtually undetectable once it does get installed</li></ul><br>As part of your security strategy, this provides significantly more flexibility and power than anything currently in your arsenal.<br><br>So there it is. Read <a href="http://www.virusbtn.com" target="_blank" mce_href="http://www.virusbtn.com">VirusBulletin</a> – it’s worth it. 
And let me know what you think!<br><br> f1397696-738c-4295-afcd-943feb885714:2355 How Whitelists Can Protect Your Enterprise http://blog.bit9.com/bid/2231/How-Whitelists-Can-Protect-Your-Enterprise <p>A new <a href="http://www.bit9.com/resources/index.php#podcasts">podcast</a> from Enterprise Systems Journal looks at how whitelisting works and examines its benefits with Brian Gladstein, Bit9’s Director of Product Marketing. Whitelisting is an approach used to secure enterprise computing systems by specifying which applications and devices are allowed to operate. All the rest -- unknown and unapproved applications and devices -- are blocked. Unlike blacklisting, third parties don’t dictate which software or processes are inappropriate. With whitelisting, no third-party policy updates are required. Untrusted software simply can’t install or run, even zero-day or zero-minute software. A broad whitelisting approach covers the applications the organization uses such that a typical user is not blocked while unauthorized software is always blocked. Thus, it’s not a matter of whether the file or device seems good or bad, but whether an organization decides it’s authorized to run. Companies are using whitelisting to increase compliance and manageability, while protecting their endpoints from spyware, viruses, worms, zero-day threats, botnets, rootkits, vulnerable applications, non-business and/or non-compliant applications, and unlicensed, unknown, or unauthorized applications or devices. 
To learn more about how whitelists can protect your enterprise, listen to the podcast at: <a href="http://www.bit9.com/resources/index.php#podcasts">http://www.bit9.com/resources/index.php#podcasts</a>.</p> <p></p> f1397696-738c-4295-afcd-943feb885714:2231 7 Ways High-Tech Criminals Compromise Your Computers http://blog.bit9.com/bid/2126/7-Ways-High-Tech-Criminals-Compromise-Your-Computers <p>Did you know that high-tech criminals are exchanging goods on auction sites, leasing time on botnets, and renting lists of security companies’ IP addresses? Too often, their goal is access to one, specific enterprise network – maybe yours – that they can mine for marketable data. Robin Bloor, partner in noted industry analyst firm Hurwitz & Associates recently participated in a <a href="http://www.bit9.com/news-events/webinar-detail.php?id=29" target="_blank">webcast</a> called “Confidential Data for Sale: 7 Ways High-Tech Criminals Compromise Your Computers.” <br><br>Today’s hackers are after your enterprise data, and the tools and services they employ to get at it are supported by a sophisticated and fast-growing criminal industry. Even more surprising, and worrying, is how ineffective today’s standard enterprise security practices are at stopping these sophisticated attacks. Consider the following:<br><br></p><ul><li>It takes many companies days or weeks to deploy a patch, yet a virus can morph into an undetectable state within a few hours. </li><li>For $200 you can buy a shrink-wrapped hacker’s software development kit (with updates). </li><li>There are more than 5 million PCs under the control of botnets. </li><li>Most of these viruses – if not all – can be stopped if PCs blocked unauthorized software. 
</li></ul> f1397696-738c-4295-afcd-943feb885714:2126 4 out of 5 cardholder breaches occur at the point of sale http://blog.bit9.com/bid/2005/4-out-of-5-cardholder-breaches-occur-at-the-point-of-sale <a name=OLE_LINK1>Did you know that 4 out of 5 cardholder data breaches occur at the point of sale? </a><br><br>As the technology used by merchants and their partners has evolved, card fraud has become more sophisticated, and any business that stores or transmits cardholder account data is a potential target. In response to this evolving threat, the major credit card companies have created a set of security standards, known as the Payment Card Industry Data Security Standards or PCI DSS, to protect their customers from security breaches and identity theft.<br><br>Merchants everywhere are under extreme pressure to comply with the PCI Data Security Standards or risk financial penalties and negative press. The key challenge is how to protect cardholder data on a point-of-sale (POS) system without a dedicated network connection or on-site IT staff to patch security vulnerabilities and update antivirus signatures.<br><br>A recent <a href="http://www.bit9.com/news-events/webinar-detail.php?id=23">webinar</a> hosted by Bit9, entitled “Achieving PCI Compliance at the Point of Sale,” detailed the challenges of securing a POS system, including identifying unauthorized software, locking down systems, auditing files, and preventing data leakage. For more information on achieving PCI compliance at the point of sale, including a free whitepaper, visit the Bit9 <a href="http://www.bit9.com/solutions/pci-compliance.php">web site.</a><br> f1397696-738c-4295-afcd-943feb885714:2005 The WRONG Way to Stop USB Data Leakage http://blog.bit9.com/bid/2004/The-WRONG-Way-to-Stop-USB-Data-Leakage It doesn’t take much to get publicity these days. Lose one spreadsheet containing customer data, and your company’s name is almost guaranteed to be plastered all over the front page news. 
<a href="http://www.bit9.com/solutions/stop-data-leakage.php">Data leakage</a> is a serious issue that is expected to result in tens of millions of people receiving "data loss" notification letters this year. And <a href="http://www.bit9.com/solutions/compliance.php">compliance</a> regulations, including SarBox, HIPAA, and Payment Card Industry (PCI), are bearing down on companies to prevent the loss of this information.<br><br>But what if you could audit every file copied to and from a portable storage device such as a USB key? Better yet, what if you could prevent the copying of confidential information to unauthorized devices?<br><br>A recent <a href="http://appcontrol.blogspot.com/www.bit9.com/news-events/webinar-detail.php?id=19">webinar</a> hosted by Bit9, entitled “The WRONG Way to Stop USB Data Leakage,” detailed key issues on how to protect sensitive and proprietary data through strong <a href="http://www.bit9.com/products/parity.php">device and application control</a> policies. f1397696-738c-4295-afcd-943feb885714:2004 Spam Increase Due to Russian Botnet http://blog.bit9.com/bid/2003/Spam-Increase-Due-to-Russian-Botnet eWeek has written an <a href="http://www.eweek.com/article2/0,1895,2060235,00.asp">article</a> that offers an explanation for a recently observed 67% increase in overall spam volume since August. The cause seems to be a Russian hacker group controlling a massive and sophisticated botnet of 70,000 compromised hosts spanning 166 countries. It is built upon the SpamThru Trojan that I blogged about earlier. SpamThru is the malware which includes its own pirated full AV scanner to kill other malware, freeing up more machine resources for its own purposes. I wondered why SpamThru introduced this complex functionality into the wild, but now it seems clear. In the apparently profitable and booming spam email business, more machines and more CPU cycles mean more profit. 
In fact, we see there is enough profit to fund many developers and botnet administrators.<br><br>This is another example of an "asymmetric warfare" situation in computer security. Even patched versions of modern OS's are vulnerable -- almost 50% of this new botnet is XP SP2. We know this because the botnet tracks everything extremely well. An attacker can find a single vulnerability in just a small time window, and that is enough to take the machine. And with modern rootkit technologies, once taken, no known general defense will reliably get the computer back or protect it again. Only new proactive defenses, such as application control which protects against the first execution of unknown code, can stop new modern threats like this.<br> f1397696-738c-4295-afcd-943feb885714:2003 Vista Benefits Questionable http://blog.bit9.com/bid/2002/Vista-Benefits-Questionable Jason Brooks from eWeek recently <a title="http://now.eloqua.com/er.asp?s=" href="http://www.eweek.com/article2/0,1895,2063957,00.asp" l="l">published a review</a> for the final build of Vista that simultaneously praises and questions the slick new OS. Brooks observes that many of Vista’s most substantial new features can actually be implemented on Windows XP desktops using existing 3rd-party solutions. One prime example he singles out is Vista’s User Account Control which helps to lock down desktops and laptops. This means you don’t have to go through a large-scale Vista upgrade to achieve the benefits you seek.<br><br><br> f1397696-738c-4295-afcd-943feb885714:2002 SpamThru Trojan Installs Its Own AV Scanner http://blog.bit9.com/bid/2001/SpamThru-Trojan-Installs-Its-Own-AV-Scanner Like malware researcher Joe Stewart, I also thought I had seen it all, until I saw <a href="http://www.eweek.com/article2/0,1895,2034680,00.asp">this article</a> on the SpamThru trojan. It describes a trojan that bundles and installs its own AV scanner. Why would a trojan want to do that? 
The reason is that by blocking other malware, SpamThru is trying to keep all the computer resources to itself. This is malware using anti-malware to dominate both the OS and the malware competitors. Since trojan installations are highly profitable, and in some cases technically legal, more resources can mean many more thousands of dollars that are "legally" earned. I don't know whether SpamThru is polymorphic or not. In other words, I don't know if it evades signature-based defenses by encrypting itself. But in any event, an effective graylist application control system can stop trojans from installing in the first place.<br> f1397696-738c-4295-afcd-943feb885714:2001 Apple Ships Ipods with Virus http://blog.bit9.com/bid/2123/Apple-Ships-Ipods-with-Virus Even music players are a potential vector for malware. Apple confirmed that they shipped a "small number" of video iPods with the RavMonE.exe virus, which affects Windows. You can read Apple's statement <a title="http://www.apple.com/support/windowsvirus/" href="http://www.apple.com/support/windowsvirus/">here</a>. It's not clear how the virus made its way onto the iPods and Apple isn't telling. In any event, removable devices of any kind can easily carry malware, whether it's been installed deliberately or accidentally, so caution is always advisable. f1397696-738c-4295-afcd-943feb885714:2123 Security Vendor's FUD Marketing http://blog.bit9.com/bid/1999/Security-Vendor-s-FUD-Marketing Eric Ogren blogs about <strong>security vendor's FUD marketing</strong> on Computerworld. Interestingly, he points out that "the intent is to create demand for security products, but I am beginning to think it does exactly the opposite by pointing out the futility of security products to stop attacks." Read more <a href="http://www.computerworld.com/blogs/node/3651">here</a>.<br> f1397696-738c-4295-afcd-943feb885714:1999