By Adrian Lane
A lot of security related news this week in the mainstream press. What with Nuclear Secrets being a fringe benefit to eBay shopping. Other big names like McAfee exposing users to a CSRF and MI-6's operations nixed on a missing memory stick. With security this bad, who needs Chinese hackers? What gets me is the simple stuff that gets missed. Unencrypted hard drives and memory sticks. WTF? Fighter jet plans and power grid control systems on networks, directly or indirectly attached to the Internet? Whoever thought that was a good idea needs to be discovered and fired. Anyway, enough negativity, and you don't need to read my rants when there are this many good articles to read this week.
The funniest thing I saw all week was from last night: Rich and I were having dinner, waiting for the 10:00 PM premiere of the new Star Trek movie, when Rich decided he was going to have some fun and do some 'live #startrek' tweets. Not real, but live. Rich was on a roll as we started to joke about plot lines and just making up character twists and throwing BS on Twitter. I must say, he has Trekkie cred, because he knows a heck of a lot more than I do about the entire genre. We were having a great time just making $%(# up. After dinner we went to the theater and got dead center seats! We were not 5 minutes into the movie when one of Rich's tweets came alarmingly close to the real thing. Another 5 minutes, and Rich nailed another plot line. I am not going to say which ones, you will just have to go see the movie. Oh, and we both really liked it! A must-see for Star Trek fans. But for a little amusement, before you go to the movie, check Rich's tweets.
I know Rich said it last week, but I wanted to mention it again -- if you'd like to get our content via email instead of RSS, please head over and sign up for the Daily Digest, which goes out every night.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Martin and Rich on the weekly Network Security Podcast.
- I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (each about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It's all objective stuff, and cut-down versions of our more extensive materials.
Favorite Securosis Posts
Favorite Outside Posts
Top News and Posts
Blog Comment of the Week
This week's best comment was from Nick in response to Spam Levels and Anti-Spam:
Since the McColo shutdown we have seen a gradual rise in spam only returning to pre-McColo levels about a month ago.
We are a small fish and only deal with about 20,000 emails per day including spam. But I have not been able to recognize the "return to normal" that everyone was talking about several months ago.
I would actually estimate that after the shutdown, we have been sitting about 20% lower than usual, until this past month. Not including the first period of time after McColo.
–Adrian Lane
Posted at Friday 8th May 2009 12:35 pm
By Adrian Lane
The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there, as we have been getting numerous tweets and emails on the subject, as well as a ton of press on the project from eWeek, Dark Reading, ZDNet, and Dennis Fisher at ThreatPost. Jeff Jones posted an announcement on his Security Blog, plus there is coverage by Peter Galli on Microsoft's Port 25 blog as well! There won't be a lot of content pushed out next week as we are crazy-busy next week, but this will be a full-time effort come May.
On the personal side, I got a couple of phone calls again this week. You know, the "My computer is doing FOO, and it stopped working" phone call from friends and family. As sure as the sun rises in the morning, I got another call today from a friend who has their machine infected with some form of malware. IE is completely locked, and when they try to use it now, all they get is an advertisement to purchase AV and anti-malware! After a few hours of someone in the family browsing risky sites and downloading music from dubious locations, it looked like they had managed to get infected with something that was not going to easily surrender. It passed the Eye Chart test, but I was not convinced that it was (or was not) Conficker.
The next question of course is "How do I fix it?" and my response is "stop doing what you did to get it infected in the first place!" The snappy retort does not make me very popular, but why fix it and have them do it again a week later? Almost immediately I feel bad for them and go ahead and fix it. Most of the people who call use their computer to run their business. This is how they make their living. They are hosed. They will lose two or three days of revenue and piss off their clients if they don't get back up and running ASAP. Can the virus be removed without permanent damage? Maybe, maybe not. A fresh install is probably the only way to be sure you got it. Serious education on what not to do is what it would take to keep it from happening again. Any way you slice it, this is a painful process.
There are a lot of commonalities across this group:
- They use IE 6.x on Windows.
- They do not make backups.
- They do not keep the original software media or software licenses.
- They use their machines for their business.
- Their machines run very slowly, and have for a long time.
- They browse -everywhere-.
- They have never met an email link they would not click.
- They download lots of applications and music.
- They install a lot of free Internet applications just to see what they are.
- They have never uninstalled a program.
- They do not run disk cleanup.
- They have Norton or McAfee.
- They have malware and adware on the machine.
- They do online banking.
- There is no password on the machine.
- The machine is multi-use by/for all family members.
- They have never looked at IE settings.
- They are unaware that there are other browsers.
I feel bad half the time, because I cannot fix the problem without a re-install. When I do re-install, getting the computer to where it was before the infection is a full day's work ... spread out over a week or more. Man do I have sympathy for the corporate IT guys who have to put up with this for a living! "Where are my bookmarks?" "Why does the computer do this?" "I can't print!" "Why is this over here when it used to be over there?" Part of me wants them to feel a little pain, in order for them to appreciate that performing every risky act on your computer has consequences, but what really needs to happen is some education for the home user. I have been on this topic for some time, and I feel fairly strongly about it. Enough so that I even bought "Security Mike's Guide to Internet Security" when it was still vapo-bookware to loan to family members to raise their awareness. Not that they would have read it before their computer imploded, but it would be there for them as they waited for InstallShield to complete its tasks. I know that security professionals need to help not just the vendors and IT organizations who have security challenges, but the end users as well. I am going to be cherry-picking a bunch of our old posts and putting them into the new Research Library for end user assistance and tips. Certainly not our focus, but something we will continue to build.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences:
Favorite Securosis Posts:
Favorite Outside Posts:
- Adrian: I liked Ronald McCarthy's down-to-earth discussion of Ubuntu Security.
- Rich: Alex's comments on Project Quant. Don't worry Alex, we are all armed with 'Multitools' and chewing gum!
Top News and Posts:
- An Examination of the Twitter Worm.
- The Verizon Data Breach report is out. It's good. Read it when you get the chance, but some of the editorial posts are advised as well, such as ...
- Mortman's initial thoughts on the Verizon 2009 DBIR.
- Thoma Bravo is buying Entrust. For about 1.2x revenue. Entrust has solid products and a fairly stable revenue stream from their government sales. I know the stock is dangerously low, revenues are down, times are tough, but $114M seems low.
- Backbone Hacking Tools to be Unleashed.
- Pirate Bay Verdict in: Guilty
- Microsoft Security Bulletin. Mostly standard fixes, but for me, I have to ask the question: how the %@$! could Wordpad allow remote code to execute under ANY circumstances?
- Nice article on SC Magazine about hackers who were busted in Romania by Romanian authorities and the FBI for credit card fraud. Must have been getting out of hand if the FBI got involved. Since when do pharmaceutical companies store end user credit card data? Have they begun to sell direct?
Blog Comment of the Week:
This week's best comment was from ds in response to Rich's post on Security Inevitabilities:
Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won't be magnetic strips.
...and we'll still have CC fraud because there won't be an infrastructure to allow every possible transaction to be a cardholder-present equivalent, so we will still need some way for credit card data to be human interpreted and communicated.
–Adrian Lane
Posted at Friday 17th April 2009 11:44 am
By Rich
When I first started Securosis I was a little surprised at the number of due diligence and other investor-related projects that started flowing through the door. At Gartner we couldn't engage in these kinds of projects (for some very good reasons), but being independent allowed me more flexibility. Since then we've continued to work closely with a variety of investment partners and clients.
One of our partners is Marker Advisors, a boutique financial analysis and consulting firm here in Phoenix/Scottsdale. We like them for their dead-on analysis, and habit of buying us Mojitos on Friday afternoons. I wish I could tell you some of the stuff these guys are up to, but suffice it to say they have an extremely good pulse on the market. (We also suggest you follow Peter Kuper, who is blogging over at IANS and is another one of our favorite partners).
We asked the guys at Marker for their take on the security software market, and they were kind enough to let us post their response. Some of this information is counter-intuitive, and shows why the economy isn't the only issue the security market faces. We've broken it into two parts:
2008 was a tough year economically, but most software companies discovered ways to grow revenue. The 20 companies we are closest to and favor (what we call our "coverage" list) grew revenue 18% (organically) YoY in 2008; an outstanding performance given both the environment and an overall market that grew at less than half that pace. Our larger "universe" of the 75 software companies we follow grew ~16% (including acquisitions). However, growth in both groups slowed in the 2H08 to ~9% YoY. The big question that needs answering is at what rate will revenue grow in 2009, and then 2010? To best determine this answer, let's first take a look at why revenue grew last year:
- New product cycles. The first major new product cycles since 1999/2001 spurred investment in 2006 > 2008. 2008 capped a multi-year reinvestment cycle, as many companies managed to finally complete the move to Web-based technologies (from client server) in most applications/infrastructure, as well as upgrade to the latest generation of IP networking products.
- Existing vendor spend. Software companies with large customer bases were able to sell these new products (often at a discount) into a market that wanted to spend with existing vendors.
- Add-ons increase ASPs. New add-on products (product line extensions) helped increase ASPs, as customers looked to improve the productivity and broaden the use of new installations.
- Support costs increased. Many vendors pushed through 2007/2008 increases in maintenance and support charges, as pricing power shifted back to the vendors (for oh so short a time).
- International growth. International growth helped overcome a relatively difficult U.S. market.
- Budget shifts. Budget allocations shifted towards our favored sectors – Security, Web Content Management and Virtualization.
- Weak dollar. The dollar's weakness pushed growth up in the 2H07 and the first half of 2008.
- M&A boosts results. Acquisitions in late 2007 and early 2008 boosted 2008 revenue results by a couple of percent.
However, most of the factors that made 2008 a solid growth year are no longer present in 2009:
- We are at the end of this decade's major product introductions. The next round of innovation appears to be focused on "cloud" computing, not data center computing. As customers evaluate where to install their next server and whether to rent or own software, they will spend less now. The economy will only make it easier to consider this a "transition" year.
- The large customer bases that were heavily mined throughout 2008 are nearing exhaustion. Although they did not overspend like they did in 2000/2001, they are appropriately stocked.
- Add-ons are slowing. Add-on products continue to get shipped, but it's going to be a slow year for innovation. There will be no major new product cycles until 2010-2011. Moreover, the future product cycles will be more cloud-based and subscription priced, so look for evolution in business models.
- International growth will not be as much assistance in 2009, as EMEA, APAC and China all slow spending. We have picked up a growing number of channel checks that suggest all three regions are now slowing materially.
- Budgets will shift towards a much smaller set of projects in 2009. If you are a strategic vendor and make the short list, the year will look decent (low double digit growth). If not, it will be a struggle (flat to declining revenue YoY). Security and WCM will continue to outperform, but ratcheted down a full notch. Applications will continue to underperform. Basic infrastructure will be mixed – virtualization will be solid, but communications and networking will be slowed by both "cloud computing" marketing and major vendor "next big thing" sales campaigns. It is no longer clear where organizations should invest... In their own data centers? Or should they outsource basic infrastructure like email, collaboration, and data services to the emerging cloud vendors? Or outsource it to their software vendors' SaaS offerings? 2009 will be a good time to evaluate these options, while not making a major investment decision.
- It's hard to predict the dollar – however, it's unlikely to provide much tailwind given 1H08's prolonged weakness.
- We believe acquisitions will pick up as the year progresses, as potential sellers understand we are in for a rough couple of years and valuations are not coming back strongly. In fact, we think many of the best investment opportunities will come in the form of M&A.
In December 2008, Street analysts had 2009 revenue growth at around 9% YoY for our coverage names, and close to that for our universe names. SaaS and virtualization companies have higher expected growth rates, and application companies lower growth rates. Today those same analysts have cut growth projections to around 5% YoY.
In examining the quarterly forecasts, it appears investors and analysts are looking for a 2H09 recovery in capital spending. The crux of our question is how could they possibly know that right now? We don't know either, but we think it more likely we don't see real recovery in software investment until 2010 or 2011, when there are new product cycles worth buying.
About Marker Advisors: Marker is a research consultancy firm specializing in the software industry. We work with senior company management as well as sophisticated industry investors to create shareholder value. We provide detailed market intelligence, business and product strategy, and M&A advisory services.
–Rich
Posted at Thursday 16th April 2009 3:10 pm
By Rich
Martin was out of town this week and put our fine show into my trustworthy hands. A trust I quickly dashed as I invited Chris Hoff to join the show. We managed to avoid any significantly bad language, and both of us were completely sober. I think.
Chris and I started with a discussion of the latest national cybersecurity recommendations, moving on to the CheckFree attack, the DNSChanger trojan, DLP/DRM advances by Microsoft/EMC and McAfee/Liquid Machines, and finishing with one of our pontificating discussions about the cloud.
Here's the show, and the show notes: The Network Security Podcast, Episode 131, December 9, 2008.
Show Notes:
–Rich
Posted at Wednesday 10th December 2008 1:54 am