Research

PayPal announced their Mobile PayPal offering this week. Really nothing new here from a technology standpoint as it leverages existing services and the Verisign/PayPal security key. Why I was interested in the release was the signal that they are putting more resources behind this market. I am still shocked that payment via cell phone did not catch on like wildfire in US. Look at adoption rates of cell phones, SMS, twitter and the like, and I would have bet that payment would have been right there with them. Small dollar, in context, person to person, embedded payments could be easily provided. I saw my first payment via cell phone method in 1996 through one of the major European cell phone providers. Built a system capable of providing ‘micro-payment’ over the phone in 1997. Nada. No interest from the public. Still, it would be far safer for me to pay for that thing I bought on eBay over the cell phone than using the Internet access for whatever hotel I am usually staying in. Need remains, so I am very interested in seeing how customers react to this recent announcement. There are plenty of other companies who offer quality service but struggle with adoption. Startups like Obopay have done a good job in building awareness and vendor relationships (with banks & telecommunications carriers) needed to succeed in this market. But while they may be winning the war with the tiny providers like CellPay, Paymate, TextPayMe and countless others, they are at a disadvantage in a couple of ways. First, these vendors typically build a new payment mechanism, unlike PayPal, who is simply a wrapper on existing infrastructure. Second, even if they do come up with a novel approach, most likely what they have done is build a blueprint for the larger providers as they are not large enough to make a market. After 10 years I think we have proven there is not going to be viral adoption, so the smaller players are going to have a very tough time if PayPal’s offering is adopted by their customers, something neither the banks nor the cell providers have been able to leverage. Now I am off for a long weekend. Have a great Thanksgiving Holiday! Share:

Martin and I are preparing for Thanksgiving, just like everyone else in America right now. I don’t know about you, but that primarily means I have five days of work to accomplish in three days of the week. So we didn’t organize a guest this week- instead we sat down together (1000 miles apart) and talked about some of the stories that caught our attention over the last couple of weeks. It’s a good show, and we’re out of here until after Turkey Day. Have a great Thanksgiving! Network Security Podcast, Episode 129, November 25 2008 Show notes: Security FAIL – But I changed my Twitter password… Gmail Security Flaw PoC Kernel Vulnerability found in Vista Final judgment: SCO owes Novell millions (plus interest) Decreasing security for perceived security – all in the name of compliance Managing Security in Economic Downturns The Julie Amero forensic analysis Share:

When I was with IPLocks in the 2004 time frame, we were exploring the possibility of selling our monitoring and assessment suite into the government. Friends and contacts made introductions, and we began investigating if there was a need for the solution, and if so, how we would approach tackling that type of relationship. While we knew dealing with the government would be tough, we felt that any organization that is sitting on piles of personally identifiable information and literally hundreds of thousands of databases would be a natural fit for our technology. After a few months of analysis process we decided we couldn’t do it. Too much in the way of time and resources, and too much uncertainty about what we needed to do. Going through the process was simply too long and too difficult for a small company like ours to undertake. We had a technology that could solve problems in different branches of the government, but this is not like the private sector where vendor meets customer, product meets need, and we write up a contract. There are far more demands and restrictions, and the more we learned, the more we felt we will missing basic knowledge of all of the steps in the process. Or even what the process was, for that matter, or which systems integrator we should approach, we did not know if we needed to focus on specific branches of the government, nor were we even aware of all of the accreditations and certifications our product would need to go through. The risk was too great and we walked away. This is a common problem and one to be expected. I run into vendors at every trade shows who are in the same boat; a desire and a good technology fit, not a clue as to where to start. A couple years ago, my friend Robert Rodriguez helped found the IT Security Entrepreneurs forum with the intention of tackling this type of problem and provide a way to “bridge the gap” between Federal agencies and private industry. From his perspective he saw both the desire from the vendors side to participate, but also the need from the government side to have security products that were, how do I say this, from the current decade. But the process does not favor this sort of innovation, rather it is the larger firms that can afford the time and resources to last through the effort, with the smaller and mid sized vendors getting filtered out. Smaller firms with innovative technologies typically cannot compete. Various arms of the US Government are supporting this effort to address the problem by offering educational resources and contacts, and the forum’s web site will host much of that information freely to the public. If you are serious about selling to the government, there is also a conference in March dedicated to this topic, and it is well worth the $400 fee. Past events have had a number of very good speakers from the security industry, academia, DHS and the US Military, along with some very eye-opening comments from the behind-the-scenes administrators who run the procurement side of the process. Once you understand the issues from the other side of the table, it makes things a lot clearer about what you need to do and why. Plus a lot of the VC, resellers and system integrators are in attendance, and they help small firms avoid common mistakes, wasted efforts and provide some plain speaking advice on what you need to do to sell to the government. If you have ever sifted through the online tomes of government requirements written in that special form of legal-ese, you know why that is of value. Share:

Last week I talked a bit on the decision by Microsoft to kill OneCare and release a new, free antivirus package later in 2009. Overall, I stated that I believe this will be good for consumers: I consider this an extremely positive development, and no surprise at all. Back when Microsoft first acquired an AV company I told clients and reporters that Microsoft would first offer a commercial service, then eventually include it in Windows. Antivirus and other malware protections are really something that should be included as an option in the operating system, but due to past indiscretions (antitrust) Microsoft is extremely careful about adding major functionality that competes with third party products. Not everyone shares my belief that this is a positive development for consumers. Kurt Wismer expressed it best: i doubt you need to be a rocket scientist to see the parallels between that scenario and what microsoft did back in the mid-90’s with internet explorer, and i don’t think i need to remind anyone that that was actually not good for users (it resulted in microsoft winning the first browser war and then, in the absence of credible competition, they literally stopped development/innovation for years) … what we don’t want or need is for microsoft (or anyone else, technically, though microsoft has the most potential due to their position) to win the consumer anti-malware war in any comparable sense… it’s bad on a number of different levels – not only is it likely to hurt innovation by taking out the little guys (who tend to be more innovative and less constrained by the this is the way we’ve always done things mindset), but it also creates another example of a technological monoculture… granted we’re only talking about the consumer market, but the consumer market is the low-hanging fruit as far as bot hosts go and while it may sound good to increase the percentage of those machines running av (as graham cluley suggests) if they’re all using the same av it makes it much, much easier for the malware author to create malware that can evade it… That’s an extremely reasonable argument, but I think the market around AV is different. Kurt assumes that there is innovation in today’s AV, and that the monoculture will make AV evasion easier. My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV. An attacker, right now, can easily create a virus to evade all current signature and heuristic based AV products. The barrier to entry is extremely low, with malware creation kits with these capabilities widely available. And while I think we are finally starting to see a little more innovation out of AV products, this innovation is external to the signature based system. Here’s why I think Morro will be very positive for consumers: Signature based AV, the main engine I suspect Morro runs on, is no longer overly effective and not where the real innovation will take place. Morro will be forced to innovate like any AV vendor due to the external pressures of the extensive user base of existing AV solutions, changing threats/attacks, and continued pressure from third party AV. Morro will force AV companies to innovate more. Morro essentially kills the signature based portion of the market, forcing the vendors to focus on other areas. The enterprise market will still lean toward third party products, even if AV is included for free in the OS, keeping the innovation pipeline open and ripe to cross back to the consumer market if Since the threat landscape is ever evolving I don’t think we’ll ever hit the same situation we did with Internet Explorer. Yes, we may have a relative monoculture for signatures, but those are easily evadable as it is. At a minimum, Morro will expand the coverage of up-to-date signature based AV and force third party companies to innovate. In a best case scenario, this then feeds back and forces Microsoft to innovate. The AV market isn’t like the browser market; it faces additional external pressures that prevent stagnation for very long. I personally feel the market stagnated for a few years even without Microsoft’s involvement, but it is in the midst of self correcting thanks to new/small vendor innovation, external threats, and customer demand (especially with regards to performance). Morro will only drive even more innovation and consumer benefits, even if it ever fails to innovate itself. Share:

Catching up from last week I saw this article in Techworld (from NetworkWorld) about an IETF meeting to discuss the impact of Dan Kaminsky’s DNS exploit and potential strategies for hardening DNS. The election season may be over, but it’s good to see politics still hard at work: One option is for the IETF to do nothing about the Kaminsky bug. Some participants at the DNS Extensions working group meeting this week referred to all of the proposals as a “hack” and argued against spending time developing one of them into a standard because it could delay DNSSEC deployment. Other participants said it was irresponsible for the IETF to do nothing about the Kaminsky bug because large sections of the DNS will never deploy DNSSEC. “We can do the hack and it might work in the short term, but when DNSSEC gets widely used, we’ll still be stuck with the hack,” said IETF participant Scott Rose, a DNSSEC expert with the US National Institute for Standards and Technology (NIST). Look, any change to DNS is huge and likely ugly, but it’s disappointing that there seems to be a large contingent that wants to use this situation to push the DNSSEC agenda without exploring other options. DNSSEC is massive, complex, ugly, and prone to its own failures. You can read more about DNSSEC problems at this older series over at Matasano (Part 1, Part 2, site currently experiencing some problems, should be back soon). The end of the article does offer some hope: The co-chairs of the DNS Extensions working group said they hope to make a decision on whether to change the DNS protocols in light of the Kaminsky bug before the group’s next meeting in March. ” We want to avoid creating a long-term problem that is caused by a hasty decision,” Sullivan said. “There are big reasons to be careful here. The DNS is a really old protocol and it is fundamental to the Internet. We’re not talking about patching software. We’re talking about patching a protocol. We want to make sure that whatever we do doesn’t break the Internet.” Good- at least the chairs understand that rushing headlong into DNSSEC may not be the answer. We might end up there anyway, but let’s make damn sure it’s the right thing to do first. Share:

I installed Parallels 4.0 on the iMac last week, upgraded my licenses and converted my bootable images to the new format. It took a while to do as the conversion process takes a long time. While the installation was trivial, I had 4 different bootable images to convert, which took a good 3 hours to migrate even though they were only a couple of gigabytes a piece and only have a handful of applications installed. But I had no problems and everything worked fine. There are a couple subtle changes to the interface that make management of the images a little easier. I have not witnessed the performance enhancements that are claimed to be present, but I have not had performance issues in the past, so your mileage may vary. As the build I used was the one provided right after the official announcement, I was expecting that a new one would be released soon to clear up some small issues that have popped up. Sure enough, build 4.0.3540.209168 popped up today. Problem is I cannot install it. The ‘Continue’ button is grayed out; tried a couple of times, but there are really no options other than to accept and continue, but still I cannot proceed. I cannot imagine something this simple not getting picked up by QA. Anyone else out there having this issue? Share:

Since I get asked this question a lot: Call yourself an analyst. Convince someone to call you an analyst. Business cards don’t hurt. (P.S.- Being a good analyst? Totally different story, although you still start the same way.) Share:

Experts: Cyber-crime as Destructive as Credit Crisis Bullshit. Share:

Last week the SBN died as Google decided to drop support for Feedburner groups during their transition of Feedburner to Google’s platform. Alan Shimel worked hard behind the scenes, and the new SBN is hosted over here at Lijit. Huge thanks to Alan and Lijit for saving the SBN, and please redirect your browsers and readers to http://security.lijitnetworks.com/. It’s a little rough right now, but more updates and fixes should be out soon. Share:

After this week, Rich and I are “Home for the Holidays”, with the last of the year’s travel behind us. We have started work on our Web Application Security Program, and in keeping with our dedication to transparency in our research, we will be posting research notes for comments here on the blog during the next couple of weeks. We’re the first to admit that more of our revenue comes from sponsors/vendors than end users, but we believe that total transparency in our research process can help weed out any overt or subconscious bias and keep us honest. And let’s face it- we want to give you free stuff, and this is the only way I can do that and keep all my dogs fed. Rich and I are looking forward to avoiding the airports during the holidays and we should be pumping out a ton of research to close out our year. Now on to the week’s security summary: Webcasts, Podcasts, Outside Writing, and Conferences: Rich was in Mi esota this week, meeting with clients and giving his DLP pitch, at a T-Wolves game before returning. (No, he didn’t wear a gorilla suit, and no flaming rings were involved). On the Network Security Podcast this week, Martin and Rich interviewed Glenn Fleishman on the recent WPA crack and more. CSO Magazine published seven of Rich’s predictions for 2009. Not one involves Hoff or SCADA. Rich wrote a TidBITS article on how the new anti-phishing features work (or don’t) in Safari. This one really isn’t Apple’s fault, he’s just not a fan of Extended Validation certificates, and hopes users don’t rely on a blacklist filter to completely protect themselves. Favorite Securosis Posts: Rich: Gives his perspective on the evolution of, and current challenges facing, Building a Web Application Security Program. Adrian: Rich’s post on Microsoft’s move to give AV away to Windows users. Favorite Outside Posts: Adrian: Amrit Williams’ humorous look at great Tech Failures. Rich: Gunnar Peterson’s lecture on security, economics, and breaches: The Economics of Finding and Fixing Vulnerabilities in Distributed Systems. I may not agree with all of it, but this is exactly the kind of perspective we need to develop more in security professionals. Top News: The big news all week has been the automobile manufacturers in Washington looking for bailout loans. The political game has been high drama, with both sides accusing each other of ineptitude. Oh yeah, that whole Stock Market bug-a-boo. Anyone think we will drop to 6k before this is all over? 5k? You didn’t own stocks, did you? Deja Vu all over again … IT functions being outsourced during tough economic conditions. What’s next, call centers in India? The Metasploit Framework, version 3.2 has been released. Not security related, but this parody of the real estate crisis is just too funny not to share. The Chinese Hacker Flowchart. Nothing new, but interesting anyway. Google is supporting OAuth for secure mashups. I’d like to dig into the model more and see if a malicious gadget can use this to compromise credentials. At a minimum, it will likely enable easier CSRF. We finally have users suspicious about installing desktop apps, but now we have to explain why online gadgets/widgets are also dangerous. Sigh. Massachusetts privacy law includes security standards. Most of which just require documentation, and other than encryption very little security. Blog Comment of the Week: From ‘ds’, on Building A Web Application Security Program: Looking forward to this series. I undertook this process last year with much success. It was something that benefited the business, with an ability to conduct testing more regularly than could be done with externals as well as more affordably. It also provided a nice career path for the technical team members and raised the profile of security as something more than just a specialized system administrator. We’ve gotten more “good press” with our business leadership on this than most anything else we’ve done. Share: