Saturday, October 23, 2010

Bit9 (and a bit of a rant about Infosec Pros!)

I have to tell you, every now and again I get a presentation from a product vendor that just makes me go "Wow. I wish I'd thought of that!" Bit9 was one of those.

During my travels I keep hearing the name Bit9, but hadn't really been exposed to their product. I attended a conference in January where they had a booth, but I hate those things. You can never have a serious talk. I guess they are a good way to get exposed to a lot of things and then circle back, but I always try and take notes on which to circle back on, and then either forget, or end up misplacing the literature.

Anyway, I did see Bit9 during the conference but didn't get to spend any time with them. When I returned, I forgot about them, only to be reminded a couple of months ago. So I set up a time, and offered my staff a lunch 'n learn.

Bit9 is a tool used (I'm sure they have others, but I loved this one) to identify installed malware on a system. More importantly, I was surprised to see that Bit9 is the brains behind some of my other favorite tools like Mandiant's MIR and is delivered by about a dozen others providing services. Interestingly enough (maybe I hadn't looked hard enough) I was under the impression that this space was wide open for exploitation with very little competition and a reasonable barrier to entry... meaning if I went to a VC for money to build the solution, a business case could be made, and I'd have enough of a run on my competition to be able to make a few bucks before they caught up. I still think that... the market for malware identification is still wide open and the AV vendors don't seem to have a clue.

Back to the point. Bit9 backends several malware identification tools with a database in a 'cloud' (marketing speak for two datacenters in Massachusetts). Regardless, the cloud is a massive repository of unique indicators each representing specific pieces of malware. The Bit9 tech is deployed to scan an environment using a client based system which compares files on a system to those in Bit9's database. The management console was, as you'd expect, pretty. Pretty without functional does no good, but in this case, the management console was totally functional. Running in a browser, it can be operated by any SOC or remote worker.

Bottom line: If you're looking for malware identification/remediation and whitelisting tools, save yourself some time. I've heard the name from some of the best companies in the world. Bit9 appears to have something real. I'd look at them first.

[rant]
In sitting with my team (and others I've worked with), it seems vendor presentations are peppered with questions like "You do X, why don't you do Y?"

This case was no different. Scope creep in vendor presentations is easy, and often takes away from the presentation. In this case, Bit9 has some really nice tech. They found their niche, filled it nicely, and are licensing the hell out of it to others who provide services in their space. Well done. What they didn't do was lose focus on their principle value proposition... finding malware on a host.

I'd love for one magic bullet solution. I'd drop it in my environment and turn it loose. It'd solve every problem I have, and those I haven't thought of yet. My users would be happy, it'd be free, and wouldn't require any maintenance... never going to happen.

Bit9 focuses on malware. Other technologies focus on other areas. Good management finds that first thing, with that first customer and puts it out of the park. Bad management finds thousands of customers and delivers mediocre solutions. I'm with Bit9.
[/rant]

Jeff

Invicea bake-off in a large company Internet isolation strategy

I had the opportunity to speak with a colleague last week. This gentleman is the CIO for a very large company and is in the middle of a bake-off between Invicea and another virtualization offering.

I'd discussed virtualization with him previously, but not in the form you're probably thinking. This is not a datacenter reduction strategy, rather an internet isolation strategy. He's trying to figure out a way to isolate his corporate network from the open internet.

My discussion started like this... "I'm interested in understanding how the Invincea test is working for you." His response? "No virtualization offering is worth anything by itself. Let me show you the what we wanted, what we did, and the architecture that we had to build behind it." In the end, this CIO built one reference architecture in which he tested two virualization strategies. Both were intended virtualize only Internet Explorer on the desktop.

His measures of success were easy to understand and very straight forward:

1. Isolate to the greatest extend, the internet from the corporate environment.
2. Do it with the least possible pain experienced in the end user experience.

I'd had a strategy discussion with him about a year ago. We discussed several options, including other virtualization applications, but also the use of simple terminal services, as well as a more simple idea.. issue everyone an iPhone. In the end, the iPhone dog didn't hunt and was dropped for discussions of the limitations of terminal services versus the implementation of an application virtualization strategy.

They've done a great job in that year, and now have about 1200 users in the pilot. Invincea had strengths and weakenesses, as did the other product. The other product has a significant price advantage, but is a tool developed for one thing, then used in another (therefore, no support for this particular use). Invincea on the other hand is a small company and therefore, more willing to accept development money and allow this large company to shape its product strategy.

Bottom line: No one application (including this wonderfully promising tech) is the cure-all. Remember defense in depth? Invincea handles only one of those layers, but with the right architecture in place provides a truly viable option. There are others however. Don't be afraid to look around. One company I talked with was experimenting with qmu! Others, VMWare, simple terminal services, etc. Do you homework. Do the architecture. And remember, in the end, nothing's cheap!

Jeff

Tuesday, September 07, 2010

Killed my SafeSocial account...

Great idea, not so good execution.

SafeSocial sent me the following:

"We have some cool news for you. Your parent, JEFFERY STUTZMAN, signed you up for something called SafeSocial.

You know how sometimes the adults in your life worry about you on the Internet because stuff can happen on sites like Facebook that isn’t safe? SafeSocial is a way for your parents to protect you and keep you safe without invading your personal space too much. It will make everybody's life easier."

I thought to my self, is this in language that my kids would respond to? Maybe. Regardless, after receiving this email telling me my parent (me) had some cool news, I decided to go back and look at the results. If I'm going to pay nine bucks a month for the service it needs to provide value. In this case, even though I have a couple of social networking accounts, SafeSocial didn't really do much for me. My five day trial period was up. I'll try it again later.

If anyone else has feedback on this service, my personal opinion? It's a great idea. I'd love to see it. I probably won't pay nine bucks a month for it, but would consider say, four or five.

Thoughts?
Jeff

Thursday, September 02, 2010

SafeSocial.com - Great idea! My thoughts...

I received an ad this morning for AOLSafeSocial. The idea is, parents can monitor their kids Facebook, Myspace, Twitter, etc., accounts via one portal, and the thing would both check the reputation of your child's online social network friends, and report any bad sites that your child may have been exposed to.

Having one new teen and another a bit younger, both knowing they're not allowed to have sex before their 42 (or I'm dead, whichever comes first) I had to try this.

Here's how it worked for me:

  1. I clicked the AOL link which took me to safesocial.com.
  2. The interface looked relatively sparse, but I did it anyway.
  3. I decided that since I too have social networking memberships, I'd try it on myself first to see how it went. I added my email and name to the 'who do you want to spy on' (my words not theirs) field and clicked submit.
  4. SafeSocial then sent me a link to my address telling me someone wants to monitor my social networking use. Do you really believe my 13 y/o daughter would consent to my monitoring her? (hint: not only no, but... you know the rest!)
  5. Since I was experimenting on me, I clicked 'agree'.
  6. Immediately SafeSocial squealed on me. It told me that I was on LinkedIn, which is not normally a site for kids. It then checked facebook and twitter.. both seemed ok (for now).
Couple of thoughts:
  • My daughter will never allow my monitoring, nor should she have the option. I pay for her service, she's a minor in my charge, and I should be able to monitor without her consent. Love the idea of the service, but would have preferred to see it be more seamless.
  • $9.99 isn't a bad price if the service actually delivers. I can say, I received multiple emails immediately upon signing on for the service.
Looking forward to seeing how this shakes out. My daughter is going to kill me!

Jeff

Thursday, July 29, 2010

Mobile threats?

Damn! I knew I should have attended Blackhat this year!!

------------------------------------------------------------------------------------------

"It collects your browsing history, text messages, your
phone's SIM card number, subscriber identification,
and even your voicemail password." -
mobile.venturebeat.com

http://mobile.venturebeat.com/2010/07/28/android-wallpaper-
app-that-steals-your-data-was-downloaded-by-millions/

questionable Android mobile wallpaper app that collects
your personal data and sends it to a mysterious site in
China, has been downloaded millions of times, according to
unearthed by mobile security firm Lookout.

That means that apps that seem good but are really
stealing your personal information are a big risk at a time
when mobile apps are exploding on smartphones, said John
Hering, chief executive, and Kevin MaHaffey, chief
technology officer at Lookout, in their talk at the Black Hat security
conference in Las Vegas today.

"Even good apps can be modified to turn bad after a lot
of people download it," MaHaffey said. "Users absolutely
have to pay attention to what they download. And developers
have to be responsible about the data that they
collect and how they use it."

The app in question came from Jackeey Wallpaper, and
was uploaded to the Android Market, where users can download
it and use it to decorate their phones that run the Google
Android operating system. It includes branded
wallpapers from My Little Pony and Star Wars, to
name just a couple.

It collects your browsing history, text messages,
your phone's SIM card number, subscriber identification,
and even your voicemail password. Itsends the data to a web site,
www.imnet.us. That site is evidently owned by
someone in Shenzhen, China. The app has been downloaded
anywhere from 1.1 million to 4.6 million times.
The exact number isn't known because the
Android Market doesn't offer precise data. The search
through the data showed that Jackeey Wallpaper and
another developer known as iceskysl@1sters! (which
could possibly be the same developer, as they use
similar code) were collecting personal data. The wallpaper
app asks for "phone info," but that isn't necessarily a clear warning.

The Lookout executives found the questionable app
as part of their App Genome Project. Lookout is a mobile
security firm, and it logged data from
more than 100,000 free Android and iPhone apps as part
of the project to analyze how apps behave. It found that the
apps access your personal data quite often. On Android, each
user is asked if they give their permission to access an app,
but on the iPhone, where Apple approves apps, no permission
is needed.

Roughly 47 percent of Android apps access some kind
of third-party code, while 23 percent of iPhone apps do.
The executives also found that many apps use third-party
software programs to do things such as feed ads into an app.
Often, developers unquestioningly use the software
development kits of those third parties in their apps,
even if they don't know what they do. In many
cases, there is a good reason for the use of personal information.
Ads, for instance, can be better targeted if the app knows a
user's location.

Hering said in a press conference afterward that he
believes both Google and Apple are on top of policing their
app stores, particularly when there are
known malware problems with apps. But it's unclear what
happens when apps behave as the wallpaper apps do,
where it's not clear why they are doing
what they are doing.

Wednesday, July 21, 2010

More on Invincea

Last night I had dinner with an old friend. As often times, the conversation rolls around to information security, and the new threats. One tactic for protecting against these new threats appears to be, at least on the surface, is virtualization. How can a company remove access to the Internet while maintaining the ability of those who require access, to get it in a safe way --all without killing the user experience to the point where they'll find alternative means of gaining access.

As mentioned before, I've seen pitches from VMWare, talks on using Med-V, thin client solutions --all of whom believe they have the answer. Not sure if they do, but one thing is for sure. My friend is the Director of Information Security for a very large company and they've doing a pilot/bake-off, and this little, out of no-where company called Invincea is actually one of the companies in the bake-off. Amazing. I can't wait to hear how this goes.

... More to follow on that.

A bit of advice for Invincea? Knock this one out of the park!

I'm liking what I'm hearing about this tiny company so far. I'm going to continue to track it. If anyone from the company is reading this (Dr. G did respond directly to me yesterday), I'd love to talk to a few reference companies!

JS

Monday, July 19, 2010

Anyone ever heard of Invincea?

I hadn't until just a few minutes ago. I was performing research for a consulting job for an investor who's considering making an investment in a security company. I'll sometimes do these on the side. Anyway, in this case I happened a cross a company called Invincea --using the words in their summary:

"Developed a patent-pending, revolutionary technology for protecting computer workstations from Internet attacks."

I love these words. Nothing thrills me more than patent-pending, revolutionary technology for protecting computers from Internet Attacks! Right now, I'm typing with sweaty palms and my hearts racing because the thought of new, patent pending revolutionary new software to protect my computer workstation from Internet attacks makes me, well, downright giddy!

So I read on... at the website (http://www.invincea.com/), I found a white paper. All startups have them. I was hoping to also find a list of reference customers I might contact while contemplating this paper. You see, the company is headed by the standard board of venture capital execs, but also by Dr. Anup Ghosh. That name might ring a bell for many reasons -DARPA program manager, NSA? That said, he's a smart guy and at first glance the company looked interesting. Now, while I haven't taken the time yet to look at the patent application, just reading the whitepaper tells me a little about the product:

1. It's revolutionary (their words not mine.. I'll stop making fun of them now ok?)

2. It uses virtualized browsers

3. It captures everything that happens during utilization of the browser during an attack

4. It sends everything from the virtualized session to a database somewhere (local or, as it states, in the cloud -I'm guessing Invincea is offering a managed service as well as software?)

Thoughts:

Virtualization seems to be a great buzzword for protecting from drive-by downloaded malware. I've seen a number of vendors (most of our favorites) pitch their wares on how good their product is in protecting from these threats. Some say the product can be reset at the close of each session (actually they all say that); some talk about how the virtual wall between the child and parent operating systems can't be broken (it's true, I've heard this before). Invincea however seems to be using a honeynet process in a virualized session. I like it. If you can't beat'em, set a smart trap for 'em. It seems to me, to be the best of both worlds -protection and collection; intel gain/loss (speaking in a purely network protective context of course!). 

What's next? I'm really interested in seeing some reference customers posted on the site. I've seen presentations on the technology before it became Invincea. I had doubts at the time. It looked to me to be far to much overhead to be powered on an already overburdened laptop, but what the hell. If it works, it could be good!

Back to you Dr.~!

Tuesday, March 30, 2010

I HATE COMCAST!!!

I hate Comcast!

I was paying a fee for a DVR from Comcast. Most of the time, many of the features didn't work. For example, the machine often froze, on demand NEVER worked, and on top of everything else, Comcast had to reset my system several times a month.. all for the high value, very low monthly price of $130.

So, I bought an Elgato Hybrid stick, inserted it in my trusty Mac Mini, hooked the whole thing up to my flat screen and off I went. All those ClearQam channels plus the local stuff. LOVE IT. The story gets better hang with me.

Comcast announced a few months ago that everything was going to digital.. and they did. My Elgato handled it nicely until... Comcast seemingly started encrypting more signals! I lost the Discovery Channel!

Finally over the weekend after missing Mike Rowe I broke down and bought a TiVo --only to find out that I need a multi-streaming CableCard --a PCMCIA card that plugs into the backend of the Tivo. So, on Sunday I enter into a chat session with a very nice Comcast rep who tells me "no problem! I'll ship you one.. or better yet, you have a Comcast office right around the corner from your apartment". If you go pick one up it'll save you ten dollars in shipping. I agreed.

So yesterday I took time over lunch and ran to the Comcast office. After waiting in line for twenty minutes the CSR told me that I had to schedule a service appointment. SHIT! FOILED AGAIN BY F*ING COMCAST! No appointments after 5! I have a secretary who scraps for every timeslot during my day and Comcast wants me to stay in the apartment waiting for one of their idiot flunky high school dropout (ahem) technicians? I asked if they could call so I could meet them... no. I didn't get a card. I didn't schedule a service appointment.

Today I called Comcast. I finally ended up with an appointment. The CSR on the phone put 'a note in the file' to tell them to call thirty minutes before they arrive. She couldn't promise anything. We'll see.

Poor customer service
High price
Low value programming
Three hour time slots required for delivery
Uneducated technicians (the last one sporting Appalachian goatee)

Let me say it again: I HATE COMCAST!!!

Jeff

Sunday, January 31, 2010

Is Google the new NSA?

Am I the only one worried about this?

I've been watching Hulu and keep seeing Google ads for Chrome.

Every time I turn around, I see ads for the Google Droid (cell phone).

Here's a question for you.. does anyone know how Google makes money? It's not the same as other phone manufacturers, or Apple, or netbook manufacturers. They make money by selling hardware and/or software, and take a cut from the cellular providers for every two year contract.

Google makes money by collecting and selling information. Of course they're going to make money on the device itself, and from a cut from the cellular providers, but their main source of revenue is from collecting information -YOUR information, and selling it to marketers, data miners, analysts, researchers, or anyone else who will pay.

Now we've all heard the stories of how much information NSA (and other SIGINT collection agencies in the world) collect, and how much they process but these agencies get what can be collected over the air. Google has a better source --the handset itself. Can you think of better way to understand individual user preferences, calling patterns, behaviors? I can't. It's the one electronic device that we use the most; we depend on to stay connected, and Google gets to see it all. Where exactly do all of those apps connect back to? How does the phone stay in touch with Google? How much information is being collected? Who uses this information? Try Googeling "Google versus NSA" and see how many results come back.

Now take this a step further.. Google, although being challenged by Microsoft's Bing owns the search market, is moving quickly with their 'Chrome' browser, owns the blog I'm publishing this on, owns YouTube (and all of it's subscribers), Google Earth, Mail, Wave, Google Voice, and endless apps that they collect information from, and now, Droid.

Silly, but I keep having visions of a movie from last summer "Eagle Eye" and the automated actions of a supercomputer who used information collected from all of these devices and software, analyzed it, and used it to control every movement Shia LeBouf and a second unwitting victim. In the movie they referred to this information as 'collective intelligence'.

The difference between Google and NSA? NSA has intelligence oversight. Google does not.

Am I the only one worried about this?