I will be presenting a talk at DEFCON next week, and I would appreciate any assistance I can get in the way of examples of wasted security dollars.
The title and abstract of the talk are:
The Information Security Industry: $3 Billion of Snake Oil
A raging fear of The Computer Evildoers has driven enterprises to the safety of the herd, buying whatever elixirs the big vendors peddle. Security consumers waste bilions of dollars on ineffective (but well integrated!) solutions. However, as technology users grow more sophisticated about security threats (often learning the hard way), opportunities will surface for innovative startups to deliver effective IT survival mechanisms. This talk will review the industry's blunders, and sources of opportunity.
So, please post or email examples of wasted security dollars, or opportunities you see for startups in data security today.
Thank you!
Friday, July 22, 2005
Wednesday, July 20, 2005
Accidental Philanthropy
This weekend I was a guest golfer at the prestigious Menlo Country Club in Woodside. It was a glorious day, with no one else in sight on this magnificently tended course (though I suspect that's because word had gotten around that a Jew was on premises).
On the front nine I shot a characteristically miserable 56, prompting my host to propose a wager on the back (5 stroke handicap for me, $10 per hole!) to benefit the winner's favorite charity. Anyway, something came over me (must have been the Golf Nutrition Bar) and I shot a 46 on the back, forcing me to actually identify for him the organization I most often support:
Americans United for the Separation of Church and State. If the religious right has its way, the US will become more of a theocratic state than any Middle Eastern regime. Must I really trust in God (as U.S. coins instruct me to do), or swear to tell the truth so help me God (can't I tell the truth all by myself)? Much more importantly, are we going to let superstitious politicians trample on women's rights, gay marriage, stem cell research, and a proper science education in public schools?
After hearing my chosen charity, the country club member politely asked me "er, What else do you like?" So I shared with him another pet cause:
Sierra Club. When my son was 5, he prevailed upon me to join the Sierra Club. After hearing from a door-to-door fundraiser about the prospect of new oil drilling in Alaska, he pulled out his piggy bank and contributed his own money. His advocacy for wildlife was passionate, compelling, and contagious.
My golfing host cut his losses and agreed to fund Sierra Club. Good thing, too, because my next suggestion would have been PETA...
On the front nine I shot a characteristically miserable 56, prompting my host to propose a wager on the back (5 stroke handicap for me, $10 per hole!) to benefit the winner's favorite charity. Anyway, something came over me (must have been the Golf Nutrition Bar) and I shot a 46 on the back, forcing me to actually identify for him the organization I most often support:
Americans United for the Separation of Church and State. If the religious right has its way, the US will become more of a theocratic state than any Middle Eastern regime. Must I really trust in God (as U.S. coins instruct me to do), or swear to tell the truth so help me God (can't I tell the truth all by myself)? Much more importantly, are we going to let superstitious politicians trample on women's rights, gay marriage, stem cell research, and a proper science education in public schools?
After hearing my chosen charity, the country club member politely asked me "er, What else do you like?" So I shared with him another pet cause:
Sierra Club. When my son was 5, he prevailed upon me to join the Sierra Club. After hearing from a door-to-door fundraiser about the prospect of new oil drilling in Alaska, he pulled out his piggy bank and contributed his own money. His advocacy for wildlife was passionate, compelling, and contagious.
My golfing host cut his losses and agreed to fund Sierra Club. Good thing, too, because my next suggestion would have been PETA...
Monday, July 18, 2005
Easy Pickings for Bank Robbers
I predicted it in my recent post "Doomsday Hackers and Evildoing Robots" but it hurts all the same...
Bank of America has announced adoption of Sitekey technology, developed by Passmark Security to combat ID theft. But Sitekey suffers from the classic misconception underlying so many security products that the attacker will not bother to adapt in any way to the defense (even to sweep juicy bank accounts). Rather than restore trust to online banking, Sitekey promises to confuse and inconvenience customers, instilling a false sense of security that will, when it quickly fails, further impede online banking.
Sitekey promises confidence that customers are logging into the genuine bank, not a spoof site, by asking customers to upload a "trusted image" that the bank will display when accessed from a "trusted computer". To establish trust on the device (because it's a fresh computer, or the cookies have been deleted, which happens quite often), SiteKey asks the customer some challenge questions. Passmark claims to prevent phishing because users will be trained not to provide passwords to spoof sites that can't display the trusted image.
So sometimes B-of-A will ask the questions and sometimes it won't, depending upon the cookies. Sometimes it shows the image right away, and sometimes it first asks the challenge questions. Somehow, the customer is supposed to understand all this, and the next time he or she is phished, figure out that something important (the image) is missing. So there's a lot of set up, and some rather generous predictions around customer sophistication.
The bigger problem, though, is that Sitekey utterly fails to defeat phishing or malware attacks. What stops phishers from simply logging into the bank at the same time that the victim is logged into the spoof site? The phishers pass the challenge questions from the bank to the customer, and shuttle the responses right back. The bank then exposes the trusted image to the phisher, which uses it to prompt the customer for the password.
And what about slipstreaming malware that simply waits on your PC for authentication to happen before passing your session to the thief? These attacks may be relatively uncommon today, but you can expect B-of-A to change that.
But wait, don't change banks so fast! According to the same AP article, Wachovia is rolling out a similarly vulnerable system, but one that is also wildly expensive to deploy and support. Wachovia will distribute tokens that display a different number every 60 seconds, so that Wachovia "knows" that the token holder, not a phisher, is logging in. Forget about the problems associated with dead batteries and lost tokens. Those nasty slipstreamers and man-in-the middle phishing attacks defeat this security system just as handily.
Whoever said Crime Doesn't Pay wasn't an ID thief in the year 2005. Until banks adopt all 3 of the following (easy and inexpensive) authentication methodologies, I'll continue to bank offline:
1. Authenticate the transaction
Don't let slipstreamers take over my validly opened online session only to execute unauthorized transactions.
2. Escalated Response
If my bank profiles transaction risk and escalates authentication based on that risk, I won't have to deal with inconvenient security mechanisms except when it really matters. And when it matters (e.g. cash transfers), I will be pleased to see the escalated security.
3. Multi-channel authentication
This method involves a computer that calls the customer on a separate network (POTS, cell phone, SMS) to prompt the customer for an authorization code. Unlike multi-factor authentication, multi-channel authentication is not defeatable by slipstreamers and man-in-the-middle attacks. It's also much less expensive, and can cheaply layer on biometric security by analyzing the voice pattern of the person at the other end of the phone line.
Bank of America has announced adoption of Sitekey technology, developed by Passmark Security to combat ID theft. But Sitekey suffers from the classic misconception underlying so many security products that the attacker will not bother to adapt in any way to the defense (even to sweep juicy bank accounts). Rather than restore trust to online banking, Sitekey promises to confuse and inconvenience customers, instilling a false sense of security that will, when it quickly fails, further impede online banking.
Sitekey promises confidence that customers are logging into the genuine bank, not a spoof site, by asking customers to upload a "trusted image" that the bank will display when accessed from a "trusted computer". To establish trust on the device (because it's a fresh computer, or the cookies have been deleted, which happens quite often), SiteKey asks the customer some challenge questions. Passmark claims to prevent phishing because users will be trained not to provide passwords to spoof sites that can't display the trusted image.
So sometimes B-of-A will ask the questions and sometimes it won't, depending upon the cookies. Sometimes it shows the image right away, and sometimes it first asks the challenge questions. Somehow, the customer is supposed to understand all this, and the next time he or she is phished, figure out that something important (the image) is missing. So there's a lot of set up, and some rather generous predictions around customer sophistication.
The bigger problem, though, is that Sitekey utterly fails to defeat phishing or malware attacks. What stops phishers from simply logging into the bank at the same time that the victim is logged into the spoof site? The phishers pass the challenge questions from the bank to the customer, and shuttle the responses right back. The bank then exposes the trusted image to the phisher, which uses it to prompt the customer for the password.
And what about slipstreaming malware that simply waits on your PC for authentication to happen before passing your session to the thief? These attacks may be relatively uncommon today, but you can expect B-of-A to change that.
But wait, don't change banks so fast! According to the same AP article, Wachovia is rolling out a similarly vulnerable system, but one that is also wildly expensive to deploy and support. Wachovia will distribute tokens that display a different number every 60 seconds, so that Wachovia "knows" that the token holder, not a phisher, is logging in. Forget about the problems associated with dead batteries and lost tokens. Those nasty slipstreamers and man-in-the middle phishing attacks defeat this security system just as handily.
Whoever said Crime Doesn't Pay wasn't an ID thief in the year 2005. Until banks adopt all 3 of the following (easy and inexpensive) authentication methodologies, I'll continue to bank offline:
1. Authenticate the transaction
Don't let slipstreamers take over my validly opened online session only to execute unauthorized transactions.
2. Escalated Response
If my bank profiles transaction risk and escalates authentication based on that risk, I won't have to deal with inconvenient security mechanisms except when it really matters. And when it matters (e.g. cash transfers), I will be pleased to see the escalated security.
3. Multi-channel authentication
This method involves a computer that calls the customer on a separate network (POTS, cell phone, SMS) to prompt the customer for an authorization code. Unlike multi-factor authentication, multi-channel authentication is not defeatable by slipstreamers and man-in-the-middle attacks. It's also much less expensive, and can cheaply layer on biometric security by analyzing the voice pattern of the person at the other end of the phone line.
Sunday, July 17, 2005
My Security Anti Road Map
Bessemer has funded 16 security startups--more than any other traditional VC firm--but there are some areas of security that even we have never funded, despite the large number of these projects getting funded elsewhere. These opportunities fall into my Anti Road Map (without which I could never focus on my real road map)...
Biometrics: too expensive to deploy in large communities, and still easily defeated by slipstreamers and man-in-the-middle malware (as explained in prior posting Doomsday Hackers and Evildoing Robots). And as Bruce Schneier points out, it's easy to change your password--but what do you once your retinal scan is compromised?
Homeland Security: long sales cycle, and hard to find enough commonality across governmental bodies to build repeatable businesses.
Single Sign On: requires way too much ongoing integration to be useful. Think about the last Universal Remote Control you bought--it ends up as just one more remote control on the coffee table. (The one promising exception may be Encentuate.)
Mobile firewalls: Eventually this will emerge as a real category but enterprises won't roll this out until (i) widespread attacks cause real pain, and (ii) mobile devices converge to one or two operating systems.
Enterprise Document Rights Management: Boy, we've seen some terrific work done in this area by startups like Authentica and Alchemedia (acquired by Finjan), but Microsoft will own this space. The embarassment from leaked documents is too episodic for users to regularly define permissions, and enterprise initiatives often lose steam, yielding to more chronic pain points. Plus, the damage is too intangible to quantify, limiting price.
Innovations in Cryptography: Does it matter whether it takes one billion computers or 100 billion computers to decrpyt a key? Cryptography today is the strong link in the chain--the key is simply not a vector of attack, nor will it be any time soon.
---
As a scientist and a skeptic, I welcome disagreement. Hopefully I have provoked some entrepeneurs among you to convince me I am wrong, either now by posting, or later on your IPO prospectus. Indeed, there is always room on Bessemer's Anti-Portfolio for the next great Enterprise DRM company!
Biometrics: too expensive to deploy in large communities, and still easily defeated by slipstreamers and man-in-the-middle malware (as explained in prior posting Doomsday Hackers and Evildoing Robots). And as Bruce Schneier points out, it's easy to change your password--but what do you once your retinal scan is compromised?
Homeland Security: long sales cycle, and hard to find enough commonality across governmental bodies to build repeatable businesses.
Single Sign On: requires way too much ongoing integration to be useful. Think about the last Universal Remote Control you bought--it ends up as just one more remote control on the coffee table. (The one promising exception may be Encentuate.)
Mobile firewalls: Eventually this will emerge as a real category but enterprises won't roll this out until (i) widespread attacks cause real pain, and (ii) mobile devices converge to one or two operating systems.
Enterprise Document Rights Management: Boy, we've seen some terrific work done in this area by startups like Authentica and Alchemedia (acquired by Finjan), but Microsoft will own this space. The embarassment from leaked documents is too episodic for users to regularly define permissions, and enterprise initiatives often lose steam, yielding to more chronic pain points. Plus, the damage is too intangible to quantify, limiting price.
Innovations in Cryptography: Does it matter whether it takes one billion computers or 100 billion computers to decrpyt a key? Cryptography today is the strong link in the chain--the key is simply not a vector of attack, nor will it be any time soon.
---
As a scientist and a skeptic, I welcome disagreement. Hopefully I have provoked some entrepeneurs among you to convince me I am wrong, either now by posting, or later on your IPO prospectus. Indeed, there is always room on Bessemer's Anti-Portfolio for the next great Enterprise DRM company!
Saturday, July 16, 2005
Calculate Your Ethical Quotient
This just in from my partner and Harvard Business School Professor Felda Hardymon...
This test only has one question, but it's a very important one. By giving an honest answer, you will discover where you stand morally. The test features an unlikely, completely fictional situation in which you will have to make a decision. Remember that your answer needs to be honest, yet spontaneous. Please scroll down slowly and give due consideration to each line...
You are in Florida, Miami to be specific. There is chaos all around you caused by a hurricane with severe flooding. This is a flood of biblical proportions. You are a photojournalist working for a major newspaper, and you're caught in the middle of this epic disaster, The situation is nearly hopeless. You're trying to shoot career-making photos. There are houses and people swirling around you, some disappearing under the water. Nature is unleashing all of its destructive fury. Suddenly you see a man floundering in the water. He is fighting for his life, trying not to be taken down with the debris. You move closer . . . somehow the man looks familiar. You suddenly realize who it is. It's George W. Bush! At the same time you notice that the raging waters are about to take him under...forever. You have two options--you can save the life of G.W. Bush or you can shoot a dramatic Pulitzer Prize winning photo, documenting the death of one of the world's most powerful men. So here's the question, and please give an honest answer: Would you select high contrast color film, or would you go with the classic simplicity of black and white?
This test only has one question, but it's a very important one. By giving an honest answer, you will discover where you stand morally. The test features an unlikely, completely fictional situation in which you will have to make a decision. Remember that your answer needs to be honest, yet spontaneous. Please scroll down slowly and give due consideration to each line...
You are in Florida, Miami to be specific. There is chaos all around you caused by a hurricane with severe flooding. This is a flood of biblical proportions. You are a photojournalist working for a major newspaper, and you're caught in the middle of this epic disaster, The situation is nearly hopeless. You're trying to shoot career-making photos. There are houses and people swirling around you, some disappearing under the water. Nature is unleashing all of its destructive fury. Suddenly you see a man floundering in the water. He is fighting for his life, trying not to be taken down with the debris. You move closer . . . somehow the man looks familiar. You suddenly realize who it is. It's George W. Bush! At the same time you notice that the raging waters are about to take him under...forever. You have two options--you can save the life of G.W. Bush or you can shoot a dramatic Pulitzer Prize winning photo, documenting the death of one of the world's most powerful men. So here's the question, and please give an honest answer: Would you select high contrast color film, or would you go with the classic simplicity of black and white?
Subscribe to:
Posts (Atom)