Wednesday, May 21, 2008

ID Theft in the news...

Infoworld took a look at Check Point Software's ZoneAlarm Forcefield, and ultimately walked away unimpressed.

Unfortunately, although ForceField does offer some real improvements over the other products I've reviewed, it wasn't enough to stop malware from infecting my test systems. In less than a minute, by clicking only my third malicious Web site link, my test system was silently compromised without so much as a chirp out of ForceField.

The writer admits to being skeptical about 'sandbox' security clients:

I've reviewed similar over-marketed and under-effective virtualized or "sandbox" security clients over the years (most notably GreenBorder, subsequently acquired by Google), all of which promised to provide superior protection against all malicious Internet threats.

Ultimately, our outlook is that previously proposed solutions fall short thanks to limited security features beyond 'site classification' (prompting the user that a site is safe or 'risky' based on white-list/black-list rules and inaccurate logic) and rudimentary key-logger defenses. No solution to date has offered network-level protection, or a secure DNS/Directory to ensure that the user is going only to safe sites. No solution to date has offered kernel-level security and the ability to defend itself from attack. SafeCentral is a different kind of sandbox. I hope we have a chance to get this reviewer and others to take a look at SafeCentral.

In other news, LifeLock is facing a new class-action lawsuit claiming that it has made false and misleading claims about the level of 'protection' it provides.

"While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.

"Furthermore, a simple background check performed using Davis' Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old."

To be honest, I'm not sure this lawsuit has merit. I don't view the claims of LifeLock and the myriad of other 'identity insurers' to be PREVENTATIVE at all. They claim to help you discover identity fraud quickly, and mitigate the financial losses associated with a breach (though disguising it as protection). They do nothing to actually STOP identity theft from taking place. Ultimately, they're like an alarm system - it goes off only after a crime has begun. A layered approach is best: start with good defensive measures to protect your identity from theft, and then layer on monitoring/insurance to buffer against a breach.

I'm not sure whether these articles help us by raising the 'noise-level' for the need for greater identity security, or hurt us by defining the problem as 'unsolvable' and establishing a poor reputation for companies associated with Identity Theft/Fraud solutions. Leave a comment and let me know your take.

Tuesday, May 13, 2008

Pain in the aaS?

I was forwarded this article from the Economist which outlines the new "as-a-service" model now being adapted by cyber criminals. The article makes an excellent point about the continuing migration of software from boxed discs to online services that we 'rent' or use as necessary, and points out the inevitable migration of that model to include malware. Want to conduct a denial-of-service attack on a website without having to build your own army of zombie PCs, or even having any hacking skills at all? You can. Just rent the access from an established cyber-criminal and you can 'borrow' their hack for your personal mission of destruction.

The tone of the article suggests that "as-a-service" is becoming a dirty word, which may be true. However, I think the term is accurate and that the model actually provides an opportunity for greater security. After all, with services living 'in the cloud' you're less prone to local attacks, and the effects are less likely to impact other applications. What's required is secure access to those 'in the cloud' services, so that each session becomes a trip into a secure portal isolated from everything else...I might know something that's a possible solution for that.

Monday, May 12, 2008

FBI Internet Crime Complaint Center (IC3) Report

I was reviewing the latest report from the FBI on internet crime, and found that the disturbing trend of skyrocketing losses continues, despite the number of claims holding relatively steady from its peak in 2005. This confirms that the cyber-thieves are refining their tactics to focus on extracting more money from every breach or scam. The report includes all types of cyber-crime, but only tallies those that are reported to the IC3, so it's safe to presume that the actual numbers are much higher.

The report calculates that the 206,884 claims received via the IC3 website in 2007 resulted in more than $239 Million in losses. While only a small portion of the cases were specifically cited as 'Identity Theft', all were related to conducting business via criminal websites, email, or auctions. This reinforces the notion that email is a broken system, and that people really do fall for the "Nigerian Letter" scam (1.1% of complaints!). It also demonstrates that the general trust of the internet, websites, and email infrastructure is going to continue to decline, as users discover that there is really no way of knowing the origin of a message, or of being sure that they are visiting the website they intend.

Perhaps most disappointing, as a current Florida resident, is the state's #2 position among the top homes for perpetrators. Thankfully I work for a security firm and my home Wi-Fi network is secured (as best as possible); you never know who the internet criminals are.

Thursday, May 8, 2008

SafeCentral Video Introduction

I just finished a brief SafeCentral introduction video; you can see it here.

I learned something in making these snippets: trust your instincts.  I wanted 3 segments outlining (1) the threats people face when transacting online, (2) the solution SafeCentral provides, and (3) a brief overview of the user experience; I also wanted each segment to be no longer than 1.5 minutes.  Trying to fit a complex technical discussion, demonstration, and value proposition into that timeframe forces you to plan a tight script.  However, when I actually sat down to record the sessions (which are live screen-captures, not over-dubs), I realized that winging it was a better and more natural way to go.

Friday, May 2, 2008

30 Years of SPAM

30 years ago the world got its first taste of SPAM (not the meat product), though the small distribution to 400 recipients is hardly comparable to the BILLIONS of bogus messages sent today. I've often wrestled with the fundamental question of SPAM: "Are there people out there that actually respond to this stuff?", and I always come to the same conclusion: "There must be, otherwise why would anyone do it?".

That depressing fact keeps the SPAM growing. However, I think the most profound and unfortunate effect of SPAM is NOT in the people who get scammed, the deluge of bogus mail filling up servers, nor the burden of trash traffic clogging the web. The most profound effect of SPAM is that it broke email. What should be an incredibly efficient, inexpensive and trustworthy tool for communication has been irreparably damaged. As a marketer, I'd love to be able to get a message to my audience via email, but there's virtually no way it will be heard among the noise. More importantly, as a security provider, I often NEED to get a message to my customers that addresses a critical security issue, and yet again the message will be lost in an inbox full of phony Viagra offers.

When you need to get a message to a large audience of people, it's nearly impossible to do it in a cost-effective and timely manner. Print/mail is expensive and slow, telephone calls are equally laborious, and traditional 'advertising' mediums don't allow you to target just your existing customers with an important message.

SPAMMERS have been crying wolf into the email village, and have guaranteed that no one will listen when real danger arises. That is the most unfortunate cost of SPAM.