Saturday, March 17, 2012

Marlinspike: Certificates have 'real problems'

By Tom Espiner, ZDNet UK, 16 March, 2012 17:10 Last year, hackers perpetrated a series of digital certificate compromises, striking at a deep level with potentially far-reaching effects both for internet users and the hacked companies. In March, news broke of a hack of Comodo, when an intruder obtained nine fraudulent digital certificates. Then in September it emerged that hundreds of thousands of Iranians may have had their Google communications intercepted after a compromise of Dutch certificate authority DigiNotar. DigiNotar declared itself bankrupt after the hack resulted in the Dutch government revoking trust in its certificates. Certificate authority GlobalSign stopped issuing certificates while it investigated a hack on its systems in September. It later found that its SSL certificate had been exposed during the attack on an external server. A major problem with certificate compromise is the undermining of trust in numerous security mechanisms. An attacker can set up a website that looks bona fide, and trick people into thinking they are visiting one website when it is in fact another. An attacker can also white-list malware on an operating system to gain full control of a device. Security technologist Moxie Marlinspike has come up with a technology called Convergence, designed to overcome the need for organisations to rely on digital certificates. He spoke to ZDNet UK about the technology, trust, and anonymity. Q: Last year a number of certificate authorities were compromised. Do you think the certificate authority model is broken? A: There are very real problems here. My thesis is that what we have now lacks what I call 'trust agility'. We've made a decision somewhere along the line to trust these organisations, and now it's very difficult for us to untrust them. So, they don't have a tremendous amount of incentive to continue engendering our goodwill, or behaving appropriately, or employing the best security practices. Why is it difficult to revoke trust in them? Comodo is a good example. Right now, Comodo should apply somewhere between a quarter and a fifth of the certificates on the internet. So if I, or a browser vendor, decides that they no longer trust Comodo, and remove them from their trust database, that means that that quarter to a fifth of the internet will basically break — you wouldn't be able to look at those websites any more, until they've all gotten different certificates from different certificate authorities. That's a really tough business decision for a browser vendor to make — that they're going to break a quarter to a fifth of the internet for their users, or, that they are somehow going to try and co-ordinate a quarter to a fifth of the internet to migrate to some other certificate authority. Read this AVG: Hacktivism is slowing down business Read more Your Convergence project seems to be making the trust model open source, or making a collective decision, through various different trusted authorities. The major objective is to provide trust agility: the idea that we still rely on third parties to certify a communication, but that you can untrust them at any time. You can make a decision to trust some organisation or set of organisations, but at any time you can revise that decision if you decide that they no longer warrant your trust. It does additionally provide properties that allow you to rely on organisations to collectively certify communications. So you can decide you don't want to trust any individual organisation, but five different organisations. If they all agree, then you consider that an indication to be certified. The system of notaries — doesn't that rely on some kind of user technical savvy, and is that beyond the purview of most people, and most employees of organisations? The way I see it is that ideally Convergence would be based in web browsers — web browsers using Convergence as the mechanism for certifying secure communications. The web browser would come with a default set of notaries, just like today a web browser comes with a default set of certificate organisations. Most users would never change their notaries, and they would depend on their browser to make those appropriate decisions for them. I think that's entirely reasonable. Users could decide to modify the notaries if they liked. How would you define a notary? A notary is very similar to a certificate authority. The only difference is that the trust relationship is inverted. Right now servers initiate a trust relationship with a certificate authority, which means that one server or website will make a decision about the organisation that's going to certify all the traffic for all users around the world, whereas notaries are selected by the client — the client initiates the trust relationship, first connecting to the notary and asking it to certify communications. The major problem with the model right now is that if the certificate authority is compromised, then that affects all users for all websites. With the certificate authority model, are there any particular security problems with servers initiating the trust relationship? The major problem with the model right now is that if the certificate authority is compromised, then that affects all users for all websites. They can continue to operate purely because even after a compromise it's difficult to untrust them. My problem with VeriSign as a manager of TLDs [top-level domains] is that I think it would be unwise to place all our trust there. Under the DNSSEC model there would be reduced trust agility. Even as unrealistic as it might be, today I can remove VeriSign from the trust database in my browser or my operating system, but I can never change the fact that they are the organisation that manages dot.com and .net domains. Are attacks on certificate authorities inevitably state sponsored? My intuition is that of the attacks that we've seen with organisations like Comodo and DigiNotar, [they] were not state-sponsored attacks. You have a not very bright hacker, based on......the statements that he made in his communiqu├ęs. The reason why I don't feel this is state sponsored is that: one, I'm sure there are state-sponsored attacks happening all the time, but most countries simply have their own certificate authority and so it's very easy for them to intercept secure communication — they don't have to hack anybody. Their ability to intercept communication is baked in. For really well-funded entities, like nation states that for whatever reason do not have their own certificate authorities — Iran, for example — they can just simply buy a certificate-authority certificate through a programme called GeoRoot, which is run by GeoTrust, which is owned by VeriSign. That would allow them to immediately have a certificate-authority certificate they could use to intercept any communications they want. With Convergence, the notaries could be guaranteed by security companies. Symantec is a security company that owns VeriSign SSL, so why not use Symantec as a trusted entity? Sure, it depends on who you trust. I feel that all security companies are not equal. Different people might trust different organisations for whatever reason. I feel there is some difference between collective trust versus [individual] trust. I feel like I can identify some sort of an organisation, where even if I might not trust each of them individually, and absolutely, I would trust their collective response. I would trust them not to be colluding with each other. I wanted to ask you about SOPA and PIPA. Do you think they're going to change the information security landscape? Do you think they are going to lead more people to try out encryption? It's possible. In terms of the information-security landscape, the lesson for me here, whether or not this stuff passes, is that it came close to passing, and that they are trying to pass legislation like this. A lot of people are looking at this legislation and thinking that the future of DNSSEC hangs in the balance. If this passes, then people are, "Oh, well, we shouldn't deploy DNSSEC, but if it doesn't pass, then we'll deploy DNSSEC." And to me, the question is its own answer. Read this T-Mobile: We intercepted secure email from phones Read more DNSSEC depends on trust in government. If governments are going to start messing with DNS responses, or intercepting DNS queries, they can very easily do that with DNSSEC. DNSSEC depends on a hierarchy of trust in centralised organisations that are either controlled by nation states through the cc top-level domains or by organisations that happen to be in the purview of the government through the global top-level domains. To me then the question is its own answer. If people are even thinking about doing this, then we shouldn't put our eggs in that basket. It's extremely likely that even if it doesn't happen now, then it will happen at some point in the future. We should be looking for entirely different solutions. I think of this kind of stuff from the perspective of a technologist. I'm not in a position to lobby for or against, and really I want nothing to do with it. On the technical side, if this kind of legislation did pass, it would only increase the development of a tamper-proof internet. People would immediately start working on solutions that would prevent people from tampering with the internet in this way. I guess that's a good thing? I think it's something we should do one way or the other. This is the writing on the wall — we're looking into the future with that legislation. We should be prepared. There is a lot of government interest in being able to look at communications. On the other hand, there are some compelling cases for people wanting to be anonymous and have anonymous communications, especially when they are trying to effect some kind of social change. What is your view on the balance between people wanting to effect social change and law enforcement wanting to intercept communications? My feeling is that right now, law enforcement is doing all right. Their mechanisms for intercepting communications are pretty extensive. This question is like, choose your team, and I know what team I'm on — I'm on team anonymity. Law enforcement has not built a lot of trust. If you look at the mechanisms they are using to intercept people's communications and trap people, it doesn't feel like they're really doing it appropriately. There's a lot of politics about this. If you look at what's been happening in the US with wire-tapping, it's totally insane. That kind of stuff is really driving people towards technical solutions that allow them to preserve their privacy. -------------------------------------------------------------------------------- Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Sunday, March 11, 2012

6 security companies to watch

Young companies' offerings range from content delivery networks to securing BYOD to multi-factor authentication

By Tim Greene, Network World
January 26, 2012 01:09 PM ET


This group of security companies includes several that want to capitalize on technology ideas that were originally devised to serve communities of special interest but could now take on a wider cybersecurity role. Fixmo, for example, has its roots in the National Security Agency where its mobile security makes it possible to run critical applications in sandboxes that are insulated from the rest of the machine, making them less likely to fall victim to malware that might have infected the device.

IN PICTURES: Hot security upstarts

MORE ON SECURITY: A quick look: The Megaupload Kim Dotcom hullabaloo

Or Emerging Threats Pro, which started off as an open source intrusion detection project that needed better-quality assurance to make the leap to widespread use in businesses and as an element of other security products.

And as is often the case with young companies, they form around individuals whose creative spark and energy bring new products to life. Sticking with Emerging Threats Pro, its founder, Matt Jonkman, is also president of the Open Information Security Foundation (OISF), which is working on the Suricata intrusion detection engine on which the commercial venture is based.

Also in this crop of companies to watch, Kenneth Weiss, the daddy of two-factor SecurID authentication, is hoping to make another winner with Universal Secure Registry's three-plus factor authentication. And Matthew and Prince Lee Holloway, both alumni of open source anti-spam Project Honeypot, are continuing their efforts to block junk Internet traffic with their content delivery network, CloudFlare.

Cisco Fellow Patrick Peterson is behind Agari, an email security company based on work Peterson started at IronPort before Cisco bought it. Still a Cisco fellow, he spends most of his time on the new venture.

Here are brief descriptions of a half-dozen security companies to watch, what they can do for enterprises and why they are worth keeping an eye on.

Agari
Headquarters: Palo Alto, Calif.
Founded: 2009, as Authentication Networks
Funding: $2.5 million Series A funding from Alloy Ventures with participation from Battery Ventures, First Round Capital and Greylock Partners
Leader: Cisco Fellow Patrick Peterson
Fun fact: The idea for Agari came out of research being done by IronPort when Cisco bought the company. Also, Agari means "to win" in Japanese.

Why we're following it: This email security service will block fake emails, a valuable means for cutting down on successful phishing attacks, but the company gets a leg up because it has support for its portal from AOL, Google, Microsoft and Yahoo, which will be put in place for their customers. Millions of customers will be using it without knowing it.

Key to the service is its accuracy in nailing malicious email without blocking legitimate messages, which company founder Patrick Peterson estimates at one false positive per million blocked messages.

The service can block emails being spoofed under the domain names of legitimate businesses, but also notifies businesses when their domain names are being hijacked to send phishing messages and emails with malicious attachments.

It's worthy of note because it plans to develop support for enterprise-grade email platforms such as Microsoft Exchange. And the company is working to expand support for its filtering to ISPs and telecom carriers in Europe to block the source of more malicious emails.

Success relies on cooperation of major service providers, and Agari has secured that broadly in the U.S. and is seeking it out in other regions. It is also being offered to the financial services industry via the financial services information sharing and analysis center (FS-ISAC), and the Financial Services Roundtable. Information about URLs that are sending illegitimate emails can be sent to takedown services, making a contribution to cleaning up the Internet in general.

Given its leadership, current industry support, road map and financial backing, Agari can be looked to as a means to help better control email-borne threats.

CloudFlare
Headquarters: San Francisco
Founded: 2010
Funding: $22.1 million from New Enterprise Associates, Pelion Venture Partners and Venrock
Leaders: Its three founders are CEO Matthew Prince and Lead Engineer Lee Holloway (both veterans of Project Honeypot), and Customer Experience executive Michelle Zatlyn.
Fun fact: The company started as a Harvard Business School project, and when its founders graduated they moved via U-Haul cross-country to San Francisco.

Why we're following it: There are lots of content-delivery networks, but this one offers a significant number of services free, weeding out bad traffic to websites, mitigating DDoS attacks and in the process cutting load times, on average, in half.

Preparation to use the service requires a simple change to customers' DNS settings to direct traffic through CloudFlare's network. No hardware, no software.

The company stores customers' static Web page content in its 13 nodes worldwide so it's closer to requesters and lowers latency. The service can store a limited version of Web pages that it can continue to serve from CloudFlare nodes should a customer's Web servers fail.

The company claims its filtering of bad requests can reduce the amount of traffic Web servers handle by 65%, making better use of Internet bandwidth.

Part of what's attractive about CloudFlare is that the founders come at CDN after it has already been well defined as a service network category, but they have the luxury of starting fresh with hardware and custom software that optimizes what they want to do.

Toss in that the founders have a demonstrated passion for eliminating spam and improving Web performance as shown by their participation in Project Honeypot, which tracks the IP addresses used to harvest email addresses that are then spammed. And they've managed to attract the attention of respected venture firms who have contributed more than $20 million.

Given all that, it's worth keeping an eye on CloudFlare to see what it comes up with in its planned enterprise version that was supposed to launch at the end of last quarter, but didn't. Nevertheless, when it does appear, it will be worth a look.

ge 3 of 5

CO3 Systems
Headquarters: Cambridge, Mass.
Founded: 2010
Funding: Fairhaven Capital, amount undisclosed
Leader: CEO John Bruce
Fun fact: The actual founder is shrouded in mystery, partly because he still works for a firm that had a need for the type of service CO3 offers due to repeated breaches, and he doesn't want to bring all that up again publicly. The company name is based on its three goals, all of which start with the letters "C-O": contain, control and comply.

Why we're following it: CO3 fills an ever-increasing need: how to respond quickly to all the legal reporting requirements that come into play after a business suffers a data loss.

The company offers software as a service that generates an action list of what businesses have to do to meet those requirements, drawing on its constantly updated database of what 46 states, three commonwealths and 14 federal agencies demand.

When customers suffer losses, they enter the nature of the breach into the service's Web portal, and the portal produces a list of what agencies need to be notified, how soon and the penalties if the deadlines aren't met. It also details how to contact the pertinent parties and the actual language of legislation and regulations that apply.

The alternative is to manually piece together the same information and map it to a spreadsheet, something that CO3 says is virtually impossible to do while also hitting all the deadlines; there just isn't enough time.

Given the trauma of having to make a public disclosure about a data loss, this service can get organizations quickly on track to do the requisite reporting, meeting their obligations and avoiding fines.

Breaches became commonplace and high-profile in 2011, and they are now viewed more as inevitabilities than they are as something that can be avoided. CO3 offers a service that could help businesses do the right thing in the eyes of the law. It bears watching to see what customers who fall victim and wind up having to use the service have to say about it.

Emerging Threats Pro
Headquarters: Lafayette, Ind.
Founded: 2010
Funding: Private
Leader: CEO Matt Jonkman, also president of the Open Information Security Foundation (OISF)
Fun fact: Suricata, the IDS engine developed via OISF and that underlies Emerging Threats, is funded by the Department of Homeland Security.

Why we're following it: Intrusion detection is a must-have in any layered network defense, and Emerging Threats Pro is weaving its way into the fabric of open source intrusion detection software, with the company's CEO Matt Jonkman as the driving force.

The IDS is based on the open source Suricata engine. The open source ruleset that goes along with Suricata comes from the Emerging Threats project. That is different from Emerging Threats Pro, which is a commercial enterprise set up to apply quality assurance to the Emerging Threats ruleset so it is more likely to find its way into commercial products. Jonkman says an open source community alone could not afford the equipment needed to do top-notch QA.

That sounds a lot like the relationship between the Snort IDS engine and Sourcefire, and it is. But Emerging Threats Pro touts its multi-threading support that effectively boosts the potential line speed of IDSs that use it. And the Emerging Threats rules are compatible with the Snort IDS engine, so they can be used to augment Snort as well as other IDS rulesets that incorporate Snort.

The company has a number of partners including Bridgeway Security, Critical Intelligence, Digital Pathways, Kaspersky Labs and Nitro Security, among others, which use Emerging Threats in various ways. Kaspersky, for instance, partners with Emerging Threats Pro to help expand its ruleset based on new malware it detects in its labs. It also uses the ruleset for its internal research.

Given its potential to work its way into a variety of commercial security platforms and its open source community that provides quick responses to new threats, Emerging Threats Pro is a company to watch.

Fixmo
Headquarters: Sterling, Va., and Toronto
Founded: 2009
Funding: $29.5 in Series B and C funding in 2011 from Extreme Venture Partners, Horizons Ventures, iNovia Capital, Kleiner Perkins Caufield Byers, Panorama Capital and Rho Ventures Canada
Leader: CEO and founder Rick Segal
|Fun fact: Core Fixmo technology was developed by the National Security Agency.

Why we're following it: As mobile devices increasingly make their way into corporate networks, it becomes more important to make sure they comply with security policies and stay that way.

Fixmo addresses this concern with software that continuously monitors mobile gear so it remains in authorized, trusted states, helping to prevent data loss and other security breaches. It also sets down audit trails to prove that devices maintained trusted state in order to satisfy regulators.

Perhaps more important, Fixmo addresses the problem of bring your own device: How does a business allow employees to access corporate resources via their personal device (smartphone, tablet, etc.) without exposing those resources to the dangers inherent in unrestricted private use of the device? An employee hitting websites in the absence of URL filtering and downloading unvetted apps could compromise the gear and therefore valuable company information. Or a compromised device could be used as a means to compromise the network to which the device connects.

Fixmo can partition these devices and create a secure sandbox in which corporate data is handled, ensuring that data can't be accessed by the rest of the machine, blocking it from potentially being compromised. The products are already being used by the Department of Defense to secure Android devices.

With these solid credentials and an infusion of $29.5 million last year, the company should have noteworthy expansion and enhancements soon.

Universal Secure Registry
Headquarters: Newton, Mass.
Founded: 2007
Funding: Private
Leader: Founder is Kenneth Weiss
Fun fact: Weiss is the creator of what is now the RSA SecurID two-factor authentication token.

Why we're following it: You can't have enough factors in multi-factor authentication, and Universal Security Registry is boosting the number to three-plus.

Kenneth Weiss, the founder of Universal Secure Registry, brings an impressive credential to the venture: He is the father of the two-factor authentication tokens known as SecurID.

With USR, he's upping his game with an additional biometric authentication factor that would be used to support electronic wallets. With the technology that he calls three-plus factor authentication, critical data used in transactions aren't stored on the phones. Rather, the multi-tiered authentication enables a connection to a server that stores customer data such as credit card numbers. That data is transmitted via a secure channel to a point-of-sale device.

Using the system, customers in the checkout line punch in passwords (something they know) followed by a randomly generated number from their phone (something they have) followed by reciting a phrase into the phone to create a voiceprint (something they are). If all three line up, customer data is sent to the point-of-sale device including a photo of the customer for the clerk to verify against the person standing there with the phone (that's the "plus").

The Universal Secure Registry could just as well be used for network logins. The constantly changing PIN generation is based on SecurID patents that are now in the public domain.

With the wide interest in digital wallets and Universal Secure Registry's goal of licensing the technology to others, it has the chance to become a widespread authentication tool that could give SecurID a run for its money.

The company is privately funded and has competition against some formidably well-heeled adversaries including Google, Visa, AT&T, Verizon and T-Mobile, the latter three of which are teaming up on a scheme called Isis.

Read more about security in Network World's Security section.