Where's the real underground these days, behind the shadows of the ShadowCrew, the revenge of the now, for-profit script kiddies, or in the slowly shaping real Mafia's online ambitions? Moreover, is all this activity going on behind the Dark Web, or the WWW itself? Go through this fresh overview, emphasizing on today's script kiddies, 0days as a commodity, malware and DDoS on demand on the WWW itself, and perhaps a little bit of vendors' tolerated FUD.
In a previous post, I mentioned on the existence of the International Exploits Shop, the Xshop, basically a web module where 0days, and service support in terms of videos, PHP-based configuration etc. are provided to anyone willing to get hold of a 0day/zero-day vulnerability -- scary stuff, yet truly realistic concept that's directly bypassing today's infomediaries that purchase vulnerabilities.
I must admit I didn't do homework well enough to figure out that the Hack Shop has been changing quite some places for the last two years and having offered many other vulnerabilities, going beyond what I came across to two months ago -- the Internet offers a much wider set of potential buyers than from the three informediaries for the time being. As a reader gave me a hint, in the future images would protect that type of pages from crawling activities, and it's interesting to note that previous versions of the shop were doing exactly the same, while the last one I got tipped about, was using text on its pages. What's also important to mention is that these are the public propositions, ones placed on the WWW, and not the Dark Web, the one behind closed doors. Last month, Sophos mentioned on the existence of a multi-exploit kit for an unbelievably cheap price :
"A Russian website is selling a spyware kit for $15. The website promises an easy-to-deploy spyware that only requires users to trick their victims into visiting a malicious website. The website even offers technical support. Carole Theriault, senior security consultant at Sophos, says such websites invite script kiddies and other unskilled would-be hackers into the world of cybercrime for profit."
Rather interesting, WebSense Security Labs looked further, came up with the screenshots from the site itself, cut the last screenshot you can clearly see here (Disable adobe acrobat web capture, Disable opera user, Kill frame, Location lock, Referrer lock) but again spread the rumour of multi-exploit kit for sale at $15, of course for entering the for-profit cyber crime business -- a little bit of FUD, sure, but the sellers aren't still that very desperate I think.
So, I decided to look even further and now can easily conclude -- it depends where you're buying it from, I mean even the official site sells it at a price that way too high for an average script kiddie to get hold of multi-exploits pack -- whether outdated or not can be questioned as well. So, the kit officially goes for $300 and, $25 for updates, I also came across it for $95, but I bet they are a lot of people looking for naive wannabe exploiters out there. As you can see on these screenshots, it has the ability to encrypt HTML pages, parts of the page, and take precautions for curious folks trying to figure out more about the page in question, and it makes me wonder on how well would malicious HTML detection would perform here, if it does?
What's the outcome -- script kiddies with attitude are basically compiling toolsets of old exploits and building all-in-one malware kits. As you can even see, they are lazy enough not to keep an eye on its detection status, a sign of "growing" business for sure, yet the "underground" seems to Ph34r going to the Opera , so take your note.
I recently came across to a great article "The Return of the Web Mob" you can find more details on the topic as well, such as :
"I saw one case where an undetectable Trojan was offered for sale and the buyers were debating whether it was worth the price. They were doing competitive testing to ensure it actually worked as advertised," said Jim Melnick, a member of Dunham's team."
"In November 2005, Mashevsky discovered an attempt to hijack a botnet. [The] network of infected computers changed hands three times in one day. Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets, or to spend money on buying parts of botnets which are already in use," he said."
"Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging threats, said there have been cases in Russia where mafia-style physical torture has been used to recruit hackers. If you become a known hacker and you start to cut into their profits, they'll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this," Dunham said."
While doing a recent research across the Russian and the Chinese domain, I came to the conclusion that every local scene has it's own underground, and that those that go as publicly as some do at the bottom line, make the headlines. However, Chinese users being collectivists, are still at the heroic stage of cyber dissidents slowly turning into wannabe hackers, and they have a chain of command, so to speak, that I can argue is more powerful than thought to be "well organized" like the ones in Russia, being individualists. There are even marketing campaigns going on in the form of surveys, trying to measure the bargaining point for 0day vulnerabilities I guess. This one says :
How much would you be willing to pay for an exploit?
$100-300
$300-500
$500-1000
over $1000
we write our own exploits :D
I get them for free
and offers trying to even add value to the purchase by offering a SMS flooder for free if you purchase the exploit. I mean, if you start thinking logically, bypassing the current intermediaries and their moody programs compared to one-to-one communication model with a possible buyer -- the entire idea behind disintermediation is the method of choice. Have 0days turned into an uncontrolled commodity that has to be somehow, at least, coordinated?!
In my recent Future trends of malware research, I mentioned how open-source malware would inevitably dominate, and how the concept will put even more pressure on AV vendors to figure out how to protect from unknown malicious code -- proactively. What I came across to was, customer-centric malware propositions, special features increase or decrease the final price, botnet sources for free download/purchase if modifications are made, free advices coming with the purchase, on demand vulnerabilities, spamming or spam harvesting services on demand, price comparison for malware samples, rootkits-enabled pieces of malware indeed show an increase of growth, DDoS on demand services are usually proposed with 30 mins of service "demo".
Bot's sources are also annoyingly available at the click of a button, as I verified over 20 working links with archives averaging 75MB.
Popular ones :
urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, jbot, microbot, blueyebot, icebot, q8bot, happybot, htmlinfectbot, gsys, epicbot, darkbot, r00fuz, panicattack
Who's to blame? It's not Russia for sure, and if it was it would mostly have to do with enforcement of current laws, yet the global media tends to stereotype to efficiently meet deadlines, instead of figuring out what is going on at the bottom line. When the U.S sees attacks coming from Chinese networks, it doesn't mean it's Chinese hackers attacking the U.S, but could be that sick North Korean ones are trying to increase tensions by spoofing their identities. Moreover, as I've mentioned it is logical to conclude that there are "undergrounds" on a national level, for instance for the last couple of years there's been a steady growth of defacements and phishing attackers from Brazil, Turkey, and of course China, I rarely come across anything else but "mention Russia and get over it" attitude.
In respect to the Chinese "underground", according a report not to be disclosed, and so I'm not as it's fully loaded with impressive information, the Chinese underground back in 2002 used to aggressively attack U.S government's and military targets while drinking Coke from McDonald's themed Coke glass :) courtesy of the China Eagle Union themselves. Their actions in coordination with the Honker Union of China, for instance, played a crucial role in active hacktivism and continue playing it even today.
Like it or not, the average script kiddie, or can we say sophisticated Generation Y teenagers, are well too informed, and obviously sellers of malicious services such as DDoS and malware on demand, than it used to be years ago. I feel it's not their knowledge that's increasing, but the number of connected computers with security illiterate users aiming to put themselves in a "stealth mode" while online in order not to get hacked, or as a friend put it, running in root mode and hiding behind firewalls - ah, the end user.
You can digitally fingerprint a malicious code when you have it, that's normal, but what happens when you don't, can you fight the concepts themselves? Ken Dunham comments on "mafia-style physical torture" are the reflection of people naming their malware MyDoom and begging for botnets if you take your time to go through the quotes from Ancheta's case.
Don't ph34r the teenagers, ph34r their immaturity, and ongoing recruitment practices by the Mafia itself.
Tuesday, April 25, 2006
Wild Wild Underground
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, April 24, 2006
25 ways to distinguish yourself -- and be happy?
Totally out of the security world, yet very relevant inspirational tips for all readers feeling down, or looking for more sources of self-esteem. I've always believed that among the most important key factors for leadership is the ability to know yourself, and to understand the time dimensions of failure -- it's just a temporary event whenever it happens to occur. I also often debate on the pros and cons of corporate citizenship with friends, and try to emphasize on the mobility of today's workforce -- at least the way I see it. Is there any use of such an approach these days, and how should an enterprise go when attracting and retaining it's most valuable HR assets? Does the individual really count at the bottom line?
I think assets with attitude are the most valuable ones, given they never stop self-developing themselves. Going back to this very positive "manifesto" "You don't have to motivate me, just stop demotivating me" type of attitude is what you can greatly enjoy in these tips. Extremely well written key points, especially that "being part of the commodity crowd erodes your value", so true. These get updated all the time, so add them to your own unique ways of distinguishing yourself -- and being happy? :)
01. Care as if it's your own
02. Do your daily work with passion
03. Build strong relationships
04. Dream big!
05. Set the right expectations
06. Ask for help
07. Celebrate small victories
08. Set higher standards
09. Know your values
10. Pursue right memberships
11. Help people help themselves
12. Be a reader
13. Plan by outcomes
14. Think long-term
15. Embrace uncertainty with ease
16. Ask the right questions
17. Engage with a coach
18. Re relevant
19. Get back on your feet fast!
20. Lead a volunteer effort
21. Balance innovation and continuous improvement
22. Learn to sell -- your skills, not your soul or at least not on parts
23. Learn systems thinking
24. Walk away from free
25. Influence the influencers
I think assets with attitude are the most valuable ones, given they never stop self-developing themselves. Going back to this very positive "manifesto" "You don't have to motivate me, just stop demotivating me" type of attitude is what you can greatly enjoy in these tips. Extremely well written key points, especially that "being part of the commodity crowd erodes your value", so true. These get updated all the time, so add them to your own unique ways of distinguishing yourself -- and being happy? :)
01. Care as if it's your own
02. Do your daily work with passion
03. Build strong relationships
04. Dream big!
05. Set the right expectations
06. Ask for help
07. Celebrate small victories
08. Set higher standards
09. Know your values
10. Pursue right memberships
11. Help people help themselves
12. Be a reader
13. Plan by outcomes
14. Think long-term
15. Embrace uncertainty with ease
16. Ask the right questions
17. Engage with a coach
18. Re relevant
19. Get back on your feet fast!
20. Lead a volunteer effort
21. Balance innovation and continuous improvement
22. Learn to sell -- your skills, not your soul or at least not on parts
23. Learn systems thinking
24. Walk away from free
25. Influence the influencers
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Why's that radar screen not blinking over there?
Two days ago, the Russian News & Information Agency - Novosti, reported on how "Russian bombers flew undetected across Arctic" more from the article :
"Russian military planes flew undetected through the U.S. zone of the Arctic Ocean to Canada during recent military exercises, a senior Air Force commander said Saturday. The commander of the country's long-range strategic bombers, Lieutenant General Igor Khvorov, said the U.S. Air Force is now investigating why its military was unable to detect the Russian bombers. They were unable to detect the planes either with radars or visually," he said."
SpaceWar.com, and several other sites/agencies also picked up the story, still its truthfulness, excluding the lack of coverage, can always be questioned, as "by the end of the year, two more Tu-160s will be commissioned for the long-range strategic bomber fleet, Khorov said." So, while I agree with him on the visual confirmation issue, such an achievement is hell of an incentive for commissioning more planes, isn't it? Moreover, should the what used to be, the world's largest radar - The Over-The-Horizon Backscatter Radar have been scrapped given Iran's (and not only) nuclear ambitions, or the ongoing space warfare doctrine would be the logical successor in here?
Let's for instance assume it actually happened, and take the reverse approach -- it actually happened in Russia too, back in 1987, and it wasn't a senior air force commander that did it, if he did, but 19 years old Mathias Rust who landed on the Red Square itself.
More details will follow for sure, so stay tuned, meanwhile take a look at Google Earth's Community spot link on Mathias's landing.
UPDATE
Nice article on the topic, and a great quote as well "Scanning containers full of sneakers for a 'nuke in a box' is not a really thoughtful thing."
Technorati tags:
Military, Radar, Bomber
"Russian military planes flew undetected through the U.S. zone of the Arctic Ocean to Canada during recent military exercises, a senior Air Force commander said Saturday. The commander of the country's long-range strategic bombers, Lieutenant General Igor Khvorov, said the U.S. Air Force is now investigating why its military was unable to detect the Russian bombers. They were unable to detect the planes either with radars or visually," he said."
SpaceWar.com, and several other sites/agencies also picked up the story, still its truthfulness, excluding the lack of coverage, can always be questioned, as "by the end of the year, two more Tu-160s will be commissioned for the long-range strategic bomber fleet, Khorov said." So, while I agree with him on the visual confirmation issue, such an achievement is hell of an incentive for commissioning more planes, isn't it? Moreover, should the what used to be, the world's largest radar - The Over-The-Horizon Backscatter Radar have been scrapped given Iran's (and not only) nuclear ambitions, or the ongoing space warfare doctrine would be the logical successor in here?
Let's for instance assume it actually happened, and take the reverse approach -- it actually happened in Russia too, back in 1987, and it wasn't a senior air force commander that did it, if he did, but 19 years old Mathias Rust who landed on the Red Square itself.
More details will follow for sure, so stay tuned, meanwhile take a look at Google Earth's Community spot link on Mathias's landing.
UPDATE
Nice article on the topic, and a great quote as well "Scanning containers full of sneakers for a 'nuke in a box' is not a really thoughtful thing."
Technorati tags:
Military, Radar, Bomber
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Thursday, April 20, 2006
The anti virus industry's panacea - a virus recovery button
Just when I thought I've seen everything when it comes to malware, I was wrong as a PC vendor is trying to desperately position itself as one offering a feeling of security with the idea to strip its product and lower the customer price. The other day I came across to a fancy ad featuring Lenovo's ThinkVantage Virus Recovery Button, and promoting its usefulness even when there's no AV solution in place :
"Rescue and Recovery is a one button recovery and restore solution that includes a set of self recovery tools to help users diagnose, get help and recover from a virus or other system crashes quickly, even if the primary operating system will not boot and you are remote from your support team."
The video ad is indeed fascinating, and while their Embedded Security Subsystem 2.0 "locks your sensitive data behind hardware-based encryption", you'd better take advantage of their utilities options and try to avoid such a weak positioning in respect to malware. The Virus Recovery Button seems to be directly targeting the masses and totaly removing the complexity issue by introducing a button-based solution to malware -- dangerous as backups and their idea could have proven useful during the first generations of malware.
Anti virus signatures, response time, and various other proactive malware prevention approaches such as, IPS, buffer overflow protection are among today's most widely discussed approaches when dealing with malware, and of course, the principle of least privilege to user accounts. But why the anti virus button when it can be an anti-hacker one? I feel they'd better stick to their OEM agreements and find other ways to achieve competive advantage in pricing than providing a false sense of security.
In my recent "Malware - future trends" research I mentioned on the fully realistic scenario of having your security solution turn into a security problem itself. While this is nothing new, in this case we have a misjudged security proposition, as recovering to a pre-infection state doesn't necessariry mean confidentiality of sensitive personal/financial information wouldn't be breached by the time the user is aware of the infection, if it ever happens of course.
Moreover, Lenovo was recently under scrutiny as "The U.S.-China Economic Security Review Commission (USCC) argues that a foreign intelligence like that of the Communist Party of China (CPC) can use its power to get Lenovo to equip its machines with espionage devices. Lenovo has strongly declined that it is involved in any such activities", and while they eventually reached a consensus on using the machines on unclassified systems only, it doesn't mean they aren't exposed to a wide variety of threats going beyond China backdooring them, such as Zotob over border-screening systems at airports.
As a matter of fact, the rival PC/notebook propositions might still be owned by U.S companies, but are mostly assembled in China these days -- too much hype for nothing.
UPDATE - Sites that picked up the post
LinuxSecurity.com
MalwareHelp.org
Technorati tags:
Security, Malware, Anti-virus, Lenovo, Data Recovery
"Rescue and Recovery is a one button recovery and restore solution that includes a set of self recovery tools to help users diagnose, get help and recover from a virus or other system crashes quickly, even if the primary operating system will not boot and you are remote from your support team."
The video ad is indeed fascinating, and while their Embedded Security Subsystem 2.0 "locks your sensitive data behind hardware-based encryption", you'd better take advantage of their utilities options and try to avoid such a weak positioning in respect to malware. The Virus Recovery Button seems to be directly targeting the masses and totaly removing the complexity issue by introducing a button-based solution to malware -- dangerous as backups and their idea could have proven useful during the first generations of malware.
Anti virus signatures, response time, and various other proactive malware prevention approaches such as, IPS, buffer overflow protection are among today's most widely discussed approaches when dealing with malware, and of course, the principle of least privilege to user accounts. But why the anti virus button when it can be an anti-hacker one? I feel they'd better stick to their OEM agreements and find other ways to achieve competive advantage in pricing than providing a false sense of security.
In my recent "Malware - future trends" research I mentioned on the fully realistic scenario of having your security solution turn into a security problem itself. While this is nothing new, in this case we have a misjudged security proposition, as recovering to a pre-infection state doesn't necessariry mean confidentiality of sensitive personal/financial information wouldn't be breached by the time the user is aware of the infection, if it ever happens of course.
Moreover, Lenovo was recently under scrutiny as "The U.S.-China Economic Security Review Commission (USCC) argues that a foreign intelligence like that of the Communist Party of China (CPC) can use its power to get Lenovo to equip its machines with espionage devices. Lenovo has strongly declined that it is involved in any such activities", and while they eventually reached a consensus on using the machines on unclassified systems only, it doesn't mean they aren't exposed to a wide variety of threats going beyond China backdooring them, such as Zotob over border-screening systems at airports.
As a matter of fact, the rival PC/notebook propositions might still be owned by U.S companies, but are mostly assembled in China these days -- too much hype for nothing.
UPDATE - Sites that picked up the post
LinuxSecurity.com
MalwareHelp.org
Technorati tags:
Security, Malware, Anti-virus, Lenovo, Data Recovery
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Digital forensics - efficient data acquisition devices
Digital forensics have always been a hot market segment, whereas the need for a reliable network based forensics model given main Internet's insecurities such as source address spoofing and the lack of commonly accepted security events reporting practices is constantly growing as well. Information acqusition, analysis and interpretation in the most reliable and efficient way is often among the desired outcome -- and of course figure out what has been happenning at a given historical moment in time or in real-time if applicable.
In a previous post related to "Detecting intruders and where to look for" I mentioned lots of resources regarding the topic, and tools to take advantage of, if in need. In respect to cell phones and various related privacy issues, excluding the physical forensic analysis that could be successfully performed, there's a growing discussing on whether a "suspect's" physical location should be revealed though a mobile-phone carrier -- segmented requests are the most efficient and socially-conscious ones I think.
Today I came across to "Logicube CellDEK" a portable handset data extraction kit :
"The portable CellDEK® acquires data from over 160 of the most popular cell phones and PDA's. Built to perform in the field (not just in the lab), investigators can immediately gain acces to vital information. This saves days of waiting for crucial data to come back from a crime lab. The CellDEK software automatically performs forensic extraction of the following data: Handset Time and Date, Serial Numbers (IMEI, IMSI), Dialed Calls, Received Calls, Phonebook (both handset and SIM), SMS (both handset and SIM), Deleted SMS from SIM, Calendar, Memos, To Do Lists, Pictures, Video, and Audio."
Nothing surprising as there are many other freeware applications/ways to do cell phone forensics (full list can be found at Sergio Hernando's blog), but what made me an impression was its usefulness by covering over 160 models, portability due to its size and capabilities, and that up to 40 adapters may be stored in the system’s built-in rack. Some challenges I see to today's forensic investigators are the sophistication of publicly available encryption/steganographic tools, the Internet acting as a online HDD opening opportunities for dead-drop places, and communications that went over covert channels.
On my wislist however, has always been the company's Forensic MD5, as it basically "swallows" data in a timely manner -- a bad toy in the hands of a insider going beyond average types of removable media, and in moments where minutes count. As a matter of fact, a forensic investigator's sophistication and expertise doesn't really count when the Mafia is still catching up on how to encrypt. Still, I'm convinced how some of his "operatives" are into far more sophisticated methods of communication than he is.
Check out some more resources, and case studies on the topic as well :
How to Become a Cyber-Investigator
SANS Reading Room - Forensics
Digital Forensics Tool Testing Images
Computer Forensics for Lawyers
Forensic Analysis of the Windows Registry
Forensic Computing from a Computer Security perspective
Guidelines on PDA Forensics
Forensic Examination of a RIM (BlackBerry) Wireless Device
WebMail Forensics
iPod Forensics
Digital Music Device Forensics
Forensics and the GSM mobile telephone system
List of Printers Which Do or Don't Print Tracking Dots
Metasploit Anti-forensics homepage
UPDATE - Sites that picked up the story
LinuxSecurity.com
Technorati tags:
Security, Forensics, cyber-crime, Mobile Phone
In a previous post related to "Detecting intruders and where to look for" I mentioned lots of resources regarding the topic, and tools to take advantage of, if in need. In respect to cell phones and various related privacy issues, excluding the physical forensic analysis that could be successfully performed, there's a growing discussing on whether a "suspect's" physical location should be revealed though a mobile-phone carrier -- segmented requests are the most efficient and socially-conscious ones I think.
Today I came across to "Logicube CellDEK" a portable handset data extraction kit :
"The portable CellDEK® acquires data from over 160 of the most popular cell phones and PDA's. Built to perform in the field (not just in the lab), investigators can immediately gain acces to vital information. This saves days of waiting for crucial data to come back from a crime lab. The CellDEK software automatically performs forensic extraction of the following data: Handset Time and Date, Serial Numbers (IMEI, IMSI), Dialed Calls, Received Calls, Phonebook (both handset and SIM), SMS (both handset and SIM), Deleted SMS from SIM, Calendar, Memos, To Do Lists, Pictures, Video, and Audio."
Nothing surprising as there are many other freeware applications/ways to do cell phone forensics (full list can be found at Sergio Hernando's blog), but what made me an impression was its usefulness by covering over 160 models, portability due to its size and capabilities, and that up to 40 adapters may be stored in the system’s built-in rack. Some challenges I see to today's forensic investigators are the sophistication of publicly available encryption/steganographic tools, the Internet acting as a online HDD opening opportunities for dead-drop places, and communications that went over covert channels.
On my wislist however, has always been the company's Forensic MD5, as it basically "swallows" data in a timely manner -- a bad toy in the hands of a insider going beyond average types of removable media, and in moments where minutes count. As a matter of fact, a forensic investigator's sophistication and expertise doesn't really count when the Mafia is still catching up on how to encrypt. Still, I'm convinced how some of his "operatives" are into far more sophisticated methods of communication than he is.
Check out some more resources, and case studies on the topic as well :
How to Become a Cyber-Investigator
SANS Reading Room - Forensics
Digital Forensics Tool Testing Images
Computer Forensics for Lawyers
Forensic Analysis of the Windows Registry
Forensic Computing from a Computer Security perspective
Guidelines on PDA Forensics
Forensic Examination of a RIM (BlackBerry) Wireless Device
WebMail Forensics
iPod Forensics
Digital Music Device Forensics
Forensics and the GSM mobile telephone system
List of Printers Which Do or Don't Print Tracking Dots
Metasploit Anti-forensics homepage
UPDATE - Sites that picked up the story
LinuxSecurity.com
Technorati tags:
Security, Forensics, cyber-crime, Mobile Phone
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tuesday, April 18, 2006
Spotting valuable investments in the information security market
Back in January I mentioned the possible acqusition of SiteAdvisor in my "Look who's gonna cash for evaluating the maliciousness of the Web?" post and it seems McAfee have realized the potential of this social-networking powered concept on a wide scale, and recently acquired SiteAdvisor -- this was meant to happen one way or another and with risk of being over-enthusiastic I feel I successfully spotted this one.
Next to SiteAdvisor's pros and cons that I commented on, I also provided a resourceful overview of some of the current malware crawling projects out there, to recently find out that WebRoot finally went public with the Phileas spyware crawler, and that Microsoft's Strider Crawler came up with the Typo-Control project -- great idea as a matter of fact. What are some of the current/future trends in the information security industry? Are the recent flood of acquisitions the result of cheaper hardware and the utilization of open-source software, thus cutting costs to the minimum while the idea still makes it to the market?
Have both, entry and exit barriers totally vanished so that anyone could get aspired of becoming a vendor without the brand at the first place? Excluding the big picture, it is amazing how uninformed both, end and corporate users are, yet another lack of incentive for security vendors to reach another level of solutions -- if it ain't broken, don't improve it.
Moreover, what would the effect be of achieving the utopian 100% security on both, the market and the world's economy? On one hand we have "the worst year" of cybercrime, whereas spending and salaries are booming, and they should be as the not knowing how much security is enough, but trying to achieve the most secured state is a driving factor for decades to come.
The bottom line is, the more insecurities, the more security spending, the higher the spending, the higher the growth, and with increasing purchasing power, corporate R&D, and government initiatives you have a fully working economic model -- going to war, or seeing terrorists everywhere is today's driving force for military/intelligence spending compared to the "Reds are everywhere" propaganda from both camps of course, back in the Cold War period. Fighting with inspired bureaucrats is always an issue as well.
The Ansoff's Product/Market Matrix often acts as the de-facto standard for developing business opportunities, that is, of course, if you're not lead by a visionary aim, promote an internal "everyday startup" atmosphere to stimulate creativity, or benchmark against competitors. On the majority of occassions a security vendor is looking for ways to diversify its solutions' portfolio, thus taking advantage of re-introduced product life cycles and new sources for revenues.
While there should be nothing wrong with that given a vendor is actually providing a reliable solution and support with it, I often argue on how marketable propositions centric business model is not good for the long-term competitiveness of the company in question.
It's the judgement and competitors myopia that I'm talking about. In respect to the current information security market trends, or let's pick up the anti virus solutions segment, that means loosing sight of the big picture with the help of the mainstream media -- cross refferenced malware names, "yet another" malware in the wild, or supposed to be Russian hacker selling his soul for E-gold(cut the stereotypes here and go through the majority of recent statistics to see where all that phishing, spam and malware is coming from), is a common weakness of a possible decision-maker looking for acquisitions. Focusing on both, current trends, and current competitions is the myopia that would prevent you from sensing the emerging ones, the ones that would improve your competitiveness at any time of execution of course.
The way we have been witnessing an overal shift towards a services based world economy in comparisson to a goods based one, in the informaiton security market services or solutions will inevitably profiliate in the upcoming future. When was the last time you heart someone saying "I don't need an anti-virus scanner, but an anti-virus solution, what's yours and how is it differentiated from the others I'm aware of"? Un-informed decisions, quick and cheap way to get away with the "security problem", or being totally brainwashed by a vendor's salesforce would result in enormous long-term TCO(total cost of ownership) problems, given someone actually figures a way to make the connection in here.
Some time ago, I came across a great article at CSOOnline.com "2 Vendor Megatrends and What They Mean to You" giving insight on two trends, namely, consolidation of security providers and convergence -- the interception between IT and physical security. And while it's great in respect to covering these current trends, I feel the article hasn't mentioned the 3rd one - Diversification. An excerpt :
"One trend is consolidation. "We're seeing the bigger players buying out many of the smaller companies. And I think the largest of the security firms are looking to provide a full range of enterprise services," says C. Warren Axelrod, director of global information security at Pershing, a Bank of New York Securities Group company. "The larger firms, like Internet Security Systems, Symantec and Computer Associates, are buying in many areas to complement what they have. They're basically vying for control of the security space." Axelrod is dead on, and consolidation is just as rampant among physical security vendors as it is in the IT world."
I feel consolidation is happening mainly because different market segments are constantly getting crowded and mainly because it's very, very hard to get a name in the information security market these days, so instead of run for your own IPO, compete against market players whose minor modification may ruin your entire idea, you'd better get acquired one way or another. @stake is an example of how skilled HR runs away from the acquirer, at least for me counting the HR as the driving force besides the brand.
More from the article :
"The second trend is convergence—the confluence of IT and physical security systems and vendors—which, in some sense, is another form of consolidation, only it's happening across the line that historically divided those two worlds."
Tangible security is often favored by investors as it targets the masses, and the most visible example besides perimeter based defenses are the hardware appliances themselves. These days, there isn't a single anti virus, anti spam or anti spyware solution provider without a hardware appliance, but what's to note is how their OEM agreements are still working and fully applicable, it's all about greed, or let's avoid the cliche and say profit maximization -- whatever the market requires the vendors deliver!
Very in-depth article, while I can argue that vendors are so desperate to "consolidate bids" on a national level, as they usually try to get as big part of the pie as possible. What's else to note is that the higher the market transparency, the more competitive the environment, thus greater competition which is always useful for the final user. In respect to heterogenity and homogenity of security solutions, and all-in-one propositions, the trade-offs are plain simple, cut total TCO by using a single vendor, get your entire infrastructure breached into by an attacker that would sooner or later find a vulnerability in it -- find the balance and try to avoid the myth that complexity results in insecurities, as it's a unique situation every time.
What we're witnessing acquisition-to-solution turn-around periods of several months in response to an emerging market - the IM one, mobile anti-virus scanners seem to be the "next big thing", whereas it would take quite some time for this segment to develop, still you'd better be among the first to respond to the interest and the fact that there are more mobile phones capable of getting infected with a virus, than PCs out there -- 3G, 4G, mobile banking would fuel the growth even more, and these are just among the few issues to keep in mind. In a previous post, I also mentioned on a creative use of security intelligence information in Sophos's Zombie Alert service, and a product-line extensions, namely McAfee's bot killing system. What no one pictured would happen is emerging these days - vulnerabilities turning into IP and the overal commercialization of the security vulnerabilities market, and getting paid for getting hacked is a growing trend as well -- much more's to come for sure.
The secrets to successful acquisitions?
- retain the HR that came with it, and better put something on the table at the first place
- don't try to cannibalize the culture there, Flickr is the perfect example out of the security market
- go beyond the mainstream media sources, and PR releases, use open source competitive intelligence tools in order not to miss an opportunity
- attend as much cons as possible to keep track of who's who and where's the industry heading to
- cost-effectively keep in touch with researchers, and an eye on their blogs, you never know who would be your early warning system for business development ideas
Try to stay on the top of security, not in line with it.
Technorati tags:
Security, Information Security, SiteAdvisor, McAfee, Investing, Investment, Market Trends, Economics
Next to SiteAdvisor's pros and cons that I commented on, I also provided a resourceful overview of some of the current malware crawling projects out there, to recently find out that WebRoot finally went public with the Phileas spyware crawler, and that Microsoft's Strider Crawler came up with the Typo-Control project -- great idea as a matter of fact. What are some of the current/future trends in the information security industry? Are the recent flood of acquisitions the result of cheaper hardware and the utilization of open-source software, thus cutting costs to the minimum while the idea still makes it to the market?
Have both, entry and exit barriers totally vanished so that anyone could get aspired of becoming a vendor without the brand at the first place? Excluding the big picture, it is amazing how uninformed both, end and corporate users are, yet another lack of incentive for security vendors to reach another level of solutions -- if it ain't broken, don't improve it.
Moreover, what would the effect be of achieving the utopian 100% security on both, the market and the world's economy? On one hand we have "the worst year" of cybercrime, whereas spending and salaries are booming, and they should be as the not knowing how much security is enough, but trying to achieve the most secured state is a driving factor for decades to come.
The bottom line is, the more insecurities, the more security spending, the higher the spending, the higher the growth, and with increasing purchasing power, corporate R&D, and government initiatives you have a fully working economic model -- going to war, or seeing terrorists everywhere is today's driving force for military/intelligence spending compared to the "Reds are everywhere" propaganda from both camps of course, back in the Cold War period. Fighting with inspired bureaucrats is always an issue as well.
The Ansoff's Product/Market Matrix often acts as the de-facto standard for developing business opportunities, that is, of course, if you're not lead by a visionary aim, promote an internal "everyday startup" atmosphere to stimulate creativity, or benchmark against competitors. On the majority of occassions a security vendor is looking for ways to diversify its solutions' portfolio, thus taking advantage of re-introduced product life cycles and new sources for revenues.
While there should be nothing wrong with that given a vendor is actually providing a reliable solution and support with it, I often argue on how marketable propositions centric business model is not good for the long-term competitiveness of the company in question.
It's the judgement and competitors myopia that I'm talking about. In respect to the current information security market trends, or let's pick up the anti virus solutions segment, that means loosing sight of the big picture with the help of the mainstream media -- cross refferenced malware names, "yet another" malware in the wild, or supposed to be Russian hacker selling his soul for E-gold(cut the stereotypes here and go through the majority of recent statistics to see where all that phishing, spam and malware is coming from), is a common weakness of a possible decision-maker looking for acquisitions. Focusing on both, current trends, and current competitions is the myopia that would prevent you from sensing the emerging ones, the ones that would improve your competitiveness at any time of execution of course.
The way we have been witnessing an overal shift towards a services based world economy in comparisson to a goods based one, in the informaiton security market services or solutions will inevitably profiliate in the upcoming future. When was the last time you heart someone saying "I don't need an anti-virus scanner, but an anti-virus solution, what's yours and how is it differentiated from the others I'm aware of"? Un-informed decisions, quick and cheap way to get away with the "security problem", or being totally brainwashed by a vendor's salesforce would result in enormous long-term TCO(total cost of ownership) problems, given someone actually figures a way to make the connection in here.
Some time ago, I came across a great article at CSOOnline.com "2 Vendor Megatrends and What They Mean to You" giving insight on two trends, namely, consolidation of security providers and convergence -- the interception between IT and physical security. And while it's great in respect to covering these current trends, I feel the article hasn't mentioned the 3rd one - Diversification. An excerpt :
"One trend is consolidation. "We're seeing the bigger players buying out many of the smaller companies. And I think the largest of the security firms are looking to provide a full range of enterprise services," says C. Warren Axelrod, director of global information security at Pershing, a Bank of New York Securities Group company. "The larger firms, like Internet Security Systems, Symantec and Computer Associates, are buying in many areas to complement what they have. They're basically vying for control of the security space." Axelrod is dead on, and consolidation is just as rampant among physical security vendors as it is in the IT world."
I feel consolidation is happening mainly because different market segments are constantly getting crowded and mainly because it's very, very hard to get a name in the information security market these days, so instead of run for your own IPO, compete against market players whose minor modification may ruin your entire idea, you'd better get acquired one way or another. @stake is an example of how skilled HR runs away from the acquirer, at least for me counting the HR as the driving force besides the brand.
More from the article :
"The second trend is convergence—the confluence of IT and physical security systems and vendors—which, in some sense, is another form of consolidation, only it's happening across the line that historically divided those two worlds."
Tangible security is often favored by investors as it targets the masses, and the most visible example besides perimeter based defenses are the hardware appliances themselves. These days, there isn't a single anti virus, anti spam or anti spyware solution provider without a hardware appliance, but what's to note is how their OEM agreements are still working and fully applicable, it's all about greed, or let's avoid the cliche and say profit maximization -- whatever the market requires the vendors deliver!
Very in-depth article, while I can argue that vendors are so desperate to "consolidate bids" on a national level, as they usually try to get as big part of the pie as possible. What's else to note is that the higher the market transparency, the more competitive the environment, thus greater competition which is always useful for the final user. In respect to heterogenity and homogenity of security solutions, and all-in-one propositions, the trade-offs are plain simple, cut total TCO by using a single vendor, get your entire infrastructure breached into by an attacker that would sooner or later find a vulnerability in it -- find the balance and try to avoid the myth that complexity results in insecurities, as it's a unique situation every time.
What we're witnessing acquisition-to-solution turn-around periods of several months in response to an emerging market - the IM one, mobile anti-virus scanners seem to be the "next big thing", whereas it would take quite some time for this segment to develop, still you'd better be among the first to respond to the interest and the fact that there are more mobile phones capable of getting infected with a virus, than PCs out there -- 3G, 4G, mobile banking would fuel the growth even more, and these are just among the few issues to keep in mind. In a previous post, I also mentioned on a creative use of security intelligence information in Sophos's Zombie Alert service, and a product-line extensions, namely McAfee's bot killing system. What no one pictured would happen is emerging these days - vulnerabilities turning into IP and the overal commercialization of the security vulnerabilities market, and getting paid for getting hacked is a growing trend as well -- much more's to come for sure.
The secrets to successful acquisitions?
- retain the HR that came with it, and better put something on the table at the first place
- don't try to cannibalize the culture there, Flickr is the perfect example out of the security market
- go beyond the mainstream media sources, and PR releases, use open source competitive intelligence tools in order not to miss an opportunity
- attend as much cons as possible to keep track of who's who and where's the industry heading to
- cost-effectively keep in touch with researchers, and an eye on their blogs, you never know who would be your early warning system for business development ideas
Try to stay on the top of security, not in line with it.
Technorati tags:
Security, Information Security, SiteAdvisor, McAfee, Investing, Investment, Market Trends, Economics
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)