Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

RSA Conference Thoughts: Part III

As we get further into the week, my attention span is waning. So, today’s blog will be a bit lighter. Here are some things I observed this year.

1. There is an energy at the conference that has been missing during the past few conferences. You can tell that security is a hot field again.

2. I am surprised by the number of people I see in suits. As usual, most of the people in the hotel lobbies are wearing suits and there are a lot fewer suits in the conference itself. I’m wearing a suit, though, so I’m contributing to the trend.

3. There seem to be more small companies this year. It’s refreshing to not have all of the booths be from the incumbents.

4. There seems to be a higher proportion of women attendees this year.

Overall, it has been a very good show. I’ll be interested to hear others’ comments about how things went this year.

March 2, 2012 | Posted in General

Reasons to be Thankful

As 2011 begins to draw to a close, there are several things for which I am thankful.

First, I’m thankful to see that security budgets within government and other organizations have increased.  I am happy to know that my various assets and liberties are a high priority for protection.

Second, I am thankful to see risk management and information security teams working together more than they were a year ago.  They are fighting the same bad guys!  Cooperation will only make us more powerful!

Third, I’m thankful that there are really smart people out in the ecosystem who are committed to fighting the various fraud and security attacks.

To that end, I’m thankful to all of you for everything you are doing to help bring more integrity to the internet/web/whatever we will call it in 2012!

November 23, 2011 | Posted in General, information security

Why attacks differ based on geography

I’ve always been confused by why the bad guys target banks in the UK and South America so differently from the way they target banks in the US.  In the UK and especially in Brazil you hear of extremely sophisticated attacks to steal or covertly use login credentials of unsuspecting consumers.  And yet, in the US, the bad guys seem to be most wily about how they get the money out of the account.

Last week I finally got an answer to this.

I was talking to a security expert from a bank in the UK and he explained how banks in the UK and banks in Brazil have been very stringent about protecting the “front door”.  Specifically, banks in both of these regions have deployed strong second factor technology, often require client-computer authentication, and do lots of things to make sure it is difficult for a third party to gain access to the account.  Because of this, the bad actors have had to develop extremely subtle attack vectors to get past these various protections (for example, Man in the Browser).

Another difference, I’m told, is that in the UK there are so many expatriates from other parts of the world that it is easy to both find mules and hide them.  This allows for a much easier time of transferring the money out.

In contrast, banks in the US have done some things to protect the front door, but many of them put a lot of emphasis on protecting the moment of highest risk: when the money is transferred out.  So, the bad actors have to do a better job of disguising themselves at the time of transfer.

Hopefully this sheds some light on why there are different attacks geographically.  If you all have other differences, please let me know.

June 11, 2009 | Posted in General

Silver Tail “Best of Show” Video Available

The video demonstration from our Best of Show win at FinovateStartup09 is now available through the silvertailsystems.com website and the FinovateStartup09 video website. Leading anti-fraud expert and company co-founder, Laura Mather, presented the Silver Tail Forensics product on stage at the conference. She highlighted a Man-in-the-Browser example, showcasing Silver Tail’s unique capability as the only commercial technology for online sites to detect this emerging threat and protect against business logic abuse.

Silver Tail was awarded Best of Show, voted on by the 300+ attendees at the conference, made up mostly of financial services firms. The selection was made based on the audience interest in the solution, the compelling need in the financial services market and the presentation given at the conference. Silver Tail was selected as the winner over 57 companies participating in the conference.

The 7 minute video is available here: http://www.finovate.com/startup09vid/silvertailsystems.html

June 3, 2009 | Posted in business logic abuse, General

Silver Tail Selected #2 on Top Tech Companies to Watch – Bank Technology News!

Silver Tail was selected as #2 in the “Top 10 Companies to Watch” by American Banker / Bank Technology News!! The Editor-in-Chief & author, Rebecca Sausner, did a fantastic job of describing what Silver Tail does in an easy to understand and accurate article. Rebecca further mentioned, “Silver Tail plans to federate its findings about attacks, allowing each of its customers to benefit from the experience of others.” From the feedback we get from customers, it sounds like the industry should band together to combat the criminals in the same way the criminals band together to combat the industry.

It’s fantastic to see more awareness generated for the detection and disruption of online fraud, especially around business logic abuse. Also, we appreciate the support from Bill Bradway at Bradway Research. We agree that the pain our founders, Laura Mather and Mike Eynon, experienced at eBay and PayPal fighting online fraud gives them some street cred! No better way to build the right solution than to have that direct experience.

The Top 10 article is here. What great companies to be associated with in the Top 10 (Fidelity, Mastercard, Oracle…)!

The Silver Tail article is here.

BTW: This follows our recent Best of Show win at FinovateStartup09 in San Francisco, voted on by financial services firms. The financial services firms appear to be taking notice!

May 29, 2009 | Posted in business logic abuse, General

Who came up with the term phishing?

Does anyone out there know who came up with the term phishing?  I see references to it being a combination of “fishing” and “phreaking”, but I thought there was a government or industry group who first evangelized using the term.  Maybe it was the FTC or the FSTC?

I remember being at eBay and calling that type of fraud “spoofing” and being annoyed that the branding of the fraud had been changed.  In the end it was good to have a term like phishing that everyone could use.

Anyone remember who originally used (or evangelized) the term phishing?

May 13, 2009 | Posted in General, Phishing | 2 Comments

Blogging, again, from RSA Conference 2009

At the RSA Conference 2009 – day 2.

Normally blogging from a conference I try to be upbeat and positive on the speakers (I’m usually a glass-half-full guy), but I just can’t say I was wowed today by the keynotes. A lot about collaboration – can’t go wrong there. Definitely a couple mentions about how attacks are now directed at the application layer – can’t agree more, this is why we have Silver Tail. However, nothing inspiring. Anyone disagree?

Spent much of the day in meetings with potential customers and partners – great feedback and a lot of excitement about what we are doing and about our announcements yesterday. Personal note: I’ve noticed an interesting trend: many of my friends from the software development days are now in the security space – must be where all the innovation is happening!

Enjoyed Jeremiah Grossman’s session on web hacking techniques, though a little technical for me – but I get the picture: the list of top web hacking techniques never goes away… don’t need to be too technical to understand that. Jeremiah filled a very large room in the last session of the day (5:40pm) – testament to the speaker.

I did discover a new (new to me) security news site, threatpost. Good format.

The after parties were in earnest, with even bigger ones scheduled for tomorrow night. See you there…

April 22, 2009 | Posted in General

Silver Tail launched today!

Now it’s official: Silver Tail launched with several announcements today. Though we haven’t been completely silent (thank you for continuing to read our blog), we are now ready to take on the market and aggressively lead the fight against business logic abuse. Building this company and this market is not only fun, but rewarding when you see how our patent pending technology is helping companies reduce online fraud losses, protect their brand and increase customer trust.

I want to take a moment to thank our investors, Leapfrog Ventures, Seraph Group, Startup Capital Ventures and our individual investors. They are very supportive in our quest, well beyond the financial aspect. Their guidance has been critical in our growth!

And of course to our customers: without their demand for our solution and their patience now that it’s getting installed, we would not have the momentum we have today.

Stay tuned as more exciting announcements are coming…

April 20, 2009 | Posted in business logic abuse, General, Online Fraud, Trust

Blogging from the Merchant Risk Council (MRC)

We are at the Merchant Risk Council (MRC) this week in Las Vegas.

Great welcome reception last night – attendance was sold out this year, which is a statement about the quality and importance of this conference. Pick any survey out there: online fraud is on the rise and people are concerned. Kudos to MRC for putting on such a strong showing in such economic times.

This morning Tom Ridge gave the keynote – a great mix of politics, e-commerce and generational commentary. He’s recently learned how to text his kids, by which they were shocked (good laugh for the crowd).

Tom outlined his concern that recent data breaches, phishing attacks, and even the fraud prevention attempts that web sites employ for all users (how many times do I have to tell you, “it’s me!”) provoke a feeling that the internet is not safe. This is bad for everyone. And when his view is, “the Internet is the most important piece of critical infrastructure we have in America,” we need every bit of trust in the Internet that we can get.

The quote I like best, “Better to manage risk before it manages you.” Think about it.

Another highlight was the presentation from David Moriarty at Apple – amazing data he has captured from Apple on their transaction fraud monitoring, diagnostics and anomaly detection. I liked the analogy to the Tom & Jerry cartoon – Tom continues to chase Jerry, through every scenario possible, with Jerry always finding another way to get the cheese. Chasing fraudsters is often a game of cat and mouse and no one plays it better than Tom & Jerry!

Business logic flaws got a mention from Trustwave, in their talk about hacking at the application level. I believe we will see more about business logic flaws and business logic abuse in future presentations at MRC.

Ori Eisen from 41st Parameter gave a mention to “know thy enemy” in order to fight back against fraud. Good advice. Thinking like a bad guy is a notion we exercise a lot at Silver Tail.

I witnessed considerable attention on fraud for the transaction (online purchase) – a very important process because that is where the money is. However, what if you could detect fraudulent behavior before the transaction is started? What if you could detect a fraudster based on their behavior on the website before they ever click to buy? It’s a question that has generated a lot of interest in what Silver Tail is doing. Would like to hear your comments.

March 11, 2009 | Posted in business logic abuse, Business Logic Flaw, General, Online Fraud, Trust

Making the 20 Controls for Effective Cyber Defense Approachable

SANS has published “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.  I must admit, I was pleasantly surprised by what was published.

My biggest concern prior to reading the draft was that, since this document was supposed to be all-encompassing and was very likely “written by committee”, the guidance would end up being too complicated to understand, let alone implement.  I was wrong.

The power in the document is that the recommendations are boiled down to 20 simple sentences.  Here they are:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.
  2. Inventory of Authorized and Unauthorized Software.
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
  4. Secure Configurations of Network Devices Such as Firewalls and Routers.
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps

Of course, “Boundary Defense” is not as simple as those two words imply and there are a multitude of details behind each one of these “controls”.  There is definitely a lot to be proven out about whether or not most organizations (government and industry) will be able to make sense of these directives.  But I applaud the authors for at least attempting to make the initial pass at the document un-intimidating.

Security is a complex, acronym-laden practice that can be especially difficult for the uninitiated to approach, let alone tackle.  By keeping the initial steps of this directive relatively simple, the authors have taken the right approach: make people understand that the task can be accomplished when they first start.

And that’s another strength to the structure of the document.  Since it is presented as a webpage, when you get to the bottom, there are links to separate pages for each control.  As a CISO or CTO is working through the plan, they can look at one control at a time and determine how to move forward with it without being overwhelmed by the entire document.

This may be an advantage of the internet – we hide the complexity by making a 100 page book look like a 5 page website with a few links at the end.  If this helps people feel like the task at hand is attainable, that’s a good thing.

February 26, 2009 | Posted in Compliance, Data Loss, General, Prevention
