Entries Tagged 'Security'

Open source funding down 41% in Q3

The figures originally reported here were preliminary and have been revised for a formal CAOS report to be published in the first half of 2009. In the interests of accuracy this data has now been removed. For a full assessment of VC funding in 2007 see this post.

Sourcefire buys ClamAV

Sourcefire has bought the ClamAV project for an extraordinary, one-time charge in the third quarter of 2007 of between 9¢ and 12¢ per Sourcefire share. ClamAV is an open source project that has created an anti virus engine, packages that support its use on Linux, Unix, BSD and Win32, and a signature database that currently contains more than 147,000 signatures. It is by most estimates the most commonly used open source anti virus product in the world.

The deal covers the intellectual property, copyrights, logo, domain names, Sourceforge and Freshmeat areas, naming rights and other rights to Clam, the open source anti virus engine and signature database. The ClamAV team – in particular Tomasz Kojm – will become Sourcefire employees and continue their management of the project on a day-to-day basis.

The 451 Take
This is an important deal with ramifications in the open source and proprietary software and enterprise security software industries. The acquisition, Sourcefire’s first since going public, extends and builds upon Sourcefire’s successful Snort efforts, proving the community/commercial hybrid model can not only work but work in such a way as to support a company which (current stock price woes aside) is publicly traded. Almost immediately Clam will begin to see engineering and technical support from the Sourcefire team, meaning that issues involved in Clam’s supply chain – detecting, identifying, writing signatures, testing and pushing out new signatures – will be streamlined and improved. We daresay that the Sourcefire team may learn a thing or two from the to-date under-funded Clam guys as well. Upkeep of Clam’s valuable network of mirrors will also be better funded and capable of being handled more systematically. This positions Sourcefire to release both commercial support options for ClamAV – a potentially lucrative activity, as well as to release a Unified Threat Management product sometime in 2008 – a move that could accelerate its moves into the growing SMB security business.

ClamAV Profile
Clam has seen more than 10 million downloads on SourceForge – and this represents only a percentage of total downloads, due to the diverse download sources for this application. Few open source projects have obtained this level of ubiquity. Regardless, ClamAV is one of a few ‘shining stars’ in the desktop open source space, and is one area that is ripe for the elusive SMB market. More than a million unique IP addresses download ClamAV updates daily from Clam’s 120 mirror servers located in 38 countries. Additionally, several commercial products, notably Barracuda’s successful anti-malware appliances, use Clam.

Some reasons for its popularity are its independence, its cross platform capabilities and the fact that it works well with so many popular third party mail products, such as amavisd-new, several projects that support Sendmail, Postfix, QMail, Exim and others.

Despite its open source status, Clam has done a very effective job of providing support for malware detection within popular document formats such as MS Office and MacOffice files, HTML, RTF and PDF. Its virus database is updated several times a day, and as of version 0.90 update files are provided as differential updates as opposed to shoving down the whole kit and caboodle; an issue we have noted is of increasing concern to buyers of anti malware and which we have mentioned was one stated reason that a major Fortune 20 company we recently discussed in our Market Insight Service switched from Symantec to Sophos. Especially in the developing world, large anti virus update files choke precious bandwidth.

Clam supports on-access scanning for Linux and FreeBSD, and many of the additions to the last two versions have been centered around its support of various and variously obscure archive formats, including of course Zip but also flavors of RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, etc., and built-in support for almost all mail file formats. Clam also offers built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others. Its lack of a real, marketable client-side agent (it does work with mail programs) is consistent with Sourcefire’s network-based agentless approach, and we believe that culturally there will be a great match here.

Update
On its analyst call to discuss the acquisition, Sourcefire CEO and Chairman, Wayne Jackson, confirmed that all five of the founding team members will come over as employees of Sourcefire, and repeated Sourcefire’s commitment to keeping both the Clam source code and signature database open source. Jackson said that the Clam code license would eventually match that of Snort’s GPL2 license, discussed by Marty Roesch here. The company also announced that phase I of the integration would be commercial support; phase II, upon getting a clean copy of the Clam code, would be a licensable version for vendors wishing to release products based on Clam under non-GPL agreements; and phase III, in 2008, a gateway UTM product.

We will have more complete coverage throughout the day in our TechDealmaker service.

What this means for Clam

  • Immediately Clam will begin to see engineering and technical support from the Sourcefire team, meaning that issues involved in Clam’s supply chain – detecting, identifying, writing signatures, testing and pushing out new signatures – will be streamlined and improved. We daresay that the Sourcefire team may learn a thing or two from the to-date under-funded Clam guys as well.
  • Upkeep of Clam’s valuable network of mirrors will also be better funded and capable of being handled more systematically.
  • Still unclear is what this means to ClamAV OEMs, such as Untangle, though we understand from Sourcefire that it intends to develop Clam as a license-friendly product provided that its flavor of the GPL 2 license (under which Snort is distributed) is adhered to.

What this means for Sourcefire

  • Upkeep of Clam’s valuable network of mirrors will also be better funded and capable of being handled more systematically. This positions Sourcefire to release both commercial support options for ClamAV – a potentially lucrative activity, as well as to release a Unified Threat Management product sometime in 2008 – a move that could accelerate its moves into the growing SMB security business.
  • Sourcefire continues to enjoy a great reputation with the open source community for the simple reason that it does what it promises to do: returns to the community the fruits of its labor improving Snort for use in its commercial project. This will further enhance Sourcefire’s open source cred (the usual zealots will shout about co-option).
  • Most important, this extends and builds upon Sourcefire’s successful Snort efforts, proving the community/commercial hybrid model can not only work but work in such a way as to support a company which (stock woes aside) is publicly traded.
  • This diversifies Sourcefire’s portfolio and illuminates a broader company vision as one of a few public ‘open source’ companies. This is good for the open source vendor community.
  • The worldwide network of mirrors provides Sourcefire with a greater network to push out updates more effectively and efficiently, not just to Clam signatures but also to Snort signatures.

What this means for Clam AV users and the product:

  • Continued support and updates, possibly even more than before with dedicated support and engineering on the payroll. Fixes to vulnerabilities and completed signatures may have a faster turnaround time.
  • More users, more ClamAV dominance in the open source anti-virus space, a bit more competition for Symantec, McAfee, etc.

BeCrypt, partnering with Juniper, launches USB-mounted US pre-invasion

Reading, England-based mobile device security vendor BeCrypt Data Security has released the BeCrypt Trusted Client (BTC), and announced a strategic partnership with Juniper Networks. We’re covering BeCrypt’s full strategy, history and background, as well as the competitive landscape for this type of product, in our Market Insight Service but think it deserves mention here because of its clever use of open source and off-the-shelf technologies to add value to an existing Juniper product.

Juniper will use BTC as an add-on to its Secure Access secure sockets layer virtual private network (SSL-VPN) technology, to create a product that targets enterprises wishing to grant secure remote access to large numbers of users from unmanaged endpoints like their home personal computers. BeCrypt’s day job is selling full disk encryption products certified to protect data on laptops at the United Kingdom’s Ministry of Defence that has been classified up to ‘top secret’, and has begun the FIPS certification process (but has virtually no presence) in the US.

BTC should certainly be sufficient to put BeCrypt on the radar of US companies, and that is BeCrypt’s strategy. It will be of interest to companies seeking a relatively inexpensive business continuity product — and, if they also need full disk encryption, so much the better.

BTC looks at the problem of business continuity as one of needing to get as many members of a government department or enterprise online as possible in times when travel to the office is impossible. The product would cover the legions of employees without corporate managed machines like laptops who are needed in support and logistical roles within the firm.

BTC comes on a bootable USB stick that contains a strictly limited version of BeCrypt’s operating system which was derived from the Knoppix live Linux distribution. On the disk is a browser interface, a Juniper SSL VPN client and sufficient drivers to get the user up and running in a VPN session and nothing more.

BeCrypt’s version of Knoppix offers the user no root access or access to the hard disk or peripherals other than mouse and keyboard, and controls where the user can surf by referring all TCP/IP traffic requests to the SSL VPN client. Copy protection is robust (again, details are available in our full report).

Its approach offers technical advantages over virtualized environments (like those from people like Red Cannon) though users may complain because USB-mounted Knoppix takes a good while to boot, even compared to Windows XP.

Clever use of off-the-shelf and open source technology makes BTC a fresh offering; the industrial strength full disk encryption product with which BeCrypt makes its real money will make BeCrypt a serious if small player in the US market.

But the barrier to entry for imitators in the BTC arena is low, both technically and financially. Those low barriers mean that BTC could be a Razor-board – a cool product quickly knocked off. Knockers could include everyone in the SSL VPN world and everyone in the mobile device security world.

Snort creator Sourcefire addresses lawsuit from rival NetClarity

On 25 October 2005 Sourcefire Inc, which makes internal security products and sponsors the open source Snort intrusion detection engine invented by its CTO, Marty Roesch, filed its intent to go public with the SEC. We’ve all been watching the prospective IPO with bated breath.

Sourcefire would be the first security IPO for some time, and its success – or, uh, not – will be a helpful indicator to vendors wondering whether going public is, once again, a viable exit. It’s also, we’re keenly aware, an IPO of a company which has demonstrated commitment to open source issues. If Sourcefire’s IPO goes well, it has the potential to energize companies innovating and supporting commercial adoption of open source.

In the Risks section of Sourcefire’s S-1 filing, we – like some others – noticed mention of a lawsuit filed by PredatorWatch Inc (now NetClarity) that accuses Sourcefire, Roesch, and three general partners of Inflection Point Ventures of theft of intellectual property and unjust enrichment.

While Sourcefire’s products rely on a significant amount of proprietary technology, Snort still plays an important part of what Sourcefire does, and Sourcefire sponsors open source development of Snort. The lawsuit, however, does not relate to Snort, but rather to those proprietary technologies.

We’ve read the court filings and reviewed press releases from Sourcefire plus historical website caches from PredatorWatch’s websites. We have no opinion as to the merits of the case. We do note the irony of an open source company being sued over an intellectual property dispute.

In court filings, among other things, it seems that PredatorWatch is asking this question: Did Check Point discover anything in its due diligence – the process investigating the provenance of the technologies Check Point was buying – which might relate to the lawsuit?

The suit alleges that after PredatorWatch approached Inflection Point Ventures in June 2004 for an investment and possible partnership with Sourcefire, IPV called in Roesch to review PW’s technology. IPV admits PW gave it a slide deck marked ‘Corporate confidential and trade secret’ and ‘Copyright,’ and that PW CTO Gary Miliefsky presented it to IPV. It admits Miliefsky told IPV that PW had patent applications pending. PW claims the presentation contained confidential and proprietary trade secret information about architectural features and operational mechanics of its product. The suit claims that a year later, Sourcefire upgraded its RNA/3D system to provide this functionality.

The response in court filings is unambiguous: IPV denies showing the information to Roesch; Roesch denies the key conversation that Miliefsky says took place between them, and also denies seeing anything confidential of PW’s. Sourcefire denies all substantive accusations.

What got our attention in the first place was the S-1 filing, which says:

On May 22, 2006, we answered the plaintiff’s complaint and denied each and every count contained in the plaintiff’s complaint … Our defense of this litigation, regardless of the merits of the complaint, has been, and will likely continue to be, time consuming, extremely costly and a diversion of time and attention for our technical and management personnel. Through September 30, 2006, we have spent approximately $174,000 in legal fees and expenses on this litigation and expect to incur substantial additional expenses even if we ultimately prevail. In addition, publicity related to this litigation has in the past, and could likely in the future, have a negative impact on sales of our RNA products. Sales of our RNA product amounted to $4.5 million and $2.6 million for 2005 and the nine months ended September 30, 2006, respectively.

No party to the suit would comment for the Market Development report we published in our Market Insight Service yesterday.

The suit was filed on 22 February 2006, and initially listed Check Point as an ‘equitable attachment’ defendant. Some time after Check Point pulled out of the deal on March 29, citing national security concerns by US regulators, Check Point’s name was dropped from the suit.

[Today, Check Point announced that CFIUS approved its $20m acquisition of Sourcefire competitor NFR Security.]

Regardless of this case, entirely as a separate principle, learning to manage IP during all stages of development is vitally important for any company, and will become increasingly more important – and more complicated – as enterprises adopt open source technologies.

Some great quotes on IDS from them what evade it…

Random quotes from a discussion on the Daily Dave pen testing list regarding the IPO of Sourcefire, the security company founded by Marty Roesch, the inventor of the Snort open source intrusion detection system (IDS). Priceless stuff, seeing comments on IDS from those who avoid it.

“Making IDS part of a defense in depth strategy is giving it some credit for actually providing defense, which it doesn’t do. The people who win the IDS game are the people who spend the least money on it. This is why security outsourcing makes money – it’s just as worthless as maintaining the IDS yourself, but it costs less. Likewise, Snort is a great IDS solution because it does nothing but it does it cheaper.”
— Dave Aitel

“…Defense in depth. It’s an extra barrier. You don’t not run an AV just because someone can write a custom virus it won’t detect. You run simple and automated systems that can deal with the 90% of threats that are easily managed in order to free up valuable human resource to look into the 10% that really do need to be understood. It does work; it’s just that, when working, it only has a limited role to fill and is not a one-stop-shop-one-size-fits-all-be-all-and-end-all-turnkey-security-solution. But then again, nothing is. Or at any rate, no automated system is. The only thing that really works for security is people. Lots and lots of people, looking at what’s going on and thinking about it and worrying about whether something’s wrong or not.”
— Dave Korn

Enough people here know about how IDS’s don’t live up to nearly any expectations, or how they.. do? I personally don’t believe in them in any way, I would implement them once I am done with a lot of other security measures. Now, if I am to look at what they give me vs. another box for compromising which sits in a critical location… I am not sure what choice I’d make. For some reason, people equate Intrusion Detection to IDS devices. IDS devices are signature based and try to detect bad behaviour using, erm, a sniffer or equivalent. Intrusion detection is everything which will help detect an intrusion. IDS won’t unless it’s too late, and keep you busy while you’re at it.
— Gadi Evron

I think that you are throwing away a technology because of the fact it doesn’t live up to the hype the sales monkeys have spewed. While I will agree that IDS’ are not the end all be all, they do provide a very important layer within the defense in depth strategy. Yes you can evade them, and yes most companies want to just plug them in and forget about them, but that doesn’t make the idea wrong. I am a little biased,
— Kevin (BASE Project Lead)

Nobody says it needs to be a one-size-fits-all solution – it’s just that there is a difference between something which is capable of detecting/preventing only a bunch of known exploits vs. something which is capable of preventing a known class of attacks…
–Joanna Rutkowska

Introducing the CAOS Research Service

I am pleased to announce today that we have officially launched the 451 Commercial Adoption of Open Source (CAOS) Research Service and the first CAOS Report – “Stack and Deliver,” covering the open source stack provider space. For more details on these announcements, I invite you to take a look at the two press releases that were sent out today:

The 451 Group Introduces the 451 Commercial Adoption of Open Source (CAOS) Research Service

The 451 Group Cuts Through the ‘Single Throat to Choke’ Hype from Open Source Stack Providers in New Report

Many thanks go out to Dennis Callaghan, Chris Noble, and Nick Patience, for working with me on the first CAOS Report, as well as all of you who took part in the end user survey, vendor briefings, and discussions both on and off the record. Also, many thanks go out to Rachel Chalmers for so diligently covering the open source space for The 451 Group for years and years and also authoring our special report, Cashing in on open source software, which was published last December.

I will be blogging about the various components of the CAOS Research Service in the days ahead.

Anti-Sniping move on the pen test list, the Daily Dave

From the Daily Dave, a penetration testing mailing list which has seen a couple vendors snipe back and forth at one another recently about one claiming to have found an exploit in the other’s … uh, whatever. Dave Aitel, CTO of Immunity, Inc., in an effort to settle the issue objectively, writes:

You, the vendor, provide a Virtual Machine, Installer, appliance, or similar object. I run our new MS06-014 exploit through it and tell everyone how you did. You can do it whenever you want – obviously the public will reward promptness with claps and lateness with jeers. You don’t get the exploit until the next CANVAS release, which will obviously make it a lot easier.

Get it, Dave!

Argeniss Zero Day Exploit Pack

Cesar Cerrudo, CEO of security consultancy Argeniss – who’s written some seriously interesting papers including a recent one on Windows local shellcode injection – has just released a new version of his Argeniss Ultimate 0day Exploits Pack, which runs on the Canvas platform from Immunity Security. Canvas is LGPL; both are commercial software which come with complete source code.

Argeniss’ Professional version costs $2500 for five seats, which includes three months of updates (they come monthly, also with complete source code) and email support. Additional quarters of updates and support (you can drop in and out at will) cost $1,200. Now, while this is technically open source, there are usage limitations: it’s specifically for penetration testing and evaluation in a narrowly defined range, and you must sign a non-disclosure agreement and agree not to reverse engineer it. An advanced version pre-releases zero day exploits prior to release in the monthly update cycle.

The current pack includes several pre- and post-auth zero-day exploits against Oracle Database Server ver 9i R1, R2 and 10g R1 and R2, plus Microsoft SQL Server, Exchange, Windows 2000 SP4 and others.

Gleg, Ltd also sells a zero-day exploit pack for Canvas, with zero-day exploits against Lotus Domino, Samba, Eufora, MySql, Solaris and others, but it appears to be a non-open source license. It costs $10,100 for the pack and three months of updates and support; additional quarters are $2,500.