<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Yoggie CEO Blog</title>
	<atom:link href="http://www.yoggie.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.yoggie.com/blog</link>
	<description>The Blog of Shlomo Touboul, CEO and founder of Yoggie Security Systems</description>
	<pubDate>Mon, 15 Jun 2009 08:25:17 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>Great travel companion… But how can I get the maximum out of it?</title>
		<link>http://www.yoggie.com/blog/2009/06/15/great-travel-companion%e2%80%a6-but-how-can-i-get-the-maximum-out-of-it/</link>
		<comments>http://www.yoggie.com/blog/2009/06/15/great-travel-companion%e2%80%a6-but-how-can-i-get-the-maximum-out-of-it/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 08:25:17 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Mobility]]></category>

		<category><![CDATA[Netbook]]></category>

		<category><![CDATA[Performance]]></category>

		<category><![CDATA[Spyware]]></category>

		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=30</guid>
		<description><![CDATA[I recently received an IdeaPad S10 – An outstanding netbook from Lenovo. It is relatively small, has great connectivity, and everything I need to take with me on flights and trips.
It smoothly switches from hibernation to power on and vice versa, ready to serve me when I am looking for a nearby Japanese restaurant, business [...]]]></description>
			<content:encoded><![CDATA[<p>I recently received an <a href="http://shop.lenovo.com/us/notebooks/ideapad/s-series" target="_blank">IdeaPad S10</a> – An outstanding netbook from <a href="http://www.lenovo.com/" target="_blank">Lenovo</a>. It is relatively small, has great connectivity, and everything I need to take with me on flights and trips.</p>
<p>It smoothly switches from hibernation to power on and vice versa, ready to serve me when I am looking for a nearby Japanese restaurant, business address, or my Gmail account.<br />
I also installed a copy of <a href="http://www.apple.com/mobileme/" target="_blank">MobileMe</a> client (by Apple) on it, keeping my business folders in sync on my S10, 3 Windows PCs  and my MacBook.</p>
<p>So far, all is great. The S10 comes with Norton Internet Security Suite 2009 ready to be enabled/installed.  When I did that, I ran into some major challenges (I do not like the words “issue”, “problem” and “risk” :-)). The Atom processor on my S10 is great for running Windows XP and my applications, but it was never designed to run these additional multiple security applications included in the Symantec security suite (to be accurate, nor any other vendor’s security suite) such as: Anti Virus, Anti Spyware, Web and email proxies, intrusion detection and prevention, Anti Spam, Anti Phishing, etc.</p>
<p><img class="alignleft" style="border: 1px solid black; margin: 10px; float: left;" src="/images/ideapad_s10_black.jpg" alt="Lenovo IdeaPad S10" width="425" height="323" />I immediately noticed a significant performance hit on my second reboot after getting all the recent Security Suite updates. At that point, I learned how I can really enjoy my S10.</p>
<p>The secret is to completely remove the Security Suite and disable Windows XP updates. Yes, this sounds like preparing my S10 to be shot dead on my next Internet connection, but this is the only way to really enjoy both performance and the great mobility of the handy S10.</p>
<p>I am not preaching to practice “unsafe surfing” by not using a security tool at all, but as you know, I don’t have to pay for a <strong><a href="http://www.yoggie.com/gatekeeper-card-pro">Yoggie Gatekeeper</a></strong> that perfectly fills the security gap that I created.  The S10 has a 34mm ExpressCard slot which is perfect for the <strong><a href="http://www.yoggie.com/gatekeeper-card-pro">Gatekeeper Card</a></strong>. The only drawback is that Lenovo saved some space and made the 34 mm slot shorter than the PCI standard, causing my Gatekeeper to stick out about 10 mm of its form factor, but this is something I am ready to trade with no need to run the Internet Security Suite that makes my S10 almost non usable.</p>
<p>The Windows XP updates are still missing, but I am trying to be selective and cherry-pick only those that I find very critical and that the firewall and 13 other security applications in Gatekeeper may miss.</p>
<p>So as the CEO of the hair growth company said in the TV commercial: “I am not just the company president, but I am also a user”  <img src='http://www.yoggie.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Cheers,<br />
Shlomo.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2009/06/15/great-travel-companion%e2%80%a6-but-how-can-i-get-the-maximum-out-of-it/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Mac is slowly entering the Corporate World, but can it cope with the security requirements?</title>
		<link>http://www.yoggie.com/blog/2009/06/11/mac-is-slowly-entering-the-corporate-world-but-can-it-cope-with-the-security-requirements/</link>
		<comments>http://www.yoggie.com/blog/2009/06/11/mac-is-slowly-entering-the-corporate-world-but-can-it-cope-with-the-security-requirements/#comments</comments>
		<pubDate>Thu, 11 Jun 2009 12:27:17 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Mac]]></category>

		<category><![CDATA[OS X]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=28</guid>
		<description><![CDATA[I am writing this item from Frankfurt Airport, Germany. I am using my MacBook Pro, connecting to the T-Mobile wireless account, and sharing the same infrastructure with everyone else here (same access point, same switch, sharing the same DHCP server with everyone etc.)
This has nothing to do with my post today, except that I just [...]]]></description>
			<content:encoded><![CDATA[<p>I am writing this item from Frankfurt Airport, Germany. I am using my MacBook Pro, connecting to the T-Mobile wireless account, and sharing the same infrastructure with everyone else here (same access point, same switch, sharing the same DHCP server with everyone etc.)</p>
<p>This has nothing to do with my post today, except that I just cannot tell you how I can “see everyone else, while no one can see me”. Well, not exactly. They see my <a href="http://www.yoggie.com/GatekeeperMacLife01" target="_blank"><strong>Gatekeeper for Mac</strong></a> mini-computer and my MacBook is hiding behind it (I have my own DHCP Server on the Gatekeeper) – sorry, I cannot avoid mentioning it <img src='http://www.yoggie.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p><img class="alignright" style="border: 1px solid black; float: right;" src="/images/Shlomo_tn1.png" alt="Shlomo at the Airport" width="320" height="240" />So, I am looking around and I see more Mac users than Windows-based PC users. This is not a real statistic, but the interesting point is that it’s no longer only students or young people. You start to see the suit and tie crowd using these computers, connecting to their corporate servers, “VPNing”, doing their corporate work that was totally dominated by Windows till not long ago.</p>
<p>This is in line with recent publications from analysts showing that since switching to Intel processors, Mac entered the corporate world, and is increasing its presence there. It is still a one digit % number, but this brings a new challenge to corporate IT. Many of these Mac owners are very senior employees (only senior people can decide to get a non standard corporate PC). They also expect IT to support it.</p>
<p>Mac didn’t suffer from many Viruses and Malware attacks in the past. But, as the Mac is starting to be used by senior corporate people, it becomes an attractive target, very well selected, for identity theft, hacking into financial information and sources, getting credit card information, and doing what hackers do today to Windows based PCs.  OS X is not really more secure than Windows Vista, it was just less popular.</p>
<p>For IT, this is a huge headache: not only do they lack experience and knowledge in these systems, as well as tools and infrastructure to provide adequate service, but Apple and the security vendors are not ready to provide them with security infrastructure and solutions.</p>
<p>IT doesn’t have a security response team that is gathering information from Mac security experts, building procedures and tools, and providing real-time answers to Mac related security vulnerabilities. All that they have with Windows based PCs is missing with the Mac.</p>
<p>In addition, over 15 years of progress in Windows security is missing in OS X and it takes time to catch up. Meanwhile, corporate exposure is growing, and the hackers, using strong hunting instincts, are closing in.</p>
<p>Apple is trying to close this security gap, and be proactive. Last Monday, Apple announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. I believe that Apple is trying to increase its effort and investment in security; however, they have a long way to go, and more importantly, it really requires changing some of the Apple culture and vision – which is the more difficult task.<a href="http://www.yoggie.com/GatekeeperMacLife01" target="_blank"><img class="alignright" style="border: 1px solid black; float: right;" src="/images/Shlomo_tn2.png" alt="Laptop with Gatekeeper Card" width="211" height="158" /></a></p>
<p style="text-align: left;">So, it’s not that I wish for Apple to change its culture, but instead, upon entering the corporate world, I expect Apple to grow up a bit security-wise, and step up to the challenge.</p>
<p><strong>Meanwhile, I am using my MacBook with <a href="http://www.yoggie.com/GatekeeperMacLife01" target="_blank">Gatekeeper Card</a>. <img src='http://www.yoggie.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </strong></p>
<p>Cheers,<br />
Shlomo.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2009/06/11/mac-is-slowly-entering-the-corporate-world-but-can-it-cope-with-the-security-requirements/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The Future of Internet Security – Part III</title>
		<link>http://www.yoggie.com/blog/2009/06/02/the-future-of-internet-security-%e2%80%93-part-iii/</link>
		<comments>http://www.yoggie.com/blog/2009/06/02/the-future-of-internet-security-%e2%80%93-part-iii/#comments</comments>
		<pubDate>Tue, 02 Jun 2009 16:08:54 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Spyware]]></category>

		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=26</guid>
		<description><![CDATA[In Part II, I talked about the huge challenge of Anti Virus companies facing the massive increase in the size of the Virus signature database. The problem is not only allocation of 60MB of Virus signature file into the computer’s RAM (That’s today, tomorrow it can be 1GB). It’s also the performance hit that PC [...]]]></description>
			<content:encoded><![CDATA[<p>In <a href="http://www.yoggie.com/blog/2009/05/10/the-future-o-f-internet-security-%e2%80%93-part-2/">Part II</a>, I talked about the huge challenge of Anti Virus companies facing the massive increase in the size of the Virus signature database. The problem is not only allocation of 60MB of Virus signature file into the computer’s RAM (That’s today, tomorrow it can be 1GB). It’s also the performance hit that the PC would suffer.</p>
<p>I am frequently asked by Yoggie customers and prospects about this performance hit. Everyone knows that Anti Virus software slows down the PC, but providing a simple answer is a challenge. The public records for this number vary from 15% to 55% depending on the test equipment, lab setup and the “age” of the Anti Virus software. The latter is probably the most critical one and is controlled by the Anti Virus vendor and the end user. This means that an Anti Virus released in 2007 and running on a PC for 2 years (i.e. 2 years old) will have a very different performance hit on the PC, compared to an Anti Virus that is “only” 6 months old.</p>
<p>The reason is related to the fact that the Anti Virus “update” doesn’t include just new Virus signatures. Many of these daily updates include new DLL (Dynamic Load Library = computer execution code) files designed to fight specific Virus families or instances that cannot be covered using the current Anti Virus algorithms and require specific code to effectively detect and remove such new Viruses.  As a result, older Anti Virus programs include hundreds of DLL files (Anti Virus may have 5 – 10 daily updates) acting as a collection of patches. These patches lack overall system optimization and may be seen as spaghetti code that dramatically slows down the Anti Virus execution performance.</p>
<p>Everyone knows that when first using a PC with a fresh Windows OS, it runs well with satisfying performance.  However, 9 – 12 months after, the PC starts to slow down and 1-2 years after, the PC is very slow.  Windows OS contributes to this effect; however, the Anti Virus spaghetti effect is a major contributor to it, presenting a growing problem that current technology presents no remedy to.</p>
<p>As a side tip, one can understand that one had better completely uninstall the Anti Virus of the previous year and install a brand new version from the current year. By doing just that, one should expect better performance during the months to come.</p>
<p>It is very clear that a new direction is needed. Some security companies are trying to “milk” their current technology that has been generating significant revenues during the last decade, while other security companies keep their R&amp;D teams very busy in leading the industry with breaking new technologies. These companies are usually smaller ones, maybe startup companies that try to come up with a fresh vision and a different way to solve the problem.</p>
<p>As a founder of two security companies that recognize the paradigm shift in the security market, I appreciate creative thinking, but when it comes to security I also know that a solution always gets back  to the <a href="http://www.yoggie.com/blog/2009/05/05/the-future-of-internet-security-%e2%80%93-part-i/">3 basic laws of security</a>.</p>
<p>Any breakthrough technology that tries to present a security “leap frog” step must obey these 3 laws or it will end up in the security marketplace waste basket and forgotten dead startups.</p>
<p>So, I started with description of the 3 basic laws of security in <a href="http://www.yoggie.com/blog/2009/05/05/the-future-of-internet-security-%e2%80%93-part-i/">Part I</a> and I’m returning to the same basic rules now.   Every brand new technology that is presented needs to be verified so it architecturally supports multiple lines of defense, that it applies different algorithms/technologies in every security line and that it is seeking maximum “security depth” between each security line.</p>
<p>Let’s check Yoggie’s Gatekeeper product line against the 3 basic laws of security:</p>
<p>1.    Use of multiple lines of defense: Gatekeeper comes with 13 built-in security applications.  A few, such as IDS/IPS, work on the packet level and others, such as Anti Spyware, work on layer 7, extracting file content and running file-level scanning.  Each presents a different line of defense. The IDS checks the packet stream, looking for matches with the DB of streams.  The Anti Spyware obtains a complete file from the Layer 7 proxy, performs content analysis to detect the true file type and applies a specific scanner to find a known Spyware file signature within the file structure/content. Moreover, the Gatekeeper as a whole acts as an integrated security line within the system, where the other security lines are installed inside the actual PC OS you are trying to protect.</p>
<p>2.    Yoggie’s Gatekeeper uses different technology within its built-in security lines. The IDS technology is very different than the Anti Spyware technology specified above. Also the Gatekeeper technology (content scanning) is different than the Host PC security application (i.e. Windows/Mac based Anti Virus)  which is scanning run-time code.</p>
<p>3.    Yoggie’s Gatekeeper detects and stops the attack and threat before it lands inside the protected PC OS. This means that the PC security application will not see screened attacks stopped by the Gatekeeper. That constitutes a “security depth” between the Gatekeeper and the PC. Moreover, the Gatekeeper hides the PC using NAT technology making it invisible to the other PCs that are connected to the same public network.</p>
<p>Needless to say, the 3 basic laws of security are not everything needed in security systems. Corporate IT requires policy enforcement mechanisms, management, reporting tools, etc. But the 3 laws provide an efficient and successful tool to check any security system and to allow maximum security with minimal redundancy.</p>
<p>That’s for today; stay tuned for additional topics, soon.</p>
<p>Cheers,<br />
Shlomo.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2009/06/02/the-future-of-internet-security-%e2%80%93-part-iii/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The Future of Internet Security – Part II</title>
		<link>http://www.yoggie.com/blog/2009/05/10/the-future-o-f-internet-security-%e2%80%93-part-2/</link>
		<comments>http://www.yoggie.com/blog/2009/05/10/the-future-o-f-internet-security-%e2%80%93-part-2/#comments</comments>
		<pubDate>Sun, 10 May 2009 09:39:48 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Spyware]]></category>

		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=24</guid>
		<description><![CDATA[So, Shlomo, why did you bring back your idea from 1996? Is this really what is needed now? How can this help? These are some of the questions that colleagues asked me, after publishing my last blog.
Let’s take a deep look at the scope of the Anti Virus challenges. The graph below shows how [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">So, Shlomo, why did you bring back your idea from 1996? Is this really what is needed now? How can this help? These are some of the questions that colleagues asked me, after publishing my last blog.<span> </span></p>
<p class="MsoNormal"><span>Let’s take a deep look at the scope of the Anti Virus challenges. The graph below shows how the number of signatures within the DB is growing. Today, most of the DB sizes range from <span> </span>50MB to 60MB in RAM. The better the job the Anti Virus company is doing, the fewer signatures cover more Malware, meaning smaller memory footprint and lower CPU cycles consumption. </span></p>
<p class="MsoNormal" style="text-align: center;"><span><span> <img class="aligncenter" style="border: 0pt none;" src="http://www.yoggie.com/blog/kaspersky-graph.gif" alt="" width="384" height="297" /></span></span></p>
<p class="MsoNormal" style="text-align: center;"><em><span>Source: Kaspersky Lab Virus Statistics</span></em></p>
<p class="MsoNormal" style="text-align: left;"><em><span><span style="font-style: normal;">However, if this trend continues, within 3-4 years the size of the DB will reach 1GByte. It’s hard to see that PC users will agree to pay the toll of the largest PC application. Needless to mention how long it will take a PC to startup and how slow Windows will be. A huge application will scan every file operation, local or in the network, against a huge DB…</span></span></em></p>
<p class="MsoNormal"><span>So, most of the AV companies<span> </span>are rushing these days to the open warm arms of In The Cloud Security (ITCS) technology.<span> </span>What is so promising about ITCS?</span></p>
<p class="MsoNormal"><span>First, how does it work? A collection of servers (cloud) stores the large signature DB and a powerful scanner. CPU and memory resources can easily be added to the cloud to maintain high performance with no effect on service availability. Most end users have a high-speed connection to the internet, which will be used by a “thin” AV client installed on the PC. The thin AV client will create a checksum for every file (instead of scanning for a known Malware signature) and will send the checksum to the cloud. The cloud will check if a file with the specific checksum has the signature of known Malware. If such a match is found, the thin client will notify of the Malware attempt and will delete the file. If there is no known Malware associated with the checksum, the file will be loaded, executed or opened on the PC.</span></p>
<p class="MsoNormal"><span>The result is a small footprint on the PC (little memory consumption) regardless of the size of the signature DB.<span> </span>Assuming a high-speed network and a powerful cloud, a performance improvement may be achieved also.</span></p>
<p class="MsoNormal"><span>Where is the drawback?</span></p>
<p class="MsoNormal"><span>The above technology is very good at outbreak time. However, the nature of the internet means that millions of new files are born every day. There are many new programs, scripts, HTML pages (which need to be scanned too), potential email phishing and SPAM, etc. If the client reaches a new file, the cloud may not have its checksum ready. In such a case the cloud or the client needs to download the entire file, scan it, return the result and store the new checksum and scan result. Since this happens very often, such a delay may occur every day, reducing the effectiveness of the cloud.</span></p>
<p class="MsoNormal"><span>One way in which Anti Virus companies want to mitigate this drawback is by adding a long white list to the cloud. The file white list will have checksums of non Malware files and will be maintained on a daily basis. They are also considering adding proactive scanning, which adds a lot of false positives. The combination of white list and proactive scanning may improve the solution and reduce the symptoms, but does not really fix the problem.</span></p>
<p class="MsoNormal"><span>So, again,<span> </span>what does all of this have to do with the 3 laws of security and what does it have to do with Yoggie?</span></p>
<p class="MsoNormal"><span>For that, you will need to read Part III of this blog thread.</span></p>
<p class="MsoNormal"><span>Stay tuned, Part III will come soon.<span> </span></span></p>
<p class="MsoNormal"><span>Cheers, Shlomo.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2009/05/10/the-future-o-f-internet-security-%e2%80%93-part-2/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The Future of Internet Security – Part I</title>
		<link>http://www.yoggie.com/blog/2009/05/05/the-future-of-internet-security-%e2%80%93-part-i/</link>
		<comments>http://www.yoggie.com/blog/2009/05/05/the-future-of-internet-security-%e2%80%93-part-i/#comments</comments>
		<pubDate>Tue, 05 May 2009 09:14:25 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Spyware]]></category>

		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=22</guid>
		<description><![CDATA[Since early 2008, we witnessed a major increase in Malware. If you check your Anti Virus signature database, you will find that it grew by hundreds of percent, and keeps growing. It’s not a surprise at all. When I founded my previous company – Finjan Software in 1996, our “elevator pitch” was that due to [...]]]></description>
			<content:encoded><![CDATA[<p>Since early 2008, we witnessed a major increase in Malware. If you check your Anti Virus signature database, you will find that it grew by hundreds of percent, and keeps growing. It’s not a surprise at all. When I founded my previous company – <a href="http://www.finjan.com/" target="_blank">Finjan Software</a> in 1996, our “<a href="http://en.wikipedia.org/wiki/Elevator_pitch" target="_blank">elevator pitch</a>” was that due to the explosive nature of the internet, signature based Anti Virus will not be able to catch up with newly released Malware. The Internet offers a super-connected, unique platform of widely “open” operating systems with published APIs (such as Windows), many tools to build Malware with minimal technical knowledge and the ability to send CODE, not just data, from one computer to another.</p>
<p>It was only a question of time to reach the point of half a million Malware signatures in the DB. That requires too much RAM on the PC and will demand too much of its CPU cycles to operate. Today, most of the industry experts will agree with the vision of Finjan 96: we need more security, we need it differently and we cannot pay the current toll to implement.</p>
<p>So, where do we go from here? Back to basics. The following 3 principles are the 3 laws/pillars of any security system. It can be a military line of defense, it can be vault security and it can definitely be Internet Security:</p>
<p><strong>Law #1</strong>: Use multiple lines of defense<br />
<strong>Law #2</strong>: Use different security technology/strategy in every line of defense<br />
<strong>Law #3</strong>: Seek maximum “depth” between each security line</p>
<p><img class="alignright" style="float: right;" src="/images/security-layers.png" alt="Security Lines of Defense" />Law #1 and #2 refer to the fact that every security line is like a net with certain holes. Using multiple nets, each with different holes, assures that they cover for each other, making the combined meshed net one with far fewer security holes, or in other words, shrinking the security holes.  This is true only if one is using different security technology on every line of defense, assuring that each will have different security holes; otherwise, the effort is useless and the additional defense lines are redundant.</p>
<p>Law #3 requires “security depth” in between each security line. It represents the attempt to keep the attack far from its target. This is easy to understand when guarding a country border and less clear to understand in Internet Security or Computing Security. So, as an example let’s refer to securing a corporation from internet Malware.  Nowadays, most employees enjoy access to the Internet from their corporate computers. It is the IT’s role to assure maximum security for these PCs reducing to minimum the risk presented by the Internet. A close look at a typical corporation shows that IT deploys at least two security lines. One at the Gateway level, where Firewall, Intrusion Detection and Prevention Systems (<a href="http://en.wikipedia.org/wiki/Intrusion_detection_system" target="_blank">IDS</a>/<a href="http://en.wikipedia.org/wiki/Intrusion-prevention_system">IPS</a>) are deployed, continue with Web and Mail Proxies equipped with Anti Virus, Anti Spyware, Anti SPAM and Anti Phishing systems.  This line of defense screens the traffic arriving from the Internet before it is transferred to the PC connected to the Corporate network. This is Defense Line #1. The technology used is “content inspection” from the packet level up to and above the application level. IT also deploys a second line of defense. It is a host based security running an Internet Security suite on every PC.  It can be <a href="http://www.symantec.com/" target="_blank">Norton</a> Internet Security, <a href="http://www.mcafee.com/" target="_blank">McAfee</a> Internet Security or any other Security Suite from manufacturers such as <a href="http://trendmicro.com/" target="_blank">Trend Micro</a>, <a href="http://www.kaspersky.com/" target="_blank">Kaspersky</a>, etc. This is Defense Line #2. It is used during runtime on the PC and intercepts execution of every application or code arriving from the internet checking it against Malware Signature DB to detect a known attack.
It is easy to see that Line #2 uses different technology than Line #1 and therefore obeys Laws #1 and #2 mentioned above. The fact that the traffic from the internet first faces the IT Line #1 and only after being screened continues inside and lands on the PC and Line #2 provides a “security depth”. It also means that the threat and the attacks that are stopped by Line #1 never reach Line #2 or the PC, again constituting a “security depth” or “security zone” that stops the attacks far from their target.</p>
<p>So, what I am suggesting in this blog post is that in order to successfully defend a PC and its resources/information from Malware on the internet, a security system is required: one that effectively implements the above 3 basic laws of security. This means that we need to use different security technologies, deployed over different security lines with “security depth” in between them, which makes the entire solution effective while minimizing the performance toll on the PC CPU. Does it sound like asking too much? Well, if you do not seek something, you will never get it.</p>
<p>I strongly believe that adding thousands of Malware signatures to an already huge DB, hoping that this will be the best technology to fight Malware, is an old, overstretched strategy that is facing the wall. Also, alternative solutions that do not follow the 3 basic Laws of security will fail, by definition, to meet the challenge of exploding Malware on the Internet.</p>
<p>Stay tuned, Part II will come soon.</p>
<p>Meanwhile, please feel free to comment and post suggestions, questions, etc.<br />
Cheers, Shlomo.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2009/05/05/the-future-of-internet-security-%e2%80%93-part-i/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Where did you disappear?</title>
		<link>http://www.yoggie.com/blog/2009/04/13/where-did-you-disappear/</link>
		<comments>http://www.yoggie.com/blog/2009/04/13/where-did-you-disappear/#comments</comments>
		<pubDate>Mon, 13 Apr 2009 14:08:44 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Online Anonymity]]></category>

		<category><![CDATA[Secuirty]]></category>

		<category><![CDATA[TOR]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=20</guid>
		<description><![CDATA[A few of you approached me recently, asking me why I didn’t post any new update on this blog.
Well, beyond the apology, I can only say – I was busy. Busy. And even very busy.
We are working on a few new revolutionary products and all of us here are totally in it. Very simple.
You now may [...]]]></description>
			<content:encoded><![CDATA[<p>A few of you approached me recently, asking me why I didn’t post any new update on this blog.<br />
Well, beyond the apology, I can only say – I was busy. Busy. And even very busy.<br />
We are working on a few new revolutionary products and all of us here are totally in it. Very simple.</p>
<p>You now may be curious - &#8220;What are they cooking over there for so long?” and I will try to direct you to places you might find new Yoggie offerings soon.<br />
And it’s not that we are done with the existing Gatekeeper product. You probably know that recently (just a few weeks ago) the Online Anonymity application was added to all our install base.<br />
Every Gatekeeper now includes application number 13 (or 14 for the Gatekeeper Pro line), which provides an integrated TOR client and servers (<a href="http://www.torproject.org/" target="_blank">http://www.torproject.org/</a>). This means that all the traffic departing from the Gatekeeper is encrypted all the way up to the last TOR server, which decrypts the information and issues a local connection to the requested Web server. It even allows the user to select a country IP and to appear as an IP address from a specific geographic location. For example, a user connecting from a Starbucks in Boston can appear to a German Web Site as a German user with a German IP address, etc.</p>
<p>Who needs it?<br />
If you surf from a public network (wireless or wired) and you want to make sure that no one around will sniff your web activity.<br />
Or if you want to see how a US Web site appears to a US user, while you are actually in London or anywhere outside the USA, for instance.</p>
<p>Yes, using TOR on the way to the destination Web server will probably introduce some slowdown but:<br />
1. It may be your only way to view locale-dependent content on that Web server. Surfing from a remote country may hide local content.<br />
2. Each time you enable the online anonymity function of the Gatekeeper, it establishes a new routing using different TOR servers, so performance may improve if you get powerful TOR servers assigned by the TOR network.</p>
<p>So, as you see, we keep improving and adding more functionality to the Gatekeeper, and we are busy extending our product line offering. To keep you returning to this blog to read the next news, I will not mention the products today, but will tell you it’s in the field of data security and specifically in securing removable storage.</p>
<p>That’s it for today. Please do not hesitate to contact me with queries, requests for information, etc., and I will do my best to get back quickly.</p>
<p>Cheers,<br />
Shlomo.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2009/04/13/where-did-you-disappear/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Yoggie Opens up its Miniature Hardware Firewall! Why?!</title>
		<link>http://www.yoggie.com/blog/2008/11/23/yoggie-opens-up-its-miniature-hardware-firewall-why/</link>
		<comments>http://www.yoggie.com/blog/2008/11/23/yoggie-opens-up-its-miniature-hardware-firewall-why/#comments</comments>
		<pubDate>Sun, 23 Nov 2008 09:00:36 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[Developers]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Open Firewall]]></category>

		<category><![CDATA[Pico]]></category>

		<category><![CDATA[SDK]]></category>

		<category><![CDATA[SOHO]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=18</guid>
		<description><![CDATA[You probably read on our web site that Yoggie Security Systems™ launched its new Open Firewall Pico and Open Firewall SOHO.  This means that we made an SDK and the BSP source code of our Firewall product line available to download from our web site and that developers and hobbyists can buy (very inexpensively $49 [...]]]></description>
			<content:encoded><![CDATA[<p>You probably read on our web site that Yoggie Security Systems™ launched its new <a href="http://www.yoggie.com/open-firewall-pico">Open Firewall Pico</a> and <a href="http://www.yoggie.com/open-firewall-soho">Open Firewall SOHO</a>. This means that we made an SDK and the BSP source code of our Firewall product line available to download from our web site, and that developers and hobbyists can buy (very inexpensively, at $49 and $79) the hardware to develop on. If you are not one of our customers who have kept asking for this since we launched our first product, you probably ask yourself “Why are they doing this?” or “Why is a security company opening its platform, are they nuts, hackers will try to break it”.</p>
<p>Well, this is really part of the idea. I mean, not that Yoggie is nuts, but that having hackers break into our system is <img class="alignleft" style="float: left;" src="http://www.yoggie.com/images/products/open-firewall-pico_thumbnail.jpg" alt="Open Firewall Pico" width="150" height="104" />something that we believe can help: help us to improve our products, and therefore help everyone. Some people may think, “a bunch of naives…” but while we understand that some may use it for a negative purpose, we are all going to benefit from those who will report Yoggie bugs and help us improve the overall security of our products. Unfortunately we cannot yet open every piece of code, but over time, you should expect more and more to open up.</p>
<p>This is not the only reason for opening our Firewall platform. Since day one of Yoggie, we have had so many amazing ideas on what can be done with it. So many applications could benefit from a miniature robust hardware platform, running Linux 2.6 and coupled with a Windows PC or Mac computer. Many of these ideas could be a great base for new companies, and as success requires focusing on the core expertise, we at Yoggie are forced, for now, not to do many of the things we can and may want to.</p>
<p>What happened internally over the last 3 years at Yoggie also happened externally with our great loyal customers. They come up with so many ideas of what to do, and challenge us by asking to be allowed to do it. Now, finally, we address this internal and external desire.</p>
<p>Everyone can buy Open Firewall hardware (Pico or SOHO) and start to develop their own application, share their contribution with everyone else and help us improve our platform, for the benefit of everyone.</p>
<p>BTW, one of the early applications we compiled and loaded into the Yoggie hardware is <a href="http://www.asterisk.org/" target="_blank">Asterisk</a>. Many of you <img class="alignleft" style="float: left;" src="http://www.yoggie.com/images/products/open-firewall-soho_thumbnail.jpg" alt="Open Firewall SOHO" width="150" height="92" />know this great digital PBX that can easily serve many IP Phones at home and in small offices. In fact, one of our developers loaded it on Open Firewall SOHO and made calls out of it. We do not have it as a project in Yoggie, so I cannot have it loaded in the <a href="http://www.yoggie.com/developers">Yoggie Developer Community</a> repository; however, I am sure that soon, some of you will do so. The SOHO version comes with 2 RJ45 sockets, so you can easily connect the digital phone line to the “network” interface, and the IP headsets to the other connection, having a very rich and powerful full digital telephony system at a cost of $79.</p>
<p>Another example I saw was activating the DNS server (already in the original pack) and using it in a home office to speed up DNS requests (no need to go to the ISP DNS for resolutions).</p>
<p>Think of a Linux box, and this is your new $49 or $79 miniature Linux box. BTW, the SOHO version comes with an SD slot, so you can add many GB and mount them for extra storage. What to do with it? Maybe a home Web server acting as a media server. You can open ports and forward external HTTP calls to this server only, and you can now let your family and friends access it from the outside.</p>
<p>You can have your personal Mail Server running there and, again, have it fetch your email locally from 5 different web mail accounts and forward it to a single mailbox.</p>
<p>If you have strong network expertise, I am sure you can use it to monitor and maybe manipulate network traffic for different uses. You can divert traffic, hunt for specific traffic and implement many network based applications.</p>
<p>I am sure you may have more and better ideas. If you want to propose and share, please feel free to do so; beyond the developer forum, I will publish some here on my blog and will comment back.</p>
<p>That’s it for today. Please feel free to post your comments here; I will do my best to reply.</p>
<p>Cheers,<br />
Shlomo.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2008/11/23/yoggie-opens-up-its-miniature-hardware-firewall-why/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Vote for Yoggie as Gadget of the Year</title>
		<link>http://www.yoggie.com/blog/2008/11/11/vote-for-yoggie-as-gadget-of-the-year/</link>
		<comments>http://www.yoggie.com/blog/2008/11/11/vote-for-yoggie-as-gadget-of-the-year/#comments</comments>
		<pubDate>Tue, 11 Nov 2008 14:07:06 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Competition]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Pico]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=16</guid>
		<description><![CDATA[We’re very excited and proud to announce that Gatekeeper Pico has been selected as one of the top 10 gadgets of the year by The Gadget Show Web site. We&#8217;re competing against the likes of Apple&#8217;s iPhone, Wii Fit and Asus Eee PC. Not a bad group to be a part of..  
The Gadget [...]]]></description>
			<content:encoded><![CDATA[<p>We’re very excited and proud to announce that Gatekeeper Pico has been selected as one of the top 10 gadgets of the year by The Gadget Show Web site. We&#8217;re competing against the likes of Apple&#8217;s <a href="http://www.apple.com/iphone/" target="_blank">iPhone</a>, <a href="http://nintendo.com/wiifit" target="_blank">Wii Fit</a> and <a href="http://www.asuseeepc.com/" target="_blank">Asus Eee</a> PC. Not a bad group to be a part of.. <img src='http://www.yoggie.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p>The Gadget Show is the most popular prime time gadget TV show in the UK!</p>
<p>Please <a href="http://fwd.five.tv/gadget-show/goty" target="_blank">vote for Yoggie</a> (scroll down to Yoggie at the bottom). Feel free to watch the <a href="http://fwd.five.tv/gadgets/computing/yoggie-gatekeeper-pico" target="_blank">Yoggie appearances online</a>.<br />
Thank<a href="http://fwd.five.tv/gadget-show/goty" target="_blank"><img class="alignright" style="float: right;" src="http://www.yoggie.com/images/gadget-vote.gif" alt="Yoggie Gadget of the Year 2008" width="150" height="61" /></a> you for your support!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2008/11/11/vote-for-yoggie-as-gadget-of-the-year/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Mac Version Announced!</title>
		<link>http://www.yoggie.com/blog/2008/11/11/mac-version-announced/</link>
		<comments>http://www.yoggie.com/blog/2008/11/11/mac-version-announced/#comments</comments>
		<pubDate>Tue, 11 Nov 2008 14:06:46 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Yoggie]]></category>

		<category><![CDATA[Mac]]></category>

		<category><![CDATA[OS X]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=14</guid>
		<description><![CDATA[If you&#8217;re a Mac user or fan (or both, as in most cases!), I&#8217;m delighted to let you know that Yoggie Security Systems™ announced the world’s first miniature hardware internet security devices for MacBooks and Mac desktop computers. 
The new Gatekeeper Pico™ for Mac and Gatekeeper Card Pro™ for Mac provide 12 internet security applications [...]]]></description>
			<content:encoded><![CDATA[<p>If you&#8217;re a Mac user or fan (or both, as in most cases!), I&#8217;m delighted to let you know that Yoggie Security Systems™ announced the world’s first miniature hardware internet security devices for MacBooks and Mac desktop computers. <img class="alignright" style="float: right;" src="http://www.yoggie.com/images/mac.png" alt="Yoggie for Mac" width="253" height="87" /></p>
<p>The new Gatekeeper Pico™ for Mac and Gatekeeper Card Pro™ for Mac provide 12 internet security applications on a dedicated hardware platform that offloads security, improves productivity and protects users wherever they connect.</p>
<p><strong><span style="color: #ff0000;">Special Time-Limited Offer</span>: PRE-ORDER Gatekeeper Mac Version!</strong></p>
<p>Both are available for pre-order today and will be shipped and available for sale from 1 December 2008 online at www.yoggie.com and soon at leading etailers and retailers.</p>
<p>Yoggie invites you to Pre-Order now and be among the first to own these exciting new products, for a special time-limited 20% discount off of the official price!</p>
<p><strong><a href="http://www.yoggie.com/Yoggie-Security-Systems-launches-first-miniature-security-computer-for-Mac-laptops-and-desktops">Read More and Pre-Order</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2008/11/11/mac-version-announced/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Facebook Virus</title>
		<link>http://www.yoggie.com/blog/2008/08/27/facebook-virus/</link>
		<comments>http://www.yoggie.com/blog/2008/08/27/facebook-virus/#comments</comments>
		<pubDate>Wed, 27 Aug 2008 12:43:59 +0000</pubDate>
		<dc:creator>Shlomo Touboul</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Facebook]]></category>

		<category><![CDATA[Gatekeeper]]></category>

		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Spyware]]></category>

		<category><![CDATA[Virus]]></category>

		<category><![CDATA[Yoggie]]></category>

		<guid isPermaLink="false">http://www.yoggie.com/blog/?p=13</guid>
		<description><![CDATA[The internet has been buzzing the last couple of weeks regarding the &#8220;Facebook virus&#8221; that started to spread around.
That&#8217;s natural, the Social Web, Web 2.0 and Facebook specifically have been the hot internet subject material in the last couple of weeks. Practically everyone is on Facebook these days.
And now Facebook is used to spread viruses! [...]]]></description>
			<content:encoded><![CDATA[<p>The internet has been buzzing the last couple of weeks regarding the &#8220;<a href="http://www.techcrunch.com/2008/08/07/elaborate-facebook-worm-virus-spreading/" target="_blank">Facebook virus</a>&#8221; that started to spread around.<br />
That&#8217;s natural, the <a href="http://en.wikipedia.org/wiki/Social_web" target="_blank">Social Web</a>, <a href="http://en.wikipedia.org/wiki/Web_2.0" target="_blank">Web 2.0</a> and <a href="http://www.facebook.com/" target="_blank">Facebook</a> specifically have been the hot internet subject material in the last couple of weeks. Practically everyone is on <a href="http://www.facebook.com/" target="_blank">Facebook</a> these days.<br />
And now Facebook is used to spread viruses! Scary, right?</p>
<p><img class="alignleft" style="float: left; margin-left: 0px; margin-right: 3px;" src="http://profile.ak.facebook.com/object2/1310/46/l20531316728_5806.jpg" alt="Facebook Logo" width="200" align="left" /> Well.. The truth of the matter is that technically, <a href="http://www.facebook.com/" target="_blank">Facebook</a> is not exploited in any way. Yes, it&#8217;s a convenient platform for a virus to work with, but the virus is not using any vulnerability in <a href="http://www.facebook.com/" target="_blank">Facebook</a> itself.<br />
The Facebook Virus is really a great example of how a virus, and a relatively simple one at that, can infect so many people by using a series of multiple attack tactics and a lot of &#8220;<a href="http://en.wikipedia.org/wiki/Social_engineering_(security)" target="_blank">social engineering</a>&#8221;.</p>
<p>The attack begins with a classic <a href="http://en.wikipedia.org/wiki/Phishing" target="_blank">Phishing</a> email attack. Many people are spammed by emails luring them into clicking a link claiming to be to Facebook.<br />
Clicking on the link takes you to a Phishing Web site that looks exactly like Facebook, and even has a very similar domain name.<br />
The user is asked to log in, and enters his username and password credentials.<br />
At that moment the trap has sprung and the attacker has complete control over the victim&#8217;s Facebook, since he can log in as the user. This victim is &#8220;patient zero&#8221; in a sense.</p>
<p><a href="http://www.yoggie.com/download/screenshot.png" target="_blank"><img src="http://www.yoggie.com/download/screenshot-thumbnail.jpg" alt="Screenshot thumb" width="555" height="311" align="center" /></a></p>
<p>In the next step, the attacker logs into the victim&#8217;s Facebook and sends a message to all the victim&#8217;s friends, providing a link to a &#8220;funny video&#8221;.<br />
The Website looks almost exactly like YouTube and the user tries to play the video, triggering a message saying that the Flash player needs to be updated.<br />
The user then downloads the &#8220;Flash player update&#8221;, which is the actual payload of the whole attack: this is the <a href="http://en.wikipedia.org/wiki/Malware" target="_blank">malware</a>. This <a href="http://en.wikipedia.org/wiki/Malware" target="_blank">malware</a>, or <a href="http://en.wikipedia.org/wiki/Spyware" target="_blank">spyware</a>, opens your computer up completely and herds it into a <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnet</a>.</p>
<p><strong>To summarize:</strong></p>
<p>While Facebook does indeed provide a great platform for viral distribution, the technical methods by which attackers reach their victims are anything but new. It&#8217;s simply an elegant combination of &#8220;good old&#8221; <a href="http://en.wikipedia.org/wiki/Phishing" target="_blank">Phishing</a> and <a href="http://en.wikipedia.org/wiki/Social_engineering_(security)" target="_blank">social engineering</a>. Each step could have maybe been detected by a clever user, but the combination of them works better on the target. The same spyware link could have just been sent in an email – but very few people would have clicked it. What makes it stronger is that a known and trusted friend on Facebook sent it. Moreover, you don&#8217;t just download anything, it&#8217;s simply a Flash update file that you need in order to see that great funny movie.<br />
So nothing special technically here, but a great example for social engineering techniques.</p>
<p>This is how you can protect yourself from this attack:</p>
<p><strong>1. </strong>Since the attack, as described above, is composed of several consecutive smaller attacks, your defense should be multi-layered as well. This attack can be stopped by your security measures at several different points. The phishing email can be detected as such and blocked, the phishing Web site can be detected as such and blocked, and the spyware application itself can be detected by an anti-virus and stopped. You should have all these measures in place.<br />
And how do we at <strong><a href="http://www.yoggie.com/" target="_blank">Yoggie</a></strong> implement this? Simple. <strong><a href="http://www.yoggie.com/" target="_blank">Yoggie</a></strong>&#8217;s products cram 12 different security applications inside the device. You have multiple engines protecting you transparently. This attack would be blocked at multiple different steps by Yoggie devices. Moreover, the attack itself was first <a href="http://www.kaspersky.com/news?id=207575670" target="_blank">detected and reported by Kaspersky</a>, which is the anti-virus engine that Yoggie uses inside.</p>
<p><strong>2.</strong> Make sure all your security measures are up to date!<br />
This is super important: it&#8217;s not enough to have security measures in place. The security applications you use must always be updated, otherwise they are useless.<br />
In a worst-case scenario, when your security measures have failed to detect the Facebook attack at any other point, an updated anti-virus would already be familiar with the spyware&#8217;s signature and stop it dead in its tracks.<br />
And how do we at <strong><a href="http://www.yoggie.com/" target="_blank">Yoggie</a> </strong>implement this? Even simpler. All <strong><a href="http://www.yoggie.com/" target="_blank">Yoggie</a></strong>&#8217;s products automatically and transparently update all the different engines running inside. EVERY 5 MINUTES. And the user doesn&#8217;t even feel it is happening.</p>
<p><strong>3. </strong>The most important and simplest advice is this – Never EVER click on anything before careful consideration. I can&#8217;t stress this enough. It can be a link in an email message. A link in an instant message. A Web link in Facebook. Always be suspicious of such links. Always check the browser&#8217;s status bar before actually clicking the link, to make sure the URL you will get to is indeed where you want to go.</p>
<p><em><strong>Note:</strong> this post is based on researching the reported information online and not on first-hand analysis of the virus.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.yoggie.com/blog/2008/08/27/facebook-virus/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
