The Intangible Costs of Hacks Like HBO, Netflix, Sony (and What You Can Do About Them)
Posted on by Zuly GonzalezCategories Computer Security, SecurityLeave a comment on The Intangible Costs of Hacks Like HBO, Netflix, Sony (and What You Can Do About Them)

Browser Isolation Prevents Media and Entertainment Cyber Attacks

In the pantheon of hacks and corporate fallout from them, well-publicized hacks like HBO, Netflix and Sony have been in the spotlight for quite some time. As is the case with any data breach, such hacks have costs associated with legal reviews, security remediation, and forensic investigations. Whether driven by money, mischief, malice or just plain mistakes, it has unfortunately become a cost of doing business today.

What often goes unnoticed is the toll such incidents take on media partners who, in order to comply with the media giant’s security requirements, tend to take extreme measures that hurt productivity and reduce profitability. Amidst this cyber-chaos, can companies protect themselves by improving their security posture while lowering operational costs and driving productivity and profitability?

A guest article that I wrote for the M&E Journal talks about what those intangible costs are and how some of those costs can be mitigated to achieve higher employee productivity while lowering costs and driving profitability.

In the article I discuss:

  • Why media studios get hacked
  • The direct costs associated with media studios getting hacked
  • The indirect costs associated with media studios getting hacked
  • How Remote Browser Isolation prevents media studio breaches

You can read my article on the MESA website here. Or view the full PDF version here.

If you’d like to learn more about how Remote Browser Isolation can help your studio meet MPAA compliance around internet access, download our free white paper Isolated Web Browsing in Compliance With the MPAA Content Security Program.

Why Sandboxes Will Never Be As Secure As Remote Browser Isolation
Why Sandboxes Will Never Be As Secure As Remote Browser Isolation
Posted on by Beau AdkinsCategories Computer Security, Featured, Light Point Web, Security, Web SecurityLeave a comment on Why Sandboxes Will Never Be As Secure As Remote Browser Isolation

Google ChromeA few months back, Google released details about a Google Chrome vulnerability being exploited in the wild. While the details about the Chrome vulnerability were informative, what I personally found interesting was the details about a second vulnerability in Microsoft Windows that was being exploited in tandem with this vulnerability.

As you may know, Google Chrome uses a security sandbox around the Chrome renderer processes as a way to mitigate any exploit in the browser. The thought is that if/when the Chrome browser gets exploited, the security sandbox can stop the exploit code from causing any damage to the host system.

For this particular security release, it says that a use-after-free bug in Chrome was being used to exploit the Chrome browser. Then, it used this second bug in Microsoft Windows to escape the sandbox.

This highlights one of the main weaknesses of sandbox technology in general. In one approach, an attacker can try to escape a sandbox by finding a flaw in the sandbox itself. If a sandbox is really well designed (as the Chrome sandbox is), this can be a daunting task. But, due to how sandboxes work, attackers could always just exploit the host operating system kernel instead, like they did in this particular attack. This is oftentimes an easier way to escape a sandbox, since the attackers can leverage the much larger attack surface of the OS kernel.

Remote Browser Isolation, like used in Light Point Web, takes the concept of a security sandbox to the next level. Instead of using the operating system to try to isolate a risky browser process, we move the browsing process off of the system entirely. This makes it impossible for exploit code to even attempt to attack the user’s local operating system. Attacks like the one discussed here are completely mitigated when using Light Point Web, even if you are using a vulnerable version of Chrome and/or Windows.

Zuly Gonzalez Light Point Security Techno Security Conference 2019
Presenting at the 2019 Techno Security & Digital Forensics Conference
Posted on by Zuly GonzalezCategories Computer Security, Events, Security, Web SecurityLeave a comment on Presenting at the 2019 Techno Security & Digital Forensics Conference

Zuly Gonzalez Light Point Security Techno Security Conference 2019

I will be speaking at the Techno Security & Digital Forensics Conference next week. I’m looking forward to it. This will mark my third consecutive year speaking at the conference, and it is always a good time. Partly because it’s held at Myrtle Beach (how can you go wrong with that!), and partly because everyone that attends the conference is friendly and easy going.

The conference runs June 2-5, 2019 at the Marriott Resort at Grande Dunes with most of the sessions happening on the 3rd and 4th of June. My presentation is on June 3 from 1:30 PM – 2:20 PM. Here’s the abstract:

Protecting Your Identity When Performing Online Investigations

The web is a powerful tool for criminal investigators who use it to gather information about criminals, and learn about their activities, interests and motivations. However, online investigators need to take extra precautions to hide their identities, and protect themselves and their organizations from the criminals they are targeting. Many of the tools used today by investigators to anonymize their online identities can inadvertently reveal information about them, and tip their hands during a critical investigation. In this session, you will learn about the various tools you can use to browse the web anonymously, how to use them properly, and the pitfalls of each.

If you’d like to attend the conference, you can register here. Use our promo code SPK19 to get a 30% discount on registration.

Light Point Security Wins InfoSec Award For Browser Isolation
Light Point Security Wins the 2019 InfoSec Award for Browser Isolation
Posted on by Zuly GonzalezCategories Light Point Security Update, SecurityLeave a comment on Light Point Security Wins the 2019 InfoSec Award for Browser Isolation

Light Point Security Wins InfoSec Award For Browser IsolationI am pleased to share that Light Point Security has won the Cyber Defense Magazine (CDM) 2019 InfoSec Award for the Browser Isolation category. CDM evaluated nearly 3,000 cybersecurity companies and selected winners in several different technology categories. Light Point Security was the only company recognized in the Browser Isolation category.

CDM selected Light Point Security as the top Browser Isolation company for being an innovative player, having great executives, and offering new and unique technology.

It’s rewarding to be recognized as an industry leader, and receiving this award demonstrates Light Point Web’s power and proficiency at defeating web-based malware.

To read the full press release, click here: Light Point Security Wins the 2019 InfoSec Award for Browser Isolation

Phishing
Large Scale Spear Phishing Attack on U.S. Credit Unions
Posted on by Beau AdkinsCategories Blurb, Computer Security, Light Point Web, Opinion, Security, Web SecurityLeave a comment on Large Scale Spear Phishing Attack on U.S. Credit Unions

PhishingI recently read an interesting Krebs on Security article about a large scale, coordinated spear phishing attack on U.S. Credit Union anti-money laundering officers. The primary goal of this phishing attack was to get the victim to click on a malicious link, which in itself is nothing new or particularly interesting. However, what was interesting was the method the attackers used to get there.

First, they used typical spear phishing tactics, such as customizing their emails to the specific target, and making each email appear to be from a known, trusted contact. But instead of simply putting the malicious link in the email, they instead attached a PDF claiming to be a money laundering/fraud report, which is something the targeted victim handles as part of their job.

The attached PDF itself was not malicious, so no AV scanner would flag it. However, the PDF did include a malicious link. I haven’t seen any specific information about what happens when the link is clicked, but as a security professional, you have to assume it could lead to full system compromise in the worst case.

So why didn’t the attackers simply put the link in the email? The obvious answer is to circumvent legacy email URL rewriting tools, which are not very effective. However, I believe there was more to it than that. I believe they were taking the extra step of embedding the link in a PDF in an effort to gradually build trust with the victims long enough for them to let their guard down to click the link.

If the victim opens a new email and the first thing they see is a link, red flags are flying in their head. All their prior security training is screaming at them to start looking more closely at the email to see if it is legit or not. But if they open an email, and everything looks normal, they will lower their guard. “Oh, it’s yet another fraud report I have to deal with…” When they open the PDF attachment, and THEN see the link they need to click, maybe they have already moved past the being suspicious stage and just want to get it taken care of.

I can’t say for sure that is what the attackers were thinking, but it makes sense to me.

Luckily though, as most phishing emails do, these emails contained lots of grammatical errors, which should raise the suspicion level even higher. High enough that the whole link-in-a-PDF tactic couldn’t neutralize.

The official guidance to these credit union employees (and most computer users in general) is to simply not click links in suspicious emails. But when done right, a malicious email doesn’t look suspicious at all. So what then? This is exactly the reason we built our Remote Browser Isolation solution, Light Point Web. Any Light Point Web user that clicked on one of these malicious links, even if they are embedded in a PDF, would not have been at risk.

Learn more about Remote Browser Isolation

Light Point Security Cybersecurity Innovator of the Year Award Finalist
Light Point Security is Named a Finalist for the Cybersecurity Innovator of the Year Award
Posted on by Zuly GonzalezCategories Light Point Security UpdateLeave a comment on Light Point Security is Named a Finalist for the Cybersecurity Innovator of the Year Award

Light Point Security Cybersecurity Innovator of the Year Award FinalistWe are excited to announce that Light Point Security has been named a finalist for the Cybersecurity Innovator of the Year Award by the Cybersecurity Association of Maryland, Inc. (CAMI). The Cybersecurity Innovator of the Year Award is awarded to a Maryland company that has demonstrated exceptional innovation with a technology designed to protect organizations from cyber threats. Light Point Security is one of three finalists selected for this award.

CAMI is a Maryland nonprofit organization dedicated to the growth of Maryland’s cybersecurity industry. The winner of the award will be announced on April 11, 2019 during CAMI’s annual awards celebration at the Live! Casino & Hotel in Hanover, MD.

It’s a huge honor to be recognized as a cybersecurity innovator in the State of Maryland where there’s such a large number of strong and innovative cybersecurity companies. To be recognized as one of the top three cybersecurity companies in our state is a great accomplishment we are very proud of.

In addition to being recognized as a finalist for the Cybersecurity Innovator of the Year Award, Light Point Security is also a finalist for the People’s Choice Award and the Best of Baltimore County Award. The Best of Baltimore County Award will be presented to the top cybersecurity company headquartered in Baltimore County, MD. The People’s Choice Award gives the community an opportunity to vote for their favorite company. The company that receives the most votes online by 4pm on April 11, 2019 will be named the winner of the People’s Choice Award.

Join the fun and help Light Point Security win the People’s Choice Award by voting for us here.

To learn more about the Cybersecurity Innovator of the Year Award and view the full press release, click here.

Zuly Gonzalez Techno Security Conference 2018
Don’t Let the Hunter Become the Hunted – Protect Your Online Research Network Intelligently
Posted on by Zuly GonzalezCategories Computer Security, Events, Featured, Light Point Security Update, Security, Web SecurityLeave a comment on Don’t Let the Hunter Become the Hunted – Protect Your Online Research Network Intelligently

Techno Security Conference logoOn Friday I received the good news that my talk was accepted for this year’s Techno Security & Digital Forensics Conference. The topic of my 2019 talk will be on maintaining privacy and anonymity while browsing the web. More to come on that later.

In the meantime, I wanted to celebrate the occasion by sharing my 2018 Techno Security & Digital Forensics Conference presentation. Scar de Courcier, Senior Editor at Forensic Focus, recorded my 2018 presentation titled Don’t Let the Hunter Become the Hunted – Protect Your Online Research Network Intelligently, and posted the video and transcript on the Forensic Focus website, the web’s leading digital forensics portal for computer forensics and eDiscovery professionals. My talk focused on ways web-based malware can infiltrate an organization’s network and offered advice on how to protect against those threats. (Shameless plug: Our Remote Browser Isolation technology provides protection from all web-based malware in a user-friendly way so that users are empowered to browse fearlessly.)

Here’s the abstract of my 2018 talk: Online research of publicly accessible websites is a source for a practically infinite amount of data. But who knows what sorts of malicious software (malware) is lurking on the other side of every link you click. A malware infection in your research lab’s network can have devastating effects for your organization, ranging from data theft and leakage, ransomware infections, or simply destruction of your data and equipment. If your data is stolen and leaked to the wrong people, it may be you that is being investigated by your targets! This session will discuss the malware risks you are exposed to when doing online research as well as some cutting edge new ways to protect your network from online malware threats.

And here’s the video of the presentation. For a full transcript of the presentation, and to learn more about Forensic Focus, check out their website.

New Malvertising Campaign Uses Steganography to Bypass Detection
Posted on by Beau AdkinsCategories Blurb, Opinion, Web Security1 Comment on New Malvertising Campaign Uses Steganography to Bypass Detection

SteganographyI recently came across an interesting article from ZDNet that discusses a rather clever way malvertisers are sneaking malicious JavaScript into their ads.

To give a quick background, malvertising is when malware authors craft a malicious web advertisement, and then trick legitimate ad networks into placing the ad. When they pull it off, it allows their malware to be hosted on some of the biggest, most trusted, and highly trafficked websites on the net.

This is bad for ad networks, so they are at the front line trying to stop this from happening. They have rules about what each submitted ad’s scripts are, and are not, allowed to do. But JavaScript can be highly obfuscated, making it possible for bad things to slip through the cracks, and make it onto trusted, reputable sites.

The previously mentioned article details the relatively new malvertising group called VeryMal. In order to get their malicious scripts past the ad network filters, VeryMal used Steganography to embed the malicious JavaScript into a normal image file included in the ad. Once a victim browsed to a website and the ad was loaded on their system, VeryMal used a different script that had already passed the ad network’s review to pull the malicious script out of the image, and execute it.

The details about what exactly this malicious script did is irrelevant to this post. The main point I want to highlight is that detection-based security can always be fooled if you understand the algorithm well enough. Building a detection algorithm that can reliably detect malicious code hidden within an image is impossible. The only hope the ad network had to detect this was if they were looking for JavaScript being built dynamically on the client and disallowing that. But even if they start doing that, cyber criminals will always come up with a new way to avoid any specific detection algorithm.

This is the reason Light Point Security uses isolation-based security to protect our customers. The concept behind Browser Isolation is to prevent all web content from executing locally on the user’s computer by moving it to an isolated, remote environment. Instead of relying on detecting malware in order to provide security, Browser Isolation assumes all web content is malicious and prevents any of it from ever reaching the user’s computer in the first place. If there’s no way for web content to reach the user’s computer, then there’s no way for web-based malware to reach it either. This is all done while preserving the user experience.

Learn more about Remote Browser Isolation

Microsoft Releases Emergency Patch for Internet Explorer to Address Critical Vulnerability
Posted on by Beau AdkinsCategories Blurb, Computer Security, Light Point Web, Security, Web SecurityLeave a comment on Microsoft Releases Emergency Patch for Internet Explorer to Address Critical Vulnerability

Internet ExplorerBrowser vendors releasing patches to address discovered vulnerabilities is nothing new and happens all the time. However, it is much more interesting when an emergency patch is released because the browser vendor has discovered a vulnerability that is actively being used by attackers.

This is one of those cases. Because of the security implications, there are still very little details released on the vulnerability itself. Dubbed CVE-2018-8653, this vulnerability looks to be a flaw in IE’s JavaScript engine. This means a user could fall victim to it just by loading an infected website, no other interaction is necessary. These are the most dangerous types of threats.

According to the CVE details, this vulnerability has been in place for many years. Even versions of IE9 are affected. Who knows how long attackers have been using this vulnerability to infect users’ computers. The patch has been released for this specific threat, so IE users should update immediately.

But for those that want off of the endless browser patch cycle that constantly leaves them exposed to unknown threats like this, take a look at our Remote Browser, Light Point Web. Anyone using Light Point Web, even with the affected versions of Internet Explorer, is not susceptible to any browser-based threats, known or unknown, past, present and future.

How to Overcome the Pitfalls of Using Tor
Posted on by Zuly GonzalezCategories Blurb, How To, Light Point Web, Web SecurityLeave a comment on How to Overcome the Pitfalls of Using Tor

The idea of surfing the web without leaving a trace using tools like Tor may sound great at first. But for all the benefits that Tor brings to the table, there are still several ways that it falls short.

The Onion Router, commonly known as Tor, provides anonymity by bouncing your web requests off of several relays which will cause slow response times, and in turn lead to a bad user experience. Tor network is also susceptible to common attacks including browser fingerprinting. And using certain browser plug-ins, like Flash, may compromise anonymity while browsing in Tor. Furthermore, anonymity is not always guaranteed, especially if you violate the rules spelled out on the Tor website and/or do not follow the outlined best practices.

In an article posted on The Windows Club, author Pavithra Bhat explores several alternatives to Tor that can protect users’ privacy better than a standard browser, while also allowing them to surf the web at faster speeds. Read the full article here.

In the blog, Pavithra recommends options like I2P, FreeNet, and Disconnect, however, they too come with their own drawbacks, the most significant of which is that they may seriously fall short of protecting the user’s online security. For example, none of those alternatives can fully protect the user against malware, ransomware, zero-day or other web-based threats. Once the user’s machine is compromised, the user’s privacy gets tossed out the window, thus defeating the purpose of using such tools in the first place.

Anonymous web browsing has very real use cases for corporate users and the good news is that there is a solution that can provide corporate users the security they need while maintaining high standards with the browsing experience that users have come to expect.

Remote Browser Isolation offers the best of both worlds – it reliably protects your identity, makes getting to all your users’ favorite web destinations fast and easy, and  guarantees that your corporate network will not be exposed to any web-based threats. It accomplishes this by running a full browser outside of your network in an isolated virtual environment. This keeps any website resources from ever entering your network, which not only hides your identity, but also ensures you are never infected with malicious website content.

While the Tor browser has its place in the world of online privacy, alternatives like Remote Browser Isolation are a simpler, more effective way of protecting a large number of enterprise users, all packaged into a single, easy to manage solution.

 

Learn more about Remote Browser Isolation

Newly Discovered Chrome Vulnerability Could Lead to Full System Compromise with No User Interaction
Posted on by Beau AdkinsCategories Blurb, Computer Security, Featured, Light Point Web, Security, Web SecurityLeave a comment on Newly Discovered Chrome Vulnerability Could Lead to Full System Compromise with No User Interaction

Google Chrome

Recently it was announced that the Tencent Blade Team found a severe vulnerability in SQLite that could lead to Remote Code Execution. SQLite is an open-source lightweight database library used in a very large number of other applications that need some sort of database functionality.

One such application is the Chrome web browser. Chrome includes an implementation of a non-standard web technology called WebSQL, which is basically just a Javascript interface to SQLite. So an attacker could use this vulnerability to pass a carefully crafted SQL statement to SQLite through WebSQL to compromise any person using an affected browser that visited their malware site or viewed their malicious ad. Just loading the infected website would be enough for full system compromise, the victim wouldn’t have to click anything at all.

This is a great example of how powerful Light Point Web and Remote Browser Isolation are. Who knows how long this vulnerability has been out there, and how many cyber-criminals or nation-states had found it before the Tencent Blade team’s announcement. But for users of Light Point Web, it doesn’t matter. Even if they were using the affected versions of Chrome to browse sites that were actively exploiting this vulnerability, they were never in any danger from it. How great is that?

This is a pretty serious vulnerability, but luckily the issue has been fixed in SQLite, and Chrome has been updated to use this fixed version of SQLite as of version 71. However, what are the odds that this is the last browser vulnerability left, and browsers are now actually safe to use without Light Point Web? Spoiler Alert: the answer is 0%.

How To Protect Your Business From Ransomware Without Restricting Employees
Posted on by Zuly GonzalezCategories Blurb, Security, Web SecurityLeave a comment on How To Protect Your Business From Ransomware Without Restricting Employees

The internet has seen a lot of different malware variants pop up over the years, but few of them have had quite the financial and technical impact as the one on every security professional’s lips in 2018: Ransomware. But what is ransomware exactly, and what makes it so much more devastating to businesses than any other malware that has come before it?

According to a recent blog post from IBM’s SecurityIntelligence division, ransomware is defined as “…malware that holds your data hostage and demands payment for release”. In the post IBM talks about the various attack vectors that ransomware can use to infiltrate a corporate network, including phishing emails and web-based infection pathways. Read the full article here.

IBM suggests that the best ways to protect against ransomware threats is to constantly update your network with the latest security patches, teach employees how to spot potential scam emails or links, and have a threat response team trained and ready to go in case the first two lines of defense fail. However, the author also suggests limiting the functionality of your users’ workstations, such as disabling Flash (that may be necessary for some business web apps to function properly), which can result in lost productivity and continued headaches for your network security team if implemented improperly or with too many restrictions.

This is exactly where solutions like Remote Browser Isolation (RBI) can help. RBI allows your employees to retain many of the same freedoms they’ve become accustomed to when it comes to how they use and browse the web, while also securing your network against the threat that major ransomware variants like WannaCry pose.

RBI is both simple to implement and highly effective against the threat vectors that bad actors rely on most frequently to deliver ransomware infected payloads to enterprise networks. RBI also offers a host of additional features that help protect your users’ privacy and security in the era of rapidly evolving ransomware threats.

Learn more about Remote Browser Isolation

Endpoint Security Solutions Challenged by Zero-Day and Fileless Attacks
Posted on by Zuly GonzalezCategories Computer Security, Security, Web SecurityLeave a comment on Endpoint Security Solutions Challenged by Zero-Day and Fileless Attacks

As the world of malware continues to evolve at a relentless pace, IT departments globally are struggling to keep up. Today, fileless attacks and zero-day exploits are appearing more frequently, and traditional AV solutions and detection methods are failing to prevent infections the way they used to.

According to a recent article posted by Help Net Security, the challenges that endpoint security specialists face in this fight are significant. In a survey by the Ponemon Institute and Barkly that polled 660 IT and security professionals, they found that 64 percent of organizations experienced a successful endpoint attack in 2018, which represented a 20 percent increase from the same 12-month period last year. Furthermore, 63 percent of individuals surveyed stated that the frequency of endpoint attacks has increased in the past 12 months. Read the full article here.

Most importantly, respondents estimated that the current AV implementations active on their networks were only capable of blocking 43 percent of incoming attacks.

In response to this problem some organizations have resorted to focusing more on quickly detecting and responding to attacks instead of preventing them. However, the prospects of this solution working are bleak at best, given the results of the 2018 Cost of Data Breach Study by Ponemon, which found that the average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days).

This begs the question: what potential solutions are out there which can mitigate the threat that zero-day and fileless attacks pose without affecting employee productivity or adding unnecessary burden on the on-site IT staff? Options like Remote Browser Isolation present a secure alternative to traditional antivirus detection methods.

Remote Browser Isolation can help close the gap between post-infection detection techniques, which may not detect all attacks, and the proactive threat hunting approach that may leave the corporate network vulnerable for weeks before the threat is detected and neutralized. By isolating an employee’s browser activity in an external virtual environment that exists outside of your corporate network, any breach attempts that are launched against that user via a web browser, whether they are zero-day, fileless, or run of the mill attacks, can be stopped before they can even enter the corporate network. By implementing Remote Browser Isolation, your IT department can reduce the management overhead while simultaneously making it easier for your users to browse the web safely, securely, and without the limitations that other protection methods might place on their daily browsing habits.

Learn More About Remote Browser Isolation

How to Balance Employee Freedom With the Needs of Corporate Security
Posted on by Zuly GonzalezCategories Computer Security, Featured, How To, Web SecurityLeave a comment on How to Balance Employee Freedom With the Needs of Corporate Security

Today’s employees prefer to use a wide range of web apps in the office in order to get the absolute most out of their workday. For example, they manage their calendar with Google Calendar, check their emails through Office 365, chat with fellow employees using Slack, watch videos over YouTube, have conference calls over Zoom or store and share files using Dropbox.

The idea of allowing employees access to various web applications they need to maximize their productivity may sound like a good one at first, but often this level of freedom can create a host of headaches for a company’s security department. The problem is further exacerbated when security teams have to worry about securing access to such web apps over multiple web browsers for every employee on every device.

Web Browsers Are a Necessary Evil

Gartner estimates that 98% of all external information security attacks happen over the public internet, and 80% of those attacks are carried out through end users’ web browsers. With browsers at the center of so much corporate activity, it’s no surprise that browsers are the most likely place for cyber-attacks to happen.

Oftentimes, to keep things simple, the IT department will block entire categories of websites, including many of the essential sites that employees need to do their job effectively. Contrary to popular belief, no good comes out of being so heavy handed with blocking sites. First, the inability to access sites to do their job leads to employee productivity loss, and second, enterprise networks are still vulnerable since blocking sites doesn’t eliminate the threat of web-based malware that can be introduced through typically “safe” sites. To make matters worse, some organizations even take the extreme measure of blocking internet access altogether, which has obvious productivity concerns.

Then what is the best way to mitigate the threat of browser-based attacks while still providing employees with all the flexibility they need to be productive on a daily basis?

Remote Browser Isolation Provides a Solution

The solution to keeping your network safe while allowing unrestricted access to the web and work flexibility is Remote Browser Isolation. Remote isolated web browsing brings the best of both worlds into one seamless, easy to use solution that lets employees browse the web with complete freedom while also protecting your network from any browser-based threats.

Remote Browser Isolation moves your web browsing activity off the corporate network entirely, and into a remote virtual environment. This means that no web content ever enters the corporate network, so if any infected links or files are encountered, they are unable to cause any damage.

Furthermore, Remote Browser Isolation enables truly anonymous browsing capabilities that protect a user’s identity when browsing the web.

Conclusion

Today, the internet is the go-to source for information, productivity tools, commerce, socialization and business communication. The rapid emergence and use of social media, news sites, web apps and other business sites in the workplace, whether for personal or business use, have made the web browser one of the most likely places for cyber-attacks to happen. Every new website that is allowed into the corporate network potentially introduces a whole new range of attack vectors that security teams need to worry about. Remote Browser Isolation alleviates these security concerns while still allowing employees access to a wide range of websites and web applications in the office in order to get the absolute most out of their workday.

Learn More About Remote Browser Isolation

Web Isolation Technology Prevents Web Browser Forensic Data From Falling Into the Wrong Hands
Posted on by Zuly GonzalezCategories How ToLeave a comment on Web Isolation Technology Prevents Web Browser Forensic Data From Falling Into the Wrong Hands

There is a wealth of information available online, and web browsers are the primary way we access it. Just as web browsers help us learn about the world, the world (both good and bad actors) can learn a lot about us by looking at our web browsers. An easy way to protect browsing data is with Browser Isolation technology.

Protect Your Browsing Data

Web browsers store a host of valuable information about a user’s surfing habits and usage patterns. Protecting browsing data has become a necessity in today’s digital landscape. In his recent article, author Barry Shteiman describes the different ways that enterprises can use the data collected by web browsers to help quantify the nature, scale, and scope of any potential threat, including insider threats. Read the full article here.

For example, in a post-breach investigation, investigators can use web browser forensics to collect vital evidence of the user’s activities and motivations to understand if a cyber-crime was committed. Aside from the more obvious pieces of information like web browsing history and autofill options, more specific breadcrumbs left by the user during their sessions like cookies, alternate email logins, and file download histories can be used to more accurately piece together a picture of the ‘person of interest’.

But, in the same way, that the good guys (a member of an organization’s own network security team) can use this information to identify an insider threat, it can also be used against them if this data happens to fall into the wrong hands. Web browsing exposes your organization to web-based malware attacks that can allow unfettered access to this data to bad actors who will, in turn, use it for far more nefarious purposes.

Isolated Browsing Protects Your Network

To prevent malware from being delivered from the web to your corporate network via phishing links or other browser-based exploits, consider using security solutions like Remote Browser Isolation. With Browser Isolation technology, users’ browsing activities are moved to an environment that’s completely separated from their organization’s network. Web Isolation technology keeps malware trapped in an isolated environment, where it is safely contained and disposed of. This prevents any kind of corporate data, including users’ browser data, from being exposed to potential hackers, while allowing users to freely surf the web.

Learn More About Remote Browser Isolation

If You Use Your Web Browser’s Incognito Mode We’ve Got Bad News
Posted on by Zuly GonzalezCategories Computer Security, Security, Web SecurityLeave a comment on If You Use Your Web Browser’s Incognito Mode We’ve Got Bad News

We place our trust in simple browser features like Chrome’s ‘incognito browser mode’ with an expectation that it will work as advertised and protect our privacy. Sadly, it doesn’t.

The incognito browsing mode, or the ‘private browsing mode’ as it is also known, has become the go-to method that amateurs rely on to protect their privacy and keep their internet browsing history a secret. But while the private browsing mode is good enough for preventing local cookie tracking or saving of autofill details, it falls short in dozens of other ways that matter most in keeping your information truly private and secure. For example, the private browsing mode cannot prevent browsers from giving away your geographical location, nor can it prevent viruses and malware from infecting your computer.

In an article posted on IFLScience.com, Aliyah Kovner blames the major browser providers for not doing a good job with their disclosures, which makes it difficult for their users to comprehend what these features actually can and cannot do. Read the full article here.

Though the article doesn’t offer a solution, it does bring up two very important points – (1) the majority of users out there want an easy, convenient and reliable way to protect their privacy while browsing the web and (2) even if the major browser providers improve their disclosures, people are not likely to read them, which means that they will likely still not understand the limitations of these features..

This poses a big challenge for companies that not only need to protect their users’ privacy, but also need to ensure that their corporate network is secure from threats like malware and ransomware.

Enterprises need a solution that can address both the privacy concerns of their users and the security concerns of their security teams. What they need is a solution called Remote Browser Isolation that can not only enable truly anonymous web browsing, but can also ensure the security of their network against web-based malware threats, and much more.

Learn more about Anonymous Web Browsing with Remote Browser Isolation

Light Point Security CEO to Speak at the Techno Security & Digital Forensics Conference
Posted on by JudyCategories Events, Light Point Security Update, Security, Web Security1 Comment on Light Point Security CEO to Speak at the Techno Security & Digital Forensics Conference

Zuly Gonzalez CEO Light Point SecurityI’m happy to share that Light Point Security CEO, Zuly Gonzalez, will be speaking at the 2018 Techno Security & Digital Forensics Conference about how malware can infiltrate an organization’s network and how to protect against these threats. This is Zuly’s second year presenting at this conference and we are looking forward to another great show of making new connections and learning from the best.

The Techno Security & Digital Forensics Conference will be held June 3-6, 2018 in Myrtle Beach, SC. Zuly’s presentation is scheduled for Monday, June 4, 2018 10:30am – 11:20am. If you’d like to join us at the conference and attend Zuly’s presentation, you can register here. We hope you’ll join us!

Presentation Information

Don’t Let the Hunter Become the Hunted – Protect Your Online Research Network Intelligently

Online research of publicly accessible websites is a source for a practically infinite amount of data. But who knows what sorts of malicious software (malware) is lurking on the other side of every link you click. A malware infection in your research lab’s network can have devastating effects for your organization, ranging from data theft and leakage, ransomware infections, or simply destruction of your data and equipment. If your data is stolen and leaked to the wrong people, it may be you that is being investigated by your targets! This session will discuss the malware risks you are exposed to when doing online research as well as some cutting edge new ways to protect your network from online malware threats.

Light Point Security Sponsors MESA HITS Spring 2018
Posted on by Beau AdkinsCategories Events, Light Point Security UpdateLeave a comment on Light Point Security Sponsors MESA HITS Spring 2018

In mid May Light Point Security sponsored and attended the MESA HITS Spring 2018 event in Los Angeles. The Hollywood IT Summit (HITS) brings together IT technologists from all the major Hollywood studios, independent content creators and their supporting information technology partners.

During the event our team met Jeffrey Stansfield from Advantage Video Systems. Jeffrey learned about Light Point Web, our browser isolation solution, and decided to create a short video interview highlighting its value.

Enjoy!

Webinar: How to Prevent WannaCry and Other Web Threats
Posted on by JudyCategories Events, Light Point Web, Security, Web SecurityLeave a comment on Webinar: How to Prevent WannaCry and Other Web Threats

Light Point Web prevents WannaCry and other ransomwareIn a matter of days, the WannaCry ransomware outbreak infected more than 230,000 computers in 150 countries. It impacted healthcare organizations, universities, government agencies, and many others, including FedEx. If you are concerned about the WannaCry ransomware and other similar attacks, join us for this informative webinar.

Light Point Security is hosting a joint webinar with partner, ELEVI Associates, today May 18 at 1pm EST. This educational webinar will explain the causes of ransomware and the devastating effects it can have on an organization. Learn about remote browser isolation technology and how it protects organizations from ransomware and other web-based threats.

Join us by signing up for the webinar here.

Register Now

Light Point Security CEO Invited to Speak at the Pentagon
Posted on by JudyCategories Events, Featured, Light Point Security UpdateLeave a comment on Light Point Security CEO Invited to Speak at the Pentagon

Zuly Gonzalez Speaks at the PentagonWe were privileged to have the Pentagon invite Light Point Security CEO, Zuly Gonzalez, as a keynote speaker for its JSP Cybersecurity Forum.

The Joint Service Provider (JSP) provides the full range of information technology equipment, services, solutions, and customer support to the Office of the Secretary of Defense, the Office of the Deputy Chief Management Officer, and WHS to meet mission and business requirements.

Zuly presented at the Pentagon yesterday on the topic of cybersecurity innovations and how Remote Browser Isolation is changing the game for the better and giving organizations the power to completely eliminate their web-based malware problems once and for all.

We were honored to have been invited to speak at such a prestigious event.

You may view the full press release here.

Light Point Security Founders Featured in the Baltimore Sun
Posted on by JudyCategories Light Point Security UpdateLeave a comment on Light Point Security Founders Featured in the Baltimore Sun
Zuly Gonzalez CEO of Light Point Security and former NSA cybersecurity expert
Zuly Gonzalez, CEO of Light Point Security, is pictured in her office space. (Algerina Perna / Baltimore Sun)

Light Point Security founders, Zuly Gonzalez and Beau Adkins, were featured in The Baltimore Sun this week! The story “Maryland’s federal workforce offers state a source of cyber entrepreneurs” highlights a few Maryland-based cybersecurity companies, their founders and how they got started. Here’s an excerpt from the story:

Zuly Gonzalez and Beau Adkins worked in the digital trenches at the National Security Agency for more than a decade.

Gonzalez designed computer protection systems and Adkins figured out how to penetrate such barriers. Their light bulb moment came when they decided to apply their expertise to the commercial sector and founded their company, Light Point Security.

“We kind of melded both his offensive mindset of hacking and attacking and my mindset of defending. He knew how easy it was to hack and get into networks,” Gonzalez said. “So we basically thought about what would it take to really stop Beau from getting into a computer.”

Numerous businesses in Maryland’s growing cybersecurity industry were founded by former government workers or government contractors, and count such workers among their current and prospective employees.

The full article by Baltimore Sun reporter Sarah Gantz can be viewed on The Baltimore Sun website here.

Webinar: Full Browser Isolation with Threat-Free Downloads via Content Disarm and Reconstruction
Posted on by JudyCategories Events, Light Point Web, Press ReleaseLeave a comment on Webinar: Full Browser Isolation with Threat-Free Downloads via Content Disarm and Reconstruction

OPSWAT LogoAs our customers know, we are constantly increasing the value of Light Point Web by adding new features and functionality. In a joint effort with our partner OPSWAT, Light Point Web, which provides unmatched protection from web, document and email based malware, will enhance its current document-based malware protection capabilities by integrating OPSWAT’s Content Disarm and Reconstruction (CDR) technology into its platform.

Register Now

The new CDR (file sanitization) technology strips exploitable content from files for a complete threat-free browsing experience. By integrating OPSWAT’s CDR engines into Light Point Web all downloaded files will be thoroughly scanned and/or sanitized before the user’s local machine receives them. The integration will not impact the end users’ productivity, since all sanitized files will be reconstructed with all their functionality and usability intact. This joint solution provides users 100% malware prevention from malicious websites through Light Point Security’s Full Isolation technology and comprehensive malware protection from malicious file downloads through OPSWAT’s file sanitization and multi-scanning engines.

We are very excited about this new feature and will be hosting a joint webinar with OPSWAT to showcase the technology and discuss how this joint solution provides organizations complete end-to-end protection from malware without compromising user experience. The webinar is scheduled for Tuesday April 11, 2017 from 1:00 – 1:30pm EDT. We encourage all to attend, and you can sign up for the webinar here.

Visit the press release page for a full description of the joint integration.

Register Now

Light Point Security Grows Revenue by Over 450% in 2016
Posted on by Zuly GonzalezCategories Light Point Security UpdateLeave a comment on Light Point Security Grows Revenue by Over 450% in 2016

As another year closes, and a new one begins, I wanted to share with you Light Point Security’s amazing success over the last year. 2016 was an exceptional year for us, and I am incredibly proud of our team and everything they have accomplished.

Over the last year we grew our revenue by over 450%, expanded our presence in our key industry verticals, and achieved other key milestones. The full press release with our 2016 highlights can be found here.

Thank you all for your continued support as we continue to share our unique and innovative technology. We will bring safe web browsing to the world.

Ransomware’s Devastating Effects on the Healthcare Industry [Infographic]
Posted on by Zuly GonzalezCategories Resources, Security, Web Security1 Comment on Ransomware’s Devastating Effects on the Healthcare Industry [Infographic]

healthcare ransomware effects infographicRansomware has taken its toll on the healthcare industry. With new attacks seemingly every week, are you prepared to fight back, and protect your organization and your patient’s protected health information (PHI)?

As we mentioned previously in Why Ransomware Gangs Love the Healthcare Industry, ransomware is projected to grow 670%, and the healthcare industry has the highest cost per record stolen of any industry at $363 per stolen record. And with your patient’s lives in your hands, the stakes couldn’t be higher.

This infographic highlights the devastating effects ransomware and security breaches have had on the healthcare industry. (Click on the image for a full-sized version.) Are you protected?

Please share to spread the word!

Not into sharing infographics? Tweet these statistics instead:

  • The cost of cyberattacks to U.S. health systems over 5 years is $305 billion. [tweet this]
  • Cyber criminals to collect $1 billion in ransomware payments in 2016. [tweet this]
  • The cost per stolen healthcare record is $363. [tweet this]
  • Healthcare is 4 times more likely to be impacted by advanced malware than the avg industry. [tweet this]
  • Healthcare is 4.5 times more likely to be impacted by ransomware than the avg industry. [tweet this]
  • There are 340% more security incidents and attacks in healthcare than the average industry. [tweet this]
  • Ransomware attacks are projected to grow 670%! [tweet this]
  • Healthcare records are 10 times more valuable than credit card details on the black market. [tweet this]

Looking for more? Check out this article for more interesting statistics and information on ransomware in the healthcare industry.

And to learn how the most flexible Remote Browser Isolation solution on the market can protect your healthcare organization, contact us today.

Embed This Image On Your Site (copy code below):

Will You Be the Next Health System Held for Ransom?
Posted on by Zuly GonzalezCategories Events, Security, Web SecurityLeave a comment on Will You Be the Next Health System Held for Ransom?

This is going to be a great panel! I’ll be moderating a panel for the 2016 CyberMaryland Conference on the topic of preventing ransomware in healthcare. We have a dynamic and engaging group of panelists comprised of CISOs and CIOs with decades of experience in the healthcare industry. They’ll be sharing stories and best practices to help you protect your organization from ransomware and other cyber threats. Come ready to learn!

The 2016 CyberMaryland Conference will be held Oct 20-21, 2016 in Baltimore, MD. Our panel is scheduled for Friday Oct 21, 2016 1:45pm – 2:45pm. I hope you’ll join us as this promises to be an engaging panel.

If you haven’t registered for the conference yet, use our discount code TCMdGuest for a 25% discount.

If you have any topics or questions you’d like our panel to discuss, send them our way. You can email your questions or topic suggestions to info@lightpointsecurity.com, or tweet us at @LightPointSec and use the hashtag #CyberMD2016.

Panel Information

Will You Be the Next Health System Held for Ransom?

All healthcare organizations should have anti-virus and firewalls in place – but that’s just not enough in today’s ever evolving world. As attackers grow more and more sophisticated, and ransomware becomes the new normal, healthcare organizations are struggling to keep up.

Hear from an expert panel of healthcare CIOs and CISOs on best practices for keeping ePHI out of the wrong hands, as well as innovative technologies that can be used to avoid becoming the next ransomware victim. Together they have decades of experience managing and securing healthcare networks, and will share practical ways you can secure yours.

Moderator
Zuly Gonzalez, Co-founder and CEO, Light Point Security

Panelists
Chad Wilson, Director of Information Security, Children’s National Medical Center
James Parren Courtney, SSSE Certified Chief Information Security Officer, University of Maryland Medical System
Darren Lacey, Chief Information Security Officer, Johns Hopkins University
Chris Panagiotopoulos, Chief Technology Officer, LifeBridge Health

Healthcare Ransomware Prevention CyberMaryland 2016 Panel

 

Join Light Point Security at WOW Women of the World Baltimore
Posted on by Zuly GonzalezCategories EventsLeave a comment on Join Light Point Security at WOW Women of the World Baltimore

Zuly Gonzalez, Light Point Security CEO, participates in WOW Women of the WorldWOW (Women of the World) is a global movement of festivals that celebrates women as a force for positive change. It offers a powerful forum for discussion and action on issues important to women. WOW was launched in 2011 in London, and since then WOW festivals have engaged and inspired over one million women across five continents and cities.

The WOW Baltimore Partnership is bringing Women of the World to Baltimore, and I’m proud to be part of this great event. I’ll be participating on a very fun and engaging panel with other women entrepreneurs to share our experiences starting and running a business. We’ll be sharing our stories, giving advice to other women entrepreneurs, and more importantly inspiring other women to “just do it!”

WOW Baltimore will be held on October 7-8, 2016 on the campus of Notre Dame of Maryland University. I hope you’ll join us for this 2 day inspirational event! To register, click here.

Panel Information

Risky Business: Women Entrepreneurs
Friday, October 7
11:00 am – 12:00 pm
LeClerc Auditorium

Starting a business can be scary. No one wants to fail. We will hear how these women business owners took a leap and found their true direction — on their own terms.

Moderator
Deborah Tillett – President and Executive Director, Emerging Technology Centers

Panelists
Zuly Gonzalez – CEO and Co-Founder, Light Point Security
Rosalind Holsey – Owner and Lead Designer, Studio 7 The Salon LLC
Michele Tsucalas – Owner and Founder, Michele’s Granola
Donna Stevenson – President and CEO, Early Morning Software, Inc.

Insider vs. Outsider: What’s the Greater Security Risk?
Posted on by Zuly GonzalezCategories SecurityLeave a comment on Insider vs. Outsider: What’s the Greater Security Risk?

Beau Adkins - CEO of Light Point SecurityThe Digital Guardian asked 47 security experts to discuss what they think is a bigger threat to an organization, an insider or an outsider. Light Point Security’s CTO, Beau Adkins, was invited to participate on the panel of security experts to discuss what he has seen over the course of his career. Here’s what he had to say:

“In my experience, the biggest threat to a company’s data is posed by…”

Insiders. However, they are most often not deliberately a threat. Outsiders are the ones who have bad intentions, but they don’t have access. Network restrictions are usually strong enough to keep them out. So instead they focus their efforts on tricking unsuspecting insiders into opening the doors for them. And once inside, they are indistinguishable from the insiders.

Employee web browsing is one of the most used pathways to accomplish this. Outsiders set up a website capable of exploiting any computer that browses to it, then they send emails to the insiders that entice them to click a link to that site. Most employees will not take the bait, but it just takes one person to give in to curiosity and click the link.

Malicious outsiders are very good at this. They can craft emails that look like they are from someone within the company and reference projects or people that the recipient knows. It can be very difficult to tell these emails are not legitimate. With a little perseverance, it’s just a matter of time before someone clicks.

Because of this, efforts to protect the company from malicious outsiders can only go so far. Companies today must prioritize protecting against threats from their own insiders. One employee clicking the wrong link doesn’t have to put the whole company at risk.

Check out what the other experts had to say by reading the full article on Digital Guardian.

Why Ransomware Gangs Love the Healthcare Industry
Posted on by Zuly GonzalezCategories Computer Security, Security, Web Security1 Comment on Why Ransomware Gangs Love the Healthcare Industry

Ransomware Costs Healthcare MillionsRansomware. It’s the latest buzzword, and everyone is talking about it, especially in healthcare.

Ransomware has become increasingly prevalent over the last year because it’s been so successful for the bad guys. According to the FBI, cyber criminals are on pace to collect $1 billion from ransomware payments in 2016. And data breach response insurance provider, Beazley, projects ransomware attacks will grow 670% from 2014 to 2016. That’s insane!

The statistics for the healthcare industry are even grimmer. Healthcare is the most breached industry. It sees 340% more security incidents and attacks than the average industry, and is more than 200% more likely to encounter data theft. Healthcare is 4 times more likely to be impacted by advanced malware than any other industry, and is 4.5 times more likely to be impacted by ransomware. And healthcare is 74% more likely to be impacted by phishing attacks than any other sector.

The Impact of Ransomware on Healthcare

A successful breach on a healthcare organization can mean:

  1. the loss of money,
  2. the loss of brand reputation,
  3. the loss of Protected Health Information (PHI), and sadly
  4. the potential loss of life.

According to the Ponemon Institute’s 2015 Cost of Data Breach Study, the healthcare industry has the highest cost per record stolen of any industry at $363 per stolen record.

Unique to the healthcare industry, the impact of malware isn’t just a matter of losing money. As dramatic as it may sound, people’s lives are at stake. What happens if a hospital’s systems are down because of malware or a ransomware attack, and they can’t provide emergency services to a patient? Could that patient lose their life? Or could the delay in service cause additional health complications for that patient?

As an example, when MedStar was recently locked out of their systems as a result of a ransomware attack, they were unable to provide radiation treatment to cancer patients for several days. This is serious!

What Makes Healthcare a Prime Target

There are 3 main reasons why the healthcare sector is targeted so much by cyber criminals.

  1. Healthcare records contain the most valuable information. The data healthcare organizations store on patients includes personal identities and medical histories, which makes it a very complete data set. This is a goldmine for identity thieves. This is why healthcare records are about 10 times more valuable than credit card details on the black market.
  2. Healthcare data doesn’t change. Unlike other types of data cyber criminals steal, patient data stored by healthcare organizations can’t be easily changed. If your credit card company gets breached, you can easily change your username and password, and get a new credit card number. No big deal. But if your hospital gets breached, you can’t just go get a new social security number. Compromised health information can haunt you for a lifetime.
  3. Healthcare organizations don’t prioritize security. Because the healthcare sector in general hasn’t kept up-to-date with modern security practices like other industries have, attacks on them are more likely to be successful. If you compare healthcare to the financial industry, for example, the financial industry has devoted so many resources to protecting their data that attackers would rather focus on softer targets, like healthcare.

Luckily, Light Point Security’s isolated remote browser can protect healthcare organizations from ransomware and other web-based malware. Our Full Isolation technology is the strongest in the industry, and offers the best user experience. Contact us today to learn how we can keep your data safe.

Zuly Gonzalez Recognized As One of Maryland’s Women in Technology Leaders
Posted on by Zuly GonzalezCategories Light Point Security UpdateLeave a comment on Zuly Gonzalez Recognized As One of Maryland’s Women in Technology Leaders

Zuly Gonzalez Women in Tech Leader in MarylandI’m honored to be in such great company. The Maryland Department of Commerce published a list of 18 women that are leading the charge for women in technology in The State. They recognized standout women leading technology companies, conducting critical government work in technology, and breaking new ground in developing new technologies. I’m flattered to have been included in the list, and will continue to lead the way in cybersecurity.

According to the article, CompTIA’s Cyberstates analysis ranks Maryland second in the ratio of female to male workers in IT occupations (24%).

You can see the full list of Maryland’s women in tech leaders here.

Who would you recognize as a female leader in technology?

 

Tech Faceplant: Dropbox Infinite
Posted on by Beau AdkinsCategories Computer Security, Opinion, SecurityLeave a comment on Tech Faceplant: Dropbox Infinite

Dropbox Project InfiniteLast month, Dropbox pulled back the curtains on their next new major feature, titled “Dropbox Infinite”. However, the details about how they were going to implement this feature left the majority of the audience dumbfounded. This is another one of those occasions where tech companies make a decision against the outcries of their customers, and even in the face of that backlash, just chug happily along.

Dropbox Infinite sounds like a pretty cool idea. It would make your Dropbox storage area appear as its own drive in your OS. It’s an idea that few people would complain about. However, when Dropbox revealed that they would implement this with kernel mode extensions, people’s heads started exploding.

By implementing this in the kernel, it puts the user’s system security at much higher risk than if it were implemented in user-mode. When code runs in the kernel, it has complete system access. It can read, write, or delete any file. If malware gets a foothold in your computer’s kernel, then it’s no longer your computer. Any programming mistake in the kernel means the whole system crashes (the infamous Blue Screen of Death). For these reasons, users should be wary of every piece of code they allow to run there. A product like Dropbox, used to manage remote shared file backups, seems like a poor candidate for kernel level code. It would be like Microsoft announcing the next version of Internet Explorer will run primarily in the kernel. It would be the worst idea in the history of computing.

The Dropbox article mentioned an open-source project called FUSE, which could have been used to implement this in user-mode. But they scrapped that idea because it incurred an extra kernel-mode context switch which has performance implications. Like a commenter observed, the performance of a context switch is practically nonexistent compared to the cost of performing network operations with the Dropbox servers.

The article received numerous comments, which were mostly negative. A common theme in those comments was the hope that this feature was optional. Dropbox never clarified if this was mandatory or not. If they make it mandatory, it will be an enormous faceplant. It’s quite obvious that the users are not ready for it. Maybe one day they will be, but not today. Forcing it on users now will only hurt Dropbox.

Sadly, this sort of thing happens all the time. Tech companies come up with an idea that they believe their users will go gaga over. But when they announce it, it is met with vitriol. Instead of just admitting a mistake and scrapping the idea, they double down, and shove it down their users’ throats anyway. Think Windows Metro or Chrome removing support for plugins. Listen to your customers. If you announce a new product change that causes your customers to threaten to leave, its not too late to go back to the drawing board.

Light Point Security CEO Discusses Cybersecurity and Terrorism Prevention
Posted on by Beau AdkinsCategories Computer Security, Opinion, SecurityLeave a comment on Light Point Security CEO Discusses Cybersecurity and Terrorism Prevention

Zuly Gonzalez discusses cybersecurity and terrorismLight Point Security CEO, Zuly Gonzalez, was interviewed on the Emmy Award winning Live TV show Fresh Outlook, which aired on Saturday April 2, 2016 at 2pm ET. Fresh Outlook is a weekly talk show that airs every Saturday Live, and examines a variety of topics and current events.

Zuly discussed Apple vs the FBI, encryption, terrorism, and how to protect yourself from cyber threats, among other topics. For example, she was asked why if less skilled adversaries are able to hack into devices, does the FBI with all of the resources at their disposal have such a hard time getting into the encrypted iPhone of one of the San Bernardino terrorists. Zuly talked about how not all things are equal and that a combination of skill level and protection mechanisms must be taken into account when comparing successful and unsuccessful attacks. She also discussed the importance of the data being protected and how consumers should also value their data. Zuly also touched on the irony of Apple asking the FBI for help in strengthening their protections.

It was an informative segment with several other security experts on the panel. The segment is below for your viewing pleasure.

Two Ways Google Chrome Sacrifices Security in the Name of Speed
Posted on by Beau AdkinsCategories Computer Security, Security, Web SecurityLeave a comment on Two Ways Google Chrome Sacrifices Security in the Name of Speed

Google ChromeGoogle Chrome is now the most popular web browser in the world, with an estimated 45% of all website views. Google claims that security is a top priority, which is why they push frequent, automatic updates and use a sandbox. But an even higher priority for Google is speed.

Sometimes they need to make the choice between speed and security, and this article lists two cases where they chose a minimal speed improvement at the expense of introducing a much larger security risk.

Prerendering

Prerendering is a technology used in Chrome that can make pages appear to load faster. For example, if you browse to http://example1.com and that page includes a link tag like “<link rel=”prerender” href=”http://example2.com”>”, Chrome will automatically and silently load example2.com in the background while you are viewing example1.com. The hope is that the next link you click will be to example2.com, so the browser can display it instantly, making things seem faster.

The most likely place you see this feature in use is on google.com. Based on a user’s search terms, they may decide there is a very high likelihood that they can anticipate which link the user will click next. In that case, they can mark that link to be prerendered, so the page appears to load faster.

Google Chrome itself can also decide to prerender pages. If you start typing “reddit” into the URL bar, there is a decent chance that Chrome will begin prerendering reddit.com in the hopes that is what you were in the process of typing.

What’s so Bad About Prerendering?

  1. Exposure to malware: When a page is prerendered, it has limitations. It can’t initiate downloads, or play audio. But it can execute scripts, and that is all that is needed for a malicious site to infect your computer. Because of prerendering, you can be infected by a site just because a link to it appears in a Google search results page, or you typed something similar to it in the Chrome address bar. You don’t even need to visit the page anymore.
  2. Loss of privacy: When Chrome prerenders a page, it exposes your IP address and browser information to the website. For users performing sensitive online research, this can be a big deal. Some users need to learn about a company or organization without tipping their target off about it. Because of prerendering, just Googling the name of the target will likely expose them.

How to Turn Off Chrome Prerendering

  1. Open the Chrome Settings by clicking the 3 horizontal lines icon in the top-right of Chrome and choose “Settings”.
  2. Scroll to the bottom and click “Show advanced settings”.
  3. Under “Privacy”, uncheck the box labeled “Prefetch resources to load pages more quickly”.

Disable Chrome Prerendering

Automatic Downloads

By default, Google Chrome is configured to automatically download any file that a website decides to push to you. In the interest of speed, instead of asking you if you want to accept a download, it will happily download it immediately, into the “Downloads” folder of your user profile.

The obvious threat here is that malware can get downloaded without your permission. But just downloading a malicious file isn’t actually enough to infect you. You have to execute it somehow.

After the download completes, it will show up in a box in the bottom left corner of Chrome, until the user dismisses it. If the user clicks the box for a download, Chrome will open that file. If this file is malicious, there is a good chance you will be infected.

However, this attack method is weak because it requires the user to decide to click that box. A more sinister approach involves the use of DLL hijacking. When a Windows executable loads, it often also loads a set of DLL files that it requires. These DLLs can be specified with an absolute path (like C:\Windows\System32\user32.dll) or with just a name (like user32.dll). When the DLL is specified with just a name, Windows will search for a DLL with the right name across a few different places. The first place it looks is the same directory as the executable.

An attacker can then create a malicious DLL with the same name as a common Windows DLL, like user32.dll, kernel32.dll, or UxTheme.dll. Chrome will happily automatically download this DLL into the user’s Downloads directory. After that, it’s just a matter of time before the user downloads a legitimate executable (into their Downloads directory) that doesn’t specify an absolute path to the DLL, and when the user executes it, the malicious DLL gets loaded and the user is infected.

How to Turn Off Automatic Downloads

  1. Open the Chrome Settings by clicking the 3 horizontal lines icon in the top-right of Chrome and choose “Settings”.
  2. Scroll to the bottom and click “Show advanced settings”.
  3. Under “Downloads”, check the box labeled “Ask where to save each file before downloading”.

Disable Chrome Automatic Downloads

Light Point Web Protects Against Both of These Threats

Light Point Web protects against these, and other security issues commonly seen in web browsers. Learn how our secure remote browser can protect your home or business.

When NSA employees leave to start their own companies
Posted on by Zuly GonzalezCategories Light Point Security Update, StartupsLeave a comment on When NSA employees leave to start their own companies
Zuly Gonzalez and Beau Adkins founders of Light Point Security and former NSA employees
Zuly Gonzalez and Beau Adkins are co-founders of Light Point Security. (Lloyd Fox / Baltimore Sun)

In October, Ian Duncan, intelligence and military reporter for the Baltimore Sun, interviewed me for a story about former NSA employees that left the Agency to start their own companies. Titled “When NSA employees leave to start their own companies,” the story looks at several Agency entrepreneurs and examines the challenges facing the NSA in retaining the top notch talent they helped to train. It’s an interesting read and I thought it was worth sharing here on the blog. Below is an excerpt from the story.

Adam Fuchs and his small team labored for years inside the National Security Agency on a system that would enable analysts to access vast troves of intelligence data and spot hidden patterns.

“We very much had a startup feel,” Fuchs said. The team worked in an office at Fort Meade with ideas scrawled across whiteboards and old furniture scattered around.

Their work helped analysts identify terrorist groups. But the ordinarily secretive NSA did something else with the technology: Figuring that others could make use of it, too, the agency released it to the world for free.

And that was when those who had built the tool saw an opportunity. Half eventually left the agency to develop it on the outside. Fuchs and others founded a company.

Their departure exemplifies a challenge facing the NSA: The agency spends years training some of the nation’s brightest minds in cutting-edge skills only to watch them take those skills to more lucrative jobs in the private sector.

You can read the full story on the Baltimore Sun’s website here.

Powered By Women: Meet Maryland’s Female Tech Leaders
Posted on by Zuly GonzalezCategories Light Point Security Update, StartupsLeave a comment on Powered By Women: Meet Maryland’s Female Tech Leaders

Zuly Gonzalez CEO Light Point SecurityI’m honored to have been recognized by The Daily Record as one of Maryland’s top female leaders in the tech industry. The Daily Record’s latest edition of the Path to Excellence magazine featured the top female leaders in tech in the State, including myself. They profiled each one of us, and asked us to share quick tips for the upcoming generation of women leaders in Maryland.

Below is an excerpt from the story, but please head on over to The Daily Record’s website to read the full article.

 

 

Women make up roughly 37.9 percent of Maryland’s technology workforce, according to data from the state’s Department of Commerce. Educators and experts attribute the disparity to as far back as middle school, when many young girls lose interest in science and math. You’ll learn more about the reasons for this drop off on page 14. In this issue of Path to Excellence, you’ll meet several of the women who are leading the state’s tech industry. They are leading some of the state’s most innovative companies as they improve cybersecurity, health care and help to grow the next generation of female leadership in the tech industry.

 

Zuly Gonzalez | Light Point Security
Zuly Gonzalez is the co-founder and CEO of Light Point Security, based in Catonsville.
She co-founded the firm to solve the biggest program in cybersecurity today: web-based malware.
Gonzalez has more than 10 years of experience in the U.S. federal government working to secure national security information systems.

CEO Zuly Gonzalez to Speak at the 2015 Entrepreneur Expo
Posted on by Zuly GonzalezCategories Events, Light Point Security UpdateLeave a comment on CEO Zuly Gonzalez to Speak at the 2015 Entrepreneur Expo

TEDCO 2015 Entrepreneur ExpoI am pleased to share that TEDCO has asked me to speak at their annual Entrepreneur Expo on the topic of cybersecurity technology and trends along with CyberPoint CEO Karl Gumtow. TEDCO’s 2015 Entrepreneur Expo will take place Tuesday, November 17, 2015 at the BWI Marriott (1743 W Nursery Rd, Linthicum Heights, MD 21090). TEDCO has put together a great program and line up of speakers, and I hope you will join us for what is sure to be an educational and inspirational day of community building.

My Session Information

Track: Tech Trends
Session Title: Seeing All in Cyber-Security
Time: 1:35 – 2:05

Description: The format will be the smaller company “interviewing” the larger company on cybersecurity technology and trends. We’ll be discussing topics like what is the hottest thing in the market, how do large companies see the market, where do they and other large corporations find technologies, what are they looking for, where do they look and more.

Session Timeline:
Introduction of speakers – 1-2 min
Interview – 15 min
Q&A from the audience – 10 min

Have any cybersecurity technology questions or topics you’d like us to discuss? Tweet us at @LightPointSec using the hashtag #E2E15 with your topics.

To register for the 2015 Entrepreneur Expo click here.

Light Point Security CEO, Zuly Gonzalez, to Speak at CyberMaryland 2015
Posted on by Beau AdkinsCategories Events, SecurityLeave a comment on Light Point Security CEO, Zuly Gonzalez, to Speak at CyberMaryland 2015

Our CEO, Zuly Gonzalez, will be speaking at the CyberMaryland 2015 Conference later this week. She will join other cybersecurity founders on a panel discussion about their experiences with the Northrop Grumman and bwtech@UMBC CYNC Program as part of the conference’s Cyber Innovation Track. If you will be attending the CyberMaryland Conference, stop by Room 303 on Thursday, October 29 from 9:45am – 10:30am to hear about industry partnerships and the benefits they provide to growing cybersecurity companies.

If you plan to attend the conference, but haven’t registered yet, use our discount code SpeakerGuest to receive a 25% discount off of your registration.

Presentation Information

Model of a Successful Industry Partnership – Northrop Grumman at bwtech@UMBC Cyber Incubator: CYNC Program

The Northrop Grumman Cync Program is a unique partnership between Northrop Grumman and the bwtech@UMBC Cyber Incubator, with an eye towards commercializing technology to protect the nation from a growing range of cyber threats. The Northrop Grumman Cync Program builds on bwtech@UMBC’s successful business-incubation framework by offering a scholarship program for companies with the most promising cybersecurity solutions. Selected participants are able to draw on UMBC’s extensive research resources, bwtech’s programming and entrepreneurial services, and Northrop Grumman’s technical and business advisory support to further the development and market readiness of CYNC company technologies. Hear from four innovative product companies currently in CYNC and members of the CYNC Executive Committee.

Moderator
Ellen Hemmerly, Executive Director and President, UMBC Research Park Corporation and Special Assistant to the Vice President for Institutional Advancement at UMBC

Speakers
Mike Gormley, Vice President for Government Services, Ayasdi
Christopher Valentino, Director, Contract Research and Development Cyber Solutions Division, Northrop Grumman Information Systems
Tim Gooch, CEO and Executive Director, iWebGate
Gregg Smith, CEO, OptioLabs
Zuly Gonzalez, Co-founder and CEO, Light Point Security
Dr. Jennifer Reynolds, Director of Venture Creation, bwtech@UMBC

Zuly Gonzalez at the CyberMaryland 2015 Conference

The Cybersecurity 500 Recognizes Light Point Security As One of the Top Innovators in the World
Posted on by Zuly GonzalezCategories Light Point Security Update, SecurityLeave a comment on The Cybersecurity 500 Recognizes Light Point Security As One of the Top Innovators in the World

Light Point Security Top 500 Cybersecurity Company In The WorldI am excited to share that Light Point Security has been named one of the top 500 cybersecurity companies in the world. How exciting and cool is that! We are honored that our Browser Isolation technology is being recognized at a global scale. Cybersecurity Ventures released their Q3 2015 edition of the Cybersecurity 500, which is a global compilation of the world’s hottest and most innovative cybersecurity companies, and we are thrilled to be included among the best of the best.

The Cybersecurity 500 companies were selected based solely on merit – companies could not apply to get on the list, nor could they pay to get on it. The criteria used to select the 500 companies includes:

  • Cybersecurity Sector (market category)
  • Problem(s) Solved
  • Customer Base
  • Feedback from CISOs and Decision Makers
  • Feedback from IT Security Evaluators & Recommenders
  • Company Growth
  • Media Coverage
  • Notable Implementations
  • Founder and Management Pedigree

The full press release can be found here.

Light Point Security Ranked 471 On The Cybersecurity 500

Why Light Point Security is all about ‘isolation’
Posted on by Zuly GonzalezCategories Light Point Security Update, Security, Web SecurityLeave a comment on Why Light Point Security is all about ‘isolation’

Why Light Point Security is all about ‘isolation’Stephen Babcock, the Lead Reporter for Technical.ly Baltimore, recently interviewed me for a feature story on “Why Light Point Security is all about ‘isolation’” where we discussed Light Point Security’s technology, why isolation is better than detection and our latest partnerships. In case any of you missed it, below is an excerpt from the story.

 

 

Light Point Security is looking to pick up some new customers.

The cybersecurity firm, which is based out of bwtech@UMBC, recently inked a pair of new deals that are designed to grow the customer base, said CEO Zuly Gonzalez.

The five-person company makes a product called Light Point Web, which protects users’ computers from malware by providing a separate server for browsing. That separate server ensures that malware never reaches the users’ computer.

Gonzalez said it’s a different approach from other cybersecurity products, which rely on algorithms to detect potential threats.

“There’s so much new bad stuff being created everyday that these algorithms can’t keep up,” Gonzalez said. “We take a different approach. Our security is based on isolation.”

You can read the full story on Technical.ly Baltimore’s website here.

Light Point Security Partnership With Raven Data Technologies Provides MSPs With Additional Hosting Option
Posted on by Zuly GonzalezCategories Light Point Security Update, Light Point WebLeave a comment on Light Point Security Partnership With Raven Data Technologies Provides MSPs With Additional Hosting Option

Raven Data Technologies and Light Point Security Partner to deliver hosting for MSPsWe are excited to announce our partnership with Raven Data Technologies, an IT Solutions Company serving the MD, DC, VA, and PA region that specializes in providing security services to Managed Service Providers (MSPs). Raven Data Technologies combines decades of IT experience, risk management, and network security to deliver enterprise level IT solutions to businesses of any size, and we are thrilled that they have chosen to include Light Point Web Enterprise among their best-in-class managed security software offerings.

Light Point Web is a browser plugin that provides malware-free web browsing by transparently launching browsing sessions on a server-based virtual environment, thus preventing any website content (and possible malware) from ever reaching your computer.

Light Point Web offers flexible deployment options for every need: a cloud version for those that don’t want to deal with the hassle of maintaining their own servers, an on-premise version for enterprises that want more control, and now with our Raven Data Technologies partnership, a third-party hosted solution for Managed Service Providers that want to provide their clients with unmatched web security but don’t want to set up and maintain their own Light Point Web servers.

After vetting the Raven Data Technologies team we have selected them as our hosting partner for MSPs for their extensive security expertise and their vast knowledge of MSPs and their needs. Raven Data Technologies will now serve as our hosting partner for MSPs by hosting and maintaining the Light Point Web server infrastructure for them. Raven Data will also provide them with value added services, like technical support and client- and server-side upgrades.

To learn more about Raven Data Technologies and how they can help you secure your business, visit their website or follow them on Twitter.

Baltimore County Awards Light Point Security $105,000 Through Their Boost Fund
Posted on by Zuly GonzalezCategories Light Point Security Update1 Comment on Baltimore County Awards Light Point Security $105,000 Through Their Boost Fund

Light Point Security Recipient of Boost Fund ProgramBaltimore County, Maryland announced the winners of their inaugural Boost Fund Program, and we are thrilled to announce that Light Point Security, the pioneer of Browser Isolation technology, is among them!

The Baltimore County Boost Fund Program provides small, minority-owned, women-owned and/or veteran-owned businesses in Baltimore County with capital to boost their businesses and economic growth in the County.

Light Point Security is happy to have received $105,000 through the Boost program, and we look forward to putting it to good use.

The seven recipients of the Boost Fund were announced by Baltimore County Executive Kevin Kamenetz and UMBC President Dr. Freeman A. Hrabowski, III during a press conference at bwtech@UMBC.

We congratulate the other six winners and wish them much success in growing their companies!

Thank you Baltimore County for your continued support of Light Point Security!

Light Point Security Awarded $105,000 From the Boost Fund

 

Light Point Web Integrates With Metascan Online to Protect Against Malicious Downloads
Posted on by Beau AdkinsCategories Computer Security, Light Point Security Update, Light Point Web, Security, Web SecurityLeave a comment on Light Point Web Integrates With Metascan Online to Protect Against Malicious Downloads

OPSWAT LogoWe recently added a new feature to our Remote Browser Isolation product, Light Point Web, that warrants some extra recognition. We have added a server-side integration with OPSWAT’s Metascan Online service to provide yet another best-in-class layer of security for our users.

Metascan Online is a cloud service that can scan files with over 40 anti-virus engines, and do so in a matter of seconds. The fact that Metascan Online uses so many anti-virus engines is important. Just because one anti-virus engine claims that a file is safe, it doesn’t mean it is. It could be safe… or it could just be that this is a newer virus that has not been identified by that anti-virus vendor yet. It is actually common for new malware to only be identified by a small number of the anti-virus engines. With Metascan Online using so many anti-virus engines, we can get a much greater level of confidence that a safe file is indeed safe.

With our integration with Metascan Online, our users will get an extra level of assurance that every file they download is safe without having to wait around for the results. We offer this service for no extra charge for our cloud users.

How Does It Work?

When a user wants to download a file, Light Point Web will ask for their permission. If they say yes, that file will be downloaded to the Light Point Web server. Light Point Web will then ask Metascan Online to scan that file. If it is safe, the file is streamed to the user’s computer and the user is informed of the scan results.

LPS download no threats detected

If, on the other hand, the file is found to be malicious, the download is blocked and a message informs the user why.

LPS download threat detected

This all happens seamlessly to the user, so no extra work is required by the user to get this additional layer of protection.

Coming soon: If a file is found to be malicious, the dialog will also include a link to the scan results so that you can see further details on the threat detected and which engines detected it.

Enterprise Options

For our enterprise customers, we offer a couple of options: Metascan Online or Metascan on-premises. OPSWAT offers both a cloud version and an on-premise version of Metascan. This gives our enterprise customers the flexibility of choosing the option that works best for them.

If you are interested in learning more about how Light Point Web protects you while browsing the web, contact us, or sign up for a free trial to experience worry free web browsing for yourself.

Light Point Security CEO to Present at Columbia TechBreakfast
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, Light Point WebLeave a comment on Light Point Security CEO to Present at Columbia TechBreakfast

Light Point Security to present at TechBreakfast eventWe’re excited to be presenting at the Columbia TechBreakfast tomorrow morning. TechBreakfast is a national organization with over 4,700 members in just the DC, Maryland, Virginia area, and over 7,000 members nationwide, with events in Silicon Valley, New York City, Austin, Philadelphia, and Boston, among others. TechBreakfast is a monthly demo-style event where entrepreneurs, techies, developers, designers, business people, and interested people see showcases on cool new technology in a demo format and interact with each other. The presenters have 7 minutes to demo and showcase their technology, followed by 3 minutes of Q&A from the audience.

We’re thrilled to have been selected to present at the TechBreakfast event in Columbia, MD tomorrow July 9 from 8:00am to 9:30am at the Loyola Columbia campus (8890 McGaw Rd #130, Columbia, MD). We demoed Light Point Security’s flagship product, Light Point Web, at last year’s Columbia TechBreakfast and had a lot of fun. We’re looking forward to giving the audience an update since last year and demonstrating Light Point Web’s new capabilities.

We hope you’ll join us. You can register to attend the free event here. Won’t be able to make it? Don’t despair. We’ll also be presenting at the Baltimore and Annapolis TechBreakfasts this fall.

Light Point Security Named Finalist for 2014 Maryland Incubator Company of the Year
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Light Point Security Named Finalist for 2014 Maryland Incubator Company of the Year

Maryland ICOY 2014We are pleased to announce that Light Point Security, the Browser Isolation pioneer, has been chosen as a finalist for this year’s Maryland Incubator Company of the Year (ICOY) Awards for the Best Cyber Security Company category. The Maryland ICOY awards support current clients and graduates of Maryland incubators by helping increase awareness and visibility for promising young companies.

The finalists were chosen by a team of more than 3 dozen industry experts and investors. The winners will be announced at the ICOY awards ceremony, which will be held at the American Visionary Art Museum in Baltimore on Tuesday, June 10.

We are thrilled that Light Point Security continues to receive industry recognition for the amazing work we are doing to stop web-based threats.

Light Point Security Named 2014 Emerging Tech Company of the Year by the Howard Tech Council
Posted on by Zuly GonzalezCategories UncategorizedLeave a comment on Light Point Security Named 2014 Emerging Tech Company of the Year by the Howard Tech Council

Light Point Security named 2014 Emerging Tech Company of the Year by the HTC

We are pleased to announce that the Howard Tech Council (HTC) has named Light Point Security the 2014 Emerging Tech Company of the Year! It’s a great honor to be recognized for a second year in a row by the HTC Tech Awards. Last year we took home the prize of Cybersecurity Company of the Year.

The Howard Tech Council is at the epicenter of the local tech community, and fuels innovation throughout Howard County and Central Maryland. Light Point Security is a proud and active member of the HTC.

Light Point Security, Browser Isolation pioneer, will be featured during this year’s HTC Tech Awards Ceremony at the Johns Hopkins Applied Physics Lab Kossiakoff Center on May 28. This year’s keynote speaker is Christine Furstoss, the Technical Director for Manufacturing and Materials Technologies based at GE’s Global Research Center in Niskayuna, New York. She is responsible for working with leadership and R&D teams across the company, as well as with strategic partners, to assess, set strategy for growth, and implement critical process and materials developments for industry-leading products and manufacturing. In addition to working with the product teams across the company, Christine leads approximately 450 researchers at GE Global Research.

Please join us in what is sure to be a fun and engaging night as we celebrate another great year for our team at Light Point Security.

Light Point Security Named Top 3 Cybersecurity Company in the InvestMaryland Challenge
Posted on by Zuly GonzalezCategories Events, Light Point Security Update1 Comment on Light Point Security Named Top 3 Cybersecurity Company in the InvestMaryland Challenge

Light Point Security named top 3 cybersecurity company in the InvestMaryland Challenge We are very excited to announce that Light Point Security, the Browser Isolation pioneer, has advanced to the final 3 cybersecurity companies in the InvestMaryland Challenge! The InvestMaryland Challenge is a national business competition that will award $100,000 to the winner.

A total of 260 companies applied across four categories: Information Technology, Cybersecurity, Life Sciences and General. The most innovative company from each of the four categories will be selected to win the $100,000 grand prize.

The winner will be announced on May 19 during the InvestMaryland Challenge Awards Ceremony at the National Aquarium in Baltimore. The awards ceremony will feature Maryland Governor Martin O’Malley and DBED Secretary Dominick Murray. A reception, remarks from public officials and the presentation of awards will be followed by an opportunity to explore the aquarium.

We hope you will join us at the awards ceremony as we celebrate Light Point Security’s success as one of the nation’s top cybersecurity companies!

The Weakest Link in Your Company’s Security
Posted on by Joanie NelsonCategories Computer Security, SecurityLeave a comment on The Weakest Link in Your Company’s Security

Employees are the weakest link in your securityAre your employees creating a security risk in your company? Did you know that employees were the second highest cause for data breaches, after criminal attacks? Here are some common ways well-meaning employees can cause data breaches:

1. E-mail

People are quick to trust banks, universities, and friends, and will instinctively want to open the email and click on the link. Even when the mail filter sends the e-mail to the junk/spam folder, employees have been known to open that email anyway, because the subject line has caught their interest.

Not only are employees targets, but contractors working for companies are targets as well. It was recently noted that the massive Target breach last year was initiated through a phishing e-mail to Target contractors working for an HVAC company. This incident is proof that when employees open emails, not only is your company data at risk, but your customer data is as well.

2. Links

Shortened links can fool anyone, especially when it seems it’s from a trusted source, such as a news source. It’s always a good idea for employees to expand the shortened link to see where it’s taking them, before clicking on the link.

3. Ads

Online advertising is growing every year, and with that growth comes more malware. How easy is it to accidentally click on an ad? It’s very easy! I did this two weeks ago on accident. I have been a Mac user for 6 years and my previous time using Windows had been nearly erased from my memory. I felt clumsy bumping around that operating system. When I went to go download an open source program for a class, I hit download. And then I hit run. As I was watching it load, within 15 seconds I knew this was not the program I needed, but it was too late. I had loaded mysearchdial and it was proud to be on my computer. It didn’t want to leave. Luckily, it was just that and nothing more nefarious.

On my Mac, the ad above the real download link was something unrelated to the page. I could easily tell the difference.

Ad on my Mac. Notice it’s a Google link. An obvious Google link.
Ad on Windows.

On Windows, I was easily fooled. Had I paid more attention, I would have noticed it was an ad. If I had squinted my eyes more I would have seen the word advertisement. Imagine how easy it is for an employee to do this and possibly cause a major issue for their company, not to mention their customers.

What Can a Business Do to Protect Against Employee Missteps?

Security training and awareness for employees can go a long way. Some may not know to leave the junk mail in the junk mail folder. They may not be able to help their curiosity because the subject line or link is just too enticing. If it seems too good to be true, you’re probably right. A simple training meeting could bring the needed security awareness to the company and possibly mitigate employee negligence.

However, while security awareness training is helpful, it’s not enough on its own. The hard truth is that your employees will never care as much about your company’s security as you do. If they receive an especially enticing link, and even if they have been trained to ignore it, they may still feel it’s worth the risk to take a quick peek.

And in a perfect world where all your employees followed all of their training perfectly, they can still be putting your company’s security at risk. For example, earlier I stated that shortened links should be expanded before clicking. What if it points to a well-known, reputable news site? Their training would say it’s safe to click. But even the most well-known, most reputable sites can and have been hacked to spread malware to its visitors. This is a problem that goes way beyond training and trust.

This is the problem that we solve. When employees use Light Point Web, your security no longer depends on training and trust. Light Point Web can allow your employees to browse the web without any sites reaching your computers. So the most dangerous site in the world poses no more threat than the safest site in the world. You can set policies to say what types of files employees can download, from what sources, or stop them from downloading anything at all. Clicking links in email will automatically launch it in Light Point Web, because it integrates seamlessly into your standard browsers.

If you are interested in learning more about how Light Point Web can protect your business, contact us.

As cyber attacks multiply, so do insurance policies that cover damages
Posted on by Zuly GonzalezCategories Computer Security, Light Point Security Update, SecurityLeave a comment on As cyber attacks multiply, so do insurance policies that cover damages

Baltimore Business Journal interviews Zuly GonzalezRyan McDonald, the Digital Producer for the Baltimore Business Journal, recently interviewed me for the publication’s latest cybersecurity story, “As cyber attacks multiply, so do insurance policies that cover damages,” where he discusses the pros and cons of purchasing cybersecurity insurance and how to go about it. I thought it was worth sharing here on our blog in case any of you missed it. Below is an excerpt from the story.

 

In the wake of high-profile security breaches that have affected major companies and universities, a growing number of firms are pushing a relatively new product for businesses: cyber security insurance.

American International Group Inc. is the latest big name to introduce a new offering. AIG this week announced it has started offering cyber security insurance to cover property damage and bodily injury.

“More insurance companies are jumping on that bandwagon and starting to offer cyber insurance,” Zuly Gonzalez, CEO of Baltimore-based cyber firm Light Point Security said.

The question for businesses is whether such policies are worth the money.

While purchasing cyber insurance could help your business alleviate some of the damages associated with a possible security breach, it may not be the right fit for every business owner.

“You have to make a decision on where you fit in terms of your risk profile,” Gonzalez said.

Companies should take the time to research the costs and benefits of cyber insurance, she said

You can read the full story on the Baltimore Business Journal’s website here.

The Use of Booth Babes – a Marketing Tactic Past Its Prime
Posted on by Zuly GonzalezCategories OpinionLeave a comment on The Use of Booth Babes – a Marketing Tactic Past Its Prime

Please welcome Joanie Nelson! Joanie is our Marketing Assistant and since this is her first post on the site I thought I would give her a proper welcome. You’ll be seeing more posts from Joanie in the coming weeks.

There have been discussions among security professionals over the last week on the practice of using booth babes at tradeshows to attract foot traffic. We’ve also been discussing the issue internally and I asked Joanie to share her thoughts in a blog post. What follows is her post.

The number of booth babes at RSA is too damn high

The concept of “booth babes” has been around since 1967, when the first Consumer Electronics Show was held in New York City. Back then, they were known as “CES Guides,” a title that has been replaced with a less discerning one, “booth babes.” Since then, the marketing ploy has drifted into other technology trade shows and events, such as RSA.

Chenxi Wang, Ph.D., is the VP for Market Intelligence at Intel Security. She and many others are tired of this “old school” practice and she wants change. Tired of seeing booth babes year after year show up at the RSA conference, this year in particular, she was wholly turned off by the booth babes. After a year of controversial stories and news directly affecting the security sector, she was surprised to still see booth babes. She took to her blog, where she states her case for why booth babes need to go. Instead of the yearly rants and commentary on the presence of booth babes, she wants actual change. For women who are wanting to enter IT (like myself) and for future generations of girls, changing the dialogue could represent a powerful change in dynamic.

The security industry is dominated by men, something that is widely known. The purpose of these conferences is for companies to show off their new products and solutions. In 2014, the norm for conferences and trade shows should be to focus on the product and not market to majority using booth babes. At what point do companies realize they aren’t promoting their brand, but they are hurting their brand when they objectify a gender.

Winn Schwartau made his opinion known last year after the 2013 RSA Conference, where he states that he is, “offended that vendors can come up with amazing technologies but still find it necessary to resort to tickling the male amygdala to attract traffic to their booths.” He also states what is probably a more popular thought on this marketing technique in the security sector, is that most people are more interested in the technology and don’t want to see scantily clad women at booths.

Moreover, using these booth babes to draw in people, often brings the lower level professional, who isn’t there to buy services, but to check out the booth babes. Spencer Chen noticed this, when he put the booth babe marketing tactic to use. He found that his theory that booth babes don’t bring in more deals, leads, or foot traffic to be true.

For the security industry, it’s fair to say that most professionals want to be impressed by the technology. They want to know more about it and in detail. When wanting to know how a product can help protect your business or interests, who can take a woman in platform shoes and barely there clothing very seriously? In fact, it’s fair to assume most security professionals at RSA or another technology event would see through this kind of marketing and wonder what’s wrong with this product that they put it behind booth babes and not market it for a more technical oriented crowd; a crowd intelligent enough to see through the booth babes.

The bottom line on booth babes is they don’t add value to a booth. The focus should always be on the product. Attention should never be taken away from the brilliance of a solution. Staffing knowledgeable people, whether men or women, should be priority for companies who want to sell their technology to people who understand technology.

Light Point Security Selected As a Finalist in the 2014 InvestMaryland Challenge
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Light Point Security Selected As a Finalist in the 2014 InvestMaryland Challenge

Light Point Security advances in the InvestMaryland ChallengeWe are excited to announce that our Browser Isolation company, Light Point Security, has advanced to the final 6 companies of the InvestMaryland Challenge in the Cybersecurity category. The InvestMaryland Challenge is a national business competition aiming to help fund promising startups. This year there are 4 categories, and one winner will be chosen from each. Each winner will receive a $100,000 grant.

A total of 260 companies applied this year across four catagories: Information Technology, Cybersecurity, Life Sciences and General. A total of 41 finalists are still in the running for the 4 top prizes.

The next phase of the competition will be a face-to-face pitch to the judges. Each company will give a 15 minute presentation, followed by a 10 minute Q&A session. The final winners will be announced at an awards ceremony in April.

We are honored to have been selected as a finalist in the competition, and there are still a lot of great companies in the running. Please wish us luck!

Say Hello to Our New CEO – Zuly Gonzalez
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Say Hello to Our New CEO – Zuly Gonzalez
Zuly Gonzalez - CEO of Light Point Security
Zuly Gonzalez – CEO

When I first had the idea for what is now Light Point Web years ago, I knew that I needed a partner to help me turn it into a business. Zuly Gonzalez joined me as that partner, and her initial role was as our CFO. After things got rolling with our company, it quickly became obvious that she could do much more than that. So we refocused our roles: I would be the CEO and CTO, and she would be the COO and CFO.

But if you have ever met or talked to Zuly, you will know she never fails to impress. She has been doing a lot of public speaking for our company, she talks to customers, she coordinates sales, pilots, and partnerships, and she keeps us in the news.

In short, she has become the face of the company. Light Point Security is a high tech company on the bleeding edge of the next wave of computer security. As such, my role as CTO leaves me with no time to perform the CEO role. All these things combined left me with a decision to make with an obvious answer.

I have decided to step down as the official CEO of Light Point Security, and name Zuly Gonzalez as the new CEO.

These roles are better suited to each of our skillsets. Zuly has been performing above and beyond as our COO, so if she keeps doing what she has been, she will be a terrific CEO. I can now stay focused on what I do best; making technical innovations and keeping our customers safe online.

Please send your congratulations and wishes of good luck to Zuly on Twitter at @ZulyGonz.

Light Point Security: One of Maryland’s Cyber Warriors
Posted on by Zuly GonzalezCategories Light Point Security Update, Security, StartupsLeave a comment on Light Point Security: One of Maryland’s Cyber Warriors

Light Point Security is one of Maryland's hottest cybersecurity companiesThe CyberMaryland initiative published a very nice booklet titled “CyberMaryland: Meet Maryland’s Cyber Warriors” that showcases the many resources, opportunities and companies in Maryland’s cybersecurity ecosystem. The booklet was promoted during last week’s CyberMaryland 2013 Conference and will also be available at the RSA 2014 Conference.

Part of the booklet focused on showcasing Maryland’s hottest cybersecurity companies, and Light Point Security was one of the few companies chosen. We are honored to be mentioned alongside some of Maryland’s most successful cybersecurity companies like Sourcefire (who was acquired by Cisco for $2.7 billion just a few days ago), Tenable and Lockheed Martin.

Our CEO, Beau Adkins, sat down for a one-on-one interview with CyberMaryland. Below is the interview.

Q: How did you start out – what is the “backstory”?

A: We started Light Point Security because we recognized that the security industry was in desperate need of true innovation.

My co-founder, Zuly Gonzalez, and I are both former NSA employees with over 23 years of combined experience in offensive and defensive security. At NSA we worked on some of the most challenging security problems facing our nation. We realized that our national security was in jeopardy if the security industry kept going down the same path of attempting to detect malware after it had already reached the network.

We also saw how the impact of malware went well beyond the initial infection, in some cases causing companies to go out of business. We saw a huge opportunity, had the right skills to solve the problem and cared deeply about solving it. This lead to our decision to leave our secure government jobs to start Light Point Security, and create a product that truly protects you from web-based malware. We are dedicated to changing the way security professionals think about security.

Q: Who are your customers?

A: Our customers are enterprises in industries that deal with sensitive, confidential or proprietary information. For example, the financial, banking and defense industries. We have also had great success working with companies offering products that complement Light Point Web Enterprise.

Q: What makes you stand out from your competition?

A: Computer security hasn’t changed much in the last decade. Current security products rely on detecting malware in order to protect the user. The problem with this approach is that the rate of growth at which malware is being created on a daily basis makes it impossible for these detection-based products to keep up. As a result, malware easily evades these defenses and wreaks havoc on an enterprise.

Instead of trying to detect malicious software, our award-winning product assumes all web content is malicious and isolates it in a disposable container where it can do no harm. Furthermore, it happens automatically and invisibly to the employee, and without the need for constant updates. Light Point Web Enterprise requires no change in user behavior, no user training and no additional programs for the employee to deal with. They simply browse the web the way they always have, but with a level of protection no other security product can offer.

Q: Where do you see the company in 3 or 5 years?

A: Light Point Security will be a nationally recognized name in enterprise security, and a leader in the isolation-based security space. Light Point Security will be a center of cybersecurity innovation in Maryland, with a suite of products to protect our customers from even the most advanced malware. With a company culture that encourages innovation, Light Point Security will be the place where security professionals from all over the country will want to work.

Q: Why is Maryland so important to your organization?

A: Being headquartered in Maryland is the ideal location for cybersecurity companies. Fort Meade, other federal installations and top notch universities have been attracting cybersecurity talent to the state for years. With the high demand that is being placed on cybersecurity experts, hiring the best of the best can be challenging, but it is crucial to the success of a company. Tapping into Maryland’s thriving community of security professionals gives Light Point Security a competitive edge.

In addition, the abundance of cybersecurity resources, like the bwtech@UMBC Cyber Incubator, and Maryland’s dedication to growing the cybersecurity industry in the state means that there is no better place in the country to start and grow a business like ours.

 Light Point Security one of Maryland's cyber warriors

Light Point Security Advances to the Final 5 of the Wall Street Journal’s Startup of the Year
Posted on by Zuly GonzalezCategories Light Point Security Update, Startups3 Comments on Light Point Security Advances to the Final 5 of the Wall Street Journal’s Startup of the Year

Light Point Security Wall Street Journal Startup of the YearAs most of you know, Light Point Security was one of 24 companies selected to participate in the Wall Street Journal’s Startup of the Year series. Since the series launched on June 24, we’ve participated in several tasks and have had to endure 3 elimination rounds. We are happy to report that we survived the latest elimination round on Sept 26! This puts Light Point Security, the Browser Isolation pioneer, in the top 5 most innovative and risk-taking startups in the nation according to the WSJ. We are pretty darn proud of that!

Many thanks to everyone that has supported us through out this competition! You can catch up on all our videos by going to Light Point Security’s profile page on the WSJ. And while you’re at it, please take a second to vote for Light Point Security. We would love your vote!

Here’s the video announcing the final 5 companies of the Wall Street Journal Startup of the Year:

Light Point Security CEO to Moderate CyberMaryland 2013 Panel on Cybersecurity Innovation and Trends
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, Security1 Comment on Light Point Security CEO to Moderate CyberMaryland 2013 Panel on Cybersecurity Innovation and Trends

CyberMaryland 2013 Light Point Security Panel

We’re looking forward to the CyberMaryland 2013 Conference being held Oct 8 – 9 at the Baltimore Convention Center in Baltimore, MD. CyberMaryland is a unique conference spanning two days during Cybersecurity Awareness Month that will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors.

Not only will it be an opportunity for us to catch up with old friends, but our CEO, Beau Adkins, will be moderating an excellent panel on cybersecurity innovation and future trends. The idea for the panel stemmed from the fact that we wanted to get some of the best minds in security together to have a candid discussion on the current issues facing the industry and how they see innovation and trends evolving over time to combat the threat.

Panel Title

What’s Here, What’s Coming and What to Do About It

Panel Abstract

Listen in on a lively discussion of today’s and tomorrow’s trends in cyber security led by a panel of the area’s top minds in the field. The panel will include CISOs, founders of cyber security contracting companies and creators of next generation cyber security products from the healthcare, finance, government and commercial sectors. Learn what these individuals see every day and what they do to protect against them. Find out what they expect to encounter in the months and years ahead, and what they are doing to prepare.

Each panelist will take a deep dive into today’s threat landscape for their industry and share the tactics they employ to protect against them. They will discuss the current trends and innovations occurring within the industry and share their predictions of what’s to come in the next few years.

Panelists

  • Moderator – Beau Adkins, Co-founder and CEO at Light Point Security
  • Panelist #1 – Jason Taule, Chief Security and Privacy Officer at FEi Systems
  • Panelist #2 – John Harmon, Partner at Tactical Network Solutions
  • Panelist #3 – Jeff Huegel, Executive Director, Cloud, Hosting and Applications Security at ATT
  • Panelist #4 – Dana Pickett, CISO and CPO at Allegis Group

Panel Format

  • Introduction: What is cybersecurity? (3 – 5 minutes)
  • Panelist introductions (5 minutes)
  • Panelist discussion
  • Questions from audience (10 – 15 minutes)
  • Closing remarks (5 – 10 minutes)

Panel Time

Wednesday October 9, 2013 11:15am – 12:00pm

Do you have a specific question or particular topic you would like to hear the panelists discuss? Submit your questions and topic suggestions to us via Twitter or email. Looking forward to our panel? Let us know on Twitter using hashtag #CyberMD2013.

Register for the conference here. If you are a full-time college student you can attend the conference for free if you register by Oct 1 and use discount code UMstudent.

Light Point Security Advances to Final 10 in Wall Street Journal’s Startup of the Year
Posted on by Beau AdkinsCategories Light Point Security Update1 Comment on Light Point Security Advances to Final 10 in Wall Street Journal’s Startup of the Year

Light Point Security selected as a WSJ Startup of the YearAs we mentioned before, the Wall Street Journal selected Light Point Security, the Browser Isolation pioneer, as a contender for their inaugural Startup of the Year competition. When the WSJ Startup of the Year series launched in June Light Point Security was one of only 24 startups, chosen from more than 500 companies across the country. We are excited to announce that Light Point Security has advanced to the final 10 remaining companies!

The first round of eliminations went from 24 companies down to 20. In the second round of eliminations, the WSJ editors narrowed the field down from 20 companies to 10. Here is a short video from the Wall Street Journal announcing the final 10 companies.

We are honored and very excited to have made it this far in the competition. Take a look at our profile page on the WSJ site to see our behind the scenes videos. And be sure to take a second to vote for us!

SmartCEO Magazine Talks to Beau Adkins About Overcoming Challenges
Posted on by Zuly GonzalezCategories Light Point Security UpdateLeave a comment on SmartCEO Magazine Talks to Beau Adkins About Overcoming Challenges

SmartCEO LogoSmartCEO magazine recently published a story about how real CEOs overcome the challenges they face day-to-day. Our own CEO, Beau Adkins, was featured in the story. SmartCEO is an exclusive community of CEOs and business executives, highly regarded mentors and well-respected thought leaders whose experiences benefit their own organizations and the communities in which they serve. SmartCEO’s mission is to educate and inspire the business community.

Beau was asked about some of the most common challenges he faces day-to-day at our Browser Isolation company, Light Point Security, and how he overcomes them. His answers are below…

Beau Adkins in SmartCEO MagazineWhen we first approach people at shows or when giving demos, I can tell they think we are just going to show them something they have seen 1,000 times before. But when we show them we are actually doing something that hasn’t been done before, their eyes light up, and they start getting excited. The other challenge is that the security industry is totally based on trust. Customers have to trust that you have the ability to do what you say you can. If someone doesn’t have a very high level of trust in your company, there is no way they will buy your product. This trust takes a long time to build.

The old adage, “Build a better mousetrap, and the world will beat a path to your door,” is flat-out wrong. Building a better mousetrap is comparatively easy. The hard part is getting anyone to care.

Another surprise to me is the importance of networking. For a technical introvert like me, the thought of going to an event to meet and talk to strangers makes me shudder. But I have learned that this is something you have to do. When you build a network of people you know and, more importantly, people that know you, it starts to pay off. Eventually you will have a large group of people you can call on for help when you need it. These people may also come across an opportunity that is perfect for you, so they can connect you to the opportunity.

Light Point Security Named One of the Coolest Security Startups of 2013
Posted on by Zuly GonzalezCategories Light Point Security UpdateLeave a comment on Light Point Security Named One of the Coolest Security Startups of 2013

CRN MagazineWe were very excited to learn that Light Point Security was named one of the 10 coolest security startups of 2013 by CRN Magazine. Most of the awards we receive are the result of applications we have actively submitted. This one, however, was a complete surprise to us. We weren’t even aware of the fact that CRN was considering us for this award. It’s a very good feeling to wake up one morning and find out you won an award you weren’t expecting. It’s nice to know that national outlets are noticing and recognizing the innovations of Light Point Security.

Thank you to CRN and Robert Westervelt for the honor and for recognizing our Browser Isolation company!

Light Point Security named one of the coolest security startups of 2013

Building a Cybersecurity Startup in Maryland
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, Security, StartupsLeave a comment on Building a Cybersecurity Startup in Maryland

Technically Baltimore Cybersecurity EventI was invited to speak last week at Technically Baltimore’s event on Growing Maryland’s Cybersecurity Industry. They invited a series of speakers to give 4 – 5 minute lightning talks on a variety of topics that explore the growing cybersecurity industry in Maryland. The goal was to discuss how we can grow Maryland’s cybersecurity industry to create more jobs.

The event took place at CyberPoint’s beautiful Inner Harbor location in Baltimore. It was very well organized, and I very much enjoyed attending and speaking.

In my presentation I shared the story behind Light Point Security, and talked about what it’s like to build a cybersecurity startup in Maryland. I mentioned the good resources Maryland has to offer for cybersecurity companies, and also shared my thoughts on what Maryland is lacking to truly become the cybersecurity leader in the country.

As I said in my talk, the one area where I think Maryland is lacking is in funding opportunities for very early stage companies. We definitely have the intellectual resources in this region to compete with the likes of Silicon Valley, but we need to make more financial resources available to very early stage companies if we really want to be competitive with the West coast. I feel this is the last ingredient needed to make Maryland the unrivaled leader in cybersecurity.

Here’s a video of my 5 minute talk:

Also, take a look at this nice write up by Technically Baltimore on my presentation.

Light Point Security Selected As a Wall Street Journal Startup of the Year
Posted on by Zuly GonzalezCategories Light Point Security Update2 Comments on Light Point Security Selected As a Wall Street Journal Startup of the Year

Light Point Security selected as a WSJ Startup of the YearWe are very excited to announce that Light Point Security, the Browser Isolation pioneer, has been selected by The Wall Street Journal to participate in their “WSJ Startup of the Year” documentary! The documentary will be an online video series hosted on the Wall Street Journal website that tracks the progress of 24 startups over the course of 5 months. The 24 startups were selected from over 500 applications, and Light Point Security was one of the lucky few!

As part of the WSJ Startup of the Year documentary we will be paired with high profile and experienced mentors, like Sir Richard Branson, Founder of Virgin Group, Steve Case, Chairman of Startup America and co-founder and former CEO of AOL, and Steve Blank, eight-time serial entrepreneur and co-founder of E.piphany. We are thrilled and excited that we will have such great minds thinking about our business, giving us advice and helping us with our toughest challenges. It’s not every day startup founders get an opportunity to have one-on-one discussions with some of the brightest minds in the startup world!

As part of the series we will be creating our own videos where we will discuss our current issues, lessons learned and a multitude of other topics. We will also have the opportunity to contribute guest blog posts to the Wall Street Journal’s “The Accelerators” blog.

The WSJ Startup of the Year series is an elimination style competition where at the end of the 5 months one startup will be named the WSJ Startup of the Year. Please support us by voting yes for our startup here.

You can read the full press release here.

Here’s our first WSJ Startup of the Year video where we introduce ourselves and the company. Enjoy!

Light Point Security’s Springboard Dolphin Tank Pitch and Startup Showcase at Day of Fosterly 2013
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, StartupsLeave a comment on Light Point Security’s Springboard Dolphin Tank Pitch and Startup Showcase at Day of Fosterly 2013

Light Point Security at Day of Fosterly 2013We had the great opportunity of participating at the Day of Fosterly event on May 4. The Day of Fosterly conference is a full day of collaborative entrepreneurship for anyone interested in starting, growing, or exiting a business. The day was jam packed with panels, workshops, speakers and lots and lots of networking.

Light Point Security was selected to participate in two of the day’s best events: Springboard Enterprises’ Dolphin Tank and the Startup Showcase.

Springboard Enterprises’ Dolphin Tank

Springboard Enterprises’ Dolphin Tank was the first event of the day. Unlike ABC’s Shark Tank, in the Dolphin Tank entrepreneurs share their ideas without the fear that the audience will tear them to shreds. Immediately after concluding a two minute elevator pitch in front of an expert panel and a live audience, the entrepreneurs will receive feedback to help improve their pitch. It is an interactive, fast-pitch session with no slides – just the entrepreneur speaking.

Light Point Security was one of just six companies pre-selected by a group of judges to pitch in the Dolphin Tank. I (Zuly) gave the two minute company pitch and received some great feedback from the panelists. I even received some offers to connect us with potential partners.

Startup Showcase

Wrapping up the day’s activities was the Startup Showcase and Reception. It was a one and a half hour session designed to showcase the region’s hottest startups. The companies invited to participate in the Startup Showcase were pre-selected by the Fosterly team, and given a table to demo their products and showcase what make makes them so special.

Light Point Security was one of the hot startups invited to participate in the Startup Showcase. We gave lots of demos, and spoke to a wide range of folks spanning from cyber security executives to investors to other entrepreneurs. We received lots of positive feedback during our demos.

Our Thoughts

We were really impressed with the overall quality of the day. The Fosterly team managed to attract high quality speakers and attendees, which made networking at the event extremely valuable. And they did a great job organizing interesting and valuable sessions for entrepreneurs. It was a great way to connect with the local startup community, and build new relationships.

The Light Point Security team got a lot out of attending the Day of Fosterly. I hope they do it again next year, and I would encourage all local entrepreneurs to attend.

Light Point Security Presents at the NVTC Entrepreneur Spotlight Event
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, StartupsLeave a comment on Light Point Security Presents at the NVTC Entrepreneur Spotlight Event

Light Point Security presents at NVTC Entrepreneur SpotlightWe are pleased to announce that Light Point Security was selected by the Northern Virginia Technology Council (NVTC) to present at their Entrepreneur Spotlight event on May 2, 2013 at Ernst & Young in McLean, VA.

Entrepreneur Spotlight provides early stage startups an opportunity to present their concept in front of an audience of accredited investors. The Entrepreneur Spotlight program allows investors to hear from exciting and innovative startups, and focuses on companies that are truly in the startup phase and may only be looking for small amounts of funding.

Light Point Security was one of only 5 startups selected for this great opportunity. During the event, we were given 5 minutes to present our business, followed by a 10 minute Q&A session from a panel of investors.

Light Point Security to Present at Mid-Atlantic Venture Association’s TechBUZZ Spring 2013 Event
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, StartupsLeave a comment on Light Point Security to Present at Mid-Atlantic Venture Association’s TechBUZZ Spring 2013 Event

Light Point Security to present at TechBUZZ Spring 2013We are pleased to announce that the Mid-Atlantic Venture Association (MAVA) selected Light Point Security out of more than 125 companies to present at their TechBUZZ Spring 2013 event.

TechBUZZ is the area’s premier event where MAVA shines the spotlight on the Mid-Atlantic’s hottest up-and-coming early stage technology companies. It brings together entrepreneurs and active investors to connect with one another and celebrate the strength of the tech scene in our region. TechBUZZ was launched by MAVA as a half-day seed stage conference preceding its annual Capital Connection, which features growth and later stage companies.

TechBUZZ Spring 2013 will be held on April 23 at the Bethesda Blues and Jazz Supper Club in Bethesda, Maryland. Fifteen other hot, early stage companies will join us on the TechBUZZ stage. The event will also feature stories from local Rock Stars, John Bracken of Speek and Justin Langseth of Zoomdata, as they share what they’ve learned since making their market debut at TechBUZZ in May 2012.

Please join us at this exciting event as we share our story, and engage with the local startup community. As a bonus, use discount code TBDISCLIGHTPT for $10 off any registration level! Click here to register.

You can read the full press release here.

Hope to see you there!

Microsoft Names Light Point Security BizSpark Startup of the Day
Posted on by Zuly GonzalezCategories Light Point Security UpdateLeave a comment on Microsoft Names Light Point Security BizSpark Startup of the Day

Microsoft Names Light Point Security BizSpark Startup of the DayWe are pleased to announce that Microsoft has named Light Point Security BizSpark Startup of the Day.

The Microsoft BizSpark program provides software, visibility and a support community of partners, investors and mentors to promising startups at no charge. BizSpark has more than 50,000 startups in 100 countries across 6 continents. We are proud Microsoft selected Light Point Security out of the 50,000 plus BizSpark startups for this exclusive honor.

As a BizSpark Startup of the Day, and Browser Isolation pioneer, Light Point Security is featured on the BizSpark homepage. Zuly also did an interview with the BizSpark team on culture and business advice for other startup founders. The interview covered:

  • Starting a business is an endless cycle of learning and correcting.
  • Having happy customers is crucial.
  • Integrating technology into the business plan.
  • Making the world a better place.
  • What makes someone startup material.
  • Dealing with work-life balance challenges in your startup.
  • The key characteristic of an entrepreneur.

You can read the full interview here.

Securing Your WordPress Site: Top Plugins
Posted on by Beau AdkinsCategories How To, Security, Web Security4 Comments on Securing Your WordPress Site: Top Plugins

WordPress LogoWordPress is huge. It is currently the most popular blogging system in use, and it manages 22% of all new websites. We use it for our site, and I would personally recommend it to anyone thinking of creating a new website.

However, because it is so popular, it becomes a target for hackers. Right now, automated bots are crawling the web looking for WordPress sites to attack. If you take some time to protect yourself, you can greatly reduce your chances of having a problem.

With that, I decided it would be useful to share some of the tips and tricks I have learned to protect our site. There is too much for one blog post, so I will release others over time, but I will start with the most important ones.

So, here are my recommendations for the 4 best WordPress security plugins. All WordPress plugins are easy to install, but some may take some time to configure correctly.

  1. WordPress File Monitor Plus. This plugin is used to alert you anytime a file on your site changes. When a WordPress site gets hacked, what actually happens is the attacker adds one or more files to your site, or they alter one that is already there. A WordPress installation consists of hundreds of files, so it’s very easy to blend in and not be noticed. But with just one file, attackers have the ability to change your site however they want, including attacking your site’s visitors with malware, and eventually getting you banned from Google.

    WordPress File Monitor Plus will regularly check your WordPress installation for new files, deleted files, and changed files. If it finds anything, it will send you an email with details. It is your responsibility to read these emails to see if any changes are unexpected. For example, uploading a new image, or upgrading a plugin will cause an alert. If you see something you can’t explain, investigate it immediately. This plugin will not stop you from being hacked, it will only let you know when you are attacked, and help you clean it up.

    Out of the box, this one is pretty easy to set up. You just tell it how often to scan your files. But most likely, you will want to tell it which files to not scan. For example, if you have a caching plugin, it will cause the File Monitor to tell you things over and over. The best plan is to set it up with no excludes, and when the alerts start coming in, you can identify which directories to not pay attention to anymore. Eventually, it will only tell you about important changes.

  2. Limit Login Attempts. This plugin protects you from automated password guessers. If you install this plugin, it will let you configure how many tries someone gets at logging into your WordPress site before they are locked out for some amount of time. The guess count and lockout time are configurable. If someone guesses incorrectly too many times, you will be sent an email about it, and they will be stopped from trying again for some amount of time.

    So how useful is this? You would be surprised. Once you install this plugin, you will find out that there are automated bots that will find WordPress sites, and try to brute force the password. Without this plugin, they will eventually guess it. Depending on the speed of your server, they could guess hundreds of passwords a second. With this plugin installed, they may get 6 guesses every 2 days.

    This plugin is simple to install and configure. So you have no excuse.

  3. Secure WordPress. This plugin is more of a hardener. It does a lot of little things to make an attackers life harder. While none of these things make it impossible to be hacked, they will make hacking your site harder than hacking someone else’s, and that is usually enough.

  4. TimThumb Vulnerability Scanner. There is a library called TimThumb that people use to dynamically create thumbnail images for websites. It is used by millions of sites. In 2011, a vulnerability was discovered in it that allowed attackers to easily take over any site using it. The vulnerability has been corrected, but sadly old versions are still out there years later. This vulnerability is probably still the most common way WordPress sites get hacked. This plugin will automatically determine if you are using an out of date version of TimThumb, and if so, it will upgrade it for you.

Please let me know if these recommendations helped you, or if you know a WordPress plugin that belongs on this list.

Light Point Security to Present at TechBreakfast Event
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, Light Point Web, StartupsLeave a comment on Light Point Security to Present at TechBreakfast Event

Light Point Security to present at TechBreakfast eventWe are excited to be presenting a short overview and demo of Light Point Web Enterprise at this month’s TechBreakfast event in Columbia, MD.

TechBreakfast is a monthly breakfast in Baltimore, Columbia, DC, and Northern Virginia where almost 2,000 (as of this writing the group is 3 people shy of hitting 2,000 members) entrepreneurs, techies, developers, designers and business people see showcases on cool new technology in a demo format and interact with each other. It’s “Show and Tell for Adults” where people show the innovative technology they are working on.

The format is limited to a 7 minute pitch/demo, followed by a 3 minute Q&A session. Our presentation will be similar to the one we gave at the RSA Conference 2013 Innovation Sandbox event, so those that missed RSA can catch it then. We’ll also give a live demo of Light Point Web Enterprise in action.

This month’s Columbia TechBreakfast is being held on March 12 from 8:00am to 10:00am at the Loyola Columbia campus (8890 McGaw Rd #130, Columbia, MD). Best of all it’s free to attend. Please stop by if you’re interested in connecting with us directly, or would like to learn more about Light Point Web Enterprise.

Light Point Security Advances to Round 3 of the InvestMaryland Challenge
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Light Point Security Advances to Round 3 of the InvestMaryland Challenge

Light Point Security advances in the InvestMaryland ChallengeWe are excited to announce that our Browser Isolation company, Light Point Security, has advanced to Round 3 of the InvestMaryland Challenge  in the IT category. This places Light Point Security in the final 10 to win an award of $100,000. The InvestMaryland Challenge is a business competition hosted by the State of Maryland. One winner will be selected from each of three categories, and each winner receives $100,000.

A total of 259 companies applied to the challenge. In the first round it was narrowed down to about 20 companies for each category. In the second round it was narrowed down to the top 10 in each category. The  third and final round will be judged in a face-to-face interview on Mar 5. Each company will have 15 minutes to pitch their company to a panel of judges, followed by a 10 minute Q&A session. The winner of each category will be announced on April 15 at the Governor’s Cup Awards Ceremony.

There are still a lot of good companies in the running, and we are proud to be among them. Good luck to all the finalists!

RSA Conference 2013 Names Light Point Security Finalist for Most Innovative Company
Posted on by Zuly GonzalezCategories Events, Light Point Security Update, SecurityLeave a comment on RSA Conference 2013 Names Light Point Security Finalist for Most Innovative Company

Light Point Security to present at RSA Conference 2013 Innovation SandboxWe are pleased to announce that Light Point Security has been named by RSA Conference 2013 as one of the top 10 most innovative security companies.

On February 25, Light Point Security, along with the other 9 finalists, will present at RSA Conference’s 2013 Innovation Sandbox program for a chance to be named Most Innovative Company at RSA Conference 2013. Innovation Sandbox is a gathering of venture capitalists, entrepreneurs and security professionals pioneering the future of information security. The finalists represent new technologies and strategies with the potential to transform the future of information security.

We are thrilled to be among the most innovative security companies, and we’re looking forward to attending RSA and presenting at the Innovation Sandbox. You can read the full press release here.

You can follow the action on Twitter with the hashtag #innovationsandbox or by following us at @LightPointSec.

If you’ll be at RSA, and would like to connect with us, drop us a line at info@lightpointsecurity.com.

Light Point Security Advances to Round 2 of the InvestMaryland Challenge
Posted on by Zuly GonzalezCategories Light Point Security Update, Startups1 Comment on Light Point Security Advances to Round 2 of the InvestMaryland Challenge

Light Point Security advances in the InvestMaryland ChallengeWe are excited to announce that our Browser Isolation company, Light Point Security, has advanced to Round 2 of the InvestMaryland Challenge. The InvestMaryland Challenge is a business competition hosted by the State of Maryland. They will select one winner from each of the three categories (IT Hardware & Software, Life Science and General), and each winner will receive $100,000. The Challenge will also give away a host of other prizes, like grants in specific areas, incubator space and professional services.

A total of 259 companies applied to the Challenge. In Round 1, they narrowed the field to about 20 companies per category, and Light Point Security was selected as one of the top 20 companies in the IT Hardware & Software category. For Round 2, we were asked to submit a business plan. A few of the Round 2 companies will advance to Round 3, where the winners will be selected.

There are a lot of good companies in the running, and we are proud to be among them. Good luck to all the finalists!

Light Point Web 2.1 Released
Posted on by Beau AdkinsCategories Light Point Security Update, Light Point WebLeave a comment on Light Point Web 2.1 Released

Light Point Web Malware ProtectionLight Point Security has just released Light Point Web 2.1. The 2.1 release contains lots of improvements, but the main goal was to lay the ground work for the enterprise version of our Remote Browser Isolation solution, Light Point Web Enterprise.

Light Point Web Enterprise

Previously, if you wanted to use Light Point Web, you had to connect to the Light Point Web servers running in our cloud. There are positives and potential drawbacks to this approach.

Positives of Cloud Servers
  1. The user gets anonymous browsing.
  2. The user only has to install a plugin to their browser.
  3. All server-side maintenance is handled by us.
Potential Drawbacks of Cloud Servers
  1. The user’s browsing session is occuring on a computer owned by someone else, outside of the user’s network.
  2. The distance between a user and distant cloud servers may potentially introduce latency to page loading and a user’s interactions with a page if the user is located in a region with poor cloud coverage, e.g. Africa.

Drawback #1 may not be a problem for everyone. In fact, it may actually be a positive for some customers. If an enterprise does not want to rely on a third party to host employee browsing sessions, Light Point Web Enterprise solves this problem by allowing an enterprise to host a Light Point Web server inside their network, solely for the use of their employees. As a bonus, because the server is now inside their intranet, this eliminates drawback #2 as well.

Enterprises can now get Non-persistent Desktop Browsing (known as NPDB) using our dual-layered virtualization, running on a server only they have access to.

Other Improvements

There were countless other improvements made that will enhance both the consumer and enterprise versions of Light Point Web. These include:

  • Numerous processor usage optimizations. This improvement consists of both client and server optimizations. First, algorithms in the client code were optimized to reduce processor usage and improve speed. Second, on the server we made changes to the processor scheduling to give quicker response times to user interactions.
  • Better font rendering. Previously we used the default fonts built into our Linux servers. However, most websites are designed with Windows fonts in mind. This caused words on sites to be rendered too wide, which sometimes lead to incorrect alignment of certain web page elements. We now use official Windows fonts, which results in sites being rendered the way they were designed to.
  • The ability for a user to select the best compression levels for their Internet connection speed. We now allow users to choose higher compression for slower links, and less compression for faster links. This results in the optimal performance for both cases.
  • The ability for a user to force a disconnection to the server. Previously, to end your connection with the Light Point Web server you had to either close all browser tabs using Light Point Web, or wait for the inactivity timer to disconnect you. We now added a menu item that allows a user to disconnect when they want while saving their state, so it can be resumed later.
  • Updated server-side browsing engine.
  • Updates to remain compatible with newer Firefox releases.

If you are interested in learning more about Light Point Web Enterprise, please contact us here.

Best Startup Quotes From Business of Software 2012
Posted on by Zuly GonzalezCategories Business of Software, Startups2 Comments on Best Startup Quotes From Business of Software 2012
Business of Software 2012
Image credit: Mark Littlewood

Beau and I attended the Business of Software 2012 conference. Business of Software is the best conference I have ever attended. It’s 2.5 days of awesome, intense talks given by the best of the best in the startup scene. This year the speakers included Kathy Sierra, Bob Dorf, Jason Cohen, Noah Kagan, Peldi and Dharmesh Shah.

The attendee list is also impressive. I’ve learned just as much talking to the attendees as I have listening to the speakers. I highly recommend the conference to anyone in the software business.

These are the 37 best quotes from the conference.

Kathy Sierra

  • Build something so desirable that people just have to have it. [tweet this]
  • Gamification is rarely helpful in building a sustainable business. [tweet this]
  • Gamification is a form of bribery, not loyalty. [tweet this]
  • Don’t confuse buying from gamification with loyalty. [tweet this]
  • Your product needs to be sustainably desirable without bribery or coercion. [tweet this]
  • Quality doesn’t drive desirability. [tweet this]
  • Word of mouth drives desirability. [tweet this]
  • Strive for user awesomeness, not app awesomeness. [tweet this]
  • The key attributes of a successful app don’t live in the app, they live in the user. [tweet this]
  • It’s all about making your users badass. [tweet this]

Paul Kenny

  • There’s more to learn from a qualified no than an unqualified yes. [tweet this]
  • If you win the argument, you lose the sale. [tweet this]

Dharmesh Shah

  • Before you gamify your product, decrapify it. [tweet this]
  • Work on a problem you care enough about that you’d be happy even if someone else solved it. [tweet this]
  • Build the kind of company you want to work in. [tweet this]
  • You don’t just want customers. You want crazy, loyal fans. [tweet this]
  • Technical switching costs should be low, and emotional switching costs should be high. [tweet this]

Adii Pienaar

  • Invest in branding, because it’s free. [tweet this]
  • Customer service is cheap marketing. [tweet this]
  • Diving into the deep end is the best way to learn. [tweet this]
  • Instead of being put into a box, create your own box. [tweet this]

Bob Dorf

  • If you sell band-aids, find bleeding people on the street. They won’t care about the branding. [tweet this]
  • There are no facts inside your office building. You have to get out and talk to your customers! [tweet this]
  • Without rampant enthusiasm from your customers, the odds are overwhelming you are going to fail. [tweet this]
  • Business plans belong in the creative writing department, not the business development department. [tweet this]
  • Always be innovating. [tweet this]

Michael Trafton

  • Culture is the personality of your company. Most companies have a split personality. [tweet this]
  • If you don’t design your culture, your employees will do it for you. [tweet this]

Jason Cohen

  • When what you are testing for is rare, the results are overwhelmingly wrong. [tweet this]
  • Crowds are useful in objectivity, and destructive in creativity. [tweet this]
  • Test theories, not headlines. [tweet this]

Peldi Guilizzoni

  • Surround yourself with excellence. Make yourself the dumbest person in the room. [tweet this]
  • Be a good citizen. If you don’t want people to screw with you, don’t screw with them. [tweet this]
  • Laws are like features – easy to add, hard to take away. [tweet this]

Noah Kagan

  • Marketing is only good if your product doesn’t suck. [tweet this]
  • You’ll make the most money when you don’t focus on money. [tweet this]
  • It doesn’t take a lot to be exceptional, because the bar is so low. [tweet this]

Do you have a favorite startup quote? Share it with us in the comments.

The Motivation Behind Malware
Posted on by Beau AdkinsCategories Light Point Web, Security, Web SecurityLeave a comment on The Motivation Behind Malware

Money from malwareLast night I came across a sobering article from Brian Krebs of KrebsOnSecurity. The article talked about a specific crimeware author that is advertising that he is in the market to buy fresh new browser exploits, but the article had much more information than just that.

The Value of an Exploit Kit

For some background, a crimeware gang has written an exploit kit named Blackhole. Its purpose is to exploit vulnerabilities in web browsers to install a malware payload on victims’ computers. The Blackhole kit itself doesn’t much care what the payload is. Instead, the author of Blackhole will lease his creation to others, and let them supply the malware.

Think about it like a delivery service. If I have a new piece of malware that I want installed on lots of computers around the world, I could pay to have Blackhole deliver it for me. Blackhole doesn’t need to know anything about what it is delivering, its job is only to get it delivered (yes, exactly like Jason Statham in The Transporter).

What is amazing about this is how much it costs to lease Blackhole. A three month license is $700, and a yearly license is $1,500. The creators will even provide hosting for you for $200/week or $500/month.

But that’s not all. The authors of Blackhole have built something even better, a second kit called the Cool Exploit Kit. From the article, it seems like the authors’ newest (and therefore most valuable) exploits are reserved for the Cool Exploit Kit. Only after an exploit becomes known is it moved to Blackhole. Access to the elite Cool Exploit Kit runs $10,000/month!

Additionally, the authors put out a statement that they want to buy more new exploits for browsers and browser plug-ins. They announced that they have set aside an initial budget of $100,000 to buy exploits and vulnerability proof-of-concepts. They stated that they are only interested in purchasing exploits that have not been published and that they will not release this information to the public either. Therefore, the targeted software will remain unpatched indefinitely.

The Motivation Behind Malware

There is only one reason why someone would spend that kind of money to get malware delivered – because it will pay for itself. The article showed that one specific cybergang’s income from just one flavor of ransomware was almost $400,000 a month.

This shows a very dangerous combination of facts. Getting malware onto a victim’s computer is worth a lot of money, so people will pay handsomely for new exploits to make that happen. This makes exploits worth a lot of money, so people will be motivated to continue creating them.

Our Mission

All of this reinforces our motivation here at Light Point Security. The web is now the most common way for malware authors to infect a victim’s computer. Unfortunately, in many cases, such as with the Cool Exploit Kit, cybercriminals use unpublished vulnerabilities in browsers and browser plugins to infect a victim’s computer with malware. By the time the vulnerability is discovered and fixed by the good guys, it is too late. The bad guys have infected tons of computers, and have moved on to the next vulnerability.

We are building Light Point Web to stop not some, not most, but all of these types of exploits – even the ones that have not been made public.

Light Point Security to Present at the CyberMaryland 2012 Conference
Posted on by Beau AdkinsCategories Events, Light Point Security Update, Light Point Web, SecurityLeave a comment on Light Point Security to Present at the CyberMaryland 2012 Conference

CyberMaryland 2012 conference

We are pleased to announce that we have been selected to present our technology at the CyberMaryland 2012 conference.

What Is CyberMaryland?

CyberMaryland is a cybersecurity conference held in Baltimore, MD for technology companies, business leaders, emerging professionals, policy makers, business innovators, entrepreneurs and federal, state, and local government personnel. The two-day conference features training sessions, an industry showcase, a live cyber challenge, and the Cyber Security Hall of Fame Induction Dinner. Not to mention networking!

The conference tracks are:

  • Cyber Innovation Track showcases future of cybersecurity products, new solutions, evolving technology, venture capital and rising stars.
  • Cyber Business Opportunities Track helps cybersecurity providers understand emerging growth opportunities, budgets, spending priorities, product requirements and specific government customer requirements.
  • Cyber Generation Track topics focus on preparing the next generation of cyber professionals, career preparedness and clearances, and talent development.

What Will Light Point Security Present?

We have been selected to demonstrate our product, Light Point Web, as part of their industry showcase session. We will have 45 minutes to give a presentation and demo of our technology to cybersecurity experts and enthusiasts. We will discuss some of Light Point Web’s newest features, and talk about how Light Point Web fits into a corporate environment. We will end the presentation with a five to ten minute live demo of Light Point Web.

We are pleased to have been selected for this honor, and we’re looking forward to the conference in general.

I hope some of you will join us at CyberMaryland!

Black Hat 2012 After Parties and Events
Posted on by Zuly GonzalezCategories Events, SecurityLeave a comment on Black Hat 2012 After Parties and Events

Black Hat USA wouldn’t be Black Hat USA without the after parties and free drinks. Here’s a list of the parties and other events being held at this year’s Black Hat.

After Parties

Solera Networks Blue Martini Party: Enjoy food, drinks, and challenge the Shadow Bar dancers to find out how low you can go.

When: July 25, 7:30pm-9:30pm
Where: Shadow Bar, Caesars Palace

Stonesoft Portal Party: Enjoy games, food and drinks, and great prizes.

When: July 25, 7:30pm
Where: Pisa Room, Caesars Palace

Mandiant M After Dark: Join Mandiant for an evening at the Shadow Bar in Caesars Palace.

When: July 24, 7:00pm-9:00pm
Where: Shadow Bar, Caesars Palace

Qualys Private Reception and Ultra Lounge: An evening of cocktails and fine cuisine, and networking with your peers. Special Guest Speaker: Howard Schmidt, Former White House Cybersecurity Coordinator

Private Reception: July 25, 7:30pm-9:00pm
Qualys Ultra Lounge: July 25, at 10:00pm-1:00am
Where: HYDE Bellagio

Life’s a Breach Party: Join Rapid7, FireMon and LogRhythm for some fun during Black Hat.

When: July 25th, 9:00pm-2:00am
Where: Rain Nightclub, The Palms Resort & Casino

RSA and NetWitness Party: Stop by booth #201 for your wrist band.

When: July 25, 8:00pm
Where: The Oak Nightclub, Mirage Hotel

PURE Party: Hosted by Accuvant LABS, Palo Alto Networks and WhiteHat Security. Featuring live music by DJ Paul Oakenfold.

When: July 25, 9:00pm-1:00am
Where: PURE Nightclub, Caesars Palace

The All In Party: Infosec networking reception and party.

The Reception: July 26, 9:00pm-12:00am
The Party: July 26, 12:00am-6:00am
Where: The Absolut Suite, Caesars Palace

FishNet Security Party: Join FireMon, Sourcefire, LogRhythm and Radware for drinks.

When: July 25, 8:00pm-12:00am
Where: The Beatles Revolution Lounge, Mirage Hotel

Other Events

Networking with Mandiant: Enjoy brunch, and meet-up with other Black Hat attendees and Mandiant folks.

When: July 25, 11:30am-2:00pm
Where: Trevi Room, Caesars Palace (adjacent to the exhibit hall, Octavius Ballroom)

Practical Malware Analysis Book Signing with Michael Sikorski & Andrew Honig: The first 25 people each day receive a free copy of the book. Be one of the first five people in line on Wednesday, July 25th and win an invitation to a very special VIP dinner with the author of Practical Malware Analysis, Michael Sikorski.

When: July 25 & 26, 1:00pm-2:00pm
Where: Trevi Room, Caesars Palace (adjacent to the exhibit hall, Octavius Ballroom)

If you are aware of other Black Hat parties being held this week, let us know in the comments. Do you plan on attending any of these events? If so, which ones?

Light Point Web Now Supports PDFs and Office Formats
Posted on by Beau AdkinsCategories Light Point Security Update, Light Point Web, Security, Web SecurityLeave a comment on Light Point Web Now Supports PDFs and Office Formats

Light Point Web Malware ProtectionUPDATE: The document viewing functionality in Light Point Web has been updated and no longer works as described in this article. For the most up to date information on Light Point Web, please check out our Remote Browser Isolation page.

Recently, we released an update to our servers that allow our users to view many popular document types through our Remote Browser, Light Point Web. To accomplish this, we are using the Google Docs Viewer. The Google Docs Viewer is a nifty little service from Google that can turn documents into normal webpages.

This addition will greatly enhance the security offered by Light Point Web. Previously, if a user of Light Point Web clicked on a link to a PDF file, the user would see our plugin screen. In order to view the document, the user would click the plugin screen, which would cause the user’s real browser to download and display the PDF file.

Light Point Web Plugin Screen
The Light Point Web Plugin Screen

While this functionality gave our users the ability to view PDFs and other files, it also exposed their computers to any malware that may have been hiding within that document since it required bypassing our security. PDF files can be very dangerous, as it is easy to embed malware within them. With this recent update, our users can now easily view documents without downloading them, which means these types of attacks will no longer be effective on our users.

How to Use the New Viewer

The new plugin viewer works automatically. Now, when you click a link to a supported file, such as a PDF, you will be sent to the Google Docs Viewer for that file. This gives you the ability to read the file without it ever touching your computer. At the top of each page there is a link under the “File” menu item to download the original file. Clicking that link takes you to the old plugin screen, which gives you the ability to open the file in your real browser, if you decide to.

Light Point Web Google Docs Viewer
Light Point Web with the Google Docs Viewer

What File Formats Are Supported?

There are quite a few file types supported by the Google Docs Viewer. Here is the full list. A quick rundown of the most common file types are:

  • Microsoft Word (.doc, .docx)
  • Microsoft Excel (.xls, .xlsx)
  • Microsoft PowerPoint (.ppt, .pptx)
  • Adobe PDF (.pdf)
  • PostScript (.eps, .ps)
  • Archives (.zip, .rar)

If you are interested in learning more about Light Point Web, please contact us for a demo.

Apps for Security Hackathon in DC
Posted on by Zuly GonzalezCategories Events, SecurityLeave a comment on Apps for Security Hackathon in DC

Apps for Security Hackathon

SINET and SAIC are hosting an Apps for Security hackathon in conjunction with the Amphion Forum in Washington, DC on June 27th from 9:00 AM to 6:00 PM. The goal of Apps for Security is to promote civic engagement, open innovation, and entrepreneurship while making us all safer and more secure in cyberspace.

They’ll spend the day building privacy and security enhancing apps leveraging the data, SDK, and APIs offered up by their data providers: Mocana, SAIC, and the Department of Homeland Security Science & Technology Directorate.

Regardless of skills or interest, they’re encouraging participation from people and organizations who would like to make a difference in privacy and security online. If you have ideas for creating a safer internet through open data, collaborative innovation, and a dash of entrepreneurship, then consider participating. And, if you have a prototype or proof of concept you’d like to work on at Apps for Security, bring the code and invite others to work with you on it.

Schedule
9:00am-10:00am    Welcome, Introductions, & Motivation
10:00am-11:30pm    Ideation: Unconference style workshops to flesh out ideas
11:30pm-5:00pm    Coding, Designing, Innovating
5:00pm-6:00pm    App Demonstration & Recognition of Achievements

Registration is free and you can register on their Eventbrite page.

Windows Live and Hotmail Account Upgrade Email Phishing Scam
Posted on by Zuly GonzalezCategories Security, Web SecurityLeave a comment on Windows Live and Hotmail Account Upgrade Email Phishing Scam

There’s a Windows Live and Hotmail email phishing scam going around. The email attempts to trick victims into disclosing their Windows Live credentials and other personal information by claiming that a Trojan has been detected in the user’s Windows Live folders. The fraudulent email claims that the personal information is needed to upgrade the user’s email account with a 1024-bit RSA key anti-virus firewall, and that if the user does not comply, their email account will be terminated.

Windows Live and Hotmail Email Phishing Scam: Account Upgrade!!(Verify Now)

This phishing email claims to come from the Windows Live™ team. However, the email address associated with the account is lbhughes100@msn.com – not exactly an email address I would expect to see from an official Windows Live communication. The subject line of the email is “Account Upgrade!!(Verify Now)”. Note the missing space between the second exclamation mark and the open parenthesis. That mistake was made by the spammers; it’s not a typo on my part.

The email reads as follows:

From: Windows Live™ TEAM (lbhughes100@msn.com)
Subject: Account Upgrade!!(Verify Now)

Dear Windows Live customer,

Windows Live™ MSN is faster, safer than ever before and filled with new ways to stay in touch. Storage space that grows with you means you shouldn’t have to worry about deleting your e-mail, and the new calendar makes it easy to share your schedule with family and friends. Due to increased spam and phishing activities globally, a DGTFX trojan virus has been detected in your windows live folders. Your email account will be upgraded with our new secure 1024-bit RSA key anti-virus firewall to prevent damage to our email servers and to your important files. Click your reply tab, fill the columns below and send back to us or your email account will be terminated to avoid spread of the virus.

* User Name:……………………………………..

* Password:……………………………………….

* Confirm Password:……………………………

* Year of Birth:…………………………………..

* Country Or Territory:………………………..

Note that your password will be encrypted with 1024-bit RSA keys for your password safety.

If you use Hotmail, MSN or Live! you’re using Windows Live. Your Hotmail address and password gives you access to the full suite of Windows Live services so you can stay connected with the people and things that matter to you online. Plan your next event, write a blog, create a discussion group, even get updates from other websites you use. – “Your Life, Your Stuff, All Together at Windows Live.” we wish to serve you better…

This Account Update will Improve our services to you.

You can access your Hotmail, Messenger and SkyDrive faster directly from your phone or phone’s web browser. For more info, see Get mail on your phone, Get Messenger on your phone, and Get SkyDrive on your phone. We remain focused on making Hotmail, Messenger, SkyDrive and your Windows PC the best that they can be. Note that this change has no impact on your ability to access Hotmail, Messenger, and Skydrive. Thanks for your understanding and patience as we update our services. Sincerely,

The Windows Live Team

Microsoft respects your privacy. To learn more, please read our online Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

There are six links in this phishing email. Two of the links point to home.live.com. The other four links point to URLs in the form of microsoft.windowslive.com/Key-*.

How to Identify a Phishing Email?

There are a few telltale signs that this is a phishing scam.

  1. It asks for personal information. No legitimate company, including Microsoft, will ever ask you for personal information via email. That includes your username, password and date of birth. This is the biggest red flag.
  2. It contains poor grammar, misspellings and looks unprofessional. If you receive an email claiming to be from a large enterprise, like Microsoft, with grammatical mistakes and misspellings, you can be sure it did not really originate from them. Large companies ensure that their emails look professional. In the case of this Windows Live phishing email, the subject line and from field are enough to give it away. Note the double exclamation marks and missing space in the subject line. Also note that the word ‘team’ in the from field is written in all capital letters. You don’t even need to click on the email to know it’s a scam.
  3. The sender’s email address is unprofessional. First, it’s from an MSN account, which anyone on the Internet can get for free, instead of from an official Microsoft domain. Second, the first part of the email address is ‘lbhughes100’, again very unprofessional looking (and suspicious).
  4. There is a sense of urgency. This pressures you into feeling like you need to take action right away, and do not have the time to research the legitimacy of it.

How to Protect Yourself From Phishing Emails?

Here are a few things you can do to protect your identity, and personal information, and avoid becoming a victim of phishing email scams.

  • If you receive an email message claiming to be from Hotmail, MSN or Windows Live, with the subject line Account Upgrade!!(Verify Now), or similar, do not open it and delete it immediately.
  • If you mistakenly open the email message, don’t click on any links in the email or download any attachments, and delete it right away.
  • To report spam, Hotmail users should click the “Junk” button. Non-Hotmail users should send an email to report_spam@hotmail.com, report_spam@msn.com or report_spam@live.com (depending on the originating mail domain: hotmail or msn or live), and attach a copy of the spam email.
  • Spread the word. Spammers get away with this because most people aren’t aware of these threats, so tell your friends by sharing a link to this post, or any other post on the topic.
  • Read and follow the most important steps for internet security to protect your computer from cybercrimes.

Have you received a similar email?

How Facebook’s Pay to Highlight Feature Can Lead to Scams
Posted on by Zuly GonzalezCategories Security, Web SecurityLeave a comment on How Facebook’s Pay to Highlight Feature Can Lead to Scams

Facebook Pay to Highlight FeatureAccording to TechCrunch, Facebook is testing a new feature. One which I believe will only increase the already huge number of scams and malware present on the social networking site.

The new feature would allow users to pay to “highlight” their status updates in their friends’ news feeds.

Facebook spokeswoman Mia Garlick said, “We’re constantly testing new features across the site. This particular test is simply to gauge people’s interest in this method of sharing with their friends.”

Facebook is getting desperate. Their revenue is declining as a result of more users accessing it via their mobile devices, which do not display ads. Their IPO was a complete failure, and will lead to several lawsuits. I don’t blame them for looking at new ways to monetize their platform. However, what they are doing with these “highlighted” status updates is dangerous.

How Does Facebook’s Highlight Feature Work?

Currently the Highlight option is only being tested with a small sample group of users. And, it is only available for personal accounts, not brand pages. If you are part of the test sample group, when you post an update on Facebook you’ll see the Highlight option next to the Like and comment buttons. Clicking on Highlight will display the message below – giving you the option to highlight (spam?) your update in your friends’ news feeds.

Facebook Pay to Highlight Status Feature

“Highlight an Important Post. Make sure friends see this.”

Highlighted posts may appear higher in the news feed, stay visible for longer, and appear to more friends and subscribers. However, they won’t have any visual indicators that will make them standout (i.e. you won’t know which posts have been paid for, and which haven’t).

Facebook is testing various price points for Highlight, ranging from free to $1 to $2.

How Can Facebook Highlight Lead to Scams?

The Highlight option is a bad idea. It will only lead to more spam, scams and malware on Facebook, and trust me, there is already plenty of it on the social networking site.

Highlighted Posts Are Not Highlighted!

Really? Facebook wants to introduce advertisements into users’ news feeds without identifying them as such? Nothing good can come of this.

Right now Facebook’s algorithm displays your average status update to only 12% of your FB friends. But, by paying a couple of dollars you can ensure that more of your friends see your posts. This seems harmless until you think about the kind of posts people would pay to expose to more users.

People aren’t going to pay to tell their old high school classmates they’re watching the Kardashians, or cleaning dog puke off the carpet. They will, however, pay a nominal fee to advertise their blog or share their affiliate links. Anything were they think they can make their $1 or $2 investment back is fair game.

Now that we have an idea of the kind of posts that will likely be highlighted, let’s consider the fact that these highlighted posts won’t standout, but instead will blend in with the rest of the posts. Not only is this a shady business practice, but even worse, it will lead to an increase in spam as spammers learn to abuse it – not exactly great user experience.

The idea that the Highlight feature will only be available to personal accounts, not business pages, doesn’t make the spam argument any less real. The fact is, scammers are already creating fake Facebook profiles to get away with a host of malicious activities on Facebook; ranging from survey scams to more dangerous deeds like spreading malware.

Facebook Charging Scams Galore

There was a well-known Facebook scam going around tricking users into believing that Facebook would start charging. Those that were tricked into “liking” these scammy Facebook pages became targets of spam and other scams by these perpetrators.

Even after Facebook publicly announced they would not charge users to use their service, many still fell victim to the scam. Imagine how much easier it would be to con users if Facebook did start charging to highlight status updates. If implemented, the Highlight feature would open the door for scammers to explore new twists on the old favorite, Facebook Will Start Charging Scam, and also increase their success rate by creating confusion around a known Facebook feature.

What’s Next for Facebook Highlight?

Facebook hasn’t released many details about the Highlight feature. It’s still too early to tell whether it will ever come to fruition, or how it will evolve. However, based on the information we have so far, implementing it will only serve to degrade the user experience on Facebook. Let’s hope this one goes the way of the dodo.

It’s worth noting that Facebook recently implemented a similar feature, which they are calling Promoted posts, for brand pages. However, Facebook has yet to implement the Highlight feature for personal accounts.

What do you think of the Highlight feature? Would you pay to highlight your posts?

Light Point Web 2.0 Released
Posted on by Beau AdkinsCategories Light Point Security Update, Light Point Web, Security, Web SecurityLeave a comment on Light Point Web 2.0 Released

Light Point Web Malware ProtectionUPDATE: The scrolling functionality in Light Point Web has been updated and no longer works as described in this article. For the most up to date information on Light Point Web, please check out our Remote Browser Isolation page.

Light Point Security has just released Light Point Web 2.0. The 2.0 release was basically the completion of the scrolling work started in the 1.2 update. Where 1.2 added client-side scrolling, 2.0 provides scroll-caching. Additionally, there were some client-side bug fixes to correct issues with the newest versions of Firefox.

If you are a current user, log in to lightpointweb.com to download the new installer.

What Is Scroll Caching?

As described in the 1.2 release post, when we added client-side scrolling, the user could now get instant scrolling feedback. The drawback, however, was that the user would simply see white for parts of the page that were just scrolling into view, but that the server had not yet told the client how to draw.

With scroll caching, the client software now sees much more of the webpage than the user can see in the browser. This lets the user instantly see the new parts of the page that are scrolling into view, without having to wait for an update from the server.

This change goes a long way towards making Light Point Web as seamless as can be. However, you may notice that some elements of some webpages behave differently. Some websites contain what are known as “fixed-position elements”. This means that if you scroll the page, these elements stay where they are. For example, the top-bar on Twitter.

Because we scroll the page as if its just a solid image, these fixed-position elements get scrolled as well. However, the server will quickly readjust, and correct your view. This is similar to how some smartphone and tablet browsers show fixed-position elements.

If you would like to try Light Point Web, contact us for a demo and free trial.

Twitter Now Supports Do Not Track Privacy Feature
Posted on by Zuly GonzalezCategories Security, Web SecurityLeave a comment on Twitter Now Supports Do Not Track Privacy Feature

Twitter Do Not TrackTwitter announced that it now supports the Do Not Track privacy feature in web browsers.

We commend Twitter for taking a step towards protecting their users’ privacy. In contrast to Twitter, other social networking sites collect and share as much of their users’ personal information as they can get their hands on. Some have also been making it increasingly hard for their users to figure out where the privacy controls are and what they mean *cough* Facebook *cough*.

However, it’s not just social networking sites – most major websites track their visitors’ behavior and then sell or provide that information to other companies. Websites, advertisers and others use tracking to learn about your web browsing behavior, including what sites you visit, things you like, dislike and purchase.

What Is Do Not Track?

Do Not Track is a privacy feature introduced by Mozilla and Stanford researchers that users can set in their web browsers. When Do Not Track is enabled, your browser will tell advertising networks and other websites and applications that you want to opt-out of tracking. It does this by transmitting a Do Not Track HTTP header every time your data is requested from the web.

The downside to Do Not Track is that websites are not obligated to honor it. Some websites have agreed to honor it, while other websites have decided not to, and simply ignore the request. Only websites that have agreed to honor the setting will automatically stop tracking your behavior.

The Do Not Track feature is supported by Firefox 5+, Internet Explorer 9+, and Safari 5.1+.

How to Enable Do Not Track in Firefox

Turning on the Do Not Track option in Firefox is easy.

  1. In your Firefox browser click on Tools > Options.
  2. Go to the Privacy tab.
  3. Check “Tell websites I do not want to be tracked” under Tracking.

Do Not Track Firefox Privacy Feature

Why Does Twitter Track My Browsing Activities?

Twitter collects data about what websites you visit in order to tailor personalized suggestions of who to follow based on your interests. It is in Twitter’s interest to encourage you to follow as many interesting people as possible. This keeps you coming back.

In Twitter’s own words:

We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets). Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites.

How to Disable Twitter Tailored Suggestions

In addition to enabling the Do Not Track feature in your web browser, you can also tell Twitter you do not want to enable Tailored Suggestions on your account. Doing so will also stop Twitter from collecting data about the websites you visit. The difference between the two is that by enabling Do Not Track in your browser you are telling all websites that honor the request to stop tracking you. Disabling the Tailored Suggestions in your Twitter account only stops Twitter from tracking your behavior.

To disable the personalized Tailored Suggestions in your Twitter account, do the following:

  1. Login to Twitter.
  2. Go to the Settings page. You can get to the Settings page by clicking the drop down arrow located in the Twitter header.Twitter settings page
  3. Scroll down to Personalization, and uncheck “Tailor Twitter based on my recent website visits”.

Twitter Personalization Tailored Suggestions

Do Not Track Limitations

The Do Not Track browser setting is a nice feature, and I’d like to see it gain more traction. However, since honoring the request is strictly voluntary, it’s very limited in its effectiveness. As you can see from the official list of companies that honor it, the current list is extremely small.

If you are serious about protecting your privacy you should add other tools to your toolbox. Obviously I’m biased, but I would recommend you try our browser plugin, Light Point Web. With Light Point Web, no website will be able to track you across multiple sessions, because we force it by deleting all tracking cookies. Light Point Web also offers other benefits, like true malware protection. If you are interested, we offer a 30 day free trial, and signing up only takes a few seconds (no credit card required).

What do you think of Twitter’s move to honor the Do Not Track preference? Does it make you trust Twitter more? What other companies would you like to see supporting Do Not Track? Have you enabled Do Not Track in your browser?

58 Best Startup Quotes From MicroConf 2012 Day 2
Posted on by Zuly GonzalezCategories Events, Startups2 Comments on 58 Best Startup Quotes From MicroConf 2012 Day 2

These are the 58 best quotes from day 2 of MicroConf 2012 as tweeted by the attendees. MicroConf is a conference hosted by Rob Walling and Mike Taber focused on self-funded startups and single founder software companies. The speakers were Patrick McKenzie, Amy Hoy, Adii Pienaar, Dave Collins, Sarah Hatter, and Bill Bither. I also compiled a list of the best quotes from day 1 of MicroConf 2012.

Dave Collins – Software Promotions

Presentation: Google AdWords: Stop Losing & Start Exploiting (Really)

Bill Bither – Atalasoft

Presentation: How I Bootstrapped and Sold My Software Company By Maxing Out My Credit Cards

Sarah Hatter – CoSupport

Presentation: Cheap and Easy Customer Support

Amy Hoy – Freckle & UnicornFree.com

Presentation: If You Don’t Like Drunk Frat Boys, Don’t Open an Irish Pub… & Other Uncommon Ways to Rock

http://twitter.com/thatsbyme/status/197450226183839744

Adii Pienaar – Woothemes.com

Presentation: From Idea to 7 Figures in 2 years: The Story of Woothemes

Patrick McKenzie – Bingo Card Creator

Presentation: How to Engineer Marketing Success

If you made it this far, you’ll also enjoy the best quotes from MicroConf 2012 day 1 and the 48 best quotes from the Business of Software 2011.

MicroConf 2012 Day 1 Summary
Posted on by Zuly GonzalezCategories Events, StartupsLeave a comment on MicroConf 2012 Day 1 Summary

This is a summary of MicroConf 2012 day 1 as shared on Twitter by the attendees. MicroConf is a conference hosted by Rob Walling and Mike Taber focused on self-funded startups and single founder software companies. The speakers were Jason Cohen, Hiten Shah, Rob Walling, Peldi, Mike Taber, and Dan Martell. I hope you enjoy the insightful quotes from the speakers as much as I did.

If you like this, you will also enjoy reading the best quotes from day 2 of MicroConf 2012.

Jason Cohen – A Smart Bear & WP Engine

Presentation: Naked Business: How honesty makes you more money

“Brutal honesty is a differentiator in a world of common marketing lies.”

“Most websites lie.”

“Canon camera’s experiment: the more reviews (good or bad) you get, the more your sales go up.”

“When you buy a cheaper product people expect less, they’re okay with the differences.”

“Instead of a competitive analysis chart, list the things you’re great for, and not great for.”

“Proactive honesty: Truth in limitations earns you believability in advantages.”

“Copy the inspiration, not the content, of someone doing proactive honesty right.”

On beating the big guys: “When you’re trialling software, our tech support is a part of what you should trial.”

“Micropreneurs must use their advantages: All-in ability to take risks, speed, creative solutions and no legacy code.”

“Lying doesn’t help. It comes back to hurt your credibility. Why lie about your life’s work?”

“‘Be honest’ is everywhere, but rare. What people say isn’t what people do.”

Hiten Shah – CrazyEgg & KISSmetrics

Presentation: More Lessons I’ve Learned as a Serial Entrepreneur

http://twitter.com/#!/juneavila/status/197022616672935936

“Your success requires focus. When you focus, magic happens.”

http://twitter.com/#!/derrickreimer/status/197022924522270721

“Focus on metrics that matter. Vanity metrics will kill your business.”

http://twitter.com/#!/patio11/status/197023108799008768

“Don’t optimize for pageviews. 10k to 20k uniques a month can generate millions in revenue.”

http://twitter.com/#!/JasPanesar/status/197024396651659264

“Making money as a consultant doesn’t mean you’re furthering your life as an entrepreneur.”

http://twitter.com/#!/GrayAndy/status/197025457248546816

“Magic doesn’t just happen: you make your own luck.”

http://twitter.com/#!/JasPanesar/status/197025613545078784

“Marry the problem, not the solution.”

http://twitter.com/#!/dchurchville/status/197025501330681856

“Not focusing on customers means needing a magic combination of events to succeed.”

http://twitter.com/#!/JasPanesar/status/197027101617045505

“Don’t prove that your hypothesis is right, prove that it’s wrong.”

http://twitter.com/#!/JasPanesar/status/197028727392178176

“Understand: Who are your customers? Where do they hang out? How should you engage? What are their problems?”

http://twitter.com/#!/newfoo/status/197032265765765121

“There are MANY more ways to reach your customers than Twitter, FB and email.”

http://twitter.com/#!/JasPanesar/status/197032406505627649

“When you start getting bored, start analyzing the data and find the pain patterns to solve.”

http://twitter.com/#!/genejo/status/197033284474126336

“To be a successful entrepreneur you have to embrace the roller coaster, ask the right questions, and FOCUS.”

http://twitter.com/#!/derrickreimer/status/197032438835318785

“Frame your questions to potential customers around the problem, not the solution.”

http://twitter.com/#!/JasPanesar/status/197032092226433025

“The right growth hacker will have a burning desire to connect your target market with your must have solution.”

Rob Walling – SoftwareByRob.com & Start Small, Stay Small

Presentation: How to Be Profitable

http://twitter.com/#!/patio11/status/197061532289478657

“You can’t build a product with an LTV of $2…unless it’s an iPhone app.”

http://twitter.com/#!/andrewangus/status/197062986244960257

“Pushing failure into the future just costs you more money before you fail.”

http://twitter.com/#!/PatrickFoley/status/197063021628108801

“Hanging on longer to avoid failure does not equal success.”

http://twitter.com/#!/derrickreimer/status/197064045545787393

“Never try to build two products at once.”

http://twitter.com/#!/derrickreimer/status/197066034023383040

“Fulfilling demand is easier than creating it (educating the market).”

http://twitter.com/#!/dchurchville/status/197067765838905344

“Asking ‘What is your customer acquisition cost?’ is like asking ‘How much do you weigh?'”

http://twitter.com/#!/DavidYKay/status/197069267307466754

“If you know your competitor’s Lifetime Value (LTV) and Cost Per Acquisition (CPA) numbers, you can destroy them.”

http://twitter.com/#!/jackfoundation/status/197063427045343233

“Failure is not the end point.”

http://twitter.com/#!/PatrickFoley/status/197067113511403520

“Inbound marketing means finding places people search for stuff: Amazon, app stores, even Craigslist.”

http://twitter.com/#!/JasPanesar/status/197072969053384704

“Restructure your pricing based on the value your customers receive.”

http://twitter.com/#!/JasPanesar/status/197074057294909440

“What else can you offer your customers? If it’s hard to do, it might be valuable to them.”

http://twitter.com/#!/derrickreimer/status/197073650602614785

“Increase your LTV by 1) increasing retention, 2) increasing prices, and 3) selling more to existing customers.”

http://twitter.com/#!/JasPanesar/status/197074589837307904

“Increase upsells through: Support, Upgrades, Add-on Modules/Integrations, Added Services.”

http://twitter.com/#!/JasPanesar/status/197075674014564352

“Before raising prices, grandfather in existing customers plus market on your website for 2 weeks that prices are going up.”

Peldi Guilizzoni – Balsamiq

Presentation: Ask Me Anything

http://twitter.com/#!/JasPanesar/status/197081120628678656

“Give your software character, make it immediately recognizable.”

http://twitter.com/#!/JasPanesar/status/197081464720998400

“Feedback and community building is really important in the beginning.”

http://twitter.com/#!/icesar/status/197083098750533632

When to hire? Wait until you wake up sweating. ‘If I don’t hire someone today, I’m going to die.'”

http://twitter.com/#!/JasPanesar/status/197084216629010432

“Welcome your competitors to the race, everyone loves a horse race, and it cements you as the leader.”

http://twitter.com/#!/JasPanesar/status/197084992080326656

“Your job is to go to your team every morning and asking ‘What do you need?'”

http://twitter.com/#!/JasPanesar/status/197086251705319425

“Competing on features is very 90’s. Don’t compete on features.”

http://twitter.com/#!/DavidYKay/status/197088359854772224

“As the founder, you’re the generalist. Hire specialists to tackle the hard stuff and let them run.”

http://twitter.com/#!/lonroth/status/197088131516870656

“The main reason for doing all of this is to continue learning.”

Mike Taber – SingleFounder.com

Presentation: Losers Have Goals, Winners Have Systems

http://twitter.com/#!/mhmazur/status/197096971159347201

“My philosophy is that losers have goals and winners have systems.” – Scott Adams

http://twitter.com/#!/mhmazur/status/197098366381981697

“Pipeline most of your business using systems. Use goals to measure and correct those systems.”

http://twitter.com/#!/mhmazur/status/197100063812620288

“Set aside one full day each week to do marketing tasks.”

http://twitter.com/#!/mhmazur/status/197100434400354304

“By putting it on paper, you’re asking people to make an upfront commitment to say ‘Yes, I will pay for that.'”

Dan Martell – Clarity.fm

Presentation: Growth Hacking

http://twitter.com/#!/mhmazur/status/197104012120698880

“Am I working on my most meaningful and impactful stuff?”

http://twitter.com/#!/jackfoundation/status/197105535265411072

“Often Wrong. Never in Doubt.”

http://twitter.com/#!/mhmazur/status/197105859212488705

“What am I building, and do my customers actually care?”

http://twitter.com/#!/DavidYKay/status/197106545119608832

“If a customer says, “I got busy, but I’ll check out your product tomorrow.” It really means you didn’t truly solve their problem.”

http://twitter.com/#!/DavidYKay/status/197107122629120001

“If you can flatline at 15% weekly retention, you’re doing something good.”

http://twitter.com/#!/hnshah/status/197107574854782976

“Other People’s Networks (OPN) are networks you can leverage for growth.”

http://twitter.com/#!/jackfoundation/status/197111543350046720

“When you want to succeed as much as you want to breathe, you will have success.”

How to Botch a Security Vulnerability Discovery – WooThemes Case Study
Posted on by Zuly GonzalezCategories Case Study, Security, Web Security11 Comments on How to Botch a Security Vulnerability Discovery – WooThemes Case Study

Yesterday, Jason Gill disclosed a bug in the WooThemes WooFramework that allows any website visitor to run and see the output of any shortcode.

WooThemes is a popular WordPress theme maker that is used by thousands of websites. If you have a website powered by WooThemes, please update to the latest version right away.

This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php] which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.

It would be trivial to identify common insecure shortcodes and then attempt them against common WooThemes to attempt to run malicious code on the remote server.”

Jason goes on to say:

This is only “half” of the equation. I have already seen numerous hosting accounts compromised via a more malicious form of this attack which I have not published. In fact, finding a number of sites running WooThemes all compromised in the past 4 days via the contents of shortcode-generator/ lead me to take a quick look through the code to try to find the attack vector and I found this.

The response from the WooThemes folks to this security vulnerability was less than stellar. This is a case study into the mistakes made by WooThemes during this incident that should hopefully serve as a model for what not to do.

WooThemes Case Study

Mistake #1: Not providing a clear way to be contacted

Faceplant

After Jason disclosed this security vulnerability many people chastised him for doing so publicly, instead of privately contacting WooThemes. And while I agree with those sentiments, Jason points out that he searched for a security notice email address and didn’t find one. He added, “Even as a paying customer the only way to get support is via their public forum.”

In all fairness to WooThemes, I found this post providing customers with the techsupport@woothemes.com and support@woothemes.com email addresses. They also seem to be very responsive via their Twitter account. So, although maybe not ideal forms of reporting a security vulnerability, there were ways to contact them privately to at least initiate the discussion. Now, I don’t know if Jason attempted these options first, and simply received no response.

In any event, the point is that although the above support email addresses are available, WooThemes must not have presented them in a way that a person smart enough to discover a security vulnerability could find. This should have been clearly spelled out on their website.

Mistake #2: Quietly releasing a patch to a security vulnerability

This is by far the most egregious mistake. According to the WooThemes folks, they had already fixed the bug and released an update by the time Jason publicly disclosed it.

However, it appears that they neglected to announce this new update to their customers, which meant that many of them continued to use the vulnerable version. I found no mention of the update or details about the security vulnerability on the WooThemes blog. And they apparently neglected to alert their customers via email as well.

What’s the point of patching a security bug if you don’t inform your customers? If they are unaware of the need to update they are unlikely to do so. That helps no one.

Jason points to a single tweet made at 5:30am by WooThemes as the only announcement made to customers about the need to update. “We found a minor vulnerability in the WooFramework, which we’ve just fixed. Please update to the latest version ASAP!” However, that tweet pre-dates the date WooThemes claims the patch for this security bug was released. So, it’s highly unlikely that tweet was related to this security patch.

[blackbirdpie url=”https://twitter.com/#!/woothemes/status/192545687051829248″]

I don’t know why they neglected to inform customers about this. Maybe it was a simple oversight. Maybe it was intentional in the hopes that no one would notice. I don’t know. But the reason doesn’t really matter. What matters is that it happened, and the impression it gives current and potential customers about their security practices.

Mistake #3: Relying on their broken auto-updater

FaceplantThere’s no excuse for not alerting their existing customers of this security patch. However, their excuse seems to be that they rely on their auto-updater to push the updates to their customers. This is a flawed idea.

First of all, this requires their customers to 1) happen to log in to WordPress, and 2) care enough to install the update right away. This puts all the burden on their customers. This procedure may be fine for non-security related updates, but for critical security patches a business needs to be more proactive.

In fairness, usually it is the end user’s responsibility to install software updates. However, reputable businesses will inform their customers, as well as the general public, when a security update is released, what security issue it is fixing, and the severity of the vulnerability.

If people are unaware what the update is for, there is no urgency. Software updates sometimes break existing functionality. Therefore, unless it’s security related, there are those that don’t install updates right away.

“Additionally, even if the issue is patched, my link above still works – which means that the patch clearly isn’t working or hasn’t been applied to WooThemes own servers.”

Secondly, it just so happened that their auto-updater was broken during this time, and was not properly pushing out the updates. So, even if you did log in to WordPress (and usually install non-critical updates in a timely fashion) you would not have seen this update available.

The Perfect Storm

All of these mistakes combined, plus the fact that WooThemes’ servers have been under a DDoS attack for over twelve hours now is making for a very unpleasant time for the WooThemes folks.

The good news is that this has surely been such a trying time for them that they are unlikely to repeat these mistakes again. That means:

  1. Having a clear way for people to privately report security vulnerabilities.
  2. Promptly informing their customers when a security patch is available.
  3. Ensuring their updates are available to all customers.

Jason sums it up well:

The moral of this story is: WooThemes is a great company and makes a great product, but they have grown to the point where security needs to be a real concern. A proper channel to alert them of these issues, along with prompt and honest email notifications of updates to their customers (free and paid), and a publicly-accessible security/updates site (a la RedHat’s RHSA system) are all long overdue. This isn’t just a jab at WooThemes either – a review of almost any paid or free theme will surely come up with many issues like this.

What security lessons have you learned from your mistakes?

Tax Scam Uses Popular Education Credit to Trick Victims
Posted on by Zuly GonzalezCategories SecurityLeave a comment on Tax Scam Uses Popular Education Credit to Trick Victims

IRS logoThe IRS announced that it is actively investigating a tax scam seen in recent weeks related to the filing of tax returns claiming fraudulent refunds.

The scammers claim they can obtain for the victims a tax refund based on the American Opportunity Tax Credit, even if the victim was not enrolled in college. The scammers claim that refunds are available even if the victim went to school decades ago. There is also a variation of this scheme that claims the college credit is available to compensate people for paying taxes on groceries.

The scam promises refunds to people who have little or no income, and normally don’t have a tax filing requirement. They are targeting senior citizens, people with very low incomes and church members.

This scam ends up being expensive for the victims since the scammers charge exorbitant upfront fees to file these claims and are often long gone when victims discover they’ve been scammed. In addition, the victims must repay the IRS any refunds they received as a result of the fraudulent claim.

To avoid becoming a victim of this tax scam, the IRS says to look out for the following warning signs:

  • Claims of refunds based on false statements of entitlement to tax credits.
  • Unfamiliar for-profit tax services selling refund and credit schemes.
  • Internet solicitations that direct individuals to toll-free numbers and then solicit social security numbers.
  • Homemade flyers and brochures implying credits or refunds are available without proof of eligibility.
  • Offers of free money with no documentation required.
  • Promises of refunds for “Low Income – No Documents Tax Returns.”
  • Claims for the expired Economic Recovery Credit Program or for economic stimulus payments.
  • Unsolicited offers to prepare a return and split the refund.
  • Unfamiliar return preparation firms soliciting business from cities outside of the normal business or commuting area.
What Bootstrapped Startups Can Learn From Rick Santorum
Posted on by Zuly GonzalezCategories Case Study, StartupsLeave a comment on What Bootstrapped Startups Can Learn From Rick Santorum
U.S. Capitol building inauguration
Image credit: Alex Barth

Oftentimes we look to other startups’ successes and failures as a roadmap for our own ventures. While that’s a smart strategy, I think much can also be learned from outside the startup scene – something we rarely consider. This is an unconventional case study that looks outside of startups to gather useful lessons learned.

Politics aside, Rick Santorum’s recent rise in popularity has been a great feat, and one that deserves a closer analysis. There are three important lessons for bootstrapped startups in Santorum’s story.

Background

As recently as Dec 20, 2011, a Real Clear Politics average had Rick Santorum polling at 8.6% as the likely 2012 GOP nominee. And previous polls rarely had Santorum breaking the double digits mark, if ever. Fourteen days later, on Jan 3, 2012, Rick Santorum placed second in the 2012 GOP Iowa caucus with 24.5% of the votes. He came in second place to the long standing frontrunner by only 8 votes. It was touted as a major accomplishment for Santorum by many.

So, what happened? How did Santorum accomplish this? And what can bootstrapped startups learn from him? Let’s take a closer look.

Case Study: Rick Santorum

Lesson #1: Money Isn’t Everything

In the weeks leading up to the 2012 GOP Iowa caucus, the candidates spent millions of dollars in TV advertisements – a total of about $9.7 million.

Out of that $9.7 million, Rick Santorum spent the least on TV ads, coming in at a little less than $22,000. Compare that to Rick Perry, who alone spent over $4.5 million (and only received 10% of the votes). And even when you take into account money spent by external sources (i.e. not the candidates’ own pocket), Santorum’s total dollar amount spent on TV ads is second to last.

So, clearly, having lots of money at your disposal is not a recipe for success. Money helps, no doubt about it, but money without proper execution won’t get you very far. You need to convert that money into traffic, paying customers, and profit.

Let’s consider an example we’re probably all familiar with: Color.com.

Color raised $41 million pre-launch! That’s an astronomical amount of funding for such an early stage startup. Yet, by all accounts, they have been an absolute failure.

Why they failed is up for debate. There were probably several factors that led to their lackluster results, but why they failed isn’t important (at least not within the context of this blog post). The point is that they had $41 million at their disposal, and still failed.

Compare Color to Balsamiq, a bootstrapped startup that went from $0 to $2M in 27 months. Balsamiq’s success is a result of a great product, good customer service and hard work, which takes us to lesson #2.

Lesson #2: Hard Work Pays Off

Santorum proved that hard work pays off. Of all the 2012 candidates, Santorum spent the most amount of time on the ground in Iowa. He spent a total of 104 days in Iowa. He was one of only two candidates to visit all 99 counties in Iowa. He hosted 381 townhall meetings with the people of Iowa, and took the time to address concerns even if just a single person attended.

As a comparison, Rick Perry spent just 35 days in Iowa. And although he overspent his opponents in TV ads by several million dollars, he only secured 10% of the votes.

Rick Santorum worked hard, very hard, more than any other candidate did in Iowa, and he reaped the rewards.

Persistence and determination go hand in hand with hard work. Just a few days before the caucus, Santorum was polling in the single digits, and was written off by almost everyone. That has to be a demoralizing position to be in. Yet Santorum ignored the negativity and pushed ahead with a positive attitude. His perseverance paid off in a big way.

Patience is key, too. Those that give up easily at the first sign of trouble will never succeed. If it were easy, everyone would do it, right?

Lesson #3: Communicate With Your Audience

You must be a good communicator. You must effectively communicate your value proposition, and play up your strengths. You must be approachable, and willing to listen to your customers. Ask them questions, listen to their concerns, and show them how you can eliminate their pain.

But first, you need to know who your audience is. Who is your ideal customer? And who are you targeting your message to? This is an important first step that is often overlooked, and the answer isn’t always as obvious as we originally assume. If you can get this right, the rest will follow much easier.

Going back to Rick Santorum’s case study, Iowan demographics are well known. Evangelicals and social conservatives regularly make up more than 50% of GOP caucus goers. As a social conservative, Rick Santorum used that to his advantage in a big way.

Santorum spent a big portion of his time in Iowa talking about social issues. He built a cohesive message around social issues, and sold himself as a true social conservative. He compared himself to his competition, and properly explained how he was more of a social conservative than his opponents.

However, this wasn’t a one-way conversation. Santorum didn’t just plaster the airwaves with messages about his values. Instead, he made himself available to the people of Iowa, and discussed issues with them in person. He held 381 townhall meetings, and allowed them to ask him unrehearsed questions and push him for answers that made sense.

Lastly, Santorum garnered the support of key evangelical leaders in Iowa. These influential leaders spoke on his behalf, and steered many evangelicals towards him. Think of this as having testimonials on your sales website from industry leaders.

The End Result

These actions resulted in Santorum being 8 votes shy of first place in Iowa – a tremendous accomplishment for someone whose campaign was on life-support just weeks earlier.

That said, taking into account the volatility of this race, it’s likely Santorum’s popularity will fall – just like his opponents rose and then fell in popularity. I don’t think that makes his recent accomplishments any less admirable, but it is bonus lesson #4: Don’t fall asleep at the wheel.

Following Iowa, Santorum only spent 6 days on the ground in the following state’s primary (New Hampshire), which resulted in a fifth place placement for him. A somewhat recent startup example that comes to mind is Digg. Remember when everyone wanted to be on the front page of Digg?

Disclaimer: Light Point Security, LLC does not endorse Rick Santorum, or his political views. This is just an interesting story that has some lessons for bootstrapped startups.

Verizon Phishing Scam Email Alert
Posted on by Zuly GonzalezCategories Security, Web SecurityLeave a comment on Verizon Phishing Scam Email Alert

I came across a Verizon email warning customers about phishing scams, and decided to share it. I found it interesting since a lot of companies don’t take such proactive measures to warn their customers of the dangers of online scams. Most of the time these emails are sent after the fact – after a company is aware of an ongoing phishing scam. So here’s an attaboy to Verizon!

Below is the Verizon email, in its entirety.

Dear Verizon Customer:

At Verizon, we want to help you increase your awareness and safety online. We’re sending you and other customers this reminder about preventing your data from falling prey to phishing scams.

Simply being aware that phishing schemes may pop up at any time in your email inbox is probably the best way to avoid falling victim to them. Phishing scams involve an official-looking email, supposedly sent by a bank or other company you do business with, often claiming to alert you to a problem with your payment or financial account. The email may ask you to provide critical account information by replying to the email or clicking on embedded Web links which will take you to a Web site that may appear legitimate, but is actually a malicious Web site set up to steal your information.

Spotting a phishing email or a bogus Web site is not always easy. Sometimes, it contains obvious spelling or grammatical errors. In other cases, the errors are harder to spot and there are no visible signs of foul play.

Here is a recent example of a phishing attack:

Verizon Phishing Scam Example

To avoid getting hooked by such bogus emails, here are some tips to help safeguard your personal information:

  • Do not open suspicious emails. Look for misspellings, awkward requests or inconsistent grammar.
  • A Web site link included in an email can make getting to a Web site easy, but it can also be used to send you to a malicious Web site.
  • If you have doubts about the authenticity of an email, do not click on any links in the email – instead, type the Web site or Web page address into the ‘address bar’ of your browser.
  • Never type sensitive personal information, such as social security and/or driver license numbers or account numbers and/or passwords, in a reply email.
  • Use spam filters to block suspicious emails.
  • Use anti-virus and anti-malware software to automatically detect and eliminate malicious software.
  • The best practice when you find a phishing email is to either immediately delete it or report it to the company or organization being impersonated. Like Verizon’s abuse@verizon.net mailbox, many companies have set up an ‘abuse’ or ‘security’ mailbox to receive those reports and provide customer assistance.

Finally, in order to provide you with additional confidence in Verizon alert messages going forward, Verizon will be removing live ‘clickable’ links from any alert messages we send you regarding payment processing problems or credit card and/or bank account issues. You can continue to access and make changes to your account any time of the day or night at www.verizon.com.

Thank you for choosing Verizon.

Sincerely,

Verizon

How to Browse the Web Safe From Viruses for Free
Posted on by Beau AdkinsCategories Computer Security, Light Point Web, Resources, Security, Web SecurityLeave a comment on How to Browse the Web Safe From Viruses for Free

VirtualBoxToday, I’m going to walk you through the process of being able to browse the web in complete safety. The title of this post explicitly mentions “viruses”, but I’m using this as a more well-known moniker for the term “malware”. Malware is a more generic term which encompasses viruses, spyware, trojans, etc.

What I mean by “complete safety”, is that you do not have to worry about malware infecting your computer. It does not mean you are safe from being tricked into giving your banking passwords to a site that is only pretending to be your bank.

Step 1. Set up VirtualBox

The method I will be describing in this post relies on Virtual Machines for security. Think of a virtual machine as a fake computer inside your real computer. By using a virtual machine, you can perform tasks on a computer in a way that is completely isolated from your real computer. With this, you can browse the web inside the virtual machine, so that if you stumble on some malware, only the virtual machine will be infected. The virtual machine management software will also allow you to rollback all changes made to a virtual machine to a known state. Using these abilities correctly will allow you to browse in safety.

The first step is to install a virtual machine management software package, also known as a “hypervisor”. There are many different options for this, but I’m going to recommend VirtualBox. You can download and execute the installer from here. Just click the “VirtualBox x.x.x for Windows hosts” link (assuming you are using Windows). Once it is downloaded, just run the installer.

Step 2. Download Your Guest OS

Next, you will need an Operating System to use inside the Virtual Machine. You could install Windows as the Operating System, but you would need to buy a license. For a free alternative, I suggest installing Ubuntu. Ubuntu is a Linux-based Operating System. It is very high quality, and completely free.

When you download Ubuntu, you do not get an installer. Instead you get an “ISO” file. An ISO file is a bit-for-bit copy of a CD that you would use to install it on another computer. Its a rather large file. To start the download, go here and choose your version (either is fine). You need to remember where you download this file to.

Step 3. Set up Your Virtual Machine

Now that you have VirtualBox installed and an OS ISO file ready, you can create your first Virtual Machine. Start up VirtualBox (you probably have a shortcut on your desktop). Click the button at the top labeled “New”. Give your Virtual Machine a name, for example, “Browsing Machine”. Choose “Linux” as the Operating System, and the Version as “Ubuntu”.

Next, you need to select how much RAM to give this Virtual Machine. I would recommend 1 Gig at the least. Enter “1024” in the box labeled “MB”. This means 1024 Megabytes, which is equal to 1 Gigabyte. Note: you need to have more RAM than this on your computer. If you do not have more than a Gig of RAM on your computer, then unfortunately, you probably do not have system requirements to use virtual machines.

On the next screen, leave the default options (“Boot Hard Disk”, and “Create new hard disk”). Continue on to the “Hard Disk Storage Type” screen. Leave the default option of “Dynamically expanding storage”. On the next screen, leave the defaults in place and continue on.

VirtualBox SettingsOnce you get through all the options mentioned above, you will be returned to the main VirtualBox screen, but now you will see a new entry for your Virtual Machine in the pane on the left. Click on it to select it, and then click the “Settings” button at the top. In the settings dialog, select “Storage” in the left hand pane.

VirtualBox Settings Highlighted

In the center of the screen, click on the disk image labeled “Empty” under the “IDE Controller” entry. Next, on the right of the screen, click the disk icon next to the “CD/DVD Drive: IDE Secondary Master” entry, and in the popup, select “Choose a virtual CD/DVD disk file”. A file select dialog will appear. In this dialog, select the ISO file you downloaded in Step 2. Now click the “OK” button at the bottom of the settings dialog.

You are now back to the main VirtualBox screen again. You can now click the “Start” button at the top, to start your virtual machine. At this point a blank Virtual Machine will start, and it will begin the install process for your downloaded OS. It will ask you a lot of setup questions that I will not walk-through here.

When the Ubuntu setup process is finished it will tell you to eject the CD from the drive before continuing. Because this is a virtual machine attached to an ISO file, this is not possible. Ignore this, and keep going. You will see the virtual machine shut down, and then start up again. Once it has began starting again, click the “X” at the top right of the Virtual Machine’s window to close it. It will ask you how you want to close it. Choose “Power off the machine” and click “OK”. The virtual machine is now shut down.

VirtualBox Settings With ISO Mounted and Highlighted

Now that the virtual machine is off, we need to detach the ISO image we have set previously. Return to the settings screen, and on the left, select “Storage” as you had down previously. Next select the entry below the “IDE Controller” in the center. Finally, on the right, click the disk icon next to “CD/DVD Drive: IDE Secondary Master” and choose “Remove disk from virtual drive”. Finally, click “OK” at the bottom of the settings screen.

Step 4. Create a Restore Point

At this point, your Virtual Machine is a totally fresh install. You may want to take a moment to get the Virtual Machine customized to your liking. After you have done so, you should make a restore point, also called a “snap shot”. VirtualBox can use a snap shot to restore your virtual machine to a known state. For example, if you stumble upon an infected website, your virtual machine can become infected as well. But, you can then revert your virtual machine to its state from before the infection. It is like it never happened.

First, start your virtual machine using the “Start” button at the top of the VirtualBox window. Once your Virtual Machine starts, take a moment to do any one time customizations, such as installing a browser of your choice, upgrading software, etc. Once you are finished, shut the machine back down.

Back on the main VirtualBox window, on the upper right hand side of the screen, you will see an icon that looks like a camera, labeled “Snapshots”. Click this button to show you the snap shots. You will see an entry labled “Current State”. Just above it is another camera icon. Click it to take a snap shot. A dialog will appear that will ask for a name and description of this snap shot. Enter something useful meaningful to you, so you know what you have changed. Click “OK” to take the snap shot.

Once the snap shot is taken, you will see an entry with the name you choose for the snapshot, with a “Current State” entry below it. You now have your restore point.

Step 5. Browse the Web

You can now start your Virtual Machine and use it to browse the web whenever you want. The websites you visit in the virtual machine are isolated and separated from your actual computer. You may have some problems downloading files or printing things from within the virtual machine, so some tasks may have to be done on your real computer.

Step 6. Restore Your Snap Shot

Whenever you are done browsing, you should shutdown the virtual machine, and restore it to the snapshot created in step 4. The easiest way to do this is to simply click the “X” in the top right of the Virtual Machine to close the window. It will ask you how you want to close it. Choose “Power off the machine”, and check the box labeled “Restore current snapshot…”. This will turn off the Virtual Machine, and throw away all the changes you made since the snapshot was created.

Drawbacks of Using This Method

While this is an effective way to browse the web safely, it is not entirely painless. First off, using a virtual machine takes an enormous amount of resources. While the Virtual Machine is on, it will consume a large amount of memory, and maybe a lot of processing power.

Additionally, it can be frustrating to have your changes wiped out all the time. For example, if you add a bookmark to your browser, it will be lost when you revert.

It can also be annoying that it takes so much time to start the virtual machine. If you want to browse the web right now, waiting a minute or two for a virtual machine to start is painful.

Another Option

The method described above is basically the technology behind Light Point Web, except we do our best to shield you from the downsides just mentioned.

For example, we run the virtual machine on our computers, so your computer is not bogged down with it. We also integrate into your existing browser, so you are not prevented from changing settings in your browser or saving bookmarks.

Finally, our Virtual Machines are always running, so you do not need to wait for one to start when you are ready to browse.

If you are concerned about browser security, give this method a try. It is free, but it does take some time and effort. If you would rather someone else handle the work and headaches, give Light Point Web a try. We offer a free trial, so what do you have to lose?

Does Light Point Security Track Your Browsing? Absolutely Not!
Posted on by Zuly GonzalezCategories Computer Security, Light Point WebLeave a comment on Does Light Point Security Track Your Browsing? Absolutely Not!
No Red Sign
Image credit: net_efekt

No. Nope. N O.

We absolutely do not track our users’ activities online. In fact, that goes totally against what we stand for – to protect you while on the web.

I get this question a lot, so I’d like to clarify this in a blog post.

Some people I talk to don’t come right out and ask, but they do hint at it. The last such conversation I had was with a few male friends of mine. We were talking about Light Point Web, and as it often happens, it led to the topic of porn. We joked about how they could use Light Point Web to look at porn without getting viruses, but they quickly deflect it. As we continued to talk it became clear to me that they were afraid that Light Point Web would track their online activity, and that I would know they were looking at porn…something they didn’t want to happen.

What Does Light Point Web Track?

I want to be crystal clear, we do not track our users’ browsing activities. We make money by charging a subscription fee to use our service, not by selling your information.

We do, however, log one small thing. When a user attempts to connect to Light Point Web, our server will log the outcome of that attempt. This is the one and only time Light Point Web logs something.

During a connection attempt, the user’s computer will send the user’s username and password to the server.  One of three possible outcomes will be logged:

  1. If the server fails to read this information from the user, a parse error is logged, which will contain the user’s IP address.
  2. If there are no parse errors, the server can attempt to complete the connection. If this fails for any reason, this failure is logged with the user’s username and the reason for the failure. Examples include: incorrect username/password, no active subscription for the user, no available servers.
  3. The last possible outcome is a successful connection. In this case, we just log that a successful connection occurred with the user’s username.

Neither a user’s password, nor any browsing information is ever logged or exposed to human eyes.

Additionally, our user website, lightpointweb.com, will log unsuccessful log in attempts along with the username used, and IP address of the incoming connection. This is done to stop brute force password guessing attacks.

Why Log Connection Attempts?

The reason for logging this small bit of data is twofold.

  • Provide better customer support. If a customer contacts us with problems related to logging into his/her account, we can work to identify what the problem is, and fix it. And in general, it’s a way for us to detect if we are having critical failures on our end that need to be fixed right away.
  • Prevent unauthorized access to our service. By logging failed login attempts we can detect if someone is trying to brute force their way into fraudulently using our service. It’s also a way to detect Denial of Service attacks.

We Want to Protect You

We are here for you. We’re doing everything we can to protect you while on the web, and that includes your privacy.

You may not be aware of it, but every time you visit a website you are unknowingly trusting them with your privacy. You are trusting them not to track you. Unfortunately, many businesses make money by gathering, and sometimes selling, this data. Researchers at U.C. Berkeley recently discovered that popular websites like Hulu, Spotify, GigaOm, Etsy, and AOL’s About.me are using a tracking service that can’t be evaded – even when users block cookies, turn off storage in Flash, or use browsers’ incognito functions.

Not only does Light Point Web not track you, but it also prevents those other sites from tracking you.

I hope this clears up any privacy concerns about Light Point Web. If you have any unanswered questions, please contact us.

 

 

Managing Projects with Subversion and Trac: Free eBook
Posted on by Beau AdkinsCategories Business of Software, Events, Resources, Startups1 Comment on Managing Projects with Subversion and Trac: Free eBook
Beau Adkins Business of Software 2011
Image credit: Betsy Weber

Along with Zuly, I attended Business of Software (BoS2011) this year. This was my first time attending, and I have to say it was an intense 3 days; lots of learning and lots of networking. Although I had a good time and met a lot of really nice people, I’m glad to be back home programming. It was a bit draining for an introvert like myself.

Workshop sessions were held during BoS2011 by both speakers and attendees. Zuly held a workshop session with Ricardo Sanchez and Jason Cohen on Practicing Your Startup Pitch, which was well received.

I held a workshop on Managing Software Projects with Subversion and Trac. I designed the workshop so that it would be easy for novices to follow, but it also contains some advanced topics. I created a simple eBook for the workshop that walks you through step by step on setting up Subversion and Trac. You can download the Managing Software Projects with Subversion and Trac eBook for free.

If you download the eBook, I would love to hear what you think of it. Feel free to share your thoughts in the comments below, or contact me via email.

Business of Software 2011: 48 Tweetable Quotes
Posted on by Zuly GonzalezCategories Business of Software, Events, Startups3 Comments on Business of Software 2011: 48 Tweetable Quotes

This year I was fortunate enough to attend Business of Software (BoS2011) thanks to the kind folks at Stack Exchange. From time to time Stack Exchange sponsors community members to attend community related conferences. As an active participant on OnStartups Answers, I was selected to attend Business of Software this year, and I am very grateful for the opportunity.

Business of Software is a great conference, and I recommend anyone that can afford to do so, to attend. The speakers are excellent, and so is the networking. It’s an expensive conference, but well worth the cost. This year’s speaker lineup included Professor Clayton Christensen, Patrick McKenzie, Laura Fitton, Jason Cohen, and Alexis Ohanian.

I plan on summarizing a few of the presentations in future posts, but for now here are 48 tweetable quotes from the BoS2011 speakers.

Clayton Christensen

Clay Christensen Business of Software 2011
Image Credit: Betsy Weber

–    “Worry about the bottom when thinking about who can kill you.”
–    “Pick a fight where the giant is more motivated to flee than fight you.”
–    “The market to make something more affordable and simple is often times a bigger market.”
–    “A business unit is not designed to evolve.”
–    “The customer rarely buys what the company thinks it is selling him.” ~ Peter Drucker
–    “Help people do what they want to do even better.”
–    “Invest when you don’t need the results of the investment. Innovation is a long term investment.”

Jason Cohen

Jason Cohen Business of Software 2011
Image Credit: Betsy Weber

–    “Most people don’t do things that are difficult to do.”
–    “Honesty has to become a critical policy for every company on earth.” ~ Gary Vaynerchuk
–    “Honesty is big right now. See how we can spin that.” ~ Anderson cartoon
–    “My idea was to be as real and honest as possible.” ~ Howard Stern

Dharmesh Shah

Dharmesh Shah Business of Software 2011
Image Credit: © Software Promotions

–    “The purpose of your business is to create delighted customers.”
–    “High churn rates are scarier than clowns.”
–    “Don’t fall in love with your business model too early.”
–    “Pricing is hard. It’s very, very hard.” ~ Simester (MIT Professor)
–    “The price is always greener in your neighbor’s company.”
–    “Pricing is hard. Raising prices is even harder.”
–    “Assume customers are connected and united.”
–    “You want to get really good at choosing your customers.”
–    “You want the right features in both your product and your customers.”
–    “Strategic is code for we don’t have any data.”
–    “Not every insight needs to be counter-intuitive.”
–    “As code hackers we need to appreciate the value of business hackers.”
–    “Smart people will often get their asses kicked by other smart people that worked harder.”
–    “Generalists are great in the beginning. Specialists are great as you grow.”

Jeff Lawson

Jeff Lawson Business of Software 2011
Image Credit: Betsy Weber

–    “People are your customers.”
–    “Consumers are not rational. Businesses are rational.”
–    “Be proud and put a price on your SaaS.”
–    “Too many pricing options will result in lack of sales.”

Laura Fitton

Laura Fitton Business of Software 2011
Image Credit: © Software Promotions

–    Social media in two words: “Be useful.”
–    Social media in four words: “Listen. Learn. Care. Serve.”
–    “Make the customer the hero of your story.”
–    “Either do something worth writing, or write something worth doing.”
–    “Measure what matters.”
–    “You don’t just want a following. You want screaming, raging fans.”
–    “Use social media to solve a problem you are already spending time on.”
–    “You don’t get a prize for getting the most followers. You get a prize for growing your business.”

Josh Linkner

Josh Linkner Business of Software 2011
Image Credit: © Software Promotions

–    “Your job is to disrupt, or be disrupted.”
–    “Mistakes are the portals of discovery.”
–    “Being safe is the riskiest move of all.”
–    “From failures we learn. From successes we don’t.”

David Cancel

David Cancel Business of Software 2011
Image Credit: © Dirk Paessler

–    “Talking, reading and dreaming are worthless.”
–    “Data alone is useless.”
–    “Use data to validate your assumptions.”
–    “Optimize your business for learning, not data.”
–    “Always be testing.”
–    “We have a strategic plan. It’s doing things.”
–    “In God we trust. For the rest bring data.”

Also take a look at the top 11 tweetable quotes from last year’s Business of Software conference. And here’s a summary of BoS2010.

Did you attend BoS2011, or watch the live stream? If so, what were your favorite quotes? If not, do you have any other startup related quotes you’d like to share with us?

[Infographic] Twacked: When Good Twitter Accounts Go Bad
Posted on by Zuly GonzalezCategories Fun Friday, Security, Web SecurityLeave a comment on [Infographic] Twacked: When Good Twitter Accounts Go Bad

As Twitter’s user base grows so does the malicious activity on the social networking site. Malicious links spread easily on Twitter as a result of the widespread use of URL shortening services due to its 140 character limit.

In January 2010, Twitter banned 370 passwords for being too obvious, including 123456. As of July 2011, the list has grown to 401 banned passwords. Some of the latest hacked celebrity Twitter accounts include Lady Gaga, Ashton Kutcher, and Kim Kardashian. On September 10, 2011 the NBC News Twitter account was hacked and the perpetrators tweeted that ground zero had been attacked. On September 25, 2011 the USA Today account was hacked.

Veracode created this infographic that depicts some of these most recent high profile Twitter hacks.

Happy Friday, and enjoy!

Twitter Infographic

National Cyber Security Awareness Month Is Here
Posted on by Zuly GonzalezCategories Computer Security, Events, Resources, Security, Web SecurityLeave a comment on National Cyber Security Awareness Month Is Here

National Cybersecurity Awareness Month LogoOctober is National Cyber Security Awareness Month (NCAM). NCAM is sponsored by the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). October 2011 marks the eighth year NCAM has been organized.

Through a series of events across the country, National Cyber Security Awareness Month engages public and private sector partners to raise awareness and educate the public about cybersecurity. A listing of the events can be found here. They will also feature a different cybersecurity issue each week in October.

  • Week One: Emphasizes general cybersecurity awareness with events highlighting the Stop.Think.Connect. Campaign.
  • Week Two: Showcases the urgent need to develop cyber education programs to train the next generation cyber workforce.
  • Week Three: Focuses on national and local efforts to prevent identity theft and other cybercrimes.
  • Week Four: Highlights strategies small and medium sized business owners can use to bolster their own cybersecurity defenses.

We encourage everyone to become involved and participate in local NCAM events, but remember that Internet safety and security doesn’t end in October. You should practice Internet security all yearlong.

And what better way to kick off National Cyber Security Awareness Month than to sign-up for a free trial of Light Point Web, our malware protection software that lets you safely browse the web from the cloud.

Light Point Web 1.1 Released
Posted on by Beau AdkinsCategories Computer Security, Light Point Security Update, Light Point Web, Web SecurityLeave a comment on Light Point Web 1.1 Released

Light Point Web LogoUPDATE: The video streaming functionality in Light Point Web has been updated and no longer works as described in this article. For the most up to date information on Light Point Web, please check out our Remote Browser Isolation page.

Light Point Security has just released Light Point Web 1.1. While this version contains small usability related bug fixes, the main improvement is flash video playback.

Light Point Web 1.1 allows the user to view a flash video from a site they are viewing through Light Point Web. The flash video is played on the user’s local computer, not through Light Point Web. Because the flash video is played on the user’s computer, the user needs to be sure the video is trustworthy. While Light Point Web can’t protect your computer from a locally played video, at least we can give the user the ability to decide which videos can play and which ones can’t.

If you are a current user, just log back in to Light Point Web to download the new installer.

Known Problems

While this flash video functionality works for most sites, there are some sites and cases which still need work. In particular, YouTube videos do not play. We are working to identify the problems and fix them.

What’s Next?

While the video viewing solution should work for any embedded media, it will not work for non-embedded media, such as pdf files. We will be working to extend this functionality to non-embedded media in the near future.

If you would like to try Light Point Web, contact us for a free trial.

Events to Attend While at Black Hat USA 2011
Posted on by Zuly GonzalezCategories Computer Security, Events, SecurityLeave a comment on Events to Attend While at Black Hat USA 2011

Black Hat USA 2011 LogoThere are usually a lot of events scheduled the week of the Black Hat conference. I’ll be attending some of these events, and I encourage you to attend some as well. This is a list of after parties and Black Hat sponsored special events that will keep you busy all week.

Black Hat After Parties

MANDIANT Reception: Enjoy an assortment of hors d’oeuvres and drinks while getting the opportunity to chat with some of MANDIANT’s instructors and executives.

When: Aug 3, 8:00 p.m. – 10:00 p.m
Where: Shadow Bar Inside Caesar’s Palace

Rock-It To The Moon Party: Sponsored by Rapid7, EWF, FireMon, NitroSecurity and Veracode. Come for Dual Core, DJ, open bar and dessert.

When: Aug 3, 9:00pm – 2:00am
Where: Moon Nightclub at the Palms Fantasy Tower, 52nd Floor

FireMon and FishNet Security Party: Drinks, appetizers and some Salsa Dancing. Bring your business card to be entered into the raffle.

When: Aug 3, 9pm – 12am
Where: The Rhumbar at the Mirage

ModSecurity Happy Hour: A relaxed, social setting where you can meet the ModSecurity Project Team and other ModSecurity users face-to-face.  Anyone who uses or contributes to the project should stop by for some drinks and food.

When: Aug 3, 4pm – 6pm
Where: MunchBar at the Caesars Palace

EWF Meet & Greet: Network with your peers and enjoy a few drinks. Learn more about the Executive Women’s Forum and our Cyber Security School Challenge.

When: Aug 2, 6:00pm-8:30pm
Where: Caesar’s Palace – Pisa Room

SecurityTwits Meetup: This is a cash bar event. There will not be a guest list/sign-up process. Just show up. If there is room, you’ll get in.

When: 8:00pm till whenever
Where: The Artisan Hotel in the bar/pool area

Qualys Reception: Honoring their customers in a private reception of cocktails and fine cuisine.

When: Aug 3, 7:30pm
Where: Yellowtail Restaurant at the Bellagio

The Qualys & Dell SecureWorks Party: Enjoy a night of entertainment, cocktails & dancing. Open bar available from 10pm to 2am.

When: August 3, 10pm – 2am
Where: The Bank nightclub at the Bellagio

Absolute Madness: Sponsored by MAD Security, Core Security, NitroSecurity, and RedSeal Systems.

Where: Caesars Palace Suite

nCircle Party: Another after party.

When: Aug 3, 7:30pm
Where: Caesars Palace

NetWitness Party: Yet another after party.

When: Aug 3, 8pm – 12am
Where: Jet nightclub at the Mirage

Cisco Party: The registration site for the Cisco Customer Social Event at PURE Nightclub is now closed. If you would like to register for the event, visit Cisco in booth #305.

When: Aug 3, 8pm – 12am
Where: PURE Nightclub at Caesars Palace

Black Hat Special Events

Black Hat Arsenal: This year Black Hat will be offering a tool/demo area for independent researchers and the open source community to showcase their work and answer questions from conference attendees. This is not an exhibit space for big enterprise sized companies. You can find a description of the demos on the Black Hat website. And below is the schedule.

When: Aug 3-4, 10:00-18:00
Where: Caesars Palace: 4th Floor Promenade

Day 1

Black Hat Arsenal Day 1 Schedule

Day 2

Black Hat Arsenal Day 2 Schedule

Black Hat Circuit: The Black Hat Circuit will feature themed rooms from key exhibitors; offering conference delegates a venue to continue their technology conversations and networking activities. Participating Circuit sponsors will be providing food and drinks, along with opportunities to win prizes.

When: Aug 3, 19:00-22:00
Where: Caesars Palace: 3rd Floor

Hacker Court: Go behind the scenes with the Hacker Court team to discover what goes into preparing for a computer crime trial. This year, the Hacker Court team takes you behind the scenes to discuss just how much work is involved in preparing for a computer crime trial. This panel will discuss the lifecycle of prosecuting and defending against a computer crime charge: what constitutes a computer crime, how it affects businesses, how computer crime is detected and investigated, how a case is prepared and finally the theater known as Court.

When: Aug 3, 18:00-19:30

Pwnie Awards: The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of the security community over the past year. The award categories are:

  • Pwnie for Best Server-Side Bug
  • Pwnie for Best Client-Side Bug
  • Pwnie for Best Privilege Escalation Bug
  • Pwnie for Most Innovative Research
  • Pwnie for Lamest Vendor Response
  • Pwnie for Best Song
  • Pwnie for Most Epic FAIL
  • Pwnie for Lifetime Achievement
  • Pwnie for Epic Ownage

When: Aug 3, 18:15-19:30

Black Hat Store: Get Black Hat branded merchandise like t-shirts, jackets, mugs, barware, lab coats and more.

When: Aug 2 – 15:00-21:00, Aug 3-4 – 08:00-18:00
Where: Caesars Palace: Emperor’s Ballroom

This is by no means an exhaustive list. If you are aware of other events planned for the week that I have not listed, let us know in the comments. Do you plan on attending any of these events? If so, which ones?

 

FOSE 2011 Government IT Conference – My Thoughts
Posted on by Zuly GonzalezCategories Events, Opinion, SecurityLeave a comment on FOSE 2011 Government IT Conference – My Thoughts

FOSE Government IT Conference logoI attended the 2011 FOSE Conference and Exposition, which was held July 19 – 21 at the Walter E. Washington Convention Center in Washington DC. This is a summary of my overall experience.

What Is FOSE?

FOSE is a government Information Technology event hosted in DC every year that features IT products and services, and provides education on the latest IT trends. FOSE brings together federal, state, and local governments with industry partners to share experiences and evaluate new solutions.

FOSE offers a free exposition, as well as a paid conference portion. At the free expo there were over 250 vendors demonstrating their latest products and services. In addition to the vendor exposition, the conference portion also included educational tracks and conference-only keynotes. The four conference educational tracks were:

  • Cybersecurity, Network Defense, and Information Assurance: Strategies and technologies for protecting government information systems and the data that moves across them.
  • Information Management and Collaboration: Ways that new tools and approaches are improving enterprise-wide and federated decision making.
  • Next-Generation Infrastructure Strategies: Infrastructure strategies from desktop virtualization to cloud computing and everything in between.
  • Enabling the Mobile Government Workforce: Harnessing mobile web apps, social media and emerging wireless technologies for more effective government.

I attended the cybersecurity track. The two conference keynotes were:

  • Operation Trident Breach- Lessons Learned from FBI Global Cyber Crime Arrests: Representatives from the FBI, Metropolitan Police in the UK, Cyber Crime officials from the Netherlands and the Ukrainian Security Service explained their multi-year Zeus malware investigation which led to the arrest of over 100 criminals in the United States, United Kingdom, Moldova and the Ukraine on a variety of cyber related, money laundering, fraudulent passports and identify theft crimes. Additionally, they presented Open Source intelligence techniques used in investigating the network of financial crime based on the Zeus trojan.
  • The Federal IT Agenda in 2012: This presentation provided perspectives and insights to fellow CIOs, CISOs, and IT/Network managers in government about the direction of cyber security, data center consolidation and the move to cloud computing within agencies and what lessons there are to be learned.

My Thoughts on FOSE 2011

Zuly Gonzalez at FOSE 2011 Government IT ConferenceThe Good

From the conference tracks, to the keynote presentations, to the vendor exhibits, there was a lot going on at FOSE – more than one person could do at any given time.

I was impressed by the quality of some of the free sessions at FOSE. They offered four free keynote presentations, free workshops, free education sessions, and free vendor exhibits. I didn’t attend all of the free sessions since I registered for the paid conference talks, but of the ones I attended, most were fairly good. For instance, Steve Wozniak, co-founder of Apple, was one of the free keynote speakers this year. Steve talked about fostering creativity and innovation in any environment (including big enterprises), and shared his view on the revolution under way in mobile computing. It’s not everyday that you get to hear someone of that caliber speak in person. Other keynote speakers included General James E. Cartwright, Vice Chairman of the Joint Chiefs of Staff, and Dr. David McQueeney, Vice President of Software at IBM Research.

Of the paid conference sessions, some were really good, and some were just OK. I really enjoyed the Operation Trident Breach presentation where law enforcement officials discussed their multi-year Zeus malware investigation that led them to organized crime around the world. They discussed how Zeus was propagated, and how they used Facebook to identify some of the criminals.

Another interesting presentation was Mitigating the Next Stuxnet. In this presentation they discussed the history of the Stuxnet worm, how Stuxnet could have been mitigated, and steps the government can take to prevent cyber attacks of this magnitude.

I’ll summarize these presentations in future blog posts.

The Bad

The thing that stood out the most for me was how unorganized the event was. I wasn’t given any information when I registered other than where to go to pick up the agenda. When I did ask the onsite personnel a question, they weren’t able to help me. They were nice, and tried to be helpful, but for some reason even the onsite personnel were left in the dark. It turned out that registration was in one place, the agenda was handed out at a different place, and the conference swag was handed out at a third place. Now why these three things couldn’t have been handled in one place, I don’t know, but I do know it was a stupid way to set things up, especially when the attendees aren’t even told that this is the process.

One other minor, though understandable, annoyance was that every time I went into one of the conference talks, there was someone there policing the entrance and checking for badges. I understand the need to do this, but it was a bit annoying. It’s akin to having to show your receipt when leaving Wal-Mart.

Conclusion

Despite these issues I would consider attending the free expo portion next year. For one, since I have experience with the event now, I’ll be better prepared for next year. Second, it’s always interesting to see what new products and solutions are available, especially in the cybersecurity arena. Plus the expo is free, so there’s not a whole lot to lose, although parking in DC can get expensive (you could pay as much as $75 in parking for the 3 days). Lastly, in addition to the vendor booths at the expo, FOSE also offers free educational workshops and free keynote talks.

Will I attend the paid conference portion next year? I don’t know. It’ll depend on the topics and speakers.

FOSE Resources

I plan on summarizing a couple of the FOSE talks in future blog posts, but for the time being, take a look at these links.

Some of the FOSE talks were recorded, including Steve Wozniak’s keynote. You can view them here.

Did you attend FOSE? Have you attended in previous years? What did you think of it? What was your favorite part? Will you consider attending FOSE next year?

Why Antivirus Isn’t Enough
Posted on by Beau AdkinsCategories Computer Security, Light Point Web, Security, Web SecurityLeave a comment on Why Antivirus Isn’t Enough

Computer SecurityI have come to realize recently that almost all computer security products (including antivirus) are what I call “detection-based.” The problem though is that when (not if) the filter is wrong, the user’s security is compromised.

What Is Detection-Based Security?

A detection-based security product is any security product which roots its security in the premise that it can filter all the bad things that might happen away from the non-bad things. So for anything that a user tries to do, the security product first attempts to decide if that thing is bad. If it’s bad, the product will stop that thing from happening. Thus, the effectiveness of the product is totally dependent on the accuracy of the filter.

For example, antivirus software maintains a huge list of malware signatures that is used as it’s filter. Any time a process tries to run, or a file gets saved to your disk, the antivirus will compare it to all its known signatures. If a match is found, it must be bad, and the antivirus will stop it. This is why antivirus products are always downloading new signatures, and why out-of-date antivirus is not very effective.

Personal firewalls work in a similar way, except the filter list is mostly curated by the user. If an unknown program attempts to access the internet, the firewall will just ask the user if its OK or not. In this case, the correctness of the filter list is in the hands of the user.

In the realm of web browsing security, the technology is similar. One approach is used by very popular tools such as Web Of Trust (or WOT) and Google’s Safe Browsing. These products maintain a huge list of known websites, along with a trustworthiness score for each one. In WOT’s case, the trustworthiness scores are decided directly by its users. If one user says a certain website is bad, then that site’s score is lowered for all the users of WOT. In the case of Google’s Safe Browsing, the trustworthiness is decided by Google. In both cases, if a user tries to go to a site, the tool first determines the site’s trustworthiness, and if it is too low, the tool will try to stop the user from visiting the site.

The other tactic used in web browsing security is taken by NoScript. The makers of NoScript realize it is the scripting present in a webpage that poses the most danger to a user. For any website a user attempts to visit, the HTML will be fetched and rendered, but scripts will only run if a user has granted permission. By default NoScript will stop all scripts, and a user must manually build a list of trusted scripts. There are 2 related problems with this. First, scripting is heavily relied on these days for most of a website’s functionality. If the scripts are blocked, the sites just don’t work. The second problem is that it is too hard for a user to correctly decide if a script should be allowed or not.

What Alternative Is There?

A popular alternative is using a Virtual Machine. For web browsing, a lot of advanced users will create a virtual machine that they can use to browse the web. The advantage of doing this is two-fold. First, the dangerous task of web browsing is moved off of their real computer. Second, and equally as important, is that virtual machines allow the user to revert all the changes made to the machine to a known good state.

The virtual machine approach is very safe, but also very tedious. For one, starting a virtual machine can take a few minutes. When you are finished, you must then revert all your changes, which can also take a while. In addition, virtual machines take up a lot of resources, usually at least 1 Gigabyte of RAM. This can slow down your whole computer while it is active. The workflow goes like this:

  • A user decides to browse the web.
  • Wait a couple minutes while the virtual machine starts.
  • Browse the web.
  • Wait a minute while the virtual machine shuts down and reverts changes.
  • In addition, the user needs to keep their virtual machine up-to-date.

This is a good approach, but it is not for everyone. Light Point Web, our Remote Browser Isolation product, was created to give all users access to this level of safety, but without any of the tedium.

Light Point Security’s Approach

Light Point Security is a pioneer in Browser Isolation – an alternative to detection-based security. We believe that building a filter that can identify all the bad operations and to be right 100% of the time is simply impossible. Our approach to security is to move all potentially dangerous activities off of the user’s computer. By doing this, it doesn’t matter if something is good or bad. We can run it in a controlled environment that can be restored to a pristine state whenever we want.

Light Point Web lets you browse the web from our computers instead of yours. Using this approach, it is like each time you browse the web, you do it from a brand new computer that has never been used before, and when you are finished, you throw the computer away, never to be used again. If you think about it like this, it doesn’t matter how bad the sites are that you visit.

If you are interested in learning more about Light Point Web, please contact us here.

Light Point Web 1.0 Officially Released
Posted on by Beau AdkinsCategories Light Point Security Update, Light Point Web, StartupsLeave a comment on Light Point Web 1.0 Officially Released

Light Point Web LogoLight Point Security has released Light Point Web 1.0. Light Point Web gives users safe browsing, private browsing and anonymous browsing. No other product on the market can protect a user from web-based malware as thoroughly as our Remote Browser Isolation solution, Light Point Web.

What’s Next for Light Point Web?

Now that we have a version 1.0 product, and all supporting infrastructure in place, all our efforts will switch to getting the word out. This will be the hard part, as we have never ran marketing campaigns before.

It’s going to be a long, hard road, but we are excited about it, and can’t wait to see how well we can do.

If you would like to try Light Point Web, contact us for a demo and free trial.

Why Startups Require Passion
Posted on by Beau AdkinsCategories Light Point Web, Startups1 Comment on Why Startups Require Passion

The Emotional Rollercoaster of StartupsAsk anyone who has launched a startup before, and they will tell you it is the most violent emotional roller-coaster they have ever ridden. At times you will feel like you are on top of the world, and the next day feel completely doomed. It is probably the most terrifying thing I have ever done. If its so rough, why do it? I think the answer is passion.

Why Do You Need Passion

Like I said, launching a startup is rough. The low points are so bad, you need something to pull you through. This is also the best reason to have a co-founder to go through it with you. The low points are not as bad when you have someone there to talk you through it. Misery loves company I guess.

But I don’t think a good co-founder is enough. You need passion. If you are working on something you are barely interested in, just because you think it can make you rich, it’s just a matter of time before you give up. At some point, you are gonna hit a low point, and you are gonna just walk away.

An Example: The First Prototype of Light Point Web

I spent close to a year building Light Point Web, and it worked. I felt great. At one point I started doing some benchmarking of its performance, and I realized it would never be able to scale to a significant number of users. Panic set in. I was crushed. I tried and tried to fix it, but the technology was just too slow. Without passion, I would have given up for sure.

Instead, I searched for a new technology to build Light Point Web on. I found a solution that would fix the scaling problem, but the technology was never designed to be used like I needed it to. I worked and worked on adapting it to be usable in Light Point Web, and after a year, I had finally gotten back to where I was. There was no way anyone without passion could have put in that kind of work, when all the info in my face was saying it can’t be done.

How Do You Know If You Have Passion

In the past, most of my low points centered on getting the technology to work. These days, they are centered on wondering if people will actually buy it. A couple weeks ago, I was thinking about this problem, and what would happen if not enough people bought it for us to stay in business. The most obvious answer would be to just shut it down and move on to something else. But then I realized that Light Point Web solves a real problem in my life. There is no safer way to browse the web. I would rather just run it for myself than stop entirely. And I think that is a good way to define passion. Even if no one else in the world wanted it, would you keep at it, just for yourself.

An Added Benefit of Passion

When I realized that I would keep Light Point Web going, even if just for myself, it made me think that if I can be passionate about an idea, there is a better chance that other people will too. On the other hand, if you can’t get passionate about an idea, why would anyone else?

What do you think? Do you agree that you need passion, or do you think it will cloud your judgment in making the correct business decisions? Leave a comment below.

The Single Most Effective Way to Stop Malware
Posted on by Beau AdkinsCategories Computer Security, Security3 Comments on The Single Most Effective Way to Stop Malware

routerIn this article, I am going to tell you the single most effective thing you can do to keep your home computer free of viruses and other malware. Its very simple; something you only have to do once and never think of it again. Most likely you are already doing it.

So without any more suspense, the single most effective thing you can do to keep malware off of your computer is…use a router.

How Does Using a Router Keep Me Safe?

The explanation of how this a router keeps you safe gets a little technical, but I’ll try to make it as simple as I can.

To start, let me first explain what happens when you don’t have a router. This means whatever hardware is used to give you internet access (cable modem, dsl modem, etc) is plugged directly into your computer. When your computer connects to the internet (like when you initiate a dial-up connection for those who are still using dial-up, or just when your computer turns on for people with always on internet like cable and dsl), your Internet Service Provider (ISP) will give you an IP address. This IP address is like a house address for your computer. Any other computer on the internet can send packets of data to that address. Also, the format of an IP address is just 4 numbers between 0 and 255, so someone can easily guess a valid address, even if they don’t know who it belongs to.

The problem is that people commonly find flaws in the software running on computers. Once a flaw is found, unscrupulous people elsewhere on the internet will create software to exploit these flaws to allow them to infect the computer running it with malware. Once they have created this software, they turn it loose on the internet. It will then start exhaustively guessing IP addresses, and attempt to exploit whatever computer is at that IP address. So if one of these spreading programs guesses your IP address while you are running this flawed software, you are toast. The attackers now can do whatever they want with your computer. You didn’t even have to be using the computer. Just by turning your computer on you are exposing it to constant attacks.

How Does a Router Change Things?

Now, here is how the picture changes if you have a router. When you connect to the internet now, the IP address that your ISP gives you is taken by the router, not your computer. Instead, now the router will give your computer another IP address. However, the IP address given out by routers is in a range that is considered “unroutable”. It means the only computers that can send your computer information are other computers behind your router.

If an attackers malware spreading program tries to send you malware now, it goes to the router, and the router just ignores it.

If You Don’t Have a Router, Get One!

In the beginning of this article, I said you are probably already using a router. These days most people are. If you have Wi-Fi in your house, its from a router. If you have multiple computers in your home with internet, its probably from a router. I believe Verizon FIOS service comes with a router.

Sometimes You Can’t Use a Router

For people with dial-up, as far as I know, you can’t use a router. This connection is initiated directly from your computer, and I don’t know of a way to get a router to do this, but I haven’t really looked for it.

For people who are running servers on the internet, a router doesn’t really work. The point of a server is to accept connections from other computers, so a router would defeat the purpose. If you want to run a server in your home though, some routers will offer port forwarding capabilities. This lets you say that you allow some of this incoming traffic to be forwarded right to your computer. This can expose you to the some of the traffic you were trying to avoid in the first place, so be sure you know what you are doing if you do this.

Taking It to the Next Level

If you are looking to take things to the next level, for an added layer of security, look into Remote Browser Isolation. Remote Browser Isolation technology provides protection from all web-based malware.

This is what I think is the first step to computer security. Do you have something else that you consider more important/effective? Or do you agree with me? I welcome feedback in the comments.

NSA Recommendations for RSA SecurID Users After Cyber Intrusion
Posted on by Zuly GonzalezCategories Computer Security, Resources, Security8 Comments on NSA Recommendations for RSA SecurID Users After Cyber Intrusion

The National Security Agency (NSA) SignOn March 17, 2011, RSA announced that it had been the victim of a cyber intrusion, and as a result, information related to its SecurID product – a two-factor authentication device – had been compromised. According to RSA, the compromise does not lead to a direct attack on SecurID, but it does decrease its effectiveness.

In reaction to the RSA cyber intrusion, The National Security Agency (NSA) released Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion. This advisory expands on the information previously released by NSA via Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion, and provides additional guidance on:

  • The use of SecurID hard tokens and soft tokens
  • Fortifying the security profile of SecurID’s authentication factors
  • Measures to harden SecurID’s Authentication Manager

Here is a summary of NSA’s recommendations for SecurID customers.

The Use of SecurID Hard Tokens and Soft Tokens

RSA is exploring remediation strategies and best practices for its customers. However, implementation of these strategies may take some time. Customers should continue to work with RSA to develop short-term and long-term mitigations. Options include:

  • Continued use of hard tokens: In some circumstances, the risk of continued use of hard tokens may be deemed minimal.
  • Replacing hard tokens with soft tokens: For this option, an application is installed to generate a one-time password.

Fortifying the Authentication Factors

As a best practice, SecurID should not be used as the sole means of authentication. Recommendations on additional authentication measures and how to securely implement them are:

  • Augment SecurID with usernames and passwords: A relatively simple way to augment SecurID is to also require a user to log in to the system. This forces the adversary to compromise additional user information in order to gain access. Specific measures include the following:
    • Enable account login restrictions
    • Require users to phone-in before logging in
  • Augment SecurID with the DoD Common Access Card (CAC): A DoD customer could augment its existing SecurID system with the DoD CAC card, which is widely used across the DoD.
  • Perform regular audits of remote login activity: Enclaves should regularly audit login activities in order to identify unauthorized activity. Specific steps include:
    • Verify remote logins with each user
    • Analyze logs for unusual IP addresses
    • Analyze logs for failed login attempts
    • Notify users of last logins
  • Implement robust PIN policies: Implement strong policies for PIN and password usage and selection. The following should be considered:
    • Enforce the selection of robust PINs and passwords
    • Have users select new PINs and passwords and increase the frequency at which this needs to be performed
    • Implement quicker user lock-out after failed login attempts

Authentication Manager (AM) Hardening

These include:

  • Change default passwords
  • Install a system integrity checker
  • Only install valid software
  • Do not co-locate the AM with other services
  • Restrict Internet access from the AM
  • Limit user access to the AM
  • Baseline the AM network communications
  • Establish firewall rules to restrict network access to the AM
  • Limit user access to only a specific IP address or range of IP addresses
  • Restrict remote access to the AM

Additional Resources

Read NSA’s entire Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion here.

Read NSA’s entire Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion here.

Visit RSA’s SecurID Customer Resource Center, which provides links to SecurID information related to the attack, and where customers can tune in for updates.

In response to the RSA breach, the DHS issued the Technical Information Paper TIP-11-075-01 System Integrity Best Practices. This TIP calls for users to:

  • Enable strong logging
  • Limit remote access
  • Apply additional defense-in-depth techniques
  • Validate software

Were you affected by the SecurID compromise? Do you have additional resources to share with us? Let us know in the comments.

Light Point Web 0.8 Complete
Posted on by Beau AdkinsCategories Computer Security, Light Point Security Update, Light Point WebLeave a comment on Light Point Web 0.8 Complete

Light Point Web LogoWe have just wrapped up development and deployment of Light Point Web 0.8. We released 0.7 just over a month ago, so this release isn’t much different. Version 0.8 is mainly just fixing the issues we found with 0.7.

Light Point Web 0.7 Beta Results

How did the 0.7 beta go? There were 2 indirect problems we found immediately after beginning the beta. After we found them, we decided to cancel the beta to resolve them, and try again with 0.8.

Firefox 4.0

The first problem is that Firefox 4.0 was officially released just before we began the 0.7 beta. 0.7 only officially supported Firefox 3.6, and while Firefox 4.0 has been available as a beta for a very long time, I didn’t plan on putting the time to port it until 4.0 was officially released. By the time we started sending 0.7 beta installers, some of our beta testers had already upgraded, and therefore could not use it.

Misconfigured Servers

The other problem is that I had a misconfiguration in our cloud servers which caused the backend Light Point Web services to run slowly. If a user connected there would not be much difference, but after that user disconnected it could take upwards of an hour to prepare for the next user, instead of the minute it should have taken. While this preparation was going on, no other users could connect.

What’s New in Light Point Web 0.8?

New User Site

We have built a bare-bones website to be used only by our users. A user can go here to create a new account, change their passwords, download installers, etc. In previous versions, we would email our beta testers a link to an installer to download, and also send them a username and password we created for them. For security reasons, we did not want these services provided by our public facing site.

Firefox 4.0 Support

We now officially support Firefox 4.0. This transition was actually very easy (like 4 lines of code easy). I attribute this ease of this transition to the work I had put in for 0.7 cleaning up our Firefox extension in anticipation of exactly this. It worked VERY well.

More Robustness

Numerous small changes which will make Light Point Web be more reliable, be faster, and be just overall a more mature product.

What’s Next for Light Point Web?

We are getting REALLY close to having a Remote Browser Isolation product to sell. In fact, the only thing we are missing is having a system in place to take a payment. So that is our next goal.

In the meantime, if you would like to try out Light Point Web 0.8, head over to our contact us page, and let us know!

How to Protect Yourself From the Epsilon Security Breach
Posted on by Zuly GonzalezCategories Security, Web Security4 Comments on How to Protect Yourself From the Epsilon Security Breach

As most of you know by now Epsilon, one of the largest email marketing companies, was affected by a major security breach that resulted in the compromise of the email lists of some of its clients, including JPMorgan Chase, Capital One, TD Ameritrade, and Citi.

Epsilon released a statement announcing that approximately 2% of its client base was affected by the breach. This equates to about 50 of its approximately 2,500 clients being impacted. The names of the companies impacted by the breach are slowly being released by Epsilon (see a list below), and it is expected that the list will slowly grow over time.

The World Financial Network National Bank (WFNNB) is the latest to be affected by this security breach. WFNNB issues The Limited Credit Card, as well as many others. Here is the statement WFNNB released to its customers:

WFNNB Epsilon security breach email notification

Protecting Your Personal Information

Only the names and email addresses of customers have been compromised in most cases. This means that the threat is relatively low for those of us that practice good security. However, there is still a threat. Here is what you may see if you are the customer of one of the affected brands, and what you can do to protect yourself.

Spam. The most common issue you’ll face is an increase in spam. Although spam is annoying, it is not a huge security threat as long as you don’t open the emails. Keep in mind that most email services have fairly good spam filters, so even though there may be an increase in the amount of spam sent to you, you may not even notice it if your email spam filters are any good. This may be a good time to check your spam filter settings, and improve the security if you feel you’ve been getting too much spam lately.

Brute Force Password Attacks. There’s also the possibility that spammers could attempt to brute force passwords. Given a valid email address, spammers can run a script that will attempt to guess the password associated with that email address. Weak passwords are much more vulnerable to brute force attacks than strong passwords. Weak passwords are those that have few characters, contain dictionary words, contain names, contain no numbers or special characters, and are all lower case.

If you have a weak password, make sure you change it. This includes using your name, or a variation of it, as your password. Remember, in the case of the Epsilon security breach, the thieves also walked away with customer names, so that may be the first thing they try.

Targeted Phishing Attacks. The biggest threat will come from targeted phishing attacks, known as spear phishing. Phishing campaigns are common place for spammers, even if they don’t know if a particular person is affiliated with the brand they are targeting. In this case they have targeted customer lists for each brand, along with each customer’s name. This makes their job infinitely easier. Because customers expect to see emails from these companies, the email open rates will be much higher. And if the spammers can make the emails look legitimate by, for example, using the customer’s name, they will have a much higher success rate.

You can protect yourself from phishing attacks by not clicking on links in emails claiming to be from legitimate companies, like your bank. You should be even more skeptical if the email claims that you need to type in, or verify, your login credentials, or other personal information. Banks, credit card companies, and just about any other respectable company will never ask you for personal information via email. Instead of clicking on links contained in the email, type in your bank’s website URL directly in your browser, or call them to confirm the email.

Even better, to protect yourself against phishing and spear phishing attacks, use a Remote Browser Isolation solution for the best protection.

List of Affected Companies

This is the current list of companies that have been affected by the Epsilon breach. Look over the list, and be extra vigilant if you have given any of these companies your email address in the past. Please note that this is not an all inclusive list, as new companies are slowly being announced by Epsilon.

1-800-Flowers
AbeBooks
Air Miles
Ameriprise Financial
Beachbody
Bebe Stores
Best Buy
Brookstone
Capital One
Citi
City Market
Dell Australia
Dillons
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Fred Meyer
Fry’s
Hilton Honors Program
Home Shopping Network (HSN)
Jay C
JPMorgan Chase
King Soopers
Kroger
Lacoste
LL Bean Visa Card
Marks & Spencer
Marriott Rewards
McKinsey & Company
MoneyGram
New York & Company
QFC
Ralphs
Red Roof Inn
Ritz-Carlton Rewards
Robert Half
Scottrade
Smith Brands
Target
TD Ameritrade
The College Board
TIAA-CREF
TiVo
US Bank
Verizon
Walgreens
World Financial Network National Bank (WFNNB)

Are you receiving more spam than usual because of the Epsilon security breach? Have other companies been affected by the breach that are not listed above? Let us know in the comments.

EMAIL UPDATES
Categories
FOLLOW US ON