WashingtonExec recently spoke with Lance Cottrell, chief scientist for Ntrepid Corporation. He discussed Ntrepid’s new web security product, Passages, its importance and how it came about. He explained why Passages is a vital tool for combating hacking and non-hacking vulnerabilities and how cyber threats to businesses go well beyond simple malware and hackers.
Cottrell is a privacy and security expert, entrepreneur, advisor, public speaker and investor. He has been at the cutting edge of Internet security, privacy and anonymity for approximately 20 years. Cottrell is also the founder of Anonymizer, now wholly owned by Ntrepid, as well as the author of the Mixmaster anonymous remailer. He is the founder of and a principal at Obscura Security and an advisor for Taia Global, Inc.
He is a former chief scientist for Abraxas Corporation and holds a master’s degree in Physics from the University of California, San Diego and a bachelor’s degree in Physics from the University of California, Santa Cruz.
WashingtonExec: You recently announced a new web security product called Passages. Why do we need yet another security tool?
Lance Cottrell: Previous generations of security tools have focused on trying to keep attackers completely out of company networks, but the web has really stood that on its head. Firewalls have to allow data in from the website user’s visit, but that data often contains an attack against the users and their browsers. Web-based attacks are now the number one source of malware infection.
Despite the best efforts of the programmers, we are far from having browsers that are free from vulnerabilities; new kinds of active content, like HTML5, continue to make that task more difficult. A new security paradigm is emerging that focuses on robust resiliency rather than brittle exclusion. When, not if, malware compromises the browser, we need to ensure that it does not lead to loss of sensitive information or further compromise of valuable infrastructure. Additionally, we see growing awareness that current cyber threats to business go well beyond simple malware and hackers. In many cases a business can suffer substantial harm without any malware or hacker compromise at all.
WashingtonExec: That is very interesting. Can you give some examples of these non-hacking vulnerabilities?
Lance Cottrell: Imagine that you are working on a sensitive project. Inevitably you will need to research the issues and technologies involved. That research paints a very clear picture of your activities for the websites you visit to see. Or consider mergers and acquisitions, where your interest in a company, if known, would allow them to prepare and strengthen their negotiating position against you. If that company can see your executive team and investment bankers investigating them, they know just that.
We see some competitors get very aggressive, actually blocking or actively lying to their competitors. In many cases they will automatically show different prices or other misinformation when they recognize a competitor visiting their website.
This is not just limited to competitors. Prices, products, and other information are often targeted by country, region or language. Passages allows you to control where you appear to be, enabling you to get a complete picture of the information presented by websites. There are a host of costs to being tracked and identified on the Internet that don’t even fall into the typical definition of vulnerabilities.
WashingtonExec: Like what?
Lance Cottrell: Well, we have seen cases where fraud investigations have failed because the fraudsters have taken care to not defraud the identifiable investigators.
You might be targeted for attack because you are known to have something of value. Attackers are smart enough to save their best exploits for just the juiciest targets, ensuring that they are not detected by the anti-virus companies’ sweeps of the Internet. Because the attacks are not known, they are unlikely to be detected and very likely to succeed.
WashingtonExec: So, what is Passages, and how does it relate to these different kinds of threats?
Lance Cottrell: Passages is a combination of a secure browser in a virtual machine and an encrypted virtual private network (VPN). Each time you launch your browser, a whole virtual computer is launched within your real computer. The virtual computer is completely clean and is destroyed at the end of each session, with no possibility of any infection, tracking information or anything else surviving to trouble you. The virtual computer has no access to your local computer, so any malware is completely trapped. We also use a Linux operating system in the virtual machine to avoid the vast majority of malware.
Passages then establishes a VPN from the virtual machine out to our secure cloud in the Internet. That ensures there is no way for anything running in the virtual machine to have access to any service or server on your local network. The VPN also hides your identity, automatically preventing targeting of misinformation, attacks or gathering intelligence about your activities.
Finally there is the issue of downloaded files. These might be files that the user downloaded intentionally or that were “drive by downloads” by hostile websites. Rather than allowing these potentially dangerous files to be saved to your computer, Passages puts them in a secure cloud repository called SafeHold. The files there are scanned for malware, and can be downloaded to any computer. All this happens transparently to the user. All they see is a familiar Firefox browser on their desktop. Finally, we really focused on the enterprise when building Passages, so everything the users do is tracked and fed into our analytics tool for oversight, compliance and auditing.
WashingtonExec: Passages seems like a departure for Ntrepid. How did you come up with this product?
Lance Cottrell: For many years we have been building safe environments for Internet operations against the most sophisticated opponents and in the most hostile network environments around the world. Recently we realized that, while the missions of business are very different, many of the risks and requirements are the same. We took the technologies from our top of the line specialized tools and created a product that could bring maximum security to the Web for every business.