Snake oil: legitimate vendors sell it too

By John Viega
December 18, 2008 | Comments: 4

Traditionally, when security experts talk about snake oil products (i.e., security products that don't actually offer any security), they are usually only brave enough to call out products from dubious companies that make claims that are obviously false... almost always around cryptography. Few people call out venture-backed companies with well-known people on the management team.

Partly, this is because with most products it's not so clear-cut whether they are crapware. The company's marketing department can always find someone happy with the product, so it turns into a battle of credibility and opinion, and the technical merits become secondary. A more common issue is that a product does something to help, but it's not as good as its vendor would have you believe.

At the end of the day, if we say snake oil products are ones that don't do what the marketing leads the customer to believe they do, then many reputable security companies peddle snake oil.

For example, consider the company Trusteer. They're backed by the firm US Venture Partners. They have some seasoned veterans on their team, and some smart people. Plus, they have one big customer, ING Direct, which I'll assume is happy with them.

Trusteer's product is snake oil.

Their marketing claims that their product Rapport, "... protects login credentials and transactions, from desktop to Website, even if a computer is infected with malware." When I first heard this claim, I heard it directly from their President's mouth when he was explaining to me what they do (incidentally, I thought he was a good guy who genuinely believed in the marketing). I asked, "is this even going to work when malware writers start targeting your software?" He said "yes": their technique would protect your personal info, no matter what infection is on your machine.

While there are a few ways you could make a claim like that and have it be defensible, the solution they explained to me didn't sound like it would do the job. Basically, they put their code on your machine, and it obfuscates stuff. Code that runs on the same machine as the attacker can be analyzed by the attacker, so a determined one should eventually be able to figure out what that code is doing, and undo it or disable it.

The only way I can imagine them defending their technical claims is to say, "well, we sit in the kernel, and malware can't touch us if it's running with regular user privileges." But, in reality, there is plenty of malware that gets into the kernel. Often, the bad guy just tricks the user into installing something with administrative privileges.

A few days ago, a friend sent me a link with a video where they show custom malware that has no problem defeating Trusteer's protection. The product does not do what the company claims.

If I were Trusteer, I'd counter this charge of snake oil by saying, "well, we never expected people to think it works all the time, just that it works most of the time". I wonder if ING Direct knew that when they started offering the product. Because now, ING Direct is going to its banking customers with a product that makes people feel like they don't have to worry about whether they're infected anymore. Why pay for AV, when the only thing you were worried about was identity theft?

Even if their marketing claims reflected the reality of their technology, I think the product promotes a false sense of security. In short, trusting this product to do the job it claims to do only puts you at risk, particularly because it's not a huge stretch to think that, if you're going to get infected, it could easily be by something that can disable Trusteer's product. In fact, if enough people are using Trusteer's product, then that kind of malware would certainly get pretty common.

But, I suppose that, if you do understand the risks, it is better than nothing. Certainly, if you think you have a good chance of being infected, you shouldn't do online banking at all; you should worry about the infection. But if you don't think you are, then this product could actually help some of the time, when it turns out you actually were infected.

As you can see, the line between snake oil and a legitimate product is often a marketing claim. As a general rule of thumb, security companies want to make you think you're as secure as possible. Many of them are happy to lead you to believe that you're more secure than you actually are, which could end up putting you in a bad situation.

Therefore, it's generally worth doing your homework on security products you buy, to make sure you have at least a high-level understanding of the technical merits, and the drawbacks.

4 Comments

John,

While you claim you spoke with me and even quote me, I've never met you and you're apparently confusing me with someone else. If we spoke I would have told you that our strategy against attacks that try to disable or damage the service is to detect and react. There are various detection and reaction mechanisms operated by both Trusteer and the subscribing banks. Trusteer monitors attempts to disable our service and we react by silently deploying additional self-protection defenses. We do this only when these attacks are confirmed to be actually in the wild, threatening real customers. A second defense is to alert the subscribing website that a user's copy of the software may have been tampered with, so that the bank may react to a possible credential theft. Your video doesn't contradict any of our claims.

An objective and reputable member of the media or the journalist community would contact a vendor for comment before publishing a story based on a dubious video. Your readers should be aware that you are the CEO of a security vendor that tried to compete with Trusteer. Anyone with any sense of ethics would have disclosed that to their readers. I'm surprised that O'Reilly would allow you a forum to make an unsubstantiated attack on a competitor.

There are too many inaccuracies in your report and you obviously haven't read or chose to ignore how banks communicate Trusteer to their customers. Rest assured that banks are far more professional than you have suggested. They have tested Trusteer's service much more thoroughly than you suggested. They are familiar with the Trusteer service architecture, which is much more sophisticated than you assume.

The fact that the tester had to look for ways to disable the service before being able to run malware proves that the solution works and adds real value. The fact that you weren't aware of and haven't been able to detect our early warning signals against tampering proves that the solution works on a much greater scale. This is why 10 different financial institutions are already using this service successfully. While no solution is bulletproof and we keep improving, Trusteer has managed in a very short time to change the approach to desktop security. The various vendors that follow us with similar solutions are the ultimate validation of this approach.


Thank you
Mickey Boodaei
CEO
Trusteer

  • I meant President... I spoke with Rakesh at length at RSA last year. Sorry about that.
  • This is a blog, not any sort of journal publication. I'm not a reporter writing articles.
  • My company makes anti-virus software. It does not, nor has it ever done, anything that tries to secure e-commerce transactions in an untrusted environment. Nor do I expect to go after anything like that in the foreseeable future. However, I will be happy to tell people how this COULD be done, in a way that actually has some reasonable security guarantees. Look for it in a blog post this week.
  • I've read the ING Direct site; they don't really say much other than to point people at your site, which has the misleading marketing.
  • If you read carefully, I say the approach is better than nothing, if people really understand what it does, instead of believing the marketing claims.
  • The more widespread your solution becomes, the less effective it will become, because more people will explicitly target it. You will be in the middle of an arms race that will give you no real differentiator over the anti-virus package the end consumer is already running.

I updated the article to correctly reflect that I talked to the company's President, not CEO.

John

Mr Boodaei,

I've read your post and I sincerely have to say this is one of the most confusing posts I've ever seen. You've written many things that just confuse your readers, trying to hide the truth.
You talk about a number of layers of security, some monitors that report and SILENTLY react, DEPLOYING ADDITIONAL SELF-PROTECTION DEFENSES, technology that reports attacks to the bank.
For fuck's sake, what the hell are you trying to say? Self-protection defenses?? Customer ID and password have been logged and most likely they have been sent to a remote website! The video clearly shows that!
Even if banks react after a while, who covers the gap between data theft and reaction? In the meantime all users' data has been uploaded remotely and attackers could have already stolen money. What additional self-protection defenses?!? Where are they? The attack shown in the video successfully logged all the data!

What? You'll update your software if an in-the-wild attack is reported? God, after an attack is detected to be in the wild, millions of dollars could have been already stolen.

What? "The fact that the tester had to look for ways to disable the service before being able to run malware proves that the solution works and adds real value"? What the hell, what are you trying to say? There is a way to bypass your software. This is THE topic.

You claim your software guarantees data security EVEN IF THE PC IS INFECTED. This is simply NOT TRUE. That video shows why this is not a good concept.

It would really have been better if you had written a post saying: "Yes, that video shows an attack that successfully bypassed our defenses. Indeed we can't guarantee security if a PC is infected. But we'll try to fix the vulnerability reported".

Instead, you're still claiming what you can't guarantee.

Great. Congratulations.

Gee, what an interesting blog. The entire industry peddles snake oil!!

What do you say to an anti-virus vendor whose virus definition is only good until someone takes a run-time packer to the sample?

Same virus is undetected again in 10 seconds and redistributed.

Now that sir is false security and snake oil.

I should point out to everyone reading this, almost all crimeware in the wild does not use hook-based key loggers (shown in this video). Hook-based keyloggers can commonly be found in off-the-shelf commercial spy software such as Ardamax and Spector.

There is a different method of keylogging occurring in the wild and this video proves absolutely nothing.
See: http://en.wikipedia.org/wiki/Form_Grabber

Trusteer's product is junk, it has always been. No one at Trusteer knows anything about true Crimeware and how it operates, therefore they will never be able to properly defend against it.

Financial institutions that are using Rapport will still see instances of Crimeware related fraud and it's only a matter of time before they see the statistics that support this.

John Viega should not have reported on the posted video in the first place however.

There is no published paper discussing how the hacker bypasses the local hooking function of Rapport. Therefore how can you report this when you lack credible source information?

Please don't tell me you think a 10-year-old's flash video is credible?

The person who posted this video has Milw0rm at his disposal anytime he feels like enlightening us.

Joe
