Thought Leaders

Amit Klein, CTO, Trusteer

Stephen Northcutt - September 27th, 2009

Amit Klein is Chief Technology Officer (CTO) of Trusteer, a provider of web browser security technology. He has agreed to share his information with the community as part of the Thought Leadership project and we certainly thank him for his time.


Amit, can you give us a bit of background, how did you get where you are today?

Stephen, previously I was Chief Scientist of Cyota (acquired by RSA, now “RSA - The security division of EMC”), and prior to that I was a director of security and research at Sanctum (acquired by Watchfire, now part of IBM Rational division). Like yourself, I was fairly early to the party and have over 18 years of experience in information security, including five in online banking. I love to share my thoughts with people and have written over 30 papers on the topic of Internet security. I am very pleased that my work has been featured in Dr. Dobb's Journal and in the CSI journal. I have presented at a number of conferences including Microsoft BlueHat v8, RSA US 2008, APWG 2007, OWASP EU 2006, CERT conference 2002, ISOC-IL 2006 and FM’99.


Wow, you do have a serious background in the field. I guess I mistimed RSA; I presented in 2007 and 2009. And I have seen you in a bunch of print publications. What are some examples of press pickups?


The biggest event for me was being quoted in USA Today, but I have also been interviewed by SC Magazine, CSO magazine, ComputerWorld and TechTarget.


Nice, and what is your college background? It sounds like you got your start just a bit too early for a computer science degree.

I have a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University in Jerusalem, Israel and I am a graduate of the “Talpiot” IDF program.


Fantastic, Kathy and I are on our way to Israel in a month, my mother has always wanted to see Jerusalem and finally agreed to go. Talpiot, eh? That is pretty neat, I remember reading about that. Now, you mentioned writing, can you list a few of your papers please?

Here are some recent ones:

• Temporary user tracking in major browsers and Cross-domain information leakage and attacks, June 2009
http://www.trusteer.com/files/Temporary_User_Tracking_in_Major_Browsers.pdf

• Microsoft Windows DNS Stub Resolver Cache Poisoning, April 2008
http://www.trusteer.com/docs/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf

• PowerDNS Recursor DNS Cache Poisoning, March 2008
http://www.trusteer.com/docs/PowerDNS_recursor_DNS_Cache_Poisoning.pdf

• OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability, February 2008
http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf

And you didn't ask, but here are some examples of presentations that I have given:

• OWASP AppSec Europe Conference 2006 – “HTTP Message Splitting, Smuggling and Other Animals” (Invited talk)
http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt

• CERT 2002 Conference, "WWW Forensics" (Expert Track)
http://www.certconf.org/presentations/2002/Tracks2002Expert_files/WE1&2_files/frame.htm


Very impressive, Amit, you certainly qualify as a thought leader! Can I ask a favor? Please share your top three "must read" papers that are available on the web that you did not write.


“The browser security handbook” by Michal Zalewski – the most comprehensive compilation of browser security issues by one of the leading researchers on this topic.
http://code.google.com/p/browsersec/wiki/Main

“It’s the End of the Cache as We Know It” by Dan Kaminsky – a great treatise on a serious DNS protocol flaw which led to the most extensive and coordinated Internet security fix to date. This paper also provides an excellent analysis of the critical role DNS plays in the Internet’s infrastructure.
http://www.toorcon.org/tcx/1_Kaminsky.pdf

“A Cryptanalytic Time-Memory Trade-Off” by Martin E. Hellman – this 1980 paper forms the basis for the rainbow table technique of password cracking (though the latter includes several improvements over the original 1980 manuscript).
http://www-ee.stanford.edu/~hellman/publications/36.pdf


Thank you for doing that, Amit; now, how did it all start? How did you become interested in the field of information security?

In my early 20s I spent some time with Unix workstations. Two incidents led to my interest in computer security. Our sysadmin played a trick on newcomers by duping rookie users into authenticating to a fake Unix login screen. This prank emphasized to me the importance of establishing a trusted path between the user and the operating system. I also developed a prank of my own by modifying an executable on disk and replacing some strings. It was a very crude binary editing exercise, but it demonstrated the inherent lack of security in shared binaries and executables. These experiences led me down the security path I have traveled.


Have you worked on security products before the product you are working on today? If so, please list them and describe the highlights of some of these products.

I was one of the first employees at Sanctum (now part of IBM’s Rational division through the Watchfire acquisition), which was the first web application security vendor. I was promoted to director of security and research at Sanctum. In that capacity I managed Sanctum’s security team, which was responsible for the security content of Sanctum’s products, and also contributed to product design and architecture. Sanctum’s first product was AppShield, the first commercial web application firewall (version 1.0 shipped in late 1998). This was followed by AppScan, the first commercial web application vulnerability scanner (version 1.0 shipped in mid 2000).

In 2004 I joined Cyota (now part of RSA, the security division of EMC) as their chief scientist. At Cyota, I was deeply involved in the FraudAction service, which provides phishing and pharming take-down and forensics services.


What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?


Since I joined Trusteer in 2006, I’ve been working on Rapport, Trusteer’s flagship product. We have designed Rapport to secure online transactions between compromised desktops and trusted financial websites. Our product has applications beyond financial services, including e-commerce, healthcare and others. Most of Trusteer’s competitors are developing products that either assume the desktop machine is not infected and attempt to prevent future infections, or try to address a very narrow part of the problem such as keylogging. Rapport takes a holistic approach, assuming that the computer is already infected, and provides security for logins and transactions with the web sites it protects. We’ve developed some very advanced, patent-pending techniques that are entirely unique in the marketplace.


You know, there is something to be said for assuming systems are already infected; sometimes they come that way from the factory, for Pete's sake! What do you think the security products in your space will look like in two years? What will they be able to do?


For online desktop protection, products will have more integration with browsers and operating systems. They will be able to protect the user from attacks that arrive in many shapes and forms (via various web protocols, but also from the LAN and from USB devices and other detachable media sources). They will have a better understanding of transactions. They will enable the user to seamlessly move from machine to machine while providing continuous protection. They will evolve into authenticating the user and relaying this information. We will see products that are able to create secure islands within the desktop, in which secure communication, messaging, etc., can take place without the risks of spam, infection and eavesdropping.


Please share your impression of the defensive information community; are we making progress against the bad guys? Are we losing ground?


I think that right now, the number of bad guys is on the rise. We are seeing more sophisticated attacks, more cunning ways of infiltrating desktops, more stealth applied by malware to cover its tracks and to remain invisible, and ingenious ways to circumvent second factor authentication by combining technology and social engineering. The defensive information security vendors are certainly trying to keep up, but some business/technology models are showing signs that they are breaking down, e.g., signature based detection. These can’t keep up with the volume and sophistication of present day polymorphic malware. As such, I don’t see a major improvement in the near future, but we’re working on it.


Please share your thoughts concerning the most dangerous threats we will be facing in the next year to eighteen months.

My nightmare is what I call the “uber malware.” It is a collection of technologies and techniques that are already in use in various malware families (though typically a single form of malware doesn’t employ more than 1-2 such techniques), or that I can envision to be developed/used soon. A malware attack that combines the best distribution (0-day exploits, hidden sites, and compromised popular sites) and evasion methods (server side polymorphism, rootkit techniques, under-the-kernel residence, etc.) with a sophisticated payload (client-side logic for conducting transactions and wire transfers) would be devastating. This uber malware would be capable of defeating most current Internet defense mechanisms and could quickly siphon millions (or more) out of online banks.


What is your biggest source of frustration as a member of the defensive information community?

I’m frustrated with the gap between what a lot of security offerings expect their users to understand and do, and the ability of Joe Average to really understand and do what is being asked of him/her. Products that require users to make intelligent decisions and take proper actions when presented with a message such as “the file c:\windows\system32\shlwapi32.dll is about to be overwritten, and, oh, do you approve?” are missing the boat. Joe Average doesn’t know much about shlwapi32.dll, and whether it’s OK to overwrite it. Joe also doesn’t understand that the tiny SSL lock icon should be present, and should be part of the browser’s chrome (and not part of the page…). In short, a lot of vendors assume Joe Average is a literate computer user and a security-aware netizen, but this cannot be any further from reality. We need security mechanisms that are practical so that they will work for all users – not just for the developer in the nearby cubicle.


This has been fun, Amit; I really appreciate your willingness to share your knowledge. One of the things we like to do with the thought leadership project is give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

Being a technologist and a security guy, I’m particularly frustrated with my wallet. It’s cramped with 20 (I just counted) plastic cards and similar cardboard cards from various companies and agencies – payment cards, gift cards, discount cards, driver’s license, etc. Naturally, my wallet is over 2 inches thick. This is ridiculous. All the information from those 20 cards can be easily packed into a single smart card (or some other standard). The technology is there. In fact it has been around for many years. I realize there are security issues associated with such a scheme, but I’m 100% sure we can solve them. It would make life so much easier in some respects (think about having only two copies of this one card – in case you lose one). I’m not talking about digital wallet for digital cash, mind you. The latter is a much bigger challenge. I’m merely suggesting that all those plastic cards could be merged into a single physical card. Perhaps that will be the focus of my next security project …


Well, if you take that project on and somehow think of me, drop me a note! And last, but so very important, can you tell us something about yourself? What do you do when you are not in front of a computer?


I am married, and as of earlier this year, a father to a very cute baby girl. So, when I’m not working, I’m with my wife and my daughter. As for hobbies, my usual suspects are classical music, reading, sci-fi and a bit of chess. My secret hobby is bird-watching. I’m no expert on this subject, but I do love going out on bird watching adventures, and thankfully I managed to get my wife hooked on doing this too. The fresh air, freedom, and simplicity provide a wonderful antidote to computer security. Some great security problem solving ideas have stemmed from these outings.