Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Sourcefire hits a rough patch

Bill Brenner

Last year, it seemed as though Sourcefire could do no wrong.

The company behind the popular Snort IDS tool had received a mostly positive response from industry experts for its move to go public, and Chief Technology Officer Martin Roesch started talking about acquiring other technologies. The vendor got more positive reviews when it announced it was acquiring ClamAV.

But yesterday brought word that Sourcefire’s recent path wasn’t producing the expected financial results. The company announced that E. Wayne Jackson, the vendor’s CEO and chairman, was stepping down.

News of Jackson’s sudden departure came Wednesday, the same day the company announced a net loss of $6.5 million for fiscal 2007.

In a conference call with investors Wednesday, Jackson said he was proud of having taken Sourcefire from its beginnings as a small start-up to its current status as a large, public company. “Having successfully completed this important phase of Sourcefire’s history as well as its IPO, I indicated to the board that now is the appropriate time to transition to new leadership that will take the company to the next level as I take on new opportunities and challenges. I look forward to continuing to work with my colleagues at Sourcefire to ensure a smooth transition,” he said.

In addition to the 2007 loss, Sourcefire said it expects to post a larger loss in the first quarter of 2008 than analysts had been expecting.

As expected, the news has generated some buzz in the blogosphere.

StillSecure Chief Strategy Officer Alan Shimel wrote in his blog that Jackson has done a great job of taking Sourcefire from a good open source project to a public company. As much as Roesch is the lightning bolt and thought leader over there, he wrote, Jackson brought a steady hand and sense of maturity to the company.

“With a new CEO search underway, I would imagine they are going to look for someone with public company CEO experience to help guide Sourcefire through a rocky market and make up for a history of missing street expectations,” Shimel wrote. Of Sourcefire’s losses, he said, “Tough luck for a company that actually is executing. I think it has more to do with setting the right expectations with the street than it does with the company’s market share and such.”

Mike Rothman, president and principal analyst of Security Incite, wrote in his blog that after missing the first two quarters since going public and just eking out greatly reduced expectations since then, one must wonder if Jackson was “tossed out of the car at a high rate of speed.”

Ultimately, he wrote, there needs to be a reassessment of the entire IPS market to determine “if there is any there there.”

“Rumors abound of another dedicated IPS company getting out of the hardware business and with TippingPoint being spun out at some point from 3Com, you have to wonder whether any of these dogs will hunt over the mid-term. The answer is a resounding no,” he wrote. “Mr. Market is speaking and stand-alone is not on the menu. They all seem to want combination platters, which is yet another sign of the maturity of the network security business.”

Rothman makes a good point. A lot of the market consolidation we’ve seen in the last couple years is a result of consumers demanding those combination platters, especially when security is being baked into the larger IT infrastructure products.

The latest Sourcefire news may indeed be another sign that standalone security vendors are in danger of going the way of the dinosaur, but I wouldn’t count this company out just yet.

Sourcefire produces technology many big operations have come to rely on, including the U.S. Defense Department. Remember, the national security implications of Snort going under new ownership derailed plans for Sourcefire to be acquired by Check Point Software Technologies Inc.

Snort fans want this company to stay independent. Hopefully, the vendor will navigate its way out of this latest rough patch.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Report: 8,700-plus FTP account credentials in hackers’ hands

Finjan released an interesting report today about a database it uncovered with more than 8,700 harvested FTP account credentials — including username, password and server address — that are apparently in the hands of the digital underground.

The vendor says these stolen credentials allow the bad guys to inject crimeware into servers and in turn infect end users. Stolen accounts include those of Fortune-level global companies in a wide range of industries such as manufacturing, telecom, media, online retail, IT and government agencies. The stolen FTP accounts include some of the world’s top 100 domains as ranked by Alexa.com.

“Software-as-a-Service has been evolving for some time, but until now, it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant ‘solution’ to their ‘problem’ of gaining access to FTP credentials and thus infecting both the legitimate websites and their unsuspecting visitors. All of this can be easily achieved with just one push of a button,” Finjan CTO Yuval Ben-Itzhak said in a press release.

New worm working its way through Google’s Orkut

Social networking sites, which are as popular as Nickelback and even more annoying, have become favorite playgrounds for malware authors and attackers. We’ve seen attacks using both Facebook and MySpace as a launching pad in recent months, and now it’s Orkut’s turn again. Orkut is Google’s homegrown social networking platform and Symantec researchers have discovered a new worm that is spreading through Orkut by using malicious “scraps” to infect users’ machines. Scraps are graphics and other pieces of content that users employ to communicate with their friends on the site.

The new worm that Symantec is monitoring sends a malicious scrap to all of the people in an infected user’s address book, asking them to click on an image that is supposedly a Flash movie. But, of course, once the user clicks on the link, he is redirected to a malicious site that proceeds to install a number of separate pieces of malware on his machine. The different threats are downloaded from several different domains, and the worm has a couple of other interesting capabilities.

What is interesting in this attack is a redirection URL used to fool Orkut. Orkut shows a CAPTCHA image for human validation whenever any user posts a scrap containing a link and an image. However, CAPTCHA is not used if the URL and image both come from any of the Google domains. This worm uses a redirected URL request from Google video to redirect to the malicious website and escape the CAPTCHA checks.
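The weakness described above is a trust decision made on the first hop of a link rather than on where the link actually ends up. The following Python script is an added illustration written for this post, not Symantec’s or Google’s code; the host names, the `/url?q=` redirect path and the redirect table are constructed stand-ins for live HTTP responses. It contrasts the flawed rule (skip the human check when the link’s own host is trusted) with a hardened one that follows the redirect chain and requires every hop, including the final destination, to stay on a trusted host.

```python
from urllib.parse import urlparse

# Hypothetical trusted domain, constructed for this example.
TRUSTED_SUFFIXES = ("google.example",)

# Constructed stand-in for live fetching: maps a URL to the Location header
# a server would return, or None for a final (non-redirect) response.
# URLs not listed here are treated as final.
REDIRECTS = {
    "http://video.google.example/url?q=http://bad.example/flash.html":
        "http://bad.example/flash.html",
}


def host_is_trusted(url):
    """True when the URL's host is a trusted domain or a subdomain of one.
    Suffix matching is anchored on a dot so 'google.example.bad' fails."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def weak_check(url):
    """The flawed rule the post describes: skip the CAPTCHA whenever the
    link's own host is trusted, without looking at where it redirects."""
    return host_is_trusted(url)


def redirect_chain(url, fetch_location=REDIRECTS.get, max_hops=5):
    """Return every URL visited while following redirects, final URL last.
    Raises ValueError on a redirect loop or when the hop limit is exceeded."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError("redirect loop at %s" % nxt)
        chain.append(nxt)
    raise ValueError("too many redirects starting from %s" % url)


def hardened_check(url, fetch_location=REDIRECTS.get):
    """Skip the CAPTCHA only if every hop, including the final destination,
    stays on a trusted host. Any failure to resolve counts as untrusted."""
    try:
        chain = redirect_chain(url, fetch_location)
    except ValueError:
        return False
    return all(host_is_trusted(u) for u in chain)


if __name__ == "__main__":
    samples = (
        "http://video.google.example/videoplay?docid=1",
        "http://video.google.example/url?q=http://bad.example/flash.html",
    )
    for u in samples:
        print(u, "weak:", weak_check(u), "hardened:", hardened_check(u))
```

Resolving the chain server-side costs a fetch per hop, which is why the hop limit and loop detection are there; the point is that an allowlist applied to the submitted URL alone says nothing about the page the user will land on.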

If you haven’t already blocked access to social networking sites on your network, now might be the time to do it. There’s not much of a legitimate business case to be made for using Facebook or Orkut at work and it looks like attackers have begun to turn their attention to these sites as an easy way to infect large numbers of PCs in a short amount of time.

Panda Security launches $10k challenge

PR campaigns that involve cold hard cash always interest me. Panda Software is issuing a challenge to companies to test its network scanning software. Executives there are so confident that they will find malware that they are offering the first 10 companies that compete in the contest a $10,000 prize if the scan produces no results.

What will the scan look for? Just about everything.
• Trojans
• Worms
• Hacking Tools
• Viruses
• Spyware
• Adware
• Root-Kits
• Backdoor Tools
• Bots
• Dialers
• Vulnerabilities (exploits, etc)

I’m willing to bet that very few companies will be winning the prize. End-users probably have some spyware or adware on their machines. The definition of what exactly is adware is hazy as well.

Companies that win are subject to verification and audit processes and the company’s continued compliance with the official rules.

Does your firm qualify? Companies must be located in the U.S. The computer network must consist of 150 or more physical computers. All computers on the network must have been connected to the network and to the Internet consistently for no less than six months prior to the Challenge.

And oh yeah, the companies’ core businesses must not involve pornography or gambling. Those firms probably don’t need the extra $10k anyway.

Tell me your virtualization security story

Bill Brenner

Earlier today my colleague Rob Westervelt wrote about VMware’s plans to unveil what it calls VMsafe, a partnership program with Symantec, McAfee, the Internet Security Systems division of IBM, EMC’s RSA security division, and Check Point Software Technologies. The security risks and benefits associated with virtualization are a subject very much on our minds these days.

In recent weeks I’ve been interviewing many security experts about virtualization for an article I’m putting together, and along the way I’ve come across quite a few blogs that focus on the subject. Here are just a few of them:

Petri IT Knowledgebase: The people behind this site cover much more than just virtualization, but when they do turn their attention to the subject they do it well. Here’s an excerpt from the most recent entry on virtualization, from expert David Davis: “A lot of people think that if you virtualize, let’s say, a Windows 2003 Server, that virtualized system should be secure because it is completely separate from the VMware ESX Server operating system and it could be, potentially “protected” by VMware ESX Server. This is not true and there are a lot of things you need to know about virtualization security.” He goes on to offer plenty of helpful advice on how to properly secure virtualized servers.

Virtualization for Everyone: This site, among other things, keeps track of the latest virtualization news, with commentary throughout. Its latest entry, in fact, is on VMsafe.

Rational Survivability: This is the blog of security specialist Christofer Hoff. It covers all aspects of security, but the latest entry is about what looks like a pretty useful research paper from Andreas Antonopoulos from Nemertes called “A risk analysis of large-scaled and dynamic virtual server environments.” By the way, Chris, I’m interested in talking to you about this if you have time. ;-)

Smart Security: This is the blog of Dharmesh Mehta, a security specialist based in India. His latest entry asks the question: Is virtualization secure? Here’s a bit of what he has to say about that: “Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they’re (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine.”

Do a Google blog search on the subject and you’ll find many more sites to sift through.

Now, as I said earlier, I’ve been doing a lot of interviews with security experts about this, but to date I’ve been unlucky in my attempts to connect with an IT administrator or two who might be willing to talk about their own virtualization security experiences.

And so this is my plea for someone out there to come forward. This article will explore the pain points and successes of virtualization and it simply won’t be complete without the user experience.

Thanks.


VMware responds to security concerns with VMsafe

A lot of security pros have pondered the security complexities introduced into an environment that uses virtualization software. Researchers have pounced. They’ve been looking under the hatch, and we anticipate some interesting reports on security vulnerabilities associated with virtualization products in the coming weeks and months. We’ve already written about some of the security issues and how VMware will address them, or is trying to. VMware executives seemed downright irritated by questions about security complexities at last year’s VMworld users conference.

Today, however, VMware is trying to be a step ahead of the critics with what it calls VMsafe. It’s a partnership program with Symantec, McAfee, the Internet Security Systems division of IBM, EMC’s RSA security division, and Check Point Software Technologies.

Shhh! This is supposed to be a big secret apparently. A Reuters wire story attributes the news to unnamed sources. VMware plans to unveil the initiative next week at the VMworld Europe users conference in Cannes, France.


Duo shows off GSM-hacking technique at Black Hat DC

One of the more interesting presentations during the first day of the Black Hat DC conference on Wednesday was a demonstration of a cheap, quick method for capturing and decrypting calls made on the GSM cell phone network. Security researchers David Hulton and Steve Miller showed a standing-room only crowd how they’ve been able to use commodity hardware to implement what they say is the first practical attack on the algorithm used to encrypt GSM calls, A5/1. The attack involves capturing some known plaintext and then using that and some other elements to compute the encryption key.

There have been a number of other theoretical attacks on the encryption algorithm proposed in recent years, but Hulton said the technique that he and Miller developed is the only real practical method for capturing and deciphering GSM calls. “A lot of other attacks are academic BS,” he said.

Miller also pointed out a number of security problems in the GSM platform as a whole, including the fact that encryption keys are reused for as many as 16 calls. “There is no security on GSM,” Miller said.

Japanese spam king arrested

A 25-year-old man in Japan was arrested after an Internet service provider complained to authorities that he was clogging the pipeline with huge amounts of spam.

Police told local media that Yuki Shiina allegedly sent out over 2 billion unsolicited emails. It is believed he bought 600,000 email addresses off the internet for 100,000 yen (US $927) and earned over 2 million yen (US $18,540) through the spam campaign.

Shiina broke Japanese laws by allegedly faking sender information on emails in an attempt to avoid detection.

Will these arrests do any good? Sophos believes so.

Graham Cluley, the vendor’s senior technology consultant and evangelist, said police are increasingly cracking down on spammers.

“No-one who hears about a single person believed to have sent 2.2 billion spam emails can be in any doubt as to the scale of the problem, and it’s essential for a clear message to be sent out that the police are serious about catching the criminals responsible,” Cluley said in a press release.

Cluley is right that we’re hearing more publicly about spammer arrests. Last May, U.S. investigators arrested Robert Alan Soloway after years of investigation. Some experts said that it could result in a short-term dip in the volume of spam. There was a short-term dip, but it was mainly associated with the summer months.

In November another “Bot Roast” was announced by the FBI. Eight people were arrested and charged in that campaign.

Has spam been reduced? Nope.

Emotions raw over FISA bill

Bill Brenner

The fur has been flying this week over whether Congress should extend the life of a controversial surveillance law or let it expire tonight.

The firestorm surrounding the Foreign Intelligence Surveillance Amendments Act (FISA) is just the latest battleground in a debate that has raged throughout the war on terror — whether the threat of another attack on U.S. soil justifies unfettered government surveillance of most of its citizens in hopes of finding the few evil seeds that hide among us.

As my colleague Dennis Fisher wrote this week, the bill would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program. The bill’s passage would effectively prevent the public from ever discovering the details of that program, privacy experts told Dennis. In a follow-up posting in this blog, Dennis noted the increased likelihood that Congress will let the current extension expire tonight rather than try to work out a compromise between separate bills passed by the House and Senate that would extend the legislation for several years.

“Democrats in the House, who are opposed to a provision in the Senate version of the bill that would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program, apparently decided simply to not act on the legislation,” he wrote. “Bush and Republican Congressmen ripped the Democrats for their decision, saying that it places the country at greater risk of terrorist attack.”

I must admit I’m torn on the issue. On the one hand, we are in a war where a small band of radicals are hiding in the shadows, bent on unleashing more death and destruction, including the variety where nuclear and biological weapons may be used. There’s a reasonable argument to be made that wiretapping is a necessary evil to catch enemies who play by unconventional rules.

On the other hand, I have no doubt the Bush Administration has used the threat as an excuse to trample on our basic rights, stoking our fear to get public approval. It’s maddening to me when people are duped, by their fear, into giving the government carte blanche to invade any private space it wants in the name of security. That’s what the terrorists want, isn’t it?

Here’s what some bloggers have to say:

Phantom Lady, a conservative FISA bill supporter and keeper of the Frustrated Incorporated blog, ripped at Sen. Hillary Clinton for not showing up to vote on the issue, Sen. Barack Obama for voting against it (though she praised him for at least showing up to vote); and she praised Sen. John McCain for voting for it. In the entry, she uses this nugget from the Rush Limbaugh website:

“Congratulations to Senator McCain. He made sure he was there while fighting off this challenge from Governor Huckabee. He voted to preserve the powers of the intelligence agency in the executive branch to defend and protect this country. Also, hats off to Senator Obama. He showed up. He voted. He voted against it. In so doing, he demonstrated he is not fit to lead this country as commander-in-chief. He has voted against every reasonable authority that has come before him in the form of legislation in terms of intelligence and protecting this country. But at least Obama showed up. At least he voted. At least he told the country he’s incompetent.”

A blogger named Scarecrow took the opposite view in the Firedoglake blog, writing that House Democrats finally said enough and called George Bush’s bluff. “The President had threatened to leave the country in an intelligence blackout if Congress did not accede to his demands for sweeping warrantless surveillance and telecom immunity,” Scarecrow wrote. “But this time, for the first time, Democrats said, ‘we don’t believe you.’ That moment of courage may well define the fall campaign.”

Errington Thompson wrote in the Where’s the Outrage blog that the House has finally stood firm and that it’s confusing as to why the Senate bowed to the White House.

“Mr. Bush’s rhetoric is simply tiresome,” Thompson wrote. “The terrorists this and the terrorist that. Are we so lame that we can’t do anything without trying to figure out what the terrorists will do? Hell, don’t we need to be more worried about our own homegrown crazies?”

I realize this week’s topic runs astray of what I usually set out to do: write about the latest IT security issues and point to blogs where IT pros can go for guidance. But this is a case where telecoms are helping the government in what many consider an invasion of privacy. The reach of the telecoms stretches to practically every enterprise, and that’s where their IT shops face a potential security quandary.

A big part of IT security is about keeping hackers from breaking into company networks and accessing sensitive information. But what do you do when it’s the government breaking in, all in the name of national security?

Please share your thoughts on this one.


Surveillance law likely to expire

It now appears as though the Congress will allow the current extension to the controversial surveillance law to expire on Friday night rather than try to work out a compromise between separate bills passed by the House and Senate that would extend the legislation for several years. Democrats in the House, who are opposed to a provision in the Senate version of the bill that would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program, apparently decided simply to not act on the legislation. Bush and Republican Congressmen ripped the Democrats for their decision, saying that it places the country at greater risk of terrorist attack. From The Washington Post:

At a hastily convened press briefing on the South Lawn, Bush said he would delay his planned trip to Africa this weekend if he is needed in the capital to work on or sign a surveillance bill.

“I urge congressional leaders to let the will of the House and the American people prevail and vote on the Senate bill before adjourning for their recess,” Bush said. “Failure to act would harm our ability to monitor new terrorist activities and could re-open dangerous gaps in our intelligence.”

Though the Democrats have decided to leave for a week-long recess, there is still a slight chance that a compromise could be reached by party leaders. But for right now, it looks like the surveillance law is a dead issue.