Startups seek new ways to bolster enterprise, Web security

Demo Fall 2008: Established ideas get new twists to protect corporate data, user passwords, and even mobile phones

Welcome to Demo Fall 2008, where 72 young companies are vying for the attention of deal-hungry venture capitalists from North America, Europe, and Asia. With only six minutes to strut their stuff on stage, it's no surprise that the flashy, consumer-focused companies garner most of the attention.

But look closer. There's a strong contingent of startups displaying technologies that belong on the radar screen of the savvy IT manager, including a bevy of contenders sporting products and services to help IT plug data leaks, stamp out malicious applications, and protect mobile devices from theft.


The following caught our attention, based on first impressions.

A nuanced approach to whitelisting
CoreTrace, a company founded by veterans of U.S. Air Force security services, claims to turn anti-malware protection on its head. "When there were only a limited number of threats, it made sense to blacklist them," says Wes Miller, senior technical product manager for the Austin-based firm. "But now, there are too many, evolving too fast for that approach to work."

Instead, CoreTrace offers its new Bouncer software, which automatically creates a whitelist of Windows desktop applications that are deemed to be legitimate and blocks applications that aren't on the list. IT can modify and manage that whitelist.

Whitelisting is not a new idea, of course. CoreTrace claims that its technology is differentiated by what it calls "trusted change," in essence a rules-based approach that adds a good deal of flexibility to its shield. Administrators can decide that software from a "trusted" source -- Adobe, for example -- can be installed, or they can decide how much discretion to give employees who need to add applications or services to their client.

Tracking IT's every move
Speaking of trust, Unity Solutions is beta testing a product for companies that don't, well, trust their IT staffs. Its Lanxoma software grabs and stores a screen shot of every action taken by IT staffers as they work on sensitive systems. One drawback: Lanxoma runs on Windows-based systems only.

Keeping control over documents you distribute
Fortressware offers a product that lets companies maintain control over sensitive documents even when the files are shared with outsiders. Companies can use the software to block printing, copying, and forwarding of the files. Data protection travels with the bits in a "capsule" that contains the rules decided on by the originators of the document, in much the same way that movies and music contain digital rights restrictions. Launched earlier this week, the beta product will support Windows users; support for Macintosh, Linux, and mobile users may or may not be available. You can register to download it from Fortressware's Web site.

A password keychain for the Web
Usable Security Systems addresses the problem posed to users by the necessity of remembering passwords for a multitude of sites. When it debuts next year, the UsableLogin Service will let users use one password for any number of sites. (CEO Rachna Dhamija estimates that the average user has about 25 accounts and logs in about eight times a day.)

UsableLogin creates a verifier, which is equivalent to a strong, complex password, and is unique for each site. It does this by cryptographically combining the person's codeword with data from separate sources, including the computer the person is using and Usable Security's servers. Usable Security does not store or save the codeword. The service works at any Web site that accepts passwords and works with any desktop operating system or browser. Some mobile browsers are supported, but not those like the Apple iPhone's that do not support Adobe Flash. Because the verifier is associated with a specific computer, you cannot log in to sites from other computers or devices without associating them with UsableLogin and your account.
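The general idea described above, deriving a different verifier for each site from one codeword plus data held on the device and on a server, can be sketched as follows. This is an added example, not Usable Security's algorithm, which the article does not describe; the choice of PBKDF2 and HMAC-SHA-256, the function name, and the sample secrets are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample inputs (assumptions, not real product data).
DEVICE_A = b"constructed-device-secret-A"
DEVICE_B = b"constructed-device-secret-B"
SERVER_SHARE = b"constructed-server-share-for-account"


def site_verifier(codeword: str, device_secret: bytes, server_share: bytes,
                  site: str, length: int = 20) -> str:
    """Derive a per-site verifier. The codeword is used, never stored."""
    # Salt binds the derivation to this device and this account's server share,
    # so the same codeword on another machine yields unrelated verifiers.
    salt = hmac.new(server_share, device_secret, hashlib.sha256).digest()
    # A slow KDF stretches the short, human-memorable codeword.
    master = hashlib.pbkdf2_hmac("sha256", codeword.encode("utf-8"), salt, 100_000)
    # Domain separation: one master key, a distinct HMAC output per site name.
    label = b"site:" + site.strip().lower().encode("utf-8")
    tag = hmac.new(master, label, hashlib.sha256).digest()
    # Encode to printable characters acceptable in an ordinary password field.
    return base64.urlsafe_b64encode(tag).decode("ascii")[:length]


def demo() -> dict:
    """Show the properties the article attributes to the verifier."""
    codeword = "correct horse"  # constructed sample codeword
    return {
        "bank": site_verifier(codeword, DEVICE_A, SERVER_SHARE, "bank.example"),
        "mail": site_verifier(codeword, DEVICE_A, SERVER_SHARE, "mail.example"),
        "bank_other_device": site_verifier(codeword, DEVICE_B, SERVER_SHARE,
                                           "bank.example"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

A site that leaks its stored verifier exposes nothing usable at another site, and a stolen codeword alone is not enough without the device and server inputs.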

The stolen phone that fights back
Ever had your BlackBerry or similar device stolen? Not only are you out the hardware, but any data you've stored on it could be in the hands of a bad guy. And who knows what bills he may try to run up on it? Enter Maverick Mobile, with software designed to protect mobile devices running the Symbian, Windows Mobile, or BlackBerry operating systems. (Apple's iPhone is on the road map.)

It works like this: The user installs the application on the device and sets up a contact number for a separate mobile device. Should a thief attempt to replace the device's SIM card (which gives it a new ID in the eyes of the phone company, but not in Maverick's eyes), all data on the device is encrypted and thus made useless. The application also captures the phone number of the new SIM card and transmits it to the secondary device. If the SIM card is not swapped out, the rightful owner can retrieve the stored contacts and send a text message to his device that encrypts the data anyway -- and then sets off a shrieking alarm that can be silenced only by removing the battery.