Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:21 PM
Connect Directly

Security Firm Strikes Back At Cenzic Patent Lawsuit Threat

NT Objectives files suit challenging claims it infringed on Cenzic's patent for "fault injection methods," security experts gathering proof of prior art

Cenzic is back on the legal warpath with another patent infringement lawsuit filed against a security company over Cenzic's patented "fault injection methods" technology. But this time the target of the lawsuit is challenging the validity of the patent.

NT Objectives, a small Web application scanning vendor, on Feb. 14 filed a lawsuit in the U.S. District Court in the Central District of California for a declaratory judgment of noninfringement, calling the patent invalid and unenforceable after Cenzic threatened litigation. Cenzic claims its patent, awarded in 2007, gives it exclusive rights to use the technology, and that after making "good faith attempts to resolve issues amicably" with NT Objectives, it decided to file a lawsuit late last week.

This isn't the first time Cenzic has sued a security firm over the use of this Web application vulnerability scanning technology: In August 2007, Cenzic filed a patent infringement suit against SPI Dyamics, which HP was in the process of acquiring. The suit put Web application security vendors and penetration testers on alert, and several hackers associated with the sla.ckers.org site demonstrated their displeasure with the patent at the time by exposing cross-site scripting flaws in Cenzic's website. HP later settled with Cenzic by signing a cross-licensing agreement. IBM also signed such an agreement nearly two years later with Cenzic.

At the heart of the Cenzic patent dispute is the so-called "prior art": Security experts argue that there are already some fault-injection tools that were released in the 2000-2001 time frame, well before Cenzic first filed for its patent, which would basically render the so-called Patent 232 moot. And critics say the patent is far too broad, covering the day-to-day tasks of most security scanners, penetration testing tools, and even that of the penetration testers themselves.

Neither Cenzic nor NT Objectives would comment on the cases, but some security researchers have begun rallying behind NT Objectives. A site called Stop Cenzic 232 Patent has been launched, and its author is calling for a Month of Prior Art on the technology at issue in the patent that will begin on April 1.

"Now this patent is of no concern if they used the patent 'defensively,' but Cenzic has chosen to go around chasing companies that create Web scanners for licensing money using this broad and unfortunately granted patent," blogged Enrique Sanchez Montellano.

Mantellano lists several products that could also be subject to Cenzic's patent claims because they employ the same method of injection, including Rapid7 Nexpose, Nessus, eEye Retia, McAfee Foundscan, nCircle Suite360, Qualys, Metasploit, Core Impact, and Burp Proxy.

According to a penetration tester familiar with the case and who requested anonymity, the way the patent is written, it could even apply to SQL injection and cross-site scripting attacks or pen tests. It could apply to any products that execute these techniques for bypassing normal security routines. "Even when I do this manually -- it would apply. So as a pen tester, I couldn't do that" according to the lawsuit, the source says.

Alan Shimel, CEO of The CISO Group, says he has heard from sources that Cenzic is "looking for seven figures" from NT Objectives.

"Initially, it looked like Cenzic was using the patent defensively. But now they are using it offensively," Shimel says. "This is just a lousy patent. There's a lot of prior art that should have been looked at before it was granted."

Meanwhile, among the Cenzic employees named in the patent when it was filed in 2002 include Greg Hoglund, founder and CEO of HBGary, whose company was targeted by the Anonymous hacking group.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...