January 30, 2016

Norse Corp., a Foster City, Calif. based cybersecurity firm that has attracted much attention from the news media and investors alike this past year, fired its chief executive officer this week amid a major shakeup that could spell the end of the company. The move comes just weeks after the company laid off almost 30 percent of its staff.

Sources close to the matter say Norse CEO Sam Glines was asked to step down by the company’s board of directors, with board member Howard Bain stepping in as interim CEO. Those sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.

A snapshot of Norse’s semi-live attack map.

Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation. Bain could not be immediately reached for comment.

Two sources at Norse said the company’s assets will be merged with Irvine, Ca. based networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story.

Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.”

Original story: The pink slips that Norse issued just after New Year’s Day may have come as a shock to many employees, but perhaps the layoffs shouldn’t have been much of a surprise: A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles.

EYE CANDY

In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.

Norse says the data that feeds its online attack map come from a network of more than eight million online “sensors” — honeypot systems that the company has strategically installed at Internet properties in 47 countries around the globe to attract and record malicious and suspicious Internet traffic.

According to the company’s marketing literature, Norse’s sensors are designed to mimic a broad range of computer systems. For example, they might pretend to be a Web server when an automated attack or bot scans the system looking for Web server vulnerabilities. In other cases, those sensors might watch for Internet attack traffic that would typically only be seen by very specific machines, such as devices that manage complex manufacturing systems, power plants or other industrial control systems.

Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.

UP IN SMOKE(S)

Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen did not respond to multiple requests for comment.

This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public.

Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.

The founders of Norse Corp. got their start in 1998 with a company called Cyco.net (pronounced “psycho”). According to a press release issued at the time, “Cyco.net was a New Mexico based firm established to develop a network of cyber companies.”

“This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet,” said Richard Urrea, Cyco’s CEO, in a bizarre explanation of the company’s intentions. “This format has proven itself by providing Time Warner with over a billion dollars of ad revenue annually. That, combined with the CYCO.NET’s e-commerce and various affiliations, such as Amazon.com, could amount to three times that figure. Not a portal like Yahoo, the CYCO.NET will serve as the launch pad to rocket the Internet surfer into the deepest reaches of cyberspace.”

In 2003, Cyco.net acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.

The Orion acquisition reportedly came with $20 million in financing from a private equity firm called Cornell Capital Partners LP, which listed itself as a Cayman Islands exempt limited partnership whose business address was in Jersey City, NJ.

Cornell later changed its name to Yorkville Advisors, an entity that became the subject of an investigation by the U.S. Securities and Exchange Commission (SEC) and a subsequent lawsuit in which the company was accused of reporting “false and inflated values.”

Despite claims that Cyco.net was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and falsely advertising cigarettes as tax-free.

COPYRIGHT COPS

In 2005, Cyco.net changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.

“We are very excited that the transition from our old name and identity is now complete, and we can start to formally reposition our Company under the new brand name of Nexicon,” Urrea said. “After the divestiture of our former B2C company in 2003, we have laid the foundation for our new business model, offering all-in-one or issue-specific B2B management solutions for the billing, network control, and security industries.”

In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.

In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign Youtube.com and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and its stock price plummeted.

In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.

By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.

Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria.

THE MAN BEHIND THE CURTAIN

By 2014, Norse was throwing lavish parties at top Internet security conferences and luring dozens of smart security experts away from other firms. Among them was Mary Landesman, formerly a senior security researcher at Cisco Systems. Landesman said Norse had recently hired many of her friends in the cybersecurity business and had developed such a buzz in the industry that she recruited her son to come work alongside her at the company.

As a senior data scientist at Norse, Landesman’s job was to discover useful and interesting patterns in the real-time attack data that drove the company’s “cyber threat intelligence” offerings (including its eye candy online attack map referenced at the beginning of this story). By this time, former employees say Norse’s systems were collecting a whopping 140 terabytes of Internet attack and traffic data per day. To put that in perspective, a single terabyte can hold approximately 1,000 copies of the Encyclopedia Britannica. The entire printed collection of the U.S. Library of Congress would take up about ten terabytes.

Landesman said she wasn’t actually given access to all that data until the fall of 2015 — seven months after being hired as Norse’s chief data scientist — and that when she got the chance to dig into it, she was disappointed: The information appeared to be little more than what one might glean from a Web server log — albeit millions of them around the world.

“The data isn’t great, and it’s pretty much the same thing as if you looked at Web server logs that had automated crawlers and scanning tools hitting it constantly,” Landesman said in an interview with KrebsOnSecurity. “But if you know how to look at it and bring in a bunch of third-party data and tools, the data is not without its merits, if not just based on the sheer size of it.”

Landesman and other current and former Norse employees said very few people at the company were permitted to see how Norse collected its sensor data, and that Norse founder Stiansen jealously guarded access to the back-end systems that gathered the information.

“With this latest round of layoffs, if Tommy got hit by a bus tomorrow I don’t think there would be a single person in the company left who understands how the whole thing works,” said one former employee at Norse who spoke on condition of anonymity.

SHOW ME THE DATA

Stuart McClure, president and founder of the cybersecurity firm Cylance, said he found out just how reluctant Stiansen could be to share Norse data when he visited Stiansen and the company’s offices in Northern California in late 2014. McClure said he went there to discuss collaborating with Norse on two upcoming reports: One examining Iran’s cyber warfare capabilities, and another about exactly who was responsible for the massive Nov. 2014 cyber attack on Sony Pictures Entertainment.

The FBI had already attributed the attack to North Korean hackers. But McClure was intrigued after Stiansen confidentially shared that Norse had reached a vastly different conclusion than the FBI: Norse had data suggesting the attack on Sony was the work of disgruntled former employees.

McClure said he recalls listening to Stiansen ramble on for hours about Norse’s suspicions and simultaneously dodging direct questions about how it had reached the conclusion that the Sony attack was an inside job.

“I just kept going back to them and said, ‘Tommy, show me the data.’ We wanted to work with them, but when they couldn’t or wouldn’t produce any data or facts to substantiate their work, we couldn’t proceed.”

After that experience, McClure said he decided not to work with Norse on either the Sony report or the Iran investigation. Cylance ended up releasing its own report on Iran’s cyber capabilities; that analysis — dubbed “Operation Cleaver” (PDF) — was later tacitly acknowledged in a confidential report by the FBI.

Conversely, Norse’s take on Iran’s cyber prowess (PDF) was trounced by critics as a deeply biased, headline-grabbing report. It came near the height of international negotiations over lifting nuclear sanctions against Iran, and Norse had teamed up with the American Enterprise Institute, a conservative think tank that has traditionally taken a hard line against threats or potential threats to the United States.

In its report, Norse said it saw a half-million attacks on industrial control systems by Iran in the previous 24 months — a 115 percent increase in attacks. But in a scathing analysis of Norse’s findings, critical infrastructure security expert Robert M. Lee said Norse’s claim of industrial control systems being attacked and implying it was definitively the Iranian government was disingenuous at best. Lee said he obtained an advance copy of an earlier version of the report that was shared with unclassified government and private industry channels, and that the data in the report simply did not support its conclusions.

“The systems in question are fake systems….and the data obtained cannot be accurately used for attribution,” Lee wrote of Norse’s sensor network. “In essence, Norse identified scans from Iranian Internet locations against fake systems and announced them as attacks on industrial control systems by a foreign government. The Norse report’s claims of attacks on industrial control systems is wrong. The data is misleading. The attention it gained is damaging. And even though a real threat is identified it is done in a way that only damages national cybersecurity.”

FROM SMOKES TO SMOKE & MIRRORS?

KrebsOnSecurity interviewed almost a dozen current and former employees at Norse, as well as several outside investors who said they considered buying the firm. None but Landesman would speak on the record. Most said Norse’s data — the core of its offering — was solid, if prematurely marketed as a way to help banks and others detect and deflect cyber attacks.

“I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data. If you think about the network they built, that’s a lot of power.”

On Jan. 4, 2016, Landesman learned she and roughly two dozen other colleagues at Norse were being let go. The data scientist said she vetted Norse’s founders prior to joining the firm, but that it wasn’t until she was fired at the beginning of 2016 that she started doing deeper research into the company’s founders.

“I realized that, oh crap, I think this is a scam,” Landesman said. “They’re trying to draw this out and tap into whatever the buzzwords du jour there are, and have a product that’s going to meet that and suck in new investors.”

Calls to Norse investor KPMG International went unreturned. An outside PR firm for KPMG listed on the press release about the original $11.4 million funding for Norse referred my inquiry to a woman running an outside PR firm for Norse, who declined to talk on the record because she said she wasn’t sure whether her firm was still representing the tech company.

“These shell companies formed by [the company’s founders] bilked investors,” Landesman said. “Had anyone gone and investigated any of these partnerships they were espousing as being the next big thing, they would have realized this was all smoke and mirrors.”


206 thoughts on “Sources: Security Firm Norse Corp. Imploding”

  1. Buzz

    Yes, that map is most definitely eye-candy. We had it up on a monitor to impress the ‘VIP’s’ that come through.

    It’s still showing all of the stuff it always has…

    http://map.norsecorp.com/

    1. SecurityPro2704

      You know I often wondered if the “information” on the map was even real.

      It just seemed too perfect. It looked pretty and all and I’ll admit I was impressed when I saw it for the first time on a NOC control room that I visited, but I was concerned about the true accuracy of the information.

      Heck that “real-time” map could have been generated just the same from a database of information that was stored and just looped over and over. No one looking at it would ever know the difference.

  2. Anthony M. Freed

    Norse came to market with an unparalleled world-wide data collecting network on par with a tier 1 ISP which supported millions of emulations that looked like attractive targets to adversaries. The problem is in my opinion they never quite developed the ability to pan through the as much as 140 terabytes of data a day they collected and then distill it into actionable threat intelligence that would prove valuable to paying customers. The potential was there, but the maturity factor in product development was not.

    But that is not what ultimately spurred the demise of Norse.

    The leadership at Norse – specifically the CEO and CTO – embarked on a comedy of errors in late 2014 when trying to get some press from the Sony breach, and they continued to make mistake after mistake right up to the end. The CTO came to the marketing department absolutely convinced he had uncovered the Sony hackers – insiders who were disgruntled after layoffs. On his word alone the team engaged the media aggressively with the honest intention to demonstrate the power of the Norse network. When the time came to pony up the evidence, the CTO and CEO turned tail and left the SVP of marketing and the rest of the team dangling in the wind, looking like overzealous fools peddling snake oil. This was completely unfair and beyond irksome.

    The next mistake was the TLP briefing released to the intelligence community and others. It was factually unsubstantiated, full of spelling and grammatical errors, and was not even close to being on par with any serious intelligence report. The larger Pistachio Harvest report conducted with AEI was even worse, and amounted to nothing more than wild speculation backed up by even wilder imaginations. To their credit, the portions of the report AEI were responsible for were the only credible elements therein. Worse yet, I had arranged a briefing by Robert M. Lee with the CEO and CTO following the release of the TLP and begged them to let Rob provide feedback on Pistachio prior to its release. They declined without even a “thanks for the offer,” and that’s when I knew I needed to get out – even though it took several more months before I found a quality company that was a good fit.

    In the end I would chalk the failure of Norse up to immense hubris on the part of the CEO and CTO. They believed Norse was a special child, somehow touched by angels, and that they could do no wrong. They wanted Norse to be FireEye so badly they would stop at almost nothing to get on the front page of the New York Times and Fortune. They were reckless and did not manage the company’s funds well, spending on lavish parties, catered meals in the office daily, and flashy attempts to garner attention like renting a bunch of really expensive sports cars covered with Norse logos and driving them up and down the coast of California.

    Someone should write a case study on Norse as the “how not to build a startup into a successful company.”

    1. Adrian Sanabria

      WOW, Anthony, thanks for sharing your experiences! The most spectacular corporate failures can easily be transformed into important lessons for the industry – all we need are people brave enough to tell the honest story as they know it. This goes for corporate screw-ups just as much as it goes for security breaches.

      1. Anthony M. Freed

        Thanks Adrian. Normally I try not to inject myself into the news and maintain some neutrality but so many people reached out to me since Brian published this piece that I felt I had to offer some perspective from a former insider.

        Norse was and remains a painful but short chapter in my career, but I want to emphasize that there were some really talented people there across the organization, and they all deserve soft landings at viable companies.

        Everyone – please don’t hesitate to give them an interview for a key position because of their former association with Norse, as we were all victims of bad management at what could have been a great and unique undertaking.

    2. Teksquisite

      Wow Anthony = that certainly put major icing on the cake. I think they should sell their ASSets and pay all the employees their Q4 bonuses and commissions. . .

    3. CooloutAC

      I agree, I don’t believe the data was fake. Long story short they didn’t know how to capitalize on it. It’s the same thing with fair play and e-sports in online gaming. It’s very hard to make money with.

      The whole security industry is like a con game anyways, because there really is no security. The wolves guard the henhouse and the whole infrastructure is riddled with holes. So the only way to be secure is to stop certain activities that make us vulnerable. These security guys like to say the user is the insecurity, well then they are the ones who can secure their systems by themselves and security pros would not be needed if true.

      So the security professionals that make the most money are the ones that are best at bs’n their clients. It’s becoming the theme of our society in every industry. Money doesn’t talk and make the bs walk, the bs makes the money. Nothing was learned from Enron or the housing bubble it seems. Too much politics.

      I don’t consider acting like a criminal hacker and exploiting systems security. Especially without consent. You are not a white hat!! What really needs to happen is more sharing of knowledge and computer education for society. Not the exploitation of them for bragging rights.

      Like I said though when North Korea went black, I felt Sony networks themselves were involved because I was looking at the Norse map and it’s the only time I saw them flashing all over the screen lmao.

      1. Anthony M. Freed

        A common misunderstanding about the Norse map is that it was showing real attacks against real targets in real time – the fact is that the map merely showed “attacks” including port scans against the Norse infrastructure which included around 7-8 million (from what I was told by superiors at Norse) emulations that looked like anything from a nanny-cam to a bank or hospital network. At no time could you see any “attacks” against any “targets” that were not deployed and controlled by Norse. Of course, the notion that one might think that activity aimed at the Seattle area while a DDoS against XBoxLive was occurring or similar was never discouraged because the illusion worked to the company’s advantage for added visibility. That said, the company did provide some customers with custom maps that displayed their own infrastructure for use in SOCs, and those would show real “attacks” against real “targets.”

    1. Jenko Hwong

      For the record, the above was not posted by me. Whichever ex-employee is using my name, grow some balls and put your name next to your opinion.

      Jenko Hwong

  3. Priviam

    Testing to see if this is the word you are holding for review… priviam. If so doesn’t not look good for you the truth can’t be told in this.

    1. Retractcorrect

      Nexicon was never acquired. A product named NexiOne was acquired. I’ve been trying to post this but something keeps stopping it for moderation and somehow they aren’t getting approved. So let’s see if this factual statement gets through.

      1. Retractcorrect

        Hmmm. The plot thickens. AND now you’re also telling us Tommy and Sam are time travelers? Cause that’s the only way they could have gotten their start at a company they were never involved with back then. And Sam somehow has shell companies he’s never heard of? This whole article is a reach and quite frankly sloppy. The smart people who know how disgruntled ex employees and fame seeking bloggers are will read through all this and know the truth.

  4. Teksquisite

    I’ve got a secret!
    What’s my line?
    To Tell the Truth: “Will the real [incognito] please stand up”?

  5. pleasestop

    This is just so sad for ALL those affected. Please there are others who are still trying to feed their children. Please all of you stop. Just stop this nonsense please.

  6. Nothing New Enron

    this is nothing new…reminds me of enron

    so is big data just a scam … threat intelligence etc from big data. is this the new flavor for the past few years…cloud then big data then what so people can invest in empty promises

  7. LittleGuy

    It’s interesting that Norse previously placed #4 on the Cyber Security Ventures top 500 list. They have now been removed from the list, silently.
    The #1 spot is taken by your old friends Root9B.

    I’ve heard from a number of people the reason for these companies ranking so well, despite a long standing poor reputation within the industry, is as they paid to be ranked highly.

  8. NotMe

    What makes the reporting awesome is the story that continues in the comments. Krebs is always a great read, but this time I have to thank all the people who had the grist to comment using their personal insight. Thank-you all for the informative read.

  9. OwlB

    When Norse claimed to have better intel than the FBI and NSA on Sony, that should have been a sign they were full of it for anyone not in a tinfoil hat. Too bad. There was a lot of work that was really good but now is suspect because of the Norse claims that were really bad. #sorryimnotsorry

  10. healthyskeptick

    The business wire states:

    “A Securities and Exchange (SEC) filing on the first organization meeting for the Board of Directors of Cyco.net, dated April 1, 1999 provides the following information…”

    April 1st.

    Serendipity?
