RSA 2011 conference review

2011-04-01

Jeannette Jarvis

Independent researcher, USA
Editor: Helen Martin

Abstract

Jeannette Jarvis presents a round-up of the 20th annual RSA Conference.


The 20th annual RSA Conference was held at the San Francisco Moscone Center in February.

The RSA conference began exclusively as a cryptography conference, taking its name from the three founders of the RSA algorithm: Ron Rivest, Adi Shamir and Leonard Adleman. The theme of RSA 2011 was ‘The Adventures of Alice & Bob’. Rivest first used these fictitious characters in 1978 to help explain the complex process of encryption. Later, Bruce Schneier – another institution in the cryptography world – added further characters, such as Mallory the Malicious Attacker and Eve the Eavesdropper, to help less technical professionals get a grasp of this deeply technical topic. Cartoons depicting these characters were played for entertainment throughout the conference week.

While the theme of the conference always reflects the world of cryptography, the event itself has evolved into a very comprehensive forum discussing the latest in security technologies, research, forensics, policies and regulations, trends, best practices, business concerns, and much more.

RSA generally attracts more than 12,000 attendees from around the world – delegates can choose between 14 presentation tracks, with over 250 speakers throughout the week. In keeping with the times, ‘Cloud Security’ was a new track added this year.

An exhibition runs alongside the conference, with over 330 exhibitors representing software, hardware, consulting, government and non-profit organizations.

The event also offers several keynote talks (17 this year) – many of which are given by representatives of the companies sponsoring the event.

The keynotes

In a talk entitled ‘Collective Defense: Collaborating to Create a Safer Internet’, Microsoft’s Trustworthy Computing Corporate Vice President, Scott Charney, suggested that we apply public health models to the Internet. The worldwide health community has a solid programme in place for educating about health risks, coordinating efforts to detect diseases and vaccinations to prevent diseases, and an international structure to respond when outbreaks occur. The application of such a model to Internet health would have enormous benefits, but would require sustained local and international collaboration.

Charney also focused on identity management. A shared and integrated domain creates huge problems when people and their activities are mingled. Anything we’ve ever done on the Internet is recordable and findable. Identity management is critical. We must build trusted stacks with strong identity management systems. As the threat world evolves, Microsoft continues to revise its Security Development Lifecycle (SDL).

RSA would not have been complete without hearing more about Stuxnet. And who better to offer that information than Symantec’s President and CEO, Enrique Salem.

Symantec played a crucial role in the identification and analysis of Stuxnet. The worm exploited four zero-day vulnerabilities, and Symantec helped uncover three of them. The threat has moved the game from espionage to sabotage and used the first rule of the art of war: deception. Salem noted that we’ve been expecting this sort of sophisticated, elaborate attack for many years. Now it is here and it is more sophisticated, dangerous and prevalent than anything we have seen before.

While SCADA attacks are not new, they are a threat to our economy, prosperity and our lives. We now know what is possible. More targeted attacks are coming, with the most dangerous ones targeting critical infrastructure. Salem noted that every day there are over two million different attacks and it takes skill to figure out which are real threats and which can safely be afforded less attention.

Dr Michio Kaku provided delegates with an enlightening presentation on the future of computers. Some of the advancements he predicts are cars driving themselves, and a home office in your glasses (or contact lenses) – blink and you go online!

Dr Kaku predicts that in 10 years’ time we will be able to identify people’s faces, know their biographies and translate their languages, all with a pair of smart glasses. According to Kaku, our clothing will contain all our medical records and particles in our homes will be able to diagnose health issues. Ultimately, he indicated, the augmented reality we see in movies like The Terminator will be in our own reality very soon.

With the amount of personal information being added to the Internet there will be more headaches for those working in security. (And can you imagine the opportunity for exploits?) Kaku also believes that Silicon Valley will become a rust belt by 2020 due to overheating and quantum leakage – the two problems facing Moore’s Law today. ‘Moore’s law will flatten out until physics can create quantum computers.’

Another popular keynote was ‘The Murder Room: Breaking the Coldest Cases’, presented by Michael Capuzzo, author of the book The Murder Room. Capuzzo discussed the crime-fighting Vidocq Society, along with two of its members: Bill Fleisher, a private investigator and former FBI agent, and Richard Walter, a forensic psychologist, who many consider to be the living Sherlock Holmes.

The Vidocq Society consists of forensic investigators, prosecutors, medical examiners, police officers, attorneys, and the world’s most successful detectives whose sole purpose is to solve cold-case murders. They are experts at decrypting crime scenes and mining data. These retired professionals use the skills they gained throughout their careers for the greater good. All their work is pro bono, with the belief that ‘virtue is its own reward’.

The Society’s success is due to having founded a network of the best of the best in criminal investigations. These are brilliant people who study invisible links, put puzzles together, keep track of what could seem like meaningless files, look for patterns, and think about the psychology of what motivates criminals. Their work closely maps to the anti-malware industry’s search for the bad guys on the Internet. Parallels exist in how the bad guys hide, their motives, and how they try to conceal their guilt. In fact, the Vidocq Society has been enlisted to create a system that uses the same subtypes employed in murder investigations to evaluate Internet stalking and other cybercrimes. They’ve been able to determine that, within 3.8 years, a fantasy-driven stalker will move from stalking on the Internet to attempting to kill the victim. As the Vidocq Society transfers its expertise to the cyber world, we should expect to hear more from them.

A panel entitled ‘Cyberwar, Cybersecurity, and the Challenges Ahead’ was led by James Lewis of the Center for Strategic and International Studies, with panel members: Michael Chertoff, Former United States Secretary of Homeland Security; Mike McConnell, Booz Allen Hamilton; and Bruce Schneier, BT.

The panel was asked why there is so much attention on cyber war. Schneier indicated that categorizing something as a ‘war’ is sexier than categorizing it as a cyber attack – it’s what sells and allows for bigger budgets. Overstating the threat is a good way to get people scared. These are big terms, and useful if you want to set up a cyber command. The panel’s consensus was that we are not engaged in cyber war – at risk of it, yes, but the situation now, while uncomfortable and dangerous, is not war.

The Russian denial of service attack against Georgia was brought up as an example of where we have observed an aspect of cyber war. Terrorists could be sophisticated enough to destroy major systems – when we are facing an attack, or one is under way, what can our governments do? We must create policies and procedures in advance.

With the entire globe riding on the same Internet infrastructure we need to have better layers of defence. It was unanimously agreed that the solution was not a technology fix, but a framework model. Better legal and international policy is required, with a framework of rules, norms and laws.

We need more discussion, agreement, and treaties between nations. More countries need to talk with and trust each other so we can better deal with the cyber concerns together.

Arguably the most popular keynote was given by the former United States President, and founder of the William J. Clinton Foundation, Bill Clinton.

President Clinton is a very passionate speaker who talked about the challenges surrounding globalization and our interdependence on programs that do not focus on our core values. He spoke about the need to save our resources and focus on green technology to lessen our dependence on foreign oil.

Clinton said: ‘Throughout history, everything that has value is subject to being stolen or altered. Everyone in cyber security is like a modern day cop on a beat. You are dealing with human nature and an inevitable tendency to try to take advantage of whatever the latest object of value is.’

He also focused on the need to ensure that, as we invent new technologies, we have government policies in place and do our best to not repeat mistakes of the past.

Innovation Sandbox

The ‘Innovation Sandbox’ is a forum in which new companies showcase their technologies and compete for the title of ‘Most Innovative Company’. Invincea took home the 2011 title for its fully virtualized browser and PDF reader that seamlessly runs a virtual environment separately from the desktop operating system. This protects users against web-borne and PDF-embedded threats.

Highlights from the track sessions

With so many talks to choose from, I decided to attend as many anti-malware industry presentations as I could.

Under ‘Hot Topics’ I found a panel entitled ‘The Digital Apocalypse: Fact or Fiction?’, which was moderated by John Pescatore of Gartner, with panellists: Dmitri Alperovitch, McAfee; Bob Dix, Juniper Networks; Mike Echols, Salt River Project; and Justin Peavey, Omegeo.

Key takeaways were that targeted attacks are politically motivated and are not sophisticated. Attacks are focused on integrity and availability, not on confidentiality, with the integrity attacks the most concerning. ‘An APT attacker wants you like a dog with a bone. It doesn’t matter how long it takes, they will keep trying.’

Another panel also proved interesting: ‘Breaking News! Up to the Minute Hacking Threats’ was moderated by investigative journalist Brian Krebs, with panellists: Eric Chien, Symantec; Wade Baker, Verizon Business; and Jeremiah Grossman, WhiteHat Security.

Grossman predicted that in 2012 every website will be vulnerable. Verizon has noted an upswing in customized malware and that organizations are simply not patching. Add that to the rise in zero-day threats and it is not a pretty picture. Today there is more visibility of new vulnerabilities, which helps to get the problems fixed sooner – software companies are generally providing fixes for vulnerabilities faster – but end-users are not installing them in a timely manner.

Krebs indicated that he is underwhelmed by mobile threats. New malware for Android is being seen at a rate of about one per week, but he predicted that Windows Phone 7 will become a bigger target. Further discussion centred on browser security, with panellists asserting that if the browser is not secure, the web is not secure – and that innovation must focus on increasing browser security.

Kaspersky’s Roel Schouwenberg presented a paper entitled ‘Adobe – Evaluating the World’s Number One Most Exploited Software’. He reported that in 2010 Q1, 48% of exploits used PDFs. Although the number of exploits using PDFs decreased throughout the rest of 2010, Adobe’s model to protect against persistent threats is not good enough. Adobe needs to force updates by changing to an auto-update model similar to that of Google Chrome where it is not possible to opt out. Schouwenberg applauded Microsoft as a ‘thought leader’. As the company has become more security-focused and its products more locked down, the bad guys have looked for other opportunities. Schouwenberg predicts that 2011 will be the year of Java – which has a big market and therefore will continue to be a big target.

‘The X Factor – Moving Threat Protection from Content to Context’ was a discussion moderated by Ambika Gadre of Cisco Systems, with panel members Mary Landesman, Cisco Systems, and Patrick Peterson, Authentication Metrics and Cisco Systems.

Spam volumes dropped dramatically in 2010 due to concerted botnet takedown efforts throughout the year. However, spam volume does not equate to risk level. A decrease in spam does not mean there is less risk of malicious email. (It doesn’t mean there is more risk either – risk stays about the same.) For example, December 2010 was the lowest point in terms of spam volume, yet a very successful attack was carried out against .gov and .mil workers via an email disguised as a greeting card from the White House. The email contained a link to view the greeting card, which actually led to a variant of the Zeus trojan. This particular variant harvested .PDF, .DOC and .XLS files from victim computers. In the short time the attack was live, attackers managed to accrue a few gigabytes’ worth of stolen data.

Over the last ten years, malware has evolved from being prank-driven to being profit-motivated. In the next ten years, we are likely to see more malware used as a sabotage tool for political and global economic gain.

We cannot afford to approach the problem passively. An active approach is required by all, including deep analysis of system logs and having the expertise to spot suspicious behaviour and deal with it appropriately.

The bad guys are looking for interesting people and have the ability to customize their attacks accordingly. End-users should understand how to recognize and report suspicious behaviour, whether encountered via email or on the web. Administrators should ensure they are providing active forensic analysis of their systems and that there are processes in place that empower security teams to take appropriate and timely action.

The ‘Advanced Persistent Threats: War Stories from the Front Lines’ panel was moderated by McAfee’s Dmitri Alperovitch, with panel members: Heather Adkins, Google; George Kurtz, McAfee; Kevin Mandia, MANDIANT; and Adam Meyers, SRA International.

The threats we see today are not always advanced, but they are persistent. Mandia commented that simply labelling an attack ‘APT’ seems to get security professionals off the hook for not stopping it pre-attack. He also indicated that law firms and healthcare organizations appear to be the sectors that are least well prepared for these targeted attacks. Kurtz asserted that all major organizations currently have a hacker on their network and that it isn’t hard to get past layer 8 (humans).

The panel recommended that IT officers create a social footprint of their executives and see who is trying to profile them and accessing their information. Who is pulling down their bios? Their whitepapers? This will provide an indication of who is being targeted, as well as who is doing the attacking. It is about behaviour detection – not just malware detection. Mandia commented that hackers are not targeting operating systems, but people. These people just happen to be using Windows.

Companies need to implement DHCP, DNS and web access logging. Whole packet capture is not always optimal, but logging and analysis of activity – both coming and going – must be provided. User involvement and user education is also critical.

Mikko Hyppönen, F-Secure’s Chief Research Officer, presented a compelling talk, the highlight of which was the world premiere of a video documenting Mikko’s recent trip to Pakistan to meet the authors of Brain, the first PC virus, on the 25th anniversary of its release. The authors of the virus, brothers Basit and Amjad Alvi, had posted their names and address within the code, and Mikko found that they were still operating a (legitimate) business from the same address today.

Brain was not intended to destroy data, and the brothers said that they regret seeing the destructive behaviour of today’s malware. However, they said they believe that someone else would have written the first virus, had it not been them.

Concluding remarks

I could go on describing more presentations and keynotes but there simply isn’t enough room for all the content.

RSA is by far the best networking event across the security industry. Its attendees are a veritable Who’s Who in the worldwide security community. You’ll find everything from pre-conference training, deep technical content, peer-to-peer sessions and alliance summits, to working group meetings, professional development seminars, executive forums, and so much more. There is something here for everyone, including far too many social events that will have you hopping from one event to another every night. This is truly a conference not to be missed.
