Walking the Floor at RSA Conference 2014

http://www.rsaconference.com/events/us14 This years RSA computer security conference event at the Muscone Center in San Fransisco California seemed even bigger than last year.  Walking the entire vendor floor can easily take more than a day since you will undoubtedly be distracted by assertive booth staff on your journey in the carnival like atmosphere.

Walking down the endless isles, it’s easy to get the feeling that security comes in a box, blue boxes, orange boxes, purple boxes.  But there are so many boxes, which box is the box that’s going to solve my security problem?  I can hear Dr. Seuss ringing in my head, “security, it doesn’t come in boxes or bags, it doesn’t come with ribbons or tags…”.  Much is we love to hate vendors we certainly do need them and their products.  RSA is clearly one of the largest security spectacles I have ever witnessed and I think that’s just the way RSA likes it.  I gathered a few photo’s on my journey of the vendor floor I thought I would share.

My first stop was the National Security Agency (NSA).  I was surprised with the recent press around the agency they decided to show up.  I was even more surprised to see such a large presence.  It’s difficult to tell from the photo but the circular banner must be 40 ft in diameter (approximately 12 meters).

Incidentally, last year I stopped by the NSA booth and I was admiring their Enigma machine (photo on right).  I ran into Professor Dan Boneh who leads Stanford’s Computer Science and Electrical Engineering departments.  I know Dan from the yearly security and privacy workshops he hosts.  Dan had someone else with him and asked me if I’d like to meet Ron Rivest.  I said, “Ron Rivest, like the R in RSA?  He said, “Yes, that Rivest”.  (Squirrel moment)  I forgot all about the Enigma machine and spoke with Dan Boneh and Ron Rivest for awhile.  When our conversation was over, I moved on, forgetting about the machine.  This year, the Enigma was back, and I took some time to have a good look.

The NSA employee I was speaking with works in the NSA’s history museum.  The Enigma is museum property and is an original used in the war but the wooden case is a replica.  While we were discussing details of the machine, someone passed behind me on the floor and shouted a loud, “boo”.  I didn’t notice any reaction from the NSA employee so I tried to lighten the moment and said, “I bet you receive reactions all the time like that working in the museum”.  I think it’s a tough time to be an NSA employee at the moment and I’m sure NSA booth duty at the conference was not easy this year.

In addition to the NSA, the Federal Bureau of Investigations (FBI) had a booth at the conference.  I had a conversation with one of the agents to discuss processes for working with authorities on cyber crimes.  For anyone curious, FBI manages relationships for cyber security to the private sector through an organization called InfraGard.  InfraGard is not a branch of the FBI or government but they can place you in contact with proper law enforcement authorities if you suspect a computer crime.  For corporations, most concerns are usually escalated either through or in conjunction with company Legal staff.  Exercise some good judgement, InfraGard and the FBI are busy.  Don’t expect them to unleash the packet sniffing blood hounds for your Mom’s infected PC.  On the other hand, if you suspect significant cyber crime has occurred InfraGard is a resource to place you in contact with proper authorities.  In the past, I attended several meetings of InfraGard’s Austin Texas chapter but never decided to join.  I was a slightly too paranoid for such associations in my earlier days. 

Continuing my journey, I came upon Bit9’s booth and Richard Clark was speaking on security.  I wondered how many in the audience knew Richard Clark and how many were just standing there because everyone else was standing there.  I met Richard Clark several years ago in Washington DC just after he published his Scorpion’s Gate book.  I’m like a security Forest Gump, a case of being in the right place at the right time.  Richard Clark has been speaking at vendor engagements on these conference circuits for awhile.

Next, I ran into Shape Security and Michael Coates.  Michael is also the OWASP President.  Ok, see the good looking guy on the right?  That’s not me, I’m the guy on the left.  Right is Michael.  Michael and I talked for awhile and he helped me understand how Shape technology works.  Keep your eye on Shape Security.  It looks like promising technology.

Prior to Shape Security, Michael lead security for Mozilla Project and the Firefox browser.  We’ve definitely had a few lively security discussions over the last couple of years.  Last year, Michael helped me launch our very first security track at Oracle’s JavaOne developer’s conference – Securing Java.

On the left, I met with a dear colleague I have known for some time.  Only after I softened him up with some conversation did he agree to let me post his picture.  He would be grumpy if I shared much more.  This person is the quintessential security hacker, leather hat, pony tail, sandals, and plays the harmonica – very well I might add.  I own a harmonica but I am prohibited from practicing within the city limits.
 
Thanks to my manager, Donald Smith, and Oracle staff for your support.  Security is always pulling the fire alarms with last minute requests.  Thanks to the many security leaders who shared their time and conversations with me at the event.

–Milton

RSA Security Conference USA 2014

http://www.rsaconference.com/events/us14 Next week, February, 24-28, 2014 is the big RSA conference in San Fransisco California.  I was not originally planning to attend the event.  Frankly, I didn’t see any business benefit for me.  About 1.5 months prior, I  began receiving requests from colleagues to meet at the event.  I quickly changed my plans, grabbed an expo pass, and booked a hotel room.

I’m also invited to speak on a Symantec panel, “Securing Code & Apps”.  On the panel I will highlight some of the Java platform security improvements as they relate to code-siging.  Recently, we released Java 7 Update 51 (January 2014) we changed the defaults to require signed Applet code – a significant improvement.  Legacy unsigned code is still supported but not by default.  From my perspective, the panel is a good opportunity to educate attendees on platform changes.

For someone who was not planning to attend, I sure have plenty to do.  I’m excited to see colleges again, honored to participate a panel, and most of all welcome the opportunity to educate on security.  See you at RSA.

–Milton

The War for Your Mobile Pwn

Photo: Security Researcher Kyle Willhoit, Courtesy of NBCNEWS
[Updated on, February 7, 2014]

It’s possible the news report may not be accurate.  Robert Graham of Errata Security posts his opinions,
 “That NBC story 100% fraudulent”.  I’m interested to see if other researchers provide their opinion.

Mark Nunnikhoven (Twitter @marknca) and Kyle Willhoit (Twitter @lowcalspam) security researchers at Trend Micro (Twitter @TrendMicro) comment on the news segment in two blog posts, “Remember the Audience” and “Details Behind the NBC Honeypots: Part 2”.

[Original Post, January 28, 2014]

[Original Post, February 6, 2014]

NBCNEWS reporter Richard Engel (Twitter @RichardEngel) describes the security situation on the ground in Sochi for those traveling to the 2014 Olympic events.  Engel working with security researcher Kyle Willhoit, executed a series of security experiments designed to measure the length of time it takes hackers to compromise decoy laptops and phones loaded with fake information.  You won’t like the results, there are broad security implications for all mobile device users.  If you have not watched the NBCNEWS Nightly News segment, (video) “Hacked Within Minutes: Sochi Visitors Face Internet Minefield”, you should take a look.

During the segment Engel describes their security experiments and concludes, “malicious software hijacked our phone, before we even finished our coffee”.  The point is that popular mobile devices are easily penetrated and exploited for personal gain by computer hackers in Sochi.  The security problem is attributed to local Sochi factors like, proliferation of skilled computer hackers, inadequate investment in law enforcement, and a strong criminal underworld.

 “Malicious software hijacked our phone, before we even finished our coffee.”[Richard Engel, NBCNEWS]

I appreciated the news segment but the problem with mobile security is not unique to Sochi.  If your phone can be hacked in Sochi – it can be hacked anywhere.  The skill of hackers, investments in law enforcement, and number of criminals should be irrelevant factors.  Technology has been around for years to ensure secure communications between distant endpoints.  Strong security begins on your mobile device and is a manufacturing design choice.
When swimming in known shark infested waters, we don’t wait to see sharks before we jump into the protective shark cage.  In the same sense, the Internet infrastructure is a known hostile environment.  If mobile security problems are less obvious in the United States than Sochi it’s not a positive indicator of a strong security posture.  Highlighting security weaknesses in Sochi serves to elevate public awareness to lack of shark cages along with a critical dependency of no sharks for maintaining confidence in mobile security posture.
–Milton