Another RSA Conference has come and gone. I had the privilege of getting a full “delegate” pass this year, which meant that I had access to attend the sessions, so I’ll try to describe the sessions I attended below. Due to several conflicting meetings and other commitments, I didn’t make it to quite as many sessions as I anticipated, and barely made it to the exhibit floor.
My overall observation is that the RSA conference, as a whole, continues to be very healthy. There was a wide range of technical sessions, and the exhibit floor (what I saw of it) was sizable and very active. One thing that I noticed is that more of the sessions seemed to be panel discussions this year than in the past. I tend to get more out of the individual or 2-person team talks because I find them to be more focused, in comparison with the panels that are often unscripted and more driven by the questions of whoever is in the audience.
Lifestyle Hacking: Social Networks and Gen Y Meet Security and Privacy
This panel discussion, sponsored by IEEE Security and Privacy Magazine, was led by Gary McGraw, CTO of Cigital, and included Gillian Hayes of UC Irvine, Jim Routh of Archer Technologies, Avi Rubin of Johns Hopkins University, and Dr. Kim De Vries of CSU Stanislaus.
The session began with some role-playing to illustrate the problems associated with enforcing rules in a corporate environment, e.g., rules against use of social networking sites at work. Many good (and not so good) reasons were illustrated for bypassing the rules. Discussion topics:
- Do controls encourage breaking rules? Is hacking around controls a “gateway drug”?
- How do you define productivity?
- How do you balance maximum productivity against tools that do genuinely cause productivity loss?
- What is the motivation for 20-somethings to access social networking sites?
- Is there a line between purely social interaction and professional interaction?
- Is there a parallel to the history of phones in the workplace?
Employees can be very creative; there was a story about an employee who was investigated because of his heavy network bandwidth usage. It turned out he had created a tunnel to his home ISP and was streaming movies to his work computer while he worked. He lost his job for this, but his manager was disappointed because this employee was the most productive in his group!
Behaviors start very early, in school. Most corporate sites that block Facebook do so out of productivity concerns rather than security concerns. But it’s increasingly being recognized that there is no separation of work and social activities these days.
Interesting comment from an audience member: His employer had been keeping security incidents quiet internally, as is common practice. Now they publicize incidents (with names and other specifics removed) and have found that it helps let their employees know why the rules exist.
Banking Malware -- All Your Bank Accounts Belong to Us
This panel discussion was moderated by Pat Peterson of Cisco, and included Michael Barrett, the CISO of PayPal, Adrian Flagg, an Information Security Threat Manager, and Laura Mather of Silver Tail Systems. I joined the session in progress following an offsite meeting.
The Australians have a model/organization, the Australian Internet Security Initiative (AISI), for shutting down malware nodes that should be a model to others in the world. Apparently the FCC gets in the way of this in the US: Service providers know where many of the infected and botnet control nodes are, but they are often prohibited from doing anything about them.
A new term for me: whales (big phish), referring to getting CEO or CFO credentials for corporate banking. I wonder if someone should point out that whales are mammals!
Laura Mather talked about man-in-the-browser attacks. These are very dangerous — they stay dormant until a bank account is accessed and then silently hijack the authenticated session to transfer money out of the account. Some of them are even sophisticated enough to rewrite the displayed account balance to hide their tracks. Because the credentials themselves are valid, behavioral analysis is the primary defense.
Internet Explorer version 6 is seen as a significant security threat. Banks are getting more assertive in telling people to upgrade, and some will probably refuse to work with IE6 soon.
How Multi-Fault Injection Breaks the Security of Smart Cards
The presenter, Mark Witteman of Riscure, discussed methods by which smart cards might be compromised. The attacks he described primarily involved the focusing of IR lasers on the chip to induce a fault. Some chips that are shielded from the top can be attacked from the bottom (through the substrate) by this method. The goal is to get the processor to skip an instruction or to change the result in a conditional. Very time consuming, especially so if the code is written defensively (random delays, etc.). A 32-bit chip might require 32 beams!
There is a paper on this at http://www.riscure.com/fileadmin/images/Docs/Paper_Side_Channel_Patterns.pdf
In a strange way, it is reassuring that it is necessary to resort to such exotic means to compromise these cards.
Electronic Identity: Who are You… and When Does it Matter?
This was a Legal Track panel discussion led by Rebecca Nielsen of Booz Allen, with David Navetta of InfoLawGroup LLP, Arshad Noor of StrongAuth, and John Tomaszewski of TRUSTe.
They discussed a lawsuit regarding a 500K loss from a corporate bank account… a user (CFO, I think) was fooled into giving up 2-factor credentials. The claim is that the bank should have used contextual clues to stop the transfer (unusually large transfer from strange IP addresses). I heard more about this suit later at the conference; it’s probably worth tracking.
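The contextual screening the plaintiff argued for (an unusually large transfer from an unfamiliar IP address), which is also the kind of behavioral check the banking malware panel described as the main defense against man-in-the-browser hijacking, as an added Python example that is not part of the original post. The account, IP addresses, payees and the 5x / two-clue thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float
    src_ip: str
    payee: str


def build_profiles(history):
    """Per-account baseline from past approved transfers: IPs, payees, largest amount."""
    profiles = defaultdict(lambda: {"ips": set(), "payees": set(), "max_amount": 0.0})
    for t in history:
        p = profiles[t.account]
        p["ips"].add(t.src_ip)
        p["payees"].add(t.payee)
        p["max_amount"] = max(p["max_amount"], t.amount)
    return dict(profiles)


def contextual_flags(t, profiles, amount_factor=5.0):
    """Contextual clues that make this transfer look out of pattern.
    Valid credentials are assumed (as in a hijacked session); only the
    context of the request is examined."""
    p = profiles.get(t.account)
    if p is None:
        return ["no transfer history for this account"]
    flags = []
    if t.src_ip not in p["ips"]:
        flags.append("source IP never used by this account")
    if t.amount > amount_factor * p["max_amount"]:
        flags.append(f"amount exceeds {amount_factor:g}x the largest prior transfer")
    if t.payee not in p["payees"]:
        flags.append("payee never used by this account")
    return flags


def decide(t, profiles, hold_at=2):
    """'hold' (route for out-of-band confirmation) when two or more clues coincide."""
    flags = contextual_flags(t, profiles)
    return ("hold" if len(flags) >= hold_at else "allow"), flags


# Constructed sample history for one corporate account (not real data).
HISTORY = [
    Transfer("corp-001", 12000.0, "203.0.113.10", "payroll-vendor"),
    Transfer("corp-001", 8500.0, "203.0.113.10", "office-lease"),
    Transfer("corp-001", 15000.0, "203.0.113.11", "payroll-vendor"),
]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    # Valid 2-factor session, but a $500K transfer to a new payee from a new IP.
    suspect = Transfer("corp-001", 500000.0, "198.51.100.77", "new-offshore-account")
    print(decide(suspect, PROFILES))  # -> 'hold' with three clues
    print(decide(Transfer("corp-001", 9000.0, "203.0.113.10", "office-lease"), PROFILES))
```

A single unfamiliar clue (say, the CFO travelling) only raises a flag; it is the coincidence of clues that triggers a hold, which keeps false positives tolerable for routine payments.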
Someone in the audience asked a question about the red flags rule. Red flags refer to criteria that are used to determine if someone might be faking their identity or doing something otherwise fraudulent. For example, someone trying to open a bank account while there is a credit check on their account might trip a red flag. Companies in certain sectors are required to have programs to identify red flags and detect when they have been crossed. This is sometimes considered the “other side” of breach notification requirements.
Legal Risks of User- and Enterprise-Oriented Identity Management Systems
This was another Legal Track presentation by an attorney and a professor at University of Washington.
User-oriented identity management is more complex due to the difficulty in having a basis for a trust decision by the relying party (which has no contractual relationship with the identity provider, so perhaps no recourse). In some cases, the contractual relationship between user and identity provider may shield the provider from all risks.
Enterprise-oriented identity management still has too many barriers. We need standard contracts for allocating risk in federation.
What can users actually handle, and do they recognize risks of URL-based identity schemes? This is referred to as a dancing pig security problem (the name comes from Ed Felten’s observation, “Give users a choice between security and a dancing pig, and they’ll pick the dancing pig every time”).
Notice and consent information privacy problems: Increased transferability of information will lead to commoditization of personal information.
They spoke of a choice of an identity management model between enterprise-oriented and user-oriented. They feel that hybrid is a better fit.
The American Bar Association in 2009 organized an Identity Management Legal Task Force. This is an open project; one does not need to be an ABA member or even a lawyer to participate. They are looking for participants. They are identifying legal issues in connection with development, implementation, and use of federated identity management systems, and discussing legal models to address those issues. They are also developing model terms and contracts for use by the parties.
Botnets Gone Wild! Captured, Observed, Unraveled, Exterminated
This session, presented by Cisco’s Pat Peterson and Henry Stern, discussed the ease with which someone can use available tools to set up a botnet.
A very modest initial outlay is required: about $2500 for infrastructure (cloud machines to collect data), Zeus (data theft trojan) software, exploit software, and to drive traffic to your site.
Zeus includes some very nice tools allowing the not-particularly-technical to do things like add fields (e.g., ATM PIN) to web forms and collect the results.
Fragus is exploit software costing about $800. It exploits specific vulnerabilities in software such as PDF readers to install the Zeus software. A “frag” is a term for a successful exploit.
A movie showed the installation of the Zeus software, and the only indication was a briefly displayed indicator that the anti-virus software and auto-updates from Microsoft had been turned off.
Botnet software known as “Cutwail” can then be used to drive traffic to the site by sending phishing messages to prompt execution of the Fragus exploited software, and the bad guy is in business.
It’s far too easy to do all of this.
Virtualization Security: Challenges and Solutions
Steve Orrin, Director of Security Solutions at Intel, gave an excellent session on the state of security in the world of virtualization. He wasn’t talking particularly about cloud computing, but he said that many aspects of virtualization apply there too.
A new term for me is “consumerization”: This is the practice by some companies of setting up a controlled corporate environment within a VM on their employees’ own hardware. In some cases the corporate environment VM might be configured to only run signed code.
HyperJacking is the injection of a rogue hypervisor on top of hardware and getting access to everything! It generally requires physical access or a severely compromised virtualization layer. This is largely a theoretical attack but is dealt with by Intel Trusted Execution Technology (TXT), which provides a chain of trust from hardware to the hypervisor.
VM Hopping/Guest Jumping is the leveraging of one virtual machine to attack another. Remember that the hypervisor is software; both Xen and VMware have had vulnerabilities in the past.
It is important to recognize that network communication between VMs on the same host never goes into the physical world. Consider that a VM could put its virtual interface into promiscuous mode and listen to everything on the virtual switch. Physical network firewalls don’t apply; spoofing is easier too. His guidance was to segment virtual machines, putting applications similar in value (and trust) on the same hardware. As is common practice, put databases on separate machines. Another possibility is to use a firewall VM (VMsafe, etc.).
VM migration (VMotion, etc.) — Be aware that VMs move in the clear. A man-in-the-middle can sniff sensitive data, manipulate services, possibly even inject a rootkit! This could be dealt with through encryption, but PKI would be needed for flexibility. One could also isolate this traffic on a different network or VLAN to minimize the opportunity for attacks, as recommended by the VMware Best Practices Guide.
VM management — One needs to consider how to get patches pushed to VMs that aren’t currently running. Configuresoft (now part of EMC), Catbird, and McAfee have solutions in this area.
Forensics, and VM Record/Play — Originally created as debugging tools, these can provide an opportunity to observe attempts to compromise VMs.
General Dynamics High Assurance Platform (HAP) — HAP provides a high degree of isolation between virtual machines. This is certified to run multiple US Government classification levels simultaneously.
Virtual Machine Sandboxing — Extremely fast spawning of new virtual machines (35 usec) provides opportunities to create new sandboxes on the fly. This is an open source project at http://isolated-exec.sourceforge.net.