
Thursday, March 1, 2012

RSA Day 2

Attended an interesting presentation by Tom Ritter about BOINC (http://boinc.berkeley.edu/), an open source package used to harness spare computer power on people's PCs (like the @SETI project). Ritter demonstrated how BOINC could be used to factor RSA keys, crack passwords and do server log analysis. As a security consultant he uses these tools to help organizations beef up their security. BOINC can be used to try and crack users' weak passwords in an organization. Nothing like showing up and telling a user "I just cracked your password in 1 minute and here it is: ......". Other interesting tools for hacking include "John the Ripper" (http://www.openwall.com/john/) and hashcat (http://hashcat.net/hashcat/).

Walking the show floor I came across a real-live WWII German Enigma Machine, used to encrypt communications for the Wehrmacht. I even got to press the buttons and play with the dials.



Then a talk by Ira Winkler on mobile threats. The biggest threat may be now, and certainly will be in the future, allowing workers to bring their mobile devices to work, bypassing any established security protections. These devices give security professionals nightmares, given the non-secure dimensions of things like Facebook.

At the end of Day 2, an interesting talk by David Brooks, NY Times columnist and author, talking about social connections and happiness. An interesting study on happiness found that if you win $1 million in the lottery, your happiness goes up, but 6 months later you are at the same level of happiness as before winning the lottery. If you have a car accident and are crippled, happiness goes down, but 6 months later you are at the same level of happiness as before the accident. So how can we be happier? Answer: become lost in activities, i.e. programming, playing games, playing music, time with family and friends. The study shows that folks who meet once a month to pursue some activity (e.g. a club) report a higher level of happiness than others.

Tuesday, February 28, 2012

RSA 2012: Tuesday 2-28-2012 Recap



Keynote by Enrique Salem, CEO of Symantec, talking about Digital Natives, those born in the 1990s never knowing a non-web-connected world, vs. Digital Immigrants, those of us who had to migrate to the Web and learn the language. Digital Natives are wired for social and as such create new challenges for security and a new way of thinking about how to keep information "in" rather than keeping bad guys out. When everything is interconnected and linked, bad guys can get quite a complete picture of who you are and potentially use that to their advantage. Symantec is looking ahead to software that is context-aware, policy-aware, auto-encrypting and that can learn and adapt.

Award given to Texas Rep Mac Thornberry for his report on Cyber Security. Who is Mac Thornberry? Seems worth a look.

Math Award given for differential and linear cryptanalysis tool used to analyze goodness of block ciphers.

Then the always interesting Cryptographers' Panel with Whitfield Diffie (of the Diffie-Hellman Key Exchange Protocol) and two of the RSA founding-father letters, Rivest and Shamir, talking about the state of crypto and the recent findings about the weakness of some RSA keys, apparently attributable to the weakness of one or more random number generators. It ain't easy to crank out truly random numbers on a regular basis!
Also mentioned on the panel, a quote from Mike McConnell, former Admiral and head of the NSA: "No company can ever really protect itself from attack." The assumption must be that "they are in and we have to live with it." This led to a discussion of how we need to apply science to the effectiveness of various defenses: what works, what does not. Shamir then made the comment, "What happens when your cloud goes away, as it did recently when the government shut down a cloud provider and everyone's files were lost?" Moral: even clouds need backup lest they turn to vapor.
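The weak-key finding the panel discussed comes down to this: when two RSA moduli were built with a random number generator that repeated a prime, a plain GCD of the two moduli hands back that prime and both keys are factorable. Below is an added illustration, not code from the post or the panelists, of the check an operator can run over their own certificate inventory to find such keys. The key set is constructed from toy primes just above 10^6 (real moduli are 2048 bits or more), key_A and key_C are deliberately built to share a prime, and the product/remainder-tree "batch GCD" is the general form that scales to millions of keys rather than the pairwise loop the paragraph implies.

```python
from math import gcd

# Constructed toy key set (illustration only; real RSA moduli are 2048+ bits).
# The primes are taken from just above 10^6. key_A and key_C simulate a key
# generator whose RNG repeated the prime 1000003, the failure mode behind the
# shared-factor findings referred to above.
P_SHARED = 1000003
KEYS = {
    "key_A": P_SHARED * 1000033,
    "key_B": 1000037 * 1000039,
    "key_C": P_SHARED * 1000081,
    "key_D": 1000099 * 1000117,
}


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all other moduli),
    using a product tree and a remainder tree so the cost is quasi-linear
    rather than quadratic in the number of keys (Bernstein's batch GCD).
    Identity used: gcd(n_i, prod_{j != i} n_j) == gcd(n_i, (P mod n_i^2) / n_i),
    where P is the product of all moduli."""
    if not moduli:
        return []
    # Product tree: level 0 holds the moduli, each next level multiplies neighbours.
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
               for i in range(0, len(cur), 2)]
        levels.append(nxt)
    # Remainder tree: walk back down, reducing the product modulo n^2 at each node.
    rems = levels[-1]  # root holds [P]
    for cur in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(cur)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit_keys(keys):
    """Return {name: (p, q)} for every key whose modulus shares a prime with
    another key in the set; such keys are fully factorable and must be revoked.
    A gcd equal to the modulus itself means the same modulus appears twice
    (a duplicated key), which is reported separately."""
    names = list(keys)
    moduli = [keys[k] for k in names]
    weak = {}
    for name, n, g in zip(names, moduli, batch_gcd(moduli)):
        if g == 1:
            continue                      # shares no factor with any other key
        if g == n:
            weak[name] = ("duplicate modulus", None)
            continue
        weak[name] = (g, n // g)          # the shared prime and its cofactor
    return weak


if __name__ == "__main__":
    for name, factors in audit_keys(KEYS).items():
        print(f"{name}: modulus {KEYS[name]} factors as {factors}")
```

Run against a real inventory, the moduli would be pulled from the certificates' public keys; a non-empty result from audit_keys means those keys are compromised by construction and need reissuing from a generator with a properly seeded RNG, not merely rotating.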

Another interesting panel on Advanced Persistent Threats (acronym: APT). Conversations about a new generation of attacks and attackers that don't go away; they keep coming, persistently, to continue to test for vulnerabilities, sponsored by who knows: nation states, large criminal networks. Bottom line: folks with money and resources are active, and it's necessary for companies to understand their role in their supply chain and how they may be targeted not for what they have but for what they have access to. In many ways it's about "big data". New grads should understand how to work with and analyze big data and have some clue about tools such as MapReduce and R, in addition to the basics: MySQL and object technology.

The Bruce Schneier session was packed, and Bruce was rockin' as usual. He talked about new threats, not from the standpoint of bad guys out there but from us: how the rise of "big data" has led to the aggregation of data about us by Google, Apple and Amazon, who are really advertising companies, desirous of gathering all they can about us, competing with each other to be "the" company that monetizes data about you. He sees this as a war against general purpose computing, where the devices we use will matter less and less since everything will be in the cloud. The net effect: we will be less secure. Check out his site, http://www.schneier.com/, and sign up for his Crypto-Gram newsletter. I picked up a copy of his new book, Liars and Outliers. [While writing this, I got an automated call asking me to press 1 to validate my Google 411 Listing. I didn't even know I had a Google 411 Listing! Beware Big Data!]

Some sites to check out:
Travis Goodspeed, respected security blogger:
http://travisgoodspeed.blogspot.com/

And for the well received Checklist for Secure Mobile Devices:
http://www.sans.org/score/mobile-device-checklist.php

Lots of concerns about the cloud, of course. Two recent events of interest:
1) Amazon XML Signature vulnerability
2) Dropbox authentication bypass (someone apparently turned off password checking on the weekend??)