#RSAC2018: The infosec escalators we love to hate

It’s that time again: It’s the RSA Conference in San Francisco.

Home of empty promises, hawkish vendors, arm-wavy consultants, and harassed PR mavens. Some think it’s the place to see and be seen, but others can’t wait for it to be over for another year.

So what caught your humble blogwatcher’s eye this year? In this week’s Security Blogwatch, we traipse the Moscone Center so you don’t have to.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Chronological Westworld


The silver lining on silver bullets

What’s the craic? Mark Albertson—RSA’s president sees cybersecurity silver linings while others hear music on the Titanic:

RSA Security LLC President Rohit Ghai delivered his opening keynote at the RSA Conference in San Francisco today with a surprisingly optimistic view of the trouble-plagued cybersecurity industry. … Ghai focused on what he called “silver linings.” These included security industry acceptance of an incremental approach that finally abandons an ultimate “silver bullet.”

However, Ghai’s remarks were followed by a parade of speakers, including noted cryptographers, company executives and the head of the Department of Homeland Security, who took a less sanguine view. … Paul Kocher, an independent security researcher who played a key role in the discovery of the microprocessor security flaw last year called Spectre [said,] “We still have a pretty big mess.”

In anticipation that the cybersecurity struggle will get harder, 34 technology companies announced The Cybersecurity Tech Accord.

The Cybersecurity whatnow? Nicholas Fearn—Thirty-four tech giants sign cyber security charter:

[At] the 2018 RSA Conference in San Francisco … firms such as Symantec, Facebook, SAP, HP, Nokia and Oracle [put] the final touches to the Cybersecurity Tech Accord.

Microsoft said the agreement represents the "operators of technologies that power the world's internet communication and information infrastructure".

Clear as mud? So Simon Sharwood says—No roadmap. No timeframe. No success metrics. Not much grip on reality, either:

Thirty-four technology companies inked a "Cybersecurity Tech Accord" … which they said represents "a public commitment … to protect and empower civilians online and to improve the security, stability and resilience of cyberspace." … But there is no sign of Apple, Lenovo, major SaaS players, AWS, Google or IBM.

The group's foundational document … does not detail how, or when, it will act. Nor … any detail or metric that participants will use to measure progress or success. [Nor any] hint that the 34 have considered risks, appropriate responses, or what resources are available.

And how seriously can we take a pledge to do good works on privacy when signatories include LinkedIn and Facebook?

Plenty of the [members] describe today's announcement as the first step on a road to … somewhere.

This reads like well-intentioned stuff that seems likely to lead to some lovely meetings and deliver some nice white-papers. [But] it's hard to see it making much difference to anyone.

Don'cha love marketing? Milton waxes excoriating:

These days it seems you can spot the malign influence of market***s simply by measuring the facts-to-words ratio of documents. This Accord[’s] … Fact:BS ratio is pitiful—signalling a bunch of half-hearted corporate bull****.

One can't help being reminded … that while the world obviously needs lavatory cleaners and prison warders and even … a few lawyers, it still benefits not one jot from the existence of marketing.

And RSAC is well-known for bringing guv’mint and industry together. Mark Joseph Marks’ words [You’re fired—Ed.]:

A new cybersecurity strategy due out within days from the White House envisions [DHS] providing cybersecurity services directly to critical infrastructure providers, such as hospitals, airports and energy companies. … Homeland Security Secretary Kirstjen Nielsen described [it] as “security as a service.”

The strategy will contain five main pillars, Nielsen said: risk identification, threat reduction, reducing vulnerabilities, mitigating consequences, and enabling cyber outcomes. … She described it as mostly continuous with earlier cyber strategy documents from the Obama administration.

“We need to move, perhaps, more to a collective defense given the threats today,” she said.

The announcement came on the same day that Nielsen’s department and its United Kingdom counterpart warned about a Russian government hacking campaign targeting government and critical infrastructure systems.

But for the libertarians among us, there’ll always be blockchain. John Fontana—Cryptographers spank blockchain:

"Blockchain is often viewed as security pixie dust," said Ron Rivest, an MIT professor and the 'R' in RSA. The message is "any application you have can be made better and more secure with blockchain." Rivest said the technology has interesting properties … but it fails on scale, throughput and latency. … Rivest's peers on the panel added to the critique. He was joined on stage by Adi Shamir … Whitfield Diffie … Paul Kocher … and Moxie Marlinspike.

Shamir added the technology is "overhyped," but said it might be one way to guarantee the validity of digital signatures once quantum computing takes over.

The group also questioned the industry's obsession with increasing speeds at the expense of security.

Marlinspike also kicked Facebook in the rubber parts. Shaun Nichols reports Facebook is like Exxon:

The Cryptographers' Panel, an annual tradition at the event, this year included … Signal co-author Moxie Marlinspike.

"In many ways Facebook is the Exxon of our time, it is this indispensable tool that is a part of everyone's life that everyone also despises. … "It doesn't matter how many gallons of oil Exxon dumps in the ocean or how egregious Facebook's policies are."

Got your elevator pitch ready? Sharon @sbesser Besser has tips:

Common request at #RSAC from #CISO and #CIO: Don't use [artificial intelligence] and [machine learning] as the value prop and differentiator.

Talk to the point. If you can't explain without the buzzwords, you probably need to do a different solution.

Of course, the cognoscenti know to skip RSAC and instead attend the nearby Security BSides alt-con, amirite? Here’s Paul Wagenseil—Google Shares Plan to Kill Phishing Attacks:

Google and its partners are leading the move away from passwords and toward physical USB security keys, Google researchers Neal Mueller and Collin Frierson said at the BSides SF security conference. … Google itself distributed USB security keys to its own employees [four] years ago, with good results.

Mueller said, "We've had zero successful phishing attempts at Google." [But] that doesn't mean that phishers aren't trying.

Phishing is still a leading cause of data breaches, online theft and account takeovers. Mueller and Frierson said that a survey of Gmail data revealed 12 million people had fallen victim to successful phishing attacks in a single year.

Two-factor authentication (2FA) doesn't always help defeat phishing, especially if the second factor is a one-time passcode sent via SMS text message. … Even knowing the victim's phone number isn't necessary for a one-time break-in, Mueller and Frierson pointed out.

The FIDO Alliance is in the process of replacing its existing U2F (Universal Two-Factor) standard with what it calls FIDO 2. … Part of FIDO 2 is the upcoming WebAuthn standard. … "Security keys are much more user-friendly than a one-time password," Mueller said.
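As an added illustration (not code from Wagenseil's article, Google or the FIDO Alliance), a simplified model of why a security-key assertion survives the relay that a phished SMS code does not: the browser writes the origin it is really on into the signed client data, and the relying party rejects any origin but its own. The hostnames, challenge and one-time code are constructed, and an HMAC key stands in for the authenticator's public-key signature.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "accounts.example.com"            # constructed relying-party id
RP_ORIGIN = "https://" + RP_ID
# Simplification: an HMAC key shared with the RP stands in for the security key's
# private key and the public key the RP stored at enrolment.
CREDENTIAL_KEY = b"constructed-credential-key"

def authenticator_sign(origin_seen_by_browser: str, challenge: bytes) -> dict:
    """Browser + security key. The browser writes the origin it is really on into
    clientDataJSON; the key signs rpIdHash || SHA-256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin_seen_by_browser,
    }).encode()
    host = origin_seen_by_browser.split("://", 1)[1]
    auth_data = hashlib.sha256(host.encode()).digest()  # real authenticatorData also carries flags/counter
    sig = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying party: check challenge, origin and rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    chal_b64 = cd.get("challenge", "")
    challenge = base64.urlsafe_b64decode(chal_b64 + "=" * (-len(chal_b64) % 4))
    if cd.get("type") != "webauthn.get" or challenge != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False  # signed on some other site: the relayed-phishing case
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def sms_otp_verify(submitted: str, issued: str) -> bool:
    """SMS one-time code: nothing binds the code to the site the user typed it into."""
    return hmac.compare_digest(submitted, issued)

def demo() -> dict:
    """A genuine login, a relayed security-key assertion, and a relayed SMS code."""
    challenge = secrets.token_bytes(32)
    lookalike = "https://accounts-example.com"  # constructed phishing origin relaying the RP's real challenge
    return {
        "genuine_key": rp_verify(authenticator_sign(RP_ORIGIN, challenge), challenge),
        "relayed_key": rp_verify(authenticator_sign(lookalike, challenge), challenge),
        "relayed_sms": sms_otp_verify("482913", "482913"),
    }
```

The relayed SMS code verifies because the RP cannot tell where it was typed; the relayed key assertion fails on the origin check before the signature is even examined.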

Iain Thomson agrees—So you’ve got a zero-day — do you sell to black, grey or white markets?:

Barely a decade ago the mere idea of selling vulnerabilities was highly controversial. Today the market is mature, but increasingly complicated.

Brian Gorenc … explained to the BSidesSF technology conference … how best to sell a bug. … The pwning of the Italian grey marketeers the Hacking Team in 2015 offered an excellent insight into the economics of this market. Countries like the Czech Republic, Bangladesh and Gulf States were paying Hacking Team tens of thousands of dollars a year.

So it’s clear researchers can play on both sides of the fence, disclosing some bugs for a quick and honest payout, but also reaping grey market profits. But there’s also the black market - selling directly to online scumbags.

However, this market is now under legislative attack. In the US State of Georgia, a now-passed extreme hacking law could criminalize researchers for doing their job.

And, of course, the best party is always the invite-only Security Bloggers Network awards. This anonymous interviewer talked to Jennifer Leggio:

Leggio has spent most of her career in PR or marketing for various infosec vendors, so she has plenty of views when it comes to how to – and not to – market information security companies and products.

Leggio’s main advice on how to market effectively in an industry which she agrees is filled with “a lot of noise”, is to remain true to what you do and focus on your strengths, not jumping on whatever trend the rest of the industry is following.

In collaboration with Alan Shimel and others, Leggio co-manages the security bloggers network, on its twelfth annual RSA meet-up. The security blogger awards that are presented at the meet-up have grown from something that “started as a bit of fun” to something that “is actually really important, and that shows the value of people educating industry. Winning an award has real accolade.”

The awards are community run and sponsored, and Leggio describes the magic of the blogger awards as “an intimate environment where people can talk without being marketed to.”

The moral of the story?

Despite all the noise and flim-flam, infosec still begins and ends with people—people like you.

And finally …

Westworld season 1, but it's chronological

Just in time for season 2

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Craig Howell (cc:by)
