RSA Conference 2020: Nice to see you, but don’t shake my hand

Richi Jennings, Industry analyst and editor, RJAssociates

The RSA Conference just squeaked in under the wire, before the avalanche of tech conferences that canceled for fear of Covid-19. This year’s affair was a bit less touchy-feely, in deference to those unwilling to share manual germs.

And there was plenty of talk about viruses, as well as other malware. Plus all the other usual infosec/cyber chatter.

Here’s a quick flavor, Security Blogwatch-style. Even though we stayed at home this year.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: John mocks.


Could I get a lime?

What’s the craic? Shaun Nichols kicks us off this year—'I give fusion power a higher chance of succeeding than quantum computing' says the R in the RSA:

As they do every year … Ron Rivest (the R in RSA), Adi Shamir (the S), and Whit Diffie (of Diffie–Hellman key exchange fame) … took the stage in San Francisco for the RSA Conference's crypto panel. … Shamir explained his absence from last year's conference [saying] he spent six months waiting for permission to enter the country. … "Whoever is in charge of processing (in the US) should be replaced."

"I hope people building quantum computers fail," Rivest offered. [He] told the conference he has serious doubts about whether quantum computers will ever be realized, particularly at the size and scale needed to break … encryption algorithms. … "I am not sure it can be done."

Rivest was similarly dubious about blockchain, [saying it’s] "the wrong security technology for voting, I like to think of it as bringing a combination lock to a kitchen fire," … noting that paper ballots are still considered essential for secure voting. … "Voting is not a place where you need high-tech for it to work."

Diffie said he was not surprised the CIA had managed to infiltrate and bug a commercial security tool [Crypto AG]. "Intelligence is not about playing fair, it is about succeeding. That is what this operation did with amazing success."

But QC is OK, right? Rich Felker approves this message:

[Quantum computing] theoretically shouldn't work. [It] requires scaling of machine size or measurement precision unboundedly to solve any hard classical problem.

Tell me a story. Hey, Lily Hay Newman—How a Hacker's Mom Broke Into a Prison—and the Warden's Computer:

John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them.

In July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack: He sent his mom. … "She approached me one day, and said … 'I want to break in somewhere,' " says Strand … this week at the RSA cybersecurity conference. … "And it's my mom, so what am I supposed to say?"

She told the guards at the entrance that she was conducting a surprise health inspection and they not only allowed her in, but let her keep her cell phone, with which she recorded the entire operation. … She was even allowed to roam the prison alone, giving her ample time to take photos and plant … malicious USB sticks [that] would beacon back to her … colleagues and give them access to the prison's systems.

Then she handed … the prison director … a specially prepared USB drive. … When the prison boss clicked, he inadvertently gave [researchers] access to his computer.

In 2016, Rita died. … She never had a chance to do another pen test. Strand declined to say which prison his mother infiltrated, only that it has since shut down.

What happened next? Raïs Lall Mohamed only imagines, because he can [You’re fired—Ed.]:

I can only imagine the interrogation the next actual health inspector got.

Is that a full moon? Patrick Howell O'Neill howled out in terror—A billion Wi-Fi devices suffer from a newly discovered security flaw:

More than a billion internet-connected devices—including Apple's iPhone and Amazon's Echo—are affected by a security vulnerability that could allow hackers to spy on traffic. … The flaw [was] discovered by the cybersecurity firm ESET.

This could mean victims are vulnerable to eavesdropping, [but] software updates and other layers of security will likely prevent this attack from having catastrophic results. … The vulnerability, dubbed Kr00k by researchers, affects devices with Wi-Fi chips by Broadcom and Cypress.

However, a lot of private communication on your Wi-Fi network should still be safe because of encryption used by websites themselves. So keep calm, salute the folks finding these problems, and carry on.

In a nutshell, though? hax 109 offers this précis:

You send something over the wi-fi. A few packets are queued in a buffer on the wi-fi card.

While the card is still transmitting the data, the attacker sends a (forged) deauth management frame to your card, signaling that it got disconnected from the AP (or vice versa that the client disconnected if the attack is carried out against an access point). The card then clears the keys which belonged to that session, but erroneously keeps transmitting the data in its internal buffer.

This data is encrypted with the blanked key (all zeros), so the attacker can just capture the frames and trivially decrypt them.
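The failure mode just described boils down to one ordering bug: the chip zeroes the session key on disassociation but keeps draining its transmit queue. The following toy model, added here and not code from ESET, Broadcom or the commenter above, puts the buggy chip next to the obvious hardening (flush the queue whenever the key is cleared) so the difference is visible. The cipher is a constructed SHA-256 stream cipher with a keyed tag, standing in for WPA2 CCMP; the class names, the "PTK" bytes and the frame contents are all invented for the example.

```python
"""Toy model of the Kr00k failure mode: key zeroed, queue not flushed.

The cipher here is a constructed SHA-256 based stream cipher with a keyed
tag. It is NOT CCMP and NOT how a real Wi-Fi chip works; it only models the
ordering bug (clear key, keep transmitting) and its fix (clear key, drop queue).
"""
import hashlib
from collections import deque
from typing import Dict, List, Optional, Tuple

KEY_LEN = 16
TAG_LEN = 8
ZERO_KEY = bytes(KEY_LEN)   # the all-zero key the buggy chip ends up using


def _keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Derive `length` keystream bytes from SHA-256(key || nonce || counter)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _tag(key: bytes, nonce: int, ciphertext: bytes) -> bytes:
    """Keyed integrity tag, playing the role of the CCMP MIC."""
    return hashlib.sha256(b"tag" + key + nonce.to_bytes(8, "big") + ciphertext).digest()[:TAG_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return ct + _tag(key, nonce, ct)


def decrypt_frame(key: bytes, nonce: int, frame: bytes) -> Optional[bytes]:
    """Return the plaintext if the tag verifies under `key`, else None."""
    ct, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if _tag(key, nonce, ct) != tag:
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


class WifiChip:
    """Minimal model of a chip's TX path; `flush_queue_on_disassoc` is the fix."""

    def __init__(self, session_key: bytes, flush_queue_on_disassoc: bool) -> None:
        self.key = session_key
        self.flush_queue_on_disassoc = flush_queue_on_disassoc
        self.tx_queue: deque = deque()
        self.nonce = 0
        self.on_air: List[Tuple[int, bytes]] = []   # what a passive sniffer sees

    def queue(self, plaintext: bytes) -> None:
        self.tx_queue.append(plaintext)

    def transmit_one(self) -> None:
        if not self.tx_queue:
            return
        self.nonce += 1
        self.on_air.append((self.nonce, encrypt_frame(self.key, self.nonce, self.tx_queue.popleft())))

    def receive_disassoc(self) -> None:
        """Both variants clear the key; only the fixed one also drops queued frames."""
        self.key = ZERO_KEY
        if self.flush_queue_on_disassoc:
            self.tx_queue.clear()

    def drain(self) -> None:
        while self.tx_queue:
            self.transmit_one()


def zero_key_leak(frames: List[Tuple[int, bytes]]) -> List[bytes]:
    """Frames whose tag verifies under the all-zero key, i.e. trivially readable."""
    leaked = []
    for nonce, frame in frames:
        pt = decrypt_frame(ZERO_KEY, nonce, frame)
        if pt is not None:
            leaked.append(pt)
    return leaked


def simulate(flush_queue_on_disassoc: bool) -> Dict[str, object]:
    """Queue three frames, send one, get disassociated mid-burst, drain the rest."""
    ptk = hashlib.sha256(b"constructed pairwise key, not a real PTK").digest()[:KEY_LEN]
    chip = WifiChip(ptk, flush_queue_on_disassoc)
    chip.queue(b"GET /webmail HTTP/1.1")           # constructed traffic
    chip.queue(b"Cookie: session=c0nstructed")
    chip.queue(b"POST /login user=alice")
    chip.transmit_one()        # sent under the real key
    chip.receive_disassoc()    # forged disassociation arrives mid-burst
    chip.drain()               # buggy chip keeps sending; fixed chip has nothing left
    return {"frames_on_air": len(chip.on_air), "leaked": zero_key_leak(chip.on_air)}


if __name__ == "__main__":
    for fixed in (False, True):
        result = simulate(fixed)
        print("fixed" if fixed else "buggy", result["frames_on_air"], "frames,",
              len(result["leaked"]), "readable with the zero key")
```

The frame sent before the disassociation is never readable in either variant, because its tag only verifies under the real key. In the buggy variant the two frames still in the queue go out under the zero key and verify immediately; in the fixed variant they are discarded with the key, which is the behaviour a firmware update for this bug has to restore.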

And Dan Goodin has—Stealing advanced nations’ Mac malware isn’t hard:

At the RSA Security conference this week, a former hacker for the [NSA] demonstrated an approach that’s often more effective: stealing and then repurposing a rival’s code. [It] can be a smarter and less resource-intensive approach for deploying ransomware, remote access spy tools, and other types of malicious code [especially] repurposing of advanced code written by government-sponsored hackers.

The repurposing caused the malware to report to command servers belonging to [Patrick] Wardle rather than the servers designated by the developers. [It] allowed him to use well-developed and fully featured applications to install his own malicious payloads, obtain screenshots and other sensitive data from compromised Macs, and carry out other nefarious actions written into the malware.

Wardle used a hex editor to change the original version’s hard-coded control server domain to the address of the server under his control. [His] control server had to, among other things, encrypt [the payload] with the same key and cipher he observed during his analysis.

Malware repurposing is [not] unique to Mac. … This kind of recycling works against any operating system or platform. … “The idea is to let those with more time, money, and resources do all the hard work,” … Wardle said.

So what have we learned? kot-begemot-uk practices pedagogy:

Any “researcher” trying to attribute something to CIA, KGB, GRU, Mossad, etc., on the grounds of “they are using the same malware” should be tarred, dipped in feathers and manure and made to start and sign any of his articles with a suitable picture of him covered in feathers and bull**** similar to the one they spread.

Alternatively they should start with a disclaimer of who is paying them for the propaganda hatchet job.

Meanwhile, a shocked @Grifter801 is running the conference SOC:

1,712. … That's the number of unique email accounts passing their account credentials in the clear on the #RSAC network … in 2020. Seriously.
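Counting "accounts passing credentials in the clear" is something any network SOC can reproduce on its own span traffic. The detector below is an added example, not the RSAC SOC's tooling, and runs over a handful of constructed plaintext sessions (HTTP Basic, POP3 USER, IMAP LOGIN) as a passive sensor would reassemble them. It reports unique account names only and deliberately throws the passwords away, so the report itself does not become a second leak. The session dicts, hostnames and account names are all invented.

```python
"""Count unique accounts whose credentials crossed the wire unencrypted.

Input is a list of reassembled plaintext sessions, each a dict with the
application protocol and the raw payload text. Constructed for this example;
the regexes cover HTTP Basic auth, POP3 USER and IMAP LOGIN only.
"""
import base64
import re
from typing import Dict, List, Set

# Only an Authorization header at the start of a line, base64 token, optional CR.
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
POP3_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.I | re.M)
IMAP_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+"?([^\s"]+)"?\s+\S+', re.I | re.M)


def _basic_username(token: str) -> str:
    """Decode a Basic token to its user part; passwords are dropped on purpose."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError
        return ""
    user, sep, _password = decoded.partition(":")
    return user if sep else ""


def cleartext_accounts(session: Dict[str, str]) -> Set[str]:
    """Account names whose secret was visible in this one plaintext session."""
    proto, payload = session["proto"], session["payload"]
    if proto == "http":
        return {u for u in map(_basic_username, BASIC_RE.findall(payload)) if u}
    if proto == "pop3":
        return set(POP3_USER_RE.findall(payload))
    if proto == "imap":
        return set(IMAP_LOGIN_RE.findall(payload))
    return set()                # TLS or unknown protocols: nothing readable


def summarize(sessions: List[Dict[str, str]]) -> Dict[str, object]:
    """Unique cleartext accounts overall and per protocol, passwords excluded."""
    per_proto: Dict[str, Set[str]] = {}
    for s in sessions:
        found = cleartext_accounts(s)
        if found:
            per_proto.setdefault(s["proto"], set()).update(found)
    unique = sorted(set().union(*per_proto.values())) if per_proto else []
    return {
        "unique_accounts": unique,
        "count": len(unique),
        "by_protocol": {p: sorted(v) for p, v in sorted(per_proto.items())},
    }


def _basic(user: str, password: str) -> str:
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sessions: not real traffic from any conference network.
CONSTRUCTED_SESSIONS: List[Dict[str, str]] = [
    {"proto": "http", "src": "10.0.0.5",
     "payload": "GET /webmail HTTP/1.1\r\nHost: mail.example.test\r\n"
                f"Authorization: Basic {_basic('alice@example.test', 'hunter2')}\r\n\r\n"},
    {"proto": "http", "src": "10.0.0.9",   # same account from a second device: counted once
     "payload": "GET /webmail/inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
                f"Authorization: Basic {_basic('alice@example.test', 'hunter2')}\r\n\r\n"},
    {"proto": "pop3", "src": "10.0.0.12",
     "payload": "USER bob\r\nPASS letmein\r\nSTAT\r\n"},
    {"proto": "imap", "src": "10.0.0.20",
     "payload": "a1 LOGIN carol s3cret\r\na2 SELECT INBOX\r\n"},
    {"proto": "http", "src": "10.0.0.31",  # no credentials at all
     "payload": "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"proto": "tls", "src": "10.0.0.40",   # encrypted: sensor sees no application data
     "payload": ""},
]


if __name__ == "__main__":
    report = summarize(CONSTRUCTED_SESSIONS)
    print(f"{report['count']} unique accounts sent credentials in the clear")
    for proto, users in report["by_protocol"].items():
        print(f"  {proto}: {', '.join(users)}")
```

The same account seen from two devices counts once, which matches the "unique email accounts" framing of the tweet; a Basic header whose token is not valid base64, or decodes without a colon, is ignored rather than guessed at.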

The moral of the story?

See you next year—assuming we survive the pandemic.


And finally

John Oliver: Before he was famous (2005-ish)


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Simon Schoeters (cc:by)
