RSA: Final Thoughts

SAN FRANCISCO—Attendance was down enough to dull what’s usually a loud roar to a low buzz in the cavernous expo hall at the RSA Security Conference last week. Yet, examples of innovation and security maturation were still in abundance. In particular, there was a lot of standards-based innovation around authentication, managing peoples’ online identities, encryption and data management.

“What the market is moving toward is end-to-end trust, both preventive and reactive,” said Scott Charney, Microsoft’s corporate VP of Trustworthy Computing, during a Tuesday morning keynote. “This includes root trust in the hardware store, and trust of the people requesting access, and protection of personal and confidential data.”

Vista includes full volume encryption with Trusted Bit Locker based on the Trusted Platform Module (chip security) framework, and has a browser application to accept only digitally signed data. For Windows 7, Microsoft has partnered with EMC/RSA for technology to create secure, peer-to-peer IPV6 log-in sessions using IPsec (Internet Protocol Security).

In another project, code-named ‘Sterling,’ Microsoft is developing an API for third parties to create an “identity meta system” akin to how birth certificates are used in the real world, according to Charney. (As I blogged previously, some security vendors are even looking at becoming the overall vetting service for online identities, akin to what Verisign does with digital certificates.)

There was also a lot of development around OATH (Initiative for Open Authentication), an open standard for two-factor authentication, which is happening on cards, tokens and phones, says Don Malloy, business developer manager at NagraID and marketing chair for OATH. 

Integration between applications and network security was also announced by security lifecycle management startup, Tufin Technologies, which released TOP (Tufin Open Platform) open APIs for developers. Already it partners with F5 and Blue Coat for policy management, and is deeply integrated with Check Point, Juniper, Cisco and Fortinet.

Also at the application level, another leap in database security appears to have happened, with database security vendor Secerno going beyond the external database firewall model we’re seeing today to include access controls, encryption management, and filtering at the database kernel level.

Improvements in Web and cloud application security are also beginning to emerge that go beyond the traditional Web application firewalls. Mykonos, at a classy reception atop the Sir Francis Drake Hotel, launched a secure end to end framework for Ajax application developers. It includes encryption, digital signatures, logging, and auditing against SQL injections, session hijacking and other common problems associated with Web applications.

Particularly during this economic downturn, this type of unsexy, low-level, standards-based development is exactly what the industry needs in order to emerge from the recession prepared for customer demands, says Tom Corn, VP of marketing for RSA.

“We’ve got to stop playing Whack-a-Mole with all these new security issues and solutions that come up,” he says. “We need to decouple authentication from individual applications to enforce policies that span identities, infrastructure and information controls.”

RSA First Impressions: Virtualization and Identity Innovations

SAN FRANCISCO—Virtualization as a security mechanism, starting with virtual vaulted machines for different levels of use, is one idea to come out of Symantec’s innovator’s meeting today at RSA.

In this model, there would be the primary VM the same as most computers today; least secure “playground” (players, peer to peer, etc.)” and super securest, preconfigured with minimal applications (o/s, browser) for use during the HTTPS session.  All this would roll over flawlessly without user notice … in fact they had to put up funny little icons to show when they were switching between Virtual Machines during the demonstration.

This is a backward take on what I’ve been thinking about security as a virtualization device in that it can hide the security software beneath the O/S and therefore not get rootkitted. They have plans to go there, too, but they started first with the virtual desktop piece.

I’m not thoroughly satisfied with their answer to my question on upkeep (patching, configuration) for the three machines: Their answer is the master is still controlled like they would a single physical machine with their auto updates turned on, etc. The necessary updates will hit them all where they apply, but somehow Symantec will have to ensure that the uber secure machine, at least, is continuously configured securely.

Symantec also had this idea of identity layer that would require a middleman to vet identities for uber secure accounts and later for the masses once we get all the standards, vendors and new layer of middlemen sorted out.  Symantec says customers are begging them to manage their identities.   In this model, Symantec would act like the master Verisign type service only deeper. But how is this different than the vetting type ID services in action today?

Think about dating sites, says Brian Hernacki, Symantec Architect. Serious customers would pay extra for a stamp or a star saying they’ve been vetted enough to know they’re not making things up.  So they’ll pay extra to be snooped upon?  Now that’s a turn of events.

Help! I'm Stuck in London and I've Been Robbed!

The scam got one of my daughter's college friends to send $300 to a total stranger in London. How? 

First the scammers somehow hijacked her Facebook account, then sent an urgent message to all her Facebook Friends. The message said she'd been robbed in London, had no money or passport and to please wire money. My daughter's sweetest of friends sent the money without question, which is what the scammers want. They want to elicit such a strong emotion that the recipient acts first, asks questions later.

Question are what I started asking after my daughter contacted me about the scam. An FBI spokesperson said they've recently received multiple complaints reporting their Facebook accounts and other e-mail accounts were being hijacked and mails sent to all the addresses in their email lists with the same or similar message.

Although it sounds suspiciously like a Facebook problem, a spokesperson from Facebook told me that this was a manual attack, these accounts are getting picked off one at a time. He also said that the accounts were likely taken over by someone who got their passwords somewhere else - most often through another online account  using the same email and password. This makes sense to some degree, as my daughter said she did have a problem with her Paypal account about a month earlier in which Paypal alerted her that her account had been "accessed by a third party."  And she used the same password and email address for both accounts.

But why, all of a sudden, this rash of these scams over Facebook specifically? I still hazard it might be a Facebook problem. 

But it's also just as likely that accounts were accessed through another hacked account, for example from a hacked Paypal account to a Facebook account. To me, that means that there is a secondary market for stolen credentials. In the primary market, financial information is phished and derived directly from compromised accounts. When the activity caught and the account closed, they then peddle the credentials off to somewhere labor is cheap. In this secondary market, they scour around for Facebook and email accounts that are used by the same people, test the credentials, and viola! they're in.

It's making my head spin.  

Bottom line is DON'T FALL for these scams. Second, if you use the same password for multiple accounts, you might want to rethink that. Or at the least, change passwords to all accounts using that password should one go awry.