Hello again. Day 2 of RSA Europe 2008 was a busy one. I attended several sessions during the day and then the Security Catalyst, Security Bloggers, Security Twits get-together happened that evening. This post will only talk about the day. The meet-up post will be later. Without further ado, let’s get to it.
‘The New Face of Cybercrime’ Film Screening and Executive Panel Discussion
Fortify commissioned the creation of a short film that explores what cybercrime looks like in today’s world. The film was well done and does a good job of showing that cybercrime is no longer about how many defacements malicious individuals can rack up. It isn’t about bragging rights on which systems were hacked. Cybercrime is big business these days.
Those perpetrating it are doing it for money. As such, they don’t want to get kicked out of your systems and don’t want anybody to know they are there. It is a different world and we need to be vigilant and focused if we are going to be successful in protecting our enterprises.
Blinded by Flash: Widespread Security Flash Developers Don’t See
Prajakta Jagdale, Security Researcher, Hewlett-Packard
Prajakta’s session was an interesting one. She showed us how most current problems we find in web apps also exist in Flash-based applications. This includes things like XSS, cross-domain privilege escalation, data injection and others. She also showed some interesting things that can be done with some ActionScript functions like onMetaData, a video-related function, setClipboard, which does exactly what it says, and runtime instantiation.
Of more concern is her finding of client-side authentication and other client-side issues in a disturbing percentage of applications.
The Future of Privacy
Bruce Schneier, Security Technologist and CTO, BT Counterpane
Bruce always has interesting things to say. I will share that most of what he talked about is stuff that he has been talking about in his essays and on his blog. That being said, here are a few nuggets that resonated with me.
- Data is a byproduct of the information age – systems are not generating scads and scads of data on you because they are malicious. It just happens as more and more facets of our lives are moderated by computers. Think about email, telephone calls, credit card purchases, books bought via Amazon. All of these generate data.
- Ephemeral data is now stored – In the past the conversation you had in the hall with your co-worker disappeared as soon as it was over. Now, with email, instant messaging, Skype and other methods of electronic transport becoming more and more the primary method of communication, those conversations are sticking around.
- We aren’t in control of that data – We don’t have the ability to delete all the data that is being built up about us because we don’t control it. Again, this isn’t malicious, it’s just the way things are in the information age.
The rest of the keynote was quite interesting as he delved into many facets of what will be happening moving forward.
Herbert H. Thompson, Ph.D., Chief Security Strategist, People Security
Dr. Thompson gave a great talk that drove home even more that we are in an era where the motives of today’s attackers are no longer about the ‘cool’ factor. It is a business and we are being faced with well-financed and motivated attackers who are interested in what we have as opposed to just wanting to take us down. He posits Five Laws of Hacker Economics, which are worth a read. Good stuff.
Another good day at the conference.