And now it’s time for a commercial message. I was selected to be a Peer2Peer session facilitator for the 2012 RSA conference, taking place February 27-March 2 in San Francisco. My session is entitled Improving Security Policy: What Works? The session will occur February 29 at 8am, more details are at this link.

I plan to facilitate discussions about both what is wrong with Security Policy, and what works to improve it. Google’s new privacy policy will likely come up in discussion, along with some of my notions on prioritizing policy.

I invite all those who have had to write policy, read policy, and/or put policy into practice to attend. It should be a good discussion, and when we’re done I expect everyone will have learned some things that they can put into place the next time they are writing or editing security policy.

If you’re interested in online security, you’ve probably heard about HBGary.

If you haven’t, here’s a brief rundown with a few links:
A security firm, HBGary (or, more accurately, HBGary’s subsidiary HBGary Federal) announced that they had discovered the names of some of the supposed ringleaders of the “hacktivist” organization Anonymous.
This “angered the hive” and – rather than the generally low-risk and unsophisticated DDOS attacks for which Anonymous is better known – Anonymous used a combination of social engineering, SQL Exploits, and password cracking to compromise one of HBGary’s servers. They leveraged that to get into multiple servers, ultimately gaining access to HBGary’s email and no few internal documents – including business plans and proposals to potential clients.
Anonymous then published the information they found – all of it. This embarrassed and scared off most, if all, of HBGary’s potential clients, ruined ongoing negotiations, and exposed activities which indicated questionable ethics and which might be illegal.
HBGary’s actions after this compromise might charitably be called “unfocussed” or possibly “unplanned”. “Foolish” or “Crazy” would possibly be more accurate. The HBGary CEO even engaged with some Anonymous members via IRC, to dubious results. Perhaps the best testament to this incident is the current state of HBGary Federal’s website.

Remarkably, there aren’t any new lessons to be learned here.
HBGary Federal’s first mistake was in taunting Anonymous: no matter how secure you think you are, you’re better off WITHOUT people trying to break down the gates.

The second mistake was in underestimating the enemy. Although Anonymous as a group has mostly engaged in DDOS attacks, they did so using a modified version of a professional load-testing tool: clearly some of their members have always had access to such tools and the ability to modify them. In other words, at least some of Anonymous are clearly highly capable.

The third mistake – or rather, set of mistakes – was likely the most common. HBGary’s infrastructure wasn’t properly secured. They were vulnerable to social engineering, and an important server could be compromised with an SQL injection exploit, and – worst of all – the attackers were able to use that one compromise to access nearly everything else. This is not a very good security posture, especially for a security firm.

Lastly, they didn’t have a recovery strategy. While this sort of compromise is one of the worst-case scenarios, it clearly behooves a company to plan for it, at least in a general fashion, and respond in an organized fashion which helps rebuild client trust and reduce the damage.

While these aren’t new lessons, it’s still worthwhile to look them over again: don’t encourage attacks, maintain a realistic awareness of the attackers you’re facing, harden your infrastructure, and have a recovery plan. Remember that it CAN happen to you, and act accordingly.

Greetings from the 2011 RSA Conference in rainy San Francisco, CA. Yesterday I attended the opening keynotes of the conference, and a certain statement by RSA’s Art Coviello caught my ear and needs some further discussion.

The conference opened with a fantastic video called “Giants Among Us” which provided a brief chronicle of the rise of public key cryptography, from Martin Hellman, Whitfield Diffie, and Ralph Merkel, to Ron Rivest, Adi Shamir, and Leonard Adelman. It was well produced and is worth a watch. Note: updated link to HD version.

Art Coviello then came out and started his talk with a brief history of the 20 years of the RSA Conference, which was entertaining in its own right. He brought up classic confrontations, amusing talk titles, and showed the advance in both the number of talks and the amount of marketing over the years. During this session, Art showed a chart which displayed the number of talks about public key infrastructure (PKI) over the years.

Note: it turns out that 2001 really was the “Year of the PKI”, and it’s not always next year. This chart was a bit of an eye-opener, especially for me – a long time PKI evangelist. (No wonder those proposed talks aren’t being accepted!) At the conclusion of this discussion, Art made the following comment:

While smart cards and PKI never achieved the ubiquity we thought, they’ll continue to play a major role in security, especially PKI in cloud computing…

Here is where I definitely need to disagree. There is a difference between ubiquity and commodity. PKI’s ubiquity cannot be measured by the number of product vendors on the show floor, or talks offered at the conference – it can only be measured by the deployment and use of actual X.509 certificates throughout the world.

Some examples: If you have used SSL or TLS, you have used a PKI. If you have used a web service, such as SAML, you have used a PKI. If you have used a virtual private network (VPN) solution, you have used a PKI. If you have used Microsoft Remote Desktop, Active Directory, or any number of other crucial back-end services which use public key cryptography, you have used a PKI.

PKI is ubiquitous. It just isn’t getting in the way as much anymore.

Chances are, if you read 10 articles or blog posts about the 2010 RSA conference, you will hear the term “cloud computing” ten times. The cloud was clearly the dominant theme of most of the presentations, product demonstrations, and discussions which took place at the Moscone Center in the first week of March 2010. However, another theme was nearly equally present in presentations and discussions: Cybercrime.

(more…)

As I mentioned in an earlier post, the 2010 RSA Conference Keynote addresses have been posted online and I’m linking some of my favorites from the 2010 conference. You can view an interactive webcast, view the video, or even listen/download audio-only podcasts of the keynote presentations. It is often hard to follow the keynotes in the first day, so I’m just going to mention the highlights from the rest of the week.

• Tuesday’s keynote by Philippe Courtot, Chairman & CEO of Qualys was a pretty good one, and should have been given prior to some of the other keynotes since it provided a bit of a primer on cloud computing. He discusses some basics around cloud computing and what it will likely become in the future.
• It is always important to hear what the Government has to say, so Janet Napolitano’s brief remarks are worth watching.
• Tired of pure security talk? Catch a good presentation and discussion on emerging brain-computer interfaces by Dr. John Donoghue.
• While I think Art Coviello’s keynotes have been getting better over the years, I always preferred the first day keynotes by Jim Bidzos. We were fortunate to get a keynote presentation from him this year about security and trust on the Internet.
• And finally, the always entertaining Hugh Thompson provides a look at the steps forward and back in security over the last year and interviews a few individuals including Craig Newmark from craigslist and Steve Wozniak.

Keep an eye on the 2010 RSA Conference website, especially if you were an attendee/delegate. Over the coming weeks and months they often make some of the most highly valued discussions and presentations available for viewing. It is a good way to stay connected to the themes of the year even if you couldn’t be at the conference.

I know this post is a bit delayed, but this is a good opportunity to take advantage of the fact that the 2010 RSA Conference Keynote addresses have been posted online.  You can view an interactive webcast, view the video, or even listen/download audio-only podcasts of the keynote presentations.  Some of my favorites from this past RSA conference included:

• Art Coviello’s keynote continued on his theme from last year for the increasing need of companies and competitors to work together to secure the cloud,  He made an initial announcement of the collaboration between EMC (including RSA and newly acquired Archer), Intel, and VMWare to provide mechanisms to trust (and therefore help meet compliance requirements) the physical and virtual hardware elements of a cloud-based computing infrastructure. He also brought up an extremely good point: the transition to cloud-based computing is inevitable, and rather than wringing our hands about how difficult it will be to secure, we should see this transition as an opportunity to change the way security is performed and delivered.  It was a traditional type of message for Mr. Coviello, but one that resonated with me better than his keynotes in previous years.
• Scott Charney’s keynote was focused on what Microsoft is doing to help us achieve end-to-end trust.  It was interesting to hear that Scott has been at Microsoft for eight years which is about the exact same amount of time since Bill Gates’ trustworthy computing initiative was started. While Microsoft has often been hammered for making mistakes with security, it is clear that the last eight years have seen terrific improvement.  He similarly delivered a message including some new efforts Microsoft is involved in, and indicated that collaboration was the key to success in the security arena.  A great quote from that presentation:

And every now and then I juxtapose my four and a half year old with my 80-year old mother, in part because they behave so much alike it just astounds me. But let me tell you one way they also behave alike. My four and a half year old has learned to navigate with a mouse, and it’s just great to watch. He navigates to the mouse, up pops this security dialogue. He can’t read. He doesn’t understand it. He clicks okay.Then I go to my mom. She’s got a PhD in education. She gets the dialogue box. She can read, she doesn’t understand it, and she clicks okay. Okay? We can’t do it that way anymore.

• The Cryptographer’s Panel included a new member this year, Brian Snow from the NSA.  If you watch nothing else, you should watch this for the broad scope of education, information, and entertainment it provides. Having the perspective of the NSA added is an interesting one, and it is clear from the ensuing discussion that neither the academic community (represented best by Ron Rivest and Adi Shamir) still doesn’t trust the NSA, and the NSA believes it still has a leg up on everyone when it comes to cryptographic advances.
• Some brief remarks from Howard Schmidt, White House CyberSecurity Coordinator. He gave a powerful analogy between how cybersecurity is evolving compared to how firefighting evolved.  He also provided some updates about what the current administration is doing in the area of cybersecurity, building on the presentation by Melissa Hathaway last year.

Overall the 2010 keynote presentations were among the better first day of keynotes in all the 10 RSA conferences I’ve attended.  The above presentations were my favorites, and I hope you can spend some time to watch them!

As you may already know, I’m attending the 2010 RSA Conference in San Francisco, CA.  I’ve been spending so much time talking with vendors, going to keynote talks and going to track sessions I haven’t had much time to finish writing and editing any full blog posts yet.  Rather than rush to publish, I want to take my time and write up my thoughts and experiences fully.  As a result, there will probably be a number of delayed posts in the coming days and weeks about my experiences here.  For now, I’ll leave you with these teasers from my first day at RSA:

• Art Coviello (RSA) believes that the emergence of cloud computing will be our opportunity as an industry to turn the way security is delivered inside out.
• Paul Maritz (VMWare) thinks the formula for embracing cloud computing is simple: improve efficiency, improve agility, improve security.
• Mark Benioff (salesforce.com) stated Lotus Notes was conceived before Mark Zuckerberg was; enterprise software needs to change, and become more like Facebook.
• As evidenced by having Brian Snow, NSA on the Cryptographers Panel: the commercial and academic communities still have a lot of distrust and suspicion of the NSA.

Other items I’ll be writing about: a lunch I had with F-Secure’s Mikko Hypponen where he discussed cyber crime, and a session I attended called “Winnovation- Security Zen through Disruptive Innovation and Cloud Computing”.  Stay tuned!