We have nearly 100 attendees with us here today from across Latin America. Countries including Brazil, Argentina, Mexico and Peru are represented. Attendees span local and regional business and industry, government, academia, CERTs and security researcher communities. The thematic focus will range from e-crime attacks, the vulnerability economy and the regional threat landscape, cloud security, mobile security, embedded devices, social networks and the web 2.0 community, and last but surely not least, the Microsoft Security Response Center processes and integration of a Security Development Lifecycle. To learn about the presenters taking the podium today, check out Celene’s announcement post for a deeper look.
In our continued efforts to evolve BlueHat and keep content innovative and relevant, we’ve taken an idea from our friends at H2HC and kicked off our event by hosting a panel entitled “Hackers and you”. We have invited Ivan Arce, co-founder of Core Security Technologies; Rodrigo Rubira Branco, Hacker to Hacker Conference (H2HC) organizer; local security researcher and previous BlueHat speaker, Manuel Caballero; You Sh0t the Sheriff (YSTS) conference organizer, Luiz Eduardo; Felix ‘FX’ Lindner, head of Recurity Labs and of PH-Neutral fame; Damian Hasse, Principal Security Development Manager of the MSRC/MSEC; and Nico Waisman of Immunity to contribute their thoughts around the term “hacker” – what it means to be one, how it differs throughout regions, and how to keep “hackers” part of an effective enterprise security team. The panel was moderated by our own Andrew Cushman, senior director of Trustworthy Computing at Microsoft, and offered a variety of unique insights. There was a ton of good commentary. Rodrigo mentioned how the security researcher community really drove broad awareness and vendor responsiveness. FX spoke about how understanding a system is the best way to build a strong defense and highlighted approaches such as the Elevation of Privilege (EoP) card game produced by our SDL team. From the MSRC perspective, Damian shared how he’s made an effort to keep an active “hacker mindset” as part of an effective security team within Microsoft. Ivan closed the commentary by highlighting how BlueHat provides a platform for seemingly disparate groups of attendees to effectively engage where they may not otherwise have the opportunity to do so through typical formal communication methods. He encouraged all attendees to look to their neighbors in the audience and take advantage of such experiences to seize and create strategic, mutually beneficial opportunities.
We have strategically partnered with Security Week, a Microsoft hosted event put on by the local Microsoft office in the region. This partnership allows us to bring security and privacy information to local IT Pros, BDMs and Policy Makers. So far this Security Week Buenos Aires installment has reached more than 500 people, providing over 40 presentations throughout the course of the week.
If you haven’t seen the recent posts by BlueHat Security Forum members, check out Manuel Caballero and FX’s insights and stay tuned for future updates. Nothing like bringing the legitimate security space of Latin America together and creating a melting pot of new ideas and relationship-bridging! This might even beat the lomo!
*Postings are provided "AS IS" with no warranties, and confers no rights.*
RSA got its name from the very roots of what protects our data on the Internet. Rivest, Shamir and Adleman are a trio of cryptographers whose findings still underpin the vast majority of today's Internet and e-commerce transactions. Their public-key RSA algorithm is used to protect just about any information that is transferred securely across the Internet. It is one of the most widely used public key algorithms and applies in those cases where you don’t have the ability to exchange a unique password with every party you wish to communicate with in advance.
It is of no surprise then that RSA started 19 years ago as an event that focused heavily on cryptography. Over the years, it gradually changed, and today it is much wider in scope, with an especially remarkable vendor area. While this is not the place where we run into most of the security researchers we work with on a daily basis, it is a great venue to learn what is happening on the vendor end of things.
Talks at RSA can be divided into two categories: massive keynotes that attract a large audience and discuss some of the bigger topics of the day, and smaller breakout sessions that cover very specific issues and can be as technical as those at most of the more technical conferences. Breakout sessions are often accompanied by even smaller meetings, the ad hoc peer-to-peer sessions that are set up to bring together like-minded folks wanting to discuss a topic in more privacy and over a few beers.
A big thing for Microsoft was the presence of our corporate vice president of Trustworthy Computing, Scott Charney. He presented on the Microsoft vision for end-to-end trust: getting to a safer, more secure Internet. Scott’s talk exposed the interesting dilemma of choosing between two things that matter to us all: anonymity and accountability on the Internet. Talking to some of the attendees after his talk, I understood that they were especially intrigued by the U-Prove technology, which was announced during his talk. U-Prove allows people to disclose only minimal identifying information to applications and services when they access them using an ID-Token. This technology helps bridge that gap, and brings us closer to an Internet where attackers can get caught and individuals can maintain their anonymity.
Other interesting keynotes dealt specifically with that accountability question: how do we, as individuals, corporations, or nations deal with cyber attacks? Interesting from that point of view was the large government presence. Any black hats in the audience would have felt intimidated by the presentations from Howard Schmidt, the newly appointed US Cybersecurity Coordinator, and Janet Napolitano from the Department of Homeland Security.
Going back to the roots of the conference, I also really liked the Cryptographers’ Panel. Earlier on in the conference, whilst prowling the conference book store, I had picked up a little novel with a rather interesting title, “Tetraktys”. It turned out to be a very interesting read that fit in with the conference crowd perfectly, covering a young graduate who roves across lost temples, chases secret societies, and most aptly, attempts to prevent the factoring of the RSA protocol. To my surprise, the author’s name popped up as moderator of the panel. Ari Juels did a great job on the panel getting several cryptographic pioneers, Whitfield Diffie, Martin Hellman, Ronald Rivest, Adi Shamir, and Brian Snow (of NSA fame), to tell their often-amusing stories. Quite interesting was Brian Snow’s recommendation to slow down the current SHA-3 selection process. Given the rapid progress of attacks against common hash functions such as MD5, this is of particular interest to us. An interesting discussion also erupted at the end about academic versus government research in cryptography. This inspired a lively war of words, a must see!
The breakout sessions also did not disappoint. Much more practically focused than the keynotes, several of them focused on modern malware and rootkits, and how they really pose a threat. While many did not directly cover product vulnerabilities, RSA presentations do tend to bubble up what the researcher community is looking at, and left us with some interesting ideas. While the cloud and the advanced persistent threat were readily present with many presenters, some of the more intriguing ones covered the backdooring of active code runtime applications and the time artifacts left on the file system when editing or viewing files.
I especially liked F-Secure’s discussion on the evolution of rootkits. They went back to Pakistani Brain, an old memory-resident boot-sector infecting virus, and showed how many of its techniques are very similar to those of more modern rootkits. This was especially interesting to me, as Brain’s reputation was one of the things that initially brought me into the information security community!
Microsoft actually had a pretty large presence at RSA. Katie Moussouris and Bryan Sullivan presented on the various tools Microsoft has written while building the Security Development Lifecycle. If you are interested in BinScope, MiniFuzz or the SDL Threat Modeling Tool, check out the preview of their presentation at the RSA web site. It was actually a big conference for the SDL team: Adam Shostack also launched a creative approach to threat modeling. Elevation of Privilege is a card game, designed to help anyone developing software get started with threat modeling. Read more on how to play the game at the SDL blog.
On Wednesday, Katie also showed off her second hat, joining a lively debate on the future of responsible disclosure. Together with her work in the SDL team, she has also been a long-standing member of the MSRC, developing quite a bit of Microsoft’s own disclosure policies.
Alas, circumstances caused me to miss the latter deliberation. Jonathan Ness, Bruce Dang, and I also presented a breakout session at the same time on Wednesday, covering the changes in five years of content-based attacks. These are the targeted attacks you may often hear about that exploit vulnerabilities in common productivity applications or PDF readers. We got great feedback from the audience, and got lucky! An interested audience member had set up a peer-to-peer session to discuss some of the things we reviewed, and we had a great follow-up discussion with attendees who had similar interests.
Needless to say, some of these discussions went way into the evening. One of the great things about RSA is how varied the audience is. While most attendees are either customers or developers of security software, this community has incredibly clever individuals! Probably the best evenings of the conference were spent with some of the lead developers behind the many security products, talking about the principles behind their software. In recent years I have sometimes felt that many of the security products released were too complex and prone to deployment issues. It was refreshing to see that many vendors are going back to the roots, applying numbers, big but reliable numbers, to solving hard security questions.
See you at CanSecWest!
One of the questions I am often asked is regarding security updates for Windows systems that fail the Windows Genuine Advantage (WGA) check. In other words, who gets security updates? It’s an understandable question, and it has a very clear answer.
"Security updates are available to all systems."
It is just that simple. If Microsoft has provided a security update, you can install it on your system. This is still true even if your system fails the WGA validation check. There are also no WGA checks for service packs, update rollups, and important reliability and application compatibility updates. Paul Cooke, a Director in the Windows Client group, also stated this last year in his Windows Security Blog. On Windows Vista and Windows 7, available security updates can be accessed through Windows Update in Control Panel. On Windows XP, systems that fail a WGA check can still access security updates through Automatic Updates.
Keeping all Windows systems current on their security updates is a big part of keeping a healthy Windows ecosystem. After all, Conficker and Blaster don’t check for WGA. If you don’t have the right security updates, they just compromise your system and then spread to other systems. While a large part of my job is responding to vulnerability reports, it is always better to have proactively helped users stay secure.
So if you have ever wondered, now you know. You can always get security updates regardless of WGA validation. We at the MSRC are completely committed to ensuring our security updates go out to as many of our users as possible. So install those security updates without fear, and if you happen to run into me at a conference and want to hear everything else I do, just let me know. It is a story I love to tell. Just make sure you have an hour or two to spare. :-]