STE WILLIAMS

Cyberspies blast Icefog into US targets’ backdoors


Miscreants behind a cyberespionage campaign have changed their methods to take advantage of Java-based malware.

The Icefog APT (advanced persistent threat), discovered in September 2013, continues to be a problem, this time utilising a Java backdoor, according to the latest analysis of the threat by security researchers at Kaspersky Labs.


Analysts at the Russian security firm have observed three unique victims of “Javafog”, all of them in the US. One of the victims is a very large American independent oil and gas corporation, with operations in many other countries.

The threat first arose in 2011 with attacks against supply chain organisations to government institutions, military contractors, maritime and ship-building groups mainly in Japan and South Korea. This run of attacks featured spear phishing and malware targeting Mac and Windows machines as part of a hit-and-run campaign that didn’t rely on siphoning off information from victims over an extended period.

The attackers behind the campaign went dark, shutting down all known command-and-control servers, after their campaign was exposed last September, only to resurface with a new run of attacks using a different Java-based attack vector, detected by Kaspersky analysts over recent weeks.

Java-based malware is less widely used than either Windows or Mac executables, and can be harder to spot, according to Kaspersky researchers. This added stealth could explain the attackers’ switch to the write-once-run-anywhere programming language.

“We observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” Kaspersky researchers explain in a blog post on the latest manifestation of the threat. “We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations.”

A detailed rundown of the Icefog use of a Java backdoor against US targets can be found in a blog post, complete with code snippets and samples, by Kaspersky Labs here.

All generations of the threat bear the hallmarks of state-manufactured malware rather than something geared towards conventional cybercrime, but Kaspersky Labs researchers are not speculating on its possible origins.

Dana Tamir, director of enterprise security at IBM-owned Trusteer, said Java has numerous vulnerabilities that can be exploited to deliver malware and compromise users’ machines.

“Because organisations can’t eliminate Java from their environments, it is not surprising that adversaries and cyber-criminals are using malicious Java code to infiltrate them.”

To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files. Since organisations struggle to manage and maintain a complete list of all known trusted files, they should at least restrict execution to “files that have been signed by trusted vendors, or downloaded from trusted domains,” she added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/15/icefog_java_based_backdoor/

Five Security Services To Consider in 2014

With security expertise continuing to be in short supply, managed and cloud services will play a greater role in securing companies in 2014.

Benefiting from the knowledge of managed security service providers–or the built-in expertise in existing cloud security services–can help non-technical companies build the infrastructure needed to stay secure. For more security-savvy companies, service providers can take over the day-to-day security drudge work, and allow internal security teams to focus on bigger security issues that may be affecting the company, says Neil MacDonald, a vice president and fellow at business-intelligence firm Gartner.

“If I’m an organization with limited resources, I would rather free up my security team’s time to focus on more advanced threats rather than the more routine things like log monitoring, firewall management and vulnerability management,” he says.

Whether a company pursues a managed security service, a cloud security service, or some hybrid with their existing capabilities depends largely on their own expertise and whether the organization already uses the cloud for existing business processes, says Rob Ayoub, research director for NSS Labs, a security consultancy.

“A lot of it depends on how they are using the cloud,” he says. “Are they using the cloud as an extension of their existing infrastructure? Or are they using the cloud and consuming services from the cloud as a way to expand their security capabilities or maybe because they do not have the in-house expertise.”

Whichever may be the case for your company, the following services could be in your future this year.

1. Cloud asset control
Most companies do not know how much they rely on the cloud, frequently underestimating the number of cloud services being used by employees. From its own customer data, for example, cloud-management provider Skyhigh Networks has found that the average firm uses approximately 550 cloud services.

In the past few years, a number of startups–such as CloudPassage, Netskope and Skyhigh Networks–have focused on the problem of taming the wild and varied adoption of cloud services. These cloud-application visibility services allow companies to discover what services they are using, the risk those services pose and then manage the threat, says Jim Reavis, co-founder and CEO of the Cloud Security Alliance.

“These types of services give you a pretty good visibility into what cloud services are in use, and allow companies to take the next step and implement controls,” he says.

2. Log management to incident detection
Many companies already use a service provider to collect and manage logs, archiving the data for compliance purposes. With an increasing focus on network and business visibility, companies need to turn those logs into information on what is happening in the network.

The category actually covers a spectrum of services, from log management to security information and event management (SIEM) systems to Big Data analytics. Once companies have their log monitoring in the cloud, there is no reason not to look at analyzing the data, says Gartner’s MacDonald.

“They can essentially tell you if you have been compromised,” he says. “That can be intensely interesting, especially if you are a smaller organization and you don’t have the resources to build a security operations center.”

[Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere. See 5 Ways Cloud Services Can Soothe Security Fears In 2014.]

Eventually, a focus on detection will turn into a focus on response and shutting down attackers, making incident-response services–such as those that may come from FireEye’s purchase of Mandiant–likely to grow significantly over the next few years.
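The point of item 2 is that archived logs only become detection once something correlates them. As an added illustration (not code from the article or from any of the vendors it names), the script below runs a simple correlation rule over a handful of constructed sshd-style authentication lines: a burst of failed logins from one source inside a short window is flagged as a brute-force attempt, and any subsequent successful login from that same source is escalated as a likely compromise. The log format, thresholds and addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the article); Linux sshd-style auth events.
SAMPLE_LOG = """\
2014-01-15T10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51111 ssh2
2014-01-15T10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.9 port 51112 ssh2
2014-01-15T10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 51113 ssh2
2014-01-15T10:00:07 host1 sshd[1204]: Failed password for root from 203.0.113.9 port 51114 ssh2
2014-01-15T10:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.9 port 51115 ssh2
2014-01-15T10:00:20 host1 sshd[1206]: Accepted password for root from 203.0.113.9 port 51116 ssh2
2014-01-15T10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2014-01-15T10:30:00 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Assumed line layout: ISO timestamp, host, sshd[pid], then the usual sshd result text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Turn one raw log line into a dict of fields, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Correlate auth events per source IP.

    Returns a list of alert tuples:
      ("brute_force", ip, host)             -- >= threshold failures within `window`
      ("success_after_brute_force", ip, user) -- a login accepted from a flagged IP
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()                # ips already reported as brute-forcing (never expires here)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log noise is skipped, not treated as an error
        recent = failures[ev["ip"]]
        # Slide the window: discard failures older than `window` relative to this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["host"]))
        elif ev["ip"] in flagged:
            # A success from a source that was hammering the host is the alert that matters.
            alerts.append(("success_after_brute_force", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, 203.0.113.9 trips the threshold on its fifth failure and is then escalated when the `root` login succeeds eleven seconds later; alice’s single failure followed by a key-based login half an hour later produces nothing. The same shape (parse, keep per-entity state over a sliding window, emit only on the combination that matters) is what a SIEM rule does at scale; the rule logic is the easy part, and the value of an outsourced service is in doing it across every log source continuously.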

3. Identity Management
As companies rely on an increasing number of cloud providers, managing access to those services has become more complex. Identity and access management in the cloud makes a lot of sense for firms who use a large number of cloud services, says CSA’s Reavis.

“There is a real risk that employees duplicate their identities out on the Internet, and that raises the risk of a lateral attack, where a breach at one provider allows an attacker to breach the employee’s other accounts,” he says.

4. Encryption
The revelations that the U.S. National Security Agency is collecting massive amounts of data from the Internet has caused more companies to pay attention to how their data is secured in the cloud. While locking down data at rest with encryption is a good idea, especially when it is outside the firewall, many companies had been relying on the security of their storage providers to protect the data.

While a number of vendors, such as CipherCloud and Voltage Security, focus on encrypting data held in cloud services, the market is still nascent. That will likely change this year, as cloud services focusing on encryption and access management grow, says NSS Labs’ Ayoub.

“I think identity and encryption are the two areas where we will see a lot of adoption this year,” says Ayoub. “We need to focus on protecting who’s accessing the data, and we need to focus on protecting the data.”

5. Security testing in the cloud
Many companies have to focus on securing their software, not just their networks, whether the software is internally developed or comes from third parties. Outsourced application testing, or application testing delivered from the cloud, can find the most common bugs, help train developers, and hold third-party software firms to a standard security assessment.

“Application security testing is more difficult work, but it is becoming better understood,” he says. “By using one of these vendors to test their applications, or requiring their supply-chain partners to test their applications, they can enhance their security.”

A number of companies offer application testing and assessment services in the cloud, including Cenzic, Cigital, Veracode, and Whitehat Security.


Article source: http://www.darkreading.com/services/five-security-services-to-consider-in-20/240165414

UK government urges small businesses to become more “cyber streetwise”

Hot on the heels of yesterday’s announcement that it’s launched a new £4 million campaign to help raise awareness of cyber security issues, the UK government has today urged small and medium-sized businesses (SMEs) to get more clued-up on cyber security.

It stresses that SMEs need to increase their protection online, not just for their own safety and that of their customers, but also because it could well present more business opportunities:

  • 59% of consumers said they would be more inclined to shop online with a large brand, rather than a SME, because of concerns over cyber security
  • 82% of consumers say they would buy more online from SMEs if these businesses were better at showing how well protected they are from cyber crime
  • 3 out of 4 (77%) of procurement managers at large businesses say they require SMEs to prove their cyber security worth before they will be considered for selection as a supplier.

Security Minister James Brokenshire said:

Companies who have effective cyber security in place can gain an advantage over their competitors because they are trusted by their customers. If people are aware their data and details are safe they are more likely to do business with you.

The government quotes recent research on SME online safety which shows only:

  • 46% regularly monitor their IT systems for breaches
  • 48% restrict access to their IT networks
  • 58% regularly use complex access passwords
  • 66% regularly download the latest software updates
  • 46% control the use of USB storage devices.

It’s clear that there is work to do, which is why the government is helping to educate SMEs with its new Cyber Streetwise website, which includes lots of tools to help keep everyone safer online.

Brokenshire comments:

The ‘Cyber Streetwise’ website is designed to provide SMEs with impartial advice and tips about how to make some simple but effective changes to improve their online security. This in turn will enhance their reputation, improve consumer confidence and ultimately, boost sales.

Sophos is helping to support Cyber Streetwise with content and advice on the Cyber Streetwise website, as well as a range of tools and tips to help educate people on its own site.

There’s even a ‘Threat hunter’ game to help you spot the threats that might be lying around on your desk.

And if you haven’t yet done so, you can assess the security of your network here.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/64MVnGZrPSk/

Patch Tuesday January 2014 – Microsoft, Adobe and Oracle

As expected Microsoft delivered four patches today covering Windows XP, 2003, 7, 2008 R2, Word and Dynamics. All four patches are rated important, the first time in memory that none of the fixes were critical.

The Word fix applies to all Windows versions and could result in remote code execution. (What does this mean?) The operating system fixes will require a reboot.

Adobe also released fixes today for Acrobat and Reader X and XI. This first update of 2014 for Adobe fixes three remote code execution vulnerabilities and should be considered a critical update.

You can get the updates from the integrated updater tool or from http://get.adobe.com/reader.

The big one today is Oracle’s quarterly update which it calls Critical Patch Update January 2014. As Duck commented, it is a bundle of fixes covering 144 different vulnerabilities.

Many Oracle products are covered, I am only going to highlight the most common ones here. You can view the complete list on Oracle’s security page.

Java has been updated, as expected, fixing 36 vulnerabilities, 34 of which are remotely exploitable without authentication.

If you don’t need Java, please turn it off in your browser. If you aren’t sure, turn it off in your browser… You can always reinstall. If you must have it installed, be sure to apply this update immediately.

Oracle also patched 18 vulnerabilities in MySQL, three of them remotely exploitable, and 9 vulnerabilities in VirtualBox, four of which are remotely exploitable.

(Note: only older supported branches of VirtualBox get updates, namely versions 3.2, 4.0, 4.1 and 4.2. If you are already on the most recent branch, namely 4.3, you should already have 4.3.6, which remains the latest version.)

As always, we advise you to update as soon as you are able.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Wo3Vkec9EcA/

Modern spying 101: How NSA bugs Chinese PCs with tiny USB radios


The NSA has compromised almost 100,000 computers around the world in its quest to get its tentacles into air-gapped computers operated by adversaries such as the Chinese Army.

The revelation was made by the New York Times in a report published on Tuesday based on documents released by Edward Snowden.


The spy agency has penetrated these computers via “a secret technology that enables it to enter and alter data in computers even if they are not connected to the internet,” the NYT reports.

This tech has been in use since 2008 and uses a “covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards.”

These ghastly widgets sometimes pass data onto a briefcase-sized relay point named “Nightstand” that can be used up to eight miles away, and can feed data packets back to the compromised host. The tech is physically inserted by agents, component manufacturers, or unwitting people who have been pwned, we’re told.

Frequent targets of the uber-snoop tech include the Chinese Army, along with Russian military networks, trade institutes within the European Union, systems used by Mexican police and drug cartels, and folk in Saudi Arabia, India, and Pakistan.

Some of this sneaky gear was crucial to the “Olympic Games” cyber-attack program which successfully inserted the Stuxnet virus into Iranian nuclear facilities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/15/nsa_quantum_radio_compromize/

Security holes in Word, the Windows kernel and Adobe Flash. Party like it’s Patch Tuesday again


Flaws in Microsoft Word and Office Web Apps that allow hackers to execute malicious code on vulnerable systems have been fixed in Redmond’s latest monthly batch of security bug fixes.

In addition, two bugs at the kernel level of Windows XP and 7, and Server 2003 and 2008 R2, allow logged-in attackers to escalate their privileges to administrator-level. Security biz FireEye found the flaw in NDProxy.sys in XP and Server 2003 (MS14-002), which can be exploited if the system has “Routing and Remote Access” switched on.


The Win 7 and Server 2008 bug (MS14-003), found by a researcher called Xiaohong Shi, is triggered “when the Windows kernel-mode driver improperly uses window handle thread-owned objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.”

Meanwhile, members of the Google Security Team found and reported remote-code execution holes (MS14-001) in Microsoft Word 2003, 2007, 2010 and 2013 (including the RT build), plus Microsoft Office services and Web Apps on SharePoint Server 2010 and 2013, and Microsoft Web Apps Server 2013. A maliciously crafted Word document opened on a vulnerable system can exploit memory corruption vulnerabilities to run code as the logged-in user.

Finally, there’s a denial-of-service flaw in biz management tool Dynamics AX, which could be used to block access to a targeted server.

All four of the January fixes were rated by Redmond as “important”, which is third in Microsoft’s four risk levels. While the flaws this month are not critical, users and administrators are advised to apply the updates if possible.

Adobe, meanwhile, is urging anyone still using Reader and Flash Player to install updates for the software on Windows, OS X and Linux. The updates address flaws that could allow an attacker to remotely execute code on a vulnerable system. There are also updates for Adobe AIR on Windows, OS X and Android, and Adobe Acrobat for Windows and OS X.

Adobe and Microsoft have not seen anyone exploiting the aforementioned security holes in the wild. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/15/january_microsoft_patch_tuesday/

The Changing Face Of The IT Security Team

For a peek at the IT security team of the future, consider the team at Cisco Systems or at OpenDNS: in both firms, the security team includes not only malware experts and researchers, but also data scientists with no security expertise whatsoever.

The surge in “big data” resources for vendors and large enterprises, a growing trend toward gathering internal event logs and external threat-intelligence feeds, has pressured some organizations to rethink the type of expertise they need in their IT security department. Enter the math majors, most of whom weren’t schooled in Stuxnet or botnet traffic.

When Dan Hubbard, CTO at OpenDNS, started at his post two years ago, one of his goals was to rethink what a security research team should be. “One of the goals was to rethink if you could restart a security research team, what would be the absolute things you have to have to be competitive?” Hubbard says.

OpenDNS built on the existing team that was in place, but added a whole new generation of members. “Instead of hiring [more] reverse-engineers or malware researchers, we decided to augment [those experts] … [with] data scientists who understood massive amounts of data,” Hubbard says. That also meant adding algorithmic experts with PHDs in machinery, graph theory, some of whom had worked in genome research or fields unrelated to cybersecurity, he says.

The first fruit of OpenDNS’s new-age team was its Security Graph, a free service for security researchers that provides them with access to OpenDNS’s Internet and DNS traffic data and analysis. The idea is to provide researchers with a more global view of malware, botnets, and advanced threats rather than just a snapshot or slice of the activity.

[Red October, PayPal phishing campaign connection discovered via new OpenDNS service for researchers. See OpenDNS Offers Security Researchers Free Service For Tracking Cybercrime, Cyberespionage.]

Today, one-third of OpenDNS’s security team are traditional “security geeks” or experts, and one-third are data scientists who work on math problems to analyze all of the data, Hubbard says.

Cisco also has expanded its security team with algorithmic experts in its Threat Research, Analysis, and Communications (TRAC) group. “We have a whole side of the team comprised of data scientists … They have no backgrounds in security,” says Levi Gundert, technical lead of the Cisco TRAC team. “Data is data to them. At the end of the day, we’re driving use case for them but they are managing the models and tools to quickly pull back data for analysis in an automated fashion.”

Gundert says the gap between the cultures—mainly how the two worlds can speak different languages in the context of security—is a work in progress. “When we increase communication and the opportunities to communicate, we’re seeing a lot more success. Without that, a lot gets lost in translation when shooting emails back and forth.”

He says the teams hold weekly phone calls to ensure both sides are understanding one another.

Times are changing for security geeks as big data and threat intel-sharing become part of the picture. The teams can’t work in isolation anymore: “The days of silo-ing teams has to go away. Even within research teams, you find a Web team, a vulnerability team, and an email team—they all need to come together,” OpenDNS’s Hubbard says.

Much of security research leads to protection when a new threat is discovered. Data scientists take a different approach: “A lot of the data scientists we have hired are looking at a problem before the attack happens,” he says.

Pairing together the security researcher and the data scientist is a powerful combination. “You’ve got someone who knows a ton about the security space and how threats work, and then you’ve got the math/data science person” working on crunching the data and they “feed off each other,” Hubbard says.

When OpenDNS teamed up with Kaspersky Lab to study the Red October attacks targeting diplomatic entities mainly in Eastern Europe and Central Asia, Kaspersky Lab had malware samples that they had reverse-engineered. “They are really good at that kind of stuff—they had recompiled the binary, but didn’t have the data or breadth of the network … so we helped build that.”

That hunger for security intelligence from internal logs and external threat-gathering services goes hand-in-hand with what many experts consider the Holy Grail of security — continuous monitoring — where organizations watch each and every move that goes on in and out of their networks in hopes of catching the bad stuff before it does real damage.

Tenable CEO and CTO Ron Gula says this need for big data gathering and crunching expertise has a lot to do with the evolution toward continuous monitoring. “I only see data scientists with bigger companies –with 10,000 and up or 5,000 and up employees — not at SMBs,” Gula says. “Big Fortune 500s and government agencies can measure their network in real-time and measure patch rates, for example, or tell you the number of systems patched within the last five days for the past 90 days.”

That’s what data scientists do, he says. “In my opinion, the reason they [organizations] are doing [data science] is because they are moving toward continuous monitoring,” Gula says.

OpenDNS’s Hubbard sees large enterprises gradually moving toward data scientists in their security teams as well, but to solve somewhat different problems than OpenDNS, Cisco, and other vendors are solving. A large enterprise security operations center typically has experienced cyberattacks for more than a decade, and in the process, purchased all different types of security tools to defend their environment. “In many cases, they have not deployed it right, and many of these solutions are disparate systems and there’s an information gap between all of them,” Hubbard says.

So some use tools like Splunk, for example, but many are struggling to apply context to the data they’re gathering. “Even with all of those pulling data into one central data store, it’s hard to understand that the receptionist’s computer is infected or the CEO’s computer” has been compromised, he says.

“The attacks are not identified and correct context isn’t applied to them,” he says. “Companies are hiring a big data scientist due to the business intelligence” they need to correlate, he says.

“It’s about turning data into information. Getting access to data is not hard. Applying the appropriate context to it is really important,” Hubbard says.


Article source: http://www.darkreading.com/management/the-changing-face-of-the-it-security-tea/240165403

Patch Tuesday January 2014

As expected Microsoft delivered four patches today covering Windows XP, 2003, 7, 2008 R2, Word and Dynamics. All four patches are rated important, the first time in memory that none of the fixes were critical.

The Word fix applies to all Windows versions and could result in remote code execution (What’s this mean?). The operating system fixes will require a reboot.

Adobe also released fixes today for Acrobat and Reader X and XI. This first update of 2014 for Adobe fixes three remote code execution vulnerabilities and should be considered a critical update.

You can get the updates from the integrated updater tool or from http://get.adobe.com/reader.

The big one today is Oracle’s quarterly update which it calls Critical Patch Update January 2014. As Duck commented, it is a bundle of fixes covering 144 different vulnerabilities.

Many Oracle products are covered, I am only going to highlight the most common ones here. You can view the complete list on Oracle’s security page.

Java has been updated, as expected, fixing 36 vulnerabilities, 34 of which are remotely exploitable without authentication.

If you don’t need Java, please remove it. If you aren’t sure, remove it… You can always reinstall. If you must have it installed, be sure to apply this update immediately.

Oracle also patched 18 vulnerabilities in MySQL, 3 of them remotely exploitable, and 9 vulnerabilities in VirtualBox, 4 of which are remotely exploitable.

As always, we advise you to update as soon as you are able.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G22vCHppqsI/

Report: How NSA spies target Chinese Army with sneaky radio bugs


The NSA has compromised almost 100,000 computers around the world in its quest to get its tentacles into air-gapped computers operated by adversaries such as the Chinese Army.

The revelation was made by the New York Times in a report published on Tuesday based on documents released by Edward Snowden.


The spy agency has penetrated these computers via “a secret technology that enables it to enter and alter data in computers even if they are not connected to the internet,” the NYT reports.

This tech has been in use since 2008 and uses a “covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards.”

These ghastly widgets sometimes pass data onto a briefcase-sized relay point named “Nightstand” that can be used up to eight miles away, and can feed data packets back to the compromised host. The tech is inserted by spies, component manufacturers, or by unwitting people that have been pwned.

Frequent targets of the uber-snoop tech include the Chinese Army, along with Russian military networks, trade institutes within the European Union, systems used by Mexican police and drug cartels, and folk in Saudi Arabia, India, and Pakistan.

Some of this sneaky gear was crucial to the “Olympic Games” cyber-attack program which successfully inserted the Stuxnet virus into Iranian nuclear facilities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/15/nsa_quantum_radio_compromize/

RSA Conference Controversy Swirls, Spurs Debate Over Boycotts

About a month from now, thousands of people are expected to descend on the Moscone Center in San Francisco for the annual RSA Conference.

Missing from this crowd, however, will be a relatively small number of security researchers and others that have publicly declared their intention to opt out due to controversy surrounding the security provider that shares the conference’s name. Since a Reuters report last year alleged that RSA – now a part of EMC – struck a deal with the National Security Agency to use a vulnerable encryption algorithm by default in one of its products, suspicion in the security community has led roughly a dozen of the more than 560 scheduled speakers to declare they are backing out of the event, and caused others to call for keynote speaker Stephen Colbert to do the same. Some have even spoken of a wider boycott of RSA products.

For others, though, the outrage being directed at the conference may be a misplaced overreaction.

“There is certainly some suspicion of potential impropriety, but we are very far from knowing what really happened,” says Rich Mogull, CEO of security advisory firm Securosis. “Even [reporter Joseph Menn’s] article indicated RSA may have been duped, not sold out.”

But the possibility of that type of collaboration – particularly involving a security vendor – was more than enough to give those who have pulled out pause.

“When I looked at the allegations, I thought, if these are true, it’s just wrong,” says Josh Thomas, partner and “chief breaker” at Atredis Partners.

“At least in the way my brain works, I look at RSA as they have one job,” he adds. “They advertise that they do one thing, and that is crypto. To me, crypto means security and it also means trust.”

Thomas is among the speakers that pulled out of the conference, as is Jeff Carr, CEO of Taia Global. According to Carr, people should ask themselves two questions: whether they believe RSA Security collaborated to weaken BSAFE, and whether they think a boycott of RSA security products is warranted.

“If your answer is yes, then support a boycott of RSA Security,” he says.

An EMC spokesperson declined to comment on the controversy surrounding the conference or the prospect of customer ire impacting RSA’s place in the market.

However, Gartner analyst Jay Heiser says that concern about the integrity of U.S. technologies could spur on non-U.S. companies.

“If more allegations emerge about NSA attempts to manipulate the shape of security technology, it is only going to further encourage the growth of European, Asian, and South American security products,” he says.

“It’s more than a bit ironic that after all of the controversy over whether or not Huawei was shipping Chinese-government backdoors in their hardware that these substantive allegations appear about the US tech industry being influenced by the US Federal government,” he adds. “I don’t see any way to spin this into a positive marketing message for U.S. technology providers.”

David Monahan, senior analyst with Enterprise Management Associates, says the controversy has already started opening the door for other non-American companies.

“Look at Huawei’s advertising campaign around trusting them, despite the fact they stole Cisco’s technology,” he says. “Those companies are capitalizing on the event using FUD (Fear, Uncertainty and Doubt) to magnify the opportunity.”

“Either way, this is a lose-lose for RSA,” he says, adding that the perception of RSA’s skill and integrity have taken a hit. “The key is how quickly the people forget and let bygones be bygones. In this case, I think it will be a while and they will suffer both in reputation and revenue.”

“There is some related historical context on this,” he adds. “In the mid-70s, IBM’s implementation of [the] Lucifer encryption algorithm, subsequently named DES (Data Encryption Standard) after acceptance by NIST, was modified by NSA for security reasons prior to acceptance. That event started years of public scrutiny that impacted initial public acceptance and conspiracy theories. Ultimately, DES was exonerated and life went on.”

Security expert Rafal Los describes vendor and government collaboration on standards as an issue with multiple sides. Those that are paranoid of government involvement will actively work against it, while the pragmatic will continue to work towards industry standards while thinking twice about taking government input for granted.

“The rest will carry on as status quo, either trusting or not knowing any better,” he argues. “Standards are a funny thing – there’s this long-running joke about there being too many competing standards so industry professionals got together to fix the problem, and created another one. Jokes aside, I think overall standards will get a [closer] look going forward, for the foreseeable future. I’m just not certain what the lasting effect of something like this is.”

Los says he still plans to attend the conference, and is going forward with his talk about secure development metrics.

“I can honestly say I don’t believe I’ve seen enough to conclusively prove to me that RSA did anything wrong,” he adds. “However, the allegations are toxic. If this turns out to be true, it would be deeply troubling for the industry, and the trust that we have in RSA as a trust provider.”

Hugh Thompson, program chair for the conference, says the event is meant to be a neutral place for security experts to discuss what is happening in the industry.

“The conference has always been an independent, open forum for people to come together and talk about security,” he says.

“I think when you look at it as a security professional, there’s never been a more important time to get together with your peers and see what they’re doing, see what they’re planning, see how they’re reacting to these changes that are happening in the community because they are happening pretty [quickly].”


Article source: http://www.darkreading.com/authentication/rsa-conference-controversy-swirls-spurs/240165371