Vulnerabilities / Threats
1/8/2014
01:46 PM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why I Pulled Out Of The RSA Conference

Dave Kearns can't abide RSA's reported dealings with the NSA or its suspect security practices.

[EDITOR'S NOTE: The opinions expressed in this Commentary are those of the author and do not reflect the position of InformationWeek or its parent company, UBM LLC.]

In early November, I was pleased to announce (via my Twitter feed, @dak3) that one of my proposals had been accepted for a presentation at the RSA Security Conference in San Francisco in February. I was very pleased, because this was my first acceptance (in three tries), and I know how hard it is to garner a spot on the agenda. Some years ago, I was the sole referee for the conference's identity management track. I reviewed more than 1,000 proposals, which I had to whittle down to 25, so that the event organizers could pick five that would actually make the agenda.

So it was with great reluctance that I've canceled my presentation in light of unsettling news reports about RSA's involvement with the US National Security Agency. Just before Christmas, Reuters published a story based on revelations from the papers and documents stolen by former NSA contractor Edward Snowden. "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry."

The story cited a New York Times story that said the Snowden documents "show that the NSA created and promulgated a flawed formula for generating random numbers to create a 'back door' in encryption products." The flawed random number-generating algorithm, Dual Elliptic Curve, was reportedly installed as the default choice for RSA's BSafe package, a tool for developers to add encryption techniques to their products.

After the Reuters story, RSA, a unit of EMC, said in a blog post: "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." I believe RSA. That's what really troubles me.

It troubles me because RSA did introduce a backdoor, though unknowingly, and made it the default choice. Security experts who have examined RSA's software package have confirmed that fact. RSA's statement doesn't deny taking $10 million from the NSA. It would appear that the NSA offered to sign a $10 million licensing contract -- provided, according to the Reuters report, that RSA made Dual Elliptic Curve the default. The Reuters report maintains that the NSA then used the evidence that RSA had chosen the algorithm to convince the National Institute of Standards and Technology to adopt it as the default method of random number generation.

This was a business decision, not a technology decision. If the Reuters story is true -- and RSA hasn't denied the crux of its allegations -- the security of RSA's customers and its customers' customers was put at risk for monetary gain. (When contacted via email, an EMC spokesman declined to respond to questions about the nature of the NSA's $10 million payment to RSA, or to a request for the company's reaction to threatened conference boycotts. More on the boycotts later.)

Even more telling for me was the widely reported compromise of RSA's SecureID hardware token in 2011. The company was compromised by a phishing attack, which led to a data breach in which the root keys of the SecureID algorithms were taken. This event led to attempted breaches (which may or may not have been successful) at US defense contractors such as Lockheed Martin, L3 Communications, and Northrop Grumman.

That a security vendor could so easily have its security breached is, at best, unfortunate. But taken alongside this latest set of allegations, it's too much to ask me to swallow.

I haven't been a fan of RSA since EMC took over (and pushed EMC execs into the management of all RSA divisions) and the people who had been the heart and soul of RSA began to leave. When the SecurID breach occurred, I urged readers to find another security partner. This latest revelation has led me not only to pull out of next month's RSA Conference, but also to stop supporting the purchase of RSA products. I leave that decision to you.

(Note to readers: InformationWeek's parent company, UBM LLC, owns Black Hat, an RSA Conference competitor, though UBM Tech editors regularly attend the RSA Conference. As we've reported here, at least nine leading information security and privacy experts now say they will boycott the conference.)

Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will. Security is hard enough without having to worry that our suppliers -- either knowingly or unknowingly -- have aided those who wish to subvert our security measures.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to leverage security data effectively in order to make informed decisions and spot areas of vulnerability (free registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/21/2014 | 8:19:03 AM
Re: So if not RSA... >Let's discuss practical options
As you say, Stratustician, it is indeed rare that business organizations take a moral stance on how they contact business. But even though advocates of greater transparency in NSA security & privacy policy say it's not enough, the public outcry has moved the needle -- albeit microscopically - with President Obama's announcement last Friday of five changes in the US surveillance policy. One thing that is certain, as long the public pressure continue, so will  the public debate.
Stratustician
50%
50%
Stratustician,
User Rank: Strategist
1/20/2014 | 1:27:08 PM
Re: So if not RSA... >Let's discuss practical options
I honestly wish it was a valid way of business, but sadly the reality is that organizations only care about the bottom line often.  From a security perspective, many organizations will argue "They've worked for us until now" as we saw evidenced by the lack of real market change after their breach.  I'd love to think we will see companies take more moral stances about who they conduct business with, but sadly I don't see this becoming the norm.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/16/2014 | 10:31:05 AM
Re: So if not RSA... >Let's discuss practical options
@Stratustician That's a great question that is worthy of repeating. It  would be great to get a discussing going about the realities of taking a moral position about a product based on a vendor business decision. Is this even possible? 
Stratustician
50%
50%
Stratustician,
User Rank: Strategist
1/15/2014 | 1:36:42 PM
So if not RSA...
I applaud your moral stance to defend the principal behind data security, that it actually protects data from unauthorized access. When the RSA breach in 2011 happened, it should have sent lots of warning flags and yet I still see those tokens everywhere.  Its as if the industry say "Meh, we'll get over it".  I wonder what it will take for people to seriously consider what the NSA implications mean from an industry perspective when it comes to security solutions.  

Has anyone actually started to migrate off RSA and onto another solution?  What are you considering to move to and why?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/9/2014 | 12:03:27 PM
Re: Will the boycott be effective
I imagine there is probably some gag order imposed by the NSA on RSA about disclosing what was in the contract but I'm not not aware of any legislation that would prohibit officials of a private company from defending itself against such such serious and public accusations...  (That's what lawyers, PR firm and spin doctors are for). Whether that would shed any light on the situation is another questions...
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
1/9/2014 | 11:51:55 AM
Re: Will the boycott be effective
Kudos to you sir for standing by your opinions, even though I'm sure it's a disappointment that you won't be speaking at the conference - for you and the audience. 

I do wonder though if the RSA would have been willing to say more about its NSA dealings if it wasn't no doubt clamped by secretive legislation?
dak3
50%
50%
dak3,
User Rank: Apprentice
1/8/2014 | 11:12:44 PM
Re: Will the boycott be effective
I can't speak for the others, and I know it's probably too late for those who've made their plans already to be able to back out without financial hardship, but for me it's enough that the dialog keeps going. Vendors have to learn to take their customers' security as their top priority. After all, if they aren't secure why should we believe their products are?
asksqn
100%
0%
asksqn,
User Rank: Apprentice
1/8/2014 | 5:15:07 PM
Blowback is warranted
Kudos for taking a stand against unwarranted surveillance and standing up for civil liberties. Perhaps if industry loses enough big name players in the federal government's obsession to turn the US into the old USSR, companies won't be so willing or so easily bought off to participate in the wholesale destruction of the Constitution.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
1/8/2014 | 4:46:08 PM
Re: Will the boycott be effective
Too bad there's no plausible way to boycott the entire telecom infrastructure. Third-parites are the weak link in communication privacy.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2014 | 3:44:00 PM
Will the boycott be effective
Dave, I give you and the eight other security researchers credit for taking such a principaled stand -- and especially for taking the time to spell out the reasons behind your decision to boycott RSA. You column adds a lot of needed depth to the discussion about how technology companies and the government should engage when dealing with privacy and security matters that impact public safety. That said, what do you and the other boycotters believe would be the best outcome from your actions?  
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2012-2588
Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

CVE-2012-6659
Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-3614
Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio