

01:46 PM
Dave Kearns

Why I Pulled Out Of The RSA Conference

Dave Kearns can't abide RSA's reported dealings with the NSA or its suspect security practices.

[EDITOR'S NOTE: The opinions expressed in this Commentary are those of the author and do not reflect the position of InformationWeek or its parent company, UBM LLC.]

In early November, I was pleased to announce (via my Twitter feed, @dak3) that one of my proposals had been accepted for a presentation at the RSA Security Conference in San Francisco in February. I was very pleased, because this was my first acceptance (in three tries), and I know how hard it is to garner a spot on the agenda. Some years ago, I was the sole referee for the conference's identity management track. I reviewed more than 1,000 proposals, which I had to whittle down to 25, so that the event organizers could pick five that would actually make the agenda.

So it was with great reluctance that I've canceled my presentation in light of unsettling news reports about RSA's involvement with the US National Security Agency. Just before Christmas, Reuters published a story based on revelations from the papers and documents stolen by former NSA contractor Edward Snowden. "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry."

The story cited a New York Times story that said the Snowden documents "show that the NSA created and promulgated a flawed formula for generating random numbers to create a 'back door' in encryption products." The flawed random-number-generating algorithm, Dual Elliptic Curve, was reportedly installed as the default choice in RSA's BSafe package, a toolkit developers use to add encryption to their products.

After the Reuters story, RSA, a unit of EMC, said in a blog post: "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." I believe RSA. That's what really troubles me.

It troubles me because RSA did introduce a backdoor, though unknowingly, and made it the default choice. Security experts who have examined RSA's software package have confirmed that fact. RSA's statement doesn't deny taking $10 million from the NSA. It would appear that the NSA offered to sign a $10 million licensing contract -- provided, according to the Reuters report, that RSA made Dual Elliptic Curve the default. The Reuters report maintains that the NSA then used the evidence that RSA had chosen the algorithm to convince the National Institute of Standards and Technology to adopt it as the default method of random number generation.

This was a business decision, not a technology decision. If the Reuters story is true -- and RSA hasn't denied the crux of its allegations -- the security of RSA's customers and its customers' customers was put at risk for monetary gain. (When contacted via email, an EMC spokesman declined to respond to questions about the nature of the NSA's $10 million payment to RSA, or to a request for the company's reaction to threatened conference boycotts. More on the boycotts later.)

Even more telling for me was the widely reported compromise of RSA's SecurID hardware token in 2011. The company was compromised by a phishing attack, which led to a data breach in which the root keys of the SecurID algorithms were taken. This event led to attempted breaches (which may or may not have been successful) at US defense contractors such as Lockheed Martin, L3 Communications, and Northrop Grumman.

That a security vendor could so easily have its security breached is, at best, unfortunate. But taken alongside this latest set of allegations, it's too much to ask me to swallow.

I haven't been a fan of RSA since EMC took over (and pushed EMC execs into the management of all RSA divisions) and the people who had been the heart and soul of RSA began to leave. When the SecurID breach occurred, I urged readers to find another security partner. This latest revelation has led me not only to pull out of next month's RSA Conference, but also to stop supporting the purchase of RSA products. I leave that decision to you.

(Note to readers: InformationWeek's parent company, UBM LLC, owns Black Hat, an RSA Conference competitor, though UBM Tech editors regularly attend the RSA Conference. As we've reported here, at least nine leading information security and privacy experts now say they will boycott the conference.)

Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will. Security is hard enough without having to worry that our suppliers -- either knowingly or unknowingly -- have aided those who wish to subvert our security measures.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.


User Rank: Apprentice
1/8/2014 | 2:53:29 PM
Why no one admits to deals with NSA
How many people realize that the reason no one ever admits to any deals or conversations with the NSA is that it is a felony to do so? Jail time, no trial, no defense allowed. Welcome to the Patriot Act and Sedition Act.