1/8/2014 01:46 PM
Dave Kearns
Commentary

Why I Pulled Out Of The RSA Conference

Dave Kearns can't abide RSA's reported dealings with the NSA or its suspect security practices.

[EDITOR'S NOTE: The opinions expressed in this Commentary are those of the author and do not reflect the position of InformationWeek or its parent company, UBM LLC.]

In early November, I was pleased to announce (via my Twitter feed, @dak3) that one of my proposals had been accepted for a presentation at the RSA Security Conference in San Francisco in February. I was very pleased, because this was my first acceptance (in three tries), and I know how hard it is to garner a spot on the agenda. Some years ago, I was the sole referee for the conference's identity management track. I reviewed more than 1,000 proposals, which I had to whittle down to 25, so that the event organizers could pick five that would actually make the agenda.

So it was with great reluctance that I've canceled my presentation in light of unsettling news reports about RSA's involvement with the US National Security Agency. Just before Christmas, Reuters published a story based on revelations from the papers and documents stolen by former NSA contractor Edward Snowden. "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry."

The story cited a New York Times story that said the Snowden documents "show that the NSA created and promulgated a flawed formula for generating random numbers to create a 'back door' in encryption products." The flawed random-number-generating algorithm, Dual Elliptic Curve, was reportedly installed as the default choice in RSA's BSafe package, a toolkit developers use to add encryption to their products.

After the Reuters story, RSA, a unit of EMC, said in a blog post: "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." I believe RSA. That's what really troubles me.

It troubles me because RSA did introduce a backdoor, though unknowingly, and made it the default choice. Security experts who have examined RSA's software package have confirmed that fact. RSA's statement doesn't deny taking $10 million from the NSA. It would appear that the NSA offered to sign a $10 million licensing contract -- provided, according to the Reuters report, that RSA made Dual Elliptic Curve the default. The Reuters report maintains that the NSA then used the evidence that RSA had chosen the algorithm to convince the National Institute of Standards and Technology to adopt it as the default method of random number generation.

This was a business decision, not a technology decision. If the Reuters story is true -- and RSA hasn't denied the crux of its allegations -- the security of RSA's customers and its customers' customers was put at risk for monetary gain. (When contacted via email, an EMC spokesman declined to respond to questions about the nature of the NSA's $10 million payment to RSA, or to a request for the company's reaction to threatened conference boycotts. More on the boycotts later.)

Even more telling for me was the widely reported compromise of RSA's SecurID hardware token in 2011. The company was compromised by a phishing attack, which led to a data breach in which the root keys of the SecurID algorithms were taken. This event led to attempted breaches (which may or may not have been successful) at US defense contractors such as Lockheed Martin, L3 Communications, and Northrop Grumman.

That a security vendor could so easily have its security breached is, at best, unfortunate. But taken alongside this latest set of allegations, it's too much to ask me to swallow.

I haven't been a fan of RSA since EMC took over (and pushed EMC execs into the management of all RSA divisions) and the people who had been the heart and soul of RSA began to leave. When the SecurID breach occurred, I urged readers to find another security partner. This latest revelation has led me not only to pull out of next month's RSA Conference, but also to stop supporting the purchase of RSA products. I leave that decision to you.

(Note to readers: InformationWeek's parent company, UBM LLC, owns Black Hat, an RSA Conference competitor, though UBM Tech editors regularly attend the RSA Conference. As we've reported here, at least nine leading information security and privacy experts now say they will boycott the conference.)

Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will. Security is hard enough without having to worry that our suppliers -- either knowingly or unknowingly -- have aided those who wish to subvert our security measures.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.

Comments
AnnieOhminus, User Rank: Apprentice
1/8/2014 | 2:53:29 PM
Why no one admits to deals with NSA
How many people realize that the reason no one ever admits to any deals or conversations with the NSA is that it is a felony to do so? Jail time, no trial, no defense allowed. Welcome to the Patriot Act and Sedition Act.