[ISN] Internet security forces gather RSA conference draws teams to fight organized hackers

From: InfoSec News (alerts@private)
Date: Mon Feb 05 2007 - 23:19:22 PST


http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/02/05/BUGV1NT3UV1.DTL

By Dan Fost
Chronicle Staff Writer
February 5, 2007

As computers become more ubiquitous, so do the threats posed to computer 
users.

But as the pernicious nature of the threats grows, so does the industry 
that has arisen to combat them.

That industry will gather this week at Moscone Center in San Francisco 
for the RSA Conference, a chance to hear what the latest threats are -- 
and to see the latest tools to fight them.

What started 15 years ago as a gathering of 50 cryptographers at the 
Sofitel hotel in Redwood City has emerged into a major convention, with 
more than 15,000 people expected and 340 companies taking booths in the 
exhibit halls.

While cryptographers still occupy center stage -- including two from the 
team that discovered the RSA algorithm that led to the conference's name 
years ago -- they share it with such luminaries as Microsoft Corp. 
co-founder Bill Gates, Oracle Corp. CEO Larry Ellison and former U.S. 
Secretary of State Colin Powell.

Without the tools displayed at RSA, all of online commerce, and much of 
the behind-the-scenes work of banking, would be at risk of malicious 
attacks.

"Hackers have a new motivation. They are financially motivated," said 
Rowan Trollope, vice president of consumer products at Symantec Corp. of 
Cupertino, one of the leading consumer security software companies, 
along with McAfee Inc. of Santa Clara and Microsoft.

"They are professional software developers backed by organized crime. 
When you have that kind of operation, they are motivated to find 
vulnerabilities. These are not college kids with time on their hands. 
These are paid professionals."

That's because more money is now changing hands via computers. "It's 
like Willie Sutton, who said he robbed banks because that's where the 
money is," said Phil Dunkelberger, president and CEO of PGP Corp. of 
Palo Alto, an encryption and data security company. "More and more 
criminals are coming online because that's where the money is. Phishing 
scams are a lot more sophisticated."

Industry experts have identified several problems and trends that will 
be hot topics at the conference:

-- Rising complacency. "We have a crisis going on, but it's a silent 
crisis," said Trollope at Symantec. "Over the last couple of years, 
we've seen a decline in the number of visible worms and viruses that 
splash across the headlines of CNN. But the hackers didn't go away, they 
shifted their attention to a different approach. ... User attention on 
the need for security has waned. If you don't hear about these things 
every day, you think, maybe I don't need to get antivirus software or 
enforce my network code to secure my PC."

-- New Internet environment. More computing lives in what techies call 
"the cloud." Think of an e-mail account through Google, Yahoo or Hotmail 
that resides on a Web site somewhere, not on a desktop computer. Or 
software that's delivered "on-demand," or as a service, over the 
Internet. The convenience of such services has a major trade-off -- it 
could expose data to risk.

"Can you imagine if someone broke into your Web mail account?" asked 
Marc Gaffan, director of marketing for the consumer solutions group of 
RSA, the company that owns the conference. "They'd to some extent be 
able to recreate my identity."

On the other hand, Gaffan is not willing to trade the convenience for 
the risk, and he rationalizes, "Those companies likely have better 
security than my laptop."

-- Proliferation of mobile devices. With many more laptops, cell phones, 
game machines and handheld devices connecting to the Internet, each 
holding troves of personal information and subject to loss or theft, the 
potential holes have multiplied exponentially.

Ordinarily you would protect data by setting up firewalls in the network 
that protects your PC. That becomes a problem, though, when you are 
dealing with mobile devices.

"The industry has been trying to harden the perimeter with wireless 
networks, but with smart phones, you really don't have a perimeter any 
more," said Dunkelberger at PGP. "We say you have to defend the data -- 
encrypt the data, secure the data, make sure all business records are 
not exposed to criminals."

-- New types of threats that need new types of responses. It used to be 
that once a vulnerability was found in a software program, it would be a 
race over weeks to see if it could be plugged before a hacker broke 
through. But now the industry is seeing "zero hour" attacks, which 
exploit vulnerabilities almost immediately after they're discovered and 
well before the holes can be plugged.

Also worrisome, according to Trollope at Symantec, are "bespoke" threats 
that target small, specific groups of people. To counter these measures, 
the industry is adopting what it calls a "heuristics" approach that 
Trollope said can "find threats without having seen them. A scoring 
algorithm will tell us if a program is good or bad even if we haven't 
seen it before."

-- Challenge of passwords. As so many Web sites require passwords, it 
becomes impossible to remember them all. So people make their passwords 
all the same, or they write them in a file or on a post-it note on their 
computer -- none of which are secure. Sites are now coming up with new 
ways to tell if a person is who they say they are, and the solution 
sometimes requires unique passwords for each situation.

The challenge for the industry, Gaffan said, is to strike a balance 
between security and usability. "The key thing is to keep the user 
experience simple and easy most of the time," he said.

-- Microsoft's role. As always, the software giant stands astride the 
industry. With its Vista operating system at long last on sale, 
Microsoft is touting how much more secure computing can be. The company 
is also getting into turf dominated by Symantec and McAfee.

-- Needs of the 'physical security' industry. The physical security 
industry -- described as "guards, guns, gates, surveillance, locks, 
doors and access control systems" by Steve Hunt, founder of 4A 
International, a Chicago research firm for that industry -- is a 
$120-billion-a-year business that Hunt says "needs to embrace computers, 
software and networking in smarter and better ways.

"It's a very primitive and old-fashioned traditional industry," Hunt 
said. As companies discover technology, they will want to add things 
like digital video recorders to their lobbies, making them networked, 
secure and accessible from remote locations. That will add up to big 
bucks for tech companies.

-- Compliance. Congress, the states and other countries have passed laws 
requiring companies to be much more careful when handling sensitive 
data, and companies are looking to software to help manage compliance 
with the morass of new rules.

Companies will need to know, "What are the standards that all these 
things are setting?" said Sandra Toms LaPedis, area vice president and 
general manager of RSA Conferences. "Where are the things that if I'm 
compliant in France I might not be in the U.S., or vice versa?"

-- Authentication. How do you know someone is who they claim to be? 
Banks have required ATM cards for years, which LaPedis said is something 
physical that also requires some knowledge -- a password.

Similar systems are in the works for computers. "It could be your 
thumbprint, an iris scan or any variation off of that," she said.

In spite of all the threats, risks, challenges and bad guys out there, 
the industry manages to retain a classic optimism that it is solving 
problems and making life better.

RSA, which always has a historical and often unusual theme, is 
celebrating this year the Renaissance, specifically 15th century 
Renaissance man Leon Battista Alberti, whom RSA's Web site calls "the 
father of Western cryptology."

"We are living through a renaissance," LaPedis said. "It's that spirit 
of innovation that we are truly celebrating." RSA Conference highlights

-=-

When: Monday through Friday

Where: Moscone Center in San Francisco

Who: 15,000 people and 340 companies from the computer security industry

Key speeches: Microsoft co-founder Bill Gates, 8 a.m. Tuesday; Oracle 
CEO Larry Ellison, 2:45 p.m. Wednesday; former U.S. Secretary of State 
Colin Powell, 1:50 p.m. Friday.


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Mon Feb 05 2007 - 23:27:13 PST