The RSA Conference is typically a sprawling experience that fills multiple convention center buildings and spills out into adjacent hotels and meeting spaces. This year, however, attendees were more likely to contend with loading screens and dropped connections than with long lines for the escalator. Because of the ongoing COVID-19 pandemic, RSAC was online-only this year.
Instead of the Moscone Center in San Francisco, RSAC relied on a “virtual environment” where attendees could view talks and keynotes, usually in the form of pre-recorded video with questions being answered live in a text chat.
The experience was similar to Black Hat’s 2020 conference, which also moved online because of the coronavirus outbreak, and in our view went fairly smoothly. The bulk of RSAC, however, has always been its enormous show floors and the one-on-one interactions with security vendors. While the conference did have a digital alternative for the networking experiences the in-person event provided, it’s hard to imagine this new format overtaking the old one.
Here’s what we heard in some of the more interesting sessions.
Can Cryptocurrency Replace the Almighty Dollar?
Photo by Beata Zawrzel/NurPhoto via Getty Images
In 2010, an early Bitcoin miner exchanged 10,000 bitcoins for a couple of pizzas. At modern exchange rates, those pizzas would cost hundreds of millions of dollars today. The world seems to be more and more accepting of cryptocurrency. Could it replace the US dollar as the world’s reserve currency?
In his session, Dr. Kenneth Geers, External Communications Analyst for Very Good Security, traced a path through the history of the dollar and cryptocurrency to answer that very question.
The US dollar has been the world standard since the Bretton Woods agreement after WWII, and it retained that position even after it stopped backing every buck with gold. Countries whose own currency is unstable rely on the dollar, and international financial arrangements take place using dollars. The dollar is a known quantity.
Cryptocurrency, on the other hand, has been around for barely a decade. You can’t fold a Bitcoin and put it in your wallet, but the public blockchain ledger that records Bitcoin transactions is append-only and tamper-evident, a stronger integrity guarantee than dollars that exist only as entries in a bank’s private double-entry ledger.
Switching to a world where cryptocurrency is the reserve would create significantly more transparency, both in business and government. “But do governments actually want to be less corrupt?” asked Geers. “There is no doubt that cryptocurrency is a game changer,” he continued. “But in the near term, it will not replace the US dollar. In the long term anything is possible, but expect government resistance.”
Hacking Remote Controls
Most of us have a specific image of an “internet of things” device, but that might not include the remote that came with your cable box. Ofri Ziv and JJ Lehmann, VP of Research and Senior Researcher at Guardicore, respectively, demonstrated why it should. With some effort, they transformed a standard remote control into a listening device.
Their work, originally published in October 2020, focused on the XR11 remote control, which is bundled with some Xfinity cable boxes. There are two things about the XR11 that interested the researchers. First, it has a built-in microphone, so users can control their home entertainment systems by voice. Second, it made heavy use of radio frequency transmissions instead of the infrared signals on which remotes typically rely. RF transmissions do not require a line-of-sight connection, which gave the researchers the access they needed.
The remote periodically asks the cable box whether a firmware update is available. The team found that they could answer that request themselves and supply firmware of their own. Once installed, the modified firmware tricked the remote into thinking the voice-control button was being held down, capturing all the audio within 15 feet of the remote with remarkable clarity. What’s truly impressive is that the team demonstrated they could carry out the attack from outside a house with the target remote inside, up to 65 feet away. It also didn’t require expensive equipment, just a $30 radio transceiver.
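The lesson a device builder should take from the remote attack is that an update poll answered over the air must authenticate whoever answers it. The following is an added example, not code from the Guardicore research and not the XR11’s real protocol: a toy remote that installs whatever newer image arrives beside one that checks a MAC under a key shared with the box at pairing time. The message format, the pairing key and the use of HMAC-SHA256 in place of a real signature scheme are all assumptions made here.

```python
"""Added example (hypothetical remote, box and attacker): an RF remote polls
for firmware; whoever is in radio range can answer first. The vulnerable
remote trusts any newer image, the hardened one requires a MAC under a
pairing key the attacker does not have and refuses rollback to an older
version. HMAC-SHA256 stands in for the signature scheme a real device uses.
"""
import hashlib
import hmac

# Hypothetical key exchanged when the remote was paired with the box.
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac(key: bytes, version: int, image: bytes) -> bytes:
    """MAC over version and image together, so neither can be swapped alone."""
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()


def box_update_response(key: bytes, version: int, image: bytes) -> dict:
    """Legitimate set-top box answer to an update poll."""
    return {"version": version, "image": image, "mac": mac(key, version, image)}


def attacker_update_response(version: int, image: bytes) -> dict:
    """Attacker in RF range: no pairing key, so the MAC field is junk."""
    return {"version": version, "image": image, "mac": b"\x00" * 32}


class VulnerableRemote:
    """Installs any image whose version number is higher than its own."""

    def __init__(self) -> None:
        self.version = 1
        self.firmware = b"vendor-v1"

    def poll(self, response: dict) -> bool:
        if response["version"] > self.version:
            self.version = response["version"]
            self.firmware = response["image"]
            return True
        return False


class HardenedRemote(VulnerableRemote):
    """Same update flow, but the responder must prove it holds the pairing key."""

    def __init__(self, key: bytes) -> None:
        super().__init__()
        self.key = key

    def poll(self, response: dict) -> bool:
        expected = mac(self.key, response["version"], response["image"])
        if not hmac.compare_digest(expected, response["mac"]):
            return False            # unauthenticated responder: ignore
        return super().poll(response)  # version check still blocks rollback


def demo() -> dict:
    evil = attacker_update_response(2, b"hold-mic-button-open")
    good = box_update_response(PAIRING_KEY, 2, b"vendor-v2")
    old = box_update_response(PAIRING_KEY, 1, b"vendor-v1")  # genuine but stale
    vulnerable, hardened = VulnerableRemote(), HardenedRemote(PAIRING_KEY)
    return {
        "vulnerable_took_attacker": vulnerable.poll(evil),
        "hardened_took_attacker": hardened.poll(evil),
        "hardened_took_vendor": hardened.poll(good),
        "hardened_took_rollback": hardened.poll(old),
    }


if __name__ == "__main__":
    print(demo())
```

The version check alone is what the vulnerable remote relies on, and it is exactly what an attacker satisfies by claiming a higher number; the MAC check is what ties the answer to the box the remote was paired with.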
Fortunately, the flaws the researchers discovered have already been patched. However, the researchers pointed out that attacks like these that rely on devices typically found in the home could impact corporations as well. After all, millions of people have left the office for the home office in the wake of COVID-19.
Hacking IoT: No Longer Easy, But Not Secure
“Embedded security is definitely getting better,” said Waylon Grange, a threat researcher at Stage 2 Security. “A lot of the easy wins aren’t there anymore.”
In his talk, Grange explained how he reverse-engineered and successfully attacked the Enphase home solar power system—a target chosen by Grange for no other reason than he was home a lot because of COVID-19 restrictions and noticed his neighbor having such a system installed.
What he found was that while the easy and obvious paths for an attacker were closed, the system wasn’t fully secured. For instance: encrypting firmware and not hardcoding the encryption key are good things. But Grange discovered that Enphase had traded a hardcoded key for one derived in a predictable way.
“The result is the same,” said Grange. “I know the [encryption] key.”
Likewise, Enphase avoided the trap of having a single password for all its devices. However, Grange discovered that the password was calculated using the device’s unique serial number, which was printed on the device, on its packaging, and was discoverable online.
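Both findings above are the same mistake: a secret that is "unique per device" but computable from inputs printed on the box is, for an attacker, no better than a shared secret. The block below is an added example to make that concrete; it is not Grange’s code and does not reproduce Enphase’s actual derivation, which the talk did not detail. The derivation functions, the serial number and the vendor secret are hypothetical. The check it runs is the one a practitioner wants: given only the label, can I compute the password?

```python
"""Added example (hypothetical schemes, not Enphase's): a per-device password
derived from the public serial number versus one provisioned at random.
The attacker has the serial (printed on the device, on the box, visible
online), so any derivation from it alone is reproducible by the attacker.
"""
import hashlib
import hmac
import secrets


def weak_device_password(serial: str) -> str:
    """'Unique per device' but a pure function of a public number."""
    return hashlib.sha256(serial.encode()).hexdigest()[:12]


def attacker_from_label(serial: str) -> str:
    """The attacker has the same input, so runs the same derivation."""
    return weak_device_password(serial)


def hmac_device_password(serial: str, vendor_secret: bytes) -> str:
    """Keyed derivation: the label alone is not enough. But if the device
    itself must compute this to check a login, vendor_secret sits in every
    firmware image, and the hardcoded key is back through the side door.
    Only acceptable if the derivation happens on the vendor's side."""
    return hmac.new(vendor_secret, serial.encode(), hashlib.sha256).hexdigest()[:12]


def provision_random_password() -> tuple[str, dict]:
    """At manufacture: draw a random password, print it on the device's own
    label only, and store a salted scrypt hash (never the password) on-device."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return password, {"salt": salt, "hash": digest}


def device_checks_password(candidate: str, record: dict) -> bool:
    """Device-side verification against the stored record."""
    digest = hashlib.scrypt(candidate.encode(), salt=record["salt"], n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, record["hash"])


def compare_schemes(serial: str = "121900001234") -> dict:
    """Hypothetical serial; each key answers 'does the label give it away?'."""
    weak = weak_device_password(serial)
    hmac_pw = hmac_device_password(serial, b"hypothetical-vendor-secret")
    real_pw, record = provision_random_password()
    return {
        "weak_scheme_recovered_from_label": attacker_from_label(serial) == weak,
        "hmac_scheme_recovered_from_label": attacker_from_label(serial) == hmac_pw,
        "random_scheme_accepts_real_password": device_checks_password(real_pw, record),
        "random_scheme_rejects_label_guess": not device_checks_password(weak, record),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The same reasoning applies to the firmware key: a key that is calculated from values an attacker can read off the hardware or the update image is equivalent to a hardcoded key, which is precisely Grange’s "the result is the same."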
Grange speculated that these sketchy security choices were made because someone had been told what not to do, rather than shown what best practice looks like. His advice was that developers working on these problems should look around to see what solutions already exist, instead of trying to solve the problem themselves.
Learn to Use Your Password Manager!
There’s no way a modern netizen can apply a strong, unique password to every secure site without the help of a password manager. But even if you do install a password manager, you still have to use it correctly.
Stuart Schechter, Lecturer and Course Lead for UC Berkeley’s Usable Privacy and Security track, observed that while we can gather stats on password manager sales, we don’t know anything about how people are using them. His graduate students, represented in the RSAC talk by David Ng, took on the task of finding out.
All the benefits of using a password manager depend on three assumptions: We assume that users will memorize a strong password; that they’ll rely on the password manager’s ability to generate random passwords; and that they’ll change any passwords that are weak, re-used, or compromised. The grad student team worked up a study aimed at determining how valid these assumptions are.
Wouldn’t you know, it turns out that people just don’t do what they should. Few actually memorized a strong master password, and all too many re-used an existing password as the key to protect all their other secrets. All those in the study had access to a password manager dashboard reporting on weak, reused, and compromised passwords. Most of them agreed that some of their passwords really needed changing. And most of those offered one excuse or another for not taking care of the matter.
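The dashboard the study participants had access to is doing three mechanical checks: strength, reuse, and presence in a breach corpus. The block below is an added example, not code from the Berkeley study or from any password manager, showing that audit logic over a small constructed vault, plus the study’s own question of whether the master password is itself one of the vault entries. The vault contents and the breached-hash set are constructed here; a real manager would query Have I Been Pwned’s range API with the first five hex characters of the SHA-1 instead of a local set, which is what the k-anonymity prefix split in `is_compromised` mirrors.

```python
"""Added example (constructed vault and breach set): the weak / reused /
compromised audit a password manager dashboard runs, plus a check that the
master password is not recycled from the vault.
"""
import hashlib
import math
import secrets
import string

# Constructed stand-in for a breach corpus of SHA-1 hashes (upper-case hex,
# the format the Have I Been Pwned range API returns).
CONSTRUCTED_BREACHED_SHA1 = {
    hashlib.sha1(b"password123").hexdigest().upper(),
    hashlib.sha1(b"Summer2020!").hexdigest().upper(),
}

# Constructed vault: two sites share a password, one uses a breached one,
# one uses a manager-generated password.
EXAMPLE_VAULT = {
    "bank.example": "Summer2020!",
    "mail.example": "Summer2020!",
    "shop.example": "password123",
}


def entropy_bits(pw: str) -> float:
    """Upper bound on entropy assuming uniform choice from the character
    classes present; real human passwords score far lower than this."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def is_compromised(pw: str, breached: set = CONSTRUCTED_BREACHED_SHA1) -> bool:
    """k-anonymity lookup: only the 5-char prefix would leave the client;
    suffix matching happens locally."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return any(h[5:] == suffix for h in breached if h.startswith(prefix))


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What the manager offers: CSPRNG-chosen characters, never a pattern."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_vault(master: str, vault: dict, min_bits: float = 60.0) -> dict:
    """vault maps site -> password. Returns sorted site lists per finding."""
    sites_by_password: dict = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    reused = {s for sites in sites_by_password.values() if len(sites) > 1 for s in sites}
    weak = {s for s, pw in vault.items() if entropy_bits(pw) < min_bits}
    compromised = {s for s, pw in vault.items() if is_compromised(pw)}
    return {
        "weak": sorted(weak),
        "reused": sorted(reused),
        "compromised": sorted(compromised),
        "master_reused": master in sites_by_password,
        "master_weak": entropy_bits(master) < min_bits,
    }


if __name__ == "__main__":
    vault = dict(EXAMPLE_VAULT, **{"work.example": generate_password()})
    print(audit_vault("Summer2020!", vault))
```

Run as written, the constructed vault flags `shop.example` as weak, the two `Summer2020!` sites as reused, all three as compromised, and the master password as recycled, which is the situation the study found participants in and then excused.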
“Do not assume that people will choose strong master passwords,” Ng concluded. “Do not assume that they’ll use passwords created by the password manager. And do not assume that they’ll replace weak, reused, or compromised passwords, even when reminded.”
How about you? Are you using your password manager correctly?
The Future of Zoom Encryption
Zoom emerged as one of the big winners during the sudden lurch toward working from home many of us experienced last year. While the video-conferencing service has been used for everything from graduations to weddings to bargaining fair union contracts, it wasn’t always secure. At one point, Zoom was in hot water for resisting end-to-end encryption (E2EE), which would have afforded its users the maximum protection from surveillance. This was especially urgent as protests swept the globe, many of which were organized with Zoom.
Eventually, Zoom relented and instituted E2EE. But what happens now? Max Krohn, head of Security Engineering at Zoom, explained at RSAC that the company was working on a new implementation of its E2EE scheme that would be rolling out soon.
One of the biggest and most noticeable changes will be the use of third-party services to authenticate yourself with Zoom. In a corporate context, this would likely be a single sign-on provider. Krohn explained that this would move trust away from Zoom’s servers and have it rest with services the organization already trusts.
Krohn said Zoom is also working to make it easier and less of a headache to securely add and remove devices from your account without triggering security alerts. This, in addition to changing how participants exchange keys for meetings, is part of a larger effort to make Zoom more secure and tamper-resistant, but also easier to use. Interestingly, Krohn hinted that some of the work Zoom had done could be applied to asynchronous communications, like text messaging.
Forget Human Hackers—AI Hackers Are Coming
TV and movies have trained us to think that hackers are on the edge socially. Scruffy guys in basements. Goth girls with amazing skillz. But all these stereotypes are human. Bruce Schneier, Grandmaster of Cryptography, thinks we need to be looking elsewhere. AI hackers can be extraordinarily effective, in large part because they aren’t human.
“Any good AI system will naturally find hacks,” said Schneier. “They find novel solutions because they lack human context, and the consequence is that some of those solutions will break the expectations humans have—hence, a hack.” He noted that a hack can be anything that a system permits but that wasn’t anticipated by its designers. However, computer-related hacks are especially open to AI hackers.
Schneier’s concerns may sound farfetched, but machine learning—and malicious applications for AI—have come up several times at RSAC 2021. It seems this sci-fi concept is far from fiction.
SolarWinds Attack Is Worse Than We Thought
Photo by SUZANNE CORDEIRO/AFP via Getty Images
SolarWinds dominated the news cycles toward the end of 2020. Cyberattacks working through this supply-chain company affected untold business and government entities. And, as SolarWinds President and CEO Sudhakar Ramakrishna revealed at RSAC, these attacks started way earlier than we initially thought.
Ramakrishna explained that the entry point was the SolarWinds Orion software. Attackers compromised the system SolarWinds used to build and distribute software updates, and used it to push malware to Orion customers inside what looked like a legitimate, signed update. And this was happening as early as January 2019.
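The reason this kind of attack is so effective is that code signing happens after the build: a payload injected inside the build pipeline ships with the vendor’s genuine signature, so every customer’s signature check passes. The block below is an added example, not SolarWinds’ tooling or a reconstruction of the actual implant, that models this and shows the check that does catch it: an independent, reproducible build of the published source compared by hash. The source snippet, the "compiler", the signing key and the use of HMAC in place of real code signing are all hypothetical.

```python
"""Added example (hypothetical build pipeline): a build-server compromise
survives signature verification because signing is downstream of the
build. A reproducible rebuild from the published source, compared by hash,
does not share the compromised build step and so detects the difference.
"""
import hashlib
import hmac

# Hypothetical clean source as it sits in the repository.
SOURCE = b"def collect_metrics():\n    return poll_devices()\n"
VENDOR_SIGNING_KEY = b"hypothetical-signing-key"   # stand-in for the code-signing cert


def compile_source(src: bytes) -> bytes:
    """Stand-in for a deterministic compiler: same input, same bytes.
    A real reproducible build needs the toolchain pinned the same way."""
    return b"ARTIFACT:" + hashlib.sha256(src).digest()


def clean_build(src: bytes) -> bytes:
    return compile_source(src)


def compromised_build(src: bytes) -> bytes:
    """Build-server implant: the repository still holds clean SOURCE, but the
    code that reaches the compiler has a beacon appended."""
    return compile_source(src + b"\nsend_beacon(domain_generation())\n")


def sign(artifact: bytes) -> str:
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(artifact), signature)


def release(build_fn) -> tuple[bytes, str]:
    """Vendor pipeline: build, then sign whatever came out of the build."""
    artifact = build_fn(SOURCE)
    return artifact, sign(artifact)


def customer_check(artifact: bytes, signature: str, independent_artifact: bytes) -> dict:
    """Two checks a downstream consumer can run on a received update."""
    return {
        "signature_ok": verify_signature(artifact, signature),
        "reproducible_match": hashlib.sha256(artifact).digest()
                              == hashlib.sha256(independent_artifact).digest(),
    }


def demo() -> dict:
    # Reference artifact rebuilt from the published source on a builder the
    # vendor's compromised server never touched.
    reference = clean_build(SOURCE)
    good, good_sig = release(clean_build)
    bad, bad_sig = release(compromised_build)
    return {
        "good_update": customer_check(good, good_sig, reference),
        "bad_update": customer_check(bad, bad_sig, reference),
    }


if __name__ == "__main__":
    print(demo())
```

Both updates pass the signature check; only the hash comparison against an independent build separates them. That is why reproducible builds, provenance attestations and multiple independent builders matter more than signature strength once the threat model includes the vendor’s own build servers.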
Interviewed by Forrester VP Laura Koetzle, Ramakrishna laid out just what happened, what SolarWinds is doing about it, and what he wishes the company had done differently. He concluded by underlining the severity of the attack, saying, “I do not wish something like this to happen to anybody in the industry.”
Biden Admin to Security Companies: Shape Up
Photo by MANDEL NGAN/AFP via Getty Images
Many of us heard President Biden mention cybersecurity in a recent speech in which he noted that the industry needs to do better, and that federal agencies will help ensure they do. RSAC attendees got the opportunity to learn more details about the administration’s plans thanks to a presentation by Anne Neuberger, the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology on the National Security Council.
Neuberger pointed out the common practice of releasing software with “defects and vulnerabilities that developers are accepting as the norm, with the expectation that they can patch later.” She deemed this practice unacceptable.
She went on to suggest “requiring government vendors to build software in a secure development environment,” and reaffirmed that government agencies would partner with the industry. Neuberger noted President Biden’s order for a kind of “energy star” label that would help government select securely developed software, and stressed that the administration takes security seriously, especially security against ransomware.
Neuberger mentioned that quantum computing might move security technology forward, but that the same advances could seriously disrupt encryption and other existing technology. Public-key algorithms such as the well-known RSA are secure because factoring the huge numbers involved would take a classical computer thousands of years. In theory, a sufficiently large quantum computer running Shor’s algorithm could do that factoring in a vastly shorter time, breaking RSA and the other public-key schemes that rest on the same kind of hard problem; symmetric ciphers such as AES are far less affected and mainly need longer keys.
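To see what a quantum computer actually changes, it helps to separate Shor’s algorithm into its parts. Only one step, finding the multiplicative order of a random base modulo n, needs quantum hardware; the rest is ordinary arithmetic. The block below is an added example, not from Neuberger’s remarks, that runs that classical skeleton with a brute-force order finder in place of the quantum step, on the textbook toy key n = 3233, e = 17. It demonstrates the structure of the attack, not its speed: the brute force is exactly what becomes infeasible at real key sizes and what the quantum computer would replace.

```python
"""Added example: the classical parts of Shor's algorithm applied to a toy
RSA modulus. find_order is the step a quantum computer accelerates; here it
is brute force and only works for tiny n.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n). Requires gcd(a, n) == 1.
    Brute force here; this is the quantum-accelerated step in Shor."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 0) -> tuple[int, int]:
    """Turn an order into a nontrivial factor of n (n odd, two prime factors)."""
    if n % 2 == 0:
        return 2, n // 2
    rng = random.Random(seed)           # fixed seed for a reproducible run
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:                       # lucky base already shares a factor
            return g, n // g
        r = find_order(a, n)
        if r % 2:                       # odd order gives no square root of 1
            continue
        y = pow(a, r // 2, n)           # y*y == 1 (mod n)
        if y == n - 1:                  # trivial root (-1): pick another base
            continue
        p = gcd(y - 1, n)               # nontrivial root splits n
        if 1 < p < n:
            return p, n // p


def recover_private_exponent(n: int, e: int) -> int:
    """Once p and q are known, d is just the inverse of e mod phi(n)."""
    p, q = shor_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo() -> dict:
    n, e = 3233, 17                     # textbook toy key: 61 * 53
    d = recover_private_exponent(n, e)
    m = 65                              # sample plaintext
    c = pow(m, e, n)                    # what an eavesdropper sees
    return {
        "factors": tuple(sorted(shor_factor(n))),
        "d": d,
        "ciphertext": c,
        "decrypted": pow(c, d, n),      # recovered without the private key
    }


if __name__ == "__main__":
    print(demo())
```

For a 2048-bit modulus `find_order` would have to iterate through a number with roughly 600 decimal digits, which is the whole point: the factoring problem is easy to state and the private key falls out immediately once the order is known, so the security of RSA lives entirely in that one step. The practical response is the migration to post-quantum public-key algorithms that NIST’s standardization effort is evaluating, alongside keeping symmetric key lengths at 256 bits.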
The Experts Speak
At the beginning of this conference, the organizers brought together a panel of security luminaries. Dubbed The Cryptographer’s Panel, this group included Ron Rivest and Adi Shamir, the R and S of the famed RSA (Rivest-Shamir-Adleman) algorithm. Whitfield Diffie, co-inventor of public key cryptography, appeared in a separate session of his own.
The panel covered a wide range of topics, including the recent interest in NFTs (Non-Fungible Tokens). Rivest mildly pooh-poohed the idea, noting that an NFT for a picture of a tulip is two steps removed from the reality of the tulip bulb you can hold in your hand. And yet, Shamir announced the sale of the original RSA document as an NFT; proceeds will go to charity.
As for quantum computing being the next big thing, the panelists were unconvinced. Rivest noted that research in quantum computing is a great way for physics departments to get other kinds of quantum research funded. Shamir pointed out that promises in this area haven’t materialized, and Professor Ross Anderson cast doubt on the very foundation of the technology.
A bearded and sharp-witted Whitfield Diffie closed things out in his own session. Among his barbs, Diffie identified the biggest challenge to security as “companies.” Asked for a bumper-sticker security slogan, he replied, “Unplug it, baby!” Diffie sent attendees off with food for thought, stating that he sees no way human freedom can survive as the ease and persistence of communication increases.