Top 10 hot topics at RSA 2010

Talking points of last week's conference.

Well, it's been a long week but RSA 2010 is now officially over. The chairs in the auditorium have been stacked, the expo is being torn down and delegates are disappearing home for another year.
All in all it's been a fascinating show. The quality of keynote speakers was very high, with only a few boring rants, and people have been both knowledgeable and willing to share. There have been spirited debates, in-depth seminars and, I'm willing to bet, more than a few inappropriate clinches at last night's Codebreakers Bash in City Hall.

You can find all the stories on the site but for the record here's our pick of the top talking points of the show. Any attendees might wish to add their views below.

Honourable Mention: Robots

Iain Thomson: Let's be honest, I wasn't expecting to get a story from this presentation but who can resist robots?

As it turns out the talk was really rather interesting. Dr. Singer from the Brookings Institute was inspirational about the future of robotics and the questions that it raised. From a security standpoint it's clear that a lot more of our physical security systems are going to be robotic in the future, but what really grabbed my attention was the ethics of using such technology.

It's pretty much a given that we're going to see the friendly building security guard replaced by a mechanical equivalent. However, how far are we going to let such machines be capable of independent action? That's the question that keeps me up at night.

Shaun Nichols: Pretty much all men love robots, especially robots with guns. Yes, they may be unstable and highly dangerous, but they're still really cool.

That said, I'd rather not see a robot guarding anything until researchers can at least ensure that the thing won't suffer a system error and start unloading into crowds of people.

The Singer keynote provided both an interesting outlook on the long-term future of robotics and a nice dose of reality on where the field actually was.

Honourable mention: Blacklisting and whitelisting

Shaun Nichols: How bad has malware gotten? Well, now instead of creating tools to filter out all the software you're not supposed to use (blacklisting), companies are pitching tools that only allow software that IS safe to use (whitelisting).

Actually, whitelisting has been around for a while and is a pretty good way to increase both security and productivity. Many of the latest tools will scope out the network, make a profile and then make sure that no changes from that "clean" state can be made.

Additionally, the appliances can control who has access to what files and applications. The sizeable portion of data breaches stemming from error or malice by someone within the company was a popular topic at the show this year, and whitelisting controls can help to prevent much of that.

Iain Thomson: Based on what we've learnt from the show, the idea of just going with whitelisting or blacklisting isn't the answer; we need to meld these two systems together.

The problem is how to do this in an effective way. Whitelisting can be useful but takes a lot of time, while blacklisting can have unfortunate problems with false positives and can also harm productivity. When our IT department shut off access to Facebook and Twitter we had to protest, since we get a fair few stories from those sites.

The combination approach has a lot to offer but the devil is in the details. We'll have to see what the security industry comes up with.

10. Government security

Iain Thomson: As ever the government was at RSA 2010 in force. There was some good news, like the release of some of the data behind CNCI and the Department of Homeland Security competition, but off the keynote stage the news was less good for the government.

It has become clear that very little has been done on computer security over the last year, because the right people haven't been involved. Howard Schmidt is trusted by everyone it seems and he gets technology. But he's the first person to really get things moving again since the resignation of Karen Evans as Administrator of the Office of Electronic Government and Information Technology.

Part of the problem is internal politics. Geeks are not good at politics; it's almost the polar opposite of the skills you need for dealing with IT. Evans was a great techie, who used logic and knowledge to force branches of government to change their ways and start taking IT security seriously. This made her hated by many, and some people in her department actually cheered when the news of the resignation was announced.

One team member went on the record to describe her as a bitch. I've no idea what she was like to work under but I do know that Tina Fey was right; bitches get stuff done. The US government needs more, not less, of these kinds of people.

Shaun Nichols: I was in favour of the US government attending RSA for no other reason than that the NSA had a World War II Enigma machine at their stand and I'm a bit of a computing history buff.

But expo attractions aside, the show was not especially encouraging for the US government. Much of the conversation was focused on cyberwarfare and more than one person suggested that the US was lagging far behind China and Russia in its ability to do battle on the digital front.

Given the secretive nature of the NSA and its digital operations, the government is probably much further along in its cyberwarfare capabilities than we are led to believe, but hopefully the conference served as a wake-up call to the government that it needs to restore confidence in the security of the country's online infrastructure.

9. Targeted attacks

Shaun Nichols: We have a few variations on this one later down the list, but the general idea is that targeted attacks may be set to explode in a big way this year.

The idea is that infecting the system of one high-level executive is more valuable than infecting a few hundred consumer or academic PCs.

If you can get your malware on the right system or steal the right financial details, you can get away with hundreds of thousands of dollars or highly valuable corporate data. This system was recently used to swipe more than $400,000 from Kentucky's Bullitt County government.

Additionally, the social engineering on targeted attacks can be much more effective because the scam can be specially crafted for the individual target. All of this is leading experts to believe that the practice will become much more common in 2010.

Iain Thomson: I hate the term spear phishing, it's one of those buzzwords that proper hacks hate to use, but are compelled to do so (although credit to Shaun for avoiding the phrase).

Targeted attacks are going to be increasingly common now that malware gangs have perfected their money laundering techniques. Get the right bit of malware on the right computer in the accounts department and you can get seriously rich.

To complicate matters the information you need to launch a targeted attack is relatively easy to get hold of. Many companies publish email addresses and corporate profiles on their web sites and once you have a pool of email addresses it's pretty easy to work out what the contact details of your target are. Add in a false header from someone else in the company and you've a malware attack with a high chance of success.

8. Social media malware

Iain Thomson: Social media was high on the agenda at many of the sessions at the show but, while everyone acknowledged that there was a problem, there were few ideas on how to solve it.

Social media like Facebook is a blessing to malware writers since it makes social engineering so much easier. You're more likely to click on a link if you know it comes from a friend and so redirecting people to sites that are laden with malware is less of a chore.

Now for the easy way to solve this problem. Social networking sites could invest in some staff and check links, in the way that companies like Google do. Sure, it will be expensive to set up but people really should start asking Mark Zuckerberg what he's doing with all the money Facebook is apparently generating, and that goes double for the management of Twitter.

Shaun Nichols: It's no secret that every day Facebook and Twitter are being viewed less as web services and more as online platforms and even operating systems. To that extent, social networking sites need to really step up their security efforts.

The process of creating a data-harvesting app on Facebook is almost trivial. Users will gladly hand over all of their information if they believe that they will get a fun new game or a list of people who have looked at their pages.

The blame isn't solely on the companies, either. Users need to start exercising more caution with how they use social networking. Just as you wouldn't install an application that looked dodgy, why would you allow a suspicious Facebook application to have access to your personal data? This is one area where the end users may be the ones that need to take charge, and to that extent, educating the public of the risks will be key.

7. Mobile malware

Shaun Nichols: Not long ago a phone wasn't used for much more than dialling and receiving calls. If you had a really fancy handset, you also could check your email.

In this new era of computing, however, the phone has become an extension of the computer. Web browsing, file transfers and playing media files are all common activities for modern handsets, making them a viable target for malware infection.

In past years, mobile malware discussions at RSA were more in the realm of theory or proof-of-concept. This year, the discussion was really around what we should do now that it's here. Vendors went from talking about far-off mobile security offerings to talking about the finer points of a mobile security product.

Iain Thomson: Mobile malware has been around for a while now but it's not very effective and usually relies on the phone owner being stupid enough to download and install the malware themselves.

However, it's clear times are changing. The growth in the use of smartphones has opened up a new world of mobile internet access and e-commerce but the downside of that is that phones have become a more attractive target. Criminals follow the money and phones are very high up on their agendas.

From what we've heard Apple is doing better than most in this area. The App Store has proven very effective at blocking applications that host malicious content, something the Android app selling operation has been less than successful at. Nevertheless we saw both iPhones and Android devices getting hacked at the show and Symbian and Windows Mobile are also vulnerable.

6. Zeus

Iain Thomson: Zeus is the botnet du jour and you wouldn't have had to look far on the show floor to find someone with an opinion.

Zeus is the kind of malware that security types hate. It's very, very good at what it does and can be tough to beat. Once it's in your system it's as persistent as herpes and about as pleasant.

It's also very common and cheap. You can pick up a copy for as little as $700 and then spam it out to people and get a significant return. There are also free copies circulating on peer to peer and torrent networks, although more than one person here said that such pirated copies usually had other malware built in so that the infector becomes the infected.

The botnets created by Zeus are going to be with us for some time it seems, and from what we can see no-one's got a magic silver bullet to kill it.

Shaun Nichols: Zeus isn't really a botnet, nor is it an attack tool. It is a piece of malware that has some rather remarkable and insidious capabilities.

To make a long story short, Zeus can turn pretty much every web site into a phishing page. Once installed, the malware is able to inject code into HTML pages before the user can view them. You may actually be at your bank's web site, but rather than just asking for your username and log-in, the page may also ask for your account number and PIN code. Those extra fields are actually code injected into the page by Zeus. Additionally, when you try to send outgoing information, Zeus can intercept and store the information, rendering one-time password tools useless.

Combine all of this with an interface easy enough to operate by even a novice user, and you can see why so many people are worried about the Zeus botnet.
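One defensive counterpart to the field injection described above is a form-integrity check: compare the login form a client actually rendered against the form the bank is known to serve, and flag any inputs or submit target the bank never put there. This is an added illustration, not code from the article; the sample pages, field names and `/login` action are constructed assumptions.

```javascript
// Added example, not code from the article: detect Zeus-style form-field
// injection by comparing a rendered login form against a known baseline.
// Both sample pages below are constructed; the field names are assumptions.

const EXPECTED_ACTION = "/login";
const EXPECTED_FIELDS = ["username", "password", "csrf_token"];

// Pull the form action and every <input name="..."> out of an HTML string.
// A small regex scanner is enough for these samples; it is not a full parser.
function extractLoginForm(html) {
  const actionMatch = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/i.exec(html);
  const fields = [];
  const inputRe = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    fields.push(m[1].toLowerCase());
  }
  return { action: actionMatch ? actionMatch[1] : null, fields };
}

// Compare the rendered form against the baseline. Extra inputs (an account
// number or PIN box the bank never asked for) or a changed submit target are
// the traces a web-inject leaves in the page the user sees.
function auditLoginForm(html, expectedAction, expectedFields) {
  const { action, fields } = extractLoginForm(html);
  const expected = new Set(expectedFields);
  const injected = fields.filter((f) => !expected.has(f));
  const missing = expectedFields.filter((f) => !fields.includes(f));
  const actionChanged = action !== expectedAction;
  return {
    injected,
    missing,
    actionChanged,
    verdict: injected.length > 0 || actionChanged ? "suspicious" : "clean",
  };
}

// Constructed sample: the page as served by the bank.
const CLEAN_PAGE = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

// Constructed sample: the same page after injected code has added
// fields asking for the account number and PIN.
const INJECTED_PAGE = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>Account number</label><input type="text" name="account_number">
  <label>PIN</label><input type="password" name="pin" maxlength="4">
</form>`;

console.log(auditLoginForm(CLEAN_PAGE, EXPECTED_ACTION, EXPECTED_FIELDS).verdict);    // clean
console.log(auditLoginForm(INJECTED_PAGE, EXPECTED_ACTION, EXPECTED_FIELDS).injected); // [ 'account_number', 'pin' ]
```

In practice the rendered HTML would come from a client-side integrity script or a monitoring browser reporting back to the bank; the check itself does not change.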

5. Operation Aurora

Shaun Nichols: As you might have guessed, the recent attacks on Google, Adobe and dozens of other firms were kind of a big deal at RSA.

Now known as "Operation Aurora," the incident is being considered by experts as not just a freak occurrence, but as the first of countless organized campaigns to infiltrate business systems and steal intellectual property.

The big appeal to convention goers was that the attacks concerned nearly every element of IT security. Could encrypted files keep hackers from stealing sensitive data? Would security appliances prevent phishing attacks? Would better anti-malware and patch management tools block the malware installation?

Given the wide reach of the attack and the highly-valuable nature of the targeted content, it's no wonder that Operation Aurora was on everyone's mind.

Iain Thomson: We're probably never going to learn the truth about Operation Aurora, but there were plenty of people willing to take a guess.

The prevailing view on the floor was that the attacks were government organised, although they were probably carried out by freelancers for a fee to provide a good cover story if investigators get too close.

Certainly the targets were not something the traditional malware gangs would go for. They want cash, by the most direct means possible. The stealing of corporate data is usually only carried out by governments or businesses. Plus no malware gang really wants to know about political dissidents, unless someone is paying them to care.

We'll have to keep a close eye on the ramifications of Operation Aurora and I suspect there will be many twists and turns in the story ahead.

4. Commercial hacking

Iain Thomson: You can spot the clueless security PR person when they start talking about how people aren't hacking for fun any more, but are doing it for money. Please, this has been going on for nearly a decade.

But we've been spending several fascinating sessions this week listening to the latest information on the professionalism of the latest incarnation of malware creators. Over the last ten years we've gone from simple one- or two-man bands pulling minor heists to an organisational chart that would not look out of place in a legitimate software firm.

These gangs, of which the innocuous sounding Russian Business Network (RBN) is one of the biggest, use the standard business model, with a managing director and board of top people who decide strategy and direction and negotiate with other gangs for spare resources as needed.

Then there's the research and development division, where promising programmers are hired to create ever more complex malware. The operations division coordinates attacks and SEO poisoning, and then there are a large number of base-level positions involved in turning online cash into physical profits by money muling, with many of these people not even aware they are involved in criminality.

These gangs can make millions a month and use that money to reinvest in expansion, as well as buying off local law enforcement to ensure no unpleasant surprises. They are going to be very tough to beat.

Shaun Nichols: This is an area that many people think is set to explode in the very near future.

Just about every company now has its most confidential documents online, and if you can place a piece of malware in the right spot or harvest the right credentials, you can literally obtain billions of dollars worth of information.

This is only compounded by the fact that many companies are looking to save money and simplify management by opting not to upgrade and instead using older, vulnerable components such as Internet Explorer 6 and unpatched versions of Windows XP. Such systems are now incredibly easy for malware writers to exploit, and running them is just asking for a security disaster.

3. Cloud Computing

Shaun Nichols: Last year it was the big issue. This year, cloud computing was still a big deal, but mostly because of the new questions it raised.

While last year everyone was talking about how cloud computing was going to take hold and change the nature of security, this year the question was what companies were supposed to do now that cloud computing has changed the nature of security.

It leads one to conclude that the rise of the cloud happened much faster than anyone expected. No doubt the slow economy drew people to the attractive price structure, as did the drive to adopt more efficient systems and virtualise operations.

Whatever the reason, cloud computing is very much here and many security firms are trying to figure out what to do about it.

Iain Thomson: In his opening keynote RSA boss Art Coviello threw down a challenge to the industry to sort out cloud computing security. Based on what we've seen he might be waiting for some time yet.

With cloud computing the security of the internet connection is paramount, otherwise you're just left with a dead screen. But a close second is the security of the data that companies are entrusting to third party suppliers.

To an extent firms already have to make a choice to trust in their suppliers and the US government. Google doesn't talk about this much but users of its online applications have already opened up their data to the government, since under the terms of the Patriot Act the government has the right to access any server on US soil.

One thing from this week's show did however give me hope, and that's the involvement of the Jericho Forum. The forum has some of the brightest minds in computer security and if anyone can solve this problem it's them.

2. There is no security

Iain Thomson: Early on in the show I did a story about how the anti-virus industry was failing to pick up 10-30 per cent of malware attacks.

That evening I was at a meet and greet session with one of the biggest anti-virus vendors and was talking about this to the firm's chief technical officer, a marvellously outspoken chap - the kind we hacks love. I was expecting an angry denial and the reasons why. Instead he looked thoughtful for a second and said "Yes, that's fair enough. Signature based anti-virus is failing, and heuristics too."

Considering I used to use this company's security software on my own home system it was a tad unsettling to hear this, but most of the security professionals I spoke to this week had roughly the same response. While any sane person knows there's no such thing as absolute security, I'd expected people to be a little more confident that the products they were selling could stop attacks on a regular basis.

Now I don't want to get alarmist about it but this is going to be a serious problem. In the short term you could try using platforms seldom attacked, such as Apple or Linux. But, for at least the next decade, if you work in an office chances are you will be using a Windows system, and you'll be vulnerable.

Shaun Nichols: During a panel discussion at the show, famed security researcher Dan Kaminsky said "sometimes there are big problems that we've dealt with, and that's OK."

What's not okay is when big security problems are not dealt with, and we saw a lot of that this year at RSA. Everything from SSL certification to the basic security concepts of next-generation enterprise services was called into question, and the answers were few and far between.

Fortunately, some of the smartest people on the planet are looking for ways to solve the issue. I have no doubt that some very solid solutions will be found, but in the meantime the enterprise community is less than enthused with current security protections. Which brings us to our #1 issue...

1. Trust

Shaun Nichols: If you followed all of the RSA keynotes, you would see that the one theme that popped up in nearly every address was trust. The onslaught of malware and other forms of attack has caused many companies to lose faith in their security protections and has left security vendors red-faced.

It's also perhaps the most troubling question to come out of the RSA conference this year. Technical issues can be addressed by developing faster and more accurate products. Performance problems can be solved by better research and retooled software.

Trust, however, is difficult to quantify and even harder to earn, especially when it has been lost before. A company can overcome buggy releases or a bad financial quarter, but it's much worse when users have more or less lost faith in your entire sector.

Cloud computing uptake has stalled recently in no small part because of security concerns. If not addressed, those concerns could bring the downfall of some pretty big names.

Iain Thomson: In so much of life trust is everything, and never more so than in security.

Your last point is a good one, Shaun: we are seeing a lack of trust in security holding back adoption of cloud services, but I fear we may have bigger problems than that. To my mind the entire banking sector has an enormous trust issue hanging over it. We're already seeing people stopping online banking for fear of online fraud and until the sector addresses those concerns the rot will continue.

However, there is also the wider issue of trust on the internet. The basic protocols of the internet were not designed with security in mind, the whole point was that connections should be simple and reliable. I fear that we may have to go back to the drawing board on internet protocols in order to have a measure of trust that connections are going to the right people.

Copyright © v3.co.uk