Security Week 14: RSA Conference, Holed Advertising Networks, Alliances and Confrontation

Last week, the 27th RSA Conference Business Conference took place in San Francisco. Until the early 2000s, this event could be described as a highly specialized party of cryptographers, but gradually business content almost completely supplanted the technical one. Not everyone liked this format of the information security event. All week on twitter every now and then slipped caustic comments from technical experts, such as "RSA is going to be as productive as possible, if you lock yourself in a hotel room and work."

RSA - this is really a tusovka of managers, and it does not matter from which side - the supplier of security solutions or the client company. About cyber defense there they say "at a high level", in general terms, sometimes vague and vague. In general, it is possible to understand why techies from formulations like “the inclusiveness of diversification in building a new paradigm for information security” are so bombing. But there is nothing good in attempts to divide the near-IB-community into “ours” and “yours”. Firstly, there are too many dividers in our life. Secondly, the information technology industry (if you recall the same scandal around Facebook) ran into problems that, unfortunately, do not have a technical solution. Let's try to show examples.

Typical, spherical in vacuum, the RSA conference follows the following pattern: some fresh technical trend is chosen as the main theme of the event, around which keynote speeches of the most important guests (read, platinum sponsors) are built. This year the pattern has broken: the number and complexity of attacks grow, but to talk about it without immediately offering at least some product to protect, and preferably from all attacks at once, does not correspond to generally accepted business practices. And there is no solution to all problems on a global scale at once. On the very first day of the conference, obvious, but unconventional business words sounded: that there are no silver bullets (= universal tablets from cybercrime), there is a huge gap between the market need for information security specialists and their presence. A McAfee spokesman outlined a rather rigid parallel with the September 11 terrorist attacks: after them, safety in the civil aviation industry was enhanced not by magic and not by new breakthrough technology, but by many small improvements to the existing process - from banning liquids to reinforced cockpit doors.

Come on? No, the approach “to get something done, you need to work hard and hard” - it is generally correct, but it was somehow unexpected to hear it at the RSA Conference. Two years ago, practically the same people buzzing cheerfully about the incredible benefits of IoT and the bottomless security breaches, to which either the lerning, or the blockchain, or the nekstgen machine is almost screwed, and that very soon everything will be fine. And here it came out. I suppose that the source of such a wind of change is in the moods of corporate clients who are tired of hearing about another terrible APT in the absence of some kind of imputed opposition plan. It’s time to talk about solutions, and this wish applies to techies, usually looking only for problems. At least in the conference infrastructure itself: on the fourth day of the RSA Conference, someone discovered the base of a proprietary mobile application on the contractor’s servers in the public domain.
')

To be precise, not all user data leaked. And not necessarily users. But something was not as well protected as we would have liked.

Nevertheless, technical trends, though modestly, were outlined. This is data encryption wherever possible, including those that are idle and do not seem to give up. The reason for this is big data processing methods and correlation efficiency, when a truck of irrelevant input data is processed into information that is really dangerous in case of a leak. Machine learning in such a context is no longer viewed as a healing powder that will save everyone, but also as an attack tool. This is also the further automation of the monitoring systems for events in the corporate network - not for the sake of beautiful graphics (although for them too), but just to free up the time of living professionals for something more useful.

The desire to stop scaring the business with threats and seducing it with another radical tool from all cyber problems was shared by almost all of the congress delegates who spoke at the opening of the conference. Except Microsoft. Her representative Brad Smith could not resist the presentation of the Azure Sphere - a hardware platform for creating IoT devices running Linux (!) And tied to the Microsoft Azure cloud solution. Of course, the most secure security promised: integrity monitoring software, regular delivery of updates and so on. The hardware will be open, it is planned to make money on the cloud side of the solution. The news is interesting, if only for the first time that Microsoft will independently compile the development of a product based on the Linux kernel, and how it really takes off - well, we'll see.

Microsoft's second major announcement was the creation of a Cybersecurity Tech Accord alliance of 34 companies, including Cisco, Facebook, HP Enterprise and Trend Micro ( news ). The alliance was created to reduce the damage caused by cyber warfare to “civilians and companies” - its participants pledged not to help states develop cyber weapons and protect customers around the world from sophisticated cyber attacks. In a sense, this is an initiative in the style of "Bees against smoking in public places": a worthy goal, no doubt, but what does the bee have to do with it? But here we return to the beginning of the opus: any attempt to unite with a good goal is good news. The efficiency of such associations may be small, but in relations between people and in politics it is always like that, unlike technology.


Millions of mobile apps send open user data to users.

News Research

One of the Kaspersky Lab presentations at RSA was devoted to the security of personal data in mobile applications, more precisely, not even in the app itself, but in the advertising networks to which these applications are accessed. The expert of the “Laboratory”, Roman Unuchek, discovered that a lot of applications send in open form, without encryption, quite sensitive data, such as geolocation:


At the same time, the servers communicate with their servers via HTTPS. The problem is that the integration of advertising modules (for displaying banners and other things) is often done by copy-paste, and in some cases this “additional” functionality takes from 75% to 90% of application code. Since 2014, a giant sandbox for mobile applications has been operating in the “Laboratory”, which analyzes the network activity of 13 million app. Of these, as it turned out, about 4 million communicate with someone over an unprotected HTTP protocol. Further analysis of the most common advertising modules revealed an interesting picture: some advertising networks provide the ability to exchange information on HTTPS, but not all developers spend time searching for the right code. In other networks, it is not at all possible to send data using encryption. In another network, data exchange was not protected due to an error in the code, which was later corrected.



The problem, however, is not only in advertising networks. A number of applications send HTTP information to their own backend, including passwords:


This study is a good example of how to increase the security of a large number of users with as little effort as possible. Users also recommend nothing special, except for the widespread use of VPN. Do not carry the same phone with you without a SIM card and GPS, and only for App?

Let's finish with a small offtopic. Yesterday, Arstechnica published an interesting material about the continuing problems with the production of the mass-produced Tesla 3 electric car. It claims that Ilon Musk overestimated the possibilities of manufacturing automation and thus repeated the mistake of classic automakers made by them back in the 80s of the last century. Then, too, an attempt was made to automate everything at all, and also failed. Robots are important, but people can't do without people. Perhaps the same can be said about the information security industry: you can automate the routine, but some new ideas require human talent. At least for today it is. And even at the RSA conference, which tends to exaggerate the possibilities of technical innovations, this is recognized at the highest level, this is good news.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.