The first day of RSA Conference Europe is already over! I arrived this morning (up at 4am to catch my train!) and the first impression was very positive. This is the first time I have attended this conference and it looks very professional. Honestly, I’m also happy to see that the mix of ties and t-shirts is well balanced. There are lots of “commercial” sponsors, but the proposed sessions are split across ten tracks: Application and Development, Business, Governance, Hosts, “Hot Topics”, Network, Career Development, Threats, Services and Sponsor Case Studies (for a total of 70 sessions). Nothing to say about the organization: registration, luggage, Internet connectivity. Perfect!
The conference started with two keynotes. The first one was presented by Arthur Coviello and Chris Young, both from RSA (logically, as it’s the main sponsor). They reviewed the existing threats on the Internet and how to deal with them. I liked the comparison with the boiling frog: if you put a frog in boiling water, it will immediately jump out, but if you put it in normal water and let it warm up, it will stay and not detect the danger. The same may apply to us: be prepared to fight against emerging threats. The goal is to be proactive and embrace the challenge using seven principles. A good security strategy must be defined!
The second keynote was presented by Herbert “Hugh” Thompson. This guy has excellent presentation skills. He explained that today everybody is sharing information on the Internet, but we have to learn how to share it in the right way (example: Twitter is full of useless messages and a lot of them can be used to deduce personal things about you). Using lots of examples, he explained what “gateway data” is and how to exploit it to grab interesting information that can be reused to conduct attacks.
Then the track sessions really started. As there are always three or four tracks running at the same time, it’s really difficult to make a choice based on a few lines of text. My first one was “Governments Face Up to the Cyber Security Challenge“. Honestly, I did not find this track interesting. Then ENISA presented itself and its current projects. ENISA (the “European Network and Information Security Agency“) is a non-operational organization working for the EU institutions which produces good practice guides on topics such as DNSSEC implementation or IPv6. They also try to cover the upcoming hot topics. They presented an introduction to cloud computing (the good and the bad points).
After a quick lunch, the afternoon started with an excellent presentation by Brian Honan: “Knowing Me, Knowing You, How to Steal an Identity Using Google“. Brian explained how he was challenged by a journalist to steal her identity. Slide after slide, he explained how, using major social networking websites (Facebook, LinkedIn, MySpace, …), he successfully grabbed sensitive information, even a copy of a birth certificate! Brian also insisted on some important points, like not using the same user name across websites and reading the terms of use carefully. Sometimes pictures can also reveal nice information (like post-its with passwords ;-). Then he reviewed some tools that can help to automate the search for personal information (like Maltego or pipl.com). Being social is normal human behavior, but there are good ways to communicate with your friends. Keep in mind: they can compromise you!
The next track was about DLP (“Data Loss Protection“). Three specialists first recalled what DLP is (definition) and how to detect lost data: via content description (patterns like credit card or Social Security numbers) or via fingerprinting (based on the patterns of scanned sensitive documents). The main discussion was about the deployment of a DLP solution in a company and the privacy concerns. Indeed, today, there is an expansion of the private space at the workplace. Before deploying DLP, it’s mandatory to define a clear employer policy (endorsed by management). I expected more from this track. The main problem is that the solution is based on technical and legal aspects coming from the US and not really applicable to Europe. Sad!
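To make the two detection approaches mentioned by the speakers concrete, here is an added example (my own code, not anything shown in the DLP session or by any vendor). Content description is implemented as regular expressions for card numbers and US Social Security numbers, with a Luhn checksum on card candidates to reduce false positives; fingerprinting is implemented as hashed word shingles of a registered sensitive document, so that even a partial copy-paste of it into an outgoing mail is flagged. The “sensitive memo” and the two mails are constructed sample inputs, and the 0.5 match threshold is an arbitrary assumption for the demo.

```python
"""Toy DLP content detector: pattern matching plus document fingerprinting.

Added example, not code from the conference talk. Sample documents below
are constructed for the demonstration.
"""
import hashlib
import re

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN format, excluding a few impossible area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Content description: card-looking digit runs that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """Content description: SSN-formatted numbers."""
    return SSN_RE.findall(text)


def shingles(text: str, k: int = 5) -> set:
    """Fingerprinting: hash every run of k consecutive normalised words."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def fingerprint_match(registered: set, candidate: str, k: int = 5) -> float:
    """Fraction of the candidate's shingles that belong to the registered doc."""
    cand = shingles(candidate, k)
    if not cand:
        return 0.0
    return len(cand & registered) / len(cand)


def scan(text: str, registered: set, threshold: float = 0.5) -> dict:
    """Run both detection methods over one outgoing message."""
    return {
        "cards": find_card_numbers(text),
        "ssns": find_ssns(text),
        "fingerprint_hit": fingerprint_match(registered, text) >= threshold,
    }


# Constructed sample data (assumption: this is what the DLP admin registered).
SENSITIVE_DOC = ("Project Falcon acquisition memo: board approves purchase of "
                 "Acme Holdings for 120 million euros, subject to regulatory "
                 "review in the fourth quarter.")
REGISTERED = shingles(SENSITIVE_DOC)
LEAK_MAIL = ("FYI board approves purchase of Acme Holdings for 120 million "
             "euros, call me.")
CLEAN_MAIL = "Lunch tomorrow at the usual place? Let me know."

if __name__ == "__main__":
    print(scan("card 4111 1111 1111 1111, ssn 123-45-6789", REGISTERED))
    print(scan(LEAK_MAIL, REGISTERED))
    print(scan(CLEAN_MAIL, REGISTERED))
```

Note that a run of digits such as 1234 5678 9012 3456 looks like a card number to the regex but fails the Luhn check, which is exactly the kind of false positive a description-only rule generates; the shingle fingerprint catches the reworded leak (roughly two thirds of its word runs come from the memo) while ignoring the unrelated mail.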
Finally, the last presentation of the day was a very good one! Mike Hawkes, a developer of mobile applications, explained why mobile applications must be secure and how difficult it is for developers to reach the right security level. A very nice/bad example was the application used in London to pay for parking. First, you need a credit card (how do people who don’t have one pay?). Second, to pay for your space, you need to send your credit card number via SMS (with extra information). It has already been proven that GSM networks can be sniffed! And finally, there is the risk of finding your credit card number again in your sent-items folder! Mike described a test made by the BBC: 80% of people receiving an application via Bluetooth accepted it, even with warning messages! They simply trusted the “BBC”!
Regarding mobile application development, one of the major issues is the number of different phones, operating systems and network providers. Those providers even modify the phones’ behavior or profiles, which adds a lot of complexity to the development process. During development, most of the budget is assigned to testing and debugging. This was also an excellent track!
The hot topics for this edition are clearly cloud computing and social networking, with three and five tracks respectively on those subjects. That’s all for the first day. This evening, off to the Security Bloggers Meetup. Stay tuned!