RSA Conference Europe Day 2

RSA Conference Europe 2009

The second conference day started with a presentation of Jon Colombo about social engineering. Last year, he led a research in UK and unfortunately, as we might be feared, results were scary. Jon gave a complete definition of “social engineering” and explained why “information brokers” can so easily steal personal information: lack of defenses, “it happens” syndrom and people just don’t understand what’s behind the technologies they use everyday. It became a major threat, your security policy must take care of it. One of the key word is “awareness”. Jon also explained the “attack life cycle” based on the following steps:

  • Research,
  • Hook,
  • Play,
  • Exit.

The information broker can perform hunting or farming attacks. Hunting makes easy results within a short period of time. Farming is based on long term (like spying). Attacks can be of two types: targeted or opportunistic. Finally, Jon referred two interesting books for those who’d like to understand how the human behavior can be affected by social engineering:

The next track was about DNSSEC. Joe Gersch started from scratch and explained why the domain name system is so critical on the Internet. To explain the well-known hijacking attack, he gave a nice example: forty years ago, a phone operator upset by her boyfriend gave his phone number to all customers calling the operator service. Even if you deploy firewalls, IDS, IPS, the DNS will always be the Achille’s heel. After a presentation of DNSSEC, Joe explained why it is not well deployed at the moment: it’s complex, must be scalable and strong enough against failure. Interesting statistics: early adopters used 4 to 6 man-months to deploy DNSSEC and still require 1/2 full-time employee to maintain the infrastructure. The biggest problems are the key pair renewal every time a DNS zone changes and the amount of pairs to generate for ISP’s who maintain thousands of zones. What’s the status of DNSSEC today?

  • In Europe: .se, .cz, .uk, .nl (enum zone) are protected.
  • In the US: .org, .gov, .com, & .net (soon), root (this year).

To have a clear view of the DNSSEC deployment status, check out SecSpider.

A keynotes session followed. Microsoft presented some facts concerning the web surfers security (today, browsers are important targets). The FBI & SOCA (“Serious Organized Crime Agency“) presented a status of the “underground economy” (which covered the botnets, Fast flux, the RBN and the digital currency). Qualys presented its view of today’s security issues mainly based on cloud security (once again the “cloud”). Finally, CA explained how to implement IAM (“Identity & Access Management“) with a nice life demo. To remember: “the right people, the right access and the right data”. The goal is to found the perfect balance between those three components.

After a lunch with Craig Balding and Stefan Tanase, I attended a track presented by Anne Claydon about combating the fraud in banking industry. The description looked interesting but too much slides were full of numbers and graphics. Bad choice. At least, we learned that banks are really aware of the fraud risks and they deploy lot of tools and procedure to fight fraud. An interesting statistic: the number of stolen accounts increased by 38% in one year (due to the physhing and malware attacks).

Next, Ben Rothke explained how to build a SOC (“Security Operation Center”). With the growing numbers of attacks and the complexity of today’s IT infrastructure, millions of messages are generated every day. Some business fall under regulatory compliance and must take the appropriate measures. In most organizations, the current way of working in case of security incident is still based on an “action – reaction” schema. By having a SOC, incidents will be immediately investigated (better response times). A SOC has basically three functions (using tools like SIEM):

  • Alerting.
  • Reporting.
  • Forensic searches, investigations.

Then Ben reviewed the two ways to implement a SOC: insource or outsource with a comparison of both solutions (pro & con). This was the best track of the day!

Finally, I attended the Ari Takanen’s track about fuzzing. Ari reviewed basic principles like the windows of vulnerability (zero , limited and public exposure) and gave a good definition of “fuzzing”. Fuzzing can be used for two market types: tests & measurements (used by telecom operators) or pure security. Two types of fuzzing are: the web and protocol fuzzing. The second type is more and more used. Two techniques were covered: the mutation and the generation. Ari also explained how fuzzing can be integrated into the SDLC (“Software Development Life Cycle“) and how fuzzing can be used to perform performance tests.

To close this second day, I visited the Conference Central where all the sponsors present their solution with live demonstrations.

Click to enlarge
Click to enlarge


  1. Hello Mark,
    I’ve no practical experience with DNSSEC zones management. Thank you for your feedback. It’s valuable. If I understand correctly, you need to regenerate a key-pair every time the zone changes and zone of them change frequently. What about ISP’s managing thousands of zones?

  2. Somebody is exaggerating the time required to maintain a DNSSEC signed zone. I’ve maintained DNSSEC signed zones for a number of years now and I don’t spend more that 20 minutes a year on them. They get re-signed as required automatically by the nameserver. The key thing is to know what you are doing.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.