
RSA Day 2

 Today was a great opportunity to see what RSA was all about. We walked over early to get badges and get checked in. The conference provided us with a decent swag pack, an RSA branded bag, water bottle (something I hadn't been able to find at any of the airports along the way), a notebook, a pen, a shirt, and for newbies, a "First Timer" pin. 

We stepped out to grab breakfast and then hit up the talk track. I had stupidly "favorited" all my talks instead of "reserving" them, so I had some quick choices to make. 

My line-up for the day ended up being: 

- Crypto to Kim Jong Un: Laundering Loot from the World's Fastest Heist - Geoff White, Penguin Random House

- Join the Mission to Strengthen the Industrial Ecosystem - Dawn Capelli, Dragos

- Agents of Chaos: Hacktivism Spreads Fear, Disinformation, and Propaganda - Alexander Leslie, Recorded Future

- Common Good Cyber - A panel with an assorted cast including Craig Newmark, philanthropist and Craigslist founder

- Hiding in Plain Sight: Hunting Volt Typhoon Cyber Actors - A panel moderated by the FBI with speakers from Microsoft, CISA, and the NSA. 

Overall, a decent line-up. 


Crypto to Kim Jong Un

Geoff kicked us off with a rousing story about the game Axie Infinity, something he likened to Tamagotchi meets WWE. Train the small, cute axolotls, make them fight, and win "Smooth Love Potion" to breed more powerful axolotls. Unfortunately, Axie also decided that everything in this game needed to be for sale: plots of virtual land, Smooth Love Potion, and Axies. However, Axie knew the fees for ETH would prevent users from trading as freely as they would if no fees existed. So, Sky Mavis (the creators) decided to create a parallel blockchain hosted on 9 computers: 4 they would have access to and 5 they wouldn't. This blockchain would be synced with the real Ethereum blockchain infrequently to balance the ledgers and reduce fees. Unfortunately (spoiler incoming), one of the computers Sky Mavis shouldn't have had access to was accessible, and North Korea was ultimately able to commit a Sybil attack, in which attackers control 51+% of a distributed network. This allowed the attackers to pull off the largest and fastest attack in history at just over $625m. Even at its highest valuation, Mt. Gox was only around $400m, and while Mt. Gox was big, it was slow, happening over years. Axie's attack happened in less than 2 minutes. More info is available in Geoff's book "The Lazarus Heist" and in the BBC podcast.

Join the Mission to Strengthen the Industrial Ecosystem

Dawn Capelli, formerly of Rockwell, now Dragos, presented a series of tools that are available for OT networks, including vulnerability assessment, maturity and posture assessment, and OT-specific tabletop exercises through the Community Defense Program and OT-CERT. The resources available include anonymized threat hunting, free use of the Dragos platform, and much more. Unfortunately, I asked a question at this session: "How does an IT security person who hears the calls to defend the OT networks get a job doing just that? We've heard Sec. of State Blinken, we've heard CISA's Jen Easterly, we've even heard FBI Dir. Christopher Wray, all beat the war drum. How and where do I go work to help?" Disappointingly, I got the same answer that has been repeated over the last 6 months: "There are no jobs in this field." Frustratingly, Capelli suggested I should go become an OT systems integrator, and then lobby for internal change at the company I'm working at to encourage customers to choose a more security-minded vendor as a selling point. This was asinine, as anyone with an IT career is not going to pivot into the junior factory work expected of OT engineers and integrators. 

Agents of Chaos

Alexander Leslie was an engaging speaker who shared at length about the challenges of tracking hacktivists. He argued that of the "hacktivist" groups active today in the Russia-Ukraine and Israel-Hamas conflicts, less than 2% are classical activist groups, and the other ninety-plus percent are abusing the loosely federated but well-established hacktivist brands.

Key takes 

Be aware of supposed hacktivists, especially those who offer non-external/political reasons for their attacks, those whose volume and frequency of attacks is high, and those who claim to perform extremely costly or technical attacks. Even more so, don't change business direction or legitimize hacktivist brands by recognizing exaggerated or misleading reports of what hacktivists have accomplished. 

Common Good Cyber Initiative

Hosted by Philip Reitinger of Global Cyber Alliance, a group of former policy makers, fintech people, and philanthropists (notably Craig Newmark of Craigslist) explained that the internet is held together by shoestrings and bubble gum, and no one was buying enough bubble gum. Each individual elaborated on why their industry alone couldn't solve the issues at hand. (Would anyone really want the US Govt to be the only sponsor/contributor to security research and backbone infrastructure?) 

As an answer, the team introduced their Common Good Cyber Initiative, a private/public partnership where government, industry, and philanthropy can meet together and help fund these essential technologies. 

Interestingly, Craig Newmark, 71, has famously stated he will give away all of his money before his death, and has given $100m to CGCI to date, mostly for the continued operation of Shadowserver. Craig also argued that patriotism isn't an outdated idea and that people have an obligation to the environment we live, work, and prosper in, to improve that environment.

Hiding in Plain Sight

Narrated and moderated by the FBI, this panel was literally packed with attendees shoulder to shoulder. And who could blame them? This panel featured Microsoft, CISA, and the NSA giving a deep look at how Volt Typhoon operates. Key takeaways from the team included patching your edge devices, setting up logging with significant retention of logs, and doing advanced IAM to prevent users from working on non-normal systems or outside normal hours. This was one of the highlights of the conference so far. It should be noted that all panel members reiterated the need for a paper operations plan for when, not if, the Chinese break into your networks. Even more frustratingly, they reiterated that China is extremely good at what they do, and there are no indicators of compromise to point to. The Volt Typhoon attacks discussed are still ongoing, and the FBI reported additional infected machines as recently as this week.
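The panel's logging and IAM takeaway (spot users on systems they don't normally use, or logging on outside their normal hours) as an added example; this is not part of the original post and not anything the panelists showed. It is a small Python detector that builds a per-user baseline of hosts and hours of day from a logon log and flags departures from it. The log line format, the one-hour slack around observed hours, and the sample events are all constructed for this example.

```python
"""Per-user logon baseline detector (added example, not from the post).

Baseline: for each user, the set of hosts and the hours of day (UTC) seen
during a training window. A new logon is flagged when its host is not in
the user's baseline or its hour falls outside the user's usual hours
(observed hours, widened by one hour on each side).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format (an assumption for this example):
# "<ISO-8601 UTC timestamp> user=<name> host=<name> type=<interactive|remote>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\S+)$"
)

# Constructed sample events used to build the baseline (not real data).
BASELINE_LOGS = [
    "2024-04-01T13:02:11Z user=alice host=ws-alice type=interactive",
    "2024-04-01T14:30:45Z user=alice host=ws-alice type=interactive",
    "2024-04-02T16:45:03Z user=alice host=ws-alice type=interactive",
    "2024-04-03T09:15:27Z user=alice host=ws-alice type=interactive",
    "2024-04-01T15:00:00Z user=bob host=ws-bob type=interactive",
    "2024-04-02T17:20:10Z user=bob host=jump-01 type=remote",
    "2024-04-03T10:05:59Z user=bob host=ws-bob type=interactive",
]

# Constructed sample events to evaluate against the baseline.
NEW_LOGS = [
    "2024-04-08T15:10:00Z user=alice host=ws-alice type=interactive",   # normal
    "2024-04-08T15:12:30Z user=alice host=fw-edge-01 type=remote",      # new host
    "2024-04-09T03:40:12Z user=bob host=jump-01 type=remote",           # off-hours
    "2024-04-09T02:00:00Z user=carol host=dc-01 type=remote",           # unknown user
]


def parse(line):
    """Parse one log line into a dict; raise on lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "host": m["host"], "type": m["type"]}


def build_baseline(lines):
    """Return {user: {"hosts": set(), "hours": set()}} from training lines."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        baseline[ev["user"]]["hosts"].add(ev["host"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def usual_hours(hours, slack=1):
    """Widen observed hours by `slack` hours on each side, wrapping at midnight."""
    return {(h + d) % 24 for h in hours for d in range(-slack, slack + 1)}


def detect(baseline, lines):
    """Return [(line, reason)] for logons that depart from the user's baseline."""
    findings = []
    for line in lines:
        ev = parse(line)
        profile = baseline.get(ev["user"])
        if profile is None:
            findings.append((line, "no baseline for user"))
            continue
        reasons = []
        if ev["host"] not in profile["hosts"]:
            reasons.append("new host")
        if ev["ts"].hour not in usual_hours(profile["hours"]):
            reasons.append("off-hours")
        if reasons:
            findings.append((line, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"{reason:22} {line}")
```

With a real log you would build the baseline over weeks rather than days and widen the slack to fit the user population, but the shape is the same: the alert does not depend on any signature, which is the point when the actor is living off the land and there are no indicators to match on.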

After the talk tracks we hit up the keynotes, with an opening by WarGames star Matthew Broderick, who shared how Reagan's viewing of the film resulted in the creation of the Computer Fraud and Abuse Act, among other legislation. (In researching this, much of Broderick's opening seems to be lifted from Bankston's article at New America, "How Sci-Fi Like 'WarGames' Led to Real Policy During the Reagan Administration".)

Regardless, Broderick was engaging and riffed with the audience before introducing the Executive Chair of the RSA Conference, Hugh Thompson. Hugh shared a family story about descending from a storied line of Bahamian lighthouse keepers who understood what happens when the watchmen fail in their duties, encouraging the audience to take up the mantle and protect their domains. Hugh also shared about the real dangers of burnout plaguing the industry and then alluded to AI as a pseudo-fix for this issue, though the people in the trenches didn't seem to buy what he was selling; I know I didn't. 

Thompson left the stage to applause and introduced Secretary of State Antony Blinken. Secretary of State Blinken was probably one of the speakers I was most excited to hear from, and unfortunately the least interesting to listen to. He reiterated a lot of the work that the Biden admin is doing through the CHIPS Act and the Inflation Reduction Act, but it seemed like a ChatGPT-cobbled-together collection of sound bites rather than a cohesive speech to a collection of the world's foremost authorities on cybersecurity issues. I don't include myself in that latter statement, but I didn't see anyone receiving value from the speech.
