RSA Conference Wrapup

March 08, 2010

RSA Conference Wrapup

Well another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren.t making as hard as a pitch as I.m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah.s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn.t make it to as many parties as I would have liked to this year - maybe I.m getting old, or maybe I started drinking too early. Either way.

One notable quote was from Howard Schmidt who said, .There is no cyberwar,. but I don.t think he ever defined what a cyberwar would look like - so I don.t know how decided we aren.t in the midst of one. Maybe he.s absolutely right and we aren.t in the middle of anything like a war (just the low rumble of espionage), but I.d like to hear his definition one way or another so that I can know when I should start being outraged.

But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don.t. Physical security is tough, don.t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a .Diagnose Connection Problems. error and worse yet, it popped out of the Kiosk mode. Never a good sign. It looks like protecting the application from most classes of attacks simply by disallowing outbound network access. Let.s assume there were no way around that for a second (and I.m not convinced of that, incidentally).

Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn.t exfiltrate the data off of that machine. Oh, but it.s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this Kiosk intranet). So all I should need is some JavaScript malware to steal people.s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and just like magic, I have a way to steal conference registrant.s information. And there.s the cookies and any other tampering I might be able to do in the config options in IE. It.s definitely NOT a huge deal, but rather just another example of how it.s incredibly complex to build a truly secure browser based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

main page ATTRITION feedback