On the second full day of RSA Conference 2018 in San Francisco, news items focused on more deep-tech issues like iOS vulnerabilities, security best practices and the future of blockchain.
Here are a few stories that were making the rounds in the Moscone Center’s North and South Halls.
Thwarting an iOS flaw
Symantec researchers generated some media buzz at RSA Conference with their presentation about a security flaw in the iOS operating system that they flagged back in July of 2017. The flaw wasn’t revealed until yesterday, when WIRED posted an early-morning story in advance of the researchers’ presentation at RSAC.
Adi Sharabani, senior VP of Modern OS Security at Symantec, discussed how a security team noticed that hackers could have taken control of iOS devices when users, while charging their devices, tapped yes to a prompt that says “Trust This Computer?” The scheme is referred to as “trustjacking.” Symantec alerted Apple to the vulnerability, and Sharabani added that he believes the issue was never exploited by attackers in the wild.
“We reported this to Apple in mid-July 2017, before the release of iOS 11,” Sharabani told eWEEK. “Following our report, Apple added a requirement to authenticate by entering a PIN code or equivalent in iOS 11 in order to trust a new computer, mitigating one of the potential attack vectors.”
This pen’s running out of ink
Meanwhile, another researcher told an RSAC audience that it’s time to kill the age-old security practice of “pen testing.” Short for penetration tests, these are done to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities.
In a conference session, Adrian Sanabria, director of research at Savage Security, said pen tests were effective in the ‘90s, when “everything that you could use to hack into an organization was pretty much going to be discovered in a pen test. The landscape is vastly different these days.”
Sanabria said that while pen tests are getting better, security professionals’ ability to turn the information they glean from them into creative solutions to security problems hasn’t kept pace. He said the tests are not making organizations safer because they focus on finding issues rather than fixing them.
Riffing on blockchain
Cryptography and cryptocurrency were the focus of a panel at RSA, with experts weighing in on when and where blockchain should be used.
Ron Rivest, an MIT professor, described voting as a bad fit for blockchain. “You want to make sure the voters have the ability to know their vote was recorded properly,” he said, and blockchain makes providing verification of that difficult. So, maybe scratch that as a solution to voter fraud issues that’ll enter the discussion leading up to the 2020 elections.
Adi Shamir, Borman professor of computer science at The Weizmann Institute in Israel, said that although the technology is overhyped, it could one day be used to guarantee the validity of digital signatures once quantum computing picks up. “In the future, one way to use blockchain to guarantee the security of digital signatures is to simply prove the signature was generated today before quantum computers were available,” he said.
Another security researcher, Paul Kocher, said though blockchain is an interesting tool, it’s not necessarily a business.
Striking a pose
Like other conferences, RSAC isn’t just a gathering of industry wonks throwing around acronyms. It’s a place where companies have some fun promoting their organizations. Two of the funnier company representatives roaming the trade show floor were a fox and a magician.
The magician, Federof, stood outside a booth offering a “security cloud [that] detects web and email-based threats as they emerge.” He represented a cloud company called Cyren that, he said, helps companies stay ahead of advanced cyberthreats.
Then, there was ZeroFOX, a PAN client whose rep wore a giant fox suit. The security firm’s fox strutted his stuff in Mashable and SecureWorld.