Monday here at the show, as I've written before, is quiet. As far as RSAC is concerned, the only people here really are the vendors and their staff, a few press and analyst types, conference organizers, and the workers putting the expo hall together. I've always thought of this day as the calm before the storm.
RSAC isn't a hacker conference; it's a business conference. It's been around since 1991, and has grown quite a bit since then. Last year, nearly 30,000 people attended, along with more than 350 vendors.
Each year, RSAC has a conference theme (this year's theme is to challenge today's security thinking), but most of the talks and floor discussions center on events that happened over the previous twelve months.
2014 was a rocky year, with nearly a billion records compromised and dozens of security incidents that affected major corporations. 2014 also saw a number of new hacking techniques introduced.
WhiteHat Security compiled a massive list of techniques that were disclosed / discovered in 2014, and turned to a panel of experts and the security community in order to narrow that list down to ten items.
They've done the same thing every year for the last nine years, and it's a good reminder of the challenges that InfoSec faces on a daily basis.
It isn't surprising that Heartbleed, ShellShock, Poodle, Rosetta Flash, and Misfortune Cookie made the top five. Those bugs and the attacks that resulted from them generated plenty of headlines last year, and many of them are still topical today.
In a statement, Johnathan Kuskos, manager of WhiteHat's Threat Research Center, said:
“Our number 1 and 2 spots differ from previous winners in the sense that they are extremely critical, arguably the 'worst of the worst' exploits that could ever occur, and they're terribly easy to exploit. Heartbleed is nigh untraceable, and Shellshock/Bashdoor is probably the easiest Remote Code Execution on a massive scale that’s ever occurred as it required no authentication and can also affect most Internet of Things embedded devices.”
Matt Johansen, the Threat Research Center's Sr. Manager, added:
"One of my favorites on the list which I'm glad made the cut to the Top 10 is Rosetta Flash. This tool, put out by Michele Spagnuolo, would create fake Adobe Flash (SWF) files which could force a website to perform arbitrary requests if uploaded under certain conditions. Many popular websites were vulnerable to this attack when it first came out and it certainly scrambled some people."
The Top 10 for 2014 is as follows:
- Rosetta Flash
- Residential Gateway (Misfortune Cookie)
- Hacking PayPal Accounts with 1 Click
- Google Two-Factor Authentication Bypass
- Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
- Facebook hosted DDOS with notes app
- Covert Timing Channels based on HTTP Cache Headers
On Friday, both Johansen and Kuskos will present a talk on the Top 10 list at 0900 in Moscone West Room 3022.
Rapid7 changes Metasploit licensing requirements:
On the topic of hacking techniques, Rapid7 has had to make some changes due to newly altered laws here in the U.S. As of yesterday (Sunday, April 19), anyone outside of the U.S. and Canada wanting to use Metasploit Pro or Metasploit Community Edition will now be required to request a license and provide additional information "regarding themselves or their organization designation."
It’s important to note that this change in no way impacts the Metasploit Framework; only the Community and Pro editions are affected. Moreover, existing users of the Pro and Community editions are exempt from the new licensing rules.
As to why these changes are occurring, the company said:
“Rapid7’s Metasploit products use encryption and, like other products that use such technologies, are subject to US export requirements. In addition, Metasploit and other intrusion software products are encountering increasing US and international regulatory review and restrictions. In compliance with these regulations, we need to change the process by which free and trial versions of Metasploit Pro and Community editions are obtained.”
Most everyone who applies for a license for a free Pro or Community edition will still get their key, but the process will now take longer than it has in the past.