RSAC 2015: RSA Conference (Day 1)

Monday here at the show, as I've written before, is quiet. As far as RSAC is concerned, the only people here really are the vendors and their staff, a few press and analyst types, conference organizers, and the workers putting the expo hall together. I've always thought of this day as the calm before the storm.

RSAC isn't a hacker conference; it's a business conference. It's been around since 1991, and has grown quite a bit since then. Last year, nearly 30,000 people attended, along with more than 350 vendors.

Each year, RSAC has a conference theme (this year's theme is to challenge today's security thinking), but most of the talks and floor discussions center on events that happened over the previous twelve months.

2014 was a rocky year, with nearly a billion records compromised and dozens of security incidents that affected major corporations. 2014 also saw a number of new hacking techniques introduced.

WhiteHat Security compiled a massive list of techniques that were disclosed or discovered in 2014, and turned to a panel of experts and the security community in order to narrow that list down to ten items.

They've done the same thing every year for the last nine years, and it's a good reminder of the challenges that InfoSec faces on a daily basis.

It isn't surprising that Heartbleed, ShellShock, Poodle, Rosetta Flash, and Misfortune Cookie made the top five. Those bugs and the attacks that resulted from them generated plenty of headlines last year, and many of them are still topical today.

In a statement, Johnathan Kuskos, manager of WhiteHat's Threat Research Center said:

"Our number 1 and 2 spots differ from previous winners in the sense that they are extremely critical, arguably the 'worst of the worst' exploits that could ever occur, and they're terribly easy to exploit. Heartbleed is nigh untraceable, and Shellshock/Bashdoor is probably the easiest Remote Code Execution on a massive scale that's ever occurred as it required no authentication and can also affect most Internet of Things embedded devices."

Matt Johansen, the Threat Research Center's Sr. Manager, added:

"One of my favorites on the list which I'm glad made the cut to the Top 10 is Rosetta Flash. This tool, put out by Michele Spagnuolo, would create fake Adobe Flash (SWF) files which could force a website to perform arbitrary requests if uploaded under certain conditions. Many popular websites were vulnerable to this attack when it first came out and it certainly scrambled some people."

The Top 10 for 2014 is as follows:

On Friday, both Johansen and Kuskos will present a talk on the Top 10 list at 0900 in Moscone West Room 3022.

Rapid7 changes Metasploit licensing requirements:

On the topic of hacking techniques, Rapid7 has had to make some changes due to newly altered laws here in the U.S. As of yesterday (Sunday, April 19), anyone outside the U.S. and Canada wanting to use Metasploit Pro or Metasploit Community Edition will now be required to request a license and provide additional information "regarding themselves or their organization designation."

It's important to note that this change in no way impacts the Metasploit Framework; only the Community and Pro editions are affected. Moreover, existing users of the Pro and Community editions are exempt from the new licensing rules.

As to why these changes are occurring, the company said:

"Rapid7's Metasploit products use encryption and, like other products that use such technologies, are subject to US export requirements. In addition, Metasploit and other intrusion software products are encountering increasing US and international regulatory review and restrictions. In compliance with these regulations, we need to change the process by which free and trial versions of Metasploit Pro and Community editions are obtained."

Most everyone who applies for a license for a free Pro or Community edition will get their key, but the process will now take longer than it has in the past.

Stories by Steve Ragan