RSA, aside from being the security arm of data and storage specialist EMC, has been hosting an annual security conference in the US for years which routinely attracts the best and brightest from the IT and security worlds including Bill Gates and Al Gore. Competing with the likes of Infosec in the UK, the European version of the event doesn't attract quite the same level of speakers as its US sibling but can still boast luminaries such as BT security iconoclast Bruce Schneier and last year's guest speaker, former fraudster-turned-security expert Frank Abagnale.
The organisers of the RSA Conference like to have a theme to pull all the disparate elements of the show together. Last year, the show was themed around the achievements of UK computing pioneer and codebreaker Alan Turing. This year's show continued the cryptographic theme but from the more esoteric perspective of novelist Edgar Allan Poe.
While Poe's The Gold Bug famously includes a cypher-based search for treasure, his tale of The Black Cat probably has more in common with the themes explored at this year's show. In the story, a man murders his wife while in the throes of trying to kill the family cat. The cat's plaintive meowing eventually gives away both crimes and Poe uses the story to illustrate the idea of the unintended consequences that wait in store for even the most effective strategist.
Jumping from the 19th century to the present-day zeitgeist of social networking, the show included a warning about the consequences of interactive web sites for corporate security. While some CIOs might look to block access to Facebook through fears of lost productivity, the real concern should be the exposure of so-called ‘gateway data’, Herbert ‘Hugh’ Thompson, chief security strategist for People Security and professor in the Computer Science department at Columbia University in New York, told RSA delegates. Thompson defines gateway data as innocuous information that, when disclosed, can be used to access secure systems. "You might never have heard of the term ‘gateway data’ before, but that's because I totally made it up," he said. "Basically it's data that seems harmless but when used properly can facilitate access to highly sensitive information."
An example of this is the biographical information used with most password reset schemes. Asking people for the name of a pet or their mother's maiden name made sense before social networks, but now the clues needed to crack these questions are often readily available via Facebook or other social networking sites.
"How many people know this kind of information about people today or can find it out? It's pretty easy," said Thompson. "Even if your data hygiene is good, you might be collaterally exposed by someone else you know revealing the information through a social networking site."
To illustrate that his ideas are more than theory, Thompson recalled an experiment in which he hacked into the email accounts of some complicit acquaintances using details gleaned from social networking sites and old CVs. US vice-presidential hopeful Sarah Palin had her Yahoo email account hacked in September 2008 using exactly these kinds of techniques, according to Thompson.
Another form of gateway data which highlights the unintended consequences theme is "collective intelligence gateway data", which according to Thompson is data that can be picked from a variety of sources and combined to reveal sensitive information. "What happens if I see that five executives of a company all have 10 new recommendations on LinkedIn?" he asked. "It probably tells you they are looking for a job and probably says something about the stability of that company or that it might be about to be acquired."
A slow burner
The security issues thrown up by social networking were also highlighted by another keynote speaker, chief executive of RSA Security, Art Coviello. He likened the recent increase in interactive web sites and a simultaneous rise in pervasive mobile computing to the urban myth about the ease of boiling a frog alive as long as you turn the heat up slowly from cold.
"Not unlike the frog, we have been sitting in the pot while degrees of openness and information growth have combined with evolving threats to stoke the fires and raise the temperature to uncomfortable levels," said Coviello. But while he observed that there could be 15 billion devices communicating over the internet by 2015, the RSA boss said it was hopeless for CIOs and chief security officers to simply ban devices such as the iPhone from businesses: the future of security, he said, lay in adapting security strategies to include new threats.
Continuing the theme, the conference heard from Philip Reitinger, deputy under-secretary of the Homeland Security Department's National Protection and Programs Directorate (NPPD) - one of the key players in information security in the US government. One unintended consequence of the escalating IT security threats facing Reitinger and other parts of the US government is the need to embrace the tactics of the enemy. This means hiring individuals with hacking experience, although Reitinger was keen to point out that everyone employed by Homeland Security has to pass security screening checks. "We have to know that they are going to have the people's interest at heart. That said, the good guys need to be able to put on their black-hat perspective," he said.
In a round-table event with reporters, Reitinger denied accusations of hypocrisy for embracing hacking while also prosecuting hackers, such as in the ongoing case of British NASA hacker Gary McKinnon. "You need to be able, in software development, to do things like threat monitoring so you can figure out, ‘How would I exploit this kind of system?’ You need to understand where the weaknesses are to do a good job of securing the system. Is there a tension there? Absolutely, but it is a line that we try to walk in the right way," he said.
Baring his soul
While some might view his actions as intentionally fraudulent, closing speaker Nick Leeson made it clear he believes his story is definitely one of an unintended consequence which ran into the millions.
The rogue trader, whose actions brought down Barings Bank in 1995, has now turned his hand to consulting. Against the recent backdrop of institutionalised fraud at some financial institutions, his actions now seem less those of a rogue and more like the product of a failed system. "When an incident like that happens, it is convenient for a bank to have a scapegoat as it detracts from where the real problems are, which is that regulations are not good enough," he said.
Leeson claims the collapse was a side-effect of his attempts to dig himself out of a series of risky trades which management encouraged. Leeson's activity accumulated losses of £827m, which turned out to be three times the cash reserves of Barings.