Security Week 10: RSA Conference and Cybersecurity Awareness

The latest RSA Conference, RSA Conference 2020, was held in San Francisco last week, an event in which there is slightly more business than technology. The business side of the industry is no less important than the technical one, although the interaction between the two is marked by a certain antagonism: business development managers say beautiful words, and techies get bored. Speaking of words: this is how the main topic of the RSA Conference, the thread running through each year's event, evolved over the past five years. In 2016, the main topic was IoT security, in 2017 artificial intelligence, in 2018 the lack of silver bullets and simple solutions in cyber defense, in 2019 the problem of reputation.

In 2020, the president of RSA raised the topic of the divide between techies and businessmen, unexpectedly turning the grand opening into a discussion of a real problem, albeit in general terms: "Our affairs will be judged by the story that is told about them. And we want this to be a story about successful resistance to cyber threats, not a technical story about cyber ping-pong." That is: the IT security community is closed, it is incomprehensible to an outsider, and we need to change this. Share not only problems but also successful solutions: "Reformat the culture from an elitist one to an open one."


Beautiful words, but whether to expect openness from techies is a big question. It is not about the nature of specific people, but about the features of the job, which require maximum concentration on small details, that very ping-pong. To broadcast victories in IT security, you must be able to explain them in words the public understands, or at least formulate what counts as a victory. This does not always work out, and for many industry participants this task is far from a priority. Who gives the culture its new format is also a good question: most often this is done by the same non-technical management, of which Rohit Ghai is a representative. So when he demands changes from the rostrum of the RSA Conference, is the demand addressed to himself? It is an honorable task. Making cybersecurity clearer, or more precisely, helping a realistic perception of this area of knowledge, is necessary. Otherwise we get the situations we have often observed recently: cyber attacks and cyber defense discussed on a political plane in complete isolation from the real state of affairs.

We will briefly go over the interesting talks at the RSA Conference 2020. Cryptographer Bruce Schneier continued the topic of openness, but from a different angle: he suggests bringing a "hacker culture" (in this case, the ability to solve problems by non-standard methods) outside of IT, for example into lawmaking or tax policy. Otherwise, vulnerabilities in software are successfully found and closed, while loopholes in the tax code remain there for years.


Researcher Patrick Wardle talked about cases of malware being reverse engineered by cybercriminals themselves. Studying cyber attacks on Apple computers, he found examples where attackers take malicious code distributed by someone else and adapt it to their own needs. Checkmarx representatives reported (news, research) on vulnerabilities in a smart robot vacuum cleaner. The vacuum cleaner is equipped with a video camera, so a successful compromise allows an attacker not only to observe the device's owners but also to change the observation point if necessary. Another IoT study focuses on vulnerabilities in a baby monitor.

ESET found the Kr00k vulnerability (news, information on the company's website) in Wi-Fi modules, which allows part of the traffic transmitted between devices to be decrypted. The affected modules, produced by Broadcom and Cypress, are used both in mobile phones and laptops and in routers. Finally, the cryptographers' panel (a relic of the old days when the RSA Conference was a niche gathering of encryption experts) once again went over blockchain. Cryptographers dislike the cryptocurrency industry for appropriating the prefix "crypto", but in this case the question was the use of blockchain for elections. MIT's Ronald Rivest presented the results of an analysis of the possibilities, the conclusion of which is that paper ballots are more reliable. Even with blockchain, it is difficult to create a software system for registering votes that could be trusted.

What else happened:


A critical zero-day vulnerability in Zyxel NAS devices and firewalls. The exploit was discovered on open sale on the black market. The bug allows arbitrary code execution on a device that by definition should be accessible from the network, giving full control over it. A patch has been released for a large number of Zyxel devices, but not for all of them: some vulnerable NAS models are no longer supported.

ThreatFabric has discovered a new version of the Cerberus Android Trojan, which is able to extract two-factor authentication codes from the Google Authenticator application.

An error in the integration of PayPal wallets with the Google Pay payment service allowed, for a short time, funds to be stolen without the owner's knowledge. There are no details, but supposedly the attackers found a way to extract the data of the virtual payment cards that are created when the service is linked to Google Pay.

A German researcher revealed a "malicious" iOS application that constantly monitors the clipboard, which is available to all programs on the phone. The researcher's logic: if a credit card number is copied to the clipboard, an attacker can steal it. Apple's reaction: yes, but it's a clipboard. It should be available to all applications, otherwise it makes no sense.
