April 28, 2023
RSAC Week In Review, Github, Google vs CyptBot
In this Episode:
RSAC, a day after
?? Mark Miller, San Francisco, CA ↗
Chris Hughes – RSAC Week In Review
?? Chris Hughes, Virginia Beach, Virginia ↗
Trac Bannon – RSAC Week In Review
?? Tracy (Trac) Bannon, San Francisco , California ↗
https://www.rsaconference.com/usa
Enable GitHub Private Vulnerability Reporting at Scale
?? Edwin Kwan, Sydney, Australia ↗
GitHub now allows enabling private vulnerability reporting at scale
Google Takes Down CryptBot
?? Katy Craig, San Diego, California ↗
This Day in Tech History
?? Marcel Brown, St. Louis, Missouri ↗
http://thisdayintechhistory.com/04/28
http://thisdayintechhistory.com/04/29
Episode Transcription:
[00:00:00] Pokie Huang:
Hey, it’s 5:05 on Friday, April 28th, 2023. From The Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Katy Craig in San Diego, California, Marcel Brown in St. Louis, Missouri. We’ll begin today’s episode with a couple of RSAC review segments from Trac Bannon, Chris Hughes and Mark Miller. Let’s get to it.
[00:00:37] Mark Miller:
This is Mark Miller calling in from Oakland, California the day after the conclusion of the RSA 2023 conference.
For those who didn’t attend RSAC this year, it appears that the conference is back in full swing. Estimates of attendance range from 30,000 to 40,000 people. With the cost of some hotel rooms topping out at $1,200 a night, it wouldn’t be a stretch to say the attendance numbers are not an exaggeration. Your social feed has probably been filled up all week with updates from the conference sessions. But I want to take a look at the value of the conference from a different angle that of the hallway track.
The most value I get from conferences like this is the face-to-face interaction with people I normally exchange messages with online. Being able to sit down for a few minutes with Sounil Yu, Shannon Leitz, and dozens of other people throughout the week, serves a twofold purpose.
First, just basic catch up in conversations. It’s nice to be able to spend some time over a cup of tea and talk things over things, that normally wouldn’t come across. In short text message bursts. They turn into full conversations about what people are really working on, hear the passion in their voice to gauge the true interest in their project and to get to know them a little bit better personally.
The second, and probably the most long-term effect of the hallway track is being introduced to new people. I’m a community builder. That’s what I do. That’s what companies pay me to do. The ability to be introduced to new people through people I trust gives credibility to the new person and to bring them into my circle of contacts.
When I attend conferences, that’s where I get the most value. My work in community allows me to take those new people and introduce them to my circle, give them speaking slots, and even offer them a chance to participate in the community through 5:05.
Speaking of which, thank you to all the 5:05 contributors who attended the conference this week. We had never met in person as a group. ,This is our hundred and 130th episode, so it’s about time we got together. I hope that helps you consider how to participate in large conferences beyond the typical keynotes and sessions.
The value for me is the hallway track, and I hope to see you in the hallway at our next event.
[00:03:17] Chris Hughes:
Chris Hughes here from Virginia Beach, Virginia. Wanted to drop an update as it were related to RSA Conference 2023. As I came back from the conference, I focused on some of the key themes and takeaways and items I saw emphasized among the vendors there.
Top of the list was easily AI enabled defense.
We’ve all seen headlines about the concerns around artificial intelligence and how it can be used by malicious actors, do a lot of nefarious activities. That said, as I walked the RSA conference floor, I saw many companies emphasizing AI in their products… everything from helping with vulnerability prioritization, to helping write more secure code, identify vulnerabilities in your environments. And then even the chief security officer of RSA himself took the stage and he was accompanied by an AI avatar. He went on to talk about the implications of AI on technology, cybersecurity, and society. And the AI avatar even stated that there’s zero chance of zero trust without the use of AI.
Another theme I saw was identity centric security. You know, we’ve all seen the push from the industry now to move towards zero trust, with identity now being a core focus… we’re now moving to an identity centric security model. And this was very evident as I walked the floor and saw the vendors emphasizing managing identities in complex, multi-cloud and hybrid cloud environments.
This included things like phishing resistant multifactor authentication, dynamic lease permissive access control in context of where automation to facilitate access and distributed remote workforces, for example.
Last up, another theme I saw a lot of was managing our complex modern attack surface or even attack surface reduction or exposure reduction, as I heard it called from many organizations.
This touch on everything from software supply chain attacks, third party risk management and API security. These themes were evident as I walked across the floor and saw a lot of the vendors focusing on helping organizations reduce their attack surface in their complex, modern environment.
And one negative takeaway, I guess fundamental to the way, RSA operates basically, is that, we all know that the average organization is using dozens of security tools in their program and in their portfolio. This can cause a lot of cognitive overload for security practitioners, lead to even more risk as we have tools that are not fully implemented, configured, and providing return on investment or driving down risk to the organization.
So walking the vendor floor, I saw that there was a proliferation of tools, and it can be very difficult for someone walking to floor to understand where each of these vendors fit into their portfolio and tooling… how can they rationalize existing tools to make place for new ones and so on.
That said, I thought overall was a really great event to see where the industry is headed, what the common themes are, and to bring together a community of practitioners to share insights and wisdom from their respective environments and organizations. Stay resilient out there.
[00:05:52] Tracy Bannon:
Hey everybody. This is Trac Bannon calling in from San Francisco Airport after a week at the RSA Conference.
There were more speaker tracks than prior years with tremendous focus on threat detection and predictive threat analysis. The buzz on the floor was less about technology and more about rekindling relationships after a strangely long pandemic season.
As someone who focuses and thrives on building and growing communities, it was fantastic to connect with so many other fellow 5:05 journalists, as well as other experts in security and DevSecOps.
From a technology perspective, the majority of the solutions and offerings were still focused at operations and detection once software or solutions were deployed. Much less AI than expected, though. However, this is good because we’re still in the embryonic phase, especially with the use of generative ai.
Passwordless, or password free is a buzzword that stands for simplifying MFA so that the end user is not as involved and less likely to succumb to man in the middle or other hijacking temps. At the end of the day though, your geolocation and credentials are still being passed back and forth.
On a personal note, I was surprised to see that the password vault vendors standing proudly with their heads held high even LastPass.
As we design and architect for the future, we’ll be using highly decoupled and distributed patterns, and there’s an importance of APIs that cannot be under spoken. This year, both speakers and vendors presented a good focus on APIs and protections for endpoints. That is a must for all enterprises.
I was very excited by some of the movement with SBOM and open source. There’s a new open source project called, TACOS, being spearheaded by a small company named Tide Lift, which is something we should be leaning in on and watching In the months to come. It addresses attestations.
I’ve been involved with distributed data solutions for some time, and one of the challenges has always been identifying and understanding the data ecosystem. There were multiple products and methodologies at RSA this year to discover data, classify it, and categorize it within the broader data ecosystem, as well as being able to secure it without centralizing it into a data swamp.
Many of us believe the need to shift security left and be secured by design. There were only two voices really being heard in this area. CISA and the Software Engineering Institute at Carnegie Mellon. Miter’s attack framework and other products created on behalf of the public good permeated the entire conference.
It’s funny that this is a security conference and that we should be thinking about DevSecOps, although we almost never heard it on the floor, with the exception of a special pre-conference day hosted by TechStrong called DevSecOps Connect. John Willis, Shannon Letz, Carolyn Wong, Chris Hughes, Katy Craig, DJ Schleen. Kadi Grigg, myself and other experts from the DevOps community were there. A special shout out to Alan Shimmel and Mark Miller for helping us to shift security left.
RSA is still the preeminent security conference globally. Very much worth the time for travel and the expense to be able to network, exchange ideas, and learn. I promise that if you attend, it will leave you with many things to noodle on.
[00:09:22] Edwin Kwan:
This is Edwin Kwan from Sydney, Australia.
GitHub recently announced that private vulnerability reporting is now generally available for enabling at scale. This functionality provides a way for security researchers to privately disclose security issues to the project’s maintainers without the risk of accidentally leaking vulnerability details.
This feature was first introduced in November, 2022, but can only be activated one repository at a time. It is recommended that owners of public repositories on GitHub should enable the private vulnerability reporting functionality, as this ensures that they provide a private method for security researchers to reach out to them.
[00:10:25] Katy Craig:
Tech giants like Google are making strides in the fight against cyber crime. In a recent development, Google obtained a court order that allows it to disrupt the operations of CryptBot malware, which has plagued over 670,000 computers worldwide in the past year.
This is Katy Craig in San Diego, California.
CryptBot is a sophisticated malware that has been stealing sensitive information from victims such as browser and social media credentials, browser history, credit cards, cookies, and more. The stolen data is then sold to threat actors for use in data breach campaigns impacting the security and privacy of countless individuals.
CryptBot has been around since 2019 with a global criminal enterprise supporting its distribution. Typically, it spreads through fake cracked software, including modified versions of popular software packages like Google Earth Pro or Google Chrome. This is where Google’s legal strategy came into play, targeting the distribution channels through computer fraud and abuse and trademark infringement complaints.
Now with this court order in hand, Google is in a position to disrupt Crip Bots operations, taking down its infrastructure, making it increasingly difficult for the malware to reach new victims and continue its data stealing activities. This is a significant victory for both cybersecurity and the users who rely on Google Services.
This is Katy Craig. Stay safe out there.
[00:12:18] Marcel Brown:
This is Marcel Brown, the most trusted name in technology, serving you up some technology history for April 28th and April 29th.
April 28th, 2003. Apple computer launches the iTunes music store. The store sells music for 99 cents a song for use with the Apple iPod and iTunes software. It is not the first service to sell digital music, but it will become the first to gain widespread popularity.
The service will be an instant success selling over 1 million songs in its first week and going on to change the music industry forever. The iTunes music store quickly became the number one music retailer in the United States, surpassing Walmart in 2008.
April 29th, 2004. The Sasser worm is released into the wild infecting over 1 million Windows, XP and Windows 2000 computers worldwide. Although the worm did not have an intentionally destructive payload, it caused many computers to slow down or crash and reboot repeatedly, along with clogging up network traffic.
Among the effects of the worm, the British Coast Guard had to resort to paper maps for the day. A French news agency lost satellite communication for hours,
delta Airlines had to delay or cancel many flights, and the University of Missouri had to disconnect its network from the internet.
Looks like 1 million PC users stepped into a big pile of sassy.
Ironically, it has been speculated that the author of Sasser, a German computer science student, Sven Jaschan, reverse engineered Microsoft’s patch for the LSAS vulnerability that was released earlier in the month in order to create the worm knowing that most computers would not have been patched and that it would spread quickly. He released the worm on this day, his 18th birthday.
Luckily for him, the German government determined that he had actually written the virus while he was 17. So while he was found guilty of computer sabotage, he was tried as a minor and given a 21 month suspended sentence. He now works as a security expert and consultant.
Now that’s sassy.
That’s been your technology history for today. For more, tune in next week and visit my website ThisDayInTechHistory.com.
[00:14:44] Pokie Huang:
That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.
5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there.
Thank you to Mark Miller, Chris Hughes, Trac Bennon, Edwin Kwan, Katy Craig and Marcel Brown for today’s contributions. The Executive Producer is Mark Miller. The editor and the sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you next Monday… at 5:05.