By Dan Fost
Chronicle Staff Writer
February 5, 2007
As computers become more ubiquitous, so do the threats posed to computer
But as the pernicious nature of the threats grows, so does the industry
that has arisen to combat them.
That industry will gather this week at Moscone Center in San Francisco
for the RSA Conference, a chance to hear what the latest threats are --
and to see the latest tools to fight them.
What started 15 years ago as a gathering of 50 cryptographers at the
Sofitel hotel in Redwood City has emerged into a major convention, with
more than 15,000 people expected and 340 companies taking booths in the
While cryptographers still occupy center stage -- including two from the
team that discovered the RSA algorithm that led to the conference's name
years ago -- they share it with such luminaries as Microsoft Corp.
co-founder Bill Gates, Oracle Corp. CEO Larry Ellison and former U.S.
Secretary of State Colin Powell.
Without the tools displayed at RSA, all of online commerce, and much of
the behind-the-scenes work of banking, would be at risk of malicious
"Hackers have a new motivation. They are financially motivated," said
Rowan Trollope, vice president of consumer products at Symantec Corp. of
Cupertino, one of the leading consumer security software companies,
along with McAfee Inc. of Santa Clara and Microsoft.
"They are professional software developers backed by organized crime.
When you have that kind of operation, they are motivated to find
vulnerabilities. These are not college kids with time on their hands.
These are paid professionals."
That's because more money is now changing hands via computers. "It's
like Willie Sutton, who said he robbed banks because that's where the
money is," said Phil Dunkelberger, president and CEO of PGP Corp. of
Palo Alto, an encryption and data security company. "More and more
criminals are coming online because that's where the money is. Phishing
scams are a lot more sophisticated."
Industry experts have identified several problems and trends that will
be hot topics at the conference:
-- Rising complacency. "We have a crisis going on, but it's a silent
crisis," said Trollope at Symantec. "Over the last couple of years,
we've seen a decline in the number of visible worms and viruses that
splash across the headlines of CNN. But the hackers didn't go away, they
shifted their attention to a different approach. ... User attention on
the need for security has waned. If you don't hear about these things
every day, you think, maybe I don't need to get antivirus software or
enforce my network code to secure my PC."
-- New Internet environment. More computing lives in what techies call
"the cloud." Think of an e-mail account through Google, Yahoo or Hotmail
that resides on a Web site somewhere, not on a desktop computer. Or
software that's delivered "on-demand," or as a service, over the
Internet. The convenience of such services has a major trade-off -- it
could expose data to risk.
"Can you imagine if someone broke into your Web mail account?" asked
Marc Gaffan, director of marketing for the consumer solutions group of
RSA, the company that owns the conference. "They'd to some extent be
able to recreate my identity."
On the other hand, Gaffan is not willing to trade the convenience for
the risk, and he rationalizes, "Those companies likely have better
security than my laptop."
-- Proliferation of mobile devices. With many more laptops, cell phones,
game machines and handheld devices connecting to the Internet, each
holding troves of personal information and subject to loss or theft, the
potential holes have multiplied exponentially.
Ordinarily you would protect data by setting up firewalls in the network
that protects your PC. That becomes a problem, though, when you are
dealing with mobile devices.
"The industry has been trying to harden the perimeter with wireless
networks, but with smart phones, you really don't have a perimeter any
more," said Dunkelberger at PGP. "We say you have to defend the data --
encrypt the data, secure the data, make sure all business records are
not exposed to criminals."
-- New types of threats that need new types of responses. It used to be
that once a vulnerability was found in a software program, it would be a
race over weeks to see if it could be plugged before a hacker broke
through. But now the industry is seeing "zero hour" attacks, which
exploit vulnerabilities almost immediately after they're discovered and
well before the holes can be plugged.
Also worrisome, according to Trollope at Symantec, are "bespoke" threats
that target small, specific groups of people. To counter these threats,
the industry is adopting what it calls a "heuristics" approach that
Trollope said can "find threats without having seen them. A scoring
algorithm will tell us if a program is good or bad even if we haven't
seen it before."
-- Challenge of passwords. As so many Web sites require passwords, it
becomes impossible to remember them all. So people make their passwords
all the same, or they write them in a file or on a post-it note on their
computer -- none of which are secure. Sites are now coming up with new
ways to tell if a person is who they say they are, and the solution
sometimes requires unique passwords for each situation.
The challenge for the industry, Gaffan said, is to strike a balance
between security and usability. "The key thing is to keep the user
experience simple and easy most of the time," he said.
-- Microsoft's role. As always, the software giant stands astride the
industry. With its Vista operating system at long last on sale,
Microsoft is touting how much more secure computing can be. The company
is also getting into turf dominated by Symantec and McAfee.
-- Needs of the 'physical security' industry. The physical security
industry -- described as "guards, guns, gates, surveillance, locks,
doors and access control systems" by Steve Hunt, founder of 4A
International, a Chicago research firm for that industry -- is a
$120-billion-a-year business that Hunt says "needs to embrace computers,
software and networking in smarter and better ways.
"It's a very primitive and old-fashioned traditional industry," Hunt
said. As companies discover technology, they will want to add things
like digital video recorders to their lobbies, making them networked,
secure and accessible from remote locations. That will add up to big
bucks for tech companies.
-- Compliance. Congress, the states and other countries have passed laws
requiring companies to be much more careful when handling sensitive
data, and companies are looking to software to help manage compliance
with the morass of new rules.
Companies will need to know, "What are the standards that all these
things are setting?" said Sandra Toms LaPedis, area vice president and
general manager of RSA Conferences. "Where are the things that if I'm
compliant in France I might not be in the U.S., or vice versa?"
-- Authentication. How do you know someone is who they claim to be?
Banks have required ATM cards for years, which LaPedis said is something
physical that also requires some knowledge -- a password.
Similar systems are in the works for computers. "It could be your
thumbprint, an iris scan or any variation off of that," she said.
In spite of all the threats, risks, challenges and bad guys out there,
the industry manages to retain a classic optimism that it is solving
problems and making life better.
RSA, which always has a historical and often unusual theme, is
celebrating this year the Renaissance, specifically 15th century
Renaissance man Leon Battista Alberti, whom RSA's Web site calls "the
father of Western cryptology."
"We are living through a renaissance," LaPedis said. "It's that spirit
of innovation that we are truly celebrating."

RSA Conference highlights
When: Monday through Friday
Where: Moscone Center in San Francisco
Who: 15,000 people and 340 companies from the computer security industry
Key speeches: Microsoft co-founder Bill Gates, 8 a.m. Tuesday; Oracle
CEO Larry Ellison, 2:45 p.m. Wednesday; former U.S. Secretary of State
Colin Powell, 1:50 p.m. Friday.