It was a great week leading the RSA Conference Security Operations Center (SOC) Team consisting of RSA systems engineers, RSA Incident Response analysts and our partners at Cisco AMP Threat Grid.
The Security Operations Center previously monitored the Black Hat conference network, but this was a first-time exhibit at RSA Conference. The team signed onto the project not knowing what would be found or the impact we might have. We viewed the RSA Conference network as a nearly 180 degree difference from previous Black Hat conferences. The Black Hat network is a predominantly "bad" network, where it is much more difficult to separate the "good bad" used in Black Hat training courses from the "bad bad" of someone testing the techniques they just learned in class at the expense of attendees. We approached RSA Conference as an educational opportunity, speaking to more than 700 attendees about what we saw on the Moscone wireless network.
As security practitioners, we should be leading by example. Unfortunately, we saw a little too much. As mentioned in prior blog posts, thirty percent of all email traffic was unencrypted. One could say that the Valentine's Day emails were enlightening, but it was much more than that. It was not really about the emails sent at the conference, but rather that the credentials used were also in clear text. This means that anyone capturing this traffic, at any location, would be able to log in to that account and view all emails, steal your identity or lock you out. What was also interesting about this traffic were the passwords themselves. Clearly some users were indifferent, using variants of "password", but others used complex passwords. In other words, for a moment, they thought about security. Whether passwords are weak or strong, if the traffic is not secure the data contained therein is also not secure.
The RSA SOC team did uncover some rather sensitive information and, in working with the conference teams, reached out and corrected the situation onsite. I would encourage everyone to check the settings on their devices, and even check with the administrator of their back-end mail systems, to ensure that the correct configurations and protocols are being used.
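The kind of check a SOC would run to find the exposure described above, as an added example that is not the RSA team's own tooling: it scans reconstructed mail-client commands for logins sent without TLS (POP3 USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN). The record format and the session fragments are constructed for this example; findings report the account so the owner can be notified, and never the password.

```python
import base64
import re

# Constructed sample records ("src -> dst:port | client command"); these are
# invented session fragments, not traffic captured on the conference network.
SAMPLE_LINES = [
    "10.0.0.5 -> 203.0.113.10:110 | USER alice@example.com",
    "10.0.0.5 -> 203.0.113.10:110 | PASS hunter2",
    '10.0.0.7 -> 203.0.113.20:143 | a1 LOGIN bob@example.com "s3cr3t!"',
    "10.0.0.9 -> 203.0.113.30:587 | EHLO laptop",
    "10.0.0.9 -> 203.0.113.30:587 | AUTH PLAIN AGNhcm9sAHBhc3N3b3Jk",
    "10.0.0.11 -> 203.0.113.40:25 | MAIL FROM:<dave@example.com>",
]
RECORD = re.compile(r"^(\S+) -> (\S+):(\d+) \| (.*)$")
PROTOCOL_BY_PORT = {110: "POP3", 143: "IMAP", 25: "SMTP", 587: "SMTP"}


def _auth_plain_user(blob: str) -> str:
    """Decode a SASL PLAIN blob (authzid\\0authcid\\0password); return only the identity."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except ValueError:
        return "<undecodable>"
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "<unknown>"


def find_cleartext_auth(lines: list) -> list:
    """Flag mail logins that crossed the wire readable, i.e. never inside TLS.
    Weak and strong passwords are exposed alike; the secret itself is not kept."""
    pending_user: dict = {}  # POP3 sends USER and PASS as separate commands
    findings: list = []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue
        src, dst, port, cmd = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        proto = PROTOCOL_BY_PORT.get(port, f"tcp/{port}")
        words = cmd.split()
        verb = words[0].upper() if words else ""
        account = None
        if proto == "POP3" and verb == "USER" and len(words) > 1:
            pending_user[(src, dst)] = words[1]
        elif proto == "POP3" and verb == "PASS":
            account = pending_user.pop((src, dst), "<unknown>")
        elif proto == "IMAP" and len(words) >= 3 and words[1].upper() == "LOGIN":
            account = words[2]
        elif proto == "SMTP" and verb == "AUTH" and len(words) >= 3 and words[1].upper() == "PLAIN":
            account = _auth_plain_user(words[2])
        if account is not None:
            findings.append({"src": src, "dst": dst, "protocol": proto, "account": account})
    return findings
```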
Data leakage from attendees' devices was also prevalent. Whether through insecure versions of SNMP, start-up scripts pointing to various applications on a private network, or rogue applications phoning home, information about the device and private networks was seen in the clear.
Another educational item for attendees revolves around smart devices and the applications we all love to install. For the most part, authentication to these devices was secure, meaning we were not seeing usernames and passwords, but the application data after authentication was readily available. Many people were checking their home web cams and there were quite a few people "swiping right", and these images and cam feeds were readily on display.
Bad Stuff? We did encounter "the bad" on the network and spent considerable time investigating these items. Traffic to C2 domains, LoJack installations, ransomware and lengthy URL connections were all investigated, but as one may expect at a security conference most were determined to be vendors performing demos from the expo floor.
Running a SOC at RSAC was a great opportunity to educate conference attendees about their privacy and devices, and to start thinking differently about the exposure their devices have on a public Wi-Fi network. A few attendees were found to have been "hacked" by a rogue access point, illustrating the importance of ensuring you are connecting to the right network. Anyone can trick users into connecting to a rogue access point only to have their traffic intercepted in a man-in-the-middle attack.
Being an advanced SOC team, we are hyper-aware of the data sensitivity we monitored during the week. To maintain user privacy we did not retain any data analyzed. All hard drives were destroyed onsite and are forever gone. Check out the destruction video!
Thanks to a great team for putting in a lot of hours and showing the powerful capabilities of RSA NetWitness® Platform and Cisco AMP Threat Grid.