A View From the #RSAC SOC – Part 2

In today’s world, cameras are just about everywhere – in stores, on the streets, inside of cars, and many other locations.   Now, imagine you are a bank employee and your bank had no cameras – would you feel secure?   Probably not.   The reality is that many organizations have no “security cameras” on their networks to adequately lookout for the bad guys.   At RSA Conference, we’ve had “cameras” on the public Wi-Fi for almost a week.

Leveraging RSA NetWitness®, we are able to quickly collect and analyze all packet data as it flows through the public Wi-Fi out to the Internet.   The purpose of this exercise is not to eavesdrop, but rather to point out insecurities we’ve found – even at the nation’s largest security conference. Managed by the RSA SOC team, we’ve been able to identify numerous security issues throughout the week.

With the week nearing an end what have we learned thus far? Our findings include items both amusing and serious.   One of the first issues were passwords sent in the clear. Some of them were ridiculously simple (such as “Password”), while others were extremely complex (upper case, lower case, symbols, etc.).   Regardless of password complexity, if it is in clear text, your data is easily compromised.

Emails are prolific, as you can imagine. Roughly 30 percent of the emails we observed during conference is unencrypted. In many cases, the mobile devices with email applications are simply not secure and send emails and attachments unencrypted.   In one case, we found an email that contained very sensitive travel information for a VIP attending the conference.   We were able to track down the sender, alert them, and help this user fix their email client configuration.

RSAC_SOC_blog3_fig1

 

Figure 1 Unencrypted sensitive email

The RSA SOC team also observed a machine on the network beaconing to an IP address in Shanghai, China, every sixty seconds. This traffic occurred over port 80, however, it was not HTTP traffic, but rather some kind of software. The IP address also had no domain name associated with it. From a network perspective, this behavior is consistent with undetected malware on a machine.

RSAC_SOC_blog3_fig2

 

Figure 2 Computer beaconing to Shanghai, China

Corporate laptops are leaking information as well.   Systems observed on the network have legitimately installed software trying to reach back to their internal servers, even though they are not on their internal corporate network.   Items identified include the corporation name, internal corporate IP addresses, along with the software application names (such as anti-virus). A motivated attacker could leverage this data to attack.

Finally, on a less serious note, love is in the air at RSA Conference. Users appear to be browsing profiles on dating sites, sending their significant others valentine emails, and yes – browsing adult websites.   Have fun, but stay safe, and secure your network traffic and applications!

Leave a Reply

Your email address will not be published. Required fields are marked *

No Comments