You wouldn’t expect the organisers of a seminar on nuclear physics to hand out conference badges that were contaminated with dangerous levels of radioactivity.
You wouldn’t expect to attend a workplace health and safety training course in a conference centre where the fire exits had been padlocked shut.
But cybersecurity conferences can be a bit different – they certainly don’t always practise what they preach.
For example, at the RSA Conference (RSAC) 2010 in San Francisco, one of our colleagues – Graham Cluley, now an independent blogger – was asked to copy his presentation onto a USB key supplied by the organisers for collating speakers’ contributions.
When he inserted the USB drive into his Mac, Sophos Anti-Virus popped up, boop!, to alert him to Windows malware on the USB key.
He quickly figured out that the conference computer had no anti-virus at all, and that the same USB key had been in and out of numerous other presenters’ Windows computers already that day. (This story didn’t say much about those other presenters, either.)
At the AusCERT conference, in Queensland, Australia, also in 2010, one of the security vendors – it was IBM, and the company was nominated for a prestigious Pwnie award for this blunder) handed out USB keys with product marketing material on it…
…together with not one but two malware infections.
RSAC was back in the “do as I say not as I do” limelight again in 2014, issuing an official mobile app for the event that hooked into the event database so you could see the schedule of talks, with any last-minute updates or changes automatically shown.
Unfortunately, the database pulled down by the app also included details of all the other conference delegates who had registered to use the app so far – meaning that anyone who installed the app after you would get to see your details, too.
For many delegates, those details were probably public already – or at least easy to figure out or guess – so there wasn’t a huge amount of harm done, but it was still a peculiarly hypocritical cybersecurity blunder for a cybersecurity event company to make.
It happened again
Well, it looks as though it’s happened again: another insecure app published as part of an RSAC cybersecurity event.
At RSAC 2018, Twitter user @svblxyz found similar security problems to those of 2014 in this year’s conference app.
svbl (@svblxyz) April 20, 2018
Amongst other things, the app contained URLs from which database content could be downloaded, apparently including the real names of other mobile app users.
RSAC confirmed the breach in a tweet earlier today [at approximately 2018-04-20T06:00Z], admitting:
RSA Conference (@RSAConference) April 20, 2018
Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.
With just 114 names leaked, and given that many conference delegates have probably mentioned their visit to the event publicly anyway, for example on social media or in an out-of-office email, this isn’t a particularly dangerous outcome.
But the leaked names are just a symptom, and it’s the underlying cause that’s worrying: there always seems to “be an app for that”, even when a well-designed web page would be just as good, and even when a well-designed web page already exists anyway.
What to do?
- As a user, assume the worst, and stick to the web whenever you can. A one-off app for a single event simply won’t have had the same security scrutiny as your browser, so why not simply prefer your browser?
- As an event organiser, assume the worst, and stick to the web whenever you can. If you need a way to get updated speaker lists and session timetables to delegates, consider publishing a standalone file, such as a PDF, that users can download if they want an offline copy. If you expect to published regular updates, use a simple solution such as an RSS feed so your users can easily find the latest version.
- As a mobile app developer, assume the worst, and put app security up front, ahead of looks. You can always improve the look and feel of an app later on, but you can’t get stolen or leaked data back later on: once breached, always breached.