Ten highlights from RSA and TrustyCon

The RSA Security Conference, held in San Francisco late last week, had a little more spice than usual: amongst the high-level keynotes and research, there was the controversy.

Nine speakers pulled out of the conference in protest against allegations that RSA, a division of EMC, was paid $10 million to accept the Dual EC DRBG algorithm compromised by the US National Security Agency.

The controversy didn't seem to harm attendee numbers - RSA Conf still drew a record 25,000 delegates. But the kerfuffle did spawn the TrustyCon event, where protesting speakers including F-Secure's Mikko Hypponen, the ACLU's Christopher Soghoian and Google's Adam Langley gave their withdrawn RSA talks. Seven hours of presentation footage recorded at the new conference, held during RSA's annual event, has been uploaded to YouTube.

And that wasn't the only protest - an incensed band of security and privacy pundits, calling themselves Code Pink, also rallied against RSA by booking out a nearby popular restaurant and banning RSA delegates and speakers from eating there.

The group handed out fliers and hung a banner from the Moscone Convention Center declaring that "RSA loves the NSA" . That banner was quickly removed by security guards.

Protests aside, there was lots of good geeky InfoSec content to get stuck into. Below are our top ten highlights from RSA and TrustyCon.

1. Microsoft defence tool bypassed
   
   Researchers at Bromium Labs revealed that Microsoft's Enhanced Mitigation Toolkit (EMET) could be completely bypassed. The bugs were later squashed by an update to EMET (version 5.0), launched during the RSA conference. That update introduced the Attack Surface Reduction feature and hardened Export Address Table Filtering.
    
2. RSA mobile app exposes personal details
   
   Among others, the mobile app developed for the conference made users vulnerable to man-in-the-middle attacks, where an attacker could inject additional code into the login sequence and phish credentials.
    
3. RSA blames NSA for security industry mistrust
   
   CEO Art Coviello gave a keynote and told delegates that "when or if the NSA blurs the line between its defensive and intelligence-gathering roles and exploits a position of trust, that's a problem."
    
4. Error reports uncover hacks at govt agency, telco
   
   Microsoft's Windows error reporting system Doctor Watson can be used to reveal failed zero-day attack campaigns, security software company Websense has discovered.
    
5. More than 100 flavours of malware are stealing Bitcoins
   
   For just $35, you can buy a popular, specialised malware tool that steals Bitcoins and other such electronic currency -- according to Dell SecureWorks' presentation at RSA Conf - and researchers have unearthed more than 100 different malware families that specialise in this form of theft.
    
6. IBM software vulnerabilities spiked in 2013
   
   Most code flaws still involve non-Microsoft products, and overall patching speed has improved, a study presented at RSA conference found.
    
7. New stock iPhones and iPads open to spying
   
   Information about which characters Apple users tap on their iPhones and iPads can be captured by applications - serving as the modern equivalent of a keylogger - that exploit a newly identified flaw in the latest iOS 7 firmware, reserachers told the RSA conference.
    
8. Lavabit case may be one of many in coming year
   
   Marcia Hoffman, a lawyer for Lavabit founder Ladar Levison, predicts that authorities will press more technology firms for information on users.
    
9. Redesigning NSA Programs to Protect Privacy - Professor Ed Felten
   
   A TrustyCon highlight - Felten blended a lucid discussion of statistics with practical computer science and crime fighting, all within a framework of respect for privacy, liberty and the US Bill of Rights.