Friday, October 10, 2014

GHC14: Security: Multiple Presentations - Another Perspective

Finding Doppelgangers: Taking Stylometry to the Underground

Sadia Afroz, UC Berkeley) is using stylometry to find who is interacting on underground forums (cybercrime forums).  You want to figure out what this guys is doing there in the first place and who really is doing the work.

Current research around deanonymizing users in social networks is focused around similar usernames - but if you really care about being anonymous, you won't fall for that trap.  The next thing to look at is similar activities or social networks.  For most people you can see that they will write a facebook post and a tweet on the same event/activity, so easy to find the match.  This doesn't work for underground user forums, though.  So, instead they are using Stylometry to analyze the writing style.

Stylometry is based on everyone has a unique writing style - unique in ways you are not aware of, so its hard to modify. To do this, you analyze frequency of punctuation and connector words, n-grams, etc. But, you need quite a large writing sample to analyze, the larger the better - but still can get some accuracy on small samples.

They looked at four forums, 1 in Russia (Antichat), 1 in English (BlackhatWorld) and 2 in German (Carders/L33tCrew).  People move from oe forum to another, but not always easy for researchers to get the full data sample.

Problems? These forums are not in English... often in l33tsp3ak (pwn3d).  Also, people aren't speaking with their natural voice, they are making sales pitches (more likely to overlap with other accounts that aren't actually the same person)..

They parsed l33tsp3ak using regular expressions, and additional parsing for "pitches" vs "conversation" (if there are no verbs and repeated things in lists, it's most likely a sales pitch and was eliminated).

Then it seems to be all about probability - what are they likelihood that  these are the same person.  Lots of analysis followed, like: do these accounts talk to each other or about each other? Are there similar Username, ICQ, Signature, Conatct information, Account information, Topics. Did they ever get banned? (moderators do not like multiple accounts for one account)

People can sell their accounts - accounts that have been established with a higher rank could be sold for more. Some people also want to "brand" so they can sell different things with each account (like CC numbers with one, marijuana with another).

You could avoid detection by writing less (lowering rank), or you could use their tool, Anonymouth :-)

From Phish to Phraud

 Presented by Kat Seymour, Bank of America, senior security analyst. talk started out great with a reference to Yoda. Every talk should have a reference to Yoda!

Phishing used to be around silly things like weight loss pills and male enhancement pills.  But, it's grown up - there's real money to be made here.$4.9 billion lost to phishers last year.

Attacks come from all over the place now - mobile, voicemail, emails, websites... and they've matured. No longer plain text filled with spelling errors, they now are stealing corporate branding and well written emails. They are stealing websites that aren't well watched/maintained.

Ms. Seymour can look at things in the URL to find out more about the phisher (and to help learn for suspicious patterns).  She can also find the IP address to do further research. Additionally, she can leverage the Internet Archive (aka the Way Back Machine) to see if the website has changed a lot recently (shows evidence of takeover).

She pays attention to referrers to their website - if a new referrer shows up quickly in their logs and then disappears?  It's likely a phishing site - so then she has to watch the accounts that logged in through there for suspicious activity (in addition to doing further research on the referring site).

It's not as simple as blocking IPs - she can't control your personal machines... and all of the places you might be coming from.

She needs to work with ISPs to block known phishing websites, but ISPs are spread all over the world  She can watch logs, traffic analysis and referrers - but the phishers are constantly coming up with new ways of  doing this.  Would be great to work with email providers to get them to watch out for this - but too diverse (some email providers are trying to address this, but difficult to coordinate).

Advice? Watch your statements, watch your statements, watch your statements!

GHC14: Passwords with Lorrie Faith Cranor

Lorie Faith Cranor, a professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University.

Who knew that Carnegie Mellon had a passwords research TEAM!? (looked to be about 10 people).

Lorrie Faith Cranor noted that everyone hates passwords, but no matter how much we hate them, text passwords are here to stay.  These types of passwords have a lot of attack vectors: shoulder-surfing, online attacks and offline attacks.

Offline attacks are difficult to protect against and are very effective and the cause of many publicized breaches.  Passwords are leaked hashed or encrypted and the computers an take BILLIONS of guesses per second, comparing hashes to find matches. Additionally, they exploit the common usage of the same password at mutliple sites.

CMU had rolled out a new password policy (number of numbers required, upper/lower case, allowed symbols, etc). Everyone hated the rules and blamed her (alas, IT department did not consult her). She asked them, though, where they got the rules from: NIST.  Sounds good - so looked into where NIST came up with their recommendations. Seems they came up with their rules based on what they thought would be a good idea, but had not done any tests on actual passwords.

System administrators don't want to get in trouble - they are going to use "best practices". If Dr. Cranor wants them to use something "better" - she has to prove it and get it published in a respected source.

How can you get passwords to study?

One of the easiest ways to get passwords is to ask users to come into your lab and create passwords for you - bu not everyone wants to walk into your lab to do this.  You can expand the reach by doing online and get thousands of passwords.  The problem?  You're asking people to NOT give you their real password, so this is not real data.

Another approach? Steal passwords. Of course, CMU cannot steal passwords - it's not ethical.  But, hackers like to post hacked password lists, so they can do research on some real passwords.

You can ask users to tell you about their passwords (where they put the special symbol, where do they put the number and capital letter, etc).

Or you can ask sysadmins for passwords, but they usually don't want to give these out. [VAF note: the sysadmin should NOT actually have access to the raw password?]

The passwords you get from leaked systems are often from throw-away sites, so not high quality.

Her lab was able to convince CMU to give them 25,000 real, high value passwords. Could compare these passwords to leaked and previous study data to see how relevant it was. These CMU passwords have the CMU password restrictions.  They also got the error logs:how often people logged in using the password, error rate for wrong passwords, and h ow often they changed - along with information about gender, age, ethnicity, etc.

To get this information took a LONG time.  Had to have two computers - one off of the Internet, locked in a room and not accessible by the researchers.  Researchers would write their tests and analysis scripts on a separate machine - then hand it over to the IT staff to run.  Black box testing.

How did they get these passwords that should've been hashed?  Many enterprises don't actually use hashes, they encrypt them with a system they can reverse so they can more easily deploy new systems. [VAF: ARGH!?!?!? what?!] So, at CMU they could decrypt the passwords (in the locked environment that the researchers did not have access to).

CMU Real Password Study

Dr. Cranor's team looked at things like how guessable the password was? Simple ones, like 1234 would be guessed in 4 tries. More complicated may be 'impossible'.

Since they had clear text passwords, they could run a guessability meter on them, as opposed to actually guessing them.  They could see that CS students createad the strongest passwords, business students did not create as good of passwords.

Could not find an effect for facutly vs student vs ethnicity made no difference in password strength, but men didmake a passwords that were 1.1x stronger than women.

You can make your password stronger by dong simple things - like adding a digit. If you put the digit at the beginning of your password, it was better than no digit - but not as good as having a digit in the middle. If you have multiple numbers in your password  - if you spread them out, it's harder to guess.

Password creation was annoying - if you're annoyed while doing it, though, you'll create a weaker password. :-)

They additionally took a look at leaked hash/cracked passwords - those were weaker than those created by sites like CMU that has an "annoying" password policy.

But, they could then compare the spread and diversity of their passwords collected in studies against real CMU passwords and found they were similar enough that her team could do further research with study passwords.

Large-Scale Online Experiment

Used Mechanical Turk - a site you can pay users to participate in your study (10 cents, a dollar, etc). Found this is a great way to do online studies, as Amazon has to manage credit cards, etc.

Asked participants to create passwords under randomly assigned constraints. They could see entropy estimates and guessability estimates. They could also see that people would drop out of the study the more difficult and onerous the password rules were.

NIST research has shown various password entropy estimates.  NIST notes that adding dictionary checks raises entropy and that having one with more rules (comprehensive 8) would be 24 bits of entropy.  Compared to "basic 16" (no dictionary check), they estimate the highest entropy.

Users only seem to use very few symbols (@ sign and ! are the most popular), even though many are available to them.

Found that in general, basic 16 could be pretty good - except for dumb users. Found these passwords quite easily: baseballbaseball, 123456789012345 and xxxxxxxxxxxxxxxx.  Oops!

Some minor restirctions will bring the basic 16 (which is less annoying to set and easier to remember) will make it stronger than a comprehensive 8 password.

Longer passwords though take longer to type... so that is annoying in a different way.

Recommended Policy?

Not sure - our password cracking algorithms are fine tuned to 8 character passwords, so just that they are having a hard time cracking 16 character passwords may not really be because it's harder, but rather because they have the wrong tools.

So... more research on N-grams (Google, book quotes, IMDB, song lyrics, etc) - now 16 character passwords become much easier to crack (Mybonnieliesovertheocean, ImsexyandIknowit#01).  Her students used this to win the DefCon password hacking context this year with their new tools.

Found that password meters can be frustrating - the same password gets different ratings on different meters, but they do make people make better passwords.


Did XKCD solve this all already?

So, Dr. Cranor's team studied this! Found that that the passphrases were not easier to remember, and people didn't like the random word passwords (but didn't like them any less than other password rules).  They tried a method of adding "auto correct" to the random word passwords, which helped people log in faster.

Research uncovered one of the most common words that appears in passswords: MONKEY! Why? Updated their password survey and asked any user that included "monkey" in their password and asked them WHY!? A: a lot of people have pets named Monkey or a friend nicknamed Monkey or... well, they just like monkeys.

As much as they've tried, they have not found a way to make users be random. More research... :-)

Interesting thing about Dr. Cranor? She made her dress and it's covered with discovered password graph (iloveyou in giant letters along the side).

Her team is starting to do more research on Mobile vs Desktop: users are seeming to avoid anything that involves shift key on mobile.

Interested in going to grad school and studying this? Join her team:

Question from audience: does changing passwords make them better?  No, her research shows that changing your password more frequently: you end up with a BAD password.  People do simple incremental changes to their passwords that make them easier to guess, particularly if the attacker has an "old" password.  The only time sysadmins should make users change their password is in response to a breach.

Password reuse: sure, for junk websites (newspapers, etc), but do NOT use that for work, bank, personal email. It's better to write them down (requires someone breaking into your house, as opposed to attacking a news site and then having access to your bank account).

This blog is syndicated from Security, Beer, Theater and Biking!

Thursday, October 9, 2014

GHC14: Security: Multiple Talks

With: Morgan Eisler, Shelly Bird, Runa A. Sandvik

Visualizing Privacy: Using (Usable) Short Form Privacy Policies

Morgan Eisler, @mogasaur, works at Lookout, a mobile security company.  This year over 2 billion people worldwide use the internet - more added every minute. Many (most?) of these are mobile devices.  Many companies have privacy policies, but only 12% of Internet users read privacy policies all the time - and only 20% of those that read them (even occassionally) understand them. Simply too long!

Facebook's privacy policy is longer than the constitution of the United States!

If nobody reads them, can we really say that the customers are making a choice? Certainly not an informed one. Users trust their providers - but, expectations rarely match, and can cause negative surprises that lead to loss of trust and loss of revenue.

Consider "Yo".  An app that you can share all of your contacts with, and it will send them push notifications - a literal "Yo".  The app became very popular, and was hacked over night - suddenly peoples phone numbers were no longer private.  This wasn't even an app created by a company - just a few friends having fun.

At Lookout, they made a really short form policy that you could view on just one page on a mobile device - but was it helpful?

It is important, but if people are not reading it - it's not really helpful. the NTIA does give guidelines here to help anyone create a privacy policy.

Lookout created a new short form policy that was quite simple - greyed out icons for things like "Government" to show that they were not showing their data with the Government.  For people they did share with, like "Carriers" - you could click on the icon and get more information.

Did usability studies and found that customers liked it - but did they understand it?  People, for example, weren't sure what the icon of  "user files" meant -  it looked like pictures. Did that mean it only applied to pictures?  Used usability studies to clear up some of the icons.

The Flattening of the Security Landscape and Implications for Privacy

Customers are like sheep (which is not at all like they are portrayed in movies). Sheep are stubborn and if you try to push them too hard, they scatter (enter picture of sheep dog working hard :).  Even though Shelly Bird isn't "in" security, when a security breach happens - customers come to her.  She has to pay attention to everything before deployment, like making sure the bios is up to date.

Shelly thinks of security as a bowl - a container to store and protect your data/applications/etc. Also, like a castle - defense in depth.

Ten years ago, during a deployment, a customer said she had to remove IPsec from all of the machines. Huh?  The router/switch engineers said: That's our job!  What about the "last mile"?  Same customer didn't want IPv6 - convinced their firewall would be confused and not able to process it.

Once Shelly got though all of this - then the Intrusion Detection folks were unhappy! They could no longer read the packets.

Essentially, fear of change.

Shelly could see that the more she could push the work down the stack - the faster things worked.  For example, high level app encrypting a disk took four hours, but letting the OS do it - two!

There are other bigger problems here - credentials! The government likes to authorized users to have something physical to prove their affiliations.  Shelly ended up with a dozen of these cards. Ugh.  Now they are moving them into the mobile device, using TPMs as a trust anchor.  This is claims based authentication, allowing business to move faster.

This is still very complicated, though, as the US Government doesn't even have trust across branches.

 People want to have multiple identities, people travel/move around and have different reasons for doing different transactions - lots of work to get this right.

The Data Brokers: Collecting, Analyzing and Selling Your Personal Information

Runa Sandvick works for Freedom the Press - they protect the press and help to inform the press of their rights. Like those that have been arrested in Ferguson for not moving fast enough.

While she often talking about NSA, today she's talking more about consumer privacy.

It's surprising how much companies know about you by just watching your patterns.  You are volunteering this information in exchange for a discount. Like the father that found out from Target that his daughter was pregnant. She wasn't even buying diapers or anything that obvious, but changed the products she was using in a way that indicated pregnancy to target.

But this stuff happens online, too, and we don't even know about it.

And this information isn't just kept by the one company you are shopping at - it's getting collected by data brokers.  For example, OfficeMax addressed a letter to a man with the title "Daughter Died in Car Crash". Where did they get that data? Why did they have that?

Data brokers sell lists of rape victims, alcoholics and erectile dysfunction sufferers.  Where are they getting this? Why are they collecting it?

When asked directly, data brokers talk about caring about privacy, but don't want to share things like: how to see what information they have about you? How to remove/correct information? How to decline to share?

How many people have read the privacy policy for GHC? No hands went up...Runa did read it for us, and wasn't happy with what she found.  Things like your resume could be shared with non-recruiters.  Privacy policy also notes that they will not use encryption, unless required by law, to protect your information.  She also used a tool, Disconnect, to see what sites were gathering information from users of the GHC website - there was a data broker there (New Relic, which does help you analyze your site traffic, but what is *their* privacy policy? will they share GHC stats with other orgs and corps?).

You can use Tor to protect yourself from these data brokers. The only way the site will know it's you is if you log in. There's no way for them, otherwise, to know who you are so they won't have anything to track against.  Runa only uses Chrome for cat photos. :-)

wow - this really goes beyond the annoying targeted banner ads!

GHC14: Accountability and Metrics for Gender Diversity

Panelists: Laszlo Bock, SVP People Operations, Google; Danielle Brown, Cheif of Staff, Intel; Theresa Kushner, VP of Enterprise Information Management, VMware; Denise Menelly, Shared Service Operations Eecutive for Global echnology and Operations, BofA; J, Sr Directoreanne Hultquist of Strategic Initiatives, ABI.

At BofA, they talk about metrics at all levels in all positions - this stuff is important.

Lazslo Block noted that they didn't release their diversity data for business reasons, but because this was just the right thing to do. Google needed to be open and honest about this.  Diverse teams are better, we know that. We were hesitant to release the numbers for the same reason as everyone else: we were afraid to get sued! Simply the right thing to do.

Danielle brown noted that releasing these numbers is an important part of the conversation. Intel has been releasing the data for 10 years, but perhaps a bit quietly in the past. By measuring we know where we stand and where we need to go.

Denise Menelly noted the importance of these numbers - they aren't just numbers, you have to have actions behind them.  Every senior level manager is expected to have a score card: budget, project schedule and how they are performing against gender diversity numbers.  Not only do the managers have to report, but they need to say what they are doing to continue to increment in the right direction. It's very important to see what is happening, even small changes are important and need to be watched.

VMware is data driven - so it was an easy, short conversation. Theresa Kushner showed her new CEO the numbers and he instantly said, "Yep, there's a problem - we need to do something about this". Then senior management has a new responsibility - measure, track. What you measure is what you look at - so make sure you're measuring the right things.  It's not just a number, you also have to change the culture - but how do you measure that?

 At Intel, we often found that women were working in isolation.  Trying to address this by creating networks for women that start when they start.  Making sure they immediately have a network of support.

At Google we're looking at unconscious bias - for example, if a man leaves early to pick up his kids, everything thinks "what a great dad!" When a woman does the same thing? "Figures".  "Our tech population is 83% men - they have to behave differently." The unconscious bias training is starting to make an anecdotal difference - people are now aware they are doing this. 94% of Googlers surveyed said they will now step up and say something if they see someone demonstrating unconscious bias.

Denise Menelly noted this is taking too long. While they won ABI award, she was surprised as she sees there is so much work to do.  You're leaders -NOT just your HR/Diversity people - your technical leaders need to support you to come to Grace Hopper Celebration.  There is an issue that women will look at a job description and not see themselves as qualified (where a man will, even though they have the same qualifications.

Sergey, when he first started Google wanted 50% of his interns to be women (they hired 4 total interns in their first year).  Sergey also has his door open to women - he realizes that they have a perspective that he just doesn't have.

At VMware the executives don't just need to mentor women, but rather sponsor them. The execs need to have a plan for doing this and have accountability for their actions.

At Intel, EVERY employee will get a bigger paycheck this year if Intel improves their gender diversity.

At Google, every manager with more than 100 people in their org gets a diversity report and a visit to discuss. There are company goals here, and when people fail to make progress it can cause reduction in pay.  Some people are convinced of this issue, some people are just wrong. We'll need to work on forcing them out or keeping their wrong opinions to themselves.  The rest, they're in the middle and we want them to have the epiphany.

At VMware, we are working on diversity because it's good for business, it's good for innovation and it's good for our product line.

Denise  from BofA noted, yes, there's a pipeline problem, but that's not the biggest issue. We need to focus on fixing the culture and retention and making this a better industry.

At Intel, it was believed that the "issue" was women were leaving mid career - but when they looked at data, that actually wasn't the issue! Focus was in the wrong place, Intel now working on promotion and advancements.  The lack of senior women wasn't caused by women leaving - it was caused by them getting stuck at mid level.

Lots of good questions about pay data, when will we see more break down of what these companies mean by "technical woman", if women aren't leaving - why are they stuck, etc.  Panelists answered them all honestly - unfortunately, I was in line to ask a question (but we ran out of time) so could not take  notes.

Great talk - very inspiring! What are you doing in your org?  Do you think this could be handled bottom up?

This post is syndicated from Security, Beer, Theater and Biking!

Wednesday, October 8, 2014

GHC14: Leadership Strategies for High Impact Women

Presented by JJ DiGeronimo

JJ started her career over 20 years go - not for the love of code, but because she was tired of working dead end minimum wage jobs.  Found a great place in her school and got great grades that landed her in a consulting job, allowing her to travel all over the world.

We have to continue to carry the baton, but we have to find a different way of doing this - we can't take care of all things all the time, and still have any energy left.  The more things she picked up in her career, in addition to taking care of her family, she couldn't see how she could maintain the current state of things - she simply was doing so much.  JJ spent a lot of her time over the years interviewing more senior more successful women to figure out how they were doing.

Women want more influence and impact - do something slightly different to have their voice heard.

Keep in mind - you're career is a game, no doubt about it. How do you keep moving yourselves forward and position yourself strategically?

And you never know where you'll find these opportunities!  JJ and her husband wanted to start a family, so traveling all over the world alone was not conducive to getting pregnant. So, she took a lateral move to a new position which she ended up loving and had a lot more influence than she had expected.

But, you shouldn't leave this up to chance. What do you need to do to get to where you want to be in the next 24 months?  You need to plan ahead of time. Do you need new connections, new knowledge, new customers, new partnerships and/or new opportunities.

JJ wanted a new job at VMware and was surprised when she got a call from the hiring manager saying they were not even going to include her in the interview cycle, because she didn't have the right skills.  JJ then analyzed the people that were in the position she wanted to be in and discovered her gaps, and worked on filling those over the next few months.

How do the successful women do it?  First of all, they are master schedulers - they have to be in control of their calendar.  JJ looked at this and made a list of all the things she was committed to - she came up with FIVE pages of things. That's just not sustainable.   She had to look at two things: who  was asking her to do this?  Did they align with where she wanted to go?

People are notorious for putting things on your list - especially if you're a doer.  If you're in this session or reading these notes - that's probably you!  Be careful and make sure that what you and your teams are doing are aligned with what you should be doing and how much enjoyment do you get out of this?  You have to protect your time - do not expect others to do so!

For example, somebody asked her to do an "easy" task of mentoring 24 women over the year.  When JJ analyzed what this meant, she realized it was a 75 hour commitment! She thought about it for 24 hours... and realized she just couldn't fit it in.  JJ asked what they were really trying to get - inspire women in their organization.  She suggested instead that she come to their quarterly meetings, talk to the group and spend time afterwards talking to interested women.  The org asking was thrilled and JJ changed the commitment from a 75 hour commitment to a 6 hour commitment that was going to be rewarding.

Your goal here should be to get things off of  your list. Delegation is your best friend, especially if you've already learned the lesson from the task - give someone else an opportunity to learn! Yes, it will take longer at first, but it will save you time long term and make you happier and free up your time to do the things you want to do.

It doesn't make sense for a well paid women to do all of her household chores - no matter what the world and your mother have told you.  Can you barter and trade for services?  For example, help your neighbor with their wifi network and see if they can do some cooking/baking for you.

If you aren't excited about something - don't sign up. Your help won't be appreciated if you aren't bringing energy to it.  By actually letting someone else take something over for you, you're giving them opportunities to shine.

To get control of your calendar, you need to introduce yourself to the word "No."

Don't let other people give you tasks (they are ALL urgent) that are going to cause you to fall behind on your "real" job (which is, really, just a collection of tasks).

Make sure you have a list of what tasks you're working on and their priorities - put them on your white board.  When your boss comes in with a super new important tasks, you can say, visually - where does it fit with all of these things?  Sometimes that can even let you remove tasks, when your boss has forgotten to tell you that something wasn't important anymore.

How do you get rid of the guilt?  You will have to drop things that you're going to wish you could do (like you might not be able to make *every* soccer game) - but let your family and co-workers have a voice, that can help alleviate the guilt. For example, "which of your upcoming games are the most important and you really want me there?"

Before you say yes, think about:
  • Do you understand the work ahead of you?
  • What other commitments would interfere?
  • Is this project in line with your goals?
  • If I do this, would it be for the right reasons?
  • How will it impact my other responsibilities and commitments?
  • who else needs to be involved to ensure scucess?
  • What would sueccess look like?
  • Am I the best person to be doing this?
How did JJ prepare for her job changes from sales to cloud? She blocked out time on her calendar 3 times a week reading new articles on the cloud. But how could she let folks know what she now new?  She started posting comments on the articles she read, she starting writing her own articles and started sharing more on LinkedIn.

JJ also started getting into new circles - both online and in real life.  From there, she could help other groups she hadn't previously worked with, helping her to build her credibility.

You need to seek clarity, guidance and perspective.  JJ's had a surprising number of people come to her for "mentorship", but it turns out that they hate their current job. That's not a job for a mentor - that's a job for a career coach to help you to find your right direction - THEN find a mentor.

Once you have a plan, make sure your desires are known.  Don't be afraid to apply for the job - even if you're not perfectly qualified.

To get more exposure and skills, join a non-profit board and improve your leadership skills.  JJ said this is something EVERYONE needs to do.

My takeaway?

Next week - I'm resetting my calendar, and starting over. My calendar is SOLID, I have no time to get to tasks that I need to.  This is hard, as I am a first line manager, so I need to have 1:1s with people on my team - but I can control that schedule more than I currently do.  In addition, since becoming a manager I find I am driven by my calendar - all sorts of appointments end up there, often back to back to back to back... I need to start blocking off time to do email, strategy, etc - in big enough clumps where I can get things accomplished.

Also, I've been working on putting priority lists on my whiteboard - but it's never completely up to date, and as it's a white board it's not that hard to do this - and I will! (part of that time block for prioritization).

I loved listening to the other women's take-aways: one women is going to get someone else to mow her lawn. Another is going to take some new risks. Another women was excited that she is not "alone" for having chosen CS for a degree for the money - there is no shame in wanting to provide for your family, and you can still find the passion. Yeses need to be curtailed. Do things you enjoy that make you excited wherever possible.

What do you think you can do to better streamline your life and professional career?

This post is syndicated from Security, beer, theater....