Security, beer, theater and biking!<br />
Valerie Fenwick<br />
<br />
Learning Ally: Books I've Narrated<br />
2020-10-13<br />
<br />
Working with <a href="http://learningally.org/">Learning Ally</a>, I record textbooks and novels for the blind and dyslexic, along with others that learn differently.<br />
<br />
I've been keeping this list on LinkedIn, but hit the LinkedIn character maximum. I didn't always keep track, so there may be a few more books. I started volunteering at Learning Ally in Palo Alto in August 2012, followed them to Menlo Park and am preparing to start volunteering from home.<br />
<br />
When I started, we had physical books we read from and we've since moved to VoiceText (scanned texts) and PDF books. This makes it easier to start recording at home!<br />
<br />
Here are the books that I've narrated over the years. I'll continue to add to this post as I complete more books. The hours listed are the total length of the finished narration. It usually takes 3 times as long to record and correct to get that finished product.<br />
<br />
<u>Recorded in 2020</u><br />
<ul>
<li>The Toll (Book 3 in Arc of the Scythe Series, Neal Shusterman) (625 pages, 17:53 hours)</li>
<li>One Safe Place (Tania Unsworth) (296 pages, 6.82 hours)</li>
<li>Follow the Moon Home: A Tale of One Idea, Twenty Kids, and a Hundred Sea Turtles (Philippe Cousteau) (48 pages, 35 minutes)</li>
<li>A Perfect Score (Rob Buyea) (370 pages, multiple narrators. I narrated Randi.)</li>
</ul>
<br />
<u>Recorded in 2018</u><br />
<ul>
<li><a href="http://amzn.to/2oSGub0">Court of Fives</a> (Kate Elliott) (432 pages, 10.71 hours)</li>
<li><a href="https://amzn.to/2LqGskA">Still Life with Tornado</a> (A.S. King) (296 pages, 8:48 hours)</li>
<li><a href="https://amzn.to/2L4B33z">Some Kind of Happiness</a> (Claire Legrand) (374 pages, 10.80 hours)</li>
<li><a href="https://amzn.to/2UvPNg5">Caraval</a> (Stephanie Garber) (407 pages, 10.13 hours)</li>
</ul>
<u>Recorded in 2017</u><br />
<ul>
<li><a href="http://amzn.to/2yGLpC6">Tales from a Not-So-Friendly Frenemy (Dork Diaries #11)</a> (Rachel Renee Russell) (248 pages, 2.17 hours) </li>
<li>Tales from a Not-So-Fabulous Life (Dork Diaries #1) (Rachel Renee Russell) (282 pages, 3.08 hours)</li>
<li>The San Francisco Earthquake (I Survived #5) (Lauren Tarshis) (98 pages, 1.27 hours)</li>
<li>Shadows of Sherwood (Robyn Hoodlum #1) (Kekla Magoon) (356 pages, 7.48 hours)</li>
<li>Mythology (Edith Hamilton) (475 pages, 11.35 hours)</li>
<li>Carve the Mark (Veronica Roth) (467 pages, 12.14 hours)</li>
<li>Goosebumps Book 8: The Girl Who Cried Monster (138 pages, 2.50 hours)</li>
<li>Goosebumps Book 3: Monster Blood (R. L. Stine)</li>
</ul>
<u>Recorded in 2016</u><br />
<ul>
<li>Ink and Bone (Rachel Caine) (354 pages, 10.97 hours)</li>
<li>Dragons of Winter (James A. Owen) (389 pages, 9.38 hours)</li>
<li>Tru & Nelle (G. Neri) (328 pages, 4.70 hours)</li>
<li>City of Ice (Ken Yep) (362 pages, 8:47 hours)</li>
<li>Winter: The Lunar Chronicles (Marissa Meyer) (828 Pages, 20 hours)</li>
</ul>
<u>Recorded in 2015</u><br />
<ul>
<li>If You Could Be Mine (Sara Farizan) (248 Pages, 4:59 hours)</li>
<li>The Vanishing Game (Kate Kae Myers) (356 pages, 7:45 hours)</li>
<li>A Northern Light (Jennifer Donnelly) (396 pages, 8:57 hours)</li>
<li>Liar Temptress Soldier Spy: Four Women Undercover in the Civil War (Karen Abbott) (513 pages, 12:20 hours)</li>
<li>The Spiritglass Charade (Colleen Gleason) (360 pages)</li>
<li>Wicked Girls (Stephanie Hemphill) (389 pages)</li>
</ul>
<u>Recorded in 2014</u><br />
<ul>
<li>The Wicked and the Just (J. Anderson Coats) (342 pages, 7:30 hours)</li>
<li>The Spy Catchers of Maple Hill (311 pages)</li>
<li>California Driver Manual (106 pages, 4:15 hours) (Yes, DRIVER, not Driver's ... )</li>
<li>Unbroken: A Ruined Novel (Paula Morris) (295 pages)</li>
<li>Froi of the Exiles (Marlena Marchetta) (598 pages, 16:53 hours)</li>
<li>The Amazing Monty (Johanna Hurwitz)</li>
</ul>
<u>Recorded in 2013</u><br />
<ul>
<li>Every Other Day (Jennifer Lynn Barnes)</li>
<li>The Last Dragonslayer (Jasper Fforde)</li>
<li>The Red Convertible</li>
<li>Michael's Mystery</li>
<li>Inkheart</li>
</ul>
<br />
<br />
<br />
BH20: The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis<br />
2020-08-06<br />
<br />
Mitchell Parker, CISO, Indiana University Health<div><br /></div>
<div>The opioid crisis has caused mass addiction and broken up families and support systems. Why is this of interest to Black Hat? A major root cause of the crisis was the underhanded manipulation of an Electronic Medical Record (EMR) system.</div><div><br /></div>
<div>The EMR in question came from Practice Fusion, now a division of Allscripts. They had advertisements in their EMR, which seemed like a violation of the Stark Act. Many smaller practices used them, because they couldn't afford better systems. They had over 100K customers at their peak.</div><div><br /></div>
<div>Many hospitals and small practices are losing money or barely staying afloat - so they were using this system, as it was 'free'.</div><div><br /></div>
<div>EMRs are digital versions of paper records. They can be on mobile, desktop, browser or application - often with remote access, as physicians are overworked, too, and would rather complete their charting from home.</div><div><br /></div>
<div>EMRs need to be certified to be eligible for federal reimbursement, and are meant to be kept up to date. Lots of HIPAA violations are caught in the big EMR companies, so it's hard to say what's happening in the smaller providers. </div><div><br /></div>
<div>These systems tend to lack 2-factor authentication for system access, which means you can even get system administrator access this way. 
The physicians are overworked and focused on spending time with patients, not spending time on IT and compliance.</div><div><br /></div>
<div>Most of the revenue for Practice Fusion came from advertisements, even though it was a violation of the Anti-Kickback Statute. They additionally marketed themselves to drug manufacturers as willing to customize clinical decision support alerts - Pharma Co. X paid $1M to add custom alerts to recommend extended release opioids. They were able to prove that doctors that saw this alert prescribed at a higher rate than those who did not.</div><div><br /></div>
<div>Death and opioid abuse are not new; they were impacting parts of America as far back as the late 1990s.</div><div><br /></div>
<div>People died and became drug addicts because of a marketing department.</div><div><br /></div>
<div>To help stem this type of abuse, there are proposed changes to the Department of Health and Human Services regulations. Additionally, Mitchell would like to see diversion monitoring software and privacy monitoring. </div><div><br /></div>
<div>He also recommends that doctors use the larger providers - those have already been set up to limit opioid prescriptions.</div><div><br /></div>
<div>Going forward, EMRs should have 2-factor auth, limited access and configuration change reporting. </div><div><br /></div>
<div>We tell our doctors everything about our lives, so this information must be protected. 
When that trust is broken, it is tragic.</div><div><div><br /></div><div><br /></div></div>
BH20: A Framework for Evaluating and Patching the Human Factor in Cybersecurity<br />
2020-08-06<br />
<br />
Ron Bitton, Principal Research Manager, Cyber Security Research Centre at Ben Gurion University<div><br /></div>
<div>Social engineering attacks go beyond just phishing and are no longer limited to PCs, but most solutions don't distinguish between different types of attacks or platforms.</div><div><br /></div>
<div>The existing methods are based around self-reported measures, attack simulations, and training (with some mitigation).</div><div><br /></div>
<div>But the self-reported method is biased and resource intensive, so cannot be done continuously. The attack simulations are typically limited to classic phishing, and cannot be used to evaluate users' vulnerability to other attack vectors. The training workshops are great, but unlikely to reflect the users' normal behaviour - as they know they are in training. Additionally, employees are not big fans of forced training, and may not be engaged.</div><div><br /></div>
<div>Most technological mitigations are limited to specific environments (like the office, specific browser).</div><div><br /></div>
<div>The researchers have created a new toolkit: SafeMind. The researchers looked into specific areas of awareness models, and worked with other security researchers to help rate the importance of the criteria, which helped them narrow down the most critical areas to measure.</div><div><br /></div>
<div>They created an endpoint solution, attack simulator and network solution. The endpoint solution looks at a lot of things on the endpoint - sensors on social media activity, security settings, certificate management - to create a profile of the user. 
Using this profile, they could target attack simulations for that user. </div><div><br /></div>
<div>Over 7 weeks they experimented on 162 subjects. They could see that those users with lower security knowledge were less successful at mitigating some attacks. Users' self-reported behaviour may differ significantly from their actual behaviour, whereas their research could predict more accurately their actual behaviour.<div><br /></div></div>
BH20: Keynote: Hacking Public Opinion<br />
2020-08-06<br />
<br />
Renée DiResta, Research Manager, Stanford Internet Observatory<div><br /></div>
<div>Vocab background: Misinformation: the sharer thinks the information is true, and is sharing it to try to help people. Disinformation: the sharer knows the information is false. Propaganda is information that is created to make you feel and act a certain way (not always false). Finally, there's an agent of influence - someone acting on behalf of someone else (Nation State, etc). </div><div><br /></div>
<div>Dissemination is an important part of sharing information. In the past, someone would have to physically hand out flyers. This got easier with TV and radio, but was still restricted. Then, we got zero-cost publishing with blogging - but attracting the audience was still tricky. Now we have social media - the feeds are designed for engagement and dissemination. </div><div><br /></div>
<div>Now we have a glut of material, no editors, no gatekeepers - just an algorithm that rates, ranks and disseminates. These algorithms are gameable, and the systems are open to everyone.</div><div><br /></div>
<div>We are now going beyond influencing public opinion to hacking public opinion. 
It's easy and cheap to create fake media companies and personas; it's how the platform was designed.</div><div><br /></div>
<div>We see distraction, persuasion, entrenchment (to highlight and exacerbate existing divisions), and then divide.</div><div><br /></div>
<div>Now our broadcast media feeds into social media - and it also flows in the reverse! Both of these can be easily influenced by bad actors.</div><div><br /></div>
<div>Renée then walked through a few examples from China - obvious government propaganda, less obvious and then "news" coming from a fabricated news company on Twitter to make China look good. In addition, many Chinese news agencies have Facebook pages - even though Facebook is banned in China. Why? To influence China's image in countries that do have access to Facebook, used recently to discredit Hong Kong protestors.</div><div><br /></div>
<div>She did a great breakdown, as well, on creation of Twitter bots and figuring out their purposes - and also how effective they were (engagement, number of retweets, etc.)</div><div><br /></div>
<div>Memes are properties created for social media, and are easily digestible, identity focused. They are often created by state actors to create more division - on both sides of the political spectrum.</div><div><br /></div>
<div>Great deep dive into the Russian interference in the 2016 election, with lots of great graphics.</div><div><br /></div>
<div>Well researched state agents will exploit divisions in our society using vulnerabilities in our information ecosystem. They will likely target voting machines again and try to infiltrate groups. But most of all, they will aim to reduce trust in the US elections.</div><div><br /></div>
<div>The more these images and stories are spread, the more they start to influence and impact people, though direct measurement of impact on each individual is more difficult and will be part of further research. 
They can see disinformation jumping from one group to another, which seems to demonstrate people are believing it and feel strongly enough to reshare.</div><div><br /></div>
<div>An excellent talk - I highly recommend you catch it on YouTube when posted!</div><div><br /></div>
BH20: Hacking the Voter: Lessons from a Decade of Russian Military Operations<br />
2020-08-05<br />
<br />
Nate Beach-Westmoreland, Head of Strategic Cyber Threat Intelligence, Booz Allen Hamilton<div><br /></div>
<div>Nate has been involved in elections since his youth. For background, read Russia's Military Doctrine, which explains tactics, targets & timing of GRU operations. Long story short: they've been doing what they said they would do!</div><div><br /></div>
<div>This is not a new thing - they've been doing this at least since the 1970s. Many of the strategies haven't changed, either. What has changed is the technology and who is doing it. In the 1980s, it was the KGB and the Propaganda department.</div><div><br /></div>
<div>In the late 1990s, Russia switched to the tactic of Information Confrontation - the continuous competition over beliefs, opinions, perceptions and feelings to enable the furthering of states' agendas. This has been adopted by the Russian Military and is even documented on their website!</div><div><br /></div>
<div>The Information Confrontation has two sides: informational-psychological and informational-technical capabilities. These are used for more than just swaying an election. Moscow's preferred candidates have rarely won, but they did succeed at undermining the winner - making them weaker, less able to oppose Russia. 
</div><div><br /></div>
<div>Information conflict is both offensive and defensive - it can demonstrate that "fair, free and democratic" societies are neither desirable nor obtainable - so, Russians should stick with the status quo.</div><div><br /></div>
<div>Look at what happened in Ukraine in 2014. Attacks against the Ukrainian election started a few days in advance, trying to destroy the vote counting system. They took over websites of officials, creating fake announcements that the system had been breached and then attacked the vote reporting site to show a fringe candidate as winning - all to delegitimize the actual election results.</div><div><br /></div>
<div>Similarly in Bulgaria, the GRU launched a DDoS on voter registrar sites, so voters could not find their polling place.</div><div><br /></div>
<div>In France (2017), the GRU started phishing Macron's campaign, and started blasting Macron with all sorts of falsehoods about Macron's character. Even though they were easy to debunk, they built a story that Macron may be a seedy character. France has a ban on campaigning and commentary within 48 hours of the election, and the GRU released more falsehoods and private campaign documents right before.</div><div><br /></div>
<div>Similar things happened in Montenegro in 2016.</div><div><br /></div>
<div>Then in the US in 2016, similar tactics again: leaking internal campaign material, with the releases timed to maximally inflame divisiveness. They started spreading fear about election infrastructure and threats of large scale fraud/vote rigging.</div><div><br /></div>
<div>When Russia is caught, they go on a "whataboutism" campaign - "So, what, our athletes were doping, your athletes have done the same thing - what about those athletes?" How can you be angry about us trying to interfere in your election, when the US does it to other countries? <br /><br /></div>
<div>As we've already seen Russia attack power grids, what would happen if they did it on an election day? 
Either in the US or other nations?</div><div><br /></div><div><br /></div>
BH20: We Went to Iowa and All We Got were These Felony Arrest Records<br />
2020-08-05<br />
<br />
Justin Wynn, Senior Security Consultant, Coalfire Systems<div>Gary DeMercurio, Senior Manager, Coalfire Systems</div><div><br /></div>
<div>The client asked them to come on site and test physical penetration and planting of a drone device. They were requested by the client to do the work at night/after hours. What was said later to the press by the client was very different. Originally it was night only, but they changed the contract later to add social engineering during the day. It wasn't just the pentesters on the phone with the client, but also their project manager, manager and another pen tester. </div><div><br /></div>
<div>They also received a letter of authorization that asked them to begin on Sunday (when the courthouse is closed), yet the client later said they only wanted it to happen during business hours (courthouses are closed on weekends). The pentesters were given restrictions for each of the 5 buildings, like which floors are off limits, which data centers are in scope/out of scope. This was worked out building by building. The contract was more generic, and the scoping call was more detailed (lesson learned: record your scoping call)!<br /><br />Charges were filed against each of them independently.</div><div><br /></div>
<div>They spent the day on Sunday scoping locations; during business hours they got tours (some public/free access, some with escorted tour).</div><div><br /></div>
<div>They started out Monday night at the Judicial branch - a State Trooper came by (as expected), who said this was common practice and asked for a business card. 
They did get inside, got into the IT department and left a card on his desk. The contact from the client sent a "can't wait to see how this was done" message, reviewed the overnight footage, and didn't say anything. Everything seemed fine to the researchers.</div><div><br /></div>
<div>They started again on Tuesday night, and breached 3 more buildings with no alarms. They knew the last building had an alarm, and were hoping they would set it off. They arrived at 11:30PM on Tuesday, did a brief walk around - could see the sheriff department across the street. They found an open door when they arrived - wow. They closed it, and then re-breached the door. They tried the default codes for the alarm, which didn't work - so they decided to hang out and wait for the police to arrive. </div><div><br /></div>
<div>They wanted to make sure they did not scare the police, or get surprised, so they called out regularly as they were moving down to the ground floor. </div><div><br /></div>
<div>Then we got to watch the body cam footage from the first officer on scene, and could hear the police talking; they seemed fine with the researchers, who were told they were good to go.</div><div><br /></div>
<div>Then the sheriff arrived... and the police officers turned off their body cams. Suddenly the sheriff said the client didn't have the authority to authorize the pen test (state vs county property), and decided to arrest them for burglary. </div><div><br /></div>
<div>Up until when the sheriff arrived, everyone was very professional, then suddenly everyone's attitude changed. Suddenly, because they were penetrating with commonly available tools, they couldn't possibly be professionals (!?!?!?).</div><div><br /></div>
<div>They were now being questioned about whether or not one of the testers was an actual Marine, and it took a lot of pushing to get them to say they were under arrest. They finally got ahold of the client, to let them know they were in jail. Asked for help. 
"Andrew" was supposed to talk to the sheriff, but the sheriff won't budge because it's a county building - "nothing" can be done.</div><div><br /></div><div>Judge at arraignment was not pleased that they had been arrested breaking into her courthouse... thought their client would come and protect them, but instead noted they were a flight risk - set their bail at $50,000 (same as people are given for murders).</div><div><br /></div><div>This led into jurisdictional infighting. Client removed documents from Coalfire portal.</div><div><br /></div><div>They want someone to be responsible for this. Polk County DA was not going to charge the speakers, as he was aware that it was the three contacts from the client were at fault, but Polk County Sheriff was defensive of Dallas County Sheriff and threatens Coalfire CEO.</div><div><br /></div><div>While things are moving forward, in their favor, the Chief Justice dies and everything dies with them.</div><div><br /></div><div>Now they both have permanent felony records. Cannot get firearms.</div><div><br /></div><div>They have laws in the state that are more concerned with liability and less about the security of their infrastructure. Based on this, all offensive security has stopped in Iowa. </div><div><br /></div><div>They would like to get laws passed to prevent this from happening again - if you can help, reach out!</div><div><br /></div><div>[Q&A]</div><div><br /></div><div>Do you still have a felony record? Yes.</div><div><br /></div><div>Was the sheriff of Dallas County ever reprimanded? 
No.</div><div><br /></div>
BH20: Election Security: Securing America's Future<br />
2020-08-05<br />
<br />
Chris Krebs, Director, Cybersecurity & Infrastructure Security Agency (CISA)<br /><br />
<div>About this time in 2016, it became very clear that Russia was intent on disrupting our election in several ways, including information disruption, election tampering, etc. There was an ad-hoc response pulled together, as it hadn't been clear this was going to happen in advance. The Russians did research and targeted attacks on all 50 states, but did not seem to be able to impact a vote via cyber means.</div><div><br /></div>
<div>Why was it an ad-hoc response? There was no dedicated approach on election security. The security research community was aware, but there was nothing dedicated at the federal level. They pulled it together last minute and provided a successful defense from a cyber security standpoint. A playbook was then brought out that others can now study.</div><div><br /></div>
<div>What are the implications of what happened in 2016? It was a Sputnik-type moment - for the first time, the Soviets had a way to reach out and touch us; geographic isolation was no longer in our favor. Now they could use cyber techniques to destabilize an election. This gave the US a heads-up that we had a lot at stake in 2018 and 2020. </div><div><br /></div>
<div>We have 3 distinct advantages now: a vibrant election security community, a better understanding of risks, and better visibility of what is happening with elections. The federal gov't is here to help state and local governments run their elections. Since 2016, we've pulled together an information sharing infrastructure, sharing threats, strategic and defense tactics. We've been providing services / tech capabilities to partners in local government. 
We've been working together to analyze trends and issues, helping others to buy down risk with the tools & techniques that have been developed. </div><div><br /></div>
<div>We have a much better understanding now than we did in 2016 of how different states and counties are running elections - we are listening to them about what their risks and issues are. One of the best risk management techniques: paper. We are asking states to switch to a system that has a paper record. For 2020, we may hit 92% or higher with a paper trail. The paper trail is needed for auditability.</div><div><br /></div>
<div>We now have a much better understanding & visibility of what is happening in the election space and worked hard to develop trust with state & local election authorities. We've been able to provide tools, like intrusion detection, deployed across all 50 states (not necessarily all counties). </div><div><br /></div>
<div>Even with all these preparations, there is still more work to do - there could be more disruptions, we have Covid-19, and we need voters to be informed.</div><div><br /></div>
<div>Today, in 2020, the focused mission of NSA, Intelligence, etc. is watching out for Russia, China, and other state actors targeting our infrastructure. Lots of scanning, but not seeing anything at the level we saw in 2016. But we are still seeing too many ransomware attacks on hospitals and financial institutions - we do not want to see this happen to election systems. We are helping with tools and techniques to protect these systems.</div><div><br /></div>
<div>Looking at the failover mechanisms - analog backups of voter registration databases, etc. We need to make sure that the voters can vote, no matter what. We also have provisional ballots as a backup.</div><div><br /></div>
<div>We have Albert Sensors (IDS), but we also need end point detection, capabilities on individual hosts. We have to continue to improve security at all levels.</div><div><br /></div>
<div>In terms of Covid, that's why he's here talking to us today. 
Covid will change how we do elections - we realized in February that Covid was going to change the voting process. We are, at the very least, going to need PPE for poll workers, sanitation procedures, etc. But it's not just about in-person voting: many states are adopting absentee & mail-in balloting. This takes time & money. States like New Jersey could not identify budget for doing things like upgrading their machines to have a paper audit, but now they are moving to a more mail-in system - so they may get the paper trail this year.</div><div><br /></div>
<div>It's quite possible that we won't know on November 3 who won the election. Please be patient. </div><div><br /></div>
<div>We need informed voters - something will change in the way you vote. There may be a new polling location: schools & aged homes may not be available. Have a plan for how you will vote. Take advantage of early voting, absentee or mail-in. Be a part of the solution.</div><div><br /></div>
<div>[Q&A - Live Commentary section]</div><div><br /></div>
<div>Under the constitution, states will determine the time, place and manner of an election. Congress has a role here as well, but local & state has to carry the bulk of the burden. CISA and the intelligence committee are here to help and support. </div><div><br /></div>
<div>A couple of developments since this was recorded: they have set up vulnerability disclosure guidance, saw that the University of Chicago is providing free support to state & local election boards, and are launching an end-point detection system pilot in 29 states.</div><div><br /></div>
<div>We are trying to help with debunking/prebunking of disinformation, in a balanced way. </div><div><br /></div>
<div>Last fall they pushed out a state & local disinformation kit, so they can tailor it to their local needs, and also leveraged that for Covid related disinformation. 
They launched the <a href="https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_understandingforeigninfluence_508.pdf" target="_blank">War on Pineapple campaign</a>, benign and easy to understand. </div><div><br /></div>
<div>Working to help the states adjust and studying the equipment and risk controls, adjusting our approach to do more remote pen testing.</div><div><br /></div>
<div>Unfortunately for us, he can't discuss confidential information ;-)</div><div><br /></div>
<div>Be prepared, participate - we need 250K poll workers, and be patient!</div><div><br /></div>
BH20: Keynote: Stress-Testing Democracy: Election Integrity During a Global Pandemic<br />
2020-08-05<br />
<br />
Great intro from Dark Tangent (as per usual) - there are people attending from 117 different countries! Lots of great scholarships this year as well. <div><br /></div>
<div>It's strange attending from home - no laser show!</div><div><br /></div>
<div>Keynote Speaker: Matt Blaze, Georgetown University</div><div><br /></div>
<div>Early elections in the US used little technology - they were literally just in a room and raising hands, but that doesn't scale and it is also not secret. The earliest technology was simple paper ballots that were hand counted. As long as the ballot box wasn't tampered with, you could have high confidence your ballot was counted. It was also easy to observe/audit. </div><div><br /></div>
<div>We moved on to machine counted ballots or direct-recorded voting machines, and finally computers. The technology doesn't matter as much as whether the voters trust the technology and the outcome.</div><div><br /></div>
<div>It can be hard to get right - due to some conflicting requirements: secrecy and transparency. 
How do you audit and make sure everyone's vote was counted in the way they wanted it counted, but without disclosing how they voted? </div><div><br /></div>
<div>It is impossible to re-do an election. They need to be certified by a certain date and you cannot really do them again; there's not enough time to do it before the transition of power should occur.</div><div><br /></div>
<div>The federal government doesn't have as much oversight over each state for a federal election as you might think - they are mostly run by counties, with guidance and standards set federally. There is no place to change everything nationwide. </div><div><br /></div>
<div>The ballots can (and usually do) vary even within the county - think about school board, city council, local ordinances, etc. In 2016, there were 178,217 distinct ballots in the US. Sixty percent of eligible voters participated in the election, 17% cast in-person in early voting and 24% was by mail, but the majority were still in person.</div><div><br /></div>
<div>In the US, we spend more money campaigning than on running the election itself.</div><div><br /></div>
<div>Traditional threats to voting: vote selling, ballot stuffing or mis-counting. Foreign state adversaries are also a threat, but they may not care about who wins - just that the process is disrupted and that doubt is cast on the legitimacy of the election.</div><div><br /></div>
<div>Taking a walk down memory lane: hanging chads! Florida was using a punch card system (aside: we used the same system in Santa Clara county when I moved here, except we didn't have the "assistance" of the physical ballot - I had to bring in my sample ballot so I'd know which holes to punch.) 
In that case, since the Supreme Court stopped the count, we ended up with a certified election that nobody (but the winner) was satisfied with - they did not feel their votes were counted.</div><div><br /></div><div>This debacle did lead to HAVA (Help America Vote Act) - it mandated that everyone change their voting equipment and did provide funding to purchase it. Unfortunately, improved tech wasn't widely available. Most common were DRE (Direct Recording) voting machines, which are computerized. This is different than the older model, where we used offline computers to tally the votes. These new machines are networked, and much more reliant on software.</div><div><br /></div><div>As you are aware - software is hard to secure. There are no general techniques to determine if it is correct and secure. SW is designed to be easily changed - maybe too easily, if you're not authorized and still able to make a change. This is a problem for these voting machines.</div><div><br /></div><div>E-voting, in practice, has a huge attack surface: firmware, software, networking protocols, USB drives floating around, non-technical poll workers, accidental deletion of records, viruses....</div><div><br /></div><div>Every current system that is out there now is terrible in at least one way, if not several. There is an exception from the DMCA to do security research on voting machines. This makes the DefCon voting village a lot of fun (and will be available this year as well). </div><div><br /></div><div>Some people are suggesting hand counting everything - but there are just too many items per ballot. The amount of work to do a complete hand count is infeasible. </div><div><br /></div><div>The other extreme: the blockchain! But, it makes us much more dependent on the SW and the client (and what it puts in the blockchain). This does address tamper detection, but not prevention/recovery. 
Also, civil elections aren't a decentralized consensus process.</div><div><br /></div><div>There have been two important breakthroughs - first from Ron Rivest on Software Independence: a voting system is software independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome. .... but not how to accomplish that. Stark came up with Risk-Limiting audits: a statistical method to sample a subset of voting machines for post-election hand audit to ensure they reported correct results. If that fails, hand count the rest.</div><div><br /></div><div>You can learn more in the paper "Securing the Vote" from the National Academy.</div><div><br /></div><div>Everything seemed like 2020 was going to go well... until... March. Who would've expected a global pandemic?</div><div><br /></div><div>When we think about voter disruption, you might not be able to get to the polling place due to travel or disability - you can get an absentee ballot (including "no excuse" ballot) - but, with the exception of states like Oregon, they are a small percentage.</div><div><br /></div><div>If there are local or regional emergencies, like an earthquake or hurricane, that may prevent polling places from opening. There was an election in NYC on September 11, 2001 - it was definitely disrupted and then highly contested. </div><div><br /></div><div>Postponing an election is a very disruptive thing - we have to figure out what that means for the US. Who then becomes president while we wait for the election? Are there other options?</div><div><br /></div><div>In an emergency, people may not be able to vote in their normal way: there may not be enough poll workers, they may be in the hospital, recently moved, etc. We are seeing increased pressure on the counties for this, in a time of decreased funding.</div><div><br /></div><div>Matt then did a great walkthrough of vote-by-mail, how signatures are verified and ballot processing. 
How do we scale this up? Exception handling can be very labor intensive, and there is high pressure on chain of custody. It's hard to know how many people will ask for absentee ballots - they may not have enough, and they can't just copy ballots - so there is a necessary lead time.</div><div><br /></div><div>How can you help? Volunteer as a poll worker, election judge, wherever your county needs assistance with this election.</div><div><br /></div>Valerie Fenwick<br />
<br />
ICMC19: At the Root of It All: The Cryptographic Underpinnings of Security (2019-05-17)<br />
<span id="docs-internal-guid-3d0a6d9b-7fff-013a-2b9d-0e405af6e366"><a href="https://icmconference.org/?speaker=karen-reinhardt" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Karen Reinhardt</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">, Director, Security Tools, Entrust Datacard
</span></span><br />
What is security without cryptography? That's how it used to be - we secured our computers with physical access control. That advanced to password files and access control lists, and then once we got on the network we had to advance to things like LDAP. We still relied heavily on routers and firewalls. But now that we are in the cloud... are those still effective?<br />
<br />
We know we will have issues - so we must do monitoring and detection (IDS, IPS, logging, log analysis, etc) - but that's only if things have gone wrong. But, wouldn't it be better to prevent the incident?<br />
<br />
We used to secure devices by being in a physically secure environment, then we introduced VPNs - which allowed us to pretend we were in the physically secure environment.... but now we have so many connected devices in our house filled with personal and professional identity information.<br />
<br />
Those identities are hot commodities! Ms. Reinhardt has worked many breaches and she notes the attackers are always going after the MS Active Directory.<br />
<br />
Now even ambulances are connected to the Internet - but please don't attack them, you could put someone's life at risk.<br />
<br />
Think about comparing crypto keys to nuts & bolts in construction. You need to use good quality nuts and bolts, and you need redundancy - or you could have a catastrophic failure (think about the recent crane collapse in Seattle).<br />
<br />
If we have a few bad keys here and there - we might still be okay, depending on what is being protected. But, what if we lose an entire algorithm? What if it happens before quantum computers? We have nothing to replace RSA and ECC right now - what if something happens to them? Should we be looking at older algorithms and ideas?<br />
<br />
You need to assume your algorithms are going to fail and you will need to get new keys and new algorithms out there. Think about this as plumbing - you need to be able to replace the pipes.<br />
<br />
If we lose RSA, you lose your entire chain of trust. We can't reasonably replace every device out there - all the thermostats, traffic signals, cars, etc. Impossible.<br />
<br />
Good crypto alone is still not good enough - the attackers are still going to go after your users, your user directories, your insecure machines on your network, your Kerberos golden ticket.... We have to slow them down,<br />
<br />Valerie Fenwick, Vancouver, BC, Canada<br />
<br />
ICMC19: HW Equivalence Working Group (2019-05-16)<br />
<div style="background: 0px 0px rgb(239, 239, 239); border: 0px rgb(221, 221, 221); color: #333333; font-family: montserrat; font-size: 14px; margin-bottom: 20px; outline: 0px; padding: 0px; vertical-align: baseline;">
<a href="https://icmconference.org/?speaker=frenchc" style="background: 0px 0px; border: 0px rgb(221, 221, 221); color: #660000; margin: 0px; outline: 0px; padding: 0px; text-decoration-line: none; transition: color 300ms ease 0s, background-color 300ms ease 0s, opacity 300ms ease 0s; vertical-align: baseline;">Carolyn French</a>, Manager Cryptographic Module Validation Program, Canadian Centre for Cyber Security, Canada; <a href="https://icmconference.org/?speaker=nunezr" style="background: 0px 0px; border: 0px rgb(221, 221, 221); color: #660000; margin: 0px; outline: 0px; padding: 0px; text-decoration-line: none; transition: color 300ms ease 0s, background-color 300ms ease 0s, opacity 300ms ease 0s; vertical-align: baseline;">Renaudt Nunez</a>, IT Security Consultant, atsec, United States</div>
The working group will work towards a recommendation in the form of a draft Implementation Guidance (IG) to the CMVP.<br />
<br />
Vendors often want to submit multiple hardware modules in the same report, and therefore on the same certificate. Under what conditions can the lab perform limited operational testing on the group of modules and still provide assurance that the right testing has happened?<br /><br />
The basic assumption is that IG 1.22 is already met (same crypto), but the modules may have a different number of cards, chips, memory config, etc. For example, if you changed from solid state drive to classic hard disk... did you really need to do more testing? Same for things like field replaceable and stationary accessories.<br />
<br />
The draft IG is out and they are looking for reviewers.<br />
Valerie Fenwick, Vancouver, BC, Canada<br />
<br />
ICMC19: KMIP vs PKCS#11: There is no Contest! (2019-05-16)<br />
<span id="docs-internal-guid-d200ed15-7fff-3ea0-5ebf-9558b41124f6"><a href="https://icmconference.org/?speaker=coxt" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Tony Cox</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, VP Partners, Alliances and Standards, OASIS, Australia</span></span><br />
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Tony got a question in ICMC 2018 about "which of these two standards will win?" - the answer is BOTH. </span></span><br />
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The two standards have different scopes and areas where they are useful, but both are standards based, which should mean that they are vendor independent. Both standards have informative and normative documents updated by the technical committees.</span></span><br />
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">Tony gave a good overview of the </span><span style="font-size: 14.6667px; white-space: pre-wrap;">specifications</span><span style="font-size: 11pt; white-space: pre-wrap;">, including goals and documents, explaining it all - like what are profiles and what do they mean? Profiles help prove interoperability and do some baseline testing.</span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">KMIP 2.0 is full of loads of new features - hashed passwords, OTP, delegated login, Re-Encrypt (looking forward to post quantum crypto) and PKCS#11 operation... In addition to new features, lots of improvements as well.</span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">PKCS#11 3.0 - out for public review any day now... also has loads of new things! New algorithms, support for Login of a user and AEAD, better functionality support for interaction with KMIP (Like Unique Identifiers). This started from V2.40 errata 1.</span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">Key Manager uses KMIP and HSMs leverage PKCS#11... they work together. Key Manager is higher volume key management, key sharing. An HSM wants to keep the keys locked in. </span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">PKCS#11 over KMIP is essentially giving a standardized way to do PKCS#11 over a network. </span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">The two standards are quite complementary and have many of the same individuals or companies working on both. In the end, by following the standards we are giving the market freedom of choice.</span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>Valerie Fenwick, Vancouver, BC, Canada<br />
<br />
ICMC2019: Intel SGX's Open Source Approach to 3rd Party Attestation (2019-05-16)<br />
<span id="docs-internal-guid-8aea1b50-7fff-d938-0d9e-47e70cbcbd40"><a href="https://icmconference.org/?speaker=danzimmerman" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Dan Zimmerman</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, Security Technologist, Intel, United States</span></span><br />
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">SGX is a set of CPU instructions that enable the creation of memory regions with security features called 'enclaves'. It has encrypted memory with strong access controls, updatable trusted computing base (TCB). Developers can leverage this to relocate sensitive code and data to the enclave, which has a per process trusted execution </span><span style="font-size: 14.6667px; white-space: pre-wrap;">environment</span><span style="font-size: 11pt; white-space: pre-wrap;"> (TEE).</span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;">Common use cases are key protection, confidential computing, and crypto module isolation.</span></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 11pt; white-space: pre-wrap;"><br /></span></span></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">SGX Remote Attestation is a demonstration that software has been properly instantiated on a platform in good standing, fully patched and indeed in the enclave. Attestation evidence conveys identity of the software being attested, associated report data and details of the unmeasured state. </span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">The attestation service is truly verification as a service; it is privacy preserving and based on Enhanced Privacy ID (EPID). This approach does require that you're online and connect to a service.</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">
The newer approach is Datacenter Attestation Primitives (Intel SGX DCAP). It is datacenter and cloud service provider focused. It offers flexible provisioning and is based on ECDSA signatures, a well known verification algorithm. These primitives allow for construction of on-prem attestation services. This will leverage flexible launch control on the new Intel SGX enabled platforms. And best of all, it's open source! (That's how it got into the open source track :-) )</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Platform Certification Key (PCK) Retrieval. Intel issues a PCK Certificate for each of its processors at various TCBs. The retrieval tool will extract platform provisioning ID info for Intel PCS service requests. There is also a provisioning certification service and caching service.</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">There is a quote generation library that has an API for generating attestation evidence for an Intel SGX based enclave, and of course a quote verification library.</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">SGX Remote Attestation is important as a successful attestation provides increased confidence to Relying Parties prior to deploying secrets to application enclaves. It also allows for policy based decisions based on quote verification outcomes.</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>Valerie Fenwick, West Vancouver, BC V7S, Canada<br />
<br />
ICMC19: IoT TLS: Why is it Hard? (2019-05-16)<br />
<span id="docs-internal-guid-2b93862f-7fff-f806-79c3-b8dbec1def1c"><a href="https://icmconference.org/?speaker=david-brown" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">David Brown</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, Senior SW Engineer, Linaro, United States</span></span><br />
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">For reasons we can't really explain, we now have things like our lightbulbs, toasters and fridges on the Internet... now those devices are vulnerable to attack.</span></span><br />
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">5 worst examples: Jeep Hack, Mirai Botnet, Hackable Cardiac Devices, Owlet WiFi Baby Heart Monitor and Trendnet webcam hack. In the Jeep example, they had a lot of great controls in place, but not on who could update the firmware...</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">James Mickens was quoted as saying "IoT Security is not Interesting". It's not interesting, because it's not different. We already know how to secure devices... so we should do it! TLS is great - so let's just use that!</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">But, we have some really tiny devices out there - smaller than a Raspberry Pi. They have maybe less than 10s of KB of memory, and 10s of MHz of CPU... how can we do TLS there?</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">TLS has a way of specifying which cipher suites can be used during the handshake. It's hard to change what an IoT device is using, so how can a service just start rejecting something?</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">One of the problems is that lots of folks do not implement TLS correctly - TLS done incorrectly is worse than not doing it at all.</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">TLS requires memory, time and randomness - all things that are in short supply on IoT devices!</span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Some suggestions are to pursue stream abstraction or to put TLS under the socket API, but those don't really work. </span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Looking at Sockets + TLS now, Zephyr network API changes, JWT, time, MQTT... </span></span><br />
Valerie Fenwick<br />
<br />
ICMC2019: Does Open-Source Cryptographic Software Work Correctly (2019-05-16)<span id="docs-internal-guid-7daf1655-7fff-5226-8ec4-eb5c2565d7b2"></span><br />
<h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 14pt;">
<span id="docs-internal-guid-f1bd3dfb-7fff-7012-414b-3ff269684b79" style="font-weight: normal;"><a href="https://icmconference.org/?speaker=bernsteind" style="text-decoration-line: none;"><span style="color: black; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Daniel J. Bernstein</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, Research Professor, University of Illinois at Chicago, United States</span></span></h3>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Discussion on CVE-2018-0733 - an error in the CRYPTO_memcmp function, where only the least significant bit of each byte is compared. It allows an attacker to forge messages in fewer tries than guaranteed by the security claims. Yes, 2^16 is lower than 2^128.... It only impacts PA-RISC.</span></span></div>
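<div>
Added example (not from the talk and not OpenSSL's source): a C model of the defect described above next to a correct constant-time comparison, with a bit-sensitivity self-test of the kind that flags such a comparison before release. The function names, the 16-byte tag length and the sample tag are assumptions made for the illustration.</div>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16 /* assumed 128-bit authentication tag */

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Reference constant-time comparison: accumulate the XOR of every byte
 * pair, so the running time does not depend on where the buffers differ.
 * Returns 0 only when all len bytes match. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff;
}

/* Model of the defect: the same loop, but only bit 0 of each byte
 * difference survives, so seven of every eight bits are never checked. */
int lsb_only_memcmp(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= (unsigned char)((pa[i] ^ pb[i]) & 1u);
    return diff;
}

/* Constructed sample tag; any fixed byte pattern works for the test. */
static void sample_tag(unsigned char *tag, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        tag[i] = (unsigned char)(0xA5u ^ (i * 37u));
}

/* Self-test: flip each bit of the tag in turn and count how many flips
 * the comparison notices. A sound comparison notices all 8 * len. */
size_t effective_bits(cmp_fn cmp, size_t len)
{
    unsigned char ref[64], probe[64];
    size_t byte, detected = 0;
    unsigned bit;

    if (len > sizeof(ref))
        return 0;
    sample_tag(ref, len);
    for (byte = 0; byte < len; byte++) {
        for (bit = 0; bit < 8; bit++) {
            memcpy(probe, ref, len);
            probe[byte] ^= (unsigned char)(1u << bit);
            if (cmp(ref, probe, len) != 0)
                detected++;
        }
    }
    return detected;
}

/* Returns 1 if cmp reports "equal" for a tag that differs from the
 * reference in the upper seven bits of every byte. */
int accepts_mismatched_tag(cmp_fn cmp)
{
    unsigned char ref[TAG_LEN], wrong[TAG_LEN];
    size_t i;

    sample_tag(ref, TAG_LEN);
    for (i = 0; i < TAG_LEN; i++)
        wrong[i] = (unsigned char)(ref[i] ^ 0xFEu);
    return cmp(ref, wrong, TAG_LEN) == 0;
}

int main(void)
{
    printf("ct_memcmp:       %zu of %d bits checked, mismatched tag accepted: %d\n",
           effective_bits(ct_memcmp, TAG_LEN), 8 * TAG_LEN,
           accepts_mismatched_tag(ct_memcmp));
    printf("lsb_only_memcmp: %zu of %d bits checked, mismatched tag accepted: %d\n",
           effective_bits(lsb_only_memcmp, TAG_LEN), 8 * TAG_LEN,
           accepts_mismatched_tag(lsb_only_memcmp));
    return 0;
}
```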
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Take a look at CVE-2017-3738 ... It impacts the Intel AVX2 Montgomery multiplication procedure, but how likely is it to be exploited? According to the CVE - not likely, but where is the proof?</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Eric Raymond noted, in 1999, that given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone. Or, less formally, 'given enough eyeballs, all bugs are shallow'.</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">But, who are the beta-testers? Unhappy users? That's the model used by most social media companies nowadays.... </span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">And "almost every problem" is not "all bugs" ... what about exceptions? Can't those be very devastating? How do we really know that we are really looking? Who is looking for the hard bugs?</span></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">This seems to assume that developers like reviewing code - but in reality they like to write new code. The theory encourages people to release their code as fast as possible - but isn't that just releasing more bugs more quickly?</span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">So then, does closed source stop attackers from finding bugs? Some certifications seem to award bonus points for not opening your code - but, why? How long does it really take an attacker to extract, disassemble and decompile the code? Sure, they're missing your comments, but they don't care.</span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Closed source will scare away some "lazy" academics, but not attackers... it just takes longer for you as a vendor to find out about the issue. </span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">There is also a belief that closed source makes you more money, but is that still true? Aren't there a lot of companies making money off of support?</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Dan sees the only path forward through open source - it will build confidence in what we do. Cryptography is notoriously hard to review. Math makes for subtle bugs.... so do side-channel countermeasures. Don't even get started on post quantum... </span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">A big reason crypto is hard to review is our pursuit of speed, since it's often applied to large volumes of data. This leads to variations in crypto designs. The Keccak code package has more than 20 implementations for different platforms - hard to review!</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Google added hand-written Cortex-A7 ASM to the Linux kernel for Speck... even though people said Speck is not safe. They eventually switched to ChaCha... but created more hand-written assembly.</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">You can apply formal verification - the code reviewer has to prove correctness. It's tedious, but not impossible - EverCrypt is starting to do this, but for the simplest crypto operations (and you still have to worry about what the compiler might do...)</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Testing is great - definitely test everything! How can we auto-generate inputs? You can get lots of random inputs going through here - but you may still miss the "right" input that trips a bug. There are symbolic execution tools out there (angr.io, for example).</span></span></div>
<div>
<span style="font-weight: normal;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
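The point about random inputs missing the "right" one, shown on a small case. This is an added example, not code from the talk: the 128-bit limb adder and its planted carry bug are constructed for illustration, and the boundary-value vectors stand in for the path-aware input generation the notes mention.

```python
import itertools
import random

MASK = 0xFFFFFFFF   # 32-bit limbs, least significant limb first
LIMBS = 4           # 128-bit operands (constructed for this example)


def to_limbs(n):
    """Split an integer into LIMBS 32-bit limbs."""
    return [(n >> (32 * i)) & MASK for i in range(LIMBS)]


def from_limbs(limbs, carry):
    """Recombine limbs and the final carry into an integer."""
    return sum(l << (32 * i) for i, l in enumerate(limbs)) + (carry << (32 * LIMBS))


def add_buggy(a, b):
    """Multi-limb addition with a deliberately planted carry bug."""
    out, carry = [], 0
    for x, y in zip(a, b):
        s = (x + y + carry) & MASK
        # BUG: if y == 0xFFFFFFFF and carry-in == 1, s wraps around to exactly x,
        # so "s < x" is false and the carry-out is silently dropped.
        carry = 1 if s < x else 0
        out.append(s)
    return out, carry


def mismatches(pairs):
    """Differential test against Python's arbitrary-precision integers."""
    bad = []
    for a, b in pairs:
        limbs, carry = add_buggy(to_limbs(a), to_limbs(b))
        if from_limbs(limbs, carry) != a + b:
            bad.append((a, b))
    return bad


def random_pairs(n, seed=2019):
    """Uniformly random 128-bit operands: hits the bug with probability ~2**-32 per limb."""
    rng = random.Random(seed)
    return [(rng.getrandbits(128), rng.getrandbits(128)) for _ in range(n)]


def boundary_pairs():
    """Every operand whose limbs are drawn from {0, 1, 0xFFFFFFFF}."""
    edge = [0, 1, MASK]
    values = [from_limbs(list(c), 0) for c in itertools.product(edge, repeat=LIMBS)]
    return list(itertools.product(values, repeat=2))


if __name__ == "__main__":
    print("random inputs, failures:  ", len(mismatches(random_pairs(20000))))
    print("boundary inputs, failures:", len(mismatches(boundary_pairs())))
```
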
<br />
Valerie Fenwick, North Vancouver, BC V7K 3B2, Canada<br />
<br />
ICMC2019: Random Numbers, Entropy Sources, and You (2019-05-15)<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-525d93b2-7fff-4811-8c4b-eb528a7ad3d7"><a href="https://icmconference.org/?speaker=john-kelsey" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">John Kelsey</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, Computer Scientist, NIST, United States</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">SP 800-90B - think about how random bits should be generated. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">A DRBG should always sit between the entropy source and the attackers. The entropy source just gives you bits... with entropy (as per the source's promise).</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">SP 800-90B is not AIS31... though the two groups are talking.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Noise sources are where the entropy comes from; health tests verify the noise source and conditioning.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Noise sources must be non-deterministic; they often use ring oscillators. You have to be able to describe this in detail. This is complicated, as many vendors are relying on someone else's noise source. They either don't know or there is an NDA around it - that won't get validated. The submitter also has to provide an entropy estimate and a justification for that estimate.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Health tests - these need to keep running to verify the entropy source continues to work after it is deployed in the field.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
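A sketch of what such field health tests look like, as an added example that is not from the talk and is not NIST's code: the Repetition Count Test and Adaptive Proportion Test that SP 800-90B defines as continuous health tests, run over constructed bit streams. The false-positive rate of 2^-20, the claimed entropy of 0.5 bits per sample and the three sample streams are assumptions of this example.

```python
import math
import random

ALPHA_EXP = 20  # assumed false-positive rate per test: alpha = 2**-20


def rct_cutoff(h, alpha_exp=ALPHA_EXP):
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H), H > 0."""
    return 1 + math.ceil(alpha_exp / h)


def apt_cutoff(h, window, alpha_exp=ALPHA_EXP):
    """Adaptive Proportion Test cutoff: C = 1 + critbinom(W, 2**-H, 1 - alpha)."""
    p, alpha = 2.0 ** -h, 2.0 ** -alpha_exp
    log_p, log_q = math.log(p), math.log1p(-p)
    k, tail = window, 0.0  # invariant: tail == P(X > k) <= alpha
    while k > 0:
        log_pmf = (math.lgamma(window + 1) - math.lgamma(k + 1)
                   - math.lgamma(window - k + 1)
                   + k * log_p + (window - k) * log_q)
        pmf = math.exp(log_pmf)
        if tail + pmf > alpha:
            break
        tail += pmf
        k -= 1
    return 1 + k


class RepetitionCountTest:
    """Fails when one value repeats C or more times in a row (stuck source)."""

    def __init__(self, h):
        self.cutoff, self.last, self.run = rct_cutoff(h), None, 0

    def feed(self, x):
        if x == self.last:
            self.run += 1
        else:
            self.last, self.run = x, 1
        return self.run < self.cutoff


class AdaptiveProportionTest:
    """Fails when the first value of a window recurs C or more times within it."""

    def __init__(self, h, binary):
        self.window = 1024 if binary else 512
        self.cutoff = apt_cutoff(h, self.window)
        self.seen = 0

    def feed(self, x):
        if self.seen == 0:                 # first sample of a new window
            self.ref, self.count, self.seen = x, 1, 1
            return True
        self.seen += 1
        if x == self.ref:
            self.count += 1
        ok = self.count < self.cutoff
        if self.seen == self.window:       # window complete, start over
            self.seen = 0
        return ok


def monitor(samples, h, binary=True):
    """Return (test name, sample index) of the first failure, or None."""
    rct, apt = RepetitionCountTest(h), AdaptiveProportionTest(h, binary)
    for i, x in enumerate(samples):
        rct_ok, apt_ok = rct.feed(x), apt.feed(x)
        if not rct_ok:
            return ("RCT", i)
        if not apt_ok:
            return ("APT", i)
    return None


# Constructed sample streams (a seeded PRNG stands in for a real noise source).
def healthy_bits(n, seed=1):
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def stuck_bits():
    return healthy_bits(1000) + [0] * 100          # source sticks at 0


def biased_bits(n=2048):
    return [0 if i % 10 == 9 else 1 for i in range(n)]  # 90% ones, short runs


if __name__ == "__main__":
    for name, stream in [("healthy", healthy_bits(8192)),
                         ("stuck", stuck_bits()), ("biased", biased_bits())]:
        print(name, monitor(stream, h=0.5))
```

The stuck stream trips the repetition test, while the biased stream never produces a long run and is only caught by the proportion test, which is why both run side by side.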
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Conditioning is there to improve the entropy. Conditioning functions are deterministic, so they cannot add entropy... </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">IID = Independent and Identically Distributed - each sample is independent of all others, and independent of its position in the sequence of samples. NIST will run statistical tests to try to disprove the claim. If we can't disprove it, we assume it is true.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">If you don't claim to be IID, NIST will apply many different entropy estimators against sequential datasets. They will look for things like bias after restart. If issues are found, that may get you rejected or a lower estimate of entropy. Would rather underestimate than overestimate!</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">But... black box statistical tests can't reliably measure entropy.... Ideally you need to design it right and document it and share with NIST (where available).</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
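Both the "rather underestimate" rule and the limits of black-box testing can be seen with one estimator. This is an added example, not from the talk and not NIST's tool: it implements the most-common-value min-entropy estimate from SP 800-90B (only one of the estimators NIST applies), with the 99% upper bound constant 2.576; both input streams are constructed.

```python
import hashlib
import math
from collections import Counter

Z_99 = 2.576  # 99% upper confidence bound on the most common value's probability


def mcv_min_entropy(samples):
    """Most-common-value estimate: min-entropy per sample, in bits."""
    n = len(samples)
    p_hat = max(Counter(samples).values()) / n
    # Push the observed probability UP before taking the log, so that
    # sampling noise can only lower the entropy estimate.
    p_upper = min(1.0, p_hat + Z_99 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_upper)


def biased_bits(n=10000):
    """Constructed stream: exactly 90% ones."""
    return [0 if i % 10 == 9 else 1 for i in range(n)]


def counter_hash_bytes(blocks=4096):
    """Constructed stream: SHA-256 of a counter. Fully deterministic, so it
    carries no entropy at all for anyone who knows the design."""
    out = bytearray()
    for i in range(blocks):
        out += hashlib.sha256(i.to_bytes(8, "big")).digest()
    return list(out)


if __name__ == "__main__":
    true_h = -math.log2(0.9)
    print(f"biased bits:  estimate {mcv_min_entropy(biased_bits()):.3f}"
          f" bits/sample (true value {true_h:.3f})")
    print(f"hash counter: estimate {mcv_min_entropy(counter_hash_bytes()):.2f}"
          f" bits/byte (true value 0)")
```

The biased stream is scored slightly below its true min-entropy, as intended, but the deterministic hash stream is scored at nearly 8 bits per byte, which is why the design description matters more than the statistics.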
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Currently for conditioning you can choose: hash, HMAC, CMAC, CBC-MAC, DFs all from 800-90A. You can also roll your own. Or, just don't use it. </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Problems are: we can't impact performance too much, can't expect this level of expertise at the labs... </span></span></div>
<br />
Valerie Fenwick, Vancouver, BC, Canada<br />
<br />
ICMC19: Emerging Cryptography Trends in the Internet of Things (2019-05-15)<br />
<div>
<span id="docs-internal-guid-20562b7c-7fff-ed79-acb5-f7d90751d27c"></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span id="docs-internal-guid-20562b7c-7fff-ed79-acb5-f7d90751d27c"><a href="https://icmconference.org/?speaker=chuck-white" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Charles White</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">, CTO, Fornetix, United States</span></span></div>
<span id="docs-internal-guid-20562b7c-7fff-ed79-acb5-f7d90751d27c">
<div>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</span></div>
<div>
In a connected world, we need to think about security in new ways. There are a lot of IoT devices out there sensing... reading... waiting.... Cryptography is very similar to IoT! In the IoT landscape, we're starting to hear about Root of Trust, Data-in-Motion Encryption and Data-at-Rest Encryption.</div>
<div>
<br /></div>
<div>
Sensing vs Acting - acting has more requirements for encryption and authentication. Cryptography is Identity, Authentication and Authorization. There aren't users, logins, passwords... these are small devices that have little or no human interaction. Crypto has to be that user, per se.</div>
<div>
<br /></div>
<div>
It's all about the root of trust. When a device goes from the factory to someone's living room, the consumer needs to know the device hasn't been tampered with. But crypto can also be used to establish sessions, exchange information and data securely, etc.</div>
<div>
<br /></div>
<div>
When we talk about IoT, there is a lot of data in motion. Hard drive encryption and radio encryption both use symmetric keys - this is something we should understand how to do. Protection needs to be balanced with other requirements, such as bandwidth and battery consumption.</div>
<div>
<br /></div>
<div>
We need to protect data at rest - but we also need to allow access. Think about a mechanic trying to access data from the CAN bus. </div>
<div>
<br /></div>
<div>
We can look at turning our challenges into opportunities. Can we align disparate technologies? Could we orchestrate utilization and product strategy? What if we could do device attestation at scale? And make the orchestration of root of trust widely available?</div>
<div>
The next trend is how cryptography can orchestrate control and management. We need to rely on standards and interoperability, automating and simplifying.</div>
<div>
<br /></div>
<div>
We need a way to do key distribution and association for narrowband IoT sensors, communications infrastructure and device management.</div>
<div>
<br /></div>
<div>
We already have the fundamentals and knowledge - need to apply to IoT in a way that makes sense.</div>
<br />
Valerie Fenwick<br />
<br />
ICMC19: FIPS 140-2 and the Cloud (2019-05-15)<br />
<span id="docs-internal-guid-f917fdd7-7fff-3eb0-e367-47b253efe0cf"></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://icmconference.org/?speaker=alanhalachmi" style="text-decoration-line: none;">Alan Halachmi</a></span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, Sr. Manager, Solutions Architecture, Amazon, United States</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">FIPS 140-2 came out in May 2001... think about that, that was before Facebook, Gmail, etc - and way before cloud computing.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Right now validating on the cloud is impossible, as level 1 requires single operator mode - not how you will find things set up in the cloud. In fact, an IG on Operational Environment specifically notes that you cannot use things like AWS, MS Azure or Google Cloud....</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">But - someone like Amazon can validate one of their services, as they are the sole operator.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The security landscape is in constant flux - making it difficult to keep a module validated. Performance is often impacted in validated modules - which is not tenable for Amazon.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Amazon wanted a framework that would allow real time advancement from validated environment to validated environment. We want to make it clear that it's a multi-party environment, and with that comes shared responsibility, but would require minimal coordination and be applied consistently between different application models. As much as possible, we want to leverage existing investments.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">
There needs to be focus on automation and defining of relationships. Vendors need the ability to run their own FIPS 140 testing, so they can be assured that any changes they are making have not caused issues - then they can also test performance, etc. Fortunately, ACVP is creating a method for doing this automated testing! NIST approved!</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">We should look to another model for validation. Think about our history - humans used to come up with hypotheses and then prove them. After the 1970s, humans came up with the hypotheses and machines proved them. Could machines do both?</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Think about the surface area of your code - the most critical code is in small areas (hypervisor, kernel, etc). Attackers have more time (OSes and machines deployed for years) and have learned from what worked in the past. Can we use formal methods for verification? Amazon has done one for TLS - it's on GitHub. </span></span></div>
<br />
Valerie Fenwick, Vancouver, BC, Canada<br />
<br />
ICMC19: Keynote: Mary Ann Davidson (2019-05-15)<br />
<span id="docs-internal-guid-c0193567-7fff-0b7d-9b79-0cd116d1e02b"><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://icmconference.org/?speaker=mary-ann-davidson" style="text-decoration-line: none;"> </a>The opening remarks included another great cartoon from Atsec, a tribute to the new ACVP (Automated Certificate Validation Program) - very funny!</span></span><br />
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Matt Keller gave us an update on the CMUF (Crypto Module User Forum). They have several working groups that are contributing to new implementation guidance from NIST. Their goals are to share information and help move the standards forward. NIST also comes and gives updates, and the forum provides a way to share ideas and suggestions on navigating a validation.</span><br />
<span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<a href="https://icmconference.org/?speaker=mary-ann-davidson" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Mary Ann Davidson</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">, Chief Security Officer, Oracle Corp., "Keeping Up with the Joneses". When Ms. Davidson started in security, nobody cared (except PTLGA - Paranoid Three Letter Government Agencies). There was hardly any 3rd party software, except for crypto. Nobody cared, so it was a quiet job - like the Maytag repair man.... </span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">But things are changing. SW and HW are ubiquitous - you can even have an Internet connected fridge. 66% of applications code is now open source... need to keep up and understand the landscape.</span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span style="font-family: "arial";"><span style="font-size: 11pt; white-space: pre-wrap;">We need to keep up with new </span><span style="font-size: 14.6667px; white-space: pre-wrap;">threats</span><span style="font-size: 11pt; white-space: pre-wrap;">, market expectations, latest regulatory FDJ (framework du jour) and changes in the industry.</span></span></span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Hackers are moving towards hardware, so her ethical hacking team is focusing now on HW in addition to their SW work. HW hacking combined with IoT has greatly increased our area of attack.</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">
Regulatory frameworks should not be tied to a specific technology or vendor. ("regulatory capture" - not a good thing).</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Looking at market expectations - 3rd party code enables scarce resources to be used on innovation, not "building blocks" (ie cutting down trees to build your own house...). But, this creates a target for a hacker. Everyone loves free code, but nobody wants to invest in making it better.</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Vendors need to know what is in their code - beware of 3rd party code that pulls in other code... need to understand it all. Should have fewer instances of 3rd party libraries in their code to minimize attack surfaces and simplify and lower cost of upgrade. That is, don't have 48 copies of one 3rd party library - have a central copy. </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Department of Commerce (DoC) is working on a Software Bill of Materials - you will have to know, as a vendor, what is in your SW. But what does that buy you? Customers typically cannot replace third party libraries in code - they have a binary, or license forbids. Also, just having the vulnerable code doesn't mean you are using it in a vulnerable way. Lots of resources spent upgrading, even though it is irrelevant. Veracode noted that 95% of Java vulns in 3rd party code are NOT exploitable in the context of the application... </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">What could we do instead? Be honest with your customers. Describe how we use the code. Fix the worst issues the fastest. Need to have a way to teach the scanners about usage - i.e. - not vulnerable as being used. </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Changes in industry can be distracting: "On prem/waterfall is so last year...". Need to keep the meaningful aspects as we move on, timelines still matter. We have to think about how long things like validations take - can't do all SW at the same time. Need to do the most relevant and do it as efficiently as possible. </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">We need cloud agility in certifications. NIST has 2 working groups looking at doing FIPS for crypto in the cloud, but we need to do it faster.</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Perfect storm of increased regulatory scrutiny and increased use of technology has led to greater risk management inquiries. Need to assess relevant risk management concerns. You wouldn't want or need to inspect a day care provider's vacation home... not relevant. </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">People have asked Ms Davidson for things like: "we have the right to pen test any system in your network" "need patching status of every system in your network" ... etc. </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">This is problematic because it's not germane to her particular risk management concerns. For example, she's often asked about "3 day patching" - even though the person asking knows it's not possible, but they still want it in a contract... </span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Mary Ann apparently makes a really good rhubarb crisp, but she's not going to force it as a standard... so don't ask her to do a non-standard certification, either. (though you may want to have some of her rhubarb crisp....)</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Vendors need to be more public with what they are doing, otherwise customers will assume you're not doing something. Set up clear rules of engagement - makes the questions more relevant and the discussions more fruitful. Keep in mind that anything vague will be misinterpreted - needs to be challenged.</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Remember - change is inevitable, embrace it and OWN it. Don't let others own the change agenda, or you won't like the result. Use only globally accepted standards where feasible instead of one-off "wants". Economics rule the world - know it, use it, own it!</span></span><br />
Posted by Valerie Fenwick, Vancouver, BC, Canada<br />
<br />
BH18: Why so Spurious? How a Highly Error-Prone x86/x64 CPU "Feature" can be Abused to Achieve Local Privilege Escalation on Many Operating Systems<br />
Published 2018-10-09<br />
<span id="docs-internal-guid-49ce9b24-7fff-6928-4f8a-7e4c8f7d01af"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Nemanja Mulasmajic and </span><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Nicolas Peterson </span></span>are Anti-Cheat Engineers at Riot Games.<br />
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This is about a hardware feature available in Intel and ARM
chips. The “feature” can be abused to achieve local privilege escalation.<o:p></o:p></div>
<div class="MsoNormal">
<br />CVE-2018-8897 – this is a local priv escalation – read and
write kernel memory from usermode. Execute usermode code with kernel
privileges. Affected Windows, Linux, MacOS, FreeBSD and some Xen configurations.
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
To fully understand this, you’ll need to have some good
assembly knowledge and privilege models. In the standard model, Ring 1 and 2
are really never used, just Ring 3 (least privileged) to Ring 0 (most) (it is a
simplified view).<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Hardware breakpoints cannot typically be set by userland,
though there are often ways to do it in syscalls. When an interrupt fires, it
transfers execution to an interrupt handler. Lookup is based off of the
interrupt descriptor table (IDT), which is registered by the OS.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Segmentation is a vestigial part of the x86 architecture now
that everything leverages paging. You
can still set arbitrary base addresses.
The first 2 bits describe if you’re in kernel or user mode. Depending on
the mode of execution, the GS base means different things (it holds data
structures relevant to the mode of execution). If we’re coming from user mode,
we need to call SWAPGS to update to the equivalent in kernel mode.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
MOV SS and POP SS force the processor to disable external
interrupts, NMIs and pending debug exceptions until the boundary of the
instruction following the SS load was reached. The intended purpose was to
prevent an interrupt from firing immediately after loading SS but before
loading a stack pointer.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It was discovered while building a VM detection mechanism,
as VMs were being used to attack Anti-Cheat. They thought – what if VMEXIT
occurs during a “blocking” period? Let’s
follow the CPUID… They started thinking about what would happen if they fired
interrupts at unexpected times.<o:p></o:p></div>
<div class="MsoNormal">
So, what happens? Why did his machine crash? Before KiBreakpointTrap executes its first
instruction, the pending #DB (which was suppressed by MOV SS) is fired and
execution redirects to KiBreakpointTrap, which sends execution back to
where it *thought* it should go – kernel (though it had come from user mode).<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Code can be found at github.com/nmulasmajic; if you aren’t
patched, the system will crash. Showed a demo
of 2 lines of assembly code putting a VM into a deadlock.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
They can avoid SWAPGS since Windows thinks they are coming
from kernelmode.<span style="mso-spacerun: yes;"> </span>WRGSBASE writes to the
GSBASE address, so use that!<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
They fired a #DB exception at an unexpected location, and then
the kernel becomes confused. The handler thinks they are privileged, and now they
control GSBASE. Now they just need to
find instructions to capitalize on this… <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Erroneously assumed there was no encoding for MOV SS, [RAX]
only immediate. It doesn’t dereference memory, but POP SS does dereference
stack memory. BUT… POP SS is only valid in 32-bit compatibility code segment.
On Intel chips, SYSCALL cannot be used in compatibility mode. So… focusing on
using INT # only.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
With the goal of writing memory, found that if they caused a
page fault (KiPageFault) from kernelmode, they could call KeBugCheckEx
again. This function dereferences GSBASE
memory, which is under their control… <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It clobbers surrounding memory. Had to make one CPU “stuck”
to deal with writing to target location. Chose CPU1 since CPU0 had to service
other incoming interrupts from APIC. CPU1 endlessly page faults, goes to the
double fault handler when it runs out of stack space.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The goal was to load an unsigned driver. CPU0 does the
driver loading. They attempted to send TLB shootdowns, forcing CPU0 to wait on
the other CPUs by checking the PacketBarrier variable in its _KPCR. But, CPU1 is
in a dead spin… will never respond. But, “luckily” there was a pointer leak in
the _KPCR for any CPU, accessible from usermode. (The exploit does require a
minimum of 2 CPUs.)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It is complicated, and it took the researchers more than a
month to make it work. So, they looked into the syscall handler –
KiSystemCall64. It is registered in the IA32_LSTAR MSR. SYSCALL, unlike INT #,
will not immediately swap to kernel – actually made things easier. (SYSCALL
functions similarly to INT 3.)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Another cool demo :-)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A lot of this was patched in May. MS was very quick to
respond, and most OSes should be patched by now. You can’t abuse SYSCALL
anymore. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Lessons learned – want to make money on bug bounty? You need
a cool name and a good graphic for your vuln (pay a designer!), and don’t
forget a good soundtrack!<o:p></o:p></div>
Posted by Valerie Fenwick<br />
<br />
BH18: How I Learned to Stop Worrying and Love the SBOM<br />
Published 2018-10-09<br />
<span id="docs-internal-guid-6a628f00-7fff-7fab-0fab-2379af3fa22f"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">Allan Friedman | Director of Cybersecurity, NTIA / US Department of Commerce</span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></span>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Vendors need to understand what they are shipping to the
customer, need to understand the risks in what is going out the door. You
cannot defend what you don’t know. Think about ingredients list on a box – if
you know you have an allergy, you can simply check the ingredients and make a
decision. Why should software/hardware we ship be any different?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">There had been a bill before Congress, requesting that there
always be an SBOM (SW Bill of Materials) for anything the US Government buys –
so they know what they are getting and how to take care of it. The bill was
DoA, but things are changing…<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The Healthcare Sector has started getting behind that. Now
people in FDA and Washington are concerned about the supply chain. There should
not be a health care way of doing this, an automotive way of doing this, a DoD way of
doing this… there should be one way.
That’s where the US Department
of Commerce comes in. We don’t want this coming from a single
sector.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Committees are the best way to do this – they are consensus
based. That means it is stakeholder driven, no single person can derail. Think
about it like “I push, but I don’t steer”. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">We need Software Component Transparency. We need to compile
the data, share it and use it. Committee
kicked off on July 19 in DC. Some folks believe this is a solved problem, but
how do we make sure the existing data is machine readable? We can’t just say
‘use grep’. Ideally it could hook into tools we are already using.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br />First working group is tackling defining the problem.
Another is working on case studies and state of practice. Others on standards
and formats, healthcare proof of concept, and others.<o:p></o:p></span></div>
<span style="line-height: 107%;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="line-height: 107%;"><span style="font-family: Arial, Helvetica, sans-serif;">We need more people to understand and poke at
the idea of software transparency – it has real potential to improve resiliency
across different sectors.</span></span><br />
Posted by Valerie Fenwick<br />
<br />
BH18: Keynote! Parisa Tabriz<br />
Published 2018-10-09<br />
<div class="MsoNormal">
Jeff Moss, founder of Black Hat, started out the first session at the top of the conference, noting several countries have only one person from their
country here – Angola, Guadalupe, Greece, and several others. About half of the
world’s countries are represented here this year! Black Hat continues to offer
scholarships to encourage a younger audience to attend, who may not be able to
afford to. Over 200 scholarships were awarded this year!<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
To Jeff, it feels like the adversaries have strategies, and
we have tactics – that’s creating a gap. Think about address spoofing – it’s
allowed and turned on on popular mobile devices by default, though most
consumers don’t know what it is and why they should turn it off.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
With Adobe Flash going away, the belief out there is that this will
increase spam and change that landscape. We need to think about that.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>Parisa Tabriz, Director of Engineering, Google.</u></b><o:p></o:p></div>
<div class="MsoNormal">
Parisa has worked as a pen tester, engineer and more
recently as a manager. She has often felt she was playing a game of
“whack-a-mole” – how do we get away from this? Where the same vuln (or a
trivial variation of another vuln) pops up over and over. We have to be more
strategic in our defense.<o:p></o:p></div>
<div class="MsoNormal">
Blockchain is not going to solve our security problems. (no
matter what the vendors in the expo tell you…)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It is up to us to fix these issues. We can make great
strides here – but we have to realize our current approach is insufficient.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We have to tackle the root cause, pick milestones and
celebrate and build out your coalition.
We need to invest in bold programs – building that coalition with people
outside of the security landscape.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We cannot be satisfied with just fixing vulnerabilities. We
need to explore the cause and effect – what causes these issues. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Imagine a remote code execution (RCE) is found in your code
– yes, fix it, but figure out why it was introduced (the 5 Whys)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Google has started Project Zero – Make 0-Day Hard. Project
Zero was formed in 2014, treats Google products like 3<sup>rd</sup> party.
Finding thousands of vulnerabilities. But they want to achieve the most defensive
impact from any vulnerabilities they find. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Team found that vendor response varied wildly in the
industry – and it never really aligned with consumer needs. There is a power
imbalance between security researcher and the big companies making the software.
Project Zero has set a 90 day release time line, which has removed the
negotiation between a researcher and the big company. A deadline driven
approach causes pain for the larger organizations that need to make big changes
– but it is leading to positive change at these companies. They are rallying
and making the necessary fixes internally.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
One vendor improved their patch response time by as much as
40%! 98% of the issues are fixed within the 90-day disclosure period – a huge
change! Unsure what all of those changes
are, but guessing it’s improved processes, creating security response teams,
etc.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If you care about end user security, you need to be more
open. More transparency in Project Zero has allowed for more collaboration.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We all need to increase collaboration – but this is hard
with corporate legal, process and policies. It’s important that we work to
change this culture.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The defenders are our unsung heroes – they don’t win awards,
often are not even recognized at their office. If they do their job well,
nobody notices.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We lose steam in distraction driven work environments. We
have to project manage, and keep driving towards this goal.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We need to change the status quo – if you’re not upsetting
anyone, then you’re not going to change the status quo.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
One project Google is doing to change the world is to move
people away from HTTP and to HTTPS on the web platform. Not just Google services, but the entire
world wide web. We wanted to see a web
that was by default secure – not opt-in secure. The old Chrome browser didn’t
make it obvious to users which was the better website – something to work
on.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Browser standards come from many standards bodies, like
IETF, W3C, ISO, etc – and then people build browsers on top of those using
their own designs. Going to HTTPS is not as simple as flipping a switch – need
to worry about getting certificates, performance, managing the security, etc.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Did not want to create warning fatigue, or to have it be
inconsistently reported (that is, a site reported as insecure on Chrome, but
secure on another browser).<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Needed to roll out these changes gradually, with specific
milestones we could celebrate. Started with a TLSHaiku poetry competition,
which led to brainstorming. Shared ideas
publicly, got feedback from all over, and helped to build support internally at
Google to drive this. Published a paper on how to best warn users. Published papers regarding who was and was
not using HTTPS. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Started a grassroots effort to help people migrate to HTTPS.
Celebrated big conversions publicly, recognizing good actors. Vendors were given a deadline to transition
to, with clear milestones to work against, and could move forward. Had to work
with certificate vendors to make it easier and cheaper to get certificates.<br /><br /><o:p></o:p></div>
<div class="MsoNormal">
Team ate homemade HTTPS cake and pie! It is important to
celebrate accomplishments, acknowledge the difficult work done. People need
purpose – it will drive and unify them.</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Chrome set out with an architecture that would prevent a
malicious site from attacking your physical machine. But now, with lots of data
out there in the cloud, cross-site data attacks have grown. Google’s Chrome team started the Site
Isolation project in 2012 that prevents the data from moving that way.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We need to continue to invest in ambitious proactive
defensive projects.<o:p></o:p></div>
<span style="font-family: "Calibri",sans-serif; font-size: 11.0pt; line-height: 107%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span>
<span style="font-family: "Calibri",sans-serif; font-size: 11.0pt; line-height: 107%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Projects can fail for a variety of reasons –
management can kill the project, for example.
The site isolation project was originally estimated to be a year, but it
actually took six….. schedule delay at that level puts a bulls-eye on you. Another issue could be lack of peer support –
be a good team player and don’t be a jerk!</span><br />
Posted by Valerie Fenwick<br />
<br />
BH18: Lowering the Bar: Deep Learning for Side Channel Analysis<br />
Published 2018-08-09<br />
Jasper van Woudenberg, Riscure<br />
<br />
The old way of doing side channel analysis was to do leakage modeling to pull out keys from the signals. Started researching what happens if they use a neural network for the analysis.<br />
<br />
They still need to attach the scopes and wires to the device, can't get robots to do that, yet. They do several runs and look for variations in signal/power usage to find leakages from the patterns (and divergence of the patterns).<br />
<br />
Then we got a demo of some signal analysis - he made a mistake, and noted that is the problem with humans: we make mistakes.<br />
<br />
Understanding the power consumption can give you the results of X (X-or of Input and Key), then if we know input - we can get the key! Still a lot of work to do.<br />
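The leakage-modeling approach described above (recover X = input XOR key from power, then solve for the key), shown as an added example that is not from the talk or from Riscure. Everything in it is constructed: the traces are simulated with a Hamming-weight leakage assumption, and the key byte, noise level and function names are hypothetical. It also runs the same analysis against a masked implementation to show what a countermeasure does to the correlation.

```javascript
// Constructed simulation: no real device or captured traces are involved.
const SECRET_KEY = 0x3c;  // constructed key byte held by the simulated device
const NOISE_SIGMA = 1.0;  // measurement noise, in Hamming-weight units

// Seeded PRNG (mulberry32) so every run produces the same traces.
function mulberry32(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Standard normal sample (Box-Muller).
function gaussian(rand) {
  const u1 = 1 - rand(); // in (0, 1], avoids log(0)
  const u2 = rand();
  return Math.sqrt(-2 * Math.log(u1)) * Math.cos(2 * Math.PI * u2);
}

function hammingWeight(byte) {
  let n = 0;
  for (let b = byte; b; b >>>= 1) n += b & 1;
  return n;
}

// One power sample per operation: HW(input XOR key) plus noise.
// With masked=true a fresh random mask is XORed in as well (first-order
// masking), so the leaking value no longer depends on input and key alone.
function captureTraces(key, count, masked, seed) {
  const rand = mulberry32(seed);
  const inputs = [];
  const power = [];
  for (let i = 0; i < count; i++) {
    const input = Math.floor(rand() * 256);
    const mask = masked ? Math.floor(rand() * 256) : 0;
    inputs.push(input);
    power.push(hammingWeight(input ^ key ^ mask) + NOISE_SIGMA * gaussian(rand));
  }
  return { inputs, power };
}

// Pearson correlation coefficient between two equal-length series.
function pearson(xs, ys) {
  const n = xs.length;
  const mx = xs.reduce((s, v) => s + v, 0) / n;
  const my = ys.reduce((s, v) => s + v, 0) / n;
  let sxy = 0, sxx = 0, syy = 0;
  for (let i = 0; i < n; i++) {
    sxy += (xs[i] - mx) * (ys[i] - my);
    sxx += (xs[i] - mx) ** 2;
    syy += (ys[i] - my) ** 2;
  }
  return sxy / Math.sqrt(sxx * syy);
}

// Leakage model: for each key guess, predict HW(input XOR guess) and
// correlate the prediction with the measured power. The best-correlating
// guess is the key candidate.
function bestKeyGuess({ inputs, power }) {
  let best = { guess: -1, corr: -Infinity };
  for (let guess = 0; guess < 256; guess++) {
    const model = inputs.map((p) => hammingWeight(p ^ guess));
    const corr = pearson(model, power);
    if (corr > best.corr) best = { guess, corr };
  }
  return best;
}

const unprotected = bestKeyGuess(captureTraces(SECRET_KEY, 1000, false, 1));
const masked = bestKeyGuess(captureTraces(SECRET_KEY, 1000, true, 2));
console.log("unprotected:", unprotected.guess.toString(16), unprotected.corr.toFixed(3));
console.log("masked:     ", masked.guess.toString(16), masked.corr.toFixed(3));
```

The correlation of the best guess is a useful leakage metric for a defender: a high peak on the unprotected run means the intermediate value is visible in power, while the masked run shows only noise-level correlation for this first-order model.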
<br />
In template analysis, you build models around various devices from power traces - then look for other devices using the same chipset, and then can start gathering input for analysis.<br />
<br />
The researchers then looked at improving their processes with Convolutional Neural Networks (CNNs). There is the input layer (size is equal to number of samples), the convolutional layer (feature extractor + encoding), then dense layers (classifiers) and finally the output layer. Convolutional layers are able to detect the features independently of their positions.<br />
<br />
There are a lot of visuals and live tracing, hard to capture here, but fascinating to watch :-)<br />
<br />
Caveat - don't give too much input or make the network too big, or the model cannot actually learn and will not be able to classify new things (memorizing vs. learning). Need to verify this with validation recall. <br />
<br />
Deep learning can really help with side channel analysis and it scales well. It does require network fiddling, but it's not that hard. This automation will help put a dent into better securing embedded devices.<br />
<br />
<br />
Posted by Valerie Fenwick, Las Vegas, NV, USA<br />
<br />
BH18: Legal Liability for IoT Cybersecurity Vulnerabilities<br />
Published 2018-08-09<br />
IJay Palansky, Partner, Armstrong Teasdale<br />
<br />
IJay is not a cyber security expert, but he is a trial lawyer who handles complex commercial litigation, consumer protection, and class actions - usually representing the defendant.<br />
<br />
There is a difference between data breach and IoT vulns. They aren't handled the same. There is precedent on data breaches, but not really much on IoT devices. People have been radically underestimating the cost and volume of IoT lawsuits that are about to come. The conditions are going to be right for a wave of lawsuits.<br />
<br />
Think about policy. The rules are changing. It is hard to predict how this will play out, so it's hard to say how IoT companies should protect themselves. IJay likes this quote from Jeff Motz - "What would make 'defense greater than offense'..?" (Motz? maybe Moss?)<br />
<br />
People are trying to get the latest and greatest gadget out, to get the first to market advantage. Security slows this down. But if you're not thinking about device security up front, you are putting yourself at risk. If you get drawn into litigation or the media draws attention to it, you need to be able to answer to the media (or a judge) what you did to meet basic security requirements for that type of device. Think of avoiding the liability. Judges will look for who is the most responsible.<br />
<br />
It's estimated that there will be 20 Billion connected devices by 2020.<br />
<br />
There are ridiculous items coming online all the time - like the water bottle that glows when you need to drink, the connected Moen shower to set temperature, and the worst, the i.Con Smart Condom... oh boy.<br />
<br />
These devices have potential to harm, from privacy issues to physical harm. There can be ransomware, DDoS attacks, etc. These are reality - people are remotely hacking vehicles already.<br />
<br />
Plaintiffs' lawyers are watching and waiting; they want to make sure they can get something out of it financially. They need to be able to prove harm and attribution (who to blame). Most importantly, the plaintiffs' lawyers don't understand this technology (and neither do the judges), or how the laws here work.<br />
<br />
There is general agreement that the security of IoT devices is not where they should be. There will be lawsuits, once there are some, there will be more (those other attorneys will be watching).<br />
<br />
This is not the first time that product liability or other law has had to address new technology, but the interconnectedness involved in IoT is unique. They need to show whose fault it was - could get multiple defendants, and they will be so busy showing what the other defendant did wrong - doing the plaintiffs' lawyer's job for them. :-)<br />
<br />
There has been some enforcement by regulators, like the response to TRENDnet Webcam hack in Jan 2012, which resulted in a settlement in 2013.<br />
<br />
Some lawyers will be looking for opportunities to take up these cases, to help build a name and reputation.<br />
<br />
The Jeep hack was announced in 2015, then Chrysler recalled the vehicles. That's not where the story ends... there is a class action lawsuit moving forward still. (filed in 2016, but only approved yesterday to go forward). This is where things get interesting - nobody was hurt, but there was real potential of getting hurt. People thought they were buying a safe car, and they were not. What is the value?<br />
<br />
There is reputation loss, safety issues, and the cost of litigation that makes this all a problem. It's a burden and distraction on key employees that have to be deposed, find documents, etc.<br />
<br />
The engineers and experts get stressed about saying something that will hurt their company, or thinking that they did something wrong that hurt someone. That is a cost.<br />
<br />
IJay then walks us through law school in 10 minutes :-)<br />
<br />
You need to understand the legal risks and associated costs when you are making decisions on the right level of security.<br />
<br />
Damages vary by legal claim and the particular harm. Claims can be around things like negligence, fraud or fraudulent omission, breach of warranty, strict product liability. These are all state law claims, not federal, which means there will be variance.<br />
<br />
Negligence means you have failed to take "reasonable care" - often based on expert opinions. Think of the Pinto - they had design defects.<br />
<br />
Design defects could be around hardware or software, things like how passwords are handled.<br />
<br />
Breach of warranty is an issue as well - there are implied warranties, like of merchantability (assumption product is safe and usable). If you know you have an issue, and don't tell anyone - that's fraudulent omission.<br />
<br />
Keep in mind that state statutes are designed to be consumer friendly, with really broad definitions.<br />
<br />
You need to minimally follow industry standards, but that may not be sufficient.<br />
<br />
Think about security at all stages of your design, be informed and ask the right questions, be paranoid and allocate risk. Test and document the testing you did, save it while you do the work. It will help protect you. Be careful about words you use around your products, watch what you say in your advertisement and don't overstate what you do.<br />
<br />
You should also get litigation insurance and make sure it covers IoT.<br />
<br />
If it goes wrong - get a good lawyer who knows this area. Investigate the cause, including discussions with engineers.<br />
<br />
A wave of IoT hack and vuln litigation is coming - you need to be thinking about this now. Understand and use sound cybersecurity design and engineering principles.<br />
Posted by Valerie Fenwick, Las Vegas, NV, USA<br />
<br />
BH18: WebAssembly: A New World of Native Exploits on the Browser<br />
Published 2018-08-09<br />
Justin Engler, Technical Director, NCC Group<br />
Tyler Lukasiewicz, Security Consultant, NCC Group<br />
<br />
WASM (WebAssembly) allows you to take code written elsewhere and run it in a browser.<br />
<br />
Crypto miners and archive.org alike are starting to use WebAssembly.<br />
<br />
Browsix is a project to implement POSIX interfaces in the browser, and JsLinux has an entire OS in the browser. eWASM is a solution for Ethereum contracts (an alternative to Solidity). (And a bunch of other cool things.)<br />
<br />
Remember when... Java Applets used to claim the same things (sandboxing, virtualization, code in browser)...<br />
<br />
WebAssembly is a relatively small set of low-level instructions that are executed by browsers. It's a stack machine. You can push and pop things off the stack (to me the code looks a lot like lisp). We do a couple of walkthroughs of sample code - they created a table of function pointers (egads! it's like networking kernel programming).<br />
<br />
WASM in the browser - it can't do anything on its own (can't read memory, write to screen, etc). If you want it to do anything, you need to import/export memory/functionality/etc. Memory can be shared across instances of WASM.<br />
<br />
Emscripten will help you create .wasm binaries from other C/C++ code, includes built-in C libraries, etc. Can also connect you to Java and JavaScript.<br />
<br />
Old exploits in C work in WASM, like format strings and integer overflows. WASM has its own integer types, different from C and different from JavaScript. You need to be careful sending integers across boundaries (overflow). Buffer overflows are an issue as well. If you try to go past your linear memory, you get a JS error - it doesn't work well, it's pretty ugly.<br />
<br />
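The integer-boundary point above, as an added example (not from the talk or the original post): a hand-assembled module exporting one identity function over i32 shows what the WASM side actually receives from a JavaScript number. The guard `checkedLength` and its limit are hypothetical names chosen for this illustration.<br />

```javascript
// Hand-assembled for this example:
// (func (export "id") (param i32) (result i32) local.get 0)
const bytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: func 0 has type 0
  0x07, 0x06, 0x01, 0x02, 0x69, 0x64, 0x00, 0x00, // export section: "id" -> func 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x20, 0x00, 0x0b, // code section: local.get 0; end
]);
const { id } = new WebAssembly.Instance(new WebAssembly.Module(bytes)).exports;

// The value the WASM side sees after the JS-number-to-i32 conversion
// (truncate toward zero, wrap modulo 2^32, reinterpret as signed).
function seenByWasm(x) {
  return id(x);
}

const I32_MAX = 0x7fffffff;

// Hypothetical guard: a length may cross the boundary only if it is an
// integer that the i32 parameter will represent unchanged.
function checkedLength(x, max) {
  if (!Number.isInteger(x) || x < 0 || x > Math.min(max, I32_MAX)) {
    throw new RangeError(`length ${x} rejected (max ${max})`);
  }
  return x;
}

// Constructed sample values: each row compares the JS view with the WASM view.
function demo() {
  return [10, 2 ** 32 + 10, 2 ** 31, 4294967295, 3.9, NaN].map((js) => {
    let guarded;
    try { guarded = checkedLength(js, 64); } catch (e) { guarded = "rejected"; }
    return { js, wasm: seenByWasm(js), guarded };
  });
}

console.table(demo());
```

A JavaScript-side check such as `len > 64` rejects 2^32 + 10, but any path that skips the check hands WASM the value 10, so validate on the same side and in the same type that uses the value.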
You can now go from a BOF (buffer overflow) to XSS. Emscripten's API allows devs to reference the DOM from C/C++. Character arrays being written to the DOM create the possibility of DOM-based XSS and can use a user-tainted value to overwrite a safe value. This type of attack likely won't be caught by any standard XSS scanners. As JS has control of the WASM memory and tables, XSS should give us control of any running WASM.<br />
<br />
And this even creates new exploits here! We can now have a function pointer overflow. Emscripten has functions that run arbitrary code (emscripten_run_script). Can take advantage of that as long as it's loaded. They discovered that function tables are constant - across compilations and even on different machines.<br />
<br />
You don't necessarily need to go after the XSS here, but could use functions written by the developers as long as they have the same signature as the real one.<br />
<br />
They also showed a server-side RCE (Remote Code Execution). Showed code in browser starting a process on the server.<br />
<br />
Many mitigations from C/C++ won't work on WASM. They could use things like ASLR and could use some library hardening. Effective mitigations include control flow integrity and function definitions and indexing (prevents ROP-style gadgets).<br />
<br />
WASM did cover these in their security warning, in a buried paragraph. It should be more obvious.<br />
<br />
If you can, avoid emscripten_run_script and friends, run the optimizer (removes automatically included functions that might have been useful for control flow attacks), and use control flow integrity (but it may be slower). And you still have to fix your C bugs!<br />
<br />
There is a whitepaper out - Security Chasms of WASM<br />
<br />
Posted by Valerie Fenwick from Las Vegas, NV, USA<br />
<br />
BH18: AI & ML in Cyber Security - Why Algorithms are Dangerous (published 2018-08-09, updated 2018-10-09)<br />
<br />
Raffael Marty, VP Corporate Strategy, Forcepoint<br />
<br />
We don't truly have AI, yet. Algorithms are getting smarter, but experts are more important. Understand your data and algorithms before you do anything with them. It's important to invest in experts that know security.<br />
<br />
Raffael has been doing this (working in security) for a very long time, and then moved into big data. At Forcepoint, he's focusing on studying user behavior so that they can recognize when something bad is happening. ("The Human Point System")<br />
<br />
Machine learning is an algorithmic way to describe data. In the supervised case, we give the system a lot of training data. In the unsupervised case, we give the system an optimization to solve. "Deep Learning" is a newer machine learning algorithm that eliminates the feature engineering step. Data mining is a set of methods to explore data automatically. And AI - "A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful" (not there, yet).<br />
<br />
Computers are now better than people at playing chess and Go, they are even getting better at designing effective drugs and for making things like Siri smarter.<br />
<br />
Machine learning is used in security for things like detecting malware, spam detection, and finding pockets of bad IP addresses on the Internet in supervised cases, and more in unsupervised.<br />
<br />
There are several examples of AI failures in the field, like the Pentagon training AI to learn tanks (they used sunny pictures for "no tank" and cloudy with tanks, so the AI system assumed no tanks were in sunny weather... ooops!)<br />
<br />
Algorithms make assumptions about the data: they assume the data is clean (it often is not), make assumptions about the distribution of the data, and don't deal with outliers. The algorithms are too easy to use today - the process is more important than the algorithm. Algorithms do not take domain knowledge into account - defining meaningful and representative distance functions, for example. Ports look like integers and algorithms make bad assumptions here about "distance".<br />
<br />
There is bias in the algorithms we are not aware of (example of translating "he is a nurse. she is a doctor" from English to Hungarian and back again... suddenly the genders are swapped! Now she is a nurse....)<br />
<br />
Too often assumptions are made based on a single customer's data, or learning from an infected data set, or simply missing data. Another example is an IDS that got confused by IKE traffic and classified it as a "UDP Bomb".<br />
<br />
There are dangers with deep learning use. Do not use if there is not enough or no quality labelled data, look out for things like time zones along with timezones. You need to have well trained domain experts and data scientists to oversee the implementation, and understand what was actually learned.<br />
Note - there are not a lot of individuals that understand security and data science, so make sure you then build a good, strong and cohesive team.<br />
<br />
You need to look out for adversarial input - you can add a small amount of noise to an image, for example, that a human cannot see, but can trick a computer into thinking a picture of a panda is really a gibbon.<br />
<br />
Deep learning - is it the solution to everything? Most security problems cannot be solved with deep learning (or supervised methods in general). We looked at a network graph - we might have lots of data, but not enough information or context nor labels - the dataset is actually no good.<br />
<br />
Can unsupervised data save us? Can we exploit the inherent structure within the data to find anomalies and attacks? First we have to clean the data, engineer distance functions, analyze the data, etc...<br />
<br />
In one graphic, a destination port was misclassified as a source port (80!), and one bit of data had port 70000! While it's obvious to those of us with network knowledge that the data is messed up, it's not to the data scientists that looked at the data. (with this network data, the data scientists found "attacks" at port 0).<br />
<br />
Data science might classify port 443 as an "outlier" because it's "far" from port 80 - but to those of us who know, they are not "far" from each other technically.<br />
<br />
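The port examples above, worked through as an added example (not from the talk or the original post): a numeric distance next to a domain-aware one, plus the data-cleaning checks that catch port 70000, port 0 and a swapped source/destination. The service-class map, the distance values 0.25 and 1, and the flow records are assumptions constructed for this illustration.<br />

```javascript
// Hypothetical service classes; a real deployment would derive these from
// its own protocol and asset inventory.
const SERVICE_CLASS = new Map([
  [80, "web"], [443, "web"], [8080, "web"],
  [25, "mail"], [587, "mail"],
  [53, "dns"], [445, "smb"],
]);

// Data cleaning: a usable TCP/UDP port is an integer in 1..65535.
function isValidPort(p) {
  return Number.isInteger(p) && p >= 1 && p <= 65535;
}

// What an off-the-shelf numeric distance does with port numbers.
function naiveDistance(a, b) {
  return Math.abs(a - b);
}

// Ports as categories: 0 = same port, 0.25 = same service class, 1 = unrelated.
function serviceDistance(a, b) {
  if (!isValidPort(a) || !isValidPort(b)) throw new RangeError("invalid port");
  if (a === b) return 0;
  const classA = SERVICE_CLASS.get(a);
  return classA !== undefined && classA === SERVICE_CLASS.get(b) ? 0.25 : 1;
}

// Constructed flow records with the kinds of errors described above.
const flows = [
  { src: 51514, dst: 443 },
  { src: 80, dst: 49822 },    // well-known port on the source side
  { src: 40000, dst: 70000 }, // impossible port number
  { src: 33000, dst: 0 },     // port 0: treated here as bad data, not an attack
];

// Decide what to do with a record before any clustering sees it.
function triage(flow) {
  if (!isValidPort(flow.src) || !isValidPort(flow.dst)) return "drop: invalid port";
  if (SERVICE_CLASS.has(flow.src) && !SERVICE_CLASS.has(flow.dst)) {
    return "review: src/dst may be swapped";
  }
  return "ok";
}

console.log("naive   80<->443:", naiveDistance(80, 443), " 443<->445:", naiveDistance(443, 445));
console.log("service 80<->443:", serviceDistance(80, 443), " 443<->445:", serviceDistance(443, 445));
console.log(flows.map(triage));
```

The numeric distance puts HTTPS (443) next to SMB (445) and far from HTTP (80); the categorical one reverses that, which is the domain knowledge the algorithm cannot supply on its own.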
Different algorithms struggle with clustered data, the shape of the data. Even if you choose the "right" algorithm, you must understand the parameters.<br />
<br />
If you get all of those things right, then you still need to interpret the data. Are the clusters good or bad? What is anomalous? <br />
<br />
There is another approach - probabilistic inference. Look at Bayesian Belief Networks. The first step is to build the graph, thinking about the objective and the observable behaviors. If the data is too complicated, you may need to introduce "grouping nodes" and introduce the dependencies between the groups. After all the right steps, you still need to get expert opinions.<br />
<br />
Make sure you start by defining your use-cases, not by choosing an algorithm. ML is barely ever the solution to your problem. Use ensembles of algorithms and teach the algos to ask for input! You want it to have expert input and not make assumptions!<br />
<br />
Remember - "History is not a predictor, but knowledge is"<br />
<br />
<br />
Posted by Valerie Fenwick from Las Vegas, NV, USA<br />