Wednesday, October 14, 2015

GHC15: Security from the Boardroom

What to Protect When You Can't Protect Everything?

Kelly Kitsch, Advisory Director of PwC

Unlimited funds don't come, unless you have a massive breach - and we'd all rather it not get to that.

Threats are complex and ever-changing, so we have to be able to adjust to protect our assets. Assets can be strategy-related, branding, in-progress patents, physical, etc.

Traditionally, people focus on perimeter security, but we need to really think about our high-impact assets.

The focus in the last few years has been on compliance - but compliance alone does not make you secure.

There is a new Economic Impact Analysis Methodology. The first phase is threat modeling, and the second (related) phase is identifying your critical assets - physical and intellectual.

CIA: Confidentiality, Integrity and Availability. Use this to assess your risk.

Once you've identified the most critical assets, and can justify why they are so important, it will ease your ability to get funding.

Security and Privacy by Design: Moving from Concept to Implementation

Madhu Gupta, Head of Member Trust and Security Products of LinkedIn

How do we do this better when we build something from scratch? You know, for the next time we start a project.

At LinkedIn, they think of their guiding principles: Members First!  The three important values are clarity, consistency and control - and most importantly: trust.

Everyone at the company must understand that they are accountable for security and privacy. Look out for new features being launched, and make sure we have the right privacy controls before they launch.

How do you do this?

  • Integrate security and privacy into product requirements
  • Hold office hours so people can ask you questions
  • Review our plans at product reviews
  • Embed security champion engineers
  • Share externally
You can further improve this by dedicating a team to review, consult, etc.

And when people do it right - make a t-shirt! Motivate and share your success.

Let the Games Begin (Cyber Security)

Linda Betz, Chief Information Security Officer of Travelers

Linda has to worry about strategic things AND worry about delivering. :-)

What's the game? Everyone wants to hack YOU.  So, as CISO, it's important to minimize this and make it not as bad. Need to find and resolve quickly.

This is expensive - the average cost of a breach is between $3.7M and $5.5M.

What tools do your opponents use?

They could be state sponsored actors, paid to rain down malware on top of you.

It could be an insider - whether placed as an attacker or just careless.

What are they after? Personally Identifiable Information? Intellectual Property? Or perhaps simply seeing if they can do it.  We also see denial of services - like a boycott, but the attacker is deciding that NOBODY can do business with you.

You have tools, too! Apply patches, security toolkits, tripwires, etc. You need to understand what's happening on your network - use analytics, etc.

Leverage the NIST Cyber Framework to help guide.

Make sure you and your team have all the training you need for various certifications.

When things go off the rails, you can bring in the FBI, regulators, cyber incident response companies and even lawyers.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

GHC15: Authorized But Anonymous: Taking Charge of Your Personal Data


Anna Lysyanskaya of Brown University got her PhD under Ron Rivest at MIT, and has received many awards. She allows people to prove themselves without exposing themselves.

Online, not much thinking required :-)

I log in – therefore I am… provided nobody else has your credentials. How does she log in? Let her count the ways… :-)

Basic: user name and password:

  • Pros: intuitive, human-memorizable (up to a point)
  • Cons: not privacy preserving, insecure in so many ways
Many people reuse passwords, as there are too many to remember. But, if one site is compromised… others can be, too.

With public key certificates

  • Cons: not intuitive, not human memorizable, not privacy preserving
  • Pros: secure – your device would need to be hacked or stolen before your identity could be stolen...
What are digital signature schemes? You need two keys:
  • Secret signing key SK(alice) allows Alice to sign and prove she is Alice
  • Public verification key PK(alice) allows anyone to verify.
To sign a message m, Alice uses SK(alice) to compute a signature σ.

When anyone wants to verify Alice’s signature on m, use her public key PK(alice).

Now you know what this is – but how does it work if I don't have your public key? What if someone sends you a fake public key? You must rely on information you can trust. That's why we allow others to sign public keys. For example, Anna's key is signed by Brown University – make sure it's not BOWRN University…

A certificate is when someone whose public key is well-known (e.g. Brown University) certifies that a public key belongs to a particular site/web server/person.

Your public certificate may contain additional information, like date of birth, gender, which buildings you're allowed to access....

So, they are not privacy preserving.

Even if you think, "I don't have anything to hide!" - just because you think this doesn't mean you're not leaving a trace of information that you consider private (health care, past abortion, etc.) that someone else may want to attack, even if you're not a public figure.

For example, let's say you use a persistent ID to log into a newspaper. Even if it's "secret" and not associated with your name, you are still identifiable. If you put in your zip code to look up the weather? They know where you live. Look up your horoscope? They learn your date of birth. Based on the articles you read, they can accurately infer your gender. With those three pieces of information, someone could find your real name.

We'd like to use anonymous credentials - where you can prove you're authorized, but cannot be tracked back to you.
  • Cons: not super intuitive, not human-doable (need a device to remember the credentials)
  • Pros: secure - your device would need to be hacked before your identity can be stolen - privacy-preserving
Okay, how do these work? Underlying building block: zero-knowledge proofs. She gave us a neat graphic explanation with a 3-colored graph.

Anything that is provable at all can be proven in zero knowledge.
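As an added illustration (not from the talk or the original post), here is the classic graph 3-coloring zero-knowledge protocol in Python: each round the prover relabels the colors at random and commits to every vertex, the verifier challenges one random edge, and only that edge's two colors are opened. The graph and both colorings are constructed for this example.

```python
import hashlib
import secrets

# Constructed example graph (an assumption, not from the talk): 5 vertices,
# a 5-cycle plus one chord (0, 2). Vertices are numbered 0..4.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
# Alice's secret witness: a proper 3-coloring, one color (0, 1 or 2) per vertex.
# It is never sent to the verifier.
GOOD_COLORING = [0, 1, 2, 0, 1]
# A cheating prover's coloring: vertices 2 and 3 share a color, so edge (2, 3) is bad.
BAD_COLORING = [0, 1, 2, 2, 1]

def is_proper(edges, coloring):
    """True if no edge joins two vertices of the same color."""
    return all(coloring[u] != coloring[v] for u, v in edges)

def commit(color, nonce):
    """Hash commitment: the random nonce stops the verifier from brute-forcing 3 values."""
    return hashlib.sha256(nonce + bytes([color])).hexdigest()

def prover_commit(coloring):
    """Prover side of one round: randomly relabel the three colors, then commit to
    every vertex's relabeled color with a fresh nonce."""
    perm = [0, 1, 2]
    for i in (2, 1):  # Fisher-Yates shuffle using a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    colors = [perm[c] for c in coloring]
    nonces = [secrets.token_bytes(16) for _ in colors]
    commitments = [commit(c, n) for c, n in zip(colors, nonces)]
    return commitments, (colors, nonces)  # commitments go to the verifier; state stays secret

def prover_open(state, edge):
    """Reveal only the two endpoints of the edge the verifier challenged."""
    colors, nonces = state
    u, v = edge
    return (colors[u], nonces[u]), (colors[v], nonces[v])

def verifier_check(commitments, edge, opening):
    """Verifier side: openings must match the commitments and the two colors must differ."""
    u, v = edge
    (cu, nu), (cv, nv) = opening
    if cu not in (0, 1, 2) or cv not in (0, 1, 2):
        return False
    if commit(cu, nu) != commitments[u] or commit(cv, nv) != commitments[v]:
        return False
    return cu != cv

def run_protocol(edges, coloring, rounds):
    """Interactive proof: accept only if every random edge challenge is answered.
    A cheater with one bad edge survives a round with probability 1 - 1/len(edges),
    so after many rounds the chance of fooling the verifier is negligible."""
    for _ in range(rounds):
        commitments, state = prover_commit(coloring)
        edge = edges[secrets.randbelow(len(edges))]  # verifier's random challenge
        if not verifier_check(commitments, edge, prover_open(state, edge)):
            return False
    return True

if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(EDGES, GOOD_COLORING, 200))
    print("cheating prover accepted:", run_protocol(EDGES, BAD_COLORING, 200))
```

Because the colors are relabeled afresh every round, the verifier only ever sees a random pair of distinct labels and learns nothing about Alice's actual coloring, which is what makes the proof zero-knowledge.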

Now that we've been doing this for a while, efficiency is approaching certificate-based non-anonymous authentication.

The old New Yorker joke was: "Nobody knows on the Internet that you're a dog." - now, that's not true! Google knows everything about you. Facebook knows everything about you and your friends.

But what happens if something goes wrong?

Trust her, we can solve this with cool crypto :-)

Right now, you can't do this - as there's no provider that allows for things like anonymously watching a movie (and actually pay for it).

Why aren't software companies doing this?  They may not think users care about this. It's also a fast developing industry, so they may not have caught up, yet.

Things may change: last week's European Court of Justice ruling may have some impact.

Come learn more at Brown! :-)

They have a CyberSecurity master's program - neat!

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!


GHC15: Wednesday Keynote: Hilary Mason

We are welcomed here by Telle Whitney herself - a good friend of Anita Borg, the woman who founded this conference.

The first GHC had only 500 women technologists - this year?  Twelve thousand people from over 60 countries. We have an increasing number of men. They are now experiencing here at this event what most of us experience every day - welcome to our world!

Alex Wolf, president of ACM, talked about ACM. It's a member society and the largest and oldest of its kind in the world. It has 110,000 members. Why would you join a professional society? We have so many means of interacting today on social media, in ways that replace parts of the role of a professional society. ACM is the pinnacle of technical stewardship. They published 22,000 articles last year alone!

ACM also wants to work to make a difference.  They do curriculum development around the world. Continuing their focus on education, they spun out a sub group CSTA - Computer Science Teacher's Association, focusing on K-12 teachers.

ACM also focuses on improving diversity. A group you'll see a lot of here is the ACM-W group.  They have a booth here, so please go meet them.

Now our keynote: Hilary Mason, Founder and CEO at Fast Forward Labs - a computer scientist, a data scientist and a CEO! Wow!

Reddit - the best and worst of the Internet. Great quote on showing someone from the past the neatest thing about the future: I have a device in my pocket that has the sum of all human knowledge, and I use it to look at cats and argue with strangers. Note: technology has changed, but people are the same.

Machines are now starting to do things we previously believed were only in the domain of humans: art, writing poetry, using data to build better apps. For example, FourSquare started as just a basic check-in, but now it knows what you like and don't, and can make food recommendations specifically for you based on your location.

Why is this happening now?  First and foremost, we can afford the compute power now!  We all have computers more powerful than an Eniac now in our pockets.

Everybody thinks their data is unique - but it turns out, human behaviour is predictable. This makes it easier to learn.

And finally - we have the data! Even if you didn't collect it, you can get access to it (ref: data.gov).

Technology is now so accessible and cheap: did research around... what's the cutest animal in the world?  The answer: the dog.

Years ago, Sony made an electronic dog - Aibo. In 2013, Sony stopped repairing them. But people fell in love with their "dogs" - so now they are having funerals for their pets. Check out: A Robotic Dog's Mortality.

Our past impacts us: think about what happened to the A: and B: drives on Windows. Where did we get 80 column screen width from? Punch cards. Where did we get code comments from? Yep, punch cards again.

Fifteen years ago, data science didn't exist.  So, when you think about what you're going to be doing in 5 years - think about where the industry will go.

A lot of startups have to rely on commodities - because inventing hardware, etc, along with a new business model and idea - can be too much.

But look out for things that are about to commoditize. For example, the price of hard drives is starting to drop - what interesting thing could you do now with lots of disk space you couldn't afford to do 5 years ago?

Look at Hadoop - you can be doing computations and not care where in the world they are happening.

The last thing: new data is constantly becoming available.

A dirty research secret? Many data analysis tools are trained on the English version of wikipedia, so many of these tools are better with English than other languages.

Her team has been doing research on real-estate ads - they've found that if a home is described as "cozy" it's 400 sq feet smaller than the average house. Oddly, if it's described by agents as "large, open" etc., it's usually average or just below average. What they learned? If the agent is talking about size... the place is not large.

She talked about analyzing photos from Instagram. It's not perfect: it identified all photos taken on the NYC subway as prison photos - oops! They had used pictures of prisons in the training set, but no subway photos. It's funny, but as we're integrating this into our lives, we need to think about the impact of these errors.

Think thoughtfully of what we're going to build - together.

Careers in technology are hard to plan, as everything is changing so fast. Think about what direction you want to head into to create the world you want to live in!

What an inspiring and informative talk!

ABIE Award Winners!

Technical Leadership Award winner: Dr. Lydia Kavraki! She's the Noah Harding Professor of Computer Science and Neuroengineering in Houston. She's a fellow of ACM and IEEE! Congratulations!

To learn more about ABI.local groups - how you can join or start, please see the Anita Borg website.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

Tuesday, September 29, 2015

Raising Money For Valley Fire!

You may or may not have heard about the devastating Valley Fire in California, where over 76,067 acres have already burned. The fire is now 95% contained, but there are still nearly 3 thousand homes threatened by the fire. 1,307 homes have already been destroyed, with another 41 damaged.

These people have lost everything - many barely escaping with the skin on their backs. They had to evacuate so quickly, they had to leave behind pets and livestock, family pictures and heirlooms. Youtube has some pretty terrifying videos of the escapes.

The long drought we've had in California has hastened the spread.

Next weekend, on October 3rd, Mark is riding 100 miles in Levi Leipheimer's Levi's GranFondo. It's an excruciating ride, with major climbs. I am not in good enough shape to ride with him, so I will be working at the water rest stop at the top of the gnarliest climb - then serving beer in the afternoon as the riders finish their rides.  It's an all day event for us both - starting quite early in the morning.

The GranFondo always raises money for local charities - some of you may recall Levi's involvement with the American Lung Association (I got to ride my bike with him once!).  This year, 80% of the money raised will go to Valley Fire victims.  The rest to other local charities.

Please sponsor me!
https://fundraise.levisgranfondo.com/bubbva

Thanks!

Valerie

Friday, September 18, 2015

Silicon Valley: We Are Crushing Ourselves - or - Goodbye Fiesta del Mar

We're creating a mess that will haunt us for years. I don't know the solution, but I do know what I'm seeing and hearing are not okay.

Fiesta del Mar has been running in their Shoreline location for 24 years.  I first went there back in 1995 myself, when visiting the south bay.  I moved to Sunnyvale in 1996, and by 1999 I was in Mountain View - walking distance to Fiesta del Mar. I've moved several times since then - but every time I rented and even when I bought my house, I had the requirement of "I still have to be able to walk to Fiesta del Mar".

They are a successful family run business that serves amazing shrimp dishes and outstanding Mexican fare with the best margaritas in the Bay Area - all with a smile.  Everyone there knows my name, my favorite margaritas (La Yarona), and that they cannot possibly give me enough of their amazing salsas.  They are always packed, yet always quick with your food.

And they are closing on September 26, 2015

Huh?

They've lost their lease. Last I heard the new land owner was going to build an office building with a Panda Express and another Starbuck's.

We are losing a successful family business for a Panda Express (or some yet to be determined chain restaurant).

The manager of Fiesta del Mar is going to try to move as much of his staff as he can to the family's other restaurants in Mountain View - Fiesta del Mar II and Agave.  That's great of the family to do that, but it won't be the same.  Each of those establishments makes their salsa and sauces just a bit differently, the interiors are very different, and they are in the difficult to find parking downtown area. Yes, I walk - but my friends drive to Fiesta del Mar from all over the Bay Area.

La Costena, a burrito themed taqueria, lost their Mountain View Rengstorff location a couple of years back. I used to go there for an amazing burrito.  They were lucky and found another place on Middlefield - but in a completely different neighborhood.

DeeDee's Indian Buffet and Grocery lost their location a few years back, so an apartment building could be built - and never could find a suitable alternative location in Mountain View. So, guess how many Indian grocery stores Mountain View has now? Zero.

I've seen neighbors posting on NextDoor complaining about the sudden rise in RVs, buses, vans and cars on the street with people obviously living in them.  After Mountain View closed their last RV park...is this so shocking?  I used to live in the Forest Glenn town homes, and read in the paper that the landlord is evicting everyone to remodel, and raise the rents. I knew families that had lived there for 10 years or more. Where will they go?

Walking to the transit center the other day before 8AM, to take my company's corporate shuttle to work - I saw a man washing his hair and face in a water fountain in the park. He had a tube of toothpaste and toothbrush in his back pocket. He was dressed nicely, clearly getting ready for work - and clearly living somewhere without running water.

Houses in my neighborhood are being purchased by "investors" and left empty, or in one case turned into a Youth Hostel with bunk beds!  Families are losing their home for "investments".  One "gentleman" bragged on our neighborhood alias about how he will outbid any offer you get on your house, as he's collecting houses in our neighborhood so he can remake them in his "vision" - he already owns 5.

And just over the last two weeks, I've read with horror about the police arresting transients for stealing clothing! CLOTHING!  One man stole a shirt from Walgreen's, and was booked in the San Jose jail. Another stole a pair of shoes from Walmart (he did become violent when confronted) and again taken to jail.

Is there not a better place to take poor people who are homeless and desperate for clothing and shoes?

We are clearly not meeting our community's needs and we're in crisis.

I've loved Mountain View for their diverse cultures, nonchain restaurants and focus on community.

Can we get this back? How can we better serve those who do not have Silicon Valley paying jobs? Is there a place for us all?

Tuesday, September 8, 2015

GHC15: Call for Volunteer Bloggers and Note Takers!

It's that time of year again - we are looking for volunteer bloggers and note takers for the Grace Hopper Celebration of Women in Computing!  The conference will be held in Houston, TX and our theme is Our Time To Lead!

Not every one can make the trip - or make every session they are interested in - to that end, we need your help!  Are you an excellent note taker?  A passionate blogger? Then you can help us to share the conference with thousands of others around the globe by becoming an Online Community Blogger or Note-Taker.

The deadline to apply is September 18, 2015 - so please don't delay!

Please note: you must be already registered in order to participate. Volunteering as a note taker or blogger does not get you a registration, travel, hotel, etc. It's just a way to give back to this great organization!

Hope to see you there!  Valerie

This post is syndicated from Security, Beer, Theater and Biking!

Friday, August 7, 2015

BHUSA15: Black Hat Roundup

I just got back from my first Black Hat conference! This may seem strange, that I've never been, but it always seemed too expensive and many of the talks were repeated at DefCon. My first DefCon was DC2 - I was still basically a kid. I could not drink nor gamble, but I had a blast year after year meeting super bright folks and learning neat hacks. Learning what I did at DefCon has definitely shaped my career - there's no way I would've ended up in a more than two decades long career in computer security without it.

Did DC have its downsides? Yes, definitely. As noted by a woman on the "Beyond the Gender Gap" panel, it gets tiring "proving it again" (and again) every time I would walk into the room at DefCon. "Who's your boyfriend?" "I'm single" "Oh, so you're a scene whore?" "No" "Oh, then you're a fed!"

Then I would have to proceed to prove my technical prowess over and over again. (best advice for men came from that panel: never start with "who are you here with?", but rather "What do you do?") [Note: I did have a boyfriend my first couple of DefCons, and later a husband - who did not come, as he wasn't interested in the con, but I was at other times single.]

DefCon also had amazing moments - here we are at DC9 in 2001. Babies!  (I don't seem to have older pictures on my site - but I was there, usually with Artimage and Angus).

But, that didn't happen at Black Hat. Folks (men and women) spoke to me like a human. It was really nice. Other than when I went to the bar to meet one of my friends Tuesday night, nobody stared at my chest. I was able to attend two women-focused luncheons and meet lots of interesting and smart security-focused women. Black Hat USA has a Code of Conduct, lots of staff, and plenty of time between sessions to network, charge batteries or go pee.

I want to thank Runa Sandvik, who first of all gave an awesome talk on a wifi rifle (you know, we all need one) and gave me the free pass to attend!

Still surprising to see people drinking at 7:30 in the morning, and drinking EVERYWHERE (in the elevator a lot). Coming from California, all the smoking was strange, too. A guy sat next to me in a session "vaping" pot - really? Can't wait until the break? Fortunately, the conference halls were non-smoking, so I escaped an asthma attack.

Overall, a very informative conference! I would highly recommend it, for the very high caliber, true research talks.

Did you have a good time? Any stories to share?