Hacker, Researcher, and Security Advocate

Month: July 2019


Inside the Backdoor Backlash

Taking a more tangible view of encryption backdoors

US Attorney General William Barr gave a speech Tuesday morning in which he approached the topic of what he called “warrant-proof” encryption. His argument revives discussion about establishing encryption that can be broken or bypassed by law enforcement. Overall, the security community responded with the level of condemnation one might expect. However, looking through the various reactions, there is an opportunity to make those arguments more compelling. More can be done to convince the voting public that this is an important issue.


Many of the responses to Barr’s speech echo previous statements about weakening encryption. They often focus on idealistic privacy concepts or ethereal encryption principles. Unfortunately, those arguments are easily countered with a discussion of practicality over security ideals. Indeed, Barr brought out some of those points in his speech. Some cited policy and corruption concerns. They described worst-case scenarios where law enforcement would abuse the capability. However, on the whole, society still trusts in law enforcement and sees these abuse cases as fringe activities.

Even security pros don’t get it

Security and privacy professionals seem to struggle to make compelling arguments on this topic. I myself struggled in a conversation earlier this year with a former member of the CIA. While I could talk about idealistic views, violations of fundamental encryption concepts, etc., I never felt I overcame the counter-arguments. It ended as an agree-to-disagree situation. Furthermore, security professionals actually advocating that backdoors in encryption are not a big deal exemplify the need for a better argument. At least in my opinion.

So I searched my mind for ways we could re-frame the discussion. How can the security community create discussion focused on tangible risks? After all, in theory, weighing the risks ultimately drives decision making. If risk to the public outweighs the risk of not being able to decrypt potential evidence, then we can shape public opinion and in turn the policy making decisions by our politicians.

Centralized key storage and master keys

First we need to understand a fundamental concept of how encryption protects us. Current asymmetric encryption derives a level of security from the distributed storage of the private keys and the 1-to-1 relationship of public and private keys. The owner of the key pair is the only person who has access to the private key. Compromise of one or even several private keys impacts only a fraction of the public, from a global perspective. Replacing the small number of affected keys restores security.

Unfortunately, implementation of a backdoor would likely require either a centralized repository of private keys or a single master key. Either way, compromise of that repository or the master key would impact vast numbers of key pairs. The global impact would be tremendous. Compromise of a master key or private key repository would put millions of key pairs at risk.

Exploitation becomes trivial

Second, and building off this knowledge, the attack vectors against encryption would change. In current implementations, the distribution of private keys and the singular relationship of key pairs makes attacking the keys themselves a high-effort, low-reward approach. As a result, attackers focus on attacking the implementation of the encryption architecture itself. Weaknesses in encryption algorithms can be very difficult to discover. Even once discovered, executing padding oracle, side-channel, etc. attacks consumes a lot of time and effort for each key pair encountered.

With a backdoor, the attack vector shifts. Attackers could focus all attention on the backdoor itself. Suddenly, cracking a single repository or key would be a high-reward approach. If attackers find a flaw in the implementation of the backdoor or, worse, expose a master key or repository of private keys, exploitation of millions of key pairs would now require only nominal effort.

The door lock metaphor

When explaining this to non-security people, I’ve had success using the door lock analogy. Right now every door in the world has only one key that can open it and those keys are stored separately with their owners around the globe. Attackers aren’t going to try to find as many keys as they can and steal them. It would take a long time and have little reward. However, a master key or key repository allows attackers to focus their attacks on a single location. A successful attack gains them access to millions of doors all at once.

Additionally, as a result of the distribution of keys, attackers have to focus on cracking the lock itself. Even when we know a type of lock can be picked, each one has to be picked individually. That is a time- and effort-consuming process. If a backdoor is created, once the master key is stolen or the repository is exposed, opening any lock in the world would be as easy as walking up and putting a key in.

As you see, none of this requires fringe-case abuse by law enforcement to put the public at risk. The increased public risk extends directly from violation of core encryption concepts, but it links to quantifiable changes in risk to the public. This is the kind of argument we need to make. Ultimately, establishing a backdoor for encryption collapses two of the primary pillars that provide strength in our current encryption technologies. And that is a big deal!


Get a Chair At the Big Table

CISOs can drive the security discussion in the board room

Cyber security is increasingly becoming a top business concern for executives. A recent survey from The Conference Board found that US CEOs rank cyber security as their top external concern for 2019. However, at a board level, security discussions with the CISO are relatively rare. Without this critical interaction, it can be challenging for a CISO to drive security strategy. Luckily, there are some steps security professionals can take to earn a spot at the table with the board.

Why aren’t CISOs being invited to the discussion?

Numerous challenges stand in the way of a CISO getting in front of the board of directors. From reporting structure, to stereotypes about a CISO’s qualifications, security executives have many barriers to overcome. Understanding the challenges enables development of strategies to overcome them.

Organizational reporting structure

In most organizational reporting structures, the CISO reports to another executive below the CEO. As a result, organizations commonly view the CISO’s duties as a subset of another officer’s role. The board typically calls upon the higher ranking executive, commonly the CIO, COO, or CRO, if and when the discussion of security reaches the board room.

Perception of the CISO

A connotation that CISOs are too technical also plagues their ability to win a spot in the discussion. Developing a security strategy requires a significant level of technical knowledge. Indeed, CISOs sometimes struggle with presenting security strategy in terms that resonate with the board. Overcoming the stereotype of too technical for the board room challenges even the strongest CISO.

Security is scary

Despite the increased focus on security, all too often the board avoids topics of security. The complexities and uncertainty of cyber security make it an untenable discussion point. Sure, directors want to keep the organization’s name out of the headlines. But at the same time, some treat cyber security like a toothache: rather than go to the dentist, they try to avoid even thinking about it. However, the problem doesn’t simply go away. Just like that tooth, ignoring it only makes things worse.

Earning a spot at the big table

Security leaders need to change the perception of the CISO role and make cyber security a regular topic for the board. This begins with establishing a level of credibility with higher-ranking executives and the board. While this process takes time, establishing a solid rapport with the board ensures they’ll seek out the CISO’s perspective.

Forget FUD, focus on the business

CISOs commonly make the mistake of presenting security in terms of Fear, Uncertainty, and Doubt (FUD). They share perspectives on the horrible things that could happen. However, playing off the fears of others does not motivate them to action; it causes them to avoid the conversation.

Instead, security leaders need to focus on how security strategy can improve existing business or enable new lines of business. For instance, demonstrating how an investment in Cloud Access Broker technology creates the ability to offer new cloud-based services, delivers a very compelling story line. Additionally, it demonstrates an understanding of the business beyond simply the technology.

Be prepared for the right questions

Responding with solid, tangible answers establishes expertise and confidence. Doing so requires an understanding of how board members look at the business. Ultimately, when it comes to security, the board wants to know that appropriate measures are being taken to manage threats to the business.

Directors ask questions along the lines of “Could we get hacked today?” or “What would the impact be if we get hacked?” Answering these requires reading between the lines to understand what information they’re asking for. Fundamentally, they’re trying to assess risk and ensure that something is being done to address it. So share tangible efforts and programs that are in place, but do so in the context of critical business functions. Avoid talking about the latest technology you deployed; instead, describe the resilience of business processes to recently publicized attacks.

Establish Visibility

Regular communication with the board can start without attendance at the meetings. CISOs should work with their top-level executives to establish a reporting cadence with the board. A proactive approach allows the CISO to shape the security strategy message and demonstrates competence and expertise. Furthermore, the regular cadence establishes visibility that builds a bridge into the board room over time. Ultimately, putting more security-focused data in the hands of board members builds demand for further security discussion.

While it can be challenging, CISOs can drive the security discussion all the way up to the board of directors. Taking time to understand the board and their perspectives allows the CISO to exhibit their expertise and build confidence. Ultimately, as the board hears more from a competent CISO, their trust grows and their desire for interaction leads to a spot for the CISO at the big table.

Conquering Impostor Syndrome

Recognize that you bring value to the discussion and be heard

One of the things I’ve always found incredible about the security community is the commitment to openly sharing information and discoveries. We have countless conferences, discussion media, and publications devoted to sharing security-related work. However, for many, seeing the massive contributions of others invokes a level of anxiety when seeking to establish their own contributions. The infamous impostor syndrome rears its ugly head and holds people back from getting involved.

My first experience with impostor syndrome


My memories of my first experience with impostor syndrome are very clear. I was working as a Managing Consultant for a security firm and at that point had been in security as a penetration tester for eight years. I had thought about speaking at a security conference on occasion but never really considered it a realistic goal. That is, until my director and a sales person encouraged me to submit a talk to a local conference our company was sponsoring.

I agreed, after all it was my boss telling me I should do this; and yet I was scared to death. I had seen some of the biggest names in our industry on stage at conferences, I had seen 0-day exploits announced at DEFCON, and here I was with nothing of the sort to contribute. Who am I to speak at anything? If I get accepted, they’ll all see that I’m just an average person and I’ll get laughed off the stage. All these thoughts went through my head, but I had to push through and create a talk, so that’s just what I did.

I had just come off a string of three separate application assessments where I had discovered various issues in OAuth2 implementations that created some significant vulnerabilities. I decided to put together a talk to discuss the proper implementation of OAuth2 and common failures that led to exploits. The talk got accepted, I delivered it (to a surprisingly full room), and I got some great feedback afterward.

A week or so later, I received a link with the video of my talk. I provided it to my director who suggested I send it out to our entire AppSec practice. While I received a number of gracious emails, the one that stood out in my mind came from a principal consultant who had spoken at a few conferences, including as part of a group at BlackHat USA. His response read, “A lot of hand waving here, nothing new or informative being shared”.

I was crushed. This was what I feared the most. An experienced conference speaker telling me my talk wasn’t worthy. I ignored all the good feedback I got at the conference, all the great emails I got from other consultants on our team, and I allowed this one email to confirm in my mind that I was a fraud.

Thankfully my director was an amazing leader who knew how to motivate me and he helped me see the truth. He pointed out how the email I got came from a consultant who himself was insecure and felt like an impostor. He helped me see the value of my talk and encouraged me to continue speaking. And that I have. I now speak regularly at conferences, and while I still have my bouts with impostor syndrome, I don’t let it hold me back. So I wanted to share some steps I’ve learned about how to overcome these feelings.

What causes impostor syndrome?

I’ve done a lot of self reflection on this along with a lot of reading and research. What I’ve found is that impostor syndrome is ultimately the result of feeling like one doesn’t belong. It’s this feeling that we’ve somehow stepped into a world where we are not like those around us and we’re somehow inferior as a result. When we perceive that the people around us are far more experienced, talented, or qualified than we are, those feelings come to the surface. For people in under-represented groups like people-of-color, women, those with disabilities, or LGBTQ+, the problems can be compounded since we can struggle to identify with our peers.

The problem stems from how we identify ourselves. We begin to establish our identity through labels when we are very young. Age, gender, race, job titles, etc. all play into how we identify who we are. We label others and often compare our labels with them. This is how social groups form. So when we follow a course of action in which we perceive that we’re stepping outside of those labels, our anxieties kick in. We fear that someone will figure out that we don’t wear that arbitrary label we’ve given them and they’ll see us as a fraud, that they’ll look at us and point us out as not a member of their group.

This is a very natural phenomenon in human social interactions. We place labels and gravitate toward those who we perceive as sharing the same labels we give ourselves. So how do we break down the barriers we place on ourselves? The following is the process I’ve come up with through my own self-analysis and research.

Acknowledge and combat those feelings

As you might suspect, the first step in overcoming the anxieties of impostor syndrome is to simply recognize that this is what we’re experiencing and combat it. When we begin to feel those fears, it’s important to look at those feelings and identify where they come from. How does the fear you’re experiencing relate to a feeling of not belonging? Personally, I take a mental inventory of those.

The key to combating them is objectively identifying the positive accomplishments we’ve experienced. Those positive comments and emails I received were a perfect example. So find those elements, but be careful. Do this objectively. Do not assign a relative value to them, just simply acknowledge and appreciate them.

Let the feelings go

Once you’ve identified your feelings and where they come from, you can start to let them go. Sometimes what you feel will be tied to things you simply cannot control, like your gender, race, etc. Understand that those are not characteristics that impact your qualifications and so don’t allow them to make you feel inadequate.

Also recognize those feelings that result from comparing yourself to others. We fall into the trap of measuring our talents and skills in comparison to others. However, that’s not a valid way to measure. Instead, see your qualifications as an objective measure: you have certain skills or you don’t. When you find that feelings of inadequacy are the result of such comparisons, trust that they’re not an accurate measure of your abilities and let them go.

Analyze your process of success

Look back at where you’ve been. How did you get to where you are today? Did you just have one success after the next without experiencing challenges and failures? If you’re honest with yourself, the answer is no. Thomas Edison did not invent a working light bulb on his first attempt. Stop holding yourself to that standard. Those challenges and failures are how you learned and developed your skills. Accept them, be proud of them, and understand that you’ll experience more of them in your future and that is a good thing.

Set objective goals and measurements

Identify the goals you have in attempting what it is you’ve set out to do. If you’re thinking about speaking at a conference, perhaps your goal is to share information about some research you did. It may seem corny, but list those goals and how you plan to measure them. Then look back. Are they based on others’ reactions, feelings, etc? If so, those are not objective goals because they’re based on your perception of someone else’s feelings. So re-frame them into something that focuses solely on you and something that you can objectively measure. This ensures that when you accomplish those goals, you’ll be able to recognize it and celebrate it. It prevents you from letting feelings downplay the great things you achieve.

Everyone experiences impostor syndrome

Finally, understand and accept that everyone has these feelings from time to time. I’ve talked to some of my idols who tell me often of their own experiences of feeling “out of their league”. It’s in pushing ourselves to exist beyond our labels that we grow and conquer obstacles. That’s how each of us becomes great.

Accept that it’s OK not to know all the answers and that if you did, it would mean you’re not pushing yourself hard enough. Have faith that it is not only acceptable to reach out for help, but that this is actually an effective tool. It gives you the opportunity to get others’ perspectives and challenge your own biases on the topic. It is also a chance to establish relationships with others who may actually be fascinated by the work you’re doing.

In the end, we all build off of each others’ works. Collaboration drives the continued growth of our collective community. So rather than convince yourself that asking for help makes you less, embrace it as part of the process.

These are the steps that have worked for me and that I’ve found corroborated in other research I’ve done. Hopefully some of this resonates with you and is helpful. I’d love to see some comments from others on what has worked for you that I’ve not included above.


The Oxymoron of “Smart” Devices

What a hair straightener can teach us about IoT Security

A recent article on Threatpost provides details of a vulnerability in the Glamoriser Bluetooth Smart Straightener. The vulnerability is pretty significant. An attacker can fairly easily gain control of the hair straightener, turn the heating element up to max power, and potentially cause a fire. Discovery of this vulnerability provides us with a clear example of why manufacturers need to be more calculating in their responses to the “smart” device trend.


According to product information on the Glamoriser website, the straightener comes with a mobile app that allows the user to control heat settings of the straightener for different types of styling and lock in a favorite setting. However, as it turns out (maybe not surprisingly), their implementation of this feature is anything but “smart”.

According to quotes from the researcher that discovered the vulnerability, Stuart Kennedy, the hair straightener’s Bluetooth Low Energy (BLE) connection lacks some of the basic security features most users have come to expect in Bluetooth devices. There is no pairing function in the straightener’s BLE implementation, meaning any device within range can connect and control the straightener. Sure, the risk may be fairly low due to the distance limitations of BLE, but the threat vector is very real.

An emblematic problem with IoT and Connected Devices

This certainly is not the first time that we’ve seen once innocuous home devices turned into a threat vector. Manufacturers have routinely enabled “smart” functionality but failed to implement basic security features. However, the risks associated with this example lend credence to the warnings of researchers regarding just how serious the problem could be.

As many in the security community already know, manufacturers with no history or previous experience with implementing connected technology are rushing to create “smart” devices. The resulting implementations are often filled with security and functionality gaps. Whether this is a result of a lack of expertise or the need for speed to market (or both) is debatable. But the trend of security issues in newly released “smart” devices is undeniable.

The hair straightener example also stands as a particularly poignant lesson in that the only discernible reason to have a mobile app seems to be just the ability to label their styling tool as “smart”. The desired feature set enabled by the mobile app, being able to identify and set the needed temperature based on hair type and desired style, could have just as easily been implemented without connectivity. Hair straighteners for years have had adjustable temperature controls. Couldn’t an app that allowed the user to look up the correct settings and then manually set them on the device have been enough? Have we really reached the point in lazy consumerism where we need the app to make that adjustment for us? Let alone to the detriment of someone’s safety?

Time To Stop and Think

Sure, smart home devices are all the rage right now. Connected IoT devices are touted as the latest innovations and everyone wants to get on that bandwagon. However, if manufacturers can’t concern themselves with the safety of their consumers, they must at least start considering the risks in terms of their own liability for shipping faulty devices with real security vulnerabilities. How much does the manufacturer stand to lose if they get sued when someone is hurt or killed as a result of a security flaw in their product? The case of the Glamoriser straightener provides the most tangible illustration of those risks we’ve seen to date.

With that risk comes the need for serious investment in R&D before simply launching a product. That investment needs to include analysis of the benefits of the new connected features against the risks of liability if those features turn out to be a security flaw. Manufacturers cannot afford to assume an immeasurable marketing edge will come from simply labeling their product as “smart”. Had such analysis been done in the case of the Glamoriser, it’s doubtful that the ability to set a temperature on the device from your phone would have demonstrated value in the marketplace that outweighed the potential liability of someone’s house being burned down. This isn’t a particularly challenging threat model to build, so how did they get it so wrong?

It seems most manufacturers only pay attention to the threats and risks of their products when there is a palpable demand from consumers. Unfortunately, consumers remain blissfully unaware of these risks until something catastrophic occurs and is publicized widely in the media. Even then market trends show we’re often willing to forgive and forget if it means we can own the latest innovative device. So we, as security researchers, have to find other ways to motivate manufacturers. So far this has proven to be a monumental task. The tide is shifting, more and more manufacturers are becoming aware of the risks and working with the security community. Sadly, it’s most often only after their failures or those of their competition are exposed.

Educating consumers and manufacturers alike seems to be one possible course of action. Security researchers have begun some outreach to the manufacturing community and we’ve made headway in certain markets like the automotive space. However, more can and must be done. There is opportunity for us to be more involved in the manufacturing community. We must look for ways not to scare manufacturers into doing better but to motivate them. Drawing the connections between producing secure products and expanding their business model is the key.

From a consumer perspective it is much the same. We’ve tried scaring people. We’ve talked about all the potential bad things that can happen. For consumers it’s a bunch of noise and they just want that cool new thing. So it’s time we start focusing on how their lives can be more convenient, more trendy, etc. by ensuring that they demand products that are secure and reject the early to market brands that blaze trails with questionable products. We need to make being securely connected the new hot thing.


Welcome Aboard

An Introduction of Epic Futility

OK well here I am interwebs!! After much encouragement from colleagues, friends, and acquaintances, I’ve launched a website and blog. As you’re likely aware, if you’ve found your way to this page, I’m very passionate about all things security and privacy related. It’s my career, it’s my passion, and most of all it’s something I love to share with others.

I’ve had a very atypical journey into the world of security, however. I’ll probably bore you in some other post with the full progression from my childhood interest in computers to my present-day role as a security professional. But for now let me just share that what began as a hobby of playing with computers turned into a full-time job as a programmer, which in turn led to my entry into penetration testing and assessment work.

I have no delusions of grandeur. I am not the world’s greatest hacker, I am not some super security celebrity or highly touted “thought leader”. However, what I am is a person who really loves digging into technology, exposing how it works and how it fails, and sharing what I’ve learned with others. I’ve spoken at industry conferences, as you can see on this site. I’ve delivered various security assessments, training, and strategy guidance as part of my professional work. I’ve been featured in security publications and podcasts. I’m of course active on social media as well. But this is the first time that I own a dedicated space on the web to formally share my thoughts and opinions in written form.

Related to technology, security, and privacy, I also have a very powerful drive to correct what I see as a toxic environment in the tech and security communities. Women, People of Color, LGBTQ+ and other under-represented groups often find that the tech and security space is particularly unwelcoming. In security specifically, studies using the most liberal of criteria have found only around 20% of people in security roles are women. I believe that toxic environment is partly to blame. This is something I feel needs to change. I’m involved in multiple organizations that do work in this area, I speak on this topic as well, and so you’ll probably see posts from me focused on making our industry more inclusive as well.

So I hope you’ll enjoy. I hope you’ll reach out to me and share your own thoughts. I love to hear opposing viewpoints and discuss/debate at length as long as it’s done in a respectful and productive way. Thank you for visiting and please come back over and over!
