Monday, January 8, 2018

2017: Year in Review

What a year! I can't even begin to remember everything that happened, but here are some highlights and lowlights.

  • After 20 years, I left Sun/Oracle and joined Intel as a Director of Software Engineering of Security Solutions Enablement for Data Center.  A long title that means my team works on security related projects, like Open Security Controller, that enable security on the Data Center. 
    • I worked at Intel 21 years before, as an intern in their Folsom Engineering Services group (as an admin for Win 3.1, WinNT, Win95, AIX, Irix, SunOS and Solaris).  It was oddly like like putting on a comfortable pair of shoes coming back, but at the same time a very different company. A much faster moving place, a more inclusive place and more inventive place.
    • My team has released two versions of Open Security Controller (0.6 and 0.8) this year! (like I said, fast moving!)
  • I was appointed to the City of Mountain View's Bicycle/Pedestrian Advisory Committee, where I get to advise the City Council on such things like: transit projects, walk-ability of new building projects, how to improve dangerous and deadly intersections, and where to spend budget to improve biking and walking.  It's pretty fun! The committee definitely has diverse opinions and I have found the last twelve months on the committee to be quite a learning experience.
  • I demonstrated, with my Oracle team, PKCS#11 and KMIP on Solaris at the RSA Conference Expo in San Francisco in February 2017.
  • I read 24 books, covering 7,937 pages.
  • I recorded the narration for 8 audio books for Learning Ally. These books are for the blind and others with reading disabilities.
  • I did a police ride-a-long with the Mountain View Police Department! I was amazed at the officers compassion, how well they treated the citizens and how they were quick to de-escalate a situation.  I watched an officer arrest a man who had been drinking "since the early morning" and then brandished a knife at another man at Walmart. The man was belligerent when first approached, yelling and gesticulating.  The officer used calm tones, did a quick and calm search, secured the gentleman and proceeded with his investigation. I watched a situation go from tense to calm in a heartbeat. Yes, I used the word calm repeatedly - but that is the best way to describe what the officer did.
  • I was on the Crypto Review Board for BlackHat USA, and got to attend!!
  • Additionally, I was on the program review boards for International Cryptographic Module Conference (ICMC) and GreHack!
  • I presented on PKCS#11 version 3.0 at ICMC.
  • I became secretary of the PKCS#11 technical committee, a role change from co-chair.
  • I reviewed scholarship applications for Learning Ally Scholars - every one of the students was incredible!
  • My husband and I celebrated 10 years of marriage in Sausalito, CA.
  • I saw all of my siblings and my parents this year! Most more than once! I didn't see enough of my nieces and nephews, though...  
  • I did a few more Murder Mysteries, did photography for a couple of shows, and sang with the Lyric Victorian Carolers.
  • Overall, I volunteered more than 179 hours.
  • I went skiing!
  • I stayed alive!
  • I lost my uncle, Dan Bubb, my Dad's brother, to pneumonia.
  • My dear friend Elisa was diagnosed with breast cancer in October and Comcast let her husband go from his job (along with the rest of his division) in December - just before Christmas.  Her battle continues, please consider donating.
  • I suffered a major health crisis myself - on my first day of work at Intel, where I learned another highlight: Intel is a compassionate company, they were there when I needed them and helped me to get back on my feet and hit the ground running in my new role!  And, I didn't die :)
Any lowlights or highlights for you?

Here's to 2018!

Saturday, December 16, 2017

Please Support Elisa's Battle Against Breast Cancer

Hi Folks - One of my best friends from the 3rd grade on had just moved into a new home in October with her family only to discover she had a very fast growing breast cancer. She discovered it via self exam and it tripled in size over a couple of weeks while she was prepping for chemotherapy.

To make matters worse, her husband (and his entire division) was let go from his job this week.

Elisa has been a stay at home mom for her special needs children for the last several years, so the family has lost their only income source while she is very sick with chemo treatments. Losing a job unexpectedly is never easy, but losing it 2 weeks before Christmas while your wife is trying to stay alive is absolutely devastating.

In addition to having cancer, Elisa has a degenerative genetic disorder (Ehlers-Danlos Syndrome) that already was causing many problems for her body. If you can give anything, please do. God bless.

Elisa and I in 6th grade.

When we both lived in Fort Wayne, IN, we were literally inseparable.  In the 6th grade we convinced our teachers that we could go to the other's classes (instead of our own) so we could wear this Halloween costume).

As to why it's Defeating Voldemort? Her children decided that was the tumor's name and because they love Harry Potter, they just know he can be defeated.

Her GoFundMe link can be found here.  Thank you, thank you, thank you.


Friday, November 10, 2017

Open Security Controller v 0.8.0 Released!

I am proud to announce that my team, and the OSC Community, have released the latest version of the Open Security Controller, version 0.8.0!

Open Security Controller (OSC) is a software-defined security orchestration solution that automates deployment of virtualized network security functions, like next-generation firewall, intrusion prevention systems and application data controllers.  This is our second release, and second release this year!

The new big features include:
  • OpenStack Ocata support, and we continue to support Newton as well
  • Kubernetes beta support - check it out and give us feedback
  • Neutron Service Function Chaining beta support
  • Multi-policy support
  • Expose IP/Mac addresses for security group members
  • Open source of our test automation!
Please do check out our release notes for more information, come on over to visit us on github, and join the community!

Job well done!

Sunday, October 22, 2017

Learning Ally: Books I've Narrated

Working with Learning Ally, I record textbooks and novels for the blind and dyslexic, along with others that learn differently.

I've been keeping this list on LinkedIn, but hit the LinkedIn character maximum. I didn't always keep track, so there may be a few more books. I started volunteering at Learning Ally in Palo Alto in August 2012, followed them to Menlo Park and am preparing to start volunteering from home.

When I started, we had physical books we read from and we've since moved to VoiceText (scanned texts) and PDF books. This makes it easier to start recording at home!

Here are the books that I've narrated over the years. I'll continue to add to this post as I complete more books.  The hours listed are total length of the finished narration. It takes usually 3 times as long recording and correcting to get that finished product.

Recorded in 2018
Recorded in 2017
  • Tales from a Not-So-Friendly Frenemy (Dork Diaries #11) (Rachel Renee Russell) (248 pages, 2.17 hours)
  • Tales from a Not-So-Fabulous Life (Dork Diaries #1) (Rachel Renee Russell) (282 pages, 3.08 hours)
  • The San Francisco Earthquake (I Survived #5) (Lauren Tarshis) (98 pages, 1.27 hours)
  • Shadows of Sherwood (Robyn Hoodlum #1) (Kekla Magoon) (356 pages, 7.48 hours)
  • Mythology (Edith Hamilton) (475 pages, 11.35 hours)
  • Carve the Mark (Veronica Roth) (467 pages, 12.14 hours)
  • Goosebumps Book 8: The Girl Who Cried Monster (138 pages, 2.50 hours)
  • Goosebumps Book 3: Monster Blood (R. L. Stine)
Recorded in 2016
  • Ink and Bone (Rachel Caine) (354 pages, 10.97 hours)
  • Dragons of Winter (James A. Owen) (389 pages, 9.38 hours)
  • Tru & Nelle (G. Neri) (328 pages, 4.70 hours)
  • City of Ice (Ken Yep) (362 pages, 8:47 hours)
  • Winter: The Lunar Chronicles (Marissa Meyer) (828 Pages, 20 hours)
Recorded in 2015
  • If You Could Be Mine (Sara Farizan) (248 Pages, 4:59 hours)
  • The Vanishing Game (Kate Kae Myers) (356 pages, 7:45 hours)
  • A Northern Light (Jennifer Donnely) (396 pages, 8:57 hours)
  • Liar Temptress Soldier Spy: Four Women Undercover in the Civil War (Karen Abbott) (513 pages, 12:20 hours)
  • The Spiritglass Charade (Collean Gleason) (360 pages)
  • Wicked Girls (Stephanie Hemphill) (389 pages)
Recorded in 2014
  • The Wicked and the Just (J. Anderson Coats) (342 pages, 7:30 hours)
  • The Spy Catchers of Maple Hill (311 pages)
  • California Driver Manual (106 pages, 4:15 hours) (Yes, DRIVER, not Driver's ... )
  • Unbroken: A Ruined Novel (Paula Morris) (295 pages)
  • Froi of the Exiles (Marlena Marchetta) (598 pages, 16:53 hours)
  • The Amazing Monty  (Johanna Hurwitz)
Recorded in 2013
  • Every Other Day (Jennifer Lynn Barnes)
  • The Last Dragonslayer (Jasper Fford)
  • The Red Convertible
  • Michael's Mystery
  • Inkheart

Wednesday, August 9, 2017

BHUSA17: Datacenter Orchestration Security and Insecurity: Assessing Kubernetes, Mesos, and Docker at Scale

Speaker: Dino Dai Zovi

This was a challenging session to take notes on, given the speed of the slides and the mountain of information, but suffice it to say - Docker and Kubernetes need security help and consistency!

Kubernetes (K8) is a young project, but very active. Many companies have full time engineers working on the project

The security mechanisms in K8 are all very new - only in alpha or beta, or less than 1 month old - seems like an add on.  For example, RBAC is enabled by default in K8 1.6, but many people turn it off to work with older versions.

But, because most security features are new, there are many private distros forked earlier that may be missing the security features entirely! And some will "dumb down" to successfully connect to older versions - so you may have the security feature, but it's not configured. Plenty of potential attacks distributed.

Tuesday, August 8, 2017

BHUSA17: Tracking Ransomware End to End

Only 37% of people backup their data, which leaves them open to ransomeware.

Victims are shown a URL to pay to get back their data. Posted in Tor, so the source is hard to take down. They will only accept BitCoin, so they can use the blockchain to see who paid and who didn't.

BitCoin is anonymous and irrefutable - cannot be reversed! If you find the ledger, you can go back and see who else was ransomed.  Gathering seeds from victim reports and synthetic victims means you have to pay a small amount to find out more about the network.

The researchers initial data was for 34 families with 154,000 ransomed files. by using clustering for dataset expansion to find other victims, they are now working with 300,000 files.  This one ransomware has made approximately $25,253,505 (low ball estimate) - so there's money to be made no doubt!

In 2017, ransomeware increased binary diversity in order to evade AVs.

Many victims don't have any BitCoin, so they buy it from "LocalBitCoins" site (think Craigslist for BitCoin).

BlackHat 2017
The researchers found that 90% of the transactions went through as a single transaction, 9% did not account for the transaction fees and a small percent are doing multiple transactions for unknown reasons.

Locky - a ransomeware family increased spread - started seeing it in infrastructure like hospitals. It was making about $1million/month!

Dridex, Locky and Cerber are all distributed via botnets. Cerber recruits low-tech criminals to help them make a consistent income of $200K/month.

Cerber includes real time chats to talk to customer "service" to help you simply recover certain files.

WannaCray seems more like wipeware, than ransomeware. Even if victims paid, the way it was done was hard to track that you did indeed pay and harder to get your files back.

The researchers have also seen a rise in NotPetya lately - another wipeware.

This is not going away. this is a multi-million dollar industry. Cerber has even introduced the concept of an affiliate model - so more people can "play".  yikes!

BHUSA17: Breaking Electronic Door Locks Like You're on CSI: Cyber

Colin O'Flynn  |  CEO/CTO, NewAE Technology, Inc. – won’t be focusing on “evil maid” problems or commercial locks, just residential. Yes, sometimes it’s easier to just knock down the door – but that’s not this talk. Looked at high security locks (for safes and residential) – high security are $300-$1000, residential are $100-$300.  Inside a keypad, there really isn’t a lot of electronics. From the front side of the lock, it’s hard to do any attacks to the back side.

With residential locks he can sometimes send messages to the back. For vendor A, there’s an easy method to add a new access code. There’s a way to turn that off, but how many people do?  Vendor B did not have this special bypass, but attackers can easily find the existing codes. The lock contained a Zwave radio for IoT, there’s a siren for the alarm (and a transformer to make it loud) and a motor driver. The researcher did not look into the Z-Wave attack vectors, just physical attacks. There is an accelerometer that can detect various levels of tampering. It will also alarm if you enter too many wrong PINs.  So, brute force is not a good plan.

The Vendor B lock has a front panel, so you can use a key or a screwdriver to lift off the front panel. Vendor A’s lock was not susceptible to the same attack. The issue with this attack vector, it would be difficult to replace the panel w/out being detected. There is a cable to send messages to the backend – you can send guesses! No timeout on the backend.  The front end has timers for how often you can put in PINS, no suck protection on the backend.  There is power to the lock – if you short out the power, the alarm will reset the code and disable the alarm.

We were treated to a live demo of the attack.

He built an attack modules – which can do a little over 120 tries/min. Searches 4-digit key space in ~85 minutes. It’s a pretty simple countdown from 9999, does 3 tries then resets lock to continue to try (and thus avoid the alarm).   Think you can set a 6 digit code to prevent this? Think again – once you find the correct first 4 digits, instead of giving you an error or an “okay” it gives you a delay, as it waits for the last 2 digits. Then you only have to brute force the final two.

Fixes: a timeout after wrong guesses, power-on delay, add circuitry to fix in the field.

Future work: look at Z-Wave, power analysis and a variety of other attacks.

Vendors have been very useful on working on a fix, and even doing overall security improvements.  You can check your lock at home by testing if the 30 second bad PIN happens if you reset the power (w/battery disconnect).