Sex, Hacking, and Politics of Unicorns

I tend to try to deal with socially awkward situations using humor. It's a self-defense mechanism designed to prevent escalation in otherwise tense situations. So, when a well-meaning co-worker commented that my success as a woman in a male-dominated industry is a great testament to my capabilities, I replied that the real heroes are all the left-handed people who have succeeded despite their obvious disadvantages.

This response was obviously not delivered in seriousness, nor was it designed to be a constructive mechanism for dealing with the misunderstanding. The idea that the original comment could be misconstrued as an assumption that I must be 'better than average' as a woman in order to succeed among men probably didn't occur to the person who said it. The idea that this statement would be very awkward if applied to a racial minority probably didn't register, either. Likewise, issuing a reminder that my chosen profession has less to do with my sex than with my interests could have been off-putting and taken as an unwarranted defensive reaction. But, while humor builds an interpersonal bridge in response to this misunderstanding, it doesn't resolve anything.

But, I am frustrated for my male colleagues who have been told that their failure to single out my sex during meetings is a gross breach of professional etiquette in the world of modern gender politics. The obligatory "and gal, sorry about that, Heather" is intensely frustrating to me. Not only have I now been singled out to be stared at like an obscure specimen in a jar, but you are left to feel awkward about whether or not you and I are square. The positive side of this is, perhaps this awareness of my sex forces you to challenge unconscious biases that may exist.


Presenting at Conferences for Dummies

I was watching Defcon Unlocked Presentations and was inspired to blog about it.

The conversation centered around new people, and especially women and minorities, who feel like their message or their voice is unsuited for public consumption, especially at large conference venues. Many people whom I greatly respect weighed in on this topic, and I'd recommend watching it. This is my take.

Know your message. Cater to an audience. You're not an imposter. Inspire people. Take it seriously. Don't be afraid of failure. Know your support. Design with intent. Presenting is a skill.


Password Science 301 - Attacker tricks

In my last two posts (Password Science 101 and Password Science 201), I talked about password security from an introductory view, and hit on some of the math involved.

In this post, I'll talk a little bit about shortcuts that make the math easier, and talk about some of the actual techniques attackers use to attack passwords more efficiently. This isn't designed to be a comprehensive how-to for attackers to crack passwords. It's mainly designed to help the slightly math savvy and curious average person understand a little bit about the mindset of attacking a password.

Password Science - 201, the intermediate view

In Password Science 101, I gave a quick, very beginner introduction about what every person with a password can do to make a difference in security.

This post will be a longer post that talks a little more about the math and how it works, so that you can get a glimpse into the mind of an attacker and what an attacker sees when they want a password.

Password Science 101 - Password security for Everyone

There's always a lot of press coverage about passwords whenever someone gets hacked.

Since passwords are something that everyone has some personal control over, it's a worthy message to put out there. That's right. You can make a direct difference to the security of your banking information, your credit card number, or your dirty secrets on the Internet. But how?

This blog post will give you 5 easy tips you can use with your passwords to personally make a difference in online security.


Priorities, CVEs, and CVSS

Even after processes are shored up, there will still be a need to prioritize what needs to be fixed next. Hopefully, with vetted and working processes backing up remediation efforts, this clean up will be manageable.

What to do next? Overwhelming operational areas with a giant list will only create a logjam. But, if we're focused on finding every weakness and trying to establish priorities, is that doing the same to TVM groups?

Stop using your vulnerability scanner for patch auditing!

Patch auditing is important, and you should do it, but your vulnerability scanner or service can (and should) do so much more.

Patching is designed to address the things you know about (or should know about). What about the things you haven't considered?

At first, this sounds counter-intuitive, but consider the goal for doing a vulnerability scan: to identify unaddressed weaknesses. If you have a patch management program, you already know about patches. If it has gaps, you need to know that, of course. But, what about security baselines? If you focus on auditing your patch management to the exclusion of all else (the noisiest aspect of vulnerability assessment), you run the risk of exposure due to misconfigurations that can be far worse than the patches you've missed.


How do I prioritize what to fix?

I spent about six years in vulnerability management before I decided to go be a penetration tester. I was frustrated by having to rely on the analysis of others, and on generalized guesswork to determine what made the biggest threat to the organization. I thought that being able to focus on security research and practical penetration would open my eyes to the realities of offense in a way that would help me make the most sense of security as a discipline.

What I found out was enlightening.


CarolinaCon X Crypto Challenge Writeup

This year, I offered to run the crypto challenge at CarolinaCon X. I was offered the advice that very complex challenges were often met with frustration during the conference and it was requested that I make something that didn't require advanced mathematical degrees or a history of working with the NSA to solve ;)

With that in mind, Jaku and Ryan Linn were both very generous and offered to help me. 

The below post is a writeup of the challenge, how it went, a solution, and some lessons learned. Don't scroll past the writeup header if you don't want spoilers.


Personalizing Data Security Part 3

In parts 1 and 2, we talked about various forms of security testing and evaluation by telling a story about a concerned parent purchasing (and evaluating) a car for the newly licensed teenaged daughter. Now, let's talk about the mechanic for a bit.

You, fortunately, have had a car before, and have had the opportunity to work with this mechanic before. He set your expectations, you’ve seen what he’s done before, and you generally have good reasons to trust him because you know what you want is what he is going to give you. You’ve already got a mutually established language. His services are clearly defined. You know what to expect.

What if you’ve never had a car before, and you don’t know any mechanics? 

Personalizing Data Security Part 2

Previously, we created a story that aligns data security with buying the best car for your only teenaged daughter. Now, let's explore the choice between vulnerability assessment and penetration testing - the consequences of your decision as a parent and car buyer.

Since you're tight on budget, you decide it's best to go with the thorough once-over. After all, if you opt for the test drive, you aren't going to find everything that's wrong, anyway. Your goal is to figure out how you should best spend your money now that you know your car has some flaws. Your objective is to figure out which flaws are the most serious, and address them with your wallet.

Personalizing Data Security Part 1

The problem with data security is that it isn't personal. Those who have the responsibility for security often don't have a personal stake. Sometimes, the issue is with jargon. So, let's have story time. What if your environment were a car? What if it wasn't someone else's data, but your child?

Let’s say you are a concerned parent. Your only daughter has just turned old enough to have her first car. You have shopped around for the right car to meet your needs and your budget, and you’ve bought something. But, now you need to make sure it’s safe. Not only does the law require you to meet certain requirements of auto safety, but would you feel terrible if something bad happened to your only daughter because you chose poorly? What about all of her friends who ride with her, and all the other people on the road?