Women in Information Security: Beth Cornils

Last time, I had fun talking with Victoria Walberg. She really understands cloud and IoT cybersecurity. This time, I got to speak to Beth Cornils. She has a pretty cool job that involves making IoT cars safe!

Kim Crawley: Hi Beth! Tell me about what you do.

Beth Cornils: I am a product manager for an autonomous vehicle company. Prior to that, I was the security product manager at Puppet.

KC: What does Puppet do?

BC: Puppet handles infrastructure as code, allowing users to automate processes and make sure they are staying in their intended state. We layered on tracking changes and integrating with security companies such as CloudPassage, CyberArk, and Conjur.

KC: Are the cars your current employer produces IoT?

BC: At Polysync, we are more in the IoT category. We can build a car for users, but we tend to build the middleware such as harnesses. In testing, we use joysticks, so I have literally been a back seat driver in an enclosed space while testing code. It's pretty amazing thinking about the math and safety issues we need to take into consideration when assessing autonomous driving. We noticed a lot of autonomous driving companies focus more on the flash. At Polysync, we're working on safety-critical software for producing autonomous vehicles and providing tools and platforms to enable others to build safer autonomy systems.

KC: What are the biggest cybersecurity risks of IoT cars?

BC: In my opinion, there are a few things. In order to assess and get it right, you need to get your threat model right. Or as right as possible. Cars without autonomy have so many ins already. You need to be aware of those areas like GPS, Bluetooth, and personal cell phones. New cars are basically computers on wheels.

Add on to that the self-driving aspect, which requires the Lidar, GPS sensors, and the other sensors or drivers to assess where the car is at any given time. All of which need to talk to each other.

If you need to connect to WiFi while driving, make sure it's random, at a minimum, and disconnect quickly. Where we sit, we have removed ourselves from the AI piece. This is where I worry about a lot of issues to come in. But we're keeping it as simple as possible, and we're aware of where people can hack in and are continuously improving accordingly. We can get some great tech out there soon. We just need to think of safety first. After all, we are literally creating code where if you mess up people can die. We are very aware of this and take it seriously. Not only that, it's super cool and so much fun to be part of.

KC: How did you get into your field?

BC: If by field you mean product, it was a long and rambling road.

I started out doing data entry, which I hated! I felt there was a better way, so I built a database and had the third parties send their information electronically. Problem solved.

From there, I was a data analyst using AS400s, and I worked at the help desk. After that, I went to a start-up called Unicru where we handled the second largest number of SSNs after the Social Security Administration, did data analysis, and ultimately became a product manager. Databases just make sense to me. I can't explain it. They are just so logical. I was able to keep in my head the application layer's data structure, our reporting data structure, and how they all connected. It drove the devs crazy that I wasn't considered technical as I didn't code, so I didn't have access to the database.

From there, I worked for a company that competed with Nielsen. My favorite project was working on the data for Obama's second run, allowing them to save money doing targeted advertising. I'm pretty sure the Secret Service will come crashing into my house if I ever divulged any of that information. But Obama's team was amazingly smart and wonderful to work with.

From there, I went to Puppet, where I fell in love with ops and security people and their challenges. I decided to focus on security and how to make the two groups' lives easier and get developers, operations, and security to be able to work together.

Here is where I ended up finding an amazing group of women in infosec, some of whom put on TiaraCon during DEF CON last year. There is this realization that tech is 25% women, but infosec is 10%. That's madness. So it became a passion to help women and under-represented groups feel supported, have a network, and not feel alone in the industry. I was lucky to find some amazing male allies who helped get the word out and who supported the cause with their money and their time.

That's a great group whom I wasn't able to help with this year due to personal reasons. They changed their focus to strictly women as well as a name change to Diana Initiative. Lovely, lovely people.

I was lucky to have amazing support from my dev team, CEO Luke Kanies, and several others in the company to learn, build, and get the word out about what Puppet was doing in the security realm. I was basically given free rein by Luke to build the security offering. That's a lot of trust. I did not take that lightly and felt honored that he trusted me to do the right thing.

For reasons, I moved on and found autonomous driving vehicles. It's such a great problem to solve. There is still the safety and security aspect, and the company I am at allows me to get my hands dirty and learn all aspects of the business. My boss is probably the best boss I've had in my career. The wonders of a 20-person start-up.

KC: Wow, that's excellent. Given your experience with the Diana Initiative, how can more women be encouraged to enter databases and development?

BC: I'm working on another project to do just that. I think the Diana Initiative will continue to be an amazing resource. They do networking, resume work, etc., and I expect they'll continue next year at DEF CON. That's a great resource.

I'm also working with a group that's trying to get off the ground called Technology Diversified. Our goal is to help women re-entering the workforce, potential drop-outs, and a broader range of under-represented groups to get the training, networking, and potential grants for education in tech and infosec. With Technology Diversified, we are hoping to have some sites, links, and easier ways for people to get in contact with each other regardless of location.

For me, the best way was to try a few projects, fail, and find people who knew more than me. Participating in groups like Women in Tech or PyLadies. The groups are out there; talk to the people you trust in the industry, and they will help you find a way. But more resources are needed.

Lastly, start following some of the amazingly technical women on Twitter. See who they follow and follow them. It doesn't hurt to message someone and ask for advice. But don't take it personally if they don't get back to you. Some of these amazing women get more DMs than they can possibly read. Keep asking.

So many people want new people to get in the industry and succeed.

KC: Thanks so much for your time! And thanks for taking on this project.

BC: Thank you, Kim!

kim crawley

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute's CISSP and CEH certification exam preparation programs. Ever since, she's contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Terabytes Of US Military Social Media Spying S3 Data Exposed

Once again, sloppy Amazon AWS S3 permissions are catching people out: this time the US military has left terabytes of scraped social media data open to anyone who found the bucket names.

It's not long since a Time Warner vendor's sloppy AWS S3 configuration exposed over 4 million customer records, and that is far from the only case – there are plenty more.

Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.

The archives were found by UpGuard’s veteran security-breach hunter Chris Vickery during a routine scan of open Amazon-hosted data silos, and the trio weren’t exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive.

CENTCOM is the common abbreviation for US Central Command, which directs US military operations in the Middle East, North Africa and Central Asia. PACOM is US Pacific Command, covering the rest of southern Asia, China and Australasia.

Vickery told The Register today he stumbled upon them by accident while running a scan for the word “COM” in publicly accessible S3 buckets. After refining his search, the CENTCOM archive popped up, and at first he thought it was related to Chinese multinational Tencent, but quickly realized it was a US military archive of astounding size.

“For the research I downloaded 400GB of samples but there were many terabytes of data up there,” he said. “It’s mainly compressed text files that can expand out by a factor of ten so there’s dozens and dozens of terabytes out there and that’s a conservative estimate.”

I'm curious to know whether anyone else found these buckets before Vickery did. You would hope that the US military at least had access logging turned on for them, but given they were open to the world, that may not be the case. S3 server access logging is off by default and only records requests made after it is enabled, so if nobody switched it on there is simply no record of who else pulled the data.

It just goes to show (as with MongoDB's old listen-on-all-interfaces, no-authentication defaults) that you can't rely on people to tighten settings themselves. In S3's case the default is actually private: a bucket only becomes world-readable when someone grants public access through its ACL or bucket policy, which means somebody opened these up, most likely to make a sync or a share convenient, and nobody ever revisited it.

Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in Central Asia; however, Vickery noted that some of the material is taken from comments made by American citizens.

The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the US government’s Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Vickery found the Outpost development configuration files in the archive, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch. Another file refers to Coral, which may well be a reference to the US military’s Coral Reef data-mining program.

“Coral Reef is a way to analyze a major data source to provide the analyst the ability to mine significant amounts of data and provide suggestive associations between individuals to build out that social network,” Mark Kitz, technical director for the Army Distributed Common Ground System – Army, told the Armed Forces Communications and Electronics Association magazine Signal back in 2012.

“Previously, we would mine through those intelligence reports or whatever data would be available, and that would be very manual-intensive.”

I guess tools like this are just making it easier to find exposed buckets:

AWSBucketDump – AWS S3 Security Scanning Tool.

There are definitely going to be more of these cases as more people jump on the cloud bandwagon without understanding the security implications. "The URL isn't public, so we don't need to protect it, because no one can find it" is not a control: bucket names live in a single global namespace, are often built from obvious words, and, as this case shows, can be found by scanning for a keyword.
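The checks below are an added example, not code from UpGuard, The Register or the AWSBucketDump project. They take the four S3 settings that decide whether a "private" bucket is in fact world-readable and unlogged (the bucket ACL, the bucket policy, server access logging, and the later-added Block Public Access configuration) and report findings the way an auditor would want them. The input shapes mirror what boto3's get_bucket_acl, get_bucket_policy, get_bucket_logging and get_public_access_block return, but the documents here are constructed samples for a hypothetical bucket named example-archive so the script runs offline; the weak configuration sits beside a hardened one for comparison.

```python
"""Offline audit of the S3 settings that turn a bucket into an open archive.

Added example. The sample ACL, policy and logging documents below are
constructed for illustration; they are not taken from any real bucket.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# "AuthenticatedUsers" means any AWS account in the world, not "my users";
# for exposure purposes it is as public as AllUsers.
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return (group, permission) pairs the bucket ACL hands to the world."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_public_statements(policy):
    """Return the action lists of Allow statements usable by any principal.

    A wildcard principal fenced by a Condition (e.g. aws:SourceIp) is not
    flagged: it still deserves manual review but is not open to the world.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if wildcard and not stmt.get("Condition"):
            findings.append(sorted(_as_list(stmt.get("Action"))))
    return findings


def block_public_access_complete(cfg):
    """True only if all four Block Public Access switches are on."""
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def assess_bucket(name, acl, policy, logging_cfg, public_access_block=None):
    """Produce human-readable findings for one bucket (empty list == clean)."""
    if block_public_access_complete(public_access_block or {}):
        # The bucket-level guard neutralises both ACL and policy grants.
        return [f"{name}: Block Public Access fully enabled; ACL/policy grants are inert"]
    findings = []
    for group, perm in acl_public_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    for actions in policy_public_statements(policy):
        findings.append(f"{name}: policy allows {', '.join(actions)} to Principal *")
    if "LoggingEnabled" not in logging_cfg:
        findings.append(f"{name}: server access logging disabled; no record of who read it")
    return findings


# --- Constructed samples (hypothetical bucket, not one from the article) ---
SAMPLE_BUCKET = "example-archive"
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
SAMPLE_ACL = {  # the classic 'public-read' canned ACL: owner plus world READ
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-archive/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}""")
SAMPLE_LOGGING = {}  # get_bucket_logging returns no LoggingEnabled key when logging is off

HARDENED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": [SAMPLE_ACL["Grants"][0]]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": []}
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "archive/"}}

if __name__ == "__main__":
    for line in assess_bucket(SAMPLE_BUCKET, SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_LOGGING):
        print(line)
    print("hardened findings:", assess_bucket(SAMPLE_BUCKET, HARDENED_ACL, HARDENED_POLICY, HARDENED_LOGGING))
```

Against a live account the same four documents come from `aws s3api get-bucket-acl`, `get-bucket-policy`, `get-bucket-logging` and `get-public-access-block --bucket NAME`; feed the parsed JSON (the policy arrives as a string inside a "Policy" key, and the block configuration inside "PublicAccessBlockConfiguration") into assess_bucket. The point of treating AuthenticatedUsers as public and of ignoring conditioned wildcards is deliberate: the first is a common misreading that opens a bucket to every AWS customer, and the second keeps the report focused on what an anonymous scanner like the one mentioned above would actually be able to read.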

Source: The Register

UK cyber security chief accuses Russia of attacks

Amid reports of Russian interference in the Brexit referendum, a UK government official said on Wednesday that Russian cyber operatives have attacked Britain's media, telecommunications and energy sectors over the past year.

"Russia is seeking to undermine the international system. That much is clear," Ciaran Martin, head of Britain's National Cyber Security Centre (NCSC), said at a London tech conference.

Martin said Russia is among the hostile state actors posing a growing threat, alongside that from "rampant criminality", but he declined to provide any details of the attacks.

"The Prime Minister sent Russia a clear message on Monday night – we know what you are doing, and you will not succeed," he told the summit.

The centre has coordinated the government's response to 590 significant incidents since its launch in 2016, although the agency has not detailed which were linked to Russia.

"I can't get into too much of the details of intelligence matters, but I can confirm that Russian interference, seen by the NCSC, has included attacks on the UK media, telecommunications and energy sectors."

Martin warned that the "international order as we know it is in danger of being eroded" amid a record number of detected cyber attacks and hacking attempts.

The remarks come after Prime Minister Theresa May on Monday accused Russia of spreading disinformation, echoing a heated debate in the United States over alleged Russian interference in the 2016 presidential election.

May on Monday accused Moscow of "seeking to weaponise information" and "sow discord in the West and undermine our institutions".

Russia's cyber activities include "deploying its state-run media organisations to plant fake stories and photo-shopped images", she said in a speech.

Researchers at the University of Edinburgh concluded that 400 fake Twitter accounts believed to be run from Russia published posts about Brexit in an apparent attempt to influence the EU referendum.

Russia, though, has strongly denied any election interference in the United States.