Enigma 2020 Conference Program

In the panel, our four experts will discuss the background of "Crypto Wars" of the past, and thus how we got to our current situation; how this Crypto War is different from the last one(s); the international issues and where the present threats to encryption are coming from; and how we experts at large might measure the problem and see what other mitigations might help before we go shooting ourselves in the face.

Modern software development relies increasingly on code reuse in the form of third-party dependencies from the Open Source ecosystem. Although each programming language has its own tooling and culture, they all encourage a widespread model of adoption without detailed review, and of eager updates to new versions.

This transitive trust in the dependencies authors led to a string of high-profile availability issues and attacks: the recent rest-client Ruby gem compromise, the similar event-stream Node package compromise, the infamous left-pad incident, and many more. These episodes have patterns that we can learn from as an industry: they either involve attackers compromising the developer credentials and uploading new compromised versions, or they involve the ecosystem losing access to the contents of existing versions.

The new Go checksum database—deployed in 2019—was designed to secure the Go modules ecosystem without requiring any extra work by module authors, like extra key management. It provides a centralized log for the checksums of all versions of all public modules. It then deploys the same technology as Certificate Transparency to keep this central authority accountable. It does not introduce any new accounts that can be compromised, and it enables third-party auditors to offer new version notifications to authors. Finally, it's designed to be easily cacheable, enabling a tradeoff in resources and privacy, from simple proxies all the way to full mirrors that don't leak any information about what modules are in use.

This talk will look at the high level design of the checksum database, and how it can be applied to other software package ecosystems to help secure the software supply chain.

Stack Overflow helps software developers from all over the world get their daily programming tasks done. Knowledge and source code shared via this platform shape digital services and applications that are used by billions of people every day. The tremendous impact Stack Overflow has had on today's software urges us and many other researchers to investigate to what extent information security is part of the discussions on Stack Overflow, what the biggest security problems are, and how developers solve them.

Our results tell a story of two tales. In the first tale, Stack Overflow seems to be the source of all evil. It's responsible for unintentionally marketing and distributing severe software vulnerabilities we traced in high-profile applications installed by billions of people. It's been demonstrated that these vulnerabilities would allow practical attacks and theft of credentials, credit cards, and other private data. The second tale tells a complete opposite story, where Stack Overflow becomes one of the most usable and effective tools in helping developers get security right. The moral of both stories is that it only takes small design tweaks to get from one to the other.

We are deeply convinced that these kinds of modifications could have an enormous positive effect on software security in general due to the pervasive use of Stack Overflow. Therefore, we want to highlight the most important results from usable security research over the last years to set the ball rolling. These include identified major security problems, what impact they had on real-world applications, and how we modified Stack Overflow to effectively help people develop secure software.

Just like great escape artists captivate an innocent audience with perfectly measured and planned escapes, these extraordinary illusionists of the cyber world also aim for the same goal. Using meticulous, innovative maneuvers and their specially crafted malware pieces, they are able to analyze their surroundings to detect and evade sandbox environments. At this point, they can choose to conceal their real behavior to carry out their grand finale without being detected. But, how can we see beyond the surface? How can we harden our sandbox systems in order to prevent such evasion techniques?

In this talk, we are going to reveal the techniques used by these attackers to evade sandboxes and avoid being analyzed. We will walk you through the different approaches malware takes in order to achieve this and remain undetected. Additionally, we will show you unique malware samples to examine how they implement these techniques. Finally, we will demonstrate how, thanks to the use of MITRE ATT&CK Framework, we are able to document these techniques and improve our detection and analysis systems.

Most databases in use today have an implicit central trust model—the idea being that system operators have full privilege to access and manage the information being processed in order to perform their work. This poses a problem in at least two particular cases: one, when the workload contains highly sensitive or confidential information, and two, when data are being processed and stored on third-party infrastructure such as a public cloud provider. In a central (or server-side) trust model, a live database breach or leak from publicly-exposed backups or logs can be catastrophic. One approach to protect both data-at-rest and data-in-use is client-side end-to-end encryption, in which sensitive data are encrypted at the application level before ever being sent to the server. Unfortunately, for mature modern databases, few options for native client-side encryption have existed for developers, particularly in the open-source world.

This talk will present lessons learned from nearly two years of engineering work spanning every major programming language, hardware platform, and operating system, to bring simple, usable authenticated encryption as a first-class citizen to the most widely deployed NoSQL database in the world. Insights from simple use cases of small stand-alone servers to some of the most demanding global distributed mission systems will be discussed. We'll review promising emerging cryptography and discuss the practical impact to developers and system designers.

New technologies inevitably bring along new risks. Virtual Reality (VR) is one of those technologies that is slowly creeping into our daily digital lives, however, not much attention has been paid to the risks it brings along. As the industry looks towards mass adoption of Virtual Reality with an expected $40 billion market size and over 200 million active users by the year 2020, these new cyber attacks have already begun making headlines. Kavya Pearlman, founder of XR Safety Initiative is busy building processes, standards and finding novel cyberattacks to stay ahead of the bad guys that are coming for this rising new domain of Virtual Reality.

Given the existence of adversarial attacks and fairness biases, a question might arise if machine learning is useful for security at all. In this talk, we will discuss how to build robust machine learning systems to defend against real-world attacks. We focus on building machine learning-based malware detectors. We address the necessity of considering RoC curves where the FP rates need to lie well below 1%. Achieving this in the presence of a polluted ground truth set where 10–30% of data is unlabeled and 2–5% of labels are incorrect is a true challenge. When a dynamic model is built, testing it against a repository of malware is impossible, since most malware is ephemeral and may no longer exhibit the malicious property. Finally, we discuss how to model realistic adversaries for adversarial attacks and defenses.

In this lively panel, four browser privacy experts representing Brave, Edge, Firefox, and Chrome share their products' approaches toward enhancing privacy and describe their engineering efforts to avoid unintended consequences.

Privacy and security are cultural constructs. We process and interpret them differently depending on our cultural framework. As technology yields unprecedented access across borders, frameworks designed for a few markets are ultimately deployed globally. Yet we still face linguistic and cultural barriers. Explore the geo-cultural dimensions of privacy, security, and communication that frame the global data frontier, unlocking global innovation in products and on multicultural teams. Understand the cultural values associated with approaches to trust, timing, change management, and data privacy and security. This engaging and informative presentation decodes how cultural differences present themselves on multicultural teams and in cross-border business transactions as challenges, but provide the opportunity for innovation and global excellence.

Our presentation outlines several state-of-the-art technical strategies to enable data access for public interest research while complying with privacy regulations like the EU General Data Protection Regulation. Platforms often hold large-scale, high-quality datasets that researchers cannot compile on their own. While GDPR contains exemptions intended to allow platforms to share data with third-party researchers, regulatory "gray zones" that exist within the law—including the concept of data "anonymity," the role and obligation of so-called "data controllers" in public interest research, and the standards for informed consent—are hindering the sharing of substantive datasets. We examine technical strategies being considered to deal with these ambiguities while maintaining user privacy and control, discuss where these strategies are useful and where they fall short, and what challenges still need to be solved. Finally, we propose a set of potential industry standards, both technical and philosophical, that companies, researchers, and users around the world can employ to ensure the privacy and security of data for public interest research.

Data anonymization focuses on hiding specific fields of records. Adversaries, however, view the records as a collection of fields and see what they can glean from the unanonymized fields that will impart information about the anonymized fields. In reality, the problem is one of relationships—which relationships can be exploited to reveal anonymized information. There is always some external information that enables the relationships to be uncovered. This talk examines the question of relationships and their role in anonymizing and deanonymizing data, and treat this as a problem of risk—can the adversaries characterize that external data and find it?

The concept of privacy by design (PbD) is more than 20 years old and a common element in both regulatory and technical discussions. While many strategies for Privacy by Design focuses on product development with a traditional waterfall-style methodology, today's current agile development process does not follow the historically clear cut and distinct design, planning, implementation, and release phases. Many privacy risk mitigation strategies are created for the waterfall-style methodology and focus on the planning phase. The implementation phase consists of taking the planned actions with the hopes that they are enough to avoid the identified risks.

In an agile methodology, software is released in an iterative and feedback-driven fashion, which emphasizes short development cycles, continuous testing, user-centricity and greater simplicity of design. Agile programming practices allow developers across services to continuously tweak, remove or add new features using "build-measure-learn" feedback loops. This includes experimental features, minimum viable products, and alpha releases. While agility requires quick software development sprints, privacy analysis is usually a slow and time-consuming activity. In addition, technical privacy assessments are based on the architectural description of the system, but in agile development, there is often no grand design upfront and the documentation is limited. It might be possible to assess the privacy readiness of each feature, but when these features are combined, there is no guarantee that the service itself or the entire supply chain that underlies it fulfills all the privacy requirements. The latter is the case due to modular micro-service oriented architectures that are favored in current-day software ecosystems.

In this talk, we will demonstrate an approach to technical privacy where privacy by design is applied in a hyper-connected service environment. We will walk through some of the principles coming from GDPR, industry standards such as ISO29100 and Data Protection Authority guidelines. We will also demonstrate how those principles can be applied to a complex agile environment.

We want to open the door for a conversation on what exactly a public record is in today's digital age and how they can be used to prevent crimes, with an emphasis on gender-based crimes like sexual assault, domestic violence, and sexual harassment.

SecureDrop is a whistleblowing platform originally created in 2012 for journalists to accept leaked documents from anonymous sources. It's now currently in use by dozens of news organizations including NBC News, The Washington Post and The New York Times. The goals of the project are to (1) protect the identity of sources while also to (2) provide a secure environment for journalists to read documents and respond to sources. This talk is about is a new QubesOS-based (Xen) workstation for journalists and other users who need to open potentially malicious documents. The threat of journalists opening malware being submitted through a SecureDrop server is handled via compartmentalization, i.e. opening each potentially malicious document in a separate VM. As journalists are increasingly facing attacks—including those we've observed attempting to phish people through SecureDrop—this can make it significantly safer for them to work with source materials.

When in Doubt: The State of Informational Trust and Integrity
It is increasingly difficult to assess information and data integrity. While troll farms garner most of the attention, there is a global proliferation of actors leveraging disinformation tactics to achieve a wide variety of objectives. This panel will analyze the current landscape of actors, tactics, and targets, dispelling many of the growing misperceptions about disinformation while exploring the implications of the real and prominent threat to trust and data integrity. Through analysis of several campaigns, we will also offer insights and tips on how to spot disinformation, and discuss how the security and privacy community can play a role in revitalizing data integrity and subsequently the political, economic, and geopolitical systems which rely on it.

It is discussed in the media every day. It is the focus of congressional investigations and DEF CON villages. It is a core concern of our nation. Our democracy must be resistant to adversarial influences, both domestic and foreign.

Hundreds of millions vote on outdated computers that no cybersecurity professional trusts. Tens of millions vote with no paper ballot record. Government agencies responsible for the correctness and security of election computing systems—primarily the Election Assistance Commission (EAC) and National Institute of Standards and Technology (NIST)—are under-resourced. Elected officials and electoral officials already have their plates full with IT challenges such as database management and ransomware attacks. The costs of recertification make voting system vendors hesitant to make significant changes to their products, especially if they don't see universal demand across their customer base.

These groups understand that things can be better, but they need help.

This talk will explain in plain language (i) how we got to where we are today in elections in the USA, (ii) the aspects of the elections systems landscape that make change difficult, and (iii) practical actions we can take to break this cycle.

We will describe what we are doing in the Microsoft ElectionGuard project and in the DARPA SSITH project to help create a new generation of trustworthy election technologies.

Last Spring, EFF's Eva Galperin challenged anti-virus companies to take action against stalkerware, a class of software that can be covertly installed on a device and used to spy on communications. Marketing of this software is often aimed at abuses spouses, who use it as a tool to harass, control, and spy on their victims. This talk will cover the latest developments in combating stalkerware, including efforts by security companies, tech giants, academics, and the people who are doing the difficult work of supporting victims of domestic abuse as they try to escape their abusers.

When it comes to improving the state of defense in the cybercrime arms race, all too common advice is to be more proactive than reactive. However, close examination of the modus operandi of cybercriminals suggests a great deal of their pragmatism and adaptability to defensive moves. Among other blindspots, exploitable opportunities pursued by cybercriminals typically stem from flaws in the design, implementation, configuration, and deployment of systems. In essence, cybercriminals monetize these blindspots to stir the arms race in their favor.

Using a multi-faceted analysis of pre-packaged cybercrime tools called exploit kits, this talk argues and illustrates that defenders should as well be pragmatic and adaptive enough to turn the weakest links of cybercriminals into concrete opportunities to counter cybercrime. We use the exploit kit phenomenon to highlight how defenders could combine reactive, proactive, and offensive strategies towards pragmatic defense.

On the reactive front, we describe how seemingly simple yet identifying configuration and deployment artifacts are used to identify active exploit kits in the wild. On the offensive side, we illustrate how access to exploit kits source code is leveraged towards an automated infiltration and legally authorized takedown of live exploit kits. On the proactive front, we highlight how lessons learned from reactive and offensive strategies are combined toward real-time threat detection. The talk leaves the audience with key takeaways on pragmatic defense strategies in the face of an adaptive cybercriminal with motives and means.

Fighting spam, phishing, and other forms of abuse on the internet is typically seen as a detection problem: find signals that will identify the bad guys and then use these signals to block them. In this talk, I argue that the most difficult part of fighting abuse is not detecting and blocking the bad guys—it's figuring out whether they're there in the first place. What's the "background level" of spam and fake accounts? How can we figure out what our detection systems are missing? Which abuse problem is the most important one to work on right now?

In this talk, I will show how good measurement of abuse unlocks both prioritization of work and analysis of impact. I will present several approaches that Facebook's integrity teams have used to measure and prioritize their problems, including user reports, human labeling, and automated labeling, and offer scenarios in which each of these should and shouldn't be used.

I will also introduce the "Abuse Uncertainty Principle" which says that you can use a metric for measurement or detection, but not both. The Uncertainty Principle implies that measurement is never a finished project, but I will offer strategies for ensuring that your metrics are good enough to inform key decisions. Armed with these tools, you can go back to your product and find out how much abuse it's attracting, how good you are at stopping it, and where you need to invest next.