Building World Class Security Products with Privacy by Design
©2018 AppBugs, Inc. All Rights Reserved.
Steve Tout
CEO
VeriClouds
@stevetout
All information contained in this presentation and all information
provided by the speaker is for informational purposes only.
Neither VeriClouds nor the speaker is an attorney and, as such,
no advice in this presentation is intended to be — or should be
considered to be — legal advice.
THE BIG IDEA
Identity theft and account takeover fraud cost consumers $21 billion in 2017.
Cyber crime damage costs are projected to hit $6 trillion annually by 2021.
A large part of the problem is the billions of credential data sets available for sale on the dark web and online.
GOVERNMENTS ARE NOT AS SAFE AS THEY SHOULD BE. THINK OPM.
COMPANIES ARE NOT AS SAFE AS THEY COULD BE. THINK YAHOO.
TODAY’S SECURITY IS NOT SECURE. THINK EQUIFAX.
We wanted to build something different
• We are all victims now
• It’s not enough to ask HaveIBeenPwned?
• How at risk are my users, and how at risk is my organization?
Credential analytics
• Collect
• Detect
• Protect
9 billion breached credentials
Toxic Waste or Threat Intelligence?
Privacy by design
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the default setting
3. Privacy embedded into Design
4. Full Functionality – Positive-Sum, not Zero Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency
7. Respect for User Privacy – Keep it User-Centric
The 7 Foundational Principles of Privacy by Design
Dennedy, Fox, & Finneran (2014) The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value.
NIST SP 800-63B
The recently published NIST (National Institute of Standards and Technology) Digital Identity Guidelines recommend a list of important verification steps when updating the password for a given account. Specifically, verifiers SHALL compare the prospective secret (i.e., the account password) against a list that contains values known to be commonly used, expected, or compromised. For example, the list MAY include (but is not limited to):
• Passwords obtained from previous breach corpuses.
• Dictionary words.
• Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
• Context-specific words, such as the name of the service, the username, and derivatives thereof.
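The four SP 800-63B blocklist checks on this slide, written out as an added example (not VeriClouds code); the breach corpus, the dictionary, and the username/service names are constructed samples.

```python
"""NIST SP 800-63B blocklist checks for a candidate password (added example,
not VeriClouds code). The breach corpus and dictionary are constructed samples."""
import hashlib
import re

# Constructed breach corpus, held as SHA-1 hex digests rather than clear text.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "letmein", "qwerty123")}
# Constructed dictionary sample; a deployment would load a full word list.
DICTIONARY = {"password", "welcome", "dragon", "sunshine"}


def is_repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """True for runs such as 'aaaa' or stepwise runs such as '1234' / 'dcba'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        chunk = codes[i:i + run]
        steps = {b - a for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def is_context_specific(pw: str, username: str, service: str) -> bool:
    """True when the username or service name (letters/digits only) appears in pw."""
    def norm(s: str) -> str:
        return re.sub(r"[^a-z0-9]", "", s.lower())
    target = norm(pw)
    return any(norm(w) and norm(w) in target for w in (username, service))


def check_password(pw: str, username: str, service: str) -> list:
    """Return the SP 800-63B reasons to reject pw; an empty list means it passed."""
    reasons = []
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("breach corpus")
    if pw.lower() in DICTIONARY:
        reasons.append("dictionary word")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    if is_context_specific(pw, username, service):
        reasons.append("context-specific word")
    return reasons
```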
PROVISION OF RISK INFORMATION ASSOCIATED WITH COMPROMISED ACCOUNTS
Patent Pending
Author: Rui Wang, Ph.D.
Published Date: 07/05/2018
Flow chart, client side: Obtain Password → Perform Hash on Password → Modify Hashed Password → Transmit Modified Password.
Flow chart, service side: Receive Modified Password → Search Modified Password → MATCH? NO: Provide Notification. YES: Transmit Identified Password.
Flow chart, client side: Receive Identified Password → Compare Identified Password to Password → MATCH? YES / NO → Provide Notification.
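The round trip in the flow chart above, written as an added example with both sides in one script (not the patent's or VeriClouds' code); it assumes that "Modify Hashed Password" means keeping only a short prefix of the hash, and the leaked-digest corpus is a constructed sample.

```python
"""Client/service round trip for a compromised-password check (added example,
not the patented method). Assumption: the 'modified' value sent to the
service is a short prefix of the SHA-1 digest, so the service never sees the
password or its full hash. LEAKED_DIGESTS is a constructed sample corpus."""
import hashlib

PREFIX_LEN = 5  # hex characters transmitted to the service (assumption)

# Constructed sample of the service-side corpus: SHA-1 digests of leaked passwords.
LEAKED_DIGESTS = {hashlib.sha1(p.encode()).hexdigest().upper()
                  for p in ("password1", "letmein", "hunter2")}


def client_modify(password: str) -> tuple:
    """Client steps: hash the password, then keep only the prefix to transmit.
    Returns (modified value to send, full digest kept locally)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:PREFIX_LEN], digest


def service_search(modified: str) -> list:
    """Service steps: receive the modified value, search the corpus, and return
    every identified digest sharing that prefix. In a real corpus many digests
    share a prefix, so the service cannot tell which one (if any) the client holds.
    An empty list is the 'no match' notification."""
    return sorted(d for d in LEAKED_DIGESTS if d.startswith(modified))


def client_compare(full_digest: str, identified: list) -> bool:
    """Client steps: compare each identified value to the locally kept digest.
    Only the client learns whether its own password was in the corpus."""
    return full_digest in identified


def is_compromised(password: str) -> bool:
    """Whole round trip; True is the 'password has been leaked' notification."""
    modified, full = client_modify(password)
    return client_compare(full, service_search(modified))
```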
Hardware enforced encryption
Enhances the privacy of sensitive credential data at the design level
• hardware enforced crypto boundary with SGX
Helps defend against internal and external attackers
• malware running on the host machine
• malicious cloud providers
• rogue employees
Credential data are totally UNUSABLE if they are dumped
• data have been sealed/encrypted by SGX
• data can only be used on the SGX-enabled CPU
Making stolen credentials of online accounts and blockchain identities UNUSABLE and UNHACKABLE
Hardware enforced encryption (SGX) hosted with cloud scale economics
Is VeriClouds breaking any laws?
• Criminal intent is a necessary element of all criminal liability. Without
the requisite criminal intent, VeriClouds does not and cannot commit
any crimes.
• VeriClouds operates in the open and prides itself on transparency and
disclosure. Unlike criminal (or even dishonest) organizations, its
officers and employees each have long histories of employment and
experience in the security-research industry.
• RCW 9A.90.030(10). VeriClouds services are used “primarily to promote
security and safety.” The ability to monitor for compromised
credentials and to notify individuals when their credentials have been
leaked helps prevent additional security breaches and lowers risk.
There is unlikely to be a credible argument that VeriClouds engages in
something other than white hat security research.
Satisfying GDPR regulations
According to GDPR Article 6, personal information collection may proceed for the following purposes:
• for the performance of a contract or legal obligation;
• to protect the vital interests of the data subject;
• for a task in the public interest;
• or where processing is necessary for the legitimate interests of the controller.
https://www.kuppingercole.com/blog/tolbert/will-your-security-solutions-violate-gdpr
Summary
• Make privacy by design a first principle
• Be proactive, not reactive, about user privacy
• Anonymize data wherever possible
• Keep master clear stores physically separated from production environments
• Check with vendors about what information they collect and how it is treated
Thank you!
@stevetout
For more information visit www.vericlouds.com