How Rob Dodson Does an Accessibility Audit

Rob Dodson is a Google developer advocate on the Polymer team. In addition to that, he specializes in accessibility via his a11ycasts series. In this episode, Rob shows us how an accessibility audit works at a high level. It is by no means exhaustive, but it will help you get the so-called “low hanging fruit.”

Can you easily TAB through your user experience?

  1. Can you navigate around the site using the tab key?
  2. Are there discernible focus styles as you tab around? (bonus points: are they animated?)
  3. Is there a skip link to main content?
  4. Can you ensure there is no off-screen content that can be focused on?
A good accessibility audit can catch selectable content hidden from view, like in menus.

Can you navigate the site via a screen reader and a keyboard?

  1. Do your images have proper “alt text”?
  2. Do you have any custom elements or JavaScript interactivity that a screen reader misses?
  3. Can you use your custom controls with the keyboard?
  4. Can your screen reader (and keyboard navigation) work with modals, dialogs, popups, and other dynamically added elements?

Is Your Page Structure Accessible?

  1. Are there proper page headings?
  2. Are there appropriate “landmark elements” on the page using the role attribute?
The Web Rotor will show you page structure based on HTML tags or role attributes

With these, you can open up the Web Rotor with Ctrl+Option+U to see how it uses the page structure to summarize and navigate the page.

Color and Contrast

  1. Are there any sections with too low contrast between background and text?
  2. Are there any combinations of colors that might cause difficulty to a user with color blindness?

The aXe chrome extension and the Accessibility Developer Tools extensions can help with these issues.

Accessibility Regression Testing

  1. As your front end changes, do you have a process in place that will catch regressions in accessibility?
  2. Is this part of your build and deployment process? (You can use aXe core for this)

Protocol 47 Backscatter Increase in the Last Two Weeks

An Internet Storm Center forums user is reporting an increase in Protocol 47 traffic over the last two weeks. Researchers have detected this via backscatter IBR (Internet background radiation). Typically, this type of traffic is used for Generic Routing Encapsulation (GRE). Many forms of VPN traffic are tunneled through GRE. An astute ISC commenter reports that the payloads don’t carry the correct headers to properly carry out the GRE->IP->GRE->IP attack.

Protocol 47 traffic increasing since late December 2016 (photo via ISC)

Possible Target: Taiwanese Chunghwa Telco

By analyzing the backscatter traffic, the ISC community has determined that the majority of the targets are in Taiwan. The IP addresses are associated with a telco company called Chunghwa. However, no information exists about an ongoing DDoS there. Finally, an update shows there are upticks in protocol 132 and 255 traffic as well. These are Stream Control Transmission Protocol and Reserved/Unknown, respectively.

The Fight Against Signal Caused the Egyptian Government to Block All Google Traffic for a Hot Minute

Signal has begun using a practice called domain fronting to counter the Egyptian government’s censorship of their service. Instead of using Open Whisper servers and domains to send content, they are using the Google App Engine. This effectively hides traffic under an encrypted and trusted domain, masking it among the noise of Google traffic. What looks similar to Google searches, calendar requests, and document collaboration could now hold encrypted messages.

Domain fronting works… too well.

In order to combat this, Egypt would have to blacklist all Google traffic, which they did… for a little bit. A blog called Egyptian Chronicles reported that both Signal and Google have been intermittently going up and down over the last week or so.

Talk Notes: James Powell on How His Daughter Taught Him Social Engineering

James Powell is a senior software engineer at Cisco with a psychology degree. He has been fascinated with the mechanisms of social engineering and manipulation since a very young age. In this talk he compares and contrasts examples of how his daughter manipulates him into giving her chocolate and candy with examples of how companies, adversaries, and even pets manipulate victims.

You Are Always Being Manipulated.

Most of it is benign. This realization came from an unlikely source: his daughter. Children are amazing manipulators; they are goal-oriented and have the benefit of living somewhat outside of our societal moral/ethical framework. This extends to every moment in life. It all can be used as training because everybody is trying to use social engineering on you for better or worse.

The Good Guys?

These are your training partners and instructors. They will provide you the training while they try to get you to do good, or at least neutral, things, like give them candy or pet them.

  • Friends and Family
  • Pets
  • Corporations (sometimes)*

* James includes corporations here but really states they belong “on the fence.”

The Bad Guys

These are people trying to find shortcuts and loopholes in your psychology to get you to do things you don’t want t

  • Scammers / Con Artists
  • Phishing, like the “whaling” attacks used against the DNC.
  • “Watering Hole” Attackers
  • Corporations (sometimes), by way of manipulative advertising

Attack One: Build Trust

This example of social engineering begins by being cute and asking what seems to be a benign question.

His daughter asks “Papa, are you happy with me?” every day (building in repetition!) to which James will almost always reply, “Yes, of course!” His daughter says “Then I will have chocolate for dinner.”

Not a question. Just a statement and a conclusion. In the real world, this might look like the following:

This attempt is not so cute.

“Dan from IT” is a great name to build trust. Dan sounds like a perfectly believable name. “IT” sounds trustworthy. Dan might say he’s here to help and upgrade security patches on your system. You might tell “Dan” that you already upgraded and he’d say “Great job!” to give you good feels, and then say “Just log into this website to verify.”

Defense 1: Be Cautious

This sounds like blanket advice but reminding yourself consciously of it will train you to take it as an active step. Be cautious. Slow down. Think about the situation you’re in. You’ve never logged into a website to verify your updates before, have you?

Defense 2: Trust but Verify

Just like James would ask his wife if it’s OK for his daughter to have candy for dinner, you should check with somebody else if you need to verify your updates via a website. Of course, they will tell you “you shouldn’t have to ask.” Ask anyway.

Attack Two: Developing Reciprocity

It’s only a matter of seconds before she asks for candy. You’ll see.

When people do something for you, it creates an imbalance and pressure for you to do something else in return. Reciprocity is the act of restoring this balance. This all holds true for children as well as adversaries.

James’ daughter will “clean,” reinforce by saying “look how clean I made it!” and then she will finally ask “Can I have candy?”

Defense One: Ask Yourself: “Do I Know This Person?”

Do you know them? In real life? How well do you know them? What are their motivations? Why should you trust what they’re giving you?

Defense Two: Beware More Give Than Take

Infomercials are superb examples of manipulation via “more give than take” with this one simple phrase.

From there, ask whether the situation is more give than take. If so, be even more cautious.

Attack Three: Create a Sense of Urgency

The infomercial above might end with a phrase like “you won’t find a better deal than this!” This may be true, but the function of such a claim is to create urgency. Bringing this back to James’ daughter, it might look a little more like this:

Creating a sense of urgency gets people to panic and respond because they want the alarm to stop. James tells a story of his daughter crying in public. When he rushes to her aid, first she consoles HIM, and then starts asking for things vaguely. “Can you get it for me?” While he’s still panicked, she can get candy, toys, chocolate, whatever.

In the “cyber” world, creating urgency might look more like this:

Lesson 1: Follow a Process

Do you have one? If not, start by making one. Got it? Good.

Lesson 2: Remember Lesson 1

Seriously, all it takes is one person making one stupid mistake to bring everything crashing down.

Rules of Thumb against Social Engineering

Train Like You Fight

Bringing the talk full circle, remember the assertion at the beginning: Every moment in life is an opportunity to train yourself against social engineering. Luckily, most of life is a low-risk environment.

Reward Your Training Partners

In James’ case – if she successfully tricks him, she gets a piece of candy. All it takes for her to win is if he moves before he thinks – not even following through on fulfilling the request. The exception here is advertising and marketing. They’re already getting paid 😉

James ends the talk by reminding the audience that they are physically in the city of Las Vegas – “one of the most well-oiled machines to get you to do things.” They’re also at DEF CON. The perfect training ground.

Talk Notes: Wesley George on The Limits of the ORM

Wesley George is a Technical Lead for a startup in Canada called Clearbanc. The impetus for this talk came from his trying to use the ORM for a complex query and marveling at how slow it was. Thus, he put together this talk based on his adventures in diving deeply into SQL.

An ORM is Cool, but…

ORMs shine when they remove boilerplate code. They provide decent aggregation, but generally only for single table solutions. However, for more complex tasks, using complex SQL queries in a relational database allows you to create extremely powerful and performant aggregations.

Example 1: Simple Signups by Month

You might start with some code that looks like this:

This would run extremely slowly against a sufficiently large or complex dataset, so it behooves us to push the computation down into SQL. Writing the query by hand, even a complex one, lets the database do the aggregation in a much more performant way.

The WITH keyword allows us to essentially create ephemeral tables for use in a query. They are similar to subqueries, except they result in a much simpler final SELECT statement at the end.
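To make Example 1 concrete, here is an added example (not the talk's code) that runs a signups-by-month query with a WITH clause in sqlite3 and contrasts it with the pull-everything-into-Python approach an ORM-style loop ends up doing. The `users` table and its rows are constructed here so the script runs offline.

```python
"""Signups by month with a WITH (common table expression) query in sqlite3.

Added example: the 'users' table and the rows below are constructed so the
script runs offline; no ORM is involved.
"""
import sqlite3

# Constructed sample data: (id, email, created_at) with ISO timestamps.
SAMPLE_USERS = [
    (1, "a@example.com", "2016-11-03 10:00:00"),
    (2, "b@example.com", "2016-11-21 18:30:00"),
    (3, "c@example.com", "2016-12-02 09:15:00"),
    (4, "d@example.com", "2016-12-28 23:59:59"),
    (5, "e@example.com", "2017-01-01 00:00:01"),
]

# WITH builds the ephemeral table 'signups' (user id plus month bucket), so the
# final SELECT is a plain GROUP BY instead of a nested subquery.
SIGNUPS_BY_MONTH_SQL = """
WITH signups AS (
    SELECT id, strftime('%Y-%m', created_at) AS month
    FROM users
)
SELECT month, COUNT(*) AS signups
FROM signups
GROUP BY month
ORDER BY month;
"""


def make_db(rows=SAMPLE_USERS):
    """Create an in-memory database with a users table and the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, created_at TEXT)"
    )
    # Hand-written SQL still goes through bound parameters, never string
    # formatting, so user-supplied values cannot change the query.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def signups_by_month(conn):
    """Run the CTE query; returns [(month, count), ...] in month order."""
    return conn.execute(SIGNUPS_BY_MONTH_SQL).fetchall()


def signups_by_month_in_python(conn):
    """What the ORM-style starting point amounts to: fetch every row and
    bucket it in Python. Same answer, but every row crosses the wire."""
    counts = {}
    for (created_at,) in conn.execute("SELECT created_at FROM users"):
        month = created_at[:7]
        counts[month] = counts.get(month, 0) + 1
    return sorted(counts.items())


if __name__ == "__main__":
    db = make_db()
    for month, n in signups_by_month(db):
        print(month, n)
```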

Example 2: User Engagement Change Segmented by Campaign

For this example, we won’t even attempt to use the ORM.

Annotator’s note: Sorry, I’m not gonna type out the SQL for all this…

Concerning Efficiency and Managing Complexity

The technology inside of a relational database represents decades of computer science research. However, as your data grows into the terabyte and petabyte range, you will need to manage your complexity. Wesley describes a method and mentions a tool for this.

  • Data Warehousing is the process of storing intermediate aggregations or representations of the data on a periodic basis (hourly, daily, weekly, etc).
  • SQLAlchemy is a lower-level SQL Python package, allowing a comfortable code-based medium between an ORM and raw queries.
SQLAlchemy provides an alternative to an ORM, allowing you to represent SQL-like queries in your code.

Talk Notes: Andrew Godwin on Django Channels for the Real Time Web

Andrew Godwin is a Django core developer who works at Eventbrite. In this talk he covers Django for the real-time web, otherwise known as Django Channels.

The Traditional Method

The “old” way of sending and receiving requests, pre-WebSockets and Django Channels

Send a request, get a response. Even with HTTP/2, you can still treat your code the same way in a WSGI-style request.

However, with WebSockets, things change. You can send without receiving, receive without sending, leave sockets open for hours, whatever. It’s the “wild wild west.” In Andrew’s mind, the way Django works with WebSockets should follow the standard Django contract: easy to use, secure by default, hard to break or deadlock, Python 2 and 3 compatible, and optional.

But… There Are Problems.

Python is… not good with concurrency, and Django is not asynchronous. At first glance, it might seem like the solution is something like message passing via WSGI. However, WebSockets also have the additional features of events and broadcasting, which would require cross-thread or even cross-process communication.

Enter Django Channels: Concepts

Channels sits between your user interface and Django and provides an asynchronous layer utilizing WebSockets.

Django Channels is a WebSockets package based on a few concepts.

  • Channels: named FIFO task queues
  • Groups: named sets of channels with add/remove/send operations
  • Messages: representations for HTTP and WebSocket operations.
This is the new way – send a message and receive zero or more messages. Views become Consumers. Messages can also go to Sockets or Workers.

With these concepts, you get 5 simple API endpoint operations:

  1. send('channel_name', {'ponies': True})
  2. receive_many(['channel_one', 'channel_two'])
  3. group_add('group_name', 'channel_name')
  4. group_discard('group_name', 'channel_name')
  5. send_group('group_name', {'ponies': True})
Much like Consumers parallel views, routers.py parallels urls.py

Example: Live Blog

Suppose you want a blog where the readers can get new blog posts as they are published, without refreshing.

  1. The client opens a websocket when the page is opened, and that websocket is added to a group.
  2. When the BlogPost model is saved, we send the post to that group

Fully working example available on GitHub.
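To trace the five operations and the live-blog flow end to end, here is an added in-memory stand-in for the channel layer. It is not the django-channels package and the consumer names are mine; it only implements the semantics the talk lists (named FIFO channels, groups as named sets of channels) so the two steps above can be run offline.

```python
"""In-memory stand-in for the channel layer described above.

Added example, not the django-channels package: channels are named FIFO
queues, groups are named sets of channels, and the five operations have the
semantics the talk lists, so the live-blog flow can be traced offline.
"""
from collections import deque

LIVEBLOG_GROUP = "liveblog"


class ChannelLayer:
    def __init__(self):
        self._channels = {}  # channel name -> deque of message dicts (FIFO)
        self._groups = {}    # group name -> set of channel names

    def send(self, channel, message):
        self._channels.setdefault(channel, deque()).append(dict(message))

    def receive_many(self, channels):
        """First (channel, message) available among the named channels, or (None, None)."""
        for name in channels:
            queue = self._channels.get(name)
            if queue:
                return name, queue.popleft()
        return None, None

    def group_add(self, group, channel):
        self._groups.setdefault(group, set()).add(channel)

    def group_discard(self, group, channel):
        self._groups.get(group, set()).discard(channel)

    def send_group(self, group, message):
        """Fan the message out to every channel currently in the group."""
        for channel in sorted(self._groups.get(group, ())):
            self.send(channel, message)


# Consumers play the role that views play in a normal Django request cycle.
def ws_connect(layer, reply_channel, user_is_allowed=True):
    """Step 1: on socket open, join the group. Authorise before group_add:
    every member of a group receives every broadcast sent to it."""
    if not user_is_allowed:
        layer.send(reply_channel, {"close": True})
        return False
    layer.group_add(LIVEBLOG_GROUP, reply_channel)
    return True


def ws_disconnect(layer, reply_channel):
    layer.group_discard(LIVEBLOG_GROUP, reply_channel)


def blogpost_saved(layer, title, body):
    """Step 2: stand-in for the BlogPost save hook; pushes the post to the group."""
    layer.send_group(LIVEBLOG_GROUP, {"text": f"{title}: {body}"})


def drain(layer, channel):
    """Collect every queued message text on one channel, in FIFO order."""
    texts = []
    while True:
        name, msg = layer.receive_many([channel])
        if name is None:
            return texts
        texts.append(msg["text"])


def demo():
    """Two readers connect, a post is saved, one leaves, another post is saved."""
    layer = ChannelLayer()
    ws_connect(layer, "websocket.send!A")
    ws_connect(layer, "websocket.send!B")
    blogpost_saved(layer, "Hello", "first post")
    ws_disconnect(layer, "websocket.send!B")
    blogpost_saved(layer, "Again", "second post")
    return {ch: drain(layer, ch) for ch in ("websocket.send!A", "websocket.send!B")}


if __name__ == "__main__":
    print(demo())
```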

Example: Chat

The simplest chat: a person types a message, everybody gets it. This example is nearly identical to the above example but instead of using the save method on a model, we simply use the ws_receive method:

  1. The client opens a websocket when the page is opened, and that websocket is added to a group.
  2. When a message arrives in ws_receive, we send it to that group

Fully working example available on GitHub.

Other Cool Stuff!

The ASGI Specification

Now that there’s a WebSocket medium for Django, we need a standard way of structuring channels and messages. Enter ASGI. This is an API specification for channel layer backends, as well as a message format for HTTP and WebSockets. ASGI is perfectly compatible with WSGI, and a number of other technologies as well.

Scaling?

Interface servers scale horizontally, as do worker servers. Thus, the channel layer has to as well. Luckily Django Channels has consistent hash sharding built in. Andrew talks about how it will be part of Django soon, but it’s not quite mature enough yet.

DNC “Whaling” Hack in Alarming Detail via @pwnallthethings

For hackers using spearphishing as their method of attack, there are small bites and then there are whales. Whales are large value targets such as bankers, corporate executives, and of course high-ranking political officials such as John Podesta. This process of “whaling” is what allows hackers or groups of hackers such as APT28 and APT29 to gain access to DNC emails and infrastructure.

What follows is a breakdown of how the spearphishing attack on the DNC worked, with some great sleuthing from @pwnallthethings aka Matt Tait.

JusticeBeaver on Discovering and Triangulating Rogue Cell Towers

JusticeBeaver (Eric Escobar) is a security engineer at Barracuda Networks. He started as a civil engineer and moved to all things wireless networking. In this talk he discusses how to detect and locate a rogue cell tower, or IMSI catcher.

What is a Rogue Cell Tower?

A rogue cell tower is a device that allows somebody, usually an authority of some sort, to do an “evil twin” attack on your phone by posing as a cell tower. They are also known as IMSI catchers, cell-site simulators, or by the brand name Stingray. According to the ACLU, 66 agencies and 24 states own Stingrays. They are also used abroad.

These allow the operator to collect metadata from phones, but in some cases they can also downgrade your connection and, by doing so, capture your calls, SMS, and data.

IMSI stands for International Mobile Subscriber Identity and it is a unique identifier for your phone

Why Should You Care?

These devices are extremely invasive. They are essentially one big net that can capture you, as a small fish. Your phone connects automatically to the device with the strongest signal. All transmitted data is suspect – even two-factor authentication codes sent through SMS.

How Do You Detect an IMSI Catcher?

Cell towers broadcast data about themselves, and the values should remain constant. Compare incoming data against a baseline built up over time. If you detect deviations, it could be as simple as work being done on the network, or it could be an IMSI catcher.

Examples:

  • A new cell tower
  • Country code mismatch
  • Mobile network code mismatch
  • Frequency mismatch
  • Location area code mismatch
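The baseline comparison above, written out as an added example (not JusticeBeaver's code). It assumes tower observations have already been parsed into the fields below, whether from SIM900 engineering mode or a phone's field test mode; the baseline and the sample readings are constructed.

```python
"""Baseline-vs-observation detector for the tower deviations listed above.

Added example, not from the talk. Assumes observations are already parsed
into the fields below; the baseline and sample readings are constructed.
"""
from collections import namedtuple

# One observed tower: mobile country code, mobile network code, location area
# code, cell id and channel number (the broadcast frequency as an ARFCN index).
Tower = namedtuple("Tower", "mcc mnc lac cellid arfcn")

# Constructed baseline: towers seen repeatedly from a fixed spot over several days.
BASELINE = [
    Tower(mcc=310, mnc=410, lac=1234, cellid=5001, arfcn=128),
    Tower(mcc=310, mnc=410, lac=1234, cellid=5002, arfcn=131),
    Tower(mcc=310, mnc=410, lac=1235, cellid=5003, arfcn=140),
]


def build_baseline(towers):
    """Index the baseline: known cells by id plus the sets of codes ever seen."""
    return {
        "cells": {t.cellid: t for t in towers},
        "mcc": {t.mcc for t in towers},
        "mnc": {t.mnc for t in towers},
        "lac": {t.lac for t in towers},
    }


def check_tower(baseline, obs):
    """Return the list of deviation names for one observation (empty = normal)."""
    findings = []
    if obs.mcc not in baseline["mcc"]:
        findings.append("country code mismatch")
    if obs.mnc not in baseline["mnc"]:
        findings.append("mobile network code mismatch")
    known = baseline["cells"].get(obs.cellid)
    if known is None:
        findings.append("new cell tower")
        if obs.lac not in baseline["lac"]:
            findings.append("location area code mismatch")
    else:
        # Same cell id as a known tower: its area code and frequency should not move.
        if obs.lac != known.lac:
            findings.append("location area code mismatch")
        if obs.arfcn != known.arfcn:
            findings.append("frequency mismatch")
    return findings


def scan(baseline, observations):
    """Map each anomalous observation to its findings; normal towers are omitted."""
    report = {}
    for obs in observations:
        findings = check_tower(baseline, obs)
        if findings:
            report[obs] = findings
    return report


# Constructed readings: two normal towers, one reusing a known cell id on a
# different frequency, and one never-seen tower announcing another network.
SAMPLE_SCAN = [
    Tower(310, 410, 1234, 5001, 128),
    Tower(310, 410, 1234, 5002, 131),
    Tower(310, 410, 1234, 5001, 512),
    Tower(262, 1, 9999, 77777, 60),
]

if __name__ == "__main__":
    # In a deployed detector this report is what you would send via e-mail,
    # Twilio or Pushover rather than print.
    for tower, why in scan(build_baseline(BASELINE), SAMPLE_SCAN).items():
        print(tower, "->", ", ".join(why))
```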

How Do You Locate a Tower?

Once you notice an anomalous tower, you might want to figure out what it is. The best way to do this is to combine all available cell tower data with receive power and location, using a single sensor that can be moved.

Some math and free GIS software can give you some fancy maps to locate a potential IMSI catcher.

Trilateration vs Triangulation

These are similar concepts but often confused. Essentially: triangulation is the practice of using the intersection of strongest-signal angles from three detectors to zero in on a location. Trilateration, on the other hand, uses indirect data like the signal strength at three or more detector positions to determine the location of a cell tower.
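Trilateration from signal strength, carried through as an added worked example (not from the talk). It assumes a log-distance path-loss model with made-up reference power and exponent, takes readings from one sensor moved to several spots as the talk suggests, and solves the resulting system by least squares so it works for more than three readings too.

```python
"""Trilateration from received signal strength.

Added example, not from the talk. Distances come from a log-distance path-loss
model with assumed parameters; sensor spots and readings are constructed so
the answer is known in advance.
"""
import math

REF_POWER_DBM = -40.0   # assumed received power 1 m from the transmitter
PATH_LOSS_EXP = 2.5     # assumed environment exponent (2 would be free space)


def rssi_to_distance(rssi_dbm, ref_dbm=REF_POWER_DBM, n=PATH_LOSS_EXP):
    """Invert the log-distance model P(d) = P0 - 10 n log10(d / 1 m)."""
    return 10 ** ((ref_dbm - rssi_dbm) / (10 * n))


def distance_to_rssi(d, ref_dbm=REF_POWER_DBM, n=PATH_LOSS_EXP):
    return ref_dbm - 10 * n * math.log10(d)


def trilaterate(readings):
    """Least-squares position from >= 3 (x, y, distance) readings.

    Subtracting the first circle equation from each other one linearises it:
    2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 - x1^2 + xi^2 - y1^2 + yi^2.
    The overdetermined 2-unknown system is solved via its normal equations.
    """
    if len(readings) < 3:
        raise ValueError("need at least three readings")
    x1, y1, d1 = readings[0]
    rows = []
    for xi, yi, di in readings[1:]:
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2
        rows.append((a, b, c))
    # Normal equations (A^T A) p = A^T c, a 2x2 system solved by Cramer's rule.
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-12:
        raise ValueError("sensor positions are collinear; cannot trilaterate")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def locate_from_rssi(samples):
    """samples: (x, y, rssi_dbm) taken by one sensor moved to several spots."""
    return trilaterate([(x, y, rssi_to_distance(r)) for x, y, r in samples])


# Constructed readings: a transmitter at (30, 40) m observed from four spots,
# with the RSSI synthesised from the same path-loss model used to invert it.
TRUE_POS = (30.0, 40.0)
SENSOR_SPOTS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
SAMPLES = [
    (sx, sy, distance_to_rssi(math.hypot(sx - TRUE_POS[0], sy - TRUE_POS[1])))
    for sx, sy in SENSOR_SPOTS
]

if __name__ == "__main__":
    print(locate_from_rssi(SAMPLES))
```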

How to Build a Detector?

JusticeBeaver walks us through how to build a detector with $52 worth of parts:

Mega-hacked IMSI catcher detector for $52. It’s a hack, but it works!

Getting Cell Tower Data: SIM 900 or Field Test Mode

The SIM 900 is an inexpensive device that gives you the broadcast data from the top 7 nearby towers. Engineering mode requires no SIM card, and it does not sniff data. You can also achieve this using Field Test Mode on your phone.

Typically, the SIM 900 will return data in this format, and the GPS will return data in this format. You can parse and store that in SQL or NoSQL, or whatever medium of your choice.

Beware the TV Tuner!

Depending on where you are, listening to raw GSM frames can be very illegal.

Once You Locate a Tower

You can send yourself a notification using Email, Twilio, or PushOver. If you get a notification, turn off your phone. Then you can start looking at the data.

2016 DNC Hack: A Joint Technical Report from FBI and DHS

On December 26, 2016, the FBI and DHS published a joint technical report called GRIZZLY STEPPE – Russian Malicious Cyber Activity. Many publications are referencing this document as proof of Russian involvement in recent high-profile data breaches, such as the DNC hack the document focuses on.

However, the stated intent of the document is to share insights gained from studying and countering these attacks, so that other companies, organizations and agencies can properly prepare for them and mitigate any damage that happened as a result.

Although not its intention, the document does not pull any punches in attributing the DNC hack to Russian Intelligence Services (RIS)

Main Actors: Advanced Persistent Threat 28 and 29

The document identifies two actors: one called Advanced Persistent Threat (APT) 28, and one called APT29. After gathering and analyzing data related to the susceptibility of their targets, both actors use spearphishing attacks to gain remote access to systems, using various methods to deceive and evade detection.

Suggested Mitigation

The document is accompanied by a list of IP addresses, YARA signatures, and file hashes (in CSV and XML format) associated with RIS actors, and suggests a full audit of such indicators of compromise (IOCs). It then lists the “usual suspects” when it comes to Web-based InfoSec: SQL injections, XSS attacks, and server misconfiguration.

I won’t copy the full list here; you can see the PDF yourself. To its credit, it does contain over three dozen best practices when it comes to security, all of them valid and worthwhile.

Enhancing Cybersecurity Posture Post-DNC Hack

The most interesting part of the document is near the end, titled “How to Enhance your Organization’s Cyber Security Posture.” I will enumerate them here, because each one is notable. For better or worse, almost every single one of these postures involves sharing (or receiving) information with (or from) a government agency.

  • Cyber Security Advisors (CSAs) are DHS personnel assigned to each of the 10 FEMA regions, tasked with cybersecurity preparedness, mitigation, and incident response.
  • Cyber Resilience Review (CRR) is a no-cost vulnerability assessment available for critical infrastructure sectors such as state or local governments.
  • Enhanced Cybersecurity Services (ECS) is a group that will actually share classified and sensitive threat models with relevant professionals. Thus, critical infrastructure can be maintained and protected against novel attacks.
  • The Cybersecurity Information Sharing and Collaboration Program (CISCP) is a program of voluntary information sharing between operators of critical infrastructure and the Federal Government.
  • Automated Indicator Sharing (AIS) is much like CISCP, but it is an automated system that is triggered by threat indicators. The locally-hosted system will participate in two-way data sharing with the DHS, uploading information and downloading new threat models.
  • The Cybersecurity Framework is a NIST-created tool that provides standards, guidelines, and practices for an IT infrastructure.

Irene Chen’s Beginner’s Guide to Deep Learning

Deep Learning, the endeavor to make computers as smart as humans, or even just its simpler cousin Machine Learning, can be incredibly overwhelming and daunting to learn. There’s either too much code or too much math. Luckily, Irene Chen wrote this talk for Beginners to learn the fundamentals of deep learning.

If these Talk Notes are useful to you, become a patron!

Deep Learning: Why Now?

Neural networks have been around since the 1970s. Why the resurgence now? Three factors provide a new foundation for modern Deep Learning.

  1. Big data (aka the “fuel” of the rocket ship)
  2. Big processing power
  3. Robust neural networks  (aka the “engine” of the rocket ship)

Because of this “perfect storm,” we are seeing a tremendous number of breakthroughs in ML / DL / AI (e.g. AlphaGo).

Neural Networks: The Avocado Classifier

Neurons are the cells that comprise the human brain. Synapses connect neurons together. Computer scientists have modeled this with a simplified graph called a neural network. In this graph, neurons are modeled with what are called nodes, and synapses are modeled with what are called edges.

Simple graph of a neural network, a critical data structure in deep learning

Note that some arrows are thicker than others – each edge has a weight, a measurement of the importance of the data passing through it. This is represented mathematically via a sigmoid function.

The hidden layers are everything between the input and output nodes.

Very simple example: Given an avocado and its height, “squishiness”, and the color of its skin, can you determine whether or not it is perfectly ripe?

Forward Propagation is the standard execution model of the neural network, from input to output. Likewise, backwards propagation (or “backpropagation”) is when you work from output to input, changing weights and value of nodes and edges to improve your model.

Mathematical constructs used in deep learning

To reduce errors, “tune” your parameters experimentally or by using the above math. Convergence is when your error rate is “good enough” based on the number of iterations.
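The avocado classifier with forward propagation, backpropagation and a convergence check, as an added example in plain Python (not Irene Chen's code). The network shape (3 inputs, 4 hidden sigmoid nodes, 1 output), the feature scaling and the ripeness labels are all constructed assumptions.

```python
"""Tiny avocado-ripeness network: forward propagation, backpropagation,
and convergence, in plain Python.

Added example, not the talk's code. Inputs are constructed and scaled to 0..1
(height, squishiness, skin colour where 1 = dark); labels are constructed so
that 'squishy enough and dark enough' means ripe.
"""
import math
import random

# Constructed training set: (height, squishiness, colour) -> ripe (1) or not (0).
AVOCADOS = [
    ((0.50, 0.10, 0.10), 0), ((0.60, 0.20, 0.30), 0),   # hard and green
    ((0.50, 0.10, 0.85), 0), ((0.70, 0.50, 0.20), 0),   # hard but dark / soft but green
    ((0.55, 0.60, 0.85), 1), ((0.45, 0.70, 0.90), 1),   # soft and dark: ripe
    ((0.65, 0.55, 0.80), 1), ((0.40, 0.90, 0.95), 1),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class TinyNet:
    """3 inputs -> n_hidden sigmoid nodes -> 1 sigmoid output. Weights are the
    edge thicknesses in the diagram; biases are per-node offsets."""

    def __init__(self, n_in=3, n_hidden=4, seed=7):
        rng = random.Random(seed)  # fixed seed so runs are reproducible
        self.w1 = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-1, 1) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        """Forward propagation: input -> hidden activations -> output."""
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        y = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, y

    def train_step(self, x, target, lr):
        """Backpropagation for squared error; sigmoid derivative is s(1-s)."""
        h, y = self.forward(x)
        d_out = (y - target) * y * (1 - y)                # dE/dz at the output node
        d_hidden = [d_out * w * hi * (1 - hi) for w, hi in zip(self.w2, h)]
        for j, hj in enumerate(h):                        # output-layer edges
            self.w2[j] -= lr * d_out * hj
        self.b2 -= lr * d_out
        for j, dj in enumerate(d_hidden):                 # hidden-layer edges
            for i, xi in enumerate(x):
                self.w1[j][i] -= lr * dj * xi
            self.b1[j] -= lr * dj
        return 0.5 * (y - target) ** 2

    def predict(self, x):
        return 1 if self.forward(x)[1] >= 0.5 else 0


def mean_error(net, data):
    return sum(0.5 * (net.forward(x)[1] - t) ** 2 for x, t in data) / len(data)


def train(net, data, lr=1.0, max_epochs=5000, good_enough=0.005):
    """Iterate until the mean error is 'good enough' (convergence) or we give up.
    Returns (epochs_run, final_mean_error)."""
    err = float("inf")
    for epoch in range(1, max_epochs + 1):
        err = sum(net.train_step(x, t, lr) for x, t in data) / len(data)
        if err < good_enough:
            return epoch, err
    return max_epochs, err


def accuracy(net, data):
    return sum(net.predict(x) == t for x, t in data) / len(data)


if __name__ == "__main__":
    net = TinyNet()
    epochs, err = train(net, AVOCADOS)
    print(f"stopped after {epochs} epochs, mean error {err:.4f}, "
          f"training accuracy {accuracy(net, AVOCADOS):.0%}")
```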

Deep Learning Tools and Communities

  • Scikit-learn – very beginner friendly, contains a number of ML algorithms
  • Caffe – UC Berkeley’s computer vision library. Contains “Zoo,” a group of pre-trained models
  • Theano – Efficient GPU powered math
  • IPython Notebook (Jupyter) – great for interactive coding
  • Kaggle – Casual ML cooperative with contests and such