The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
>> MODERATOR: Good morning, everyone. This is keeping your credentials secure online. (inaudible) (low voice)
>> But describe the overall processes, but one of the things we know was that there were a lot of things that were happening. There is the overall life cycle in the management and what they're describing in the overall community and also to have the awareness of what is at risk will be affected overall over the lifetime.
>> (inaudible) we're having audio problems. And so (inaudible) I will come back to you. (inaudible) (static) are you there?
>> Okay. So my goal as security operations and (inaudible). The ugly consequence in that potential is compromised in certain levels.
>> Thank you. It's just a challenge (inaudible) but really doesn't work from a security perspective today and it forces the use every to take the security pass with the technology and (inaudible) in some ways. There's also new technology that's used more than just (inaudible). So only that's important for the devices. As we mentioned, there are other technologies and people using of
>> It's a closed network but has the afterhours confirmation for a whole lot of people and a way of bringing to the bed side at night. That's where we have to do the most careful work. And it feels like there are three very closely related, but separate problems here. One is how you determine that the person who you're talking to is the one that you think you're talking to. That sort of user authentication is subject to the kinds of technology that aviary is talking about and a lot of good practices to keep users from shooting themselves in the foot. It's probably best handled using a key volt sort of thing on a user's device where a user has a password that allows them to unlock different credentials for every service provider they're dealing with. Second question is: When the user is giving me as a service provider information, are they giving me more than I need? Are they giving me more than I should have? Are they giving me information that I can do something harmful to them with or if I lose that information, they'll be harmed in some other way. So there's no reason for me to have more than I need and that just represents a risk to me, a risk to the user, liability all the way around and the third is how do I predict the data against incursions. That's the thing we're seeing with registrars where hackers are breaking in and stealing an entire database with log in credentials and personal data for a lot of users. Using overlapping technology and practice is to solve them, they each serve a different class of problem.
>> We'll get that into more detail. We have a question queued up for Ben. Cedric, from your perspective, I guess you come from a different point of view. So I am just curious. You came a little bit late. Do kind of a quick introduction. From your perspective in the work that you've done on Mexico and the Latin America, what worries you most about credential management and when things go wrong?
>> CEDRIC LOREN: Yes, sir. My name is Cedric Loren. I am an attorney in Mexico. What I've seen in my practice is Mexico is at the stage where U.S. was in 2003. They've got a law they passed in 2010. That entered into 2012. Now three years later, they're not exactly at the U.S. stage. They're a little bit more backwards most ‑‑ most companies right now haven't ‑‑ although they have the obligation to notify that of breaches according to a person of that what, none of them has done so. The few that have done so have done so pursuant to stock exchange regulations.
It is very difficult to get statistics, to get numbers and precise information on the causes of the data breaches. Very difficult to say whether it's a problem at the management of the credentials, whether it's the company's fault, the data controllers fault, the user, the customers fault and how he or she or the company managed the credentials. If I've got time a little bit later on, I could talk about a few specific cases where the problem might have been the management of credential, but it may not. It's very difficult. We don't have very much information. There are two cases which I could talk because I personally detected the problem and I notified the entities involved. So the situation is pretty blurry right now, in Mexico at least. There are two other countries in Latin America that also have data protection laws that mandate companies to notify data breaches. But in the world apart from the U.S., the European union and the telecom sector, there are not many countries that do have data breaches notifications that (inaudible) to certain extent to have more precise information about the origin of data breaches.
>> MODERATOR: Great. We have a question for Ben and we will have questions directed to the audience in a second Ben, you can tell me from your perspective in terms of the recent attacks that you mentioned that took place between 2012 and 2013. You can give us general details if you can't speak about specifics and if these attacks have led to data breaches of any kind and how they get what is going on to that point. From your perspective, the GoDaddy.
>> Ben: We have seen numerous attacks from an operational perspective over the past few years that are attacking in some way, shape or form the credentials of (inaudible). One large and ongoing example is commonly known as the angler attack. Essentially what this is is it starts with a fishing of spear fishing attacks targeting the main registrants. So those would be in the form of e‑mails pretending to be either ICANN reminding people to update their who is contact information and perhaps the main renewal notice. And the registrants that fall for that essentially give their credentials to the fishing attack. They are compromised and are used to log in to the registrar's systems to create a record so that the attacks to legitimate domains and then the A‑records point to the malware delivery mechanisms. So then to follow the thread chain a little bit further, now you have a series of many thousands of legitimate main names that are still operating from the perspective of the registrant, but they also have additional (inaudible) that the registrants did not know about. And then those A‑records or sub‑domains are being used to distribute malware of many different kinds. We give someone information about this in several other attacks at several levels within the DNS infrastructure in the paper to write up on the angler attacks. As far as data breaches, that's kind of from the DNS perspective, that is the start if they breach (inaudible) (glitching) either because of passwords or fishing attacks and they use to leverage the main names that might be in that account for nefarious purposes.
>> MODERATOR: You may speak.
>> MERIKE: I'm sorry. I lost video. So is it my turn to speak?
>> MODERATOR: Yes.
>> MERIKE: One of the things we noticed in discussions with registrars and registries is there's also the issue of reuse of credentials. So, all employees, don't care if it's in the DNS organization space and registrars or registries for any type of organization, employees are accessing business‑related machines. I don't know if any of you have ever counted how many credentials you have. I did that a couple months ago and I realized I had 180 different credentials, when I counted everything. Our whole entire life is becoming something important on the internet. And many times how many of us will keep track of 180 credentials as Bill mentioned. You need to have a password credential password system. For my myself, I do reuse passwords for things that are not that important to me and where somebody got a hold of that credential and there wouldn't be a lot of damage; however, if you're in business types of environments, you really should have individual credentials, passwords and pass phrases to every single device that you access. That would be best practice so that you don't have fade shares. With multi‑factor authentication, that becomes a little bit of a different issue where you might be able to just remember one password and have a multi‑factor that can help create more security. But one of the things that we realized with all of these credentials that people are reusing that, you know, people have to be really cognizant of how they're creating these credentials and how they're being distributed, how they're being stored, how they're being backed up. You realize if people are using mobile devices to access certain sensitive areas, are they use anything Cloud back ups? Are these sensitive credentials somewhere in the Cloud where that gets compromised and again, you have fade sharing. How are you renewing the credentials? Do you have the practices in place that you are authenticating that individual properly to assure and ascertain that it is actually that individual who wants new credentials and not somebody impersonating them? How do you go about revoking them and how do you destroy old credentials? We have to pay attention to the whole life cycle of the whole credential document which this document was trying to bring forth. It has benefits to not only the DNS industry, but basically every industry that's out there. Thank you.
>> MODERATOR: Great. Thank you. What I want to do is maybe ask a question to you, Ted, and then maybe turn to the audience a question. What's the ID doing in this? Is there any innovation to try to improve the situation given how the severity the attacks have been in terms of what Microsoft may be doing and maybe Intel as well seeing that this is an issue that's getting worse and what are you doing perhaps in innovative technologies or approaches? I am curious to see what is coming down the pipe.
>> First and foremost, I wish I could tell you there is magic pixy dust that would come along and fix this problem. But I fear that I must disappoint both myself and the audience on the pixy dust question. When what you're doing is trying to manage a security relationship. The critical thing is what's the threat model you are trying to meet? So the first step is try and get people to go back and look at what the threat models they were trying to meet with some of these systems actually were. And I think she was just mentioning the fact that she reuses credentials on sites she doesn't care about. As a security professional, her threat model tells her there's functionally no threat. Somebody wanted a unique log in, it wasn't actually for a security purpose. It was for a log in purpose or for associating some form of understanding of which articles had already been red in ICSS. So one of the main thrusts of the ITF's work in security at this moment is data minimization. The amount of data shared at the minimum required to make a transaction happened. And so the advice we're giving at this point is hey, if you're collecting data, you don't use ‑‑ it's a liability as Bill pointed out either directly, there should be a breach as a potential source of spear fishing to somebody else. We have seen attacks where somebody can get your social from one provider and get your e‑mail from somebody else and then they build their way up from there. So data minimization of E‑thrusts efforts is something that I think will continue. The other point that I will make is we're trying very hard to get people to look at the internet as encrypted by default. There are issues by the internet, but it turns out it is also relevant here. People deploy interception proxies. What they're doing is creating another security target that can be compromised and which has a huge amount of contentious data in it. Not contentious data, but confidential data. As we move forward with that security effort to try and make well crafted end to end encrypted flows of the internet, we're actually also reducing this risk. But functionally, there never will anybody pixy dust for this. There are some wonderful things going on with two factor words not what you and know what you have, but what are you close to if you have both my lap top and my phone, maybe that's enough to get the Washington Post subscription that I really don't care about. But the core thing around the data security practices for credential management really is going to require the kind of work that's already gone into this best practices document.
>> Microsoft has been investing in encryption by default, encryption between the customer and the data center encryption when transmitting in data centers. We had started that before the enclosures. I am curious to see how they've expanded. We're big believers in multi‑factor authentication. When it's down, that's another point of failure frustrating customer and it's great if my phone can authenticate my laptop, but if rime just working from my phone and I don't have my laptop, that's a little bit more problematic. Lastly, I'm very concerned about best practices documents. The best practice document for protecting Microsoft active directory, which is your premium credential system is 500 pages. And I have read it and it spans detail from novices and CEOs down to security professionals, but it's a very detailed and daunting document and when people don't have a lot of people or the correct level of expertise, the proliferation of best practices document I think is a little bit concerns. We're seeing this with the Shaw one hash deprecation where a lot of my customers were not aware of the issue until we issued a blog post saying we might move up our deadline. People said move up what deadline? What does this mean for me? We live in a complicated system, a heterogenous system where you have suppliers that take dependencies upon each other. Even in Microsoft, if you are using one version, an older version of system center configuration manager and then windows changes its Shaw one hash policy, you may find the older version of your management software doesn't support the new certificates that are being enforced by Windows. So that's a Microsoft only solution. If you have a heterogenous system, you may find in actual process, you can't enforce some of these best practices because not all suppliers work together. So no. There's no pixy dust and possibly, you know, there's more issues that we haven't thought about because they're not necessarily technical. They may have technical under pinnings, but they come down to just the complexity of sourcing your technology providers.
>> I think on the topic of data breaches and securing data, the most important ‑‑ one of the most important practices is encryption and doing good encryption. One of the biggest challenges to adoption of strong encryption has been limited compute cycles. So slowing down performance of machines because the processing power that it takes to do encryption is fairly intense. So I think one of the contributions that Intel is making to that problem is to add compute cycles in the CPU to accelerate and allow for better encryption at the layers above. It's not pixy dust. There's lots of ‑‑ this is a defense and all security problems defense and depth set of problems where you need to deploy a lot of different solutions to solve problems because there's not one technical solution or policy solution that will address security problems, but being able to address the fundamental reason that people are challenged and deploying encryption. We believe it will help at least accelerate adoption on the end of encrypting data. There are other related hardware features that allow for encrypted key storage and authentication of applications within the hardware so that you can at least limit the sort of attack around specific applications and segment them off. So things like trusted hardware, trusted technologies will help solve different aspects of data security problems and allow for a little bit more trust and confidence in how to access that data. So those are technology solutions around protecting the data which are different than authenticating the user or managing a user's credentials. The policy aspect of data breach, I think, notification are interesting especially the recommendation and the second quarter round I kept making the data breach information from registrars. There's a lot of value in that depending on what kind of guidance. It is not always useful to tell people there's a problem if well isn't solutions provided to them. That is something to think through if ISOC hasn't done that. And also following it up with how people can do something about it is really important. So but I do transparency in the security spaces, you know, there's no security (inaudible). So I think that's a good recommendation to pursue.
>> MODERATOR: We had a question from a remote participant that you raised as well. I will go to Cedric. I will do that and then go to the audience. Some of you talked about the reporting of security breaches and the report was registries and registrars. Making the data breaches is more public. Is that going to change anything? Is that going to lead to a change of business practice? So it would be interesting to hear from you, Cedric, because you were talking about see something data breaches taking place in Mexico and Latin America. As a result of that, has anything changed?
>> CEDRIC LOREN: So far, it's a little bit too early to say. So far there have been about 8, 9 or 10 cases revealed publicly. Some of them have gone to the data protection authority for them to inquire. The ones that have been investigated by the Procuradoria in Mexico haven't been very public. The public has not been informed exactly of what has happened, but at least from the dire protection authority side for breach that happened in December last year, the authority hasn't released any information yet apart from seeing in a Facebook post of 3, 4 lines in March this year that it was investigating. There was another big breach involving a Mexican bank, EL NORTE. The breach of security did fine them for (inaudible) pesos, which is about $2 million. I detected personally and informed commissioner one of the seven commissioners of the unite and the situation was fixed pretty quickly and they did the good thing which is notify the 155 persons involved. They put it on a web server the scans of contest applicants who had to send their ID information. Everything had been scanned and included fingerprint, signature. What happened is they put information on web server, then relayed it to the official website and the information was on Bing, Yahoo and Google. It was another problem involving the department store in Liverpool which is a store like Macy's or Nordstrom. In that case, it was an inside job who released lots of information that although it doesn't involve directly credentials will help people to break into the credentials of several employees of the company involved. Credit card information, internal manuals revealing how the encryption system works, how the point of sale terminal worked, what kind of encryption is used, et cetera. All information can be used later to break into the company information to the company's users or employees credentials, et cetera. There was another case involving Mexico's major public university, the UNAM which I detected about a year and a half ago and I informed the university about. It might have involved credential management issue. There was another problem involving Mexico's Latin America's biggest telecommunication company Telemex, in which they hadn't updated for about a year and a half. Their web servers ‑‑ the web mail servers, the company affiliate of Telemexico TBG and it involved at least 2500 e‑mail accounts being indexed by Google and by putting the name of the person or her or his e‑mail. It was possible to access the inbox of that person's e‑mail account directly and even to send e‑mails on his or her behalf.
>> So it seems like a lot of cases.
>> CEDRIC LOREN: That data protection hasn't done much so far.
>> I saw a couple of hands in the audience.
>> MODERATOR: I'm just wondering if there's ‑‑ I have a question for a couple people in the audience, but is there any questions from the audience to the panel on topics that have been discussed. If you can just line up behind him and then we'll get three questions, please. Sir, your name, affiliation and your question.
>> BARRY LEIBA: I am Barry Leiba, applications director. I've heard a lot of talking about password vaults and how to manage all these credentials and that sort of thing. Even two factor authentication. When your thumb print unlocks your phone, but when your thumbprint is sent over the wire, it is just another password hard to type in. (no audio)
>> They want this to be a seemless experience. So you could make it a more complex process where the generation of the credential occurred at the time you wanted to use this service. It essentially was a very short‑lived credential that lasted through the period of time that it was active and then you had to restart. From a security professional perspective, there are some advantages to that, but from an easability, what it ends up looking like to the end user using this recreation is they have to start over every time. The service provider wants their relationship to the end user to be sticky. They want it to be kept. They want to be sure that the person that's using a credential is the same over time so that they can understand who their customer is and what it looks like. There is some work going on to try and create sort of the equivalent of four security for transactions, but as far as I know, it is still mostly research. I would be happy to hear stuff that's further along.
>> I don't have any big picture answers to what he said. Just to put some practical examples behind that because what the Internet industry tells us to do is to examine and try different practices and help develop best practices for the Internet service provider industry. And this question of authentication is a big one. One of the things that we've worked on and feel like we have a best practice around is the password rigger checking. So you're all familiar with the thing where you generate a password or make something up and it says sorry you don't have an upper case and a lower case and your dog's name. So sometimes this rigger checking can be very artificial and itself problematic because the things that's requiring can strain the size of the password space. If you know what it's requiring, which is generally easy to do because you go and you try creating an account and see what it tells you. So, what we do instead of that is we have piece of Java that runs in the customer's browser, in the user's browser that helps them figure out what the password is going to be before it gets sent over the wire and it is just checking how many bits of entropy in the string they have. And we only allow password validity equal to the time to crack the password that they put in. So for the vast majority of passwords that people first try because we do send back statistics and understand how this is working, but the vast majority that people try is the time to crack in the single digit mill seconds like five mill seconds to crack most passwords that people put in most of the time F. people are using a password vault, it is easy to create passwords that will take billions or trillions of years to crack. Sorry. No. Billions or trillions of available cycles and so forth. The issue is further out in time you get is what the law says is the computing cycles available are going to become cheaper. So there's a decaying curve here. There's a certain point you get to and I don't remember what it is. It's in the ‑‑ sorry. I'm not going to talk off the top of my head. There's a point beyond which making the password longer doesn't buy you as much additional time because the processors will get faster and faster and so forth. At that point, different solutions are just going to be necessary like passwords in any reasonable length. Passwords of under say hundreds or thousands of characters are not going to be useful anymore. So, this combination of giving people direct feedback about the strength of the password they've put in, not just it's a little bar and it's green or red, but actually telling them this is how long together take to crack this and not allowing them to use the same password beyond that time gives the same incentives that cause people to move to better password regimes. That's ‑‑
>> MODERATOR: We have a lot of questions. We had a second question from the floor and then after you, we have a remote question and then actually we have a question for a couple of people in the audience. So please, sir, your name and your question.
>> FLORIAN DANIEL: Hello. My name is Florian and I'm from the UHF. I understand encryption is important, but if encryption is safe enough, it's never 100% safe. I heard the example that sample phishing you're able to get the access to records is concerning. That's a user and power user and we should be able to identify phishing and able to send passwords to random people. Do you think it is more important to focus on the power users who have the ability to access the vast majority of important data like records that make their access more secure. So get rid of passwords and use something else. Somebody else, I think you already asked about more advanced identification systems like illogical sense or something like that. They're really focused on those power users instead of the common user.
>> MODERATOR: Great. Let me turn to Ben online if you want to try to address this question and maybe the ones raised earlier. Ben, maybe to you first.
>> Ben: Okay. I think it's a very good point and that's actually the genesis of why we started this work and this document is because in essence, anybody who has a domain name, who owns a domain name, many, many millions of those registrants out there is a power user. They have the ability to log into a simple interface with whatever registrar they chose to do, with and create or change the DNS settings for the domain name. But there's a techno logical barrier in that many of those billions of domain name owners don't realize that there is value intrinsic to the domain and therefore, they need to protect it, they need to think more about the security of their domain account. So a simple password is not nearly good enough. And that brings in responsibility from both ends the registrars need to be more cognizant of the value of credentials they're protecting and the registrants need to be more aware of the need for security and demand those types of additional security features from the registrars and registries they do business with. And that just hasn't been happening in large scale yet.
>> MODERATOR: Thank you. You want to comment?
>> Sure. Yes. So there's a couple points I want to make. One is that ‑‑ one of the things we brought out in the document is we created a table of all the different credentials between the different registrar, registry so that people would understand and be able to visualize all the different identities that are being utilized and think of what's really important in their environment. So, this is true for any business also. Look at where is access really critical and then put in the protections and the controls so that it's really important for somebody to gain unauthorized access and potentially impersonate either the application, the device or the machine. And we talk a lot. I think as most people think about credentials, they think about a password, but it's not just the password. Applications maybe identify, you know, to each other if they need access or machines. For example, there was this protocol, in my opinion, under utilized and basically use an IP address of the machine to actually authenticate to its peer. And people say wait a minute. I want to see the user behind the machine. You had a machine credential and you had a user and password credential. So really we need to understand what is being authenticated and how and then absolutely look at how to protect that as best as possible. Remember it's not only with credential management. Security is holistic. So you also have to look at monitors effectively so that you can determine whether or not there's a potential impersonation going on or whether or not somebody is gaining unauthorized access. I would also like to make the point that what is really necessary in the industry is not just telling people what to do, but how to do it because so many people talk about two factor authentication is the best way to go. Yet when somebody tries to do it in their environment, they might Google forever two factor authentication best practices and they get a thousand documents. So I had the good fortune of being invited to attend the tech workshop a couple months ago in Chile in Santiago. What I was extremely happy to see was that one the registries or rather ccTLDs they gave a presentation of how they implemented two factor authentication. They gave their thought process in terms of what worked for them, if a two‑factor mechanism was not available for whatever reason, how they handled that problem and also some of the gotchas they ran into, some of the mistakes they ran into early on and how they fixed it. I think as a community, we need to be much better to also help educate each other not only on what to do, but how to do it. That's all I want to say at this point.
>> MODERATOR: Great. Thank you. I have a question for somebody in the audience. I wanted to ask you if I'm not mistaken, you're with an association that represents a lot of small and hosting providers and ISPs. So from your perspective, some of the smaller players perhaps, do you see this as an issue affecting your community and if so to her point, what in terms of the users or maybe for the technical staff the smaller kind of firms to recognize the problem and try to be ahead of it.
>> I appreciate it. So not enough. And though I completely respect and appreciate all the tremendous efforts that are going into the organizations that are taking leads on making great strides in making sure that we are secure and very technical ways, at the ground level, we do have this issue where ‑‑ okay. When people build their businesses online using the Cloud, it is still pretty complicated. So they turn to the people down the street. They turn to people that they know in order to help them try and navigate the Cloud. The consult ants, some of them are not tremendously sophisticated. Some of them don't have a tremendous amount of knowledge to deal with them. I have seen situation where people say send me your password or your e‑mail and they're not using PGP because it is hard. People just explaining to a business person how you will set up an encryption on e‑mail, we're not there yet. A lot of the times, we can talk about very sophisticated ways of dealing with issues, but we still have very fundamental problems at ground level dealing with simple things like ‑‑ okay. You can't just say don't send your root password over e‑mail. Here are fundamental alternatives to doing that. They will give you the tools necessary in order to allow these non‑technical people to build their businesses, but do it in a way that still makes it easy enough for them to comply and keep things safe. We still need that outreach. It's not quite there yet. That's where I would like to see more in privacy and secured.
>> MODERATOR: A question for you.
>> Do you know good efforts that are going to aid very small businesses, these micro businesses in link the fundamentals of not just what to do but how security can be operationalized as a micro level?
>> MODERATOR: You want to take a stab at that and I will open it up for anyone else that wants to comment on that.
>> MERIKE: Unfortunately, I am not aware any of quick and easy guidelines. You can find some guidelines if you happen to stumble continue on the Internet somewhere where some operational person wrote a quick one or two pager in terms of here's what I ran into. And I really think as an industry, we need to do more of that to help the person and people with fundamental operational aspects especially for people that report very tech savvy and just explain to them what not to do because if they did certain practices like sending credentials out in the clear and as an example, there was a breach in one of the registrars or reseller just within the last 12 months. It was highly publicized that they were sending new credentials over text e‑mail. And I lot ever security colleagues of mine made a lot of fun of them whereas I said that's not the right thing to do. What we need to do is educate these people. They're not unfortunately in the right mindset to know that that's a bad thing. We need to do much more to help these people out. Yeah. That's my perspective.
>> MODERATOR: Great. Another comment here.
>> I believe in the common case here because what we're trying to do is to make this easy enough that it's not a significant barrier to people setting up these businesses. It's not a significant barrier to them managing their online presence or identity. What we need to do is make a lot of the systems confidential by default. So if somebody is sending information across an HTTP link, that's by default because that reduces both the risk to the end user and the cognitive burden they have to have to bear to make this actually more secure. I think when I look at the work that Intel and others are doing in multi‑factor authentication, here's the little button you wear on your shirt and when you open your phone, it is secure with that. It is a Motorola technology. But that sort of thing is actually meant to accomplish the security goal in a way that's simple enough to demonstrate in 10 seconds. And that when we think about educating people, we have to match that to lowering the barrier enough that the education really does fit in an elevator ride and the better we can make the systems in terms of default confidentiality and security so that they don't have to do anything to get that property, the better we can make the credential mechanisms so they can be explained in an elevator ride. The more likely we are to see all of this not be a barrier to online participation or business, et cetera. I also think that's not pixy dust and I know when I was talking earlier I said there is no pixy dust. It takes deployment and it takes a fairly serious amount of systems engineers on either side to make that work. You have to learn a new one for every provider. So in ICANN space, the work of ISOC, they can help insure there's enough openability within the systems that you can move providers so you don't have to move the vision of this. Interoperability, we can lower the barrier to actually using these practices.
>> MODERATOR: Thank you. I want to check if we had any remote questions. If we do, can we go to the remote question, please?
>> Thank you. We have remote participation from Robert Gonzalez from Huntington beach, California. (inaudible)
>> Can you please repeat the question about the last something password.
>> Is there anything in the words similar to the last password management that utilize your true steps, mobile app Microsoft account?
>> I'm afraid I don't know the answer to that. I'm sorry.
>> Okay. Thank you.
>> It is certainly very possible. A lost the technologies that are discussed here today are in place at Microsoft or in the works. I don't know the details of that particular one.
>> MODERATOR: We had a question from the floor.
>> Hello. My name is Allen. I'm from the youth IGF. You already talked about some ways that normal people have to protect themselves should be protected by people who are trying to break into their accounts. I'd like to know (inaudible) we could express to people how to protect themselves because generally people don't know technical things, but some tips that we can use to protect ourselves from being attacked by (inaudible), something like that.
>> MODERATOR: We have about 10 minutes. So you're talking about kind of tip and what I will maybe go around the panel in terms of resources. So are there ‑‑ what other organizations or resources or materials that your entity or your organization has that would be helpful not only for the end user, but also for the small and medium. So what can you suggest in regards to resources and other organizations that could help with the education piece. So maybe Cedric, we haven't heard from you in a while. I am just curious from your perspective in Latin America and I would say a user perspective, you know. Can you comment? Where should people go? You talk about the data protection authority. Is that the golden standard where everyone goes or do people go to your organization to find out more and what incentivizes them?
>> CEDRIC LOREN: The data protection authority in Mexico has released several good documents. One is for small and medium sized companies to implement the law which goes into a lot of detail and which is has a chapter with dedicated security measures. So the manual is specifically for those small and medium sized businesses. It also has released a 500 page document that explains how the certification, the security standards can be implemented to a person of the law making the correspondence between what the law says security measures would and be what those security standards say. I'm the President of I non‑profit organization and would release materials not so much right now on security. I personally push all my staff to use encryption PGP, for example. But most of the public is not very much aware of how to use it. I've got to say that although to contrast a little bit this gloomy perspective I gave that the banking industry has developed very strong standards. I do have an account with a U.S. bank and one or two with a Mexican bank and the Mexican bank has double the develop just to contrast a little bit. But the general public that's not much aware of how to use security measures, but there is good work being done by the data protection publish documents in that regard.
>> I'm afraid I don't have very good references or places to tell you to turn for information that's simply not my area of expertise. As far as tips, the vast majority of the problems that end users encounter are things they have through the web browser. Be very careful about clicking on links. When possible, type in URL to a destination regardless than just clicking on something that somebody else has presented to you, particularly an e‑mail. I try to use safe browsing mode in my browser whenever possible so that it is exposing less information about me than perhaps it would otherwise. This is an arm's race. All the advertisers and people doing malware are constantly trying to overcome the protections they get in browsers with more and more persistent cookies and so forth. So keep your browser up to date and don't store the passwords in the browser. Use a separate password management application. Use it to create your passwords, not just to store ones that you make up. As Ted has said, you don't need to put any huge amount of effort for things you're not going to use again where you're not disclosing any personal information, where there's no risk, but do be aware that these things certainly never go away. You give your password you make up to your supermarket in exchange for a little discount and the supermarket will get broken into dozens of times over the next few years. Most of this will go unacknowledged, but that password and user name will be correlated in databases that will be sold from one hacker to another hacker to another hacker. And even if that password was initially a well created one, that particular password will always be easy to guess from then on from anyone hacking.
>> MODERATOR: Great. Thanks. I ask for everyone to keep their comments short.
>> I think there are in addition to what Bill said. There's a lot of organizations in different countries who are specifically responsible for public awareness aspects of cybersecurity. So I think I would be happy to point to you some of those references. There's a role for public awareness for all kinds of safety and privacy issues. There is cooperation between government and the private sector has really stepped up over the years and you see sort of governments taking responsibility for launching the public awareness campaigns and the private sector taking responsibility for populating the system of the best practices along the lines and sort of things that Bill just described. I would be happy to point you to some of those resources that you might want to take back to your country and see if you can get something like that going.
>> MODERATOR: Mark from Microsoft.
>> Mark: Microsoft has many things in consulting and enterprise contract if you're a large company. I think that a lot of consumer protections will be regulated either starting in regulate, or in the public sector. We're always concerned about the proliferation of regulations and would like to keep them consolidated, but I think that's a good driver of user protection because the user doesn't need to think about it as much. They have implemented it in a way that protects them. And finally for end users, we do see in many places people are aware they should look at the URL, they should look at the e‑mail address and I think that universal acceptance which is the idea that internationalized e‑mails should be supported by all systems in the DNSE e‑mail providers, in your bank account, things like that. That will really add another level of security and awareness to users when they're no longer interacting with the internet in a script that is different from their Native language and they can look at it and inspect it and say that is legitimate because I can read the language and I see this is in Thai script and it does look legitimate.
>> So, in the course of a workshop yesterday, I happened to talk to one of the folks from the data protection in Argentina. I understand she's worked out a fair number of resources for both Argentina and in general under the privacy. They may also have material from Mexico. Correlation is a big issue. And earlier I said that doing a threat model analysis of what you're giving up to get the Washington Post or the L.A. paper or whatever, your equivalent is you have to realize that if that does become compromised, it becomes part of the metadata available to somebody that could be associated with your identity. So once again, that question of how you associate an identity with this has to be managed in the same way you manage your credential. If you use an e‑mail address in both your bank and the L.A. Times and you use your dog's name for the password for the L.A. Times, which is you don't care about that much, it still becomes part of the metadata. So an attacker to your financial things that might be able to find your password from a password recovery question. Your dog's name. These things become part of the Cloud information that a determined hacker can make about someone. Even if I don't think you're the victim or potential victim of spear fishing where somebody is working very hard to get your individual credentials, you have to understand that the overall amount of effort is they to put in to get something where it goes down every time you link a new credential to a single identity. So, as service providers, we have to think about how to problem better by making it possible to create accounts which actually don't use that kind of identity at all. In the mean time, you should consider the link an between those two as you decide what your threat model for a particular situation should be. Of
>> MODERATOR: Thank you. We could go on, but unfortunately, we have run out of time. I will make a quick comment. For those of you that are interested, I would like to make sure the conversation condition. For those of you using Twitter, hashtag WS13, which is the number for this workroom. If you have any comments, questions, you can post them there. I will stay around for 20 minutes if others want to comment. I can give the experts two minutes to speak. With the indulgence of the staff, I will stay. Merike, over to you.
>> MERIKE: Remember your credentials are now stored on your phone. So you want to understand whether or not you're using Cloud service to back that up and where your credentials are actually going where they can potentially be breached. Another aspect I want to bring up is I have a (inaudible) ID card. It embeds technology in our certificate base technology make its extremely simple for me to access a lot of services remotely. And so there was a lot of public/private partnerships that went into that. I think that's also something to look into because again, it is easier to actually use those ID cards and connect that to my computer where I don't have to remember a particular password or passphrase. That was my comment. Thank you.
>> MODERATOR: Ben, any quick comments?
>> Ben: I wanted to thank everybody for their participation. This is something that is near and dear to all of our hearts and mine. We do have as Robert mentioned other resources. We have external resource pointing in the document. Again, these are mostly from the operational perspective. If somebody is setting up a credential management system, there are resources there to identify best practices to think about storage guidelines of credentials and things like that. So I would encourage people to read those external resources in the document.
>> MODERATOR: With that, I would like to thank all the experts on stage that came in short notice. I appreciate you engaging in this conversation. I hope we can all stay in touch now. And again, I will be around for about 20 minutes. Any resources and any comments that were made, I will be sure to include them in the report as well. I thank all the experts and those that painted very early in the morning. So thanks to everyone.