Cybersecurity News & Commentary - December 2016 edition

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions that are driving our research, and new projects underway.


December 5, 2016

 

Professor and Chair Co-Authors Cybersecurity Recommendations for U.S. President

Annie Antón, professor and chair of the Georgia Tech School of Interactive Computing, served on the Commission on Enhancing National Cybersecurity, which issued its consensus report on Dec. 2 in Washington, D.C. It addresses six imperatives and offers action items that can be implemented by President-elect Donald Trump and his team. The commission was created in February by presidential executive order as part of the Cybersecurity National Action Plan. The group, which had been working since April, was tasked to make detailed recommendations on ways to strengthen cybersecurity in public and private sectors. Read a summary of Anton's recommendations:

 

U.K.'s Mass Surveillance Law Another Wrinkle in Trans-Continental Privacy

Aimed at thwarting terrorism, the new Investigatory Powers Act grants the British government broad electronic surveillance powers.  The law requires ISPs to maintain records of all British Internet users' browsing histories, allowing nearly 50 British government organizations access to those records via a centralized search tool, usually without judicial oversight.  The Act also requires technology companies to aid the British government in decrypting users' data and prevents the companies from disclosing those governmental demands for decryption.  Technology companies must inform the British government about security features of new products before they are released.  The law also provides a legal framework for bulk data interception and collection.

 

IISP Analyst Joel Odom: "This Act is noteworthy in that it indicates a national policy approach that could be pursued by others, and as the Irish Times rightly states in its headline, this raises well-founded fears of privacy loss. If this were adopted in the U.S., for example, it would mean Apple would have no recourse against the government’s mandate for a backdoor into its devices. It also would mean that dozens of federal agencies would have immediate access without subpeona to the records of every website you visited. While it’s unlikely such an extreme about-face of the law would hold muster in the United States, the justified concern here is that a close Western ally deemed the approach acceptable and it is in fact now the law. As noted in Georgia Tech’s 2017 Emerging Cyber Threats, Trends & Technologies Report, “the West is kind of backing into the same view that we have roundly criticized during peacetime in other venues."

 


Facebook and The Great Fake News Debate

Behind closed doors, Facebook employees have been having hard discussions about the alleged ‘fake news’ problem that likely had some influence over voters in the November election. An unspecified number of employees have formed a task force to review algorithms, policies, trending topic statistics and perceived lack of action since January 2015, when Facebook acknowledged they would ‘do better’ and instituted a tool for users to self-report dubious news stories. They also are working with third-party fact-checking groups to increase the detection of fake news. Since the November 2016 election, Facebook CEO Mark Zuckerberg has dismissed fake news as being only a small percentage of content, and has not publicly shared statistics on the effectiveness of the reporting tool or what other measures they have taken.

The head of Facebook’s news feed, Adam Mosseri, even acknowledged that, “We can’t read everything and check everything.” A damning article by BuzzFeed, however, shows that, “In the final three months of the U.S. Presidential campaign, the top-performing fake news stories on Facebook generated more reader engagement than the top stories from major news outlets such as The New York Times, Washington Post, NBC News,” etc. A source for Gizmodo confirmed that Facebook is equipped to stop fake news, but suggests decisions were made likely in fear of being perceived as politically biased, as right-wingers had alleged back in May. It’s not clear what the path forward is for the internal task force at this time, since they have not met with senior management yet, or if they will make public their findings.

 

IISP Analyst Holly Dragoo: "Good for Facebook employees for exploring the topic. They should be commended for encouraging discourse on a disquieting subject, and hopefully will engage in impactful exchange with senior management. That said, this issue cuts close to two much deeper concerns:  1) Facebook has not embraced its role as a fully-fledged media outlet, and 2) the election was unduly influenced by fake news from hyper-partisan sources and foreign powers.

"These ideas are not new, but Americans don’t seem to accept them; or at least they are not demanding explanations/accountability when they should. A Wired article from November states that fake news isn’t actually what won the election so much as Trump’s ability to embrace fundraising and “earned media” coverage (free press) using Facebook. Absolutely true, but again, to explain the election results that way shies away from the power of Facebook as a media outlet – not just for connecting socially with friends and family – and the fact that fake news was generated for deliberate crowd manipulation. Even Zuckerberg has painted himself into an awkward corner of having to explain why Facebook is a fantastic commercial platform for reaching consumers with its tremendous advertising power, but not responsible for affecting people’s political opinions.

"As we know, Zuckerberg has repeated the mantra that Facebook is “a tech company, not a media company… which conveniently ignores that technology is a platform for media delivery. To distinguish between the two concepts is not as controversial (or dramatic) as linking handgun manufacturers with deaths by gunshot, but logically similar. They are both products that enable delivery of blanks and substantive content. I’m not saying that we should introduce gun control or fine-tuned legalese into the dialogue, but (rather sensationally) trying to make a point: there is a correlation between Facebook and the media, and it’s time to stop denying it. Hopefully the employees’ internal debate will have some success toward accepting this."

 

Ransomware Doesn't Go for a Ride, but Response Takes Off

San Francisco was victimized when a hacker penetrated the city’s transit system and installed ransomware. Workstations in the SFMTA’s (San Francisco Municipal Transit Agency) offices booted to the message: “You Hacked, ALL Data Encrypted.” As a result, ticketing machines and gates were offline over the final weekend in November, with all rides being free. Officials at the SFMTA said shutting down fare collection was precautionary and the only systems identified as hacked were their office computers. The hacker demanded a payment of 100 bitcoin (approximately $73,000 at the time of writing) for encryption keys to the locked data. SFMTA officials balked at paying and opted to restore their office workstations from backups.

 

IISP Analyst Stone Tillotson: "SFMTA’s response is praiseworthy for several reasons: they immediately took action to mitigate the breach, notified authorities, customers, and maintained back-ups. Ransomware threats often go unreported, from large corporate breaches to home users, depriving the threat of the attention it deserves. By collaborating with authorities and notifying the public, SFMTA pushes at the door to reining in this threat. Especially laudable is SFMTA’s commitment to its back-up policy. With that safeguard in place, they were able to essentially shrug off the hacker’s demands, not only because they could restore their systems, but also because they could examine back-ups to verify that no sensitive user data was contained in the breached computers. Their response should be taken as a model for responsible breach policy."


PoisonTap: Owned or Obvious?

Samy Kamkar released a tool -- PoisonTap -- that given physical access to a USB port, one can siphon cookies and passwords, install a web backdoor, and allow external access to a local network's router. The implementation is extensive: it works on locked macOS and Windows machines, cheaply runs on a $5 Raspberry Pi Zero, appears to work outside of the box, and poisons numerous caches used by web browsers.

 

IISP Analyst Yacin Nadji: "While the tool generated a lot of journalism buzz, I doubt many security experts are surprised. If you've given an adversary physical access to your machine, you've already lost. With physical access, we already know an attacker can boot off a USB to retrieve sensitive information, surreptitiously install malware using a thumbdrive, and even retrieve disk encryption keys directly from RAM. Physical access is an exceptional case and end-users should be aware of the potential harm giving it away can cause.

"All that said, PoisonTap is nifty for a handful of reasons. The Dynamic Host Configuration Protocol (DHCP) response it uses to man-in-the-middle most of your traffic is done in a cute and potentially OS-agnostic way. Furthermore, it does so such that most users would not notice. Also, the command and control mechanism targets the browser itself using WebSockets, rather than installing a binary on the user's machine, which is much less likely to be detected by conventional antivirus. Attackers could also continue to exploit the user by targeting their (now accessible) router, or delivering modified versions of Javascript libraries most websites rely on. Samy's history with web hacking goes back over a decade, and this is where the interesting technical details are."

 


Mouse Rearranges Maze, Gets Cheese (… and Your Computer)  

A recently released exploit demonstrates a practical, if difficult, approach to overcoming two important obstacles in preventing buffer overflow exploits: address space layout randomization (ASLR) and data execution prevention (DEP). Buffer overflow exploits occur when malicious data is fed into a program beyond its ability to store. The extra data, or overflow, if carefully crafted, can contain executable instructions that run with the same permissions as the compromised program. ASLR and DEP work together by first ensuring that the memory space of a running program isn’t arranged in a predictable way and then by preventing data blocks from being treated as a runable instructions. Chris Evans, a security researcher, devised an attack in which a malicious file exploits a host program’s system calls to generate a predictable address space and then copy code hidden in the malicious file into executable memory. As a result, two main protections against buffer overflow exploits are bypassed.

 

IISP Analyst Stone Tillotson: "This exploit isn’t the first to bypass ASLR and DEP, but it’s unique in that it doesn’t require a scripted environment to interactively probe and then attack the vulnerable program. Instead, it relies heavily on source code analysis and predictable system behavior to craft an exploit for a particular program and operating system. The tailored nature of this exploit make it difficult to transfer to other platforms, but that’s offset by the danger of being able to insert malicious code in seemingly innocuous files. More broadly, this exploit might hint at a latent, dangerous technical debt: files and programs previously considered safe are now exploitable, and it remains to be seen how widely."

 

 


Microsoft Announces Strategic Hires Dedicated to Building a Working Quantum Computer

Microsoft Corporation has announced plans to move from quantum theorizing to quantum engineering. Their stated goal in hiring several quantum computing experts is to build a working quantum computer using topological qubits, though their detailed approach and timeline remain unknown.  The investment in practical quantum systems by a computing titan such as Microsoft evidences the probability that the not-too-distant future may see quantum computers capable of performing useful tasks that classical computers cannot perform.

 

IISP Analyst Joel Odom: "Quantum computing is exciting. Not only do we stand to be able to solve hard math problems such as those on which we base cryptography, but we can show that quantum computers will allow us to model systems (such as molecular interactions) that are otherwise intractable for classical computers. The thing is that it's tough to get your head around quantum computing because it requires an unusual way of reasoning. Classical computers simply manipulate bits using Boolean logic. A quantum computer replaces bits with 'qubits.' Like a classical bit, a qubit is an abstract unit of information, but, unlike a bit, it is a mix of 1 and 0 simultaneously. Furthermore, these 1 and 0 'mixtures' are represented by complex numbers and require a strange way of reasoning about probability. As a set of qubits move through quantum logic gates, the qubits evolve together in a superposition of many possible states, each state representing a possible outcome of the calculation, and each qubit is entangled with the other qubits involved in the calculation. It is in this superposition of states that the magic happens. As the quantum state evolves, all of the possible outcomes evolve simultaneously. It's like doing an unimaginable number of classical calculations at once. At the end of the quantum calculation, you measure the state of the evolved quantum system to read your result. If you have managed to preserve the integrity of the quantum system as it evolved (this is one of the hard problems in building a quantum computer), the final measurement gives you an answer to your quantum calculation. In addition to the engineering challenges involved in building a quantum computer, you have to invent your quantum algorithm so that the calculation yields a useful result that otherwise would be super difficult to calculate by pushing around classical 1s and 0s.  Despite these challenges, my guess is that we will see useful quantum computers in within a decade or two."

 


Wanted: Usable Security

Google's Chrome Security team intends to replace its lock icon to denote http(s) settings of websites with "Secure" in green for properly configured https, "Not secure" in gray for non-https sites, and "Not secure" in red for sites with improperly configured https. Recent research suggests that the current indicators are doing a poor job explaining to users the risks they face, for example, assuming red and green locks were both secure. These changes will highlight websites that have not moved to "https everywhere."

 

IISP Analyst Yacin Nadji: "I believe the security community—both from academia and industry—often ignore the user when designing or evaluating security tools. I enjoy seeing the recent focus on building and adapting solutions to user understanding, rather than slapping together a purely technical solution and calling it a day. It is important to note that using HTTPS exclusively, as the Chrome team believes we ought, would prevent many of the negative effects of PoisonTap.

"I encourage budding computer security researchers to consider end-users' and security practitioners' understanding to be a core component of their work. Consider a world where network and host detection improve to their limits. What is an effective means to infect a machine? Tricking or convincing the user. Social engineering will always work and is difficult to solve with solely technical means. We must consider end-users when designing security software and security practitioners when building investigative tools to improve our ability to combat threats."

 


Safe and Secure Holiday Shopping

Everyone knows to “look for the lock” in an https bar, use phishing filters, and have strong passwords for all web logins. There’s a myriad of websites covering tips and tricks for safe holiday shopping online, but as Manhattan District Attorney Cyrus Vance recently pointed out, (http://fortune.com/2016/11/20/jeh-johnson-phishing/ ) “Phishing – mundane as it is – is the biggest threat we face and need to tackle.” Here are some educational links to arm yourself this holiday shopping season technology: