The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
January 2017 edition
GRIZZLY STEPPE Report Fails to Assist
The Department of Homeland Security (DHS)'s United States Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) released a joint report late last month attributing the recent Democratic National Committee hack to Russian civilian and military intelligence services (RIS), naming the activity "GRIZZLY STEPPE." According to Georgia Tech researcher Yacin Nadji, the public report neither affirmatively attributes the activity to RIS nor provides "indicators of compromise" (IOCs) that network operators can use effectively in their own cyberdefense.
- DHS News Release: https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-secretary
- Joint DHS-FBI Report Summary: https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
- Robert M. Lee Blog: http://www.robertmlee.org/critiques-of-the-dhsfbis-grizzly-steppe-report/
- The Intercept: https://theintercept.com/2017/01/04/the-u-s-government-thinks-thousands-of-russian-hackers-are-reading-my-blog-they-arent/
- Erratasec: http://blog.erratasec.com/2017/01/dear-obama-from-infosec.html
IISP Analyst Yacin Nadji: "Unfortunately, the report fails on both counts. First, while many cybersecurity experts believe Russian hackers were involved, including myself, the report and accompanying media brouhaha reduce the technical credibility overall. For example, the Alternate Names include legitimate and well-known designations of campaigns (such as "APT28/29" and "COZYBEAR"), malware families that are not indicative of campaigns (such as BlackEnergy v3), as well as techniques used by malware authors (such as PowerShell backdoor) and names of dynamic link libraries associated with infections (such as "twain_64.dll"). While this list starts off well, the pieces of evidence are confusing and unrelated, which is a bit disconcerting. The rest of the report is rather light on attribution details, describing instead high-level tactics and techniques used by many malware authors. Much of the report outlines common-sense mitigation strategies. This is generally good information; however, it has little to do with confirming or denying Russian involvement in this campaign.
Furthermore, the indicators of compromise (IOCs) that are included are noisy. Network operators simply cannot trust them blindly. The IOCs include Tor exit nodes (usable by anyone with a computer and the Internet), Yahoo infrastructure, sinkholes used by security researchers to track malicious activity, and Microsoft infrastructure, among others. The lack of scrubbing of some of these data suggests the report was possibly rushed. Poor or incomplete data is not helpful to anyone performing rigorous attribution. In contrast, Mandiant's APT1 report from February 2013 is currently considered by many to be the 'gold standard' of such products.
All this points to the demonstrable need for enhanced attribution technologies, an area our lab at Georgia Tech is now heavily invested in. Automating the attribution process will improve the ability to rapidly generate reports with less room for human error. That said, pointing fingers for cybercrime or other malicious activity is a serious affair and one that requires the necessary due diligence to avoid mistakes and ensure results are dispassionate and factual."
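The noisy-IOC problem described above is something an operator can check for before loading a feed into a blocklist. The following Python is an added example written for this newsletter page, not code from the JAR report or from the Georgia Tech lab; the IOC list, the Tor exit list, the sinkhole list and the shared-infrastructure range are all constructed (documentation IP ranges) and stand in for the context lists an operator would maintain from real sources. It sorts each indicator into a category so that entries matching Tor exits, research sinkholes or shared hosting are kept as low-confidence watch items rather than blocked outright.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample inputs (not the JAR report's IOCs). Addresses are from
# the RFC 5737 documentation ranges and carry no real reputation.
SAMPLE_IOCS = [
    "198.51.100.7",         # hypothetical Tor exit node
    "203.0.113.25",         # hypothetical researcher sinkhole
    "192.0.2.10",           # hypothetical shared hosting / CDN address
    "192.0.2.200",          # nothing known about it: worth investigating
    "evil.example",         # a hostname rather than an address
    "not an ip or host!",   # garbage line, as feeds sometimes contain
]

# Hypothetical context lists an operator would keep from their own sources.
TOR_EXIT_NODES = {"198.51.100.7"}
SINKHOLES = {"203.0.113.25"}
SHARED_INFRA = [ipaddress.ip_network("192.0.2.0/28")]

# Permissive but not anything-goes hostname check (labels, dotted, TLD).
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(ioc, tor_exits, sinkholes, shared_infra):
    """Return a category string for a single raw indicator."""
    value = ioc.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP address: either a hostname needing its own review
        # (e.g. against known-benign domains) or unusable junk.
        return "actionable_hostname" if _HOSTNAME_RE.match(value) else "invalid"

    # Order matters: shared-use infrastructure explains the sighting
    # without pointing at any particular actor.
    if value in tor_exits:
        return "tor_exit"
    if value in sinkholes:
        return "sinkhole"
    if any(addr in net for net in shared_infra):
        return "shared_infrastructure"
    return "actionable_ip"


def triage_iocs(iocs, tor_exits, sinkholes, shared_infra):
    """Map each indicator in the feed to its category, preserving order."""
    return {ioc: classify(ioc, tor_exits, sinkholes, shared_infra) for ioc in iocs}


def actionable_only(triaged):
    """Indicators safe to consider for blocking or alerting without caveats."""
    return [ioc for ioc, cat in triaged.items() if cat.startswith("actionable_")]


def summary(triaged):
    """Counts per category, useful for judging how noisy a feed is."""
    return dict(Counter(triaged.values()))


if __name__ == "__main__":
    result = triage_iocs(SAMPLE_IOCS, TOR_EXIT_NODES, SINKHOLES, SHARED_INFRA)
    for ioc, cat in result.items():
        print(f"{ioc:22s} {cat}")
    print("actionable:", actionable_only(result))
    print("summary:", summary(result))
```

Run against a real feed, the same structure works with a downloaded Tor exit list, an internal sinkhole inventory and the published address ranges of large hosting and cloud providers; the interesting output is the ratio of `actionable_*` entries to the rest, which is a quick measure of how much scrubbing a feed received before publication.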
Uber's Data Privacy Again in the Crosshairs
Uber Technologies Inc. is again in the crosshairs of the data disclosure debate as New York City seeks more information about drivers' activities. The battle began with a public hearing last week, another example of a local government seeking more data about its citizens. This time, NYC wants disclosure of the address and time of every drop-off, citing driver fatigue and weekly caps on driving hours similar to the safety protections in place for airline flight crews. Uber and Lyft have had similar fights across the U.S., "invariably reaching the same conclusion each time: they should share less data than local governments want," writes Bloomberg Technology.
- Bloomberg Technology: https://www.bloomberg.com/news/articles/2017-01-05/uber-doesn-t-want-to-give-nyc-or-anyone-more-data
- Crain's New York: http://www.crainsnewyork.com/article/20170105/TECHNOLOGY/170109965/uber-prepares-for-battle-with-new-york-city-over-disclosure-rules
IISP Analyst Holly Dragoo: "Having fatigue prevention in place is actually not a bad idea, but it’s not clear why the city needs access specifically to the addresses. It’s also not clear how the City would access, archive, or protect that information. Couldn’t the same goal be achieved by just having activity time logs paired up with a one-up number or customer ID to show uniqueness? Once a driver reached an activity cap for a day or week, then they could de-activate their revenue generating apps or some such shut-down feature. The need for the customer data here seems unnecessary. Ironic that Uber should be advocating for the privacy concerns of its staff and riders, though, with their noted use of the “God View” company tracking tool last year."
Bitcoin Surges Past Gold in Value
For the first time since Bitcoin was proposed in 2008, the price of one bitcoin has exceeded the price of an ounce of gold. The cryptocurrency market has seen an unprecedented climb during the past 30 days, in spite of expectations that it would level out before reaching this milestone. Historically seen as esoteric money for "geeks and criminals," Bitcoin (and similar cryptocurrencies) is commonly criticized for not being based on any real commodity or universal standard. As such, the surge in value, together with a handful of new currencies (such as Hayek or Aurum) that are backed by gold, could do much to move the adoption of cryptocurrency into the mainstream.
- Cryptocoins News: https://www.cryptocoinsnews.com/bitcoin-makes-history-reaches-gold-parity/
- CBS News: http://www.cbsnews.com/news/bitcoin-passes-1000-amid-growing-acceptance-of-cyber-currency/
- Gold Vault: https://goldvault.co/en/what-is-aurum-gold-coin
IISP Analyst Holly Dragoo: "The climb in Bitcoin value over the holiday stretch is certainly interesting to see, but will likely take a tumble before long. The volatility in past years is not likely to go away overnight, especially with new exchanges popping up all the time, and the omnipresent threat of hackers and insider saboteurs. That said, more and more vendors are accepting bitcoin payments for everyday items, and the more widespread the usage, the more stable the currency becomes. Who knows? You might be paying your taxes in Bitcoin before the year is out!"