Cybersecurity News & Commentary - February 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.


February 6, 2017


Nations Prepare for Possibility of U.S.-like Election Hack

On March 15, Dutch citizens will hold national elections for public office, and election officials have decided to count the results by hand. The decision comes amid the cybersecurity concerns raised during the 2016 American election cycle, in which several U.S. intelligence agencies concluded that Russian actors had interfered with the election. Dutch officials have stated that their election equipment is outdated and insecure, making final tallies especially vulnerable to manipulation. Based on the roughly 12.7 million eligible voters in the Netherlands' 2012 election, that could mean counting up to 12.7 million ballots by hand.


IISP Analyst Holly Dragoo: "It’s interesting to see the effects of a cyberattack in one country drastically affect domestic policy in another country. Dutch Interior Minister Plasterk ought to be commended for authorizing this no-tech security measure; voting machines are riddled with vulnerabilities and have been criticized for decades. But…how realistic is this? Sweden counts election results manually, but they have a pool of registered voters totaling around 7.3 million people, whereas the Netherlands has around 12.7 million. Intuitively this just seems ripe for accidents or miscounts. Turns out, error rates in hand-counting ballots are known to be approximately 2%, which seems low, but could be very important in a close race like this one is expected to be. Given the time constraints of a March 15 election, an entire system upgrade is likely expensive and too cumbersome to roll out. Hand counting may be the best way to address security concerns. With the lack of vendor security in election equipment, it may even be a long-term solution, if an inconvenient one."

Credit Card Skimmers Become Chip ‘Shimmers’

The unauthorized disclosure of individual consumer financial information has been, and continues to be, a priority security concern for commercial enterprises. While most recent news coverage revolves around large financial database breaches carried out with sophisticated malware and network attacks, a significant portion of credit card data theft still originates from physical tampering with card readers through skimmer technology. A simple Google search for "credit card skimmer" turns up news articles, written almost daily, about the discovery of yet another skimmer.


IISP Analyst Chris M. Roberts: "Now, there are new devices, dubbed 'shimmers', which are being used to steal personal information from chip-enabled credit cards. Security is a never-ending game of cat and mouse. Credit card skimmers have been around almost as long as credit card readers themselves. During that time, they became more technologically advanced, while still managing to reduce their physical footprint. This reality, coupled with the fact that credit cards continue to store unencrypted personal data, continues to be the source of a significant portion of consumer financial fraud. Skimmers (and shimmers) are easy to obtain, cheap to procure, nearly invisible to the naked eye, and extract the stolen data wirelessly -- reducing the chances of being caught. Credit card companies have been fighting back by adding EMV microprocessor chips to the cards to allow for enabling dynamic authentication. While this technology is a vast improvement, it has not stopped criminals from attempting to steal information. In many cases, your best protection is awareness. Always keep an eye out for something that looks or feels different when using your credit card, or just use cash."

Leaked Cybersecurity Executive Order Seeks Ambitious Timeline

President Trump's draft executive order on cybersecurity was leaked to the Washington Post and published January 27, offering the first glimpse of his views on the field. As a draft, the wording is sure to change before signing, but the spirit of the document likely will not. The order calls for short-term (60-day) assessments in four areas: threats to U.S. critical infrastructure and national security systems; vulnerabilities in U.S. government networks; the capabilities and limitations of U.S. cyber operations, including workforce training and readiness; and ideas for incentivizing the private sector to secure its networks. Different agency heads are assigned different reports, but staff participation from the Departments of Homeland Security and Defense, the Director of National Intelligence, and the National Security Agency (among others) is assured.


IISP Analyst Holly Dragoo: "As it stands, the order reads well and par for the course in a transitioning administration, with no surprises. It’s interesting to see a segment on incentivizing the private sector to secure their networks. Isn’t it enough incentive to not be hacked and/or prevent intellectual property theft? Surveying the initial capabilities of cyber defenses and relevant fungible assets is a wise first move – if coordinated well. However, the scale of such a review is massive if it is to be done in 60 days; hard to imagine anything delivered in that time frame as being terribly accurate, let alone coordinated across agencies. As Lawfare rightfully points out, a critical asset inventory is a necessary prerequisite before conducting any type of vulnerability assessment. Given the size of the participating agencies, it’s possible an inventory could take 60 days alone. Hopefully the draft doesn’t change much beyond where it needs to – the time periods allocated to the assessments – before signing."

Symantec Issues Invalid TLS Certificates (Again)

Security researcher Andrew Ayer recently discovered that trusted certificate authority Symantec has issued another batch of improperly issued TLS certificates. As ExtremeTech reports, "Nine of the certificates were issued without the permission or knowledge of the affected domain owners, while the other 99 were issued to companies with obviously faked data." The certificates, which mainly appear to have been test certificates, have since been revoked, but the fact that they were issued at all is worrying: a browser validating a certificate only checks that it chains to a trusted root and matches the hostname, so a certificate mis-issued by a trusted CA is accepted exactly like a legitimate one. In 2015, Symantec's certificate issuance procedures received public scrutiny for similar improper issuance of certificates.


IISP Analyst Joel Odom: "One of the hard parts about secure digital communications is authentication of the endpoints. Your computer can't tell if the bits that it is receiving were generated by the remote computer that you hope you are talking to, or by some malicious computer in the middle of your communications channel pretending to be the host you think you are talking to. This means that even if you establish encrypted communications, you still can't be sure that some attacker in the middle hasn't hijacked the connection unless you can use cryptography tricks to verify the identity of the remote computer. This is where digital certificates come into play. A digital certificate is used to prove that the information received over the network is actually from the sender you think it's from. The public key infrastructure used by the Internet relies on trusted certificate authorities such as Symantec to issue only valid certificates. If certificate authorities issue certificates without following the rules, such as in this incident, communications are open to the kind of "man in the middle" attacks that I talk about above. Thanks to Google's certificate transparency project, which catalogs certificates and how they are being issued and used, the public now has a way to catch improper actions such as this."
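The two halves of the story above (what a client can check on its own, and what only a public log can reveal) are easy to see with Go's standard-library `crypto/x509`. The following program is an added example written for this newsletter, not code from Symantec, Google, or the researcher involved. It mints a constructed trust store containing one "trusted" root, has that root issue two certificates for `example.com` (only one of which the domain owner requested), and has a second, untrusted root issue a third. A browser-style verification accepts the mis-issued certificate without complaint, rejects the one from the untrusted CA, and a certificate-transparency-style monitor run by the domain owner flags both certificates the owner never asked for. All names, the in-memory "log", and the ASN-free toy trust store are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial numbers for the certificates minted below

// mint creates a key pair and a certificate for name. With parent == nil it is a
// self-signed root; otherwise parentKey signs a server certificate for host name.
// Nothing here asks the domain owner: whether the CA was entitled to sign is a
// procedural control at the CA, not something the signature itself can express.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root: self-signed and allowed to sign others
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // leaf: a server certificate for the host in name
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// clientVerify is all a TLS client can do: chain the leaf to a trusted root and
// match the hostname. Two certs from the same trusted CA look identical to it.
func clientVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// unexpectedCerts is the domain owner's side of certificate transparency: scan the
// (here in-memory, constructed) log for certs naming domain that the owner never
// requested. A real monitor would read entries from the public CT logs instead.
func unexpectedCerts(log []*x509.Certificate, domain string, requested map[string]bool) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range log {
		if c.VerifyHostname(domain) == nil && !requested[fingerprint(c)] {
			out = append(out, c)
		}
	}
	return out
}

// Scenario builds a constructed trust store, two example.com certs from the trusted
// root (only one requested by the owner) and one from a rogue root, then reports
// what a browser-style client and the owner's CT monitor conclude about them.
func Scenario() (misissuedAccepted, rogueRejected bool, flagged int) {
	trusted, trustedKey := mint("Trusted Root (constructed)", nil, nil)
	rogue, rogueKey := mint("Rogue Root (constructed)", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	owner, _ := mint("example.com", trusted, trustedKey)     // the owner requested this one
	misissued, _ := mint("example.com", trusted, trustedKey) // nobody asked for this one
	bogus, _ := mint("example.com", rogue, rogueKey)         // issued by an untrusted CA
	var unknown x509.UnknownAuthorityError
	misissuedAccepted = clientVerify(misissued, roots, "example.com") == nil
	rogueRejected = errors.As(clientVerify(bogus, roots, "example.com"), &unknown)
	log := []*x509.Certificate{owner, misissued, bogus} // what a CT log would hold
	flagged = len(unexpectedCerts(log, "example.com", map[string]bool{fingerprint(owner): true}))
	return misissuedAccepted, rogueRejected, flagged
}

func main() {
	fmt.Println(Scenario()) // prints: true true 2
}
```

The first result is the uncomfortable one: the client has no cryptographic way to learn that the domain owner never asked for the second certificate, because the CA's signature is equally valid on both. Only a log that the owner (or anyone else) can search turns the mis-issuance into something detectable, which is exactly the gap certificate transparency fills.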


Iran Leaks Censorship via BGP Hijacking

In early January, Iranian state-owned telecom TIC hijacked IP address space known to host numerous pornographic websites. It did so through the Border Gateway Protocol (BGP), the protocol networks use to exchange reachability announcements so that packets can be routed across the Internet. The announcements were likely meant to stay within Iran, but accidentally leaked to the rest of the world. Iran is no stranger to censoring the Internet for its citizens.


IISP Analyst Yacin Nadji: "Silliness aside, this article is interesting for a couple of reasons. First, it demonstrates that oppressive regimes are always looking for and testing new censorship techniques to stay ahead of the curve. Second, this serves as a nice reminder that BGP offers little protection to prevent hijacks. Briefly, BGP works by having networks announce the IPs they route to their peers and customers. As these messages propagate, one can construct a chain of networks a packet must travel through to get from IP A to IP B. Unfortunately, this is done without authentication, so malicious announcements, like the one from Iran, can cause a network to hijack packets destined for another. Fortunately, these dramatic changes to Internet topology rarely go unnoticed."
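The mechanics described above can be seen in a few dozen lines of Go. The program below is an added example written for this newsletter, not code from TIC, Dyn, or any BGP implementation, and it models only the two pieces that matter here: a router installs one best route per prefix from the announcements it hears, and the forwarding plane then picks the most specific prefix that covers a destination. The scenario, topology, ASNs and prefixes are constructed (documentation ranges, not the real Iranian announcements): AS 64500 legitimately originates 203.0.113.0/24, and AS 64666 later announces the more-specific 203.0.113.0/25 over a longer path. Without any origin check the /25 wins on longest-prefix match and captures the traffic. The same router with a route origin authorization (ROA) for the /24, checked the way RPKI origin validation does, drops the bogus announcement. The ROA check goes beyond the article, which only notes that BGP has no authentication; it is the standard countermeasure, added here for contrast.

```go
package main

import (
	"fmt"
	"net"
)

// Announcement is a simplified BGP UPDATE: a prefix and the AS_PATH it arrived
// with; the last AS in the path is the origin claiming to own the prefix.
type Announcement struct {
	Prefix *net.IPNet
	Path   []int
}

func (a Announcement) Origin() int { return a.Path[len(a.Path)-1] }

// ROA is an RPKI route origin authorization: Origin may announce Prefix or any
// more-specific prefix down to MaxLen.
type ROA struct {
	Prefix *net.IPNet
	MaxLen int
	Origin int
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Router keeps one best route per prefix (its RIB). An empty ROA list means no
// origin validation at all, which is plain BGP's default behaviour.
type Router struct {
	rib  map[string]Announcement
	roas []ROA
}

// originValid follows RPKI origin validation: if any ROA covers the announced
// prefix, some covering ROA must match on origin AS and maximum length; a
// prefix that no ROA covers ("NotFound") is accepted as-is.
func (r *Router) originValid(a Announcement) bool {
	annLen, _ := a.Prefix.Mask.Size()
	covered := false
	for _, roa := range r.roas {
		roaLen, _ := roa.Prefix.Mask.Size()
		if roaLen > annLen || !roa.Prefix.Contains(a.Prefix.IP) {
			continue
		}
		covered = true
		if roa.Origin == a.Origin() && annLen <= roa.MaxLen {
			return true
		}
	}
	return !covered
}

// Accept installs a unless origin validation rejects it or the RIB already holds
// a route for the exact same prefix whose AS_PATH is at least as short.
func (r *Router) Accept(a Announcement) bool {
	key := a.Prefix.String()
	if cur, ok := r.rib[key]; !r.originValid(a) || (ok && len(cur.Path) <= len(a.Path)) {
		return false
	}
	r.rib[key] = a
	return true
}

// Lookup is longest-prefix match, as in the forwarding plane: the most specific
// route wins before AS_PATH length is ever compared, which is why a bogus
// more-specific announcement captures the traffic.
func (r *Router) Lookup(ip string) (best Announcement, found bool) {
	addr, bestLen := net.ParseIP(ip), -1
	for _, a := range r.rib {
		if l, _ := a.Prefix.Mask.Size(); a.Prefix.Contains(addr) && l > bestLen {
			best, bestLen, found = a, l, true
		}
	}
	return best, found
}

// Hijack runs the constructed scenario (documentation ASNs and prefixes, not the
// real event) and returns the origin AS that packets for 203.0.113.10 reach on a
// router without, and with, ROA-based origin validation.
func Hijack() (unfiltered, filtered int) {
	legit := Announcement{cidr("203.0.113.0/24"), []int{64496, 64500}}
	bogus := Announcement{cidr("203.0.113.0/25"), []int{64497, 64498, 64666}}
	open := &Router{rib: map[string]Announcement{}}
	strict := &Router{rib: map[string]Announcement{}, roas: []ROA{{cidr("203.0.113.0/24"), 24, 64500}}}
	for _, rt := range []*Router{open, strict} {
		rt.Accept(legit)
		rt.Accept(bogus)
	}
	u, _ := open.Lookup("203.0.113.10")
	f, _ := strict.Lookup("203.0.113.10")
	return u.Origin(), f.Origin()
}

func main() {
	u, f := Hijack()
	fmt.Printf("no validation: traffic reaches AS%d; with ROA validation: AS%d\n", u, f)
}
```

Note that the hijacker's path is longer than the legitimate one and still wins: path length only breaks ties between routes for the same prefix, so announcing a more-specific prefix sidesteps that comparison entirely. Origin validation only helps where the legitimate holder has published a ROA and the routers on the path actually enforce it, which is why such leaks still propagate and are usually caught by monitoring rather than prevented.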