Cybersecurity News & Commentary - January 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.


January 2017 edition


GRIZZLY STEPPE Report Fails to Assist

The Department of Homeland Security (DHS)'s United States Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) released a joint analysis report late last month attributing the recent Democratic National Committee hack to Russian civilian and military intelligence services (RIS), naming the activity "GRIZZLY STEPPE." According to Georgia Tech researcher Yacin Nadji, the public report fails both to affirmatively attribute the activity to RIS and to provide "indicators of compromise" (IOCs) that will effectively assist network operators with their own cyberdefense.


IISP Analyst Yacin Nadji: "Unfortunately, the report fails on both accounts. First, while many cybersecurity experts believe Russian hackers were involved, including myself, the report and accompanying media brouhaha reduce the technical credibility overall. For example, the Alternate Names include legitimate and well-known designations of campaigns (such as “APT28/29” and “COZYBEAR”), malware families that are not indicative of campaigns (such as BlackEnergy v3) as well as techniques used by malware authors (such as Powershell backdoor) and names of dynamic link libraries associated with infections (such as “twain_64.dll”). While this list starts off well, the pieces of evidence are confusing and unrelated, which is a bit disconcerting. The rest of the report is rather light on attribution details, describing instead high-level tactics and techniques used by many malware authors. Much of the report outlines common-sense mitigation strategies. This is generally good information, however, it has little to do with confirming or denying Russian involvement in this campaign.

Furthermore, the indicators of compromise (IOCs) that are included are noisy. Network operators simply cannot trust them blindly. The IOCs include Tor exit nodes (usable by anyone with a computer and the Internet), Yahoo infrastructure, sinkholes used by security researchers to track malicious activity, and Microsoft infrastructure, among others. The lack of scrubbing of some of these data suggests the report was possibly rushed. Poor or incomplete data is not helpful to anyone performing rigorous attribution. In contrast, Mandiant's APT1 report from February 2013 currently is considered by many to be the 'gold standard' of such products.

All this points to the demonstrable need for enhanced attribution technologies, an area our lab at Georgia Tech is now heavily invested in. Automating the attribution process will improve the ability to rapidly generate reports with less room for human error. That said, pointing fingers for cybercrime or other malicious activity is a serious affair and one that requires the necessary due diligence to avoid mistakes and ensure results are dispassionate and factual."

Uber's Data Privacy Again in the Crosshairs

Uber Technologies Inc. is again in the crosshairs of the data disclosure debate as New York City seeks more information about drivers’ activities. The battle began with a public hearing last week, another example of a local government seeking more data about its citizens. This time, NYC wants disclosure of the address and time of every drop-off, citing concern about driver fatigue and hourly caps on the workweek, similar to the safety protections in place for airline flight crews. Uber and Lyft have had similar fights across the U.S., “invariably reaching the same conclusion each time: they should share less data than local governments want,” writes Bloomberg Technology.


IISP Analyst Holly Dragoo: "Having fatigue prevention in place is actually not a bad idea, but it’s not clear why the city needs access specifically to the addresses. It’s also not clear how the City would access, archive, or protect that information. Couldn’t the same goal be achieved by just having activity time logs paired up with a one-up number or customer ID to show uniqueness? Once a driver reached an activity cap for a day or week, then they could de-activate their revenue generating apps or some such shut-down feature. The need for the customer data here seems unnecessary. Ironic that Uber should be advocating for the privacy concerns of its staff and riders, though, with their noted use of the “God View” company tracking tool last year."

Bitcoin Surges Past Gold in Value

For the first time since Bitcoin's inception in 2008, the price of one bitcoin has surpassed the price of an ounce of gold. The cryptocurrency market has seen an unprecedented climb during the past 30 days, in spite of expectations that it would level out before hitting this milestone. Bitcoin has historically been seen as esoteric money for “geeks and criminals,” and a common criticism of it (and of similar cryptocurrencies) is that it is not based on any real commodity or universal standard. As such, the surge in value, together with a handful of new currencies (such as Hayek or Aurum) that are backed by gold, could do much to move the adoption rate of cryptocurrency into the mainstream.


IISP Analyst Holly Dragoo: "The climb in Bitcoin value over the holiday stretch is certainly interesting to see, but will likely take a tumble before long. The volatility in past years is not likely to go away overnight, especially with new exchanges popping up all the time, and the omnipresent threat of hackers and insider saboteurs. That said, more and more vendors are accepting bitcoin payments for everyday items, and the more widespread the usage, the more stable the currency becomes. Who knows? You might be paying your taxes in Bitcoin before the year is out!"

Malware Exploit Kits: a Rising Sign of Commoditization

The popular exploit kit Sundown received an update that further hides its malicious code. Sundown currently targets Internet Explorer users through exploits that rely on Adobe Flash or JavaScript. It now hides its malicious code within the alpha channel of images to evade detection. (The alpha channel stores each pixel's transparency; altering those bytes changes the picture only subtly, so exploit code can ride inside what otherwise appears to be a legitimate website ad.) After successfully compromising a user, Sundown silently installs malware; currently the banking trojan Chthonic, but it has been known to install CryptoLocker variants in the past.
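
As an added illustration, not code from Sundown or from the researchers who analysed it, the following Python hides a payload in the alpha channel of an RGBA pixel buffer, recovers it, and applies the check an ad-scanning pipeline could run: an ordinary opaque banner has an alpha channel that is almost entirely 0xFF, whereas one carrying code has many pixels with arbitrary partial-transparency values. The image, the payload and the 5% threshold are constructed assumptions for the demo; the PNG container and the browser-side canvas decoding a real kit would use are left out.

```python
"""Added example, not code from Sundown or from the researchers who analysed it:
hide a payload in the alpha channel of an RGBA pixel buffer, recover it, and
flag buffers whose alpha channel does not look like an ordinary ad's.
The image and the payload are constructed for the demo."""
import math
from collections import Counter

WIDTH, HEIGHT = 32, 32  # constructed "ad"; a real banner is larger, same idea

# Constructed stand-in for an exploit kit's second stage. It is plain text so the
# round trip is easy to inspect; it is not exploit code.
PAYLOAD = (b"// constructed stand-in for an exploit kit's second stage: harmless\n"
           b"console.log('decoded from alpha channel');\n")


def make_opaque_image(width: int, height: int) -> bytearray:
    """Build an opaque RGBA gradient: every alpha byte is 0xFF, as in most ads."""
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 8) & 0xFF, (y * 8) & 0xFF, 0x80, 0xFF))
    return pixels


def embed_alpha(pixels: bytes, payload: bytes) -> bytearray:
    """Store a 4-byte big-endian length followed by the payload, one byte per
    pixel, in the alpha channel. RGB bytes are untouched, so a viewer that
    ignores transparency shows the same picture."""
    capacity = len(pixels) // 4
    blob = len(payload).to_bytes(4, "big") + payload
    if len(blob) > capacity:
        raise ValueError("payload does not fit: %d bytes > %d pixels" % (len(blob), capacity))
    out = bytearray(pixels)
    for i, b in enumerate(blob):
        out[i * 4 + 3] = b
    return out


def extract_alpha(pixels: bytes) -> bytes:
    """Inverse of embed_alpha: walk the alpha bytes in pixel order. This is the
    job a kit's landing-page JavaScript does with canvas getImageData()."""
    alphas = bytes(pixels[3::4])
    length = int.from_bytes(alphas[:4], "big")
    if length > len(alphas) - 4:
        raise ValueError("length prefix exceeds image capacity")
    return alphas[4:4 + length]


def partial_alpha_fraction(pixels: bytes) -> float:
    """Fraction of pixels whose alpha is neither fully opaque nor fully
    transparent. Anti-aliased edges give a small value; arbitrary bytes give a
    large one."""
    alphas = pixels[3::4]
    partial = sum(1 for a in alphas if a not in (0, 255))
    return partial / len(alphas)


def alpha_entropy(pixels: bytes) -> float:
    """Shannon entropy in bits per alpha byte: 0 for a flat opaque image,
    approaching 8 for compressed or encrypted data."""
    alphas = pixels[3::4]
    total = len(alphas)
    return -sum(c / total * math.log2(c / total) for c in Counter(alphas).values())


def alpha_looks_suspicious(pixels: bytes, max_partial: float = 0.05) -> bool:
    """Heuristic a scanner can apply to ad creatives before serving them.
    The 5% threshold is an assumption for the demo, not a tuned value."""
    return partial_alpha_fraction(pixels) > max_partial


if __name__ == "__main__":
    clean = make_opaque_image(WIDTH, HEIGHT)
    stego = embed_alpha(clean, PAYLOAD)
    assert extract_alpha(stego) == PAYLOAD
    print("clean: partial=%.3f entropy=%.2f suspicious=%s" % (
        partial_alpha_fraction(clean), alpha_entropy(clean), alpha_looks_suspicious(clean)))
    print("stego: partial=%.3f entropy=%.2f suspicious=%s" % (
        partial_alpha_fraction(stego), alpha_entropy(stego), alpha_looks_suspicious(stego)))
```

Run it as a script to see the two metrics side by side. A kit that spreads bits across only the low-order bit of each alpha value would still leave 0xFE values behind, so the fraction check still fires; the entropy figure is printed as well because it separates a soft-edged image (a handful of alpha values) from one carrying data (many).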


IISP Analyst Yacin Nadji: "Exploit kits are interesting because they highlight the commoditization of malicious activity. They are insights into popular techniques used in the underground economy at large. To clarify, an exploit kit is a tool sold to malware authors looking to efficiently build their infected user base. Rather than identify exploits themselves, rising botmasters can simply pay for an exploit kit, apply it to webpages (that they own or have compromised), and vulnerable users will become infected simply by viewing the website. What many outside the security community do not realize is that portions of the infection lifecycle have associated services or products in the criminal underground. With enough money, one can buy a kit to create malware and buy a kit to infect users with said malware. Batteries included."


Google Project Could Make Cryptographers Lazy

Google recently announced the release of Project Wycheproof, a suite of tests intended to detect common errors in cryptography implementations. The project already has found a number of security problems in deployed products. The Google announcement states, "With Project Wycheproof, developers and users now can check their libraries against a large number of known attacks without having to sift through hundreds of academic papers or become cryptographers themselves."


IISP Analyst Joel Odom: "It’s well said in cryptography that 'subtle mistakes can have catastrophic consequences.' Cryptography is difficult to do right, and seemingly minor implementation errors or scheme weaknesses often result in breaks. My only concern about this project is that it could lead software engineers into a false sense of security regarding cryptographic implementations. I don't recommend implementing your own cryptography; it's smarter to use well-studied libraries, such as the cryptographic APIs offered by mainstream operating systems. Integrating Wycheproof into your automated testing in order to make sure that your libraries remain strong over your product lifecycle would be a smart way to trust but verify."
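
To make the "trust but verify" suggestion concrete, here is an added example, not Google's Wycheproof code: a small harness in the shape of a Wycheproof test file, run against the standard library's HMAC-SHA256, alongside a deliberately sloppy verifier that accepts truncated tags. The vector set is constructed for the demo and simplified to the fields the harness reads (the project's real files carry more metadata); the one valid tag is RFC 4231 test case 1, and the two invalid cases are derived from it by flipping a byte and truncating the tag.

```python
"""Added example, not Google's Wycheproof code: a harness in the shape of a
Wycheproof MAC test file, run against the standard library's HMAC-SHA256.
The vector set is constructed for the demo; the valid tag is RFC 4231 test
case 1 and the invalid cases are derived from it."""
import hashlib
import hmac
from typing import Callable, Dict, List

RFC4231_KEY = "0b" * 20                 # 20 bytes of 0x0b
RFC4231_MSG = "4869205468657265"        # "Hi There"
RFC4231_TAG = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"

# Field names follow Wycheproof's MAC test files (testGroups, tests, tcId,
# result, flags); a real run would json.load the project's file instead.
VECTORS = {
    "algorithm": "HMACSHA256",
    "testGroups": [{
        "keySize": 160,
        "tagSize": 256,
        "tests": [
            {"tcId": 1, "comment": "RFC 4231 test case 1",
             "key": RFC4231_KEY, "msg": RFC4231_MSG, "tag": RFC4231_TAG,
             "result": "valid", "flags": []},
            {"tcId": 2, "comment": "last tag byte flipped (constructed)",
             "key": RFC4231_KEY, "msg": RFC4231_MSG, "tag": RFC4231_TAG[:-2] + "f6",
             "result": "invalid", "flags": []},
            {"tcId": 3, "comment": "tag truncated to 8 bytes (constructed)",
             "key": RFC4231_KEY, "msg": RFC4231_MSG, "tag": RFC4231_TAG[:16],
             "result": "invalid", "flags": []},
        ],
    }],
}

Verifier = Callable[[bytes, bytes, bytes, int], bool]


def verify_hmac_sha256(key: bytes, msg: bytes, tag: bytes, tag_bits: int) -> bool:
    """Library-style verification: reject a tag of the wrong length outright,
    then compare in constant time."""
    if len(tag) * 8 != tag_bits:
        return False
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def sloppy_verify(key: bytes, msg: bytes, tag: bytes, tag_bits: int) -> bool:
    """A verifier with a classic bug: it compares only as many bytes as the
    caller supplied, so any prefix of the real tag (even one byte) is accepted.
    The comparison is not constant time either."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected[:len(tag)] == tag  # BUG: prefix comparison


def run_vectors(vectors: dict, verify: Verifier) -> Dict[str, object]:
    """Run every case: a 'valid' case must verify, an 'invalid' one must not.
    Wycheproof's third outcome, 'acceptable', counts as a pass either way."""
    passed = 0
    failed: List[int] = []
    for group in vectors["testGroups"]:
        for tc in group["tests"]:
            got = verify(bytes.fromhex(tc["key"]), bytes.fromhex(tc["msg"]),
                         bytes.fromhex(tc["tag"]), group["tagSize"])
            if tc["result"] == "acceptable" or got == (tc["result"] == "valid"):
                passed += 1
            else:
                failed.append(tc["tcId"])
    return {"passed": passed, "failed": failed}


if __name__ == "__main__":
    print("stdlib verifier:", run_vectors(VECTORS, verify_hmac_sha256))
    print("sloppy verifier:", run_vectors(VECTORS, sloppy_verify))
```

The negative vectors are the point: a library must not only produce the right answer for good input, it must reject bad input, and a suite made only of known-answer vectors never notices a verifier that prefix-compares or accepts a wrong-length tag. Swap in your own library's verify function, and load the project's JSON in place of the constructed dict, to wire this into a build.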


Can In-Flight Entertainment Systems Really Be Hacked?

Security assessment firm IOActive published a report disclosing vulnerabilities in Panasonic in-flight entertainment systems. The IOActive announcement includes a technical explanation of the vulnerabilities and a demonstration of three exploits: directly reading data from the system's database, reading arbitrary files from the system's file system, and bypassing the system's credit card check. Panasonic Avionics Corp. issued a response asserting that the IOActive report contains "a number of inaccurate and misleading statements about Panasonic’s systems."


IISP Analyst Joel Odom: "The IOActive report is a good example of how a security assessment works. The researcher started by tinkering with the Panasonic system and by doing online research to collect intelligence about the system's design. He then reverse-engineered the software to understand its behavior and identify vulnerabilities. Finally, he demonstrated exploits of the vulnerabilities that he discovered. As both IOActive and Panasonic say, it is unlikely that an attacker could compromise the entertainment system to control the aircraft, but there apparently is an electronic interface between the control domain and the entertainment domain. This means that if there is some weakness in the isolation boundary between the control and entertainment domains (or if some future change were to introduce a weakness), attacks on the aircraft control bus could become possible. It is common in security for yesterday's hypothetical attacks to become tomorrow's reality."

Home Router Attacks Raise Questions about Pace of Product Development

In response to a vulnerability found by Dr. Web, an anti-virus and security company, NetGear announced a series of beta patches for its R6000, R7000, R8000, D6000, and D7000 routers. The vulnerability requires little technical skill to exploit: an attacker needs only to get a browser on the target network to visit a malicious link pointed at the network’s router. Affected routers do not adequately validate requests to their web admin interfaces, so commands appended to the request URL are executed immediately as root, even if the user is not logged in to the router. Such an attack could easily be combined with phishing, or simply launched from the target network by a guest. NetGear continues to investigate, and the full extent of affected products is not yet known.
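
As an added example, not NetGear's firmware or Dr. Web's research, the following Python parses combined-format access log lines from a router, flags requests whose path carries shell metacharacters after decoding (double percent-encoding included), records when the Referer shows the request came from another site, and includes the exact-match allowlist check a CGI dispatcher should apply before any request string reaches a shell. The log lines, the router address 192.168.1.1, the CGI names and the harmless probe ";id" are all constructed for the demo; they are not the strings from the actual advisory.

```python
"""Added example, not NetGear's firmware or Dr. Web's research: find
command-injection attempts against a router's web admin interface in its HTTP
access log, and show the allowlist check the CGI dispatcher should have made
before any request reached a shell. Log lines, router address and CGI names
are constructed for the demo."""
import re
from typing import List, Optional
from urllib.parse import unquote

SHELL_META = set(";|&`$()<>\n")

# Assumed for the demo: the router's own origin and the CGI paths it serves.
ROUTER_ORIGIN = "http://192.168.1.1/"
ALLOWED_CGI = {"/cgi-bin/status.cgi", "/cgi-bin/login.cgi"}

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample: one legitimate admin page load, then two cross-site
# requests that append a harmless command to the CGI path (the second one
# double-encoded so a naive single unquote would miss it).
SAMPLE_LOG = [
    '192.168.1.23 - - [09/Jan/2017:10:00:01 -0500] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "http://192.168.1.1/" "Mozilla/5.0"',
    '192.168.1.23 - - [09/Jan/2017:10:00:09 -0500] "GET /cgi-bin/;id HTTP/1.1" 200 0 "http://evil.example/" "Mozilla/5.0"',
    '192.168.1.23 - - [09/Jan/2017:10:00:10 -0500] "GET /cgi-bin/%253Bid HTTP/1.1" 200 0 "http://evil.example/" "Mozilla/5.0"',
]


def decode_path(raw: str) -> str:
    """Percent-decode until stable (bounded), so %253B is seen as ';' too."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def injection_reason(path: str) -> Optional[str]:
    """Explain why the path component looks like shell injection, else None.
    Only the path is checked here; query parameters need a per-value check."""
    decoded = decode_path(path).split("?", 1)[0]
    found = sorted({c for c in decoded if c in SHELL_META})
    if found:
        return "shell metacharacter(s) %s in path" % ", ".join(repr(c) for c in found)
    return None


def cgi_request_is_allowed(path: str) -> bool:
    """The dispatcher-side fix: exact-match the decoded path against a fixed
    allowlist and never hand the raw request string to a shell."""
    decoded = decode_path(path).split("?", 1)[0]
    return decoded in ALLOWED_CGI


def scan_log(lines: List[str], router_origin: str = ROUTER_ORIGIN) -> List[dict]:
    """Return one finding per suspicious request. A Referer from another site
    means the victim's browser was steered there, which is how the attack is
    delivered; no session cookie is required, so none is checked."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reason = injection_reason(m["path"])
        if reason is None:
            continue
        referer = m["referer"]
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": m["path"],
            "reason": reason,
            "cross_site": referer not in ("", "-") and not referer.startswith(router_origin),
            "would_be_allowed": cgi_request_is_allowed(m["path"]),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The detection side is a stopgap for operators who cannot patch yet; the cgi_request_is_allowed check is the shape of the real fix, since a dispatcher that only ever serves names from a fixed table has no string to inject into.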


IISP Analyst Stone Tillotson: "This vulnerability is particularly frightening in that it affects a huge number of deployed networking devices. More frightening still is that a simple code injection attack was successful against a manufacturer of networking equipment. However, it can’t be considered surprising. As more devices are made web-aware, both in the Internet of Things and traditionally networked devices, they will become subjected to the same hacking intensity as corporate websites. The benefits are wide ranging, from illicit video surveillance to bitcoin mining, and the hackers are both motivated and talented. What’s not as wide ranging is the skill set of the home user needed to secure themselves against such attacks. Further, manufacturers of low-cost, commodity devices are unlikely to spend the resources to secure hastily built gadgets, even if exploitable defects are found. The solution for the pharmaceutical industry was the FDA, but an IT analogue seems unlikely given the technical and political realities. The only clear conclusion this analyst can reach is that network security professionals should lobby for overtime."