Cybersecurity News & Commentary - June 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

June 5, 2017


ACDC Update: Active Cyber with an FBI Twist 

After a panel hosted by the IISP at Georgia Tech, Rep. Tom Graves (R-Ga.) updated and re-released a discussion draft of the Active Cyber Defense Certainty (ACDC) Act. For background, see last month's discussion of the original draft. The draft bill – not yet formally introduced to the U.S. Senate – would allow an individual to perform limited, "cyber defense" beyond and into networks not their own for the purposes of identifying attackers who illegally penetrated anyone’s network, improving defenses, or disrupting unauthorized activities.


IISP Analyst Yacin Nadji: "The 2.0 version is earned, with improvements including prohibiting financial injury to persons, looping in the FBI's National Cyber Investigative Joint Task Force, and having a sunset clause to force working out any kinks. Furthermore, the draft bill now includes some discussion of 'intermediary computers,' which was lacking before, but still needs some clarification. The main concerns I have are surrounding intermediary machines, backdoors, and reporting to the FBI.

"With respect to the first, it remains unclear what can be done if the 'attacker's machine' is yet another victim's machine (used in a botnet for example) that was compromised by the attacker. For example, can active measures be taken through another victim's machine to reach the true attacker? Can this be done ad infinitum? If the intermediary computer is also in the United States, must they agree with the initial victim to pursue further active measures? If victim #2 is in an uncooperative nation, can active measures pass through them surreptitiously? This part needs a massive overhaul. I'd recommend:

  • to allow surreptitious pass-through if the intermediary machine is not in cooperative territory,
  • to require both informing the intermediary that they are also a victim, and negotiate how to proceed, and
  • to update the FBI on additional 'hops.'

"Second, prohibiting backdoors needs more clarification. Does this prevent defenders from maintaining a presence on the attacker's machine while performing active measures? To continue with the analogy, perhaps this is more of an 'additional front door' than a backdoor, but we must be more precise. Read conservatively, this implies defenders must fully automate the attribution/disruption/monitoring processes, which is likely too difficult to do in practice. If not, it's unclear to me what this specifically prohibits.

"Finally, reporting to the FBI is a clear improvement, but may not prevent inconvenient or nightmarish scenarios. Consider if the attacker is already under investigation by the FBI and additional active measures by the victim may tip-off the attackers and impede the investigation. Is the FBI allowed to prevent retaliation by the victim if they fear it will damage their investigation? What if the FBI knows the attacker is a nation-state that would consider responding to cyberattacks kinetically? In attribution scenarios, careful and measured responses requiring checks and balances are likely to be more successful than erring on the side of rapid retaliation. I personally believe offensive operations—especially against nation-state actors that could have geopolitical ramifications—ought to require explicit approval."


PATCH(ing) the Public Disclosure Process

U.S. lawmakers responded to the WannaCry attack by introducing bicameral legislation, Protecting Our Ability to Counter Hacking Act of 2017 (PATCH Act). The bill, pending initial vote by U.S. House and Senate committees as of June 5, would mandate a consistent, decision-making framework for when to retain or disclose to the public known vulnerabilities in technology products, services, applications, and systems. The bill would create a federal review board – chaired by the Department of Homeland Security and comprised of agency heads from the intelligence community and others such as the Departments of State, Commerce, Energy and Treasury – to oversee government practices around vulnerability disclosure and report to Congress annually. A “vulnerability equities review process” and executive board of some form already exist as established during the Obama era, however, this bill will formalize and enforce greater transparency to the public.


IISP Analyst Holly Dragoo: "At first blush, the PATCH Act seems redundant to the institutions already in place, but formalizing a process and codifying accountability may be practical if not groundbreaking. Deeper analysis of what brought this bill to fruition suggests there needs to be a frank national dialogue about which offensive capabilities are necessary for cyber intelligence gathering. What this bill really reflects is public uncertainty (suspicion?) over widespread exploitations of known vulnerabilities (such as the recent WannaCry ransomware attacks and the Heartbleed attack from 2014 and, to a lesser extent, even the Snowden revelations of civilian privacy). The public likely is reticent to embrace any offensive cyber capability (covert or non) in this political climate. Yet, most people agree we benefit from, and should be conducting, some level of intelligence collection to inform our national policy decisions. Messaging from Washington should be clearer about what the trade-offs are when weighing intelligence value against public network defense."


Another Weakness in Windows Is the Undoing of WannaCry Encryption

Due to a security weakness in how Windows manages memory within the Windows 7 and Windows XP cryptographic library implementations, it is possible to recover secret key material that can be used to decrypt files taken hostage by WannaCry. “Wannakey” is a free and open-source tool that searches the memory space of the WannaCry malware process, looking for one of the secret prime numbers that can be used to decrypt user files. The Wannakey tool works because of a security weakness in Windows 7 and Windows XP that leaves some secret key material in memory, even after the key material should have been deleted.


IISP Analyst Joel Odom: "When dealing with sensitive data in a computer's memory, it is best practice to keep the sensitive data in memory for as short a period as possible and to erase the sensitive data from memory when it is no longer needed by overwriting it with irrelevant data.  This is metaphorically equivalent to shredding sensitive paper documents before you throw them into the trash.  The WannaCry malware properly uses the CryptReleaseContext Windows function to delete sensitive key material, but the implementations of this function in Windows 7 and Windows XP do not actually "shred" the secret key material as one would expect.  That weakness is what allows the Wannakey tool to search WannaCry's memory for one of the prime factors used to generate the secret RSA key that can be used to recover files that were illegally encrypted by WannaCry.”


Executive Order Outlines White House Cybersecurity Priorities

President Trump issued an Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, detailing five core tenets:  1) Agency responsibility for major breaches of their respective networks; 2) Executive branch support for securing critical infrastructure networks; 3) Defense and resiliency of the civilian Internet against cyberattackers; 4) International partnership for cyberthreat information sharing; 5) Promotion of cybersecurity education and workforce development.


IISP Analyst Holly Dragoo: "Given the strife over previous executive orders, it’s not surprising to see some hype generated over this one; particularly over the clause that places accountability for the defense of agency networks squarely on the shoulders of senior executives. This is not really an unreasonable clause, however, and somewhat overdue. It may be the fastest way to see (desperately needed) widespread upgrades to network security across the government. Leadership accountability does happen already in a reactive way of sorts, with heavy media scrutiny and/or public resignations in the aftermath of a mega breach (e.g. the Office of Personnel Management hack), but marking it down as policy will force proactive changes that too often have been relegated to the back burner.

"The delay in issuing this EO, after multiple previous drafts had been leaked, was most assuredly so new White House cybersecurity advisor Rob Joyce could review and approve its verbiage. His background as a former NSA executive with exposure to both offensive and defensive cybersecurity matters certainly informs his perspectives well. This EO makes sense. There are no un-fundable mandates or unenforceable aspects to the EO, albeit with some lofty deterrence goals. Benign sections request informational reviews/reports from department heads and acknowledge the legitimate need for international threat sharing. Meanwhile, addressing the desperate cries for qualified industry professionals validates that the private sector was heard. Critics say the EO is all talk with no action and no funding, and that is true. Funding will be a better measure of determining what White House priorities really are in this space. Taken in the context of the stream of other EOs issued from the White House, all in all, it’s not bad or terribly disruptive for a first quarter effort on a complex topic."