Cybersecurity News & Commentary - November 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

November 1, 2017


Blame Russia or Blame Weak Algorithms Behind Your 'Real News'

We’re now one year into allegations of “fake news,” which rose to prominence during last year’s Presidential election. Instead of arguing about which nation, social media service, or political party is to blame, it is time to realize that the algorithms behind “personalization” and “customization” preferences on the Internet can and are being hijacked. This is a matter that extends beyond content creation; this is about real cybersecurity vulnerabilities in the mechanics behind today’s Internet and apps...

Read the full piece by Wenke Lee, co-director of the Institute for Information Security & Privacy, professor, and John P. Imlay Jr., Chair in Software at the Georgia Tech School of Computer Science. 


Civil Society and Digital Free Trade: A Response

A letter that purports to speak for all of “global civil society” and attacks the prospect of a new e-commerce trade agreement was circulated to negotiators preparing for the World Trade Organization’s 11th Ministerial meeting (MC11). The letter called the proposal “a dangerous and inappropriate new agenda.” There is a strong case to be made that free trade, while having complex distributional effects, improves consumer welfare overall and vitalizes developing economies. And it is hard to see why civil society should be defending protectionism and the associated regulations... We favor an open and honest debate about the merits of Internet-enabled trade in services – a debate that should be evidence-based and not based on the false polarity between “big corporations” and “the people.”

Read the full piece by Milton Mueller, Professor at the Georgia Tech School of Public Policy.


EU Unites Against Cyberattacks

The EU Parliament is in negotiations to formally declare cyberattacks potentially sufficient to meet the threshold for invoking the mutual defense clause of the EU Treaty. If passed, the act would designate some cyberattacks as acts of war, allow for shared “aid and assistance” (unspecified) in the event of a cyberattack, and establish the doctrinal premise that an attack on one member state would be perceived as an attack on all member states – similar to the well-known Article 5 collective defense provisions in NATO.


IISP Analyst Holly Dragoo: "EU membership is not identical to NATO, but they share many common members and NATO has started to address cyberspace issues, which is no doubt a source of influence for this declaration. This is a sea change for nation-state relations. Defining what constitutes an act of war in cyberspace – as opposed to intelligence operations – has confounded policymakers for more than a decade now. However, challenges now follow, such as: what are the criteria for determining one attack is an act of war over another attack, and how to coordinate a response protocol among members? Nonetheless, this is the first coherent step towards developing a credible deterrence strategy in cyberspace. Hopefully other states will follow suit soon."


Encryption Only as Strong as Its Implementation

State-of-the-art smartcards have been used by banks, large corporations, and governments to provide cryptographic protections of their data and user authentication. A newly released vulnerability has been demonstrated to allow hackers to bypass data encryption and even two-factor authentication. Using only a public portion of an encryption key, attackers can calculate the private encryption key of the user. Once the private key is determined, hackers can impersonate individuals, decrypt data, and inject malware into signed software. The flaw was discovered in code that has been in use since 2012 and is widely used by internationally trusted manufacturers.


IISP Analyst Chris M. Roberts: "This is yet another excellent reminder that no system or scheme should be considered foolproof. Despite these smartcards using large encryption keys (512-bit and 1024-bit), they were still able to be compromised. This vulnerability is not in the encryption but rather in the implementation of the encryption. Implementations of vetted standards, both protocol-level and security-related, are often the weakest points in communications schemes. For example, the latest major vulnerability against Bluetooth, BlueBorne, exploited vulnerabilities in the protocol implementation that occurs unencrypted.

"It’s unclear how wide the surface area of this vulnerability is. Estimates range from millions of cards issued to hundreds of millions. Luckily, a solution to patch this vulnerability is in the works. Hopefully, embedded systems developers will begin to understand why they need to have their systems red-teamed for these types of vulnerabilities. In this case the patch may be able to be rolled out without relying on the user to install it, but in many embedded systems, that is not the case. The back and forth between security researchers and hackers is as strong as ever and won’t be ending any time soon."



A new set of standards for border gateway protocol (BGP) routing on the Internet has been published by the Internet Engineering Task Force (IETF). It’s the first real attempt to secure the routing layer of the Internet from well-known BGP vulnerabilities in traffic flow control that can lead to disastrous effects. The U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) partnered together to develop the new Secure Inter-Domain Routing (SIDR) standards, using Resource Public Key Infrastructure (RPKI), BGP Origin Validation, and BGP Path Validation as a three-pronged approach to securing network pathways.
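The RPKI/BGP Origin Validation prong described above works by comparing each received route announcement against signed Route Origin Authorizations (ROAs), which state which AS may originate a prefix and how specific an announcement may be. The following is an added example (not code from the IETF, DHS, NIST, or any router vendor) that implements the three-state origin validation outcome (Valid, Invalid, NotFound) over a constructed ROA set; the prefixes and AS numbers are documentation values, not real routing data, and it does not cover the BGP Path Validation (BGPsec) prong.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maximum announced length, origin ASN."""
    prefix: str
    max_length: int
    asn: int

# Constructed ROAs using documentation prefixes (192.0.2.0/24, 198.51.100.0/24,
# 2001:db8::/32) and documentation ASNs (64496-64511); not real routing data.
SAMPLE_ROAS: List[Roa] = [
    Roa("192.0.2.0/24", 24, 64496),     # AS64496 may announce exactly /24
    Roa("198.51.100.0/24", 26, 64497),  # AS64497 may announce /24 down to /26
    Roa("2001:db8::/32", 48, 64496),    # AS64496 may announce /32 down to /48
    Roa("203.0.113.0/24", 24, 0),       # ASN 0: nobody is authorized to originate it
]

def validate_origin(prefix: str, origin_asn: int, roas: List[Roa]) -> str:
    """Origin validation outcome for one announcement.

    NotFound: no ROA covers the announced prefix (RPKI has no opinion).
    Valid:    some covering ROA names this origin ASN and permits this length.
    Invalid:  ROAs cover the prefix but none authorizes this origin/length.
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != announced.version:
            continue
        # A ROA "covers" an announcement when the announced prefix lies inside it.
        if announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        # ASN 0 never matches a real origin, so such ROAs only ever yield Invalid.
        if roa.asn != 0 and roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"

def route_decision(state: str) -> str:
    """A common operator policy: drop Invalid routes, accept Valid and NotFound."""
    return "drop" if state == "Invalid" else "accept"

def check(prefix: str, origin_asn: int, roas: Optional[List[Roa]] = None) -> str:
    """Convenience wrapper returning the policy decision for an announcement."""
    return route_decision(validate_origin(prefix, origin_asn, roas or SAMPLE_ROAS))

if __name__ == "__main__":
    # Legitimate announcement, a more-specific leak, and a wrong-origin announcement.
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("192.0.2.0/24", 64500)]:
        print(p, a, validate_origin(p, a, SAMPLE_ROAS), check(p, a))
```

The ASN-0 ROA shows how RPKI can also mark address space that should never appear in the routing table; a router applying the `route_decision` policy discards both wrong-origin announcements and announcements more specific than the ROA permits, which are the two shapes a corrupted routing table typically takes.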


IISP Analyst Holly Dragoo: "Long overdue, these new standards will be a great if imperfect solution to the relatively infrequent but certainly plausible BGP hijacking attacks. We’ve seen relatively few of these types of attacks (where the attacker will redirect, copy, or drop traffic as it flows through corrupted routing tables), but haven’t seen meaningful attempts to close the loophole until now. It’s almost as if the powers that be relied on the number of attacks to remain low to justify inaction toward creating new standards since the protocol originated in the 1980s."


KRACK Breaks WiFi Security but All Is Not Lost

Researchers from KU Leuven in Belgium have disclosed a serious flaw in the WPA2 standard that allows attackers to break the encryption on WiFi networks. The flaw, dubbed KRACK, allows an attacker to trick WiFi clients into reusing cryptographic material in such a way that the attacker can decrypt the packets sent between a WiFi client and an access point. Because the flaw exists in the actual WPA2 standard, the security community believes that KRACK probably affects almost every WiFi device in existence. Major device and operating system vendors have already published patches that clients can install to prevent the attack.
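The "reuse of cryptographic material" in the summary above is a nonce reset: a WPA2 client that reinstalls an already-installed session key on a retransmitted handshake message also resets its packet-number counter, so the next frames reuse nonces that were already consumed under the same key. The following added example (a simplified model, not code from the KU Leuven researchers or any Wi-Fi stack) simulates a client with and without the fix that vendors shipped, namely ignoring the reinstall of a key that is already in use; the handshake, key bytes and frame counts are constructed for the demonstration, and the nonce is modelled as (key, packet number) rather than the full CCMP nonce.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Supplicant:
    """Minimal model of a WPA2 client's key-install state (constructed example)."""
    reinstall_allowed: bool              # True models the pre-patch behaviour
    installed_key: Optional[bytes] = None
    packet_number: int = 0               # per-key transmit counter feeding the nonce
    nonces_used: Set[Tuple[bytes, int]] = field(default_factory=set)

    def on_message3(self, ptk: bytes) -> bool:
        """Handle handshake message 3 (the one KRACK replays). Returns True if installed."""
        if self.installed_key == ptk and not self.reinstall_allowed:
            # Patched behaviour: the key is already in use, so a retransmission is
            # acknowledged but the key and its counters are left untouched.
            return False
        self.installed_key = ptk
        self.packet_number = 0           # counter reset: harmless once, fatal on reinstall
        return True

    def send_frame(self) -> bool:
        """Consume one nonce for an outgoing frame. Returns True if the nonce was reused."""
        if self.installed_key is None:
            raise RuntimeError("no session key installed")
        nonce = (self.installed_key, self.packet_number)
        reused = nonce in self.nonces_used
        self.nonces_used.add(nonce)
        self.packet_number += 1
        return reused

def simulate(reinstall_allowed: bool, frames_before: int = 3, frames_after: int = 3) -> int:
    """Run one handshake, some traffic, a retransmitted message 3, more traffic.

    Returns the number of frames sent under a nonce that had already been used.
    """
    ptk = b"constructed-session-key"     # constructed placeholder, not a real PTK
    client = Supplicant(reinstall_allowed=reinstall_allowed)
    client.on_message3(ptk)
    reused = sum(client.send_frame() for _ in range(frames_before))
    client.on_message3(ptk)              # retransmitted message 3 with the same key
    reused += sum(client.send_frame() for _ in range(frames_after))
    return reused

if __name__ == "__main__":
    print("unpatched client nonce reuses:", simulate(True))   # 3
    print("patched client nonce reuses:  ", simulate(False))  # 0
```

The patched variant is the whole fix: key installation becomes idempotent, so a replayed message 3 can no longer move the counter backwards, and every frame keeps a fresh (key, packet number) pair. It also illustrates why the flaw sits in the standard rather than in one vendor's code: the standard said to (re)install the key on message 3 without saying the counter must survive a reinstall.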


IISP Analyst Joel Odom: "KRACK constitutes a complete break of WPA2 security. This means that an attacker can read (and often manipulate) the IP-level data of affected clients. Although that is a major problem, all is not lost. Applications that implement security properly adhere to the end-to-end principle for cryptography. This means that data is encrypted for integrity and confidentiality at the application level, before the data ever reaches the TCP/IP level. An attacker who can use KRACK to read and control the IP packets still cannot compromise a properly implemented secure network session, such as sessions protected by TLS. In fact, once data leaves your local network, you have to assume that an attacker downstream of your connection can control your IP packets anyway. KRACK implies that you must confer this distrust onto your local WiFi network.
In addition to TLS, other defense-in-depth strategies can mitigate the impact of KRACK. For example, I typically use a VPN when I'm conducting business on any network away from the office. The same VPN technology that protects users on untrusted public networks also protects users who are vulnerable to KRACK.
The bad news is that not all applications use encryption properly. In their example video, the discoverers of KRACK demonstrate how an improperly configured website can be forced to downgrade a client’s connection so that the connection does not use encryption at all. Applications that don't properly validate TLS certificates or that don't use encryption are vulnerable. Devices that don't routinely receive patches, such as many IoT devices, will remain vulnerable indefinitely. The ability to control a client's WiFi connection also leaves users vulnerable to certain types of phishing attacks since attackers could potentially control client DNS queries. Thankfully, increased public attention to computer security in the last decade has advanced the deployment of strong cryptography, which users need to maintain security when attacks such as KRACK are discovered."


Enterprising Hackers Turn to Bitcoin

Cyber criminals have found a new avenue to instant riches: mining bitcoins. With the stratospheric rise in the cryptocurrency's value (up 650% in one year), the security firm Redlock reports that enterprising hackers have begun to compromise Amazon Web Services (AWS) accounts to mine bitcoins. The scalable nature of AWS cloud machines gives them an edge over the typical botnet and, by compromising business accounts, the extra processing power allocated might not raise any red flags. In the cases thus far identified, whatever data that might be present in the breached accounts appears to be of, at best, secondary value and is often ignored. This represents a reversal of the typical modus operandi, and with sudden changes like this, companies will need to adjust their threat matrices and skillsets accordingly.


IISP Analyst Stone Tillotson: "Hackers respond to incentives just like anyone else, and it shouldn't be too surprising that literally making money is more appealing than fencing or ransoming data. But Bitcoin's meteoric rise and the entailing results fuel questions about the wider direction of cybercrime. Given the quick pace of technological change and cybercrime's marriage to equally volatile currency markets, how will we predict where they go next? Cybersecurity personnel are a limited resource, so hardening every potential target isn't feasible. When rapidly changing incentives push hackers in new directions or bring them back to neglected targets, allocating one's security budget might start to resemble prognostication. Noting that this problem starts with economics, economics itself might provide the solution. Microeconomics has been successfully applied to forecast terrorism; perhaps it's time to apply those insights to cybersecurity as well. Add to those insights organizational data and a bit of machine learning, and a company might derive a much clearer picture of when and what might be at risk."


Comparing Regulatory Approaches for Driverless Cars

Australia's National Transport Commission (NTC) recently released a discussion paper concerning the imminent development and use of automated driving systems (ADS). These systems hold the promise of diminishing roadway fatalities, improving mobility for those unable to drive, reducing shipping costs, and so on. The Commission's report identifies areas of law to be amended, including enumeration of the legal responsibilities incurred by owners and operators of ADS-enabled vehicles. The report signals a much bigger step into the needed regulatory changes than a similar, but more tentative, discussion paper released by the U.S. National Highway Transportation Safety Administration (NHTSA) in September. One omission in the NTC's report, however, is the absence of cybersecurity guidelines, something present in the NHTSA report.


IISP Analyst Stone Tillotson: "When ADS vehicles begin whisking millions of people around, it will literally become a matter of life and death to ensure that their over-the-air updates are coming from the right party. Driving legislation worldwide will have to change in the near future, so these overdue discussions are showing their need more and more. Liability is one of the key questions at stake. When does a manufacturer have a duty to provide software updates? When does a driver have a duty to deploy them? A faulty turn signal may result in a ticket for faulty equipment; the blame is easy to assign and there's no valid reason to excuse it. This analogy doesn't pair well with equipment that has invisible faults, and with users who may have valid concerns about automatic updates. Tesla hacks have been demonstrated by security researchers multiple times now, so any driver could plausibly defend either allowing or blocking updates as satisfying their duty of care. This confusion is what we can hope both the NTC's and NHTSA's future regulations will resolve, but for now we can expect only the impending legal morass and a grim wait for more catastrophes."