Source Port News & Commentary

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions that are driving our research, and new projects underway.

September 1, 2016

Long Encryption Keys No Longer Enough
Researchers Demonstrate that a Short Block Cipher Breaks TLS

Researchers from the French Institute for Research in Computer Science and Automation have demonstrated practical breaks of TLS (the protocol that secures most encrypted Internet traffic) when it is configured to use 64-bit block ciphers such as 3DES or Blowfish.  As demonstrated by the researchers, the attacks require over 700 GB of data to recover a secret session cookie, but that which is first practical in the lab will soon be practical in the wild, and attacks only improve.


IISP Analyst Joel Odom: "A block cipher is another tool in a cryptographer’s toolbox, two well-known examples of which are DES and AES.  Designed in the early 1970s, DES was the first strong block cipher published for public use. It was quickly apparent that DES had a significant flaw: the key length was only 56 bits, which is far too short to prevent brute-force attacks that involve guessing keys until you stumble upon the correct key. To remedy this, 3DES was invented. 3DES uses the same underlying algorithm as DES, but it applies DES three times with two different keys in order to expand the number of possible keys to make brute-force attacks impractical (there are variants on 3DES, but lengthening the key is the idea). As this story demonstrates, a long key is not enough. If your block cipher operates on blocks that are too short, you can learn enough input/output pairs that you can start to infer information about the bits that are supposed to be completely hidden by the cryptographic scheme that uses the block cipher. The authors demonstrate that the way that TLS uses block ciphers makes this kind of an attack practical."

The Costs of Zero Day

In a recent opinion piece on Lawfare, researcher Nicholas Weaver discusses the Cost of Using Zero-Days (exploits). He re-caps the significance of the Israeli-based “cyber war” company NSO Group’s efforts to compromise the iPhone of an outspoken human rights defender from the UAE, Ahmed Mansoor, and demonstrates the dual-edged nature of using zero-day exploits in such a public manner.


IISP Analyst Holly Dragoo: "It’s true, zero-days are the hand grenade of the cyber world; you have to use them in very measured, well-thought out ways, or they’re ineffective…especially since they are (generally) scarce and have a one-time use. They might be a guarantor of access to a difficult platform or hardened set of files, but if there’s even a semi-public aspect to that hack, you should count that exploit as unusable, as the vendor of the exploited product will likely develop a patch in days. This is what lends them to stockpiling; the perishable nature but high impact makes them effective, albeit expensive, tools. I wish Weaver could have further developed the concept he just briefly touches on in the article, on regulating zero-days. Not sure what he meant about that or how we would go about doing it, but it seems worth exploring publicly."

Four-fold Growth for Monero
Emerging digital currency popular in illicit economies

Bloomberg is reporting that emerging digital currency Monero has quadrupled in value since the end of July. Drug dealing websites have started driving traffic to the form of payment, perceiving a more secure alternative to Bitcoin. Monero obfuscates each transaction with cryptography to hide the origin and path of money exchanges. Its claims of being untraceable, plus a huge injection of private investment, are making it more accessible and by extension more popular, especially in illicit economies.


IISP Analyst Holly Dragoo: "Quadrupled, wow. Can that really only be from capital injection and website redirects? Seems dubious. Such growth of any anonymous payment system should be scrutinized. I’m of two opinions on this. On the one hand, we absolutely need secure, private digital transactions with ready access to funds; on the other, environments where law enforcement is not able to exist usually become lawless cesspools of criminal activity. Legal measures targeting finances are the most effective tool at combating global criminal networks such as human traffickers, drug lords, terrorists, or even state sponsored hackers. What is the security cost to having individual privacy? I’m not sure it’s worth it, but that is certainly oversimplifying the matter."


There's Money in Misery

Strategic partnerships, a mainstay approach of expanding one’s business, has finally filtered down to the hacking community. When a team of hackers working for the cybersecurity firm MedSec discovered that some of St. Jude Medical Inc.’s pacemakers and defibrillators had life-threatening security flaws, they allegedly contacted Muddy Water’s Capital to broker a fee-for-information deal. The deal, if proven, has startling implications for a new style of potential cybercrime and -- perhaps even more insidious -- incentivizing security professionals to withhold dangerous problems for profit. Given the arcane and often unrewarded nature of security research, we may see a near-term movement where hackers trade in their white hats for gray.


IISP Analyst Stone Tillotson: "Monetizing security flaws in this way is truly frightening. The blackmail and theft approaches favored by cybercriminals fall squarely within current law, but the movement toward vulnerability research skirts our normal safeguards. It puts patients at risk from a zero day exposure (necessary for the short selling position to work) and doesn’t directly violate any laws. More deeply, it also treads on stock manipulation since we know that no device is completely secure. Announcing vulnerabilities is easy, verifying them is hard, and in less of a span than that, a company’s stock could go into freefall. While it may be a futile gesture in the face of potential hedge fund sized payout, the security community needs to continue to encourage responsible disclosure; it really will save lives."


GPG Development Team Patches 18-Year-Old Bug

The GnuPG Project has recently fixed an 18-year-old bug in it’s popular cryptography product, GNU Privacy Guard.  The article states, “An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output.  This bug exists since 1998 in all GnuPG and Libgcrypt versions.


IISP Analyst Joel Odom: "Pseudo-random number generators (PRNGs) are a key tool in building a secure cryptosystem. They are used for generating unguessable keys, for generating single-use numbers (nonces), for generating prime numbers, and can be used as a building block for other cryptographic tools such as block ciphers. If, given any practical amount of output from the PRNG, an attacker can predict any of the future output bits of the generator, the PRNG is broken. (Actually, all that the attacker has to do is to show that the supposed PRNG output can be distinguished from truly random bits.) In this case it takes only 4,640 bits of output to predict 160 bits with complete confidence. This is a complete break of this PRNG implementation."


Make Sure Your Vote is Counted, and Hacked

The FBI is now investigating breaches into election systems in Arizona and Illinois, while Georgia's Secretary of State was appointed to the federal Election Infrastructure Cybersecurity Working Group led by the U.S. Department of Homeland Security. In May, the FBI alerted Arizona officials to a credible threat that systems had been hacked. The subsequent investigation discovered a county level breach that revealed confidential voter registration information. Then in June, hackers were able to gain access to Illinois’ state-wide voter registration database. While these compromises do not pose a credible threat to election outcomes, the stolen information could be used for identity or other fraud. It also reveals the extent to which cybercriminals will go to harvest information.


IISP Analyst Stone Tillotson: "State-level election systems have long had a reputation for lackluster security, running the gamut from insecure voting machines to the election agencies’ systems themselves. Given the value of this information, we can expect to see more breaches in the future, especially given that addressing their problems surely will be mired in bureaucracy. We’ve already seen this in the tepid state-level response to DHS Secretary Jeh Johnson’s call to prioritize election systems as critical infrastructure. And, while unlikely to sway any individual election, these kinds of breaches could continue to erode faith in election integrity and attendance at the ballot box."