December 20, 2017 | By Joel Odom
I love working in cybersecurity. Not only are the technical topics a lot of fun, but cybersecurity is an area where I feel like my work makes a meaningful impact for my project sponsors, for the students at Georgia Tech, and for the public at large. Also, to be completely frank, it's nice to know that I'm in a field that has so many problems to solve that I will never be out of a job. Hardly a week goes by where some aspect of computer security doesn't make headline news. Here are a few of my favorite stories from 2017.
Best Industry Response to a Vulnerability
A few weeks ago, I wrote about a vulnerability that allowed an attacker with USB access to infect a computer and take complete control of the system -- from the hardware layer up -- due to a weaknesses in Intel's Management Engine. I still think that having a "tiny homunculus computer" embedded on motherboards is a bad idea from a security standpoint, but kudos to Intel for their thorough response.
- Intel PCs Vulnerable to Attack Over USB: http://cyber.gatech.edu/intel-based-pcs-may-be-widely-vulnerable-attack-over-usb
- Intel Response: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Worst Industry Response to a Breach
Early in the year, Holly Dragoo wrote about how, to their credit, Uber pushed back against New York City's request for private data about Uber customers. To their discredit, it recently emerged that Uber paid $100,000 in hush money to cover up a 2016 hack that revealed the private data of 57 million customers, including about 600,000 driver's licenses.
- Uber Privacy Data Again in the Crosshairs: https://cyber.gatech.edu/ubers-data-privacy-again-crosshairs
- Uber Pays to Hide Breach: http://www.zdnet.com/article/uber-paid-20-year-old-man-to-hide-data-breach-destroy-information/
Most Aggravating Cybersecurity Story
This award goes to the Equifax breach, which compromised the data of 143 million Americans, yet was not reported for months after its discovery. Now Equifax encourages consumers to embed themselves even more deeply in products and services provided by the credit industry (to protect themselves from the very failures of the credit industry). A decade ago, Professor Annie Anton warned Congress that overuse of social security numbers as identifiers would lead to trouble. Wenke Lee, co-director of the Institute for Information Security & Privacy, argues that it's time to employ better methods for authentication.
- Overuse of Social Security Numbers: https://apnews.com/47b70ffc0d3943719020efcb0badc1e6
- New Developments in User Authentication: https://cyber.gatech.edu/its-time-make-personal-data-meaningless
The runner up in the aggravating stories category is the meteoric rise of Bitcoin's value, which Holly Dragoo wrote about in January. Every time Bitcoin's value jumps another 500%, I relive the pain of having sold all of my Bitcoins in 2011; along with them I sold my ability to buy that private island I've always dreamed of.
- Bitcoin Surges: https://cyber.gatech.edu/bitcoin-surges-past-gold-value
Most Worrisome Cybersecurity Story
The power grid remains in the news year after year as being vulnerable to attack, and most of those in the industry that I have talked with about this problem believe that the problem is real. My understanding is that power companies are reluctant to upgrade vulnerable systems due to concerns that upgrades could negatively impact the availability of power service. That alone should tell us something...
- Congressional Report Finds Grid Vulnerable to Attack: https://cyber.gatech.edu/congressional-report-finds-grid-still-vulnerable-cyberattacks
Biggest Story in Cryptography
In March, I wrote about the death of SHA-1 -- a technique that uses 80 rounds of cryptographic operations to encrypt and secure the object. Cryptography buffs like to benchmark the strength of cryptographic primitives by calculating how many times in the lifespan of the universe it would take to crack the primitive with brute force. Unfortunately, theoretical and implementation weaknesses cut 100,000,000,000 years down to a couple of decades. Although once the gold standard of cryptographic hash functions, now the SHA-1 lives in the graveyard of broken primitives.
- First Collision of Cryptographic Technique Occurs: https://cyber.gatech.edu/rip-sha-1
Coolest Technical Attack
Back in March, Chris Roberts and I commented on an amazing attack on the fundamental architecture of microprocessors that defeats important protections on an array of processors from different vendors. The "AnC Attack" by researchers from VU Amsterdam exploits the physical hardware and the data leaked by memory management units. To quote a colleague, the attack "demonstrates how security is hard. Mitigations must be seriously contemplated to be effective, and even when they are, the complexity of microprocessors deceives our understanding."
Most Annoying Hack
I imagine that the conversation went something like this... Engineer Anne: "Let's enable wireless activation of the city's emergency sirens so that we can trigger them remotely in the event of a communications failure." Engineer Bob: "That seems like a good idea, but how are we going to secure the wireless protocol?" Engineer Anne: "Why do we need to do that? We can just use a proprietary system that is hard to reverse-engineer." Engineer Bob: "Good point, Anne. Besides, who would want to hack our emergency sirens anyway?"
- Hackers Activate Dallas Emergency Sirens: https://cyber.gatech.edu/hacked-emergency-infrastructure-dallas-lesson-its-too-late
Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.