The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
January 31, 2018
Looming Battle Over GDPR and the Purpose of Whois
In preparing for the advent of Europe's "General Data Protection Regulation," ICANN Corp. has solicited legal advice from Hamilton Advokatbyrå, a Swedish law firm, regarding possible conflicts between its Whois policies and European data protection law. The latest of these legal advice memos purports to explain how the processing of data by the Whois services might be changed “in order to become compliant with the GDPR. We have reviewed this memo. While it contains some important and astute observations, the conclusions it reaches are seriously muddled...
Read the full piece by Milton Mueller, Professor at the Georgia Tech School of Public Policy.
Fines for Faulty Net Defense in the UK
The United Kingdom will begin to impose fines if adequate efforts are not taken to secure critical infrastructure industries (such as electricity, transportation, water, energy, medical and telecommunications). Compliance will be monitored by the U.K.'s National Cyber Security Center (NCSC) and enforced by a self-reporting system with audits addressing sector-specific security needs. Fines can reach up to £17 million if organizations fail to enact appropriate preventative measures, but will not be imposed if industries have made measurable preventative efforts, worked with law enforcement and regulators, but sustained attacks anyway.
- Engadget: https://www.engadget.com/2018/01/29/uk-fine-cybersecurity-operators-essential-services/
- U.K. official announcement: https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack
IISP Analyst Holly Dragoo: "The driving forces behind this new fine structure are clearly related to the events surrounding the widespread WannaCry attacks last year. Effectiveness of the policy change is unclear though, especially as holding industries accountable for the losses they sustain beyond the cost of damage to their business is not going to slow down the number of breaches per year or deter attackers at all. Perhaps it is an attempt to pro-actively defray costs as the government will likely be tapped to help critical infrastructure out in the event of a major breach. At a minimum, however, it will force businesses that are behind the curve in cybersecurity to finally re-prioritize and start treating security as a chief concern vice afterthought."
Patch for Meltdown and Spectre? On Standby
Earlier in January, two critical vulnerabilities in Intel microchips were disclosed, Meltdown and Spectre. Although several patches have been made available, Intel advised customers on Jan. 23 not to apply firmware patches and instead wait for other updates due to reports of instability. The vulnerabilities continue.
- Meltdown: https://meltdownattack.com/meltdown.pdf
- Spectre: https://spectreattack.com/spectre.pdf
- Meltdown and Spectre patches: https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help
- Intel alert via CNet: https://www.cnet.com/news/intel-stops-some-chip-patches-unexpected-reboot-meltdown-spectre/
IISP Analyst Panagiotis Kintis: "What is special about Meltdown and Spectre is that they do not affect a single application or a specific protocol, but target modern processors and cause severe memory leaks. Unfortunately, 'modern' refers to almost every processor built since 1995, including the most popular architectures like Intel, AMD, and ARM.
The fact that a computer giant like Intel is 'taking its time' with fixing such a significant vulnerability is really concerning. Systems affected by Meltdown can immediately leak arbitrary data from memory and allow private data to exchange hands. Similarly, Spectre allows remote execution of code that can also leak memory to a third party. These both reminded me a lot of the chaos when the Heartbleed bug emerged, more than three years ago. The big difference is that Heartbleed was fixed with a simple change in the source code of OpenSSL that anybody could patch very easily. Meltdown and Spectre require much more work, from several different vendors, to make sure that processors -- the core of every computer system -- are not vulnerable anymore.
Moreover, the patch Intel provides, instead of being a transparent fix, requires the user to opt-in and enable it before it takes effect. This opt-in mechanism has raised significant criticism. Linus Torvalds publicly complained about Intel's approach, asking for something better. Even though his messages might be a little blunt, I am not sure he is completely wrong. We are facing two very important vulnerabilities, which can leak private data (like passwords, encryption keys, certificates, etc.) and we are asked to just wait. At the same time, the patches Intel has provided seem to affect CPU performance, making it slower than expected. Intel's solution to this issue was to make the customer choose between performance and security. By default, CPU's performance is not affected if the customer does not opt in the vulnerability fix. If the user chooses security though, they will have to forfeit performance.
We have been designing systems, protocols, and applications with performance and efficiency in mind. Security by design almost never has been the norm. We are victims of that approach and we have been trying to solve security problems for years, the cost of which is paramount. Today, Intel is contributing towards the former perspective. The question is, do customers understand how important the tradeoff is?"
IPv6 Around the World: A New Digital Divide?
Alain Durand, principal technologist at Internet Corporation for Assigned Names and Numbers (ICANN), visited Georgia Tech to explain problems surrounding global adoption of Internet Protocol version 6 (IPv6). Durand cautioned that "two Internets" will develop if more nations do not move to IPv6 -- a replacement for the IPv4 address space protocol that largely underlies Internet communication today. The imbalance could result in a situation where certain nations with adequate IPv6 adoption choose to turn off IPv4, and lose connectivity to the rest of the world.
- Internet Governance Project: https://www.internetgovernance.org/2018/01/24/research-talk-ipv6-deployment-around-the-world-a-new-digital-divide/
IISP Analyst Brenden Kuerbis: "In effect, running IPv6 and IPv4 added costs but added no value to the IPv4 Internet – no value, that is, until everyone adopts and we can turn off IPv4 and benefit from the larger address space. As Durand put it, the transition to the new standard created a “last-mover advantage.” We are now more than twenty years into that prolonged transition.... A transition to IPv6 confers substantial benefits to certain actors (e.g., wireless operators need to support rapid mobile growth), therefore they are willing to invest in and migrate to the new protocol. Other actors, e.g., end users in areas where the Internet is developing, might receive very little benefit from migrating therefore leading to free riding. This suggests that, among other possibilities, strategically finding ways to increase the network effects associated with IPv6, along with targeted subsidies to certain actors might be a policy prescription that could encourage migration. But there is much more to learn."
The Pentagon has revised the Nuclear Posture Review, a doctrinal document that outlines what conditions the U.S. is prepared to use nuclear weapons, to encompass cyberattacks. In the event of “devastating cyberattacks” (undefined) the U.S. is officially allowing for nuclear weapons to be included in the options available for responding to such an attack. This is an unprecedented move and has yet to secure final approval from senior officials.
- The New York Times: https://mobile.nytimes.com/2018/01/16/us/politics/pentagon-nuclear-review-cyberattack-trump.html?referer=https://t.co/0vMneps2tP?amp=1
IISP Analyst Holly Dragoo: "This is a substantive move away from traditional kinetic warfare focus towards 21st century fears. It’s upsetting to hear that cyberattacks could trigger a nuclear holocaust, but it shouldn’t be viewed in such extreme terms. Existing cyber norms and the Law of Armed Conflict (LoAC) inhibit disproportionate retaliatory attacks, making actual nuclear use in response to a cyberattack highly unlikely if not improbable. I think this is an attempt to provide options for unimaginable scenarios and, however misguided, strategically deter state-sponsored cyberattacks."
NIST to Demonstrate Automation of IoT Security
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), recently launched its "Mitigating IoT-Based DDoS" project, which seeks to automatically control network access for IoT devices to protect the devices from exploitation and to mitigate the damage they could cause if exploited. The project uses "Manufacturer Usage Descriptions" (MUD), a proposed technology that would allow a device to describe its operating characteristics to a network so that the network may limit the device's communication capabilities. If successful, this would mean that an IoT device would be harder to compromise because it could not always be accessed in an unexpected manner. It also would mean that if a device should become compromised, it could not easily be used as part of a DDoS attack because the device's host network would block the unexpected behavior. The NCCoE project currently is seeking technology vendors to participate in a demonstration that would show how MUD could provide security in a home and commercial setting.
- NCCoE "Mitigating IoT-based DDoS" Project: https://nccoe.nist.gov/projects/building-blocks/mitigating-iot-based-ddos
IISP Analyst Joel Odom: "The internet is designed to carry arbitrary digital information and to move that information at the highest speed possible. This is because traditional computing devices run different kinds of programs, and it is generally impossible to anticipate what programs may run and what information any possible program may need to exchange. The IoT world is different. IoT devices typically perform a limited function and communicate with a limited number of endpoints. For example, an internet-connected HVAC system in a residence probably only needs to communicate with core networking features such as DHCP, a set of update servers to receive updates, and a small set of endpoints that enable smart features. The HVAC system doesn't need to communicate with arbitrary endpoints on the internet, the HVAC system doesn't need arbitrary protocols, and the HVAC system doesn't need a lot of bandwidth.
Using MUD, a network can understand the communication needs of the HVAC system in this example and limit the endpoints that the HVAC system can talk to based on the description provided by MUD. This would make the HVAC system harder to compromise because communication with the system could not come from arbitrary endpoints. Furthermore, if the HVAC system is compromised, the network can prevent the attacker from pivoting to other systems in the home, and the network can limit denial-of-service attacks from the compromised system by dropping packets to unexpected endpoints and by limiting the bandwidth that the system can use. I think that this is a smart idea that could make the IoT world safer."
Net Neutrality Repeal? This Isn't The Cybersecurity You're Looking For
Although many voiced concern over the Federal Communications Commission's December vote to repeal "net neutrality," others believed the action could improve our cybersecurity protection. Shane Tews, a visiting fellow at the American Enterprise Institute (AEI), explained why. Her position rested primarily on longstanding telecom industry practices for blocking and throttling network traffic when necessary to protect quality of service. Identifying and limiting network traffic that appears to be malicious or excessive is often performed to protect the integrity of the wider network or to derail cyberattacks. Tews argued that banning these practices (and claimed the FCC's 2015 net neutrality rules did), effectively made it "open season" for any group that wanted to launch a denial of service attack against the United States. She wrote:
[...] the best ways to mitigate a cyberattack such as a DDoS attack is to throttle, block, and potentially prioritize traffic for a specific reason, all forbidden [practices]....
Tews suggested that the repeal of net neutrality would allow Internet Service Providers (ISPs) to respond more effectively to emerging cyberthreats, mitigate any incipient regulatory overreach, and encourage industry innovation. Her views echoed that of the AEI and formed part of their argument which helped to successfully repeal the prior net neutrality requirements.
- AEI report: https://www.aei.org/publication/repealing-net-neutrality-implications-cybersecurity/
- FCC's 2015 net neutrality rule: http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0312/FCC-15-24A1.pdf
IISP Analyst Stone Tillotson: "Since emerging as a public policy issue, net neutrality has consistently fueled heated debate. Much of it was driven by the core principles of 'no blocking' and 'no throttling,' and the consequences they entail. A complete ban on traffic blocking, throttling, and degrading would indeed have undermined one of the best tools ISPs have to mitigate cyberattacks, especially distributed denial of service (DDoS) attacks, but the FCC was not so Draconian in their (now defunct) 2015 order. From Report 15-24, Paragraph 112:
[...] broadband providers may implement network management practices that are primarily used for, and tailored to, ensuring network security and integrity, including by addressing traffic that is harmful to the network, such as traffic that constitutes a denial-of-service attach [....]
The 2015 rules expressly allowed ISPs to undertake steps to reasonably manage and protect their networks. To paraphrase an oft repeated admonition, the FCC didn't intend net neutrality to be a suicide pact. In each rule from the 2015 order, the FCC specifically exempted 'reasonable network management' from the ban. A cursory reading would seem to rebut all arguments forwarded in the AEI paper about net neutrality's impact to the cybersecurity landscape. Over the seven years preceding the December 2017 repeal, the rules were first partially and then later fully adopted, without any of the speculated consequences having been observed. The AEI paper might make for good lobbying, but from dire, non-existent consequences to elusive, hypothetical gains, their real message seems to be 'fear, uncertainty, doubt'."