Cybersecurity News & Commentary - April 2018

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

April 30, 2018


Blowback: An Overlooked Truth about Russian Information Operations

At the International Studies Association convention in San Francisco, at an especially interesting panel on cybersecurity, we were privileged to hear excerpts from a forthcoming book by Michael Warner, historian for the United States Cyber Command, and John Childress. Warner examined the last 20 years of U.S.-Russia relationships in the cyber domain and made some important observations about how that context can provide insight into the present situation...

Read the full piece by Milton Mueller, professor at Georgia Tech's School of Public Policy.


Orangeworm Proves How Cyber Damage Can Be Done to Those Not Using Computers

For the past few years, a new attack group, dubbed "Orangeworm," has been deploying malware that targets the healthcare sector around the world. According to Symantec, the group has been targeting organizations as part of a broader supply-chain attack against the healthcare industry. After a network has been infiltrated, a trojan named Kwampirs is used by the attackers to collect information about the compromised hosts. If the hosts are of interest to Orangeworm, the malware starts deploying itself to other hosts in the same network, trying to gain access to as many systems as possible. Unsurprisingly, the malware was identified on devices that control high-tech medical equipment, like X-ray and MRI machines, and on several terminals used by patients.


IISP Analyst Panagiotis Kintis: "The highly targeted nature of the attack shows that adversaries are not only using sophisticated techniques to facilitate Advanced Persistent Threats (APT) to one -- or a few -- targets, but they have started focusing their efforts on broader sectors. This time, we see a group attacking an entire industry on three different continents and trying to take control of computer systems that operate highly sophisticated medical equipment. The healthcare sector is part of the critical infrastructure and compromises can be devastating.

While we have seen attacks focusing on the critical infrastructure before, they have been limited to a few businesses within one or more sectors. The novelty of Orangeworm's operation demonstrates that even broader attacks can be rendered against arbitrary targets to affect an entire industry. Moreover, according to Symantec's assumption of a supply-chain targeting model, we might be witnessing adversaries who are determined to maximize their damage across a sector.

This is one of the few cases where even a small attack against a sector like healthcare can have disastrous outcomes for individuals, even when they do not operate a computer. Computer terminals used by patients at hospitals can leak private information, including medical records and insurance or banking information. This can easily lead to insurance and banking fraud, even identity theft. Unfortunately, such attacks grow even worse: X-ray and MRI machines that are rendered unusable can result in the loss of lives when the equipment is critical for patient care. One can argue that backup and contingency plans should be or are in place. However, as long as computer systems are involved in the way healthcare professionals perform, there is always a potential for failure. We saw that Orangeworm made sure to take control of as many systems as possible within a network.

Advanced threats and attacks, like the one described, need to be identified and mitigated as soon as possible. At this point we are talking about the possibility of losing human lives. If a small group of hackers can render such attacks, I cannot imagine what a state-sponsored actor could potentially do."


New House Bill to Create a 'Hackers Most Wanted' List

Earlier this month, Representative Ted Yoho (R-Fla.) introduced House Bill 5576, the "Cyber Deterrence and Response Act of 2018," to committee for consideration. If passed, the bipartisan measure would require the White House to identify specific state-sponsored hackers by name in a "critical cyber threat" list that would in turn be used to issue sanctions or take other diplomatic or economic actions against them.


IISP Analyst Holly Dragoo: "In a way, this kind of reminds me of a 'hackers most wanted' list. If that is an inaccurate interpretation of the purpose of the bill, then I'm a little unclear about what ultimate goals it intends to achieve. If it is, however, then it's a little unclear why the responsibility of maintaining this list resides with the White House (or rather, the U.S. Department of State). I get that the sanctions are clearly a State department function, and the criminals in question are international citizens – but so are terrorists on the 'FBI Most Wanted' list. I'm excited about the prospect of what this bill can add to international norms and institution-building in a very fluid policy space, but it won't stop cyberattacks from happening, nor will it effectively cripple the malicious actors."


Microsoft Announces Azure Sphere, a Promising Approach to IoT Security

At the recent RSA 2018 conference, Microsoft announced Azure Sphere, a free and open-source security solution that promises to help secure the Internet of Things (IoT). Azure Sphere is a holistic approach to IoT security that includes cloud services, a special-purpose operating system, and a custom microcontroller that acts as a hardware root of trust for each device using Azure Sphere.


IISP Analyst Joel Odom: "I've spent some time reviewing the material that Microsoft has published about Azure Sphere, and, from a security standpoint, their solution appears to be promising. The nature of our fast-paced, competitive consumer IoT market means that devices have to be developed quickly and at low cost, and they tend to have short support lifespans. Real security is slow, costly, and requires long-term support. The security community has had decades to learn the best practices required to secure desktop and mobile computers. Azure Sphere brings these best practices into a system that is targeted to meet the specific requirements of IoT.

The security of Azure Sphere starts with a microcontroller that includes a security subsystem ("Pluton") which serves as a hardware root of trust. The Pluton security subsystem isolates the security functions of the microcontroller so that the microcontroller can verify the integrity of the operating system when the device starts, and so that the operating system and applications can utilize the built-in security features. The isolation of security functions into a subsystem means that cryptographic keys and other important security components are difficult to compromise, even if the operating system is compromised. The Azure Sphere microcontroller also provides a handful of other bells and whistles that IoT devices typically require. The last component of the Azure Sphere security system is a cloud service from which the Azure Sphere OS can receive up-to-date security certificates, software updates, and other services. Azure Sphere OS is a Linux-based operating system (yes, this is a Microsoft product!) built to utilize the security features of the hardware.

IoT security is a hard problem. We have learned that to do security right we need features like hardware roots of trust, software updates, strong process isolation, and authentication that includes a well-maintained public-key infrastructure. My phone has these features, but it is manufactured by a company who has the budget and know-how to implement good security, and I paid hundreds of dollars for it. The Azure Sphere solution appears to be Microsoft's attempt to help IoT vendors do security right, and they appear to have a free and open-source approach that will do exactly that. Kudos."
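To make the root-of-trust idea in the commentary above concrete, here is an added toy model (not Microsoft's Azure Sphere or Pluton code): an isolated subsystem that holds the verification key where the "OS side" cannot reach it, checks the OS image at boot, and refuses to boot a tampered image. It assumes an HMAC-SHA256 tag as a stand-in for the asymmetric signature a real secure-boot chain would use, and a constructed sample image.

```python
"""Toy secure-boot model: key isolation plus image integrity check at boot.

Added example, not Azure Sphere's implementation. HMAC-SHA256 stands in for a
real signature scheme; the closure stands in for the hardware isolation that
keeps keys out of reach of the operating system.
"""
import hashlib
import hmac
import secrets


def provision_device():
    """Create a device key and return (vendor_sign, device_verify).

    The key exists only inside this function's scope: the vendor gets a
    signing oracle, the device gets a verifier, and neither caller can read
    the key itself (the isolation the Pluton subsystem provides in hardware).
    """
    device_key = secrets.token_bytes(32)  # constructed, "burned in" at manufacture

    def vendor_sign(image: bytes) -> bytes:
        # Build-time step performed by the vendor, never by the running OS.
        return hmac.new(device_key, image, hashlib.sha256).digest()

    def device_verify(image: bytes, tag: bytes) -> tuple[bool, str]:
        # Boot-time step: recompute the tag over the image and compare in
        # constant time; halt rather than boot anything that does not match.
        expected = hmac.new(device_key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "halt: OS image failed integrity check"
        return True, "booted " + hashlib.sha256(image).hexdigest()[:16]

    return vendor_sign, device_verify


def boot_demo() -> dict:
    """Exercise the model with a constructed image and two bad cases."""
    vendor_sign, device_verify = provision_device()
    image = b"sample-iot-os-image-v1"          # constructed OS image
    tag = vendor_sign(image)
    tampered = image.replace(b"v1", b"v2")     # simulated post-compromise edit
    return {
        "genuine": device_verify(image, tag),
        "tampered": device_verify(tampered, tag),
        "forged_tag": device_verify(image, bytes(32)),
    }


if __name__ == "__main__":
    for case, (ok, msg) in boot_demo().items():
        print(f"{case:10s} ok={ok} {msg}")
```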


Cybersecurity Industry Leaders Sign a Pact To…Be Security Leaders

At the RSA conference 34 international technology firms – including Cisco, Facebook, HP, Juniper, Microsoft, and Oracle – signed a public pledge to defend consumers against malicious hijacking of their products and services, regardless of the origin of the user or attacker. The Cybersecurity Tech Accord, as it is known, consists of four primary commitments: 1) stronger defense against cyberattacks; 2) no aid or action to help governments of any kind launch cyberattacks; 3) assist users in building their own capacity to defend their own digital assets; and 4) partner with the cybersecurity industry and researchers to share threat intelligence and coordinate vulnerability disclosures.


IISP Analyst Holly Dragoo: "This Accord is far from a 'digital Geneva Convention' as The New York Times might suggest. A values statement? Yes. A commitment to adhere to a set of values centered on assisting cyberattack/cybercrime victims? Sure. But a set of internationally binding laws it is not. An unenforceable public trust accord (or more cynically, a marketing ploy – but that's highly doubtful) among companies doesn't make them suddenly able to refuse court orders or the laws of another country. Maybe that's why we don't see notable tech players like Google, Amazon or IBM racing to sign up yet. However small, the accord is another step towards badly needed international norms in cyberspace; made ever more poignant without waiting for a government endorsement."


Defusing the Cybersecurity Dilemma Game through Attribution and Network Monitoring

States are stuck in a “cybersecurity dilemma”. They can’t reliably distinguish between other states’ offensive and defensive activities (e.g., surveillance or probing being used by a state for defense might look like offensive measures to those states being surveilled or probed). As a result, cyber powers engage in a never-ending ratcheting up of attacks threatening each other and the broader Internet. Given this seemingly intractable situation, how can we defuse it? In this post, we lay out the cybersecurity dilemma as a strategic game and look at one proposed solution. We then suggest a way to alter the payoffs by using alternative governance structures dealing with attribution and network monitoring...

Read the full piece by Brenden Kuerbis, postdoctoral fellow at Georgia Tech's School of Public Policy.


ICANN Will Not Get a Moratorium on GDPR Compliance

I remember one of my first conversations about ICANN and WHOIS General Data Protection Regulation (GDPR) compliance with the ICANN CEO. The CEO told me (as he repeatedly told others) that ICANN should consult with the Data Protection Authorities about how to comply with GDPR. I agreed. The boundaries of WHOIS GDPR compliance are set by law and not by ICANN. The community can take a role within those boundaries to make policies, but if ICANN is to avoid penalties and fines it must be compliant with GDPR. Aside from that, the data protection guidelines mandated by GDPR are justified and reasonable protections of individual rights...

Fast forward, the Data Protection Authorities’ guidance is out. No surprise: the Data Protection Authorities, that ICANN rightly insisted on seeking guidance from, told ICANN exactly what the Noncommercial Stakeholders Group (NCSG) and the Internet Governance Project had been telling them all along...

Read the full piece by Farzaneh Badiei, research associate at Georgia Tech's School of Public Policy and executive director of the Internet Governance Project (IGP).