Cybersecurity News & Commentary - December 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

December 1, 2017


What Jurisdiction Does ICANN Belong To?

How far can ICANN go to escape the nation-state? ICANN 60 made important progress on what has become known as “the jurisdiction issue.” ICANN is taking steps to reduce or eliminate the effect that U.S. sanctions against foreign governments would have on ordinary Internet users and businesses in sanctioned countries. It also will introduce choice of law provisions in their registry and registrar contracts, and open up continuing discussions of whether additional immunities are needed.

Read the full piece by Milton Mueller, Professor at the Georgia Tech School of Public Policy.


User Whereabouts on Trial

The U.S. Supreme Court is reviewing a groundbreaking case about consumer privacy laws concerning citizen Timothy Carpenter, who alleges his rights were infringed upon when investigators obtained global positioning system (GPS) data from his mobile phone provider without a warrant. The U.S. is arguing that Carpenter has no expectation of privacy because he signed a user agreement with his provider, which allows the vendor to access his location data. A final ruling on the case is expected in December.


IISP Analyst Holly Dragoo: "Fallout from this ruling could range on a spectrum from new end-user license agreements with vendors outlining data handling specifics to tougher requirements to meet for law enforcement to obtain warrants. Personally speaking, while location data can be sensitive in nature, it’s naive to think it has any expectation of privacy when someone can verify your whereabouts visually (yes, an oversimplification), but I am no lawyer. It’s not unlike your address being public information, but you will likely take steps to keep the information relatively private. From what I’ve read about the case, it only concerns the metadata - GPS, IP, cell phone records - not the actual content of calls, emails stored in the cloud, data from wearable technology, etc. -- contrary to what some news sites are claiming."


Intel-based PCs May be Widely Vulnerable to an Attack Over USB

Security researchers from Positive Technologies report having found a serious flaw in Intel-based PCs that allows an attacker to take complete control of an affected computer via its USB interface. The vulnerability, which Positive Technologies will fully disclose in December at Black Hat Europe, allows an attacker with USB port access to take over a PC's Intel Management Engine (IME). Since IME has broad control of a computer's hardware, the vulnerability offers full control of any affected computer. The researchers' initial claims indicate that the flaw exists on most Intel-based PCs manufactured since 2015.


IISP Analyst Joel Odom: "Though we will have to wait on Positive Technologies to disclose the full details of this vulnerability, it looks like this is the real deal. The attack path apparently uses the Joint Test Action Group (JTAG) debugging features on a vulnerable PC's USB port to gain access to the IME. The IME is a "tiny homunculus computer" (thanks to the Electronic Frontier Foundation for that delightful term) embedded into Intel-based PCs manufactured in the last 10 years that allows enterprises to remotely control their computers. Unfortunately, this embedded master controller can also be used by attackers to take control of a computer, which is exactly what Positive Technologies claims to have done.

The Electronic Frontier Foundation has an excellent writeup on IME and how it is ripe for misuse. In May, researchers demonstrated a remotely-exploitable IME vulnerability that allowed attackers to take control of some affected PCs, and there are certainly more undiscovered vulnerabilities lurking in IME. IME is a clever idea, but clever ideas are often the enemies of security.

Does the fact that physical access to a computer's USB port is required mitigate this vulnerability? Yes, it does, if you are only interested in remotely-exploitable vulnerabilities. The problem is that physical access to a system is often easy to achieve. For a USB-based attack to work, all you may have to do is to plug into a computer for a few seconds while the user is not looking, or maneuver the user into inserting a USB device for you. Modified USB devices sold via online vendors could leave enterprises vulnerable to compromise via the supply chain. We will have to wait for full disclosure at Black Hat to know the full impact of this vulnerability, but it looks like it's going to be another big one."


Why Aren't We Fixing Route Leaks?

Earlier in November, Level 3 began globally announcing thousands of BGP routes that were intended to remain internal. By doing so, internet traffic to large networks and content providers, like Comcast and Netflix, was mistakenly sent through Level 3’s misconfigured routers, redirecting traffic away from its normal best path. In networking lingo, a “Type 6 route leak” had occurred, which resulted in significant traffic congestion for millions of users in different parts of the world.


IISP Analyst Brenden Kuerbis: "Route leaks are a fact of life on the Internet. According to one ISP’s observations, on any given day of the week, between 10 and 20% of announcements are actually leaks...

[read Brenden's suggestions for potential remedies to this problem]

...Regardless of the solution(s) implemented, the complexity of the problem space highlights the ongoing importance of understanding routing data governance and operator incentives to engage in filtering. We also need to be able to empirically assess over time whether or not specific approaches relate to observed variance in different types of route leaks."


De-Neutralizing the Net

Chairman of the Federal Communications Commission (FCC) Ajit Pai issued a statement on "Internet Freedom" this month announcing the intention to roll back regulations that he says “micromanage” the options that Internet service providers (ISPs) are able to offer customers. The concept is better known as "net neutrality," or the idea that all ISPs must offer services equally, regardless of factors like bandwidth, content, or finances. The draft order goes to vote among the FCC members on December 14 and is expected to pass, split along party lines.


IISP Analyst Holly Dragoo: "Pai claims Internet investment is being hurt by current regulations, but there are no numbers being shown to support this. This draft order has potentially wide-reaching ramifications, especially for consumers. Depending on how the bill is written, consumers could be charged additionally for services they currently enjoy for ‘free’ with Internet access -- such as streaming video, map services, or a favorite search engine. The only real accountability for ISPs included in this proposal is the mandatory disclosure of how much (if at all) they throttle service bandwidth. In theory, a boutique ISP may start up that will honor the ideals of net neutrality, but market capitalization likely will not tolerate that model well; the setting is ripe for a small ISP oligarchy to develop, making it difficult for entrepreneurial firms to sprout up. Even more troubling, if rumors are true, measures are being written into the order to limit the ability of states to make their own net neutrality laws – which seems inconsistent with traditional Republican party goals."


Cryptocurrencies: Why Bubble Machines Crash the Party

A former Secret Service agent, Shaun Bridges, recently was given additional time in prison after pleading guilty to stealing Bitcoins from a government wallet. The wallet was seized as part of the 2015 take-down of Silk Road, an online marketplace for dealing illicit substances and contraband. Bridges already was serving a prison sentence for an earlier theft from the same digital wallet. At the initial time of the theft, his ill-gotten Bitcoins were worth approximately $350,000 but dramatically rose in value over the following year to nearly $820,000 -- or 234% of the initial value. The rise and Bridges' own greed seem to have instigated the second theft; however, Bridges appeared repentant in court (as noted by his judge in the case), leading to a concurrent sentence. Regardless of his motives, Bridges will serve the better part of a decade in a federal penitentiary.


IISP Analyst Stone Tillotson: "The meteoric rise in Bitcoin value has fueled these kinds of dodgy stunts at an increasing rate. When cryptocurrency exchanges fold with all-too-common frequency, the simple loss of private keys permanently seals off their e-coin wallets. Also, the theft and sequestering of e-coins -- as in this case -- remove crypto-currencies from the digital economy, and those losses exert a deflationary pressure on a currency's overall value. Why is this a concern? Digital currencies are, by virtue of design, much more susceptible to deflationary pressure than their non-'e' counterparts. Basically, once a currency is hot, there's no pressure valve for the steam. As Bridges himself realized, the proceeds of his theft more than doubled in a year, prompting his relapse. It's easy to see how this funnels into the self-sustaining spiral, hence the dramatic rise in value that we're now seeing. Since the total number of Bitcoin -- most cryptocurrencies in general, for that matter -- is invariant on a day-to-day basis, this means the gains of any theft become more valuable over time, and the theft itself, by virtue of removing coins from circulation, also makes itself more valuable. Indeed, Bridges' original $350,000 haul in 2015 would now be worth $198 million at the time of this writing, and sadly, that kind of money often exerts a corrupting influence."