The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
February 28, 2018
The CLOUD Act: A Welcome Legislative Fix for Cross-Border Data Problems
Lawfare readers are familiar with the perennial regulatory challenge of determining which country’s law enforcement agents ought to be able to access internet data stored in the cloud. This is a considerable problem in two distinct contexts: (1) American law enforcement officers seeking access to data held abroad and (2) law enforcement officers around the world seeking access to data held by American firms. The Stored Communications Act (SCA) is problematic in both cases, because it does not specify whether it allows the American government to compel U.S. providers to produce content they have chosen to store abroad (the first problem), and it has been interpreted to prohibit American firms from complying with foreign government requests for user content (the second problem)...
Senators Orrin Hatch, Christopher Coons, Lindsey Graham and Sheldon Whitehouse announced a bill that would clarify overseas use of customer data... This bill does not resolve the cross-border data problem, but it is good start. Privacy and human rights groups will argue that the bill offers insufficient protections for foreign-held data. If you compare the due process protections in this bill with those provided under the Fourth Amendment, it is likely less privacy-protective—meaning that foreign governments will get access to more information than they do currently. But that is not the right comparison. We are heading towards a world in which a growing number of foreign governments force providers to store data locally in order to comply with local orders, regardless of whatever strictures apply under U.S. law. As compared to that world, this bill—which might forestall or prevent localization efforts—offers privacy advocates quite a lot...
Read the full piece by Peter Swire, associate director of policy for IISP, the Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business, a Senior Counsel to Alston & Bird LLP.
Goodbye and Good Riddance to 'Enhanced Cooperation'
Probably few people involved with the Internet, either as users or suppliers, have ever heard of the Working Group on Enhanced Cooperation (WGEC). In fact, on January 31 this United Nations-based working group with grand ambitions for making “global public policy” for the Internet terminated its activities without accomplishing anything. The WGEC held five meetings over two years, based on a mandate that was established in 2005. But in the end it was unable to agree on any recommendations. For those in the know, this failure is completely unsurprising...
The WGEC provides an object lesson in how not to do global internet governance. More specifically, it shows why it is futile to rely on states and intergovernmental processes for the development of global public policies for the Internet. It also shows why diplomatic attempts to obscure hard choices with vague words don’t succeed – they just waste everyone’s time.
Read the full piece by Milton Mueller, Professor at the Georgia Tech School of Public Policy.
New Cryptomining Attacks Force Re-evaluation of Trust in Websites
- The Guardian: https://www.theguardian.com/technology/2018/feb/11/government-websites-hit-by-cryptocurrency-mining-malware
- TechCrunch: https://techcrunch.com/2018/02/12/browsealoud-coinhive-monero-mining-hack/
- BBC: http://www.bbc.com/news/technology-43025788
- Monero: http://cyber.gatech.edu/cyber-criminals-getting-leary-bitcoin-adopting-monero
- Cryptojacking: https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/
IISP Analyst Panagiotis Kintis: "Last month, Stone Tillotson wrote an article discussing how cybercriminals are leaving Bitcoin in an attempt to adopt the more private Monero currency. At the same time, "cryptojacking" or "coinjacking" attacks (which refer to an attempt by a website to use a visitor's computer to mine cryptocurrency) have been on the rise. In fact, there have been several websites, which usually served controversial content, that have been found to exhibit such behavior. What makes the attack with Browseraloud particularly interesting is the attackers' decision to limit themselves to cryptocurrency mining. The attack resembles cross-site scripting (XSS) attacks, which give the attacker the power to do virtually anything to the user's browser. In XSS attacks, a benign website is forced to provide a malicious piece of code that is run on the client side. XSS attacks have been used to deliver malware, steal users' private data, and deploy botnets. Surprisingly, this time, the attackers appear to have deviated from well-known practices and only exploit clients for Monero mining.
The websites affected by the attack -- through the Browseraloud plugin -- included the City University of New York, Indiana's government website (in.gov), United States Courts (uscourts.gov), Washington's Metropolitan Area Transit Authority (wmata.com), the National Health Service in the UK (nhs.uk), and many other popular destinations. A list of more than 4,000 websites that include the Browseraloud plugin can be found here. The very high popularity of the affected websites shows that the impact and the magnitude of the attack was significant.
One might think, "So what if they used my computer to harvest some coins?" Unfortunately, when government and critical infrastructure websites are being weaponized by adversaries, mining cryptocurrency can only be the beginning. The discussion would have been much different if the websites were deploying new ransomware; then, it would have been everywhere in the news. Could this be a new not-so-invasive attack that can still fund illicit activities but stay under the "mainstream" radar? They most definitely will not use the money to fund education and schools.
In any case, using the Internet nowadays can be troublesome with new headaches from attacks such as this. Users can protect themselves by utilizing browser extensions and plugins that stop scripts. For myself, I use AdBlock (with the "Cryptocurrency (Bitcoin) Mining Protection List" filter on), JS Blocker, and uBlock in Safari. In Chrome, I have AdBlock and ScriptSafe installed. My Firefox has AdBlock and Policy Control running. My suggestion is to use something similar to keep adversaries away from your computers.
It used to be that 'shady' websites might be the ones that cause harm. Now, we see that the adversaries are brave enough to compromise some of the most trusted websites online. We are living in an era where users are actively trained to not click links they do not know or open email they did not expect. However, third party libraries, plugins, and resources can be as harmful. Even worse, visitors are not aware of a website’s dependencies and cannot predict the outcome when they point their browser to a trusted website. We, as a security community, should identify means to create a more robust trust model, through which verification and validation will be automatic, correct, and transparent to the end user."
Better Biometric-based Authentication
Authentication is the process of a computer verifying the identity of a user. The authentication process may happen when a user unlocks his phone, when s/he logs into a website, or when s/he initiates a sensitive activity, such as an electronic payment. Historically, biometric-based authentication schemes, such as voice or facial recognition, are difficult to implement because a determined attacker can use tricks such as voice recordings or photographs to fool naive biometric-based authentication schemes. However, researchers from Georgia Tech recently demonstrated "rtCaptcha," a biometric-based authentication scheme that uses real-time video, voice, and a challenge question for account access, which hackers would have to crack in 0.75 seconds in order to forge a response.
- rtCAPTCHA, research paper by Georgia Tech School of Computer Science: http://www.rh.gatech.edu/news/602606/real-time-captcha-technique-improves-biometric-authentication
IISP Analyst Joel Odom: "Authentication is a hard problem. Humans are designed with the natural capability to recognize other humans with ease, but computers don't naturally have the ability to distinguish me from my brother or from Julie Andrews. Because it's difficult for humans to remember good, highly-entropic passwords, currently the best practice for computer authentication (recognizing the right individual) is two-factor authentication. Nevertheless, two-factor authentication can fail when an attacker is determined enough. For example, SMS-based authentication is known to be weak against attackers who have the capability to spoof a target's phone. Furthermore, standard two-factor authentication doesn't have a good way to verify that an entity being authenticated is actually a human other than by presenting a CAPTCHA as an additional step in the process.
A good authentication scheme must balance ease of usability for humans against system security. The new combination of CAPTCHAs and biometric authentication presented by "rtCaptcha" is a clever way to achieve this goal. I don't see this completely replacing typical, rolling code-based authentication, but I do see using rtCaptcha as a third factor in certain cases. High-value targets such as corporate executives, political leaders, or system administrators could benefit from using rtCaptcha as a third factor to protect to critical accounts under their control. Or, if a login appeared to be suspicious (based on heuristic factors), the authenticating computer could employ rtCaptcha to raise the barrier against a successful attack. The future of authentication will combine multiple factors combined in various ways that are natural for humans to use but that still make it difficult for impostors to gain illegitimate access.
For the purposes of full disclosure, I should point out that I know some of the paper authors personally, though I was not involved in this research."
Compliance Does Not Equal Security
A new interagency report released by the U.S. government seeks to develop cybersecurity standards for Internet of Things (IoT) systems. Authors are requesting public comment through April 18, 2018. Ideally, the IoT standards borne from this report ("NIST Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things") will ensure that IoT systems and devices are developed with cybersecurity at the forefront. The report clusters IoT devices into one of five major technology application areas: Vehicle, Consumer, Health, Infrastructure, and Manufacturing. Authors explore the potential reuse of standards and identify current gaps in standards.
- NIST draft report: https://csrc.nist.gov/CSRC/media/Publications/nistir/8200/draft/documents/nistir8200-draft.pdf
IISP Analyst Chris M. Roberts: "The IoT rush to market is one of the primary reasons there is giant hole in security. The International Data Corporation estimates worldwide spending on IoT will reach $772 billion dollars this year. Last time I checked, that’s a lot of money. When the market is that large, companies don’t think much about security because it does nothing but slow down their product release and cost them lost revenue.
This report is an attempt to encourage IoT developers to consider security in multiple ways such as encryption, incident response, hardware assurance, access management, and many other domains that need to be addressed. In all, I believe that the document provides solid guidance for the cybersecurity of IoT devices. However, until consumers demand it or until regulators enforce restrictions, companies will keep producing vulnerable devices.
Cybersecurity of embedded systems is not an simple topic. There are usually a multitude of attack vectors into a system that need to be addressed and many are often overlooked. This report details the areas that IoT developers should be concerned about, but without clear guidance on how to enable these cyber protections, I fear that many companies will just do their best to comply. Remember, compliance does not equal security. Cybersecurity of embedded systems is still in its infancy and many companies simply don’t understand the risk and aren’t equipped to develop or test secure solutions. This leads to custom security that often looks secure on the outside, but is full of holes on the inside. Guidance needs to be provided on how to handle every input to the processor within the device, from the WiFi data, to the physical ports like USB, and even out to the sensors like accelerometers. Each input to a processor should be guarded and scrutinized at all times to ensure only valid and expected data is being passed."
The Flaws and Risk in the Kaspersky Case
The U.S. Department of Homeland Security’s Binding Operational Directive 17-01 (BOD), released for comment in September 2017, ordered all USG agencies to remove all Kaspersky information security products, solutions, and services from their networks. The Final Decision by DHS in December came right after Congress’s National Defense Authorization Act for FY 2018 (NDAA) which stated that “[n]o department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part,” by Kaspersky or related entities.” (Section 1634(a)). In its Final Decision, DHS alleged that its ban was necessary because of:
 the broad access to files and elevated privileges of anti-virus software, including Kaspersky software;  ties between Kaspersky officials and Russian government agencies; and  requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers, including U.S. government customers...
Kaspersky first attempted to engage the administrative process and dissuade DHS from enforcing the BOD. When DHS decided to enforce the BOD anyway, Kaspersky challenged it in court, and now they have additionally challenged the legality of the NDAA...
- Internet Governance Project: https://www.internetgovernance.org/2018/02/19/flaws-risk-kaspersky-case/
IISP Analyst Brenden Kuerbis: "There is a constant drumbeat of Russian threat stories these days, but none is more important to Internet governance than the legal battle between Kaspersky Labs and the United States. It highlights the dangers of nation-states inserting themselves into cybersecurity governance, and shows why the alignment of cybersecurity with nation states puts at risk companies and economies built around a global Internet...
To be clear, governments have legitimate concerns when it comes to cybersecurity. USG agencies are required to assess risk to their own networks. And like other network operators, they use a variety of private information security products and services. But the USG actors pushing this effort should seriously consider the ramifications of the attack on Kaspersky. The DHS argument that “the broad access to files and elevated privileges provided by antivirus products and services…can be exploited by malicious cyber actors to compromise information systems” could be applied to any anti-virus service. If the standard it’s using were applied reciprocally, it could lead to a ban on software produced by US-based companies in many other jurisdictions.
Alignment of cybersecurity practices with government(s) national security subjects the Internet and information services to national rivalries. As the Kaspersky case and others (like the recent ANT-Moneygram) show, it can kick off a reaction-counterreaction that runs the risk of fragmenting global information services and the Internet. In the end, the USG’s tactics of ex ante, pseudo-attribution could be devastating to multi-national private enterprises and economies increasingly dependent on information services. It’s important to remember this as we watch the case develop."