Cybersecurity News & Commentary - March 2018

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

March 30, 2018

A Tour of China's Internet Governance Landscape

What’s going on in China? I was invited there for a series of lectures at Beijing’s Communication University of China (CUC) during the week of March 18. Thanks to Professor Xu Peixi, who organized the tour, I got a chance to meet most of the academics, researchers and policy analysts involved in Internet governance at Beijing think tanks, as well as many students. There were also some discussions with Chinese Internet businesses and a lecture at Tsinghua University’s Journalism and Communication Department. By coincidence, the visit occurred shortly after the conclusion of the National People’s Congress and overlapped with news of the Facebook breach and President Trump’s Section 301 actions against China. As China threatened tariffs of its own, the U.S. stock market plummeted in anticipation of the damage of a U.S.-China trade war. While most of the news was not good, it was certainly an “interesting time” to engage in discussions of Internet governance and U.S.-China relations in cyberspace...

Read the full piece by Milton Mueller, professor at Georgia Tech's School of Public Policy.


Why the CLOUD Act is Good for Privacy and Human Rights

A dozen privacy and human rights groups have opposed the bipartisan CLOUD Act intended to regulate cross-border data access, claiming that it will erode basic liberties. They describe the bill as helping “empower” foreign governments to commit human rights abuses; endangering constitutional rights; and even, in an email sent to the Hill, undercutting LGBT rights around the world. We respectfully disagree. Contrary to these claims, the bill would improve privacy and civil liberties protections compared to a world without such legislation...

Read the full piece by Peter Swire, associate director of policy for IISP, professor of Law and Ethics at Georgia Tech's Scheller College of Business, and senior counsel at Alston & Bird LLP.


New Cyber Report a Handy Reference of Govt Directives

The Congressional Research Service (CRS) released a report entitled Cybersecurity: Selected Issues for the 115th Congress. The non-partisan report reviews a broad cross-section of key concerns facing the United States today, ranging from securing critical infrastructure, encryption, and data breaches and security to securing Internet of Things (IoT) devices and even cybersecurity insurance. Intended to inform lawmakers in the current session of Congress by amassing a digestible review of relevant previous Presidential Directives, Executive Orders, and Congressional Committee hearings on the topic, the document serves as a handy reference tool for both the industry novice and the academic researcher.


IISP Analyst Holly Dragoo: "The document succinctly covers 11 policy issues that will be relevant throughout the year, fairly accurately. While it does have a section on barriers to international trade, such as the new Chinese cybersecurity law passed in 2016, it actually does not mention the General Data Privacy Regulations (GDPR) even once – which is a bit surprising. Unsurprisingly however, some aspects of the 30-page document are a bit dry, such as the overview section on definitions and types of attacks. It gets a bit more interesting in the cyber terrorism and federal roles and responsibilities sections where definitions and actors are changing in this space annually. With such an unwieldy bureaucracy, it is actually useful to have a breakout of which offices within the Department of Justice, Homeland Security, etc. have mandates in the cybersecurity arena."


Just Pay the Bad 'IT Tax'

In late March, the City of Atlanta was the latest victim of a large ransomware attack. Most cyberattacks in the news have a primary goal of exfiltrating data in order to sell it on the dark web. Even if IT security departments don’t detect the malware, they will likely notice a large flow of information leaving their networks and will grow suspicious. Ransomware, on the other hand, once it gains access, generally encrypts critical data and leaves it in place on the victim’s network. This can be done very quickly and covertly. The attackers then offer to sell the decryption key for some sum of money. The Atlanta attack has made it impossible for residents to pay traffic tickets, pay water bills, and report potholes on the roads. To be extra cautious, city workers were not allowed to turn on their computers for days, and Hartsfield-Jackson Airport even shut down its Wi-Fi. The City has been reduced to using pen and paper again, which obviously slowed productivity and cost money. To add insult to injury, word emerged that an extensive cybersecurity audit of the city’s IT infrastructure had listed thousands of severe and critical vulnerabilities, which indicates that the City knew it was at risk for months.


IISP Analyst Chris M. Roberts: "The attackers in this case requested $51,000 to be paid in the form of a crypto-currency. The City’s 2018 operating budget is set at $2.1 billion and, as of late last year, had cash reserves of more than $170 million. This begs the question, should they have just paid the $51,000, which is less than 0.000025% of the budget and only 0.0003% of their cash reserve? This is about the equivalent of someone holding a family’s data hostage for the price of a lunch. So far, the City has decided not to pay the ransom and would rather have their employees use pen and paper.

The cost of not paying the ransom (or should I call it, “Bad IT Tax”?) likely already has exceeded the cost of ransom. Of course, the fear is that the attacker doesn’t give you the encryption key or they ask for more money. However, Indiana-based hospital Hancock Health was hit with a very similar attack, quickly paid the $55,000 ransom, and got back to work. In either case, nothing is stopping another ransomware attack until the vulnerabilities are patched. So what’s stopping Atlanta from paying up? Seems like at this point it’s one of two things: fear or pride. Atlanta, you’ve just been forced to heavily invest in your IT security. Maybe you should be thanking your attackers. A different style of cyberattack could have cost you much more money. Maybe now you will be able to prevent those kinds of attacks. For the time being, it looks like potholes will remain."


Lt. Gen. Paul Nakasone to Head NSA/CYBERCOM

Lt. Gen. Paul Nakasone delivered a second testimony before the U.S. Senate this month as President Trump’s nominee to be the next director of the National Security Agency (DIRNSA). If confirmed, he would replace ADM Mike Rogers as director upon Rogers’ retirement this April. Rogers has also served as Commander of U.S. Cyber Command in the dual-hatted role since 2014. The Agency has experienced much turmoil in recent years, with talent drain, low morale, and a series of leaks, so much is riding on firm leadership from the next officer in charge.


IISP Analyst Holly Dragoo: "After two Senate confirmation hearings, it’s looking inevitable that Lt. Gen. Nakasone will be the next DIRNSA, and not a bad one at that. We get 30 years of intelligence experience with Nakasone, and great familiarity with cybersecurity and the complexity with which combat and espionage activities exist in that space – which is great (and percentage wise, somewhat rare among staff at that rank). There’s no policy in place to mandate that the next DIRNSA should be an Air Force general, but it is a bit out of turn to select an Army official when there was one (Gen. Keith Alexander) as recently as 2014. It likely won’t detract too much from the confirmation process, if it does at all."


Nine Iranian Hackers Charged with Stealing Massive Dataset through Spear-phishing Attacks

On Friday, March 23rd, nine Iranians were charged with hacking and stealing secrets from American government agencies, companies and universities. The individuals were working as contractors and hackers for hire for the Mabna Institute, which is based in Iran. The massive dataset collected by the hackers (31.5 terabytes in size) was sold in Iran, in what the U.S. Department of Justice (DoJ) characterizes as "one of the largest state-sponsored hacking campaigns ever prosecuted by the DoJ." The attackers used well-known techniques, such as spear-phishing, to acquire user credentials and infiltrate the systems holding the data.


IISP Analyst Panagiotis Kintis: "Social engineering attacks have been around since almost the beginning of time. Computers have made it far easier for people to communicate and, therefore, much easier for individuals to be targeted by social engineering. Phishing and spear-phishing attacks are a form of social engineering, where an individual is tricked into providing their credentials to a third party, through (usually) a fraudulent website.

This time, attackers managed to acquire credentials for almost 8,000 user accounts, from 320 universities (in 22 countries), approximately half of which (3,768) were used in the 144 American universities* that were targeted. After getting user accounts, the attackers simply started copying anything they could get their hands on.

The unfortunate event would have been prevented if users could understand the difference between a phishing and a real email. Of course, once again, this is far from the users' fault. Users are (mostly) going through security training, and phishing is one of the most important topics. However, phishing exercises prove that the users still can be tricked. Probably, the way phishing training is taking place might not provide the ideal outcome. When the user understands how important phishing is, it is too late. Training should become more engaging and speak the users' language. It is not "yet another exercise"; it is probably one of the most important exercises and that should be reflected.

Inarguably, attackers are getting smarter every day. Sometimes, it is really hard to differentiate between a normal email and a phishing one. If you don't believe me, try some phishing quizzes here and here. I will not lie; I did not get a perfect score at some of them! Phishing attacks, and especially spear-phishing ones, can be very sophisticated, thoroughly thought through, and flawlessly executed. They are the attackers' "way in" your network.

My advice would be to consider email as your front door. Would you open it to a stranger, or someone you did not expect? When in doubt, ignore the email. Someone knocking on your door will eventually call if it is important. Email is no different."


Vulnerabilities in AMD Chips Highlight Trend Toward Hardware-based Attacks

According to hardware security firm CTS-Labs, several widely-deployed AMD microprocessors contain vulnerabilities that allow attackers to escalate an already-successful attack to a more advanced level. The vulnerabilities, disclosed in a 20-page white paper entitled "Severe Security Advisory on AMD Processors," all require an attacker to gain full control of a target's operating system before the AMD attacks may be employed. This means that a successful attack against an operating system would allow attackers to pivot the attack to the hardware, where it will be more persistent, more difficult to detect, and able to reach parts of the victim's hardware that would normally be out of reach for purely software-based attacks.


IISP Analyst Joel Odom: "The past few years have seen an increase in cyberattacks against hardware. Last year, Chris M. Roberts and I commented on the AnC Attack, which defeats Address Space Layout Randomization (ASLR). I also wrote about a problem that allows attackers to take over a PC via USB. Most recently, Spectre and Meltdown have demonstrated how difficult it is to secure a modern microprocessor. It is my opinion that this upward trend in hardware-based attacks will continue.

The manner by which these particular AMD vulnerabilities were disclosed is noteworthy. The standard practice in the security industry is to give companies at least 90 days to fix a vulnerability before public disclosure. In this case, CTS-Labs (an Israeli research organization that published the white paper) gave AMD just one day of notice. The disclosure report also has a disclaimer that states, "The report and all statements contained herein are opinions of CTS and are not statements of fact," and that CTS may hold "an economic interest in the performance of the securities of the companies whose products are the subject of our reports." The cybersecurity world has noted that CTS's handling of the disclosure smells foul. That said, other side discussions that I have been tracking in the information security community lead me to believe that the disclosed flaws are serious problems and warrant immediate attention."


Regulating Cyber through Trade Regimes

The international trade in hardware, software, and content complicates many cybersecurity challenges. Domestic regulations and enforcement may fall short of their intended aims when foreign criminals and governments are out of their jurisdiction, and cheap insecure technologies proliferate worldwide. In response, some security experts have looked to restricting trade as a mechanism to promote cybersecurity, or to implement some form of arms control. And yet, as with any restriction on trade, these proposals have major, potentially detrimental economic consequences. What follows is a typology of trade regimes and the expected economic challenges associated with their use...

Read the full piece by Karl Grindal, Ph.D. student at Georgia Tech's School of Public Policy.


ICANN’s Whois Reforms Are on a Path to Failure

The conflict between ICANN’s contracts and data protection law is dominating discourse and policy making at the ICANN 61 meeting in San Juan, Puerto Rico. ICANN requires registries and registrars to provide a public directory service, known as Whois, that gives anyone in the world immediate access to personal data about domain registrants if they type in the domain. ICANN has ignored warnings about the illegality of this for nearly two decades. The implementation of the European Union’s General Data Protection Regulation (GDPR) in May of this year has prompted it to start throwing together some reforms. This is the last big public meeting before GDPR comes into force. ICANN has a chance, or rather had a chance, to bring the community together to forge a path towards compliance.

Unfortunately, after several days on the ground in Puerto Rico we have to report that ICANN org is in all likelihood going to blow this opportunity. Key members of ICANN’s board and staff, and certain stakeholder constituencies, simply are not prepared to make the changes required to ensure GDPR compliance...

Read the full piece by Milton Mueller, professor at Georgia Tech's School of Public Policy.