The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
Catalonia Under Fire: Internet vs. Political Identities
Spain is undergoing a traumatic crackdown on freedom of expression, as part of a larger political convulsion over the Catalan province’s attempt to hold a binding referendum on independence... Officers from the Guardia Civil entered the .CAT registry’s offices in downtown Barcelona in late September and seized all computers. The move came a few days after a Spanish court ordered the domain registry to take down all .cat domain names being used by the upcoming Catalan referendum... In this case we wish to highlight the freedom of expression and proportionality issues. On that, we take the side of PuntCAT.
Read the full piece by Milton Mueller, Professor at the Georgia Tech School of Public Policy.
It's Time to Make Personal Data Meaningless
Information that is leaked or stolen even once, even partially, is no longer “personal” -- making one’s identity easier to impersonate to gain access to financial accounts, medical histories, school records and more. This is bad enough. Even worse, the common counter-solutions that help victims set up new privacy guards today rely on that same “personal” data. It is time to worry less about keeping data private and worry more about creating the next best technology to prove you are you...
Read the full piece by Wenke Lee, co-director of the Institute for Information Security & Privacy, professor, and John P. Imlay Jr., Chair in Software at the Georgia Tech School of Computer Science.
Combosquatting Domain Abuse and Adversarial Graph Clustering Identify New Tricks
On September 27, Georgia Tech hosted the 15th Annual Georgia Tech Cyber Security Summit, where attribution of malicious campaigns was front and center. Two academic papers released from the Astrolavos Lab were presented as posters and during the breakout session. The first described a new class of domain name abuse and the second demonstrated an adversarial attack against a popular machine learning system. Both will be presented in October at ACM CCS 2017, one of the top conferences for academic security.
The first paper described combosquatted domains, which combine a popular trademark with one or more phrases, like betterfacebook.com or youtube-live.com. These domains masquerade as their trademark -- typically for abusive purposes, such as phishing, social engineering, affiliate abuse and even advanced persistent threats (APTs). The authors found that over 60% of these domains are active for more than 1,000 days.
The second paper breaks the graph clustering component of Pleiades, a machine-learning network detector. The authors showed that clever attackers can not only completely evade Pleiades, but can do so at low cost using only the knowledge extracted from their infected hosts. However, clever tuning of the models allows some of the damage to be mitigated.
- Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse: https://arxiv.org/pdf/1708.08519.pdf
- Practical Attacks Against Graph-based Clustering [paper]: http://iisp.gatech.edu/sites/default/files/images/practical_attacks_against_graph-based_clustering_-_arxiv.pdf
IISP Analyst Yacin Nadji : (Full disclosure: both papers are from the lab I am a member of and I am a co-author of the second paper.)
"The two best parts of the combosquatting paper are 1.) these domains can readily be found to protect your company's customers and 2.) combosquatted domains can be directly tied to substantial abuse. It also shows that not only is the problem on the rise, but it is a serious one. Worse still, these domains are masquerading as a legitimate trademark, which may cause customers to lose faith. Thankfully, the abuse technique is simple, so trademark holders can easily find likely candidates, complain to ICANN and protect their customers from phishing attempts.
Adversarial machine learning in security is blowing up, and this second paper provides some nice contributions to the space: particularly introducing the concepts of the adversary's evasion cost and knowledge levels. In many security scenarios, an attacker evading detection comes at a cost, e.g., reduced connectivity to their infected machines. What is interesting is the authors demonstrate that in Pleiades' case, attackers can sometimes have more connected infrastructure while still evading detection. Second, they introduce a more realistic version of the attacker's knowledge level. In the simple case, they consider an attacker that only has knowledge a botmaster would have. But in the most advanced case (think nation-state actors), attackers possess the data used by the defenders themselves to construct their models. In the system-level case, this may be malware, which is not that scary. But in the network case, this would be network data from major ISPs. Considering such sophistication in attackers is, in my honest opinion, a direction that needs to be explored in the adversarial machine learning literature."
'BlueBorne' Exploit Endangers All Major Bluetooth Devices
Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is named “BlueBorne” and is spread through the air to attack devices via Bluetooth. The vector is a culmination of eight related zero-day vulnerabilities, four of which are critical. The BlueBorne exploit allows attackers to take full control of devices and spread malware laterally to adjacent devices.
Armis research: https://www.armis.com/blueborne/
IISP Analyst Chris M. Roberts: "This discovery of multiple vulnerabilities within Bluetooth is a major problem for a number of reasons. To begin with, the sheer number of Bluetooth devices in use today exceeds 8 billion (yes, BILLION with a ‘B’) which results in an absurdly large attack surface that would need to be patched to remove these vulnerabilities. Secondly, the attack is powerful because the vulnerabilities don’t rely on a target device to be in discovery mode or to be paired with the attack device; they also don’t rely on the users to mistakenly activate the exploit. The only way to prevent a vulnerable device from being attacked is to turn off Bluetooth all together, something many aren’t willing to do.
Vulnerabilities as serious as this should cause a lot of concern. Bluetooth has long been trusted in preventing unauthorized communications and encrypting data being shared between devices. Both of those assumptions are no longer accurate. It’s unlikely that all your Bluetooth devices will ever have patches developed to prevent these attacks, which opens up another discussion: Should companies be liable if they don’t produce a patch for their devices and users are attacked, or is it the user’s responsibility to stop using the device?"
IISP Analyst Stone Tillotson: "BlueBorne should be distinguished from singular, cohesive exploits like Heartbleed, since it represents a collection of problems in common Bluetooth implementations. While the researchers point to an overly complex Bluetooth stack as the culprit, and while it is certainly contributory (to this researcher's eyes), none of newly described flaws depart from common attack vectors. Most of the flaws center on buffer overflow conditions or equivalent, with two sections devoted to a replay of the WiFi Pineapple attack vector on Bluetooth. None of this is intended to diminish the achievements of the Armis team, but only to point out that developers and protocol designers should have been well aware of, and actively looking for, these problems. Fortunately, of the ones found, many should be straightforward to fix or mitigate. The tragedy here though, and of the compromises in the wild we're soon to see, is that much of this was foreseeable and experience was not used as a guide."
WikiLeaks Finally Pokes the Russian Bear
The website famous for leaking international state secrets, WikiLeaks.org, has released information that appears to show how Russia monitors Internet and phone users. According to the site, a Russian billing software company called PETER-SERVICE allegedly works with state law enforcement to enable electronic surveillance through its telecommunication client roster. This is a departure from previous leaks as the organization has demonstrated reluctance to publish Russian documents in years past. The latest revelations are not necessarily novel in content, but might imply a change of internal WikiLeaks policy or indicate more information is coming.
- Washington Post: https://www.washingtonpost.com/news/worldviews/wp/2017/09/19/wikileaks-releases-files-that-appear-to-offer-details-of-russian-surveillance-system/?utm_term=.b16abd1b3e66
- RussiaToday: https://www.rt.com/news/403937-wikileaks-russia-spy-files/
- WikiLeaks: https://wikileaks.org/spyfiles/russia/
- About SORM: https://en.wikipedia.org/wiki/SORM
IISP Analyst Holly Dragoo: "The Russian national surveillance System for Operative Investigative Activities (SORM, in Russian) has been around in some form since 1995, and is well documented. The fact that a private company outside the service provider industry is involved and has access to or is potentially developing intrusive software or cultivating a more in-depth relationship with Russian authorities also is not surprising. The technical specs provided are not terribly detailed enough to be meaningful; deep packet inspection is practiced world-wide, for many legitimate purposes. Also, privacy is culturally not as valued in Russia as it is in the West. It’s actually hard to guess what WikiLeaks’ goal is by revealing this information, especially since it is publicly available. Is it to show they can? Is it somehow trying to counter all the complaints that it is a pro-Russia organization? I’m actually baffled."
Safari Browser Incorporates Intelligent Tracking Prevention
The new versions of the Safari web browser included with iOS 11 and macOS High Sierra, both being released by Apple this month, include a new feature called Intelligent Tracking Prevention. Web browsers have long included the ability to prevent installation of tracking cookies from third-party advertisers, but disabling third-party cookies also blocks some useful web features, such as the ability to use third-party authentication. Intelligent Tracking Prevention tries to block unwanted tracking while retaining wanted third-party website interactions by learning users' behavior to determine which cookies are wanted and which are unwanted. A consortium of advertising companies criticized the feature, saying, "Apple's Safari move breaks [generally applicable] standards and replaces them with an amorphous set of shifting rules that will hurt the user experience and sabotage the economic model for the Internet."
- ArsTechnica: https://arstechnica.com/tech-policy/2017/09/ad-industry-deeply-concerned-about-safaris-new-ad-tracking-restrictions/
IISP Analyst Joel Odom: "People care about privacy. There is enough smart writing by the likes of Bruce Schneier, Peter Swire, and Sherry Turkle that I don't need to rehash the value of privacy here, except to note that corporations like Google, Facebook, Equifax and Comcast certainly understand how to turn our personal habits into value.
Because consumers want a rich web browsing experience, full of valuable content and features, web sites have a legitimate need to remember some kind of state between clicks on the website. Small bits of information pushed from websites to users' browsers, called cookies, are one of the main ways that websites maintain state. However, it's these same cookies, especially third-party cookies delivered from websites other than the one being visited, that not only keep track of activity on a particular website, but that are used to track consumers' long-term habits as they surf. This allows advertisers to build a dossier of a user's interests, habits, and other personal information. It's almost as if advertisers had video cameras installed on your shoulder that allowed them to watch everything you do online. The analogy isn't perfect, but it gives you an idea of the power of unrestricted cookies.
Different security experts follow different practices when browsing the internet, depending on their personal balance between privacy and features. I've heard some experts say that they accept all cookies, but that they have their browser clear them every time they close the browser. I've heard others say that they disable cookies altogether. My approach is to use Chrome for web applications that I use routinely such as e-mail access, document sharing, banking, and applications for my job. I use Firefox in private browsing mode for general surfing, reading news, research, and other activities that generate a broad digital trail. My Firefox configuration clears my cookies every time I close the browser, and I manually keep my Chrome data clean by deleting cookies from time to time. This gives me a semi-permanent online persona (via Chrome) as well as an evanescent persona that is decoupled from what I do (via Firefox private browsing). The new Safari approach uses machine intelligence to achieve something similar without requiring as much manual attention."
Senate Says No More Kaspersky
The U.S. Senate passed the Defense Authorization Act, including an amendment banning cybersecurity firm Kaspersky Labs from use by federal agencies. This comes after briefings from the U.S. Department of Homeland Security and a White House directive alleging the software has both political and digital connections to Russian government stakeholders. Kaspersky denies any governmental ties and has offered to testify before Congress, stating there are no “backdoors” or covert channels for secret use in their products.
- U.S. Senator Jeanne Shaheen: https://www.shaheen.senate.gov/news/press/shaheens-legislation-to-ban-kaspersky-software-government-wide-passes-senate-as-part-of-annual-defense-bill-
- The New York Times: https://www.nytimes.com/2017/09/04/opinion/kapersky-russia-cybersecurity.html?mcubz=1&_r=0
- RussiaToday: https://www.rt.com/business/403814-kaspersky-lab-reaction-us-ban/
IISP Analyst Holly Dragoo: "Kaspersky’s anti-virus products and Threat Post blog have been increasingly used in U.S. markets in recent years, including government offices, in spite of CEO Eugene Kaspersky’s well-known KGB training and Russian government milieu. This is in part due to an aggressive marketing push by the company, and possibly because these types of products have been (naively) perceived as non-threatening since it’s industry standard to share threat information with a cybersecurity vendor for aggregate analysis. I would argue this alone should be cause for concern; 'backdoors' are unnecessary when your internal network data is being routed to a vendor’s headquarters in a hostile country. Never mind that Russian law requires service providers like KL to install monitoring equipment accessible to the FSB – an actual 'front door.' When Kaspersky branched out into developing operating systems and SCADA/ICS system software, however, I think people started to wake up and pump the brakes on procurement. It’s about time."