The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
2017 Year-End Special Edition
The Best Cybersecurity Stories of 2017
I love working in cybersecurity. Not only are the technical topics a lot of fun, but cybersecurity is an area where I feel like my work makes a meaningful impact for my project sponsors, for the students at Georgia Tech, and for the public at large. Also, to be completely frank, it's nice to know that I'm in a field that has so many problems to solve that I will never be out of a job. Hardly a week goes by where some aspect of computer security doesn't make headline news. Here are a few of my favorite stories from 2017.
Best Industry Response to a Vulnerability
A few weeks ago, I wrote about a vulnerability that allowed an attacker with USB access to infect a computer and take complete control of the system -- from the hardware layer up -- due to a weakness in Intel's Management Engine. I still think that having a "tiny homunculus computer" embedded on motherboards is a bad idea from a security standpoint, but kudos to Intel for their thorough response.
- Intel PCs Vulnerable to Attack Over USB: http://cyber.gatech.edu/intel-based-pcs-may-be-widely-vulnerable-attack-over-usb
- Intel Response: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Worst Industry Response to a Breach
Early in the year, Holly Dragoo wrote about how, to their credit, Uber pushed back against New York City's request for private data about Uber customers. To their discredit, it recently emerged that Uber paid $100,000 in hush money to cover up a 2016 hack that revealed the private data of 57 million customers, including about 600,000 driver's licenses.
- Uber Privacy Data Again in the Crosshairs: https://cyber.gatech.edu/ubers-data-privacy-again-crosshairs
- Uber Pays to Hide Breach: http://www.zdnet.com/article/uber-paid-20-year-old-man-to-hide-data-breach-destroy-information/
Most Aggravating Cybersecurity Story
This award goes to the Equifax breach, which compromised the data of 143 million Americans, yet was not reported for months after its discovery. Now Equifax encourages consumers to embed themselves even more deeply in products and services provided by the credit industry (to protect themselves from the very failures of the credit industry). A decade ago, Professor Annie Anton warned Congress that overuse of social security numbers as identifiers would lead to trouble. Wenke Lee, co-director of the Institute for Information Security & Privacy, argues that it's time to employ better methods for authentication.
- Overuse of Social Security Numbers: https://apnews.com/47b70ffc0d3943719020efcb0badc1e6
- New Developments in User Authentication: https://cyber.gatech.edu/its-time-make-personal-data-meaningless
The runner up in the aggravating stories category is the meteoric rise of Bitcoin's value, which Holly Dragoo wrote about in January. Every time Bitcoin's value jumps another 500%, I relive the pain of having sold all of my Bitcoins in 2011; along with them I sold my ability to buy that private island I've always dreamed of.
- Bitcoin Surges: https://cyber.gatech.edu/bitcoin-surges-past-gold-value
Most Worrisome Cybersecurity Story
The power grid remains in the news year after year as being vulnerable to attack, and most of those in the industry that I have talked with about this problem believe that the problem is real. My understanding is that power companies are reluctant to upgrade vulnerable systems due to concerns that upgrades could negatively impact the availability of power service. That alone should tell us something...
- Congressional Report Finds Grid Vulnerable to Attack: https://cyber.gatech.edu/congressional-report-finds-grid-still-vulnerable-cyberattacks
Biggest Story in Cryptography
In March, I wrote about the death of SHA-1 -- a technique that uses 80 rounds of cryptographic operations to encrypt and secure the object. Cryptography buffs like to benchmark the strength of cryptographic primitives by calculating how many lifespans of the universe it would take to crack the primitive by brute force. Unfortunately, theoretical and implementation weaknesses cut 100,000,000,000 years down to a couple of decades. Although once the gold standard of cryptographic hash functions, SHA-1 now lives in the graveyard of broken primitives.
- First Collision of Cryptographic Technique Occurs: https://cyber.gatech.edu/rip-sha-1
Coolest Technical Attack
Back in March, Chris Roberts and I commented on an amazing attack on the fundamental architecture of microprocessors that defeats important protections on an array of processors from different vendors. The "AnC Attack" by researchers from VU Amsterdam exploits the physical hardware and the data leaked by memory management units. To quote a colleague, the attack "demonstrates how security is hard. Mitigations must be seriously contemplated to be effective, and even when they are, the complexity of microprocessors deceives our understanding."
Most Annoying Hack
I imagine that the conversation went something like this... Engineer Anne: "Let's enable wireless activation of the city's emergency sirens so that we can trigger them remotely in the event of a communications failure." Engineer Bob: "That seems like a good idea, but how are we going to secure the wireless protocol?" Engineer Anne: "Why do we need to do that? We can just use a proprietary system that is hard to reverse-engineer." Engineer Bob: "Good point, Anne. Besides, who would want to hack our emergency sirens anyway?"
- Hackers Activate Dallas Emergency Sirens: https://cyber.gatech.edu/hacked-emergency-infrastructure-dallas-lesson-its-too-late
Looking Into 2018: the Biggest Unresolved Cybersecurity Matters Ahead
Tough cybersecurity policy issues cropped up in 2017, and the response could bring new privacy laws in 2018 with wide-reaching, cross-border effects. Highlights from the past year included how to respond to allegations of Russian election tampering, the great FCC/net neutrality debate, and mandatory clauses in the Chinese Cybersecurity Law (CCL). Yet arguably the most important privacy story of 2017 is still unresolved and likely will be among the most thunderous in 2018: Carpenter vs United States (more below). Also, looking ahead to 2018, another big story for cybersecurity policy will be the European Union’s enforcement of the new General Data Privacy Regulations (GDPR) which affect how private information may or may not flow among global businesses.
Guarding the Privacy of Cell Phone Data
The Supreme Court recently heard arguments in Carpenter vs. United States, a case about the privacy of cell phone location data. At stake is whether the government may track a cell phone user without a warrant using the cell-site location data that the cell network needs in order to relay calls and billing information. Both liberal and conservative justices made statements indicating their interpretations will favor citizen privacy -- citing concerns that if the government were allowed to track citizens' movements without a warrant, it would be similar to the general warrants of the 18th century that contributed to the first sparks of the Revolutionary War. If those remarks are any sign of things to come, before the close of 2018 we may see law enforcement facing more hoops to jump through when pursuing location data as evidence. No date has been set for the final decision, but it's sure to be noteworthy.
- The Atlantic: https://www.theatlantic.com/politics/archive/2017/11/bipartisanship-supreme-court/547124/
- Supreme Court Oral Argument Transcripts: https://www.supremecourt.gov/oral_arguments/argument_transcripts/2017/16-402_3f14.pdf
- Carpenter vs United States: http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/
Guarding the Privacy of Europeans
Promulgation of the new General Data Privacy Regulations (GDPR) by the European Union will have extraterritorial effects, meaning non-EU businesses dealing with EU citizens – regardless of either party's location – will be required to comply or risk steep penalties. For example, an American company selling widgets online (to customers who include European citizens) will soon have to employ a staff member who acts as a privacy advocate, give customers the ability to have their data removed, and give customers access to their data so they can verify its accuracy. Many established commercial networks are not configured to allow for this (plus an extensive list of additional GDPR specifications), so the cost of transforming business networks toward compliance will not be insignificant. Small-scale industries may turn away from EU clientele if the costs are prohibitive, but my guess is that this will be short-lived. The EU is too great a market to leave behind, and the investment is a one-time sunk cost. Depending on how strong the lobby is for delaying the May 25, 2018 enforcement date, I predict we will see a prolonged and perhaps costly adjustment phase as companies adopt the regulations into their infrastructures, but the majority of businesses will comply.
- Understanding GDPR: https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
- Preparations for Businesses: https://www.ntsc.org/resources/ntsc-blog/u.s.-businesses-need-to-prepare-now-to-align-with-eu-privacy-law.html
Normalization of Demand for Transnational Internet Governance
Whether looking broadly at issues like cybersecurity, privacy & surveillance, free expression or digital trade, or at the governing of specific technologies like Internet domain names or Internet connected devices, what became clear in 2017 was the constant tension between state(s) and the need for new transnational Internet governance institutions, or sets of rules that govern human activity online... In some cases, states are trying to impose their will on Internet governance in order to achieve domestic objectives... It’s also become increasingly clear that traditional forms of statecraft and intergovernmental cooperation are simply not up to the task of Internet governance in a connected world... As we’ve said before, we think there is a fundamental re-ordering between public and private power underway, as well as reactionary trends towards nationalism, re-aligning state jurisdictions and cyberspace, and identity politics. The takeaway this year is that demand for transnational forms of Internet governance has normalized. Here’s to making progress on the institutional front in 2018.
- Read more and find a complete list of the most-viewed 2017 Cybersecurity Policy stories at the Internet Governance Project website, by Brenden Kuerbis with Farzaneh Badii and Milton Mueller: https://www.internetgovernance.org/2017/12/22/year-review-normalization-demand-transnational-internet-governance/