IEEE Cipher --- Items from security-related news (E160)
What 2020 paper did most to advance the science of cybersecurity?
Nominations for NSA's annual Best Science of Cybersecurity paper award are open. Were there any papers published in 2020 that you think were especially good, in the sense that they advanced the foundations of cybersecurity and/or exemplified excellence in scientific study in this multidisciplinary field?
To help you remember what's been published in the past year, a table providing links to many of the relevant conferences and journals is available here: https://cps-vo.org/sos/papercompetition/sources-2020
Last year's winning paper was "Spectre Attacks: Exploiting Speculative Execution," by Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, published at the 2019 IEEE Security & Privacy Symposium.
Please take a few moments to honor a paper by nominating it for NSA's Best Science of Cybersecurity paper competition, which is described here: https://cps-vo.org/group/sos/papercompetition.
Submit your nomination here: https://cps-vo.org/group/sos/papercompetition/submit Nominations close 15 April 2021.
Summary:
An employee at a water treatment facility said that his
computer screen showed that someone was accessing it via TeamViewer, a
remote access tool used for technical support. He said that the
unknown remote user commanded the system to put a massive amount of
lye into the water supply. Other operators at the plant reversed the
command, and they asked for help from local law enforcement. The
operators of the water treatment facility say that the lye (which is
used in small quantities to neutralize the pH of the water) increased
only minimally, and "additional" controls would have prevented further
damage. [Ed.: Despite involvement by the FBI and Secret Service, there is
no further information available about this incident.]
Summary:
Malware that infects Apple's new M1 chip has shown up on Mac computers
around the globe. Known as Silver Sparrow, the software seems to do
nothing malign, but its quick ubiquity is unsettling to security
experts. It may signal ongoing development of a new attack tool.
Summary:
In a nod to the skill of US intelligence services, malware developers
in China appear to have used NSA's hacking software as the basis for
a new project.
From the article:
Tel Aviv-based Check Point Software Technologies issued a report noting that some features in a piece of China-linked malware it dubs "Jian" were so similar they could only have been stolen from some of the National Security Agency break-in tools leaked to the internet in 2017.
Good software gets re-used, re-purposed, and improved. Hacking software is no different: it can "escape" from its point of origin and evolve into the core of countless derived tools.
Summary:
The SolarWinds hack provided backdoor access to thousands of systems
in the US, including some at US agencies. The instigator and
beneficiary of the attack appears to be Russia. At a Congressional
hearing on the matter, the president of Microsoft said that creation of
the software must have been the work of at least 1000 skilled
engineers. Either this speaks to tremendous inefficiency by
Microsoft's engineers or the hackers must have been a well-organized
software production company, perhaps government financed. Although
Microsoft itself was victimized, the company's president nonetheless
blamed the victims for poor security practices.
Summary:
In Congressional hearings about the SolarWinds hack, Microsoft was
on the defensive about its failure to provide protection against
known vulnerabilities in its Office360 product. The company said
the few victims were compromised through that pathway, but because
one of them was the US Department of Justice, U.S. Senator Ron Wyden
took Microsoft to task over its failings.
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, faulted large computing companies for "perhaps failing to adequately mitigate the risk of high impact, low probability failures in systems at the root of their security model." In the SolarWinds case, part of the attack required inside access to a victim's network. Security experts often discount such attacks on the grounds that if the network has been compromised, then there must be some greater security flaw elsewhere. Nonetheless, Microsoft knew about the flaws and could have fixed them before they were exploited.
Summary:
This article has a good and thorough analysis of the SolarWinds
attack. It briefly describes, among other things, the "Golden SAML"
trick for mimicking a trusted server inside a corporate network.
This is the flaw that Microsoft rated as a low priority target for patching.
Summary:
Microsoft discovered that its on-premises Exchange servers (NOT its cloud
servers) were being hacked through four zero-day exploits. These are
unrelated to the SolarWinds vulnerabilities. At the time of the
announcement, Microsoft believed that only one group, Hafnium, was
behind the attacks, but the patches reveal enough about the problems
that other groups will be likely to pounce on them and to develop
their own attacks.
Summary:
Microsoft Corp security program manager Phillip Misner announced via
Twitter that security flaws in its Exchange mail server product were
being avidly exploited by a variety of bad actors. Ransomware is
being spread via that mechanism. Small businesses without up-to-date
security patches are suspected of being particularly tasty targets
for the exploiters who are suspected of being a state-sponsored group
("Hafnium") operating out of China.
Microsoft released a slew of patches for the problems on March 2 (see Microsoft says a group of cyberattackers tied to China hit its Exchange email servers). Woe betide any organizations that have failed to apply them.
Summary:
The Federal Reserve banking system provides a funds transfer system
"Fedwire" that banks use to move money for payment services. The
system suffered an "operational error" on Feb. 24 and was unusable
for most of the day. Associated services problems lingered through
at least the next day.
The Fedwire system can take 2 days to clear transactions, and there was concern that the backlog due to the outage would increase that lag. Experts note that instant transfers are the norm in some other countries.
There seemed to be no follow-ups about cascading problems or malicious software. The failure seemed to be unique.
Summary:
No one really knows who is using those creepy surveillance cameras,
and the revelation of poor security by one of the suppliers of
the devices added to the worry about unsuspected access.
According to a hacker insider, Verkada cameras at hundreds of businesses, including a Tesla factory in Shanghai, were accessed for live video feeds, unbeknownst to the businesses involved. The hackers were able to use the administrative access to the cameras. Verkada says it was able to disable the access path quickly after being notified.
Summary:
There's little privacy on the Internet, a fact that was underscored by
the exposure of databases from the social media site Gab. Hackers
twice gained access to the site, in one case taking over the accounts
of 178 users. The databases of user accounts, postings, and direct
messages have provided a great deal of insight into QAnon investors,
for example. Interesting reading for anyone interested in the extremist
groups that seem to favor Gab.