IEEE Cipher --- Items from security-related news (E166)
Nominations for NSA's annual Best Science of Cybersecurity paper award are open. Were there any papers published in 2021 that you think were especially good, in the sense that they advanced the foundations of cybersecurity and/or exemplified excellence in scientific study in this multidisciplinary field?
Last year's winning paper was "On One-way Functions and Kolmogorov Complexity" by Yanyi Liu from Cornell University and Rafael Pass from Cornell Tech, published in the 2020 IEEE Symposium on Foundations of Computer Science (FOCS) (talk presenting the paper).
"Retrofitting Fine Grain Isolation in the Firefox Renderer" by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Hovav Shacham and Deian Stefan, published in USENIX Security 2020, received an Honorable Mention award.
To help you remember what's been published in the past year, a table providing links to many of the relevant conferences and journals is available.
Please take a few moments to honor a paper by nominating it for NSA's Best Science of Cybersecurity paper competition, which is described here: https://cps-vo.org/group/sos/papercompetition
Submit your nomination here: https://cps-vo.org/group/sos/papercompetition/submit. Nominations close 15 April 2022.
Summary:
The RSA public key algorithm is delightfully simple, but in practice
there are a host of caveats known to number theorists but usually
not to practitioners. One such warning is "p and q shouldn't be close
together." One crypto library came under scrutiny by a researcher who
discovered that it violated that principle, and as a result, the
public keys were easily factored by the "difference of squares" method
elucidated by Fermat some centuries ago. Those who do not know
number theory should not design crypto libraries.
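As an added illustration of the "p and q too close" failure (not code from the article or from the library it discusses), here is Fermat's difference-of-squares method written as a defender-side sanity check on an RSA modulus; the primes and moduli below are constructed for the demo, and the step budget is an assumed value.

```python
import math

def fermat_factor(n: int, max_steps: int = 100_000):
    """Fermat's method: look for a, b with n = a^2 - b^2 = (a - b)(a + b).
    Returns (p, q) with p <= q, or None when nothing is found within
    max_steps (the key is then only 'not close enough for this budget',
    not proven safe)."""
    if n % 2 == 0:
        return (2, n // 2)
    a = math.isqrt(n)
    if a * a < n:            # start at ceil(sqrt(n))
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:      # a^2 - n is a perfect square: factors found
            return (a - b, a + b)
        a += 1               # try the next candidate midpoint (p + q) / 2
    return None

def close_prime_check(n: int, max_steps: int = 100_000) -> bool:
    """True if Fermat's method recovers the factors within the budget,
    i.e. the modulus must be rejected as a key."""
    return fermat_factor(n, max_steps) is not None

# Constructed demo values (not from the article): two primes that share
# almost all of their high-order bits, as a "p and q too close" key would.
P_CLOSE = 2147483647            # 2^31 - 1, prime
Q_CLOSE = 2147483659            # next prime above 2^31
N_WEAK = P_CLOSE * Q_CLOSE      # (p + q)/2 is ceil(sqrt(n)): found on step 1

# Contrast: primes of very different size. The loop would need roughly
# (p + q)/2 - sqrt(n) steps, about 10^9 here, so it gives up.
N_OK = 10007 * 2147483647

if __name__ == "__main__":
    print(fermat_factor(N_WEAK))                              # (2147483647, 2147483659)
    print(close_prime_check(N_WEAK), close_prime_check(N_OK)) # True False
```

The number of steps Fermat needs grows with (q - p)^2 / sqrt(n), which is why the method is near-instant when the two primes share their top bits and hopeless when they are generated independently at full size.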
Summary:
[Ed. This article is behind a paywall, but the magazine will send a one-time free link to an email address. Subsequent "unsubscribe" may be desirable.]
Chris Inglis is the National Cyber Director of the Office of National
Cyber Defense. His thoughts on digital safety are interesting.
This article makes the points that cybersecurity is really important, just like safe food and drugs and transportation, so there should be a way for government and industry to work together to assure that the digital world is safe, and this is the key to a bright future. Sounds like a compelling argument. All that stands in the way are some "important adjustments", the like of which we've seen before (i.e., precedented).
Despite this optimistic beginning, the authors go on to talk about solutions that require "unprecedented" achievements in planning and cooperation. The first step along this difficult path seems to be the establishment of an advisory body, the Cyber Safety Review Board (one of the authors, Inglis, is a member of the board). Whether they can even begin to develop a "new social contract for cyberspace-based around investments in resilience, new forms of information sharing, and public-private collaboration ..." remains to be seen.
The public's input on what is good seems left out of the authors' vision. Privacy advocates may be surprised to learn that "Individuals' personal data is ... the lifeblood of the digital economy ...". If that is the kind of government-industry sharing that the authors envision in our bright future, then there might be some obstacles raised. However, the authors go on to envision "an absolutely secure digital world" where "a comprehensive privacy regime becomes more practical." Computer security experts might wonder if the US government could lead the country to "absolute security."
Summary:
This is a good summary of the Foreign Affairs article mentioned above.
It particularly delineates the argument that online safety will
foster innovation and commerce while protecting the US from foreign
cyberattacks.
Summary:
Trickbot is a notorious botnet that has been used for stealing bank
credentials and distributing ransomware. It dates back to 2016 and
has been stubbornly resistant to take downs of its command and control
infrastructure. Its persistence was partly due to its occupation
of MikroTik routers. These routers are made in Latvia and use an
open source Linux-based OS.
Lots of people have routers in their home, but few people have any idea what they do. Usually any problem can be solved by a power reset. But sometimes the router is the place where malware lives, carrying out attacks across the Internet while carrying out the relatively minor task of moving network packets across a boundary between a home or enterprise and the Internet service. Microsoft has been working to remove the servers that direct the botnet activities and has finally unraveled exactly how the routers were subverted and how they hid their traffic.
Uncovering Trickbot's use of IoT devices in command-and-control infrastructure, March 16, 2022, Microsoft Defender for IoT Research Team, Microsoft Threat Intelligence Center (MSTIC):
"This continuous evolution has seen Trickbot expand its reach from
computers to Internet of Things (IoT) devices such as routers, with
the malware updating its C2 infrastructure to utilize MikroTik devices
and modules. MikroTik routers are widely used around the world across
different industries. By using MikroTik routers as proxy servers for
its C2 servers and redirecting the traffic through non-standard ports,
Trickbot adds another persistence layer that helps malicious IPs evade
detection by standard security systems."
Summary:
There is a new botnet called "Cyclops Blink" that is attributed to
a state-sponsored Russian hacking group. It resides in Asus routers
and can achieve persistence over factory resets.
"This week, cybersecurity researchers from Trend Micro said that while the malware is "state-sponsored", it does not appear to be in active use against targets that would have Russia's state interests at heart."
This announcement showed that the US is aware of the threat: Cybersecurity and Infrastructure Security Agency (CISA), Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter. Asus said that it was investigating the problem. Meanwhile Trend Micro recommends that suspect devices be taken out of service.
Summary:
The perfect crime must include some tangible benefit to the perpetrator.
Moving ill-gotten gains to The Real World turned out to be the undoing
of two crypto thieves. Ilya Lichtenstein and Heather Morgan are charged
with the theft of over 100K BTC from the BitFinex exchange in 2016.
Some recent news stories have focused on how they were ultimately tripped
up by buying a $500 Walmart gift card. This ignores the painstaking
investigation that preceded their arrests. This article goes over the
FBI report on the facts of their investigation and explains the underlying
technology. It's a fascinating story and underscores the sophistication
that law enforcement has developed in the digital sphere.
Summary:
STATEMENT OF FACTS:
1. Your affiant, Christopher Janczewski, is a Special Agent assigned to
the Internal Revenue Service, Criminal Investigation (IRS-CI). As a
Special Agent, my responsibilities include the investigation of
criminal violations of the Internal Revenue Code (Title 26, United
States Code), the Money Laundering Control Act (Title 18, United
States Code, Sections 1956 and 1957), the Bank Secrecy Act (including
relevant parts of Title 31, United States Code), and related offenses.
...
Summary:
Rosenthal's observations on crypto currency are incisive. He points out
that the entire purpose of a blockchain is to make the cost of
a Sybil attack greater than the reward, and this results in
a dependence on "externalities" (i.e., real world resources) that
is unsustainable.
Two quotes illustrate his pithy expression of the clash between the ideals of crypto currencies and their realities:
"Cryptocurrencies' roots lie deep in the libertarian culture of Silicon Valley and the cypherpunks. Libertarianism's attraction is based on ignoring externalities, and cryptocurrencies are no exception."
Watch: Stanford Seminar Lecture, Feb. 9, 2022
"Thus a permissionless blockchain requires a cryptocurrency to function, and this cryptocurrency requires speculation to function."
Summary:
Doctorow's commentary on Rosenthal adds even more clarity to the
discussion of how proof-of-work fails to achieve the goals of
libertarianism.
Summary:
Russia has a recent history of successes in cyber attacks,
particularly against Ukraine in 2015 and 2017. This led to an
expectation that the current assault would begin with similar but more
destructive cyber attacks. Yet, it has not happened. Experts seem to
differ on the reasons. Perhaps there is better infrastructure
protection, perhaps Russia fears massive retaliation, maybe leaving a
compromised communications infrastructure in place is better than
destruction, or perhaps such attacks are yet to come.
Summary:
Some military observers are surprised at Russia's lack of planning for
cyber warfare. Although some website harassment against Ukraine
occurred, there was no concerted effort to penetrate and disrupt
networks. The speculation about this includes the idea that the
physical dominance of the Russian military was expected to be sufficient
for a quick victory.
Kenneth Geers, a senior fellow at the Atlantic Council and the NATO Cyber Centre ambassador with 20 years of experience with the U.S. Army, the National Security Agency and NATO notes "And at this point, anything cyber-related can't approach the horror and the immediate goals of the war the way bombs and rockets can."
Summary: If nations have avoided waging cyber war, "hacktivist collectives" haven't. The group "Anonymous" has credible claims to have wreaked havoc on a large variety of Russian infrastructure that uses the Internet. Of particular note is their ability to put anti-war messages onto various public TV screens in Russia and to interfere with state-controlled information media.
Summary: Unspecified intelligence has led the White House to warn US businesses to gird themselves for Russian cyberattacks in the near future. The warning from the deputy national security advisor seemed directed at critical infrastructure providers. The article notes that on February 24 satellite communications provided by the US company Viasat were interrupted, resulting in tens of thousands of European customers being cut off from the Internet.
Summary:
Last year sensitive information about voting machine credentials was
somehow leaked (see "FBI joins investigation into QAnon-affiliated
leak of voting machine logins in Colorado"). What was unclear at the time was whether
the leak had been created by outside hacking or insider treachery.
Based on the result of the FBI investigation and the recent indictment,
the answer seems to be the latter.