If communications are monitored and encryption is still Pretty Good, is the bigger challenge not only maintaining control of keys, but ensuring that those who deem websites to be safe can be trusted at all?
In FireEye's 2015 M-Trends report, authentication-based attacks, including the abuse of VPN certificates, were identified as the third major threat. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, said that the problem is that the bad guys are using encryption to cloak their activities, and that where Edward Snowden said the problem was not breaking encryption but stealing keys, things in that area have not improved. Yet is the issue really one about the attackers when it comes to certificate security?
He said: “Between 2013 and 2014, the perception has been that there is a rise in the number of certificates and that we are using them a bit more. Our survey found that Germany uses 24 per cent fewer certificates than the UK, and these are newly created certificates.
“Certificates come from an authority or are self-signed, and the latter is huge. Our own Trustnet has 100 million certificates in its database and it is adding two million more a month. If you were to make a malicious certificate, you have to make sure the traffic was directed to you and that you poisoned the DNS to resolve the IP address, but with Superfish we saw what a Trojan could do; it allowed you to sign for everything.”
Naturally, the growing use of keys and certificates makes them a better target for attack: stolen certificates sell for almost a thousand pounds on underground marketplaces, while the misuse of enterprise mobility certificates used for WiFi, VPN and MDM/EMM is a growing concern for security professionals.
I asked Bocek if mobile was worse, and he agreed, adding that the experience of an expired certificate is one of an entity that does not show good security, while the most important thing in security is “can I trust this website or not?”
In a recent survey of 2,300 IT security professionals, Venafi found that 100 per cent of the UK organisations surveyed had suffered multiple attacks on keys and certificates, with 54 per cent saying that the trust established by keys and certificates, which online banking, shopping and Government depend on, is in jeopardy.
“Whether they realise it or not, every business and Government relies upon cryptographic keys and digital certificates to operate,” Bocek said. “Without the trust established by keys and certificates, we’d be back to the internet ‘stone age’ – not knowing if a website, device, or mobile application can be trusted.”
He referred to the “cryptopocalypse” concept that Alex Stamos (now Yahoo CISO) talked of in 2013, in which the standard algorithms underpinning trust, such as RSA and SHA, are compromised and exploited. He said that if a “cryptopocalypse” were to occur, the impact could be a thousand times worse than the Heartbleed bug because of the trust fallout.
Russian cyber criminals, for instance, recently stole digital certificates from one of the top five global banks, enabling them to steal 80 million records, while another attack allowed hackers to steal data from four and a half million healthcare patients. Bocek also told me that the Flame malware, noted at the time for its sophistication because it carried a forged code-signing certificate that chained to a Microsoft root rather than a merely self-signed one, was now available for 65 cents on the dark web.
Bocek said that website certificates now sell for a matter of dollars, but the issue within businesses is that shadow IT exists: marketing can get a certificate, and it is not known who created the certificate in the first place.
He said: “Matthew Rosenquist, cyber security strategist for Intel Security at Intel, said that the sale of certificates will be the next big threat, and if marketing can get certificates for a domain, who else can?
“Every day there is a vulnerability in SSL and the problem is no one knows what they are using. The internet is 20 years old and there is not much that has changed. Nothing in IT security lasts for 20 years, let alone two years.”
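The recurring practical point in the interview is that organisations do not know which certificates they are running, who created them, whether they are self-signed, whether they have expired, or whether they still rest on keys and algorithms that a "cryptopocalypse" would sweep away. The following is an added example, written for this page and not code from Venafi or the article's author, of the triage checks an inventory pass would apply to each parsed certificate. The function names (Triage, Has, NewSelfSignedSample), the host name campaign.example.com and the sample certificate it generates are all assumptions constructed for the example; the sample stands in for the kind of unrecorded, self-signed certificate a marketing team might deploy.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Findings that an inventory pass over certificates should raise.
const (
	FindingSelfSigned    = "self-signed: issuer equals subject and the signature verifies under its own key"
	FindingExpired       = "expired"
	FindingNotYetValid   = "not yet valid"
	FindingWeakRSAKey    = "RSA modulus shorter than 2048 bits"
	FindingWeakSignature = "signed with MD2, MD5 or SHA-1"
)

// Triage returns the findings that apply to cert when evaluated at time now.
func Triage(cert *x509.Certificate, now time.Time) []string {
	var findings []string

	// A self-signed certificate has no third party vouching for it: nobody but
	// the holder of the private key says who created it or whether to trust it.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, FindingSelfSigned)
	}
	if now.After(cert.NotAfter) {
		findings = append(findings, FindingExpired)
	}
	if now.Before(cert.NotBefore) {
		findings = append(findings, FindingNotYetValid)
	}
	// Short RSA moduli and legacy hash algorithms are the "RSA and SHA" part of
	// the cryptopocalypse scenario; flag them before they are broken, not after.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, FindingWeakRSAKey)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, FindingWeakSignature)
	}
	return findings
}

// Has reports whether finding f is present in a Triage result.
func Has(findings []string, f string) bool {
	for _, x := range findings {
		if x == f {
			return true
		}
	}
	return false
}

// NewSelfSignedSample constructs a sample self-signed certificate (assumed,
// not a real deployed one) for a hypothetical host, with the given RSA key
// size and validity window. Passing the template as its own parent is what
// makes the result self-signed.
func NewSelfSignedSample(bits int, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "campaign.example.com"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// A 1024-bit self-signed certificate that expired a year ago: three findings.
	cert, err := NewSelfSignedSample(1024, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	if err != nil {
		panic(err)
	}
	for _, f := range Triage(cert, now) {
		fmt.Printf("%s: %s\n", cert.Subject.CommonName, f)
	}
}
```

In a real inventory the certificates would come from scanning listeners or from a store export rather than from NewSelfSignedSample, and the same Triage call would run over each one; the point of the checks is that every finding is decidable from the certificate alone, without knowing who requested it.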
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, was talking to Dan Raywood