Blog

Last month I wrote about digital certificates and encryption keys being used nefariously against organizations. In the time it takes you to read this blog, 1388 new malicious programs would have been submitted to AV-Test for analysis. With a percentage of these malicious programs stealing private keys and digital certificates, it’s imperative that you understand where and how these assets are being used within your organizations. In one month of malware analysis, Symantec found over 800 samples that had been designed to steal keys and certificates. The growth rate of malware using digital keys and certificates is staggering. Compared to the growth rate of apps submitted to Apple every day, the growth in digital certificates used in malware is 5 times that, growing by 600% in the last year.


Organized criminals are using encryption keys and digital certificates against you on a daily basis. We’ve all come to trust that we securely communicate with websites as we go about our daily online transactions. The green address bar in our browsers gives us a sense of confidence that the transfer of information is secure. However, many times when our browsers pop up a warning that something is wrong with the website certificate, we ignore it and proceed anyway. Cryptographic keys and certificates are the core of trust in digital communication. But what happens when that trust is used for nefarious action against you?


The recent news about the looming generic top-level domain (gTLD) names that the Internet Corporation for Assigned Names and Numbers (ICANN) is adding has sparked mixed emotions. Dot-anything domain extensions are already being auctioned off and should be seen as early as April 23, 2013. Despite growing contention from organizations such as the CA Security Council, it seems evident that gTLDs like “.local”, “.corp” and “.internal”, to name a few, will probably come to pass.

Caesar, infrastructure, outsourcing and offshoring

I never wanted to spend my life in IT. I passed a programming exam at high school because I promised the teacher I would never return. It was the hardest 50% I ever had to work for! My passions were history and literature, and especially Latin, which I was actually quite good at. And little did I realise all these years later that the “dead” civilisation would come back to haunt me!


Security has its foundation in trust, but trust and control over the source of trust go hand in hand. What happens when a lack of control over the technologies on which trust is built means you can no longer trust them?

Take a look, for example, at our reliance on cryptographic keys and digital certificates—technologies that were once thought of as intrinsically trustworthy. Case after case has shown how easily malicious individuals can usurp control of those technologies. Keys can be stolen and certificates forged.


Earlier this week Amazon Web Services announced their new CloudHSM offering. Essentially the service is a Luna SA appliance offered by SafeNet for each tenant, and can take at least two days to provision once ordered. The cryptographic assets are not accessible to AWS as they hold the admin credentials and the customer keeps both the HSM Admin and HSM Partition Owner credentials.


Microsoft is a trusted partner for some of the world’s largest enterprises, providing the software, and now cloud services, they use to build and run their businesses. Unfortunately, as so many other enterprises have learned, failed key and certificate management put a dent in the special trust Microsoft enjoys. During last week’s unplanned Azure outage, Microsoft and its customers learned that it only takes a single oversight, in this case an expiring digital certificate, to bring down a service that tens of thousands of customers rely on for almost half a day.


At last week’s RSA Conference 2013 in San Francisco, a clear consensus emerged: attacks on the trust established by cryptographic keys and certificates are on the rise and an important element in today’s threat landscape. In the Microsoft keynote, Scott Charney, corporate vice president for Trustworthy Computing, declared “PKI is under attack.” Charney explained how criminals are obtaining unauthorized digital certificates or misusing cryptographic keys to enable further attacks.


Attack on SSHD!

February 27th, 2013 - Posted by:

In recent news, SSHD (SSH daemon) backdoors have been all the buzz, though SSHD rootkits are nothing new. What’s interesting with the new SSHD rootkit is the level of sophistication, where the ssh, ssh-agent, and sshd binaries were all replaced. As a result, changing the password on a compromised system will do you no good: the attacker already has root access! As is well known, the main goal of the rootkit is to steal passwords, but this is not the end goal. The end goal is to use the stolen credentials to access systems for their data, and to sell the information for profit.


Every Global 2000 enterprise faces a total exposure of almost U.S. $400 million over 24 months due to new and evolving attacks on failed cryptographic key and digital certificate management. And adjusting for probability established by survey participants, we found every enterprise risks losing $35 million.

These findings cap our First Annual Cost of Failed Trust Report: Trusts and Attacks, which quantifies, for the first time, the financial impact of new threats and attacks on our ability to control trust.
