
2011 is the year of the “CA compromise”. In the last year we have seen five attacks that targeted third-party trust providers or compromised the trust they provide to their customers: Stuxnet, Comodo, StartSSL, DigiNotar and now Duqu.

Duqu, the so-called “Son of Stuxnet” malware, is a direct, high-priority wakeup call to IT security. According to current analysis of the malware, a certificate issued in the name of a legitimate company was again used to sign its driver files, allowing the malware to load as a trusted, signed component that could communicate with other systems and applications. Note that this is a code-signing certificate, not an SSL server certificate; what matters is that the trust it carries was misappropriated. This is the second reported incident of a digital certificate being used in this type of attack, and it must be viewed as an ominous sign of things to come.



News and analysis started coming out Tuesday about the Duqu Trojan and the threat vectors it represents. The two primary sources of information are McAfee and Symantec. Their posts have some notable differences about an important detail of the attack: how the creator of Duqu was able to get a bona fide certificate that allows Duqu to authenticate itself as trusted code.

McAfee says the following: “It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack.” (See http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%e2%80%93-further-tales-of-the-stuxnet-files/comment-page-1#comment-173796).

Symantec says: “Our investigation into the key’s usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware.” (See http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet).

We’re hoping to get more information so we can determine whether the certificate was obtained through a private key compromise or a CA compromise. Either way, since the certificate used in Duqu serves to authenticate code—much as SSL server- and client-side certificates authenticate endpoints—both causes should prompt organizations to look closely at their security and operations management processes and their response plans. Certificates are used for authentication, not only for encryption.

Let’s look at both use cases:

CA Compromise

If the Duqu creator compromised a CA to get their certificate, they could have also fraudulently issued other certificates. The security of that CA could be called into question, as well as all the certificates it issued.

To add fuel to the fire, McAfee’s post also says, “McAfee Labs received a kit from an independent team of researchers that is closely related to the original Stuxnet worm, but with a different goal–to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs).”

They go on to say, “To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus,” the Golden Jackal, to execute professional targeted attacks against sites such as small CAs, industry systems, and others.”
If a CA was compromised, companies with certificates from that CA must replace them, and all organizations must ensure they are no longer trusting that CA. The order matters: distrusting the CA (removing its root from trust stores) also breaks every legitimate certificate that chains to it, so an organization needs an inventory of which of its own certificates chain to the CA and must have replacements issued before the root is pulled. Going beyond this incident, if Duqu is targeting CAs, that reinforces the importance of preparing for a CA compromise, especially coming on the heels of the DigiNotar CA breach this summer.

If you’re looking for best practices on how to prepare for and/or respond to a CA compromise, we’ve provided detailed best practices in a PDF at www.venafi.com/CACompromise on the steps organizations should take for CA compromises.

Private Key Compromise

If the Duqu creator stole the private key of C-Media Electronics (the Taiwanese company whose certificate is associated with Duqu), that points to another risk that organizations need to address: providing better protection of private keys.

In a Symantec blog responding to Duqu, Fran Rosch (vice president of Trust Services at Symantec) says, “We have long advocated best practices for safeguarding private keys.” He goes on to recommend several best practices, including 1) separating test and release signing keys, 2) using hardware security modules, and 3) physical security. For #3, physical security, he points out, “If it’s possible for an outsider, or malicious insider, to gain unnecessary access to code signing keys then all the cryptography measures are for naught.”

These are good, high-level recommendations. However, recommendation #2 may not be practical for corporations to implement any time soon: protecting every key that way would mean purchasing and operating hundreds of HSMs, which are expensive. And because most private keys are readily accessible to “insiders” in most organizations, recommendation #3 is difficult to implement effectively.

Most corporations have hundreds or thousands of private keys (code signing, SSL, etc.). It’s safe to say that over 90% of the private keys used in corporations today are stored on disk, not in hardware security modules (HSMs). Those private keys are largely handled directly by system administrators, who can easily make copies of them, which increases the likelihood of a private key compromise when an administrator is reassigned, fired, etc.

Most organizations assume that when they contract with a CA (e.g. VeriSign, Thawte, Comodo, etc.) they are covered from a security perspective. The reality is that these CAs do not help manage the private keys, so administrators have to manage them manually, which significantly undermines “physical security.” If organizations are going to implement physical security for private keys, they have to deploy automated tools that manage those keys and do not require administrators to have direct access to them.
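The first step toward the kind of key management the post calls for is knowing where the on-disk keys are and which of them are unprotected. The following is an added example, not Venafi's tooling or anything from the Symantec or McAfee posts: it walks a directory tree, recognizes PEM private keys by their headers, and reports whether each key is passphrase-protected and whether its file mode lets other users read it. The sample file tree, file names, permission bits and key bodies are all constructed for illustration (the bodies are placeholder text, not real key material).

```python
"""Inventory private keys on disk and flag the unprotected ones (added example)."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# PEM headers for private keys: PKCS#1 RSA, SEC1 EC, DSA, OpenSSH, PKCS#8 plain
# ("PRIVATE KEY") and PKCS#8 encrypted ("ENCRYPTED PRIVATE KEY").
PEM_KEY_HEADER = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)
# Legacy OpenSSL marker for passphrase-protected PKCS#1/SEC1 keys.
LEGACY_ENCRYPTED = re.compile(rb"^Proc-Type: 4,ENCRYPTED", re.MULTILINE)


@dataclass
class KeyFinding:
    path: str
    kind: str                      # e.g. "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"
    encrypted: bool                # key material is passphrase-protected
    mode: int                      # permission bits of the file
    group_or_world_readable: bool  # anyone besides the owner can read the file

    @property
    def severity(self) -> str:
        # Plaintext key readable by other local users: anyone on the box can copy it.
        if not self.encrypted and self.group_or_world_readable:
            return "HIGH"
        # Plaintext key restricted to its owner: still copyable by that admin or root.
        if not self.encrypted:
            return "MEDIUM"
        return "LOW"


def inspect_key_file(path: str) -> Optional[KeyFinding]:
    """Return a finding if the file holds a PEM private key, otherwise None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(64 * 1024)  # PEM headers sit at the top; skip huge files
    except OSError:
        return None
    match = PEM_KEY_HEADER.search(data)
    if not match:
        return None
    kind = match.group("kind").decode()
    encrypted = kind.startswith("ENCRYPTED") or bool(LEGACY_ENCRYPTED.search(data))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return KeyFinding(path, kind, encrypted, mode, readable_by_others)


def scan_private_keys(root: str) -> List[KeyFinding]:
    """Walk `root` and collect a finding for every PEM private key, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_key_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


# Constructed sample tree (hypothetical layout; bodies are placeholders, not keys).
SAMPLE_FILES = {
    "web/server.key": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n"
                       b"-----END RSA PRIVATE KEY-----\n", 0o644),
    "signing/release.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                            b"DEK-Info: AES-256-CBC,00\n\nabcd\n-----END RSA PRIVATE KEY-----\n", 0o600),
    "signing/test.p8": (b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\n"
                        b"-----END PRIVATE KEY-----\n", 0o600),
    "web/server.crt": (b"-----BEGIN CERTIFICATE-----\nMIIC\n-----END CERTIFICATE-----\n", 0o644),
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temp directory and return it."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    for rel, (body, mode) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_private_keys(sample_root):
        state = "encrypted" if f.encrypted else "PLAINTEXT"
        print(f"{f.severity:6} {oct(f.mode):6} {state:9} {f.kind:22} "
              f"{os.path.relpath(f.path, sample_root)}")
```

Run against a real tree (for example an application's config and home directories) instead of the sample, and the HIGH and MEDIUM lines are the keys that an administrator or any co-tenant can copy without leaving a trace; the certificate file is correctly ignored because only private-key headers are matched. Treat the list as the input to the next step, moving those keys under controlled access, rather than as the fix itself.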

Data breaches can be costly to a company’s bottom line and reputation. Organizations should be motivated to protect sensitive data with encryption.

Epsilon, a company that conducts e-mail marketing campaigns, isn’t a household name, but its clients are: Best Buy, Kroger, Hilton and Marriott hotels, Target and Walgreens, just to name a few. Epsilon got a black eye, and 50 of its 2,500 clients had to do damage control, when its computers were hacked and the e-mail addresses of those clients’ customers were exposed. Much of the ensuing anxiety and negative publicity could have been avoided if Epsilon had encrypted the e-mail address data. It’s a relatively easy solution to avoid a big problem.

Given the hundreds of data breaches reported annually, organizations should be well motivated to protect sensitive, valuable and regulated data with encryption, but a troubling number of companies don’t. When data is encrypted, even if it is exposed to hackers they can’t do anything with it, because without the proper encryption keys and credentials accessing the data is nearly impossible. The caveat is that this holds only if the keys are stored and managed separately from the data and access to them is controlled; an attacker who takes the data store along with the keys that decrypt it gains as much as if nothing were encrypted.



Avoiding Compliance, Audit and Operational Risks. Are you Gambling a Successful Audit on Key Management Processes that Fail to Measure up?

You’ve probably met someone like Patrick—the password post-it scribbler. Whenever end-user Pat signs up for an online service, the registration process forces him to create a strong password with special characters. Frustrated with all of the complicated passwords that he has to track, Pat jots the password down on a post-it note, which he sticks to his computer screen—for anyone to find and use.

What would you think if Pat was managing your company’s data security—particularly, if your company must comply with data security regulations such as PCI DSS 2.0, SOX, HIPAA, GLBA, and the European Data Disclosure Act?



It seems like we’re infested, or at least so my wife tells me. Apparently the mice are everywhere, although I haven’t seen any myself. While running the domestic Anti-Virus program last weekend – the vacuum cleaner – she came across the tell-tale signs of mice.  So I was dispatched to the stores to buy the mouse destroyer – humane version of course, because no matter how much she hates the mice, we can’t kill them! We just collect them and relocate them to the neighbours!



Too Important Not to Fix: Ensuring Third-Party Trust in a Manual World

August 16th, 2011

Partially in response to Comodo’s recent admission that it issued imposter certificates for major sites like Google and Yahoo, Moxie Marlinspike, Whisper Systems CTO, is ready to call certificate authorities (CAs) too broken to fix. In an August 4 presentation at Black Hat, Marlinspike announced that he has developed a tool that allows browsers to bypass CAs and instead use a notary system to verify individual server certificates against cached copies.



Travel is part of our lives, and whether we do it for business or pleasure, one thing is certain: each time we step on an airplane, we are required to sit through the safety procedures. As someone who spends most of his life doing presentations, I now religiously pay attention to the cabin staff. I know I could stand up and do it word perfect myself, but I find that, if for no other reason than simple courtesy, I pay attention and maintain eye contact with the cabin staff.



Noted author, speaker and principal analyst Richard Stiennon sat down with Venafi CEO Jeff Hudson to discuss the real-world security, operational and compliance issues around encryption that enterprise organizations face today.

Jeff Hudson, CEO, Venafi from Richard Stiennon on Vimeo.



A company’s brand is among its most valuable assets. A strong brand—one known for providing quality solutions that add value—is essential for organizational success. Companies with the world’s most valuable and well-recognized brands will take on imposters and rivals in high-profile, expensive legal battles to protect their brands from illegal or improper use.

Yet, and I find this very ironic, these same brand stewards do relatively little to guard against the brand damage that comes when their public site goes down or when their customer or partner data is breached. The need for better oversight is not hypothetical. Major corporations like Lockheed Martin, L3, Epsilon, EMC, and others have recently been the subject of significant, mainstream press coverage regarding unauthorized access and data breaches.



I’ve just discovered this morning that I’m an illegal alien. My identity card (ID) expired two months ago, so I suppose technically I could be kicked out of the country where I’m currently resident. For obvious reasons I don’t want to mention the country until I resolve this small matter. And if that wasn’t bad enough, my wife is also an illegal – probably the first ‘illegal’ thing she’s ever done, so domestic panic has just taken hold: “We’ll be kicked out, never to see family or friends again!” I don’t think she appreciated my comment that every cloud has a silver lining.

So how did this suddenly come about? Well it seems something fell through the administrative cracks. We should have received a reminder three months prior to expiry, telling us that we would need to renew our residence permit. But for whatever reason, nothing arrived through the post, and since we’re not in the habit of checking our ID cards on a regular basis, it never occurred to us.
