Organized criminals are using encryption keys and digital certificates against you on a daily basis. We’ve all come to trust that we securely communicate with websites as we go about our daily online transactions. The green address bar in our browsers gives us a sense of confidence that the transfer of information is secure. However, many times when our browsers popup with a warning that something is wrong with the website certificate, we ignore it and proceed anyway. Cryptographic keys and certificates are the core of trust in digital communication. But what happens when that trust is used for nefarious action against you?
For years now organized groups have been using encryption keys and digital certificates to steal information. Stuxnet and Flame are two commonly known examples of malware that took advantage of weaknesses in MD5 and were signed by forged certificates. Why do this? To make the malware appear as if it comes from a legitimate source. In doing so the operating system will allow the installation of the malware without any warning.
One does not even need to go to the extent to forge a certificate. It’s much easier to simply steal one to sign the malicious code. So far, for the month of April, the Common Computing Security Standards (CCSS) forum has logged sixteen legitimate digital certificates associated with malware. Doesn’t sound too bad compared to the number of nodes on the internet, right? Wrong, take into account that there is an average of 200,000 new malicious programs found every day, the problem is quite serious!
If forging or stealing a digital certificate sounds like too much work, why not setup a fake company, and deceive a public certificate authority (CA) into issuing you a legitimate certificate? That is exactly what the creators of Brazilian banking malware did. A fake company was setup to successfully dupe the CA DigiCert into issuing the nonexistent company Buster Paper Comercial Ltda with a legitimate certificate. 1
The advent of new gTLDs makes obtaining a legitimate certificate all too easy for top level domain names. These new certificates can be used for man-in-the-middle attacks. Read more on gTLD security woes.
The Mandiant APT1 report (http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) released earlier this year showed that 100% of attacks identified were based on compromised credentials – from laptops to servers. Attackers are compromising and misusing keys and certificates used for authentication all the time. They are using keys and certificates to encrypt Command & Control traffic. It’s no surprise that every organization surveyed by the Ponemon Institute has had to respond to at least 1 attack on keys and certificates over the last 2 years.
Despite the multi-layer defense in depth strategies deployed by organizations, we clearly see that targeted attacks are taking advantage of trust, breaking it down, and using it against us. We need new strategies to protect our data—the new currency.
In an effort to address the breakdown in trust, earlier this month the National Institute of Standards and Technology (NIST) released a baseline set of security controls and practices to support the secure issuance of certificates. This is specifically aimed at CAs as a result of analysis of the continuous security breaches showing “insufficient security controls being in place on the computer systems and networks at these CAs, and sometimes exacerbated by weak record keeping” (http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf).
One in five organizations expect to respond to an attack related to encryption keys and digital certificates in the next two years. Attackers are looking two things: 1) where there is little visibility of a vulnerability 2) there is little ability to respond. On average, enterprises have over 17,000 keys 3. Sixty percent of attendees at RSA2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates.
Trust can only be established and maintained if you have a clear understanding where your organization is vulnerable, and are able to respond to an attack—they are inevitable—with the least amount of damage. To do this you need to understand the source of the encryption keys and certificates, how they are being used, and managed.
With a clear understanding and control over your key and certificate inventory you can trust in the internet, and respond to the rise in malware that takes advantage of keys and certificates.