
“Make Encryption Boring Again” [Encryption Digest 21]

December 5, 2019 | Katrina Dobieski

We don’t want to think about it.

When something needs our attention, tell us about it; but no bells and whistles for what should come standard. At least that is what Scott Helme argues when it comes to encryption: why he believes internet-wide safety shouldn’t need a green padlock to announce itself, and what has already been done to get us there. Also, Google has sent thousands of warning emails to users at risk of being phished by the Russian state-backed group Sandworm, for the third year in a row. Discover why you should really protect your code signing keys, and learn how Macy’s fell victim to a card skimming attack that should have been stopped at the door.



Russian-Backed Sandworm Keeps Phishing You. Successfully.

For the third year in a row, Google’s Threat Analysis Group (TAG) has sent out roughly the same number of “you might be phished by a state-sponsored hacking group” emails to thousands of YouTube, Drive and Gmail users in dozens of countries.

For the third year in a row, the Russian state-backed group known as Sandworm (also tracked as Telebots, Quedagh Group, BE2 APT, BlackEnergy and Iridium, among other names) has gone phishing with credential-baiting emails.

For the third year in a row, people continue to fall for it. So watch out.

In one case, an unfortunate employee opened a deceptive email (sender names have included the lookalike “Goolge”) and was conned into handing over code signing credentials. With these, Sandworm was able to build a backdoor into an otherwise clean app and sign it so that it passed as legitimate.

Kevin Bocek, Threat Intelligence VP at Venafi, elucidates: “As more and more hackers see the potential of malicious code signing, and the ease of misusing keys and certificates, we'll see more of these attacks. We must ensure that, in the software build process, code signing and machine identities are protected.”

As the group capitalizes on stolen credentials, Google has identified targeted individuals in 149 countries who may have drawn the eye of these Russian operators.

Best advice? Stay alert. Let’s do everything we can to avoid a fourth year.





"Make Encryption Boring Again”

Scott Helme argues that we shouldn’t alert people when things on the internet are fine, we should alert them when things on the internet are wrong.

That makes sense.

In his address at the SANS and NCSC Cyber Threat conference in London, Scott Helme argued that encryption should not be the exception, but the rule. "We need it to become so ingrained and embedded into everything that we do that it's boring ... Encryption should be the boring default.”

Comparing it to a car’s dashboard, he noted that a warning light flashes only when something is amiss, not when the car is running normally.

And therein lies the problem.

When the web came about, no encryption was the norm. As part of a long-running push to change that narrative, Helme says, "The lack of encryption on the web is actually a bug. And what we're doing now isn't adding a new feature for an improvement or a new thing: we're going back and fixing a mistake we made in the beginning."

Several steps have already been taken, including the much-lauded TLS 1.3 update, the migration from HTTP to HTTPS, and Mozilla’s decision to roll out DNS over HTTPS (DoH) in Firefox (whose full merits are still being debated). The point is that the issue is being recognized, and that the InfoSec community is leading the charge.

Ironically, some of the “encrypt the internet” movement’s most devoted followers are unlikely candidates. As the green padlock has become synonymous with trust in users’ minds, bad actors are quick to take advantage: buying TLS certificates on the dark web and registering legitimate-looking, HTTPS-protected domains for their phishing pages. The padlock only ever meant that the connection is encrypted and the certificate matches the domain name; it says nothing about who is behind that domain, which is exactly why Helme wants it to stop being a signal at all.

"Cyber criminals started to use HTTPS and their trust scores can be higher than normal websites, they really care about this stuff," commented James Lyne, CTO at SANS Institute.

Hopefully the rest of the web’s users aren’t too far behind.




Macy’s POS Site Possibly Unencrypted – 1 Week of Card Skimming

“All I want for Christmas are the 3 numbers on the back of your card.”

And for many happy hackers this season, that might just happen.

Macy’s, the billion-dollar retailer, suffered a week of blatant card skimming on the POS site it uses to process transactions. The site involves an as-yet-unnamed third party, and an unencrypted sales portal appears to be a likely cause of the breach.

According to Charity Wright, cyber threat intelligence advisor with IntSights, a website passing credit card information in 2019 without encryption is asking for trouble.

Two pages of the retailer’s site were infected with card-skimming code, and the data lost included, as expected, sensitive payment information.

"The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two pages: the checkout page - if credit card data was entered and "place order" button was hit; and the wallet page - accessed through My Account," the company wrote.

"The threat actors are going after those unencrypted sources for credit card data, stealing them and then selling them on the dark web,” says Wright.

Unfortunately, the worst isn’t over. The long-tail effects may only be beginning, but here are some ways to stay smart.

With all the loose information obtained in the sweep (bank details, card numbers, personal contact information), those affected may yet bear the brunt of further phishing campaigns as the attackers capitalize on the scare. Malicious sites designed to skim more information may masquerade as legitimate remediation pages from Macy’s or the victim’s bank, and the value of the information already out there doesn’t diminish.

For retailers wanting to avoid a similar fate, Monique Becenti, channel and product specialist at SiteLock, suggests using TLS/SSL certificates, which protect information in transit between the shopper’s browser and the eCommerce server. Third-party audits and basic encryption of POS systems remain best practices. One caveat for practitioners: skimming code that runs inside the checkout page itself, as in the incident described above, reads the card fields before the browser encrypts the request, so encryption in transit does not stop it on its own. It has to be paired with tight control over which scripts are allowed to run on payment pages, third-party code included.

Wright hopes Macy’s will become an example to other retailers that use third-party POS vendors. She suggested they lead "by saying that in order to work with us or work with our IT infrastructure, you have to follow all of these security protocols."

In either event, encrypting POS traffic, like encrypting internet traffic, should be standard.
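As an added example (this is not code from the post, from Macy’s, or from any of the vendors quoted), the following JavaScript models the kind of checkout-page skimmer described above and shows why encryption in transit does not help against it: the injected script copies the card fields the moment “place order” is hit, before the browser ever encrypts the request. It also includes the control the caveat above calls for, an allowlist check of the script origins loaded on a payment page. Everything here is constructed for the example: the form object stands in for the DOM, the card data and script URLs are made up, and the function names (`makeCheckoutForm`, `installSkimmer`, `unexpectedScripts`, `demo`) are my own.

```javascript
// Added example, not from the original post or from Macy's: a minimal model
// of a checkout-page skimmer and a script-origin allowlist check.
// No real DOM or network is involved; the form, card data and script list
// are all constructed for the example.

// Constructed stand-in for the checkout form on a payment page.
function makeCheckoutForm() {
  const submitListeners = [];
  return {
    fields: {
      name: "A. Shopper",              // constructed sample data
      card_number: "4111111111111111", // a well-known test PAN
      expiry: "12/24",
      cvv: "123",
    },
    addEventListener(type, fn) {
      if (type === "submit") submitListeners.push(fn);
    },
    // Models the "place order" click: page scripts run first, and only then
    // would the browser TLS-encrypt the POST. Encryption comes after the
    // listeners, so anything they read is already in the clear.
    submit() {
      for (const fn of submitListeners) fn({ target: this });
      return { encryptedInTransit: true, payload: { ...this.fields } };
    },
  };
}

// The injected skimmer: it hooks submit and copies the card fields out of the
// page before any encryption happens. `exfil` is whatever sink the attacker
// controls; here it is a plain callback so the example stays offline.
function installSkimmer(form, exfil) {
  form.addEventListener("submit", (ev) => {
    const f = ev.target.fields;
    exfil({ pan: f.card_number, exp: f.expiry, cvv: f.cvv });
  });
}

// Defensive check: every script origin loaded on a payment page must be on an
// explicit allowlist. Anything else (an unknown third-party host, a data: URL,
// a malformed src) is returned for review.
function unexpectedScripts(scriptSrcs, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return scriptSrcs.filter((src) => {
    try {
      return !allowed.has(new URL(src).origin);
    } catch {
      return true; // unparsable src: treat as unexpected
    }
  });
}

// Runs the scenario end to end and returns what each side saw.
function demo() {
  const stolen = [];
  const form = makeCheckoutForm();
  installSkimmer(form, (rec) => stolen.push(rec));
  const shipped = form.submit();

  // Constructed script inventory for the checkout page. The allowlist is an
  // assumption for the example, not any retailer's real configuration.
  const pageScripts = [
    "https://www.example-retailer.test/js/checkout.js",
    "https://cdn.example-retailer.test/js/analytics.js",
    "https://skimmer-cdn.example/js/wallet.js", // constructed unknown third party
  ];
  const allowed = [
    "https://www.example-retailer.test",
    "https://cdn.example-retailer.test",
  ];

  return { stolen, shipped, flagged: unexpectedScripts(pageScripts, allowed) };
}

// Run directly with node to see the captured fields and the flagged script.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `demo()` shows both things at once: the request the merchant receives is flagged `encryptedInTransit: true`, yet the skimmer's sink already holds the PAN, expiry and CVV, and the only script the allowlist check flags is the unknown third-party host. The point of the check is that it runs against the page as actually served, so an extra script slipped in by a compromised vendor shows up even when the shopper's padlock is green.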


