Current security controls at most enterprises are being undermined at this very moment and their security teams might not even know it. Compromised digital keys and certificates weaken the protective capabilities of data loss prevention, next-generation firewalls, strong authentication, sandboxing and other security systems. And most importantly, key and certificate misuse, whether malicious or accidental, can damage the trust that is essential in today’s digital world.
Mobile apps, cloud platforms, websites and virtually anything that’s software, hardware or Internet enabled—including the Internet of Things—rely on digital certificates and cryptographic keys to create the trust that is the foundation of our global economy. When SSL/TLS certificates are forged or compromised, they undermine controls that secure the data of millions of people on the Internet, during online transactions or when transmitting confidential information.
Recent attacks on global enterprises demonstrate the devastating impact a certificate-based breach can have on an organization—from lost productivity and revenue to lawsuits and a loss of trust. To gain access to valuable information, attackers mask their true identities using keys and certificates and hide their actions within encrypted data. Once they attain stolen SSL/TLS certificates, cybercriminals are free to perform spoofing, man-in-the-middle (MITM) attacks, surveillance, and other exploits that result in stolen data.
SSL/TLS traffic comprises a significant percentage of the total web traffic today, and it’s growing fast. In fact, 25% to 35% of all enterprise network traffic is encrypted with SSL/TLS, and experts believe that figure is growing at a rate of 20% per year. With the continuing adoption of open-source SSL-Everywhere, that percentage is expected to rise exponentially.
Cybercriminals steal these digital certificates from companies using malware such as Trojans, or buy stolen certificates on the black market. In a single month in 2013, security vendor Symantec found over 800 different Trojans designed to steal keys and certificates. When the Mask malware was discovered in 2014, it had already been stealing keys and certificates for more than seven years—and this is just one example of the thousands of malware variants designed for this purpose.
As the supply of stolen certificates grows, so will the attacks that rely on them. Stolen certificates are fetching up to $980 each in Russian underground markets—400 times the value of a stolen credit card number. According to Intel, stealing certificates is becoming the next big underground market.
Armed with these trusted SSL/TLS digital certificates, cyber thieves undermine enterprise security controls to spoof servers and divert traffic to their computers, eavesdrop on sensitive communications, and launch man-in-the-middle (MITM) attacks. By the time an enterprise discovers and prevents one avenue of attack, thieves have moved on to another. One common misuse of these stolen SSL/TLS certificates is the SSL stripping attack.
In a two-part blog series, we cover the basics of SSL stripping attacks. The Internet is secured by the HTTPS protocol, but in an SSL stripping attack, that layer of protection can be peeled away by cybercriminals, leaving users exposed.
"[SSL stripping] takes advantage of the way most users come to SSL websites. The majority of visitors connect to a website’s page that redirects through a 302 redirect, or they arrive on an SSL page via a link from a non-SSL site. If the victim wants, for instance, to buy a product and types the URL www.buyme.com in the address bar, the browser connects to the attacker machine and waits for a response from the server. In an SSL Strip, the attacker, in turn, forwards the victim’s request to the online shop’s server and receives the secure HTTPS payment page...
At this point, the attacker has complete control over the secure payment page. He downgrades it from HTTPS to HTTP and sends it back to the victim’s browser. The browser is now redirected to http://www.buyme.com. From now onward, all the victim’s data will be transferred in plain text format, and the attacker will be able to intercept it. Meanwhile, the website’s server will think that it has successfully established the secure connection, which indeed it has—but with the attacker’s machine, not the victim’s.
Stripping away the encryption offered by HTTPS [SSL stripping] is a serious cyber threat to many corporations since their employees are constantly on the move and require access to the Internet on the go, even through open, non-secure Wi-Fi hotspots. Once attackers gain access to a network, they can act as a Man-in-the-Middle (MITM) to intercept connections over the network (as we've seen above). These interception tactics can also be deployed against wired networks, provided that someone gains access to an Ethernet port."
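The quoted passage shows why the downgrade works: the victim's first request goes out over plain HTTP, and the site relies on a 302 redirect to move the browser to HTTPS, which a man-in-the-middle can simply withhold. The defender's counter is to make sure the HTTP hop is a direct redirect to HTTPS on the same host and that the HTTPS response carries a Strict-Transport-Security (HSTS) header, so returning browsers never issue the strippable plain-HTTP request at all. The following Python script is an added example written for this post, not code from the original article or from any vendor; it parses an HSTS header and evaluates a site's downgrade exposure from the HTTP status/Location and HTTPS headers a defender would capture with a client or proxy. The host name `shop.example`, the two sample responses, and the six-month max-age threshold are constructed assumptions for the example.

```python
"""Assess a site's exposure to SSL stripping from its HTTP and HTTPS responses.

Added example, not code from the original post. Inputs are the pieces of two
responses a defender would capture: what http://host/ answered (status and
Location) and the headers https://host/ returned. Sample data is constructed.
"""
from urllib.parse import urlsplit

# Threshold used by this example (assumption): an HSTS max-age shorter than
# six months is flagged as weak, since the policy expires between visits.
MIN_HSTS_MAX_AGE = 180 * 86400  # 15552000 seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive (RFC 6797); unknown directives are
    ignored. A malformed max-age is reported as None rather than raising.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            try:
                result["max_age"] = int(arg)
            except ValueError:
                result["max_age"] = None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_strip_exposure(host, http_status, http_location, https_headers):
    """Return a list of findings describing how a first-visit browser could be
    kept on plain HTTP for `host`. An empty list means no exposure was found.
    """
    findings = []
    headers = {k.lower(): v for k, v in https_headers.items()}

    # 1. The plain-HTTP hop (the 302 in the quoted attack). It must redirect
    #    straight to https:// on the same host; serving content on HTTP or
    #    redirecting elsewhere leaves the session in the clear.
    if http_status in (301, 302, 307, 308):
        target = urlsplit(http_location or "")
        if target.scheme != "https":
            findings.append("http-redirect-not-to-https")
        elif target.hostname and target.hostname.lower() != host.lower():
            findings.append("http-redirect-leaves-host")
    elif http_status == 200:
        findings.append("http-serves-content-without-redirect")
    else:
        findings.append("http-unexpected-status-%d" % http_status)

    # 2. HSTS. Without it every fresh visit starts with the strippable hop,
    #    however correct the redirect is.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            findings.append("hsts-max-age-missing")
        elif policy["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("hsts-max-age-short")
        if not policy["include_subdomains"]:
            findings.append("hsts-no-includesubdomains")
    return findings


# Constructed sample responses for a hypothetical shop (not real captures).
WEAK_SITE = {
    "host": "shop.example",
    "http_status": 302,
    "http_location": "https://shop.example/",
    "https_headers": {"Content-Type": "text/html"},
}
HARDENED_SITE = {
    "host": "shop.example",
    "http_status": 301,
    "http_location": "https://shop.example/",
    "https_headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    },
}

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, assess_strip_exposure(**site))
```

The weak sample is exactly the setup in the quoted passage: its 302 to HTTPS is correct, yet with no HSTS header the result is `['hsts-missing']`, because every first visit still begins with a plain-HTTP request the attacker can answer. The hardened sample returns an empty list. Running the same checks from outside the corporate network, where employees actually connect, is what catches the exposure before an attacker does.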
SSL/TLS attacks are growing in number because of a lack of effective digital key and certificate management. According to the Ponemon Institute, enterprises typically have in excess of 17,000 encryption keys and certificates. Yet most of these organizations lack visibility into how their digital certificates are used or abused within their networks.
Today’s cybercriminals take many forms, but those using digital certificates and keys are financially motivated and are targeting proprietary information. For the most part, skilled professionals are behind the latest SSL/TLS-related security threats. They range from commercially interested cybercriminals who may be part of a larger crime syndicate to espionage perpetrators intent on collecting information that can be used for business purposes.
These intelligence-collection campaigns can also support state intelligence priorities that may be gathering information to provide political, economic, diplomatic, and military advantages. Other players behind key and certificate misuse are motivated by various ideologies, religions, and regional sentiments. Whatever their motivation, all of these players pose a significant threat to enterprise trust and security.