Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:04 PM
Kevin Bocek
Kevin Bocek
Connect Directly
E-Mail vvv

The Week When Attackers Started Winning The War On Trust

The misuse of keys and certificates is not exotic or hypothetical. It's a real threat that could undermine most, if not all, critical security controls, as recent headlines strongly show.

There are always surprises in the field of cyber security. But this past week, something different seemed to happen that is really disconcerting. We saw four major news stories about how adversaries’ campaigns and methods hit the web with one common theme: The trust established by cryptographic keys and digital certificates is being misused everywhere.

What actually happened?

First, Kaspersky released a report on DarkHotel -- a very effective APT campaign enabled by dozens of misused digital certificates used to target traveling executives using hotel WiFi networks. These executives thought they were transmitting data privately, in an authenticated way, but the malware operators used compromised certificates to get in between unsuspecting executives and their businesses.

Then researchers at the University of Maryland issued interesting research on Heartbleed that verified what we at Venafi have been saying all along: You have to change all the keys and certificates. These UMD researchers found that within 3 weeks of the Heartbleed incident, at least 87% of certificates had not been fully remediated (private keys changed, certificates reissued, and bad ones revoked). It’s not an option to ignore Heartbleed any longer. The Community Health Systems breach subsequently demonstrated how exploiting Heartbleed-vulnerable certificates is not theoretical. Attackers will choose when and where to use their exploits. What are people waiting for?

Next came the news of WireLurker, a malware Trojan targeting iOS where the keys and certificates used to sign apps for an iOS enterprise app store were compromised. With this new threat, attackers can load software onto an Apple device that isn’t jailbroken. This is no surprise to anyone watching changes in the threatscape. Intel Security has been raising this issue since at least 2013: “The rapid escalation of malicious signed binaries quarter-over-quarter and year-over-year brings into question the viability of the Certificate Authority model.”

Finally, news broke earlier this month that, for a mere $0.65, researchers (and guaranteed bad guys) can perform collisions needed to compromise a digital certificate using an Amazon Web Services EC2. In this instance, the crypto-attack was against the widely used MD5 algorithm. And it only took 10 hours using a single instance. Remember Flame? The exploit of the Windows update service using a compromised certificate? Unfortunately, this is not just a problem for Microsoft. In every Global 2000 organization Venafi works with, we still find vulnerable MD5 certificates leaving the door open to very powerful spoofing and man-in-the-middle attacks.

This is important because ...
All of these news stories should be a serious wake-up call for the infosec industry. The threatscape has changed. Attackers need trusted status, and they know they can get it by misusing keys and certificates. What else does this mean? Unfortunately, it means almost every single security control that you’ve spent millions on to protect your network, apps, and data can be undermined and circumvented.

Why? Because hackers know they can get around your strong authentication with spoofing and man-in-the-middle attacks. They know you can’t decrypt all incoming SSL traffic and can’t see their new attack because your threat detection systems don’t have all of the keys to decrypt traffic. They know your privileged access management systems don’t know the difference between a good and rogue SSH keys. They know all of your data protection systems can be foiled with the compromise of just one SSL key and certificate that won’t be changed for years.

[Read about how to Stop Trusting Signed Malware in three steps.]

The foundation of trust of our digital systems -- from banking, to the cloud, to mobile apps, to your business -- is all based on keys and certificates, and it's under attack. It may appear that the world is coming to an end. Some have wondered, is the cryptoapolcalypse upon us? No, it’s not. But the threatscape has changed, and we all need to respond. Edward Snowden’s comment from earlier this year is just one example of how we’re waking up to this problem: To circumvent security like encryption, the best method is to “try to steal their keys and bypass the encryption. That happens today and that happens every day. That is the way around it.”

I know many CISOs, security architects, and security operations teams will continue to spend more money on strong authentication, DLP, threat detection, SSL traffic decryption, privileged access management, and more. However, if we continue to blindly trust keys and certificates -- if we don’t know how many we have, don’t know what they’re used for, can’t enforce policy, can’t detect anomalous certificates, can’t safely deliver them to threat detection systems to inspect traffic, and can’t replace one or many in seconds, not weeks (incident response teams: remember Heartbleed?), then we’ll continue to undermine and devalue all other critical security controls. It’s why the SANS20 Critical Security list has been updated to now include guidance on securing keys and certificates. It’s why the PCI Security Standards Council considered it a high priority in 2015 Special Interest Group selection to improve security for cardholder data.

Over the last month I’ve met with CISOs and their teams from Berlin to Sydney. The message is the same: The threatscape has changed and the risk posed by the misuse of keys and certificates is very high. CISOs, security architects, and security operations teams need to wake up and realize the root of the problem: You simply can no longer blindly trust certificates. Gartner’s Neil MacDonald simply described this as “living in a world without trust” where “certificates can no longer be blindly trusted” -- a reality that security professionals cannot tolerate if we expect to stay ahead of the bad guys and defend our businesses and customers.

Kevin Bocek is Vice President of Security Strategy and Threat Intelligence at cyber security firm Venafi. He is responsible for Venafi's product positioning, go-to-market strategy, and sales enablement. He brings more than 15 years of experience in encryption and key ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/24/2014 | 8:04:16 AM
current practice skips the Critical Step: recognition
the current practice of blasting x.509 certificates out to browsers en masse skips the critical step in security: recognition.

an invalid certificate or incorrectly selected certificate may look "OK" -- but most of us will be unable to tell if the XYZ Company or the X Y Z Company -- is the correct certificate.      combine this with the habit of companies to change things around on occasion and the safety of the x.509 certificate is reduced to Hope and Prayer.

x.509 certificates should be broadcast with magninal trust only.

each of use should vet the certificates we need to use on critical applications -- and then countersign the certificate, bringing it to Full Trust.

Vendors have been attempting to automate the x.509 for customers.   But they have made a mess by skipping the Critical Step.

Places like Credit Unions and other Financial offices would provide the  "fingerprints"  needed to verify a certificate.
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below We recommend to update to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions o...