- Email: [email protected]
Encryption's Weakest Link
Column Matthew Pascucci, analyst
Hackers understand security awareness better than anyone else
44
Encryption’s Weakest Link Matthew Pascucci As everyone in information security already knows, our field is constantly evolving. The hackers have changed from attacking the perimeter to attacking the users. Now they’re taking the user attack to a whole new level. During the past year we’ve seen security vendors, specifically those offering encryption services like Comodo, DigiNotar and RSA, become victims of targeted advanced persistent threat (APT) attacks. These particular hacks seem to lean toward a dangerous new trend in the security community: attacking the encryption vendors. These attacks on the vendors weren’t intended to release personal identifiable information (PII) or embarrass them, like we’ve seen with the onslaught of hacktivist activity over the past few months. Instead these attacks were aimed at what the vendors are offering – encryption and authentication services. All three of these attacks were hacks that were used as spring boards to attack more people and organizations. By granting themselves illegitimate access to vendor services, hackers have essentially opened up the ability to scam people on a wider scale. Not only are they able to attack a broader swath of people, but the companies and users that employ these services are now unwilling to trust encryption vendors whole-heartedly. When someone sees an SSL certificate or token authentication that’s worked securely in the past, they automatically assume they are secure – no one assumes that these might be counterfeit. The hackers understand security awareness better than anyone else. They know we tell users to employ multi-form-factor authentication to stay secure, or to verify that a site is HTTPS before entering confidential information. Hackers then use this education against us by circumventing the services that we’ve promoted. What we’re seeing here is a paradigm shift in the thinking of hackers. They know they can’t crack the encryption, so what do they do? They steal it (in the case of RSA) or hack into a vendor and issue their own certificates (for example, DigiNotar and Comodo). They know that we heavily rely on encryption and that it’s used to secure communication between most major organizations and popular websites. Our trust in these services has been a major reason that hackers have started targeting them. Not only are these attacks highly technical, but they play off the user’s emotions. They’re taking advantage of the human element of trust for their own malicious benefit, and without this misconception the exploit wouldn’t be as effective. We’ve seen this in the past with phishing and malicious SEO optimization, but these attacks on encryption vendors use security that white hats keep preaching is safe to their users. This just sets the targets up for a harder fall. So what happens now? We need to start taking a better look at the internal security of these encryption service providers. Obviously internal audits have failed these companies and are ineffective when they’re used as check boxes. Should there be regulation that holds companies offering encryption services to a higher standard? I for one think that companies offering authentication/encryption services already should have been held to such a standard. If these vendors can’t secure their own infrastructure, then it’s not only affecting them, but anyone that relies on their services to protect data. In the case of DigiNotar, which was in gross negligence, should they be considered responsible for getting hacked? If a company is selling services to protect others, but leaves these services completely vulnerable, then they should have sanctions placed on them until the issues are resolved. Don’t get me wrong, there will always be hacks into a system, but when you’re not held to a higher standard, companies will get complacent, not compliant. Either way, other encryption or security vendors – in general – should take notice of these attacks and tighten their security belts. They’ve been given a pass, for now.
NOVEMBER/DECEMBER 2011
Hackers understand security awareness better than anyone else
44
Encryption’s Weakest Link Matthew Pascucci As everyone in information security already knows, our field is constantly evolving. The hackers have changed from attacking the perimeter to attacking the users. Now they’re taking the user attack to a whole new level. During the past year we’ve seen security vendors, specifically those offering encryption services like Comodo, DigiNotar and RSA, become victims of targeted advanced persistent threat (APT) attacks. These particular hacks seem to lean toward a dangerous new trend in the security community: attacking the encryption vendors. These attacks on the vendors weren’t intended to release personal identifiable information (PII) or embarrass them, like we’ve seen with the onslaught of hacktivist activity over the past few months. Instead these attacks were aimed at what the vendors are offering – encryption and authentication services. All three of these attacks were hacks that were used as spring boards to attack more people and organizations. By granting themselves illegitimate access to vendor services, hackers have essentially opened up the ability to scam people on a wider scale. Not only are they able to attack a broader swath of people, but the companies and users that employ these services are now unwilling to trust encryption vendors whole-heartedly. When someone sees an SSL certificate or token authentication that’s worked securely in the past, they automatically assume they are secure – no one assumes that these might be counterfeit. The hackers understand security awareness better than anyone else. They know we tell users to employ multi-form-factor authentication to stay secure, or to verify that a site is HTTPS before entering confidential information. Hackers then use this education against us by circumventing the services that we’ve promoted. What we’re seeing here is a paradigm shift in the thinking of hackers. They know they can’t crack the encryption, so what do they do? They steal it (in the case of RSA) or hack into a vendor and issue their own certificates (for example, DigiNotar and Comodo). They know that we heavily rely on encryption and that it’s used to secure communication between most major organizations and popular websites. Our trust in these services has been a major reason that hackers have started targeting them. Not only are these attacks highly technical, but they play off the user’s emotions. They’re taking advantage of the human element of trust for their own malicious benefit, and without this misconception the exploit wouldn’t be as effective. We’ve seen this in the past with phishing and malicious SEO optimization, but these attacks on encryption vendors use security that white hats keep preaching is safe to their users. This just sets the targets up for a harder fall. So what happens now? We need to start taking a better look at the internal security of these encryption service providers. Obviously internal audits have failed these companies and are ineffective when they’re used as check boxes. Should there be regulation that holds companies offering encryption services to a higher standard? I for one think that companies offering authentication/encryption services already should have been held to such a standard. If these vendors can’t secure their own infrastructure, then it’s not only affecting them, but anyone that relies on their services to protect data. In the case of DigiNotar, which was in gross negligence, should they be considered responsible for getting hacked? If a company is selling services to protect others, but leaves these services completely vulnerable, then they should have sanctions placed on them until the issues are resolved. Don’t get me wrong, there will always be hacks into a system, but when you’re not held to a higher standard, companies will get complacent, not compliant. Either way, other encryption or security vendors – in general – should take notice of these attacks and tighten their security belts. They’ve been given a pass, for now.
NOVEMBER/DECEMBER 2011