Fake SSL Certificates Uncovered: The Tip of the Iceberg and Weaponized Trust
Published 02/19/2014
KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI
Cybercriminals are moving faster than we think to weaponize the core element of trust on the Internet: digital certificates. The many fake certificates identified by Netcraft are just the tip of the iceberg. Cybercriminals are amping up their attacks on trust because the results are so powerful.
Already over a quarter of Android malware is enabled by compromised certificates, and there are hundreds of trojans infecting millions of computers designed to steal keys and certificates for resale and criminal use. Today a stolen certificate is worth over 500 times more than a credit card or personal identity.
By attacking the trust established by digital certificates, cybercriminals aren’t making a quick hit. No, their intent is to own their target. Fake, compromised, stolen, misused, illicitly obtained certificates give cybercriminals the power to impersonate, surveil, and monitor—and to do so undetected.
Just recently The Mask group infiltrated hundreds of organizations. The group’s malware stole encryption keys, digital certificates, and SSH keys. While their collection efforts have just now been identified and stopped after 7 years, the real impact is yet to come.
The attackers now own thousands of keys and certificates and as a result own the networks, servers, and applications of the breached. They can impersonate websites with stolen keys and certificates and have root-level access with SSH keys. It is game over for these breached organizations if they don’t fight back and change all of their keys and certificates immediately.
If businesses and governments don’t get a handle on the ways they are using certificates and can’t respond to these attacks, we all might as well be investing in bulldozers. Our data centers are worthless when the basic, foundational element of trust on the Internet—digital certificates—is compromised.
We can’t tell the good from the bad and so just need to bulldoze and start anew. But we don’t have a replacement technology for digital certificates, so we have to stand and fight. Otherwise, the reality Gartner painted of “living in a world without trust” will come true (Gartner ID: G00238476).