Mad Max Here We Come: Heartbleed shows how much we blindly trust keys and certificates (and take them for granted)
Blog Article Published: 04/10/2014
KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI The race is on to respond and remediate by replacing keys and certificates in use with millions of applications because patching won't help. The world runs on the trust established by digital certificates and cryptographic keys. Every business, every government. It’s the way the architects of the Internet solved the problem of securing data, keeping communications private and knowing a server, device, cloud is authenticated. Because keys and certificates provide the foundation for almost everything we know in our highly digital world, if you attack the trust established by keys and certificates then all our other security defenses become at best less effective. At worst completely ineffective. It's why Forrester Research found: "Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates then that can provide an attacker trusted status that evades detection." We’re now seeing how a single vulnerability in OpenSSL named Heartbleed, present since 2011 and in use with tens of thousands of applications that make commerce and communications work online and offline, exposes keys and certificates to attack and compromise. Yes, it exposes the keys and certificates that every business and government use to bank, purchase, and communicate with online and offline. And it doesn't require an attacker to breach firewalls and other security defenses! The Cryptopocalypse has arrived, and it's probably much sooner and worse than researchers at Black Hat 2013 dreamed of. The scope of the problem is massive: just one application that uses OpenSSL, Apache, is used to run 346M public websites or about 47% of the Internet today. And the problem is even larger since this doesn't include the tens of millions of behind-the-firewall applications, devices, appliances, and things that run Apache and use OpenSSL. And it's just one application that relies on OpenSSL. The consequences of this vulnerability and exposure of keys and certificates is scary. Attackers can spoof trusted websites and decrypt private communications. Accomplish this and it's game over, cybercriminals win. Live Webinar: Remediating Heartbleed Vulnerability — Register Now Researchers that identified the vulnerability sum up the impact simply: "Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed." You must assume keys and certificates are compromised and immediately replace them to remediate. While the vulnerable code has been fixed, sadly most organizations will remain vulnerable. They are unable to change out their keys and certificates — the thousands of keys and certificates in every Global 2000 enterprise and modern government. The continued exposed vulnerability means attackers can spoof legitimate websites or decrypt private communications. But, this isn’t the first attack of keys and certificate and it won’t be the last. We’ve seen APT groupsstealing keys and certificates, most recently the Mask APT group, breached organizations not remediating to change keys and certificates, and remaining owned by the attackers. The infamous Stuxnet attacks used stolen certificates to attack Iran nuclear facilities. And as a leaked NSA memo showed, Edward Snowden used compromised keys and certificates to execute his breach of the NSA. All of this and more is why back in December 2012 Gartner concluded: "Certificates can no longer be blindly trusted." Now Heartbleed. The success in using compromised keys and certificates has proven there will be only more attacks and more vulnerabilities. The value of IT security is measured in how fast security teams can respond and remediate – to create new, trusted and uncompromised keys, revoke current certificates, create new trusted certificates, and get them installed and trusted before they can be misused. It's not, as some have understood, about how can we setup a good process to optimize procedures and best practices. Nor is it just about patching software. The researchers that exposed Heartbleed further identified the requirements to remediate: "revocation of the compromised keys and reissuing and redistributing new keys." Respected John Hopkins cryptographer Matthew Green explained further: "It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one." Live Webinar: Remediating Heartbleed Vulnerability — Register Now
Respond & Remediate Now Before It's Too LateThe clock is on. Our adversaries know about these vulnerabilities. Following the example set by NIST's guidance on responding to a CA compromise, remediation for keys and certificates can be simplified as:
- Know where all keys and certificates are located
- Revoke, replace, install, and verify keys and certificates with new ones
Mad Max Here We Come: Heartbleed shows how much we blindly trust keys and certificatesThe stage is set: attackers know that we can’t secure the trust that everything digital we know depends upon — we can’t secure keys and certificates and we can’t respond and remediate when attacked. The world Gartner painted — an almost Mad Max world — of “Living in a World Without Trust” is about to become reality if we don't take securing keys and certificates seriously, and put automated capabilities in place to respond and remediate immediately. One thing is for certain: this won't be the last time we're in this same position and need to respond quickly. Contact Venafi now to get help responding and remediating to Heartbleed and be ready for attacks to come on keys and certificates.
Share this content on your favorite social network today!