The Week When Attackers Started Winning The War On Trust by Kevin Bocek.
Kevin details four news stories:
- DarkHotel: Intercepted traveling executive traffic.
- Heartbleed requires changing all keys and certificates. At least 87% have not been changed.
- WireLurker, a malware Trojan targeting iOS.
- MD5 certificates broken for $0.65
And concludes:
This is important because …
All of these news stories should be a serious wake-up call for the infosec industry. The threatscape has changed. Attackers need trusted status, and they know they can get it by misusing keys and certificates. What else does this mean? Unfortunately, it means almost every single security control that you’ve spent millions on to protect your network, apps, and data can be undermined and circumvented.
Kevin has a good argument. The compromise of identity (identity being a favorite theme of topic maps) strikes at the first assumption of any security system: that an identified user has a right to be on the system. Once an intruder gets past that hurdle, damage will follow.
Kevin advises us to stop blindly trusting certificates and keys. OK, then what?
In a separate post from April of this year, Kevin advises:
- Know where all keys and certificates are located
- Revoke, replace, install, and verify keys and certificates with new ones
Not without difficulty, particularly if you don’t know where all the keys and certificates are located, but necessary steps nonetheless.
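The first of those two steps, knowing where every certificate is and which ones need action, can be started with an inventory pass. The Go program below is an added example, not code from the post or from Kevin: it parses each PEM bundle as found on disk, records its path and SHA-256 fingerprint, and flags the two failure modes the stories describe, an MD5-signed certificate and one issued before Heartbleed was disclosed (7 April 2014, assumed here as the cutoff). The self-signed sample certificate is constructed input, not a real one.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Assumed cutoff: a key already in service when Heartbleed was disclosed was exposed until reissued.
var heartbleedDisclosed = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// Finding is one inventory row: location, SHA-256 fingerprint, and why it needs revoke/replace/verify.
type Finding struct {
	Path, Fingerprint string
	Reasons           []string // empty means no action needed
}

// triage applies the two concrete checks from the post (MD5 signature, pre-Heartbleed issue date).
func triage(path string, cert *x509.Certificate) Finding {
	f := Finding{Path: path, Fingerprint: fmt.Sprintf("%x", sha256.Sum256(cert.Raw))}
	if cert.SignatureAlgorithm == x509.MD5WithRSA {
		f.Reasons = append(f.Reasons, "MD5 signature is forgeable: replace")
	}
	if cert.NotBefore.Before(heartbleedDisclosed) {
		f.Reasons = append(f.Reasons, "issued before Heartbleed: revoke and reissue")
	}
	return f
}

// inventoryPEM triages every CERTIFICATE block in one PEM file; a malformed certificate aborts the file.
func inventoryPEM(path string, pemData []byte) ([]Finding, error) {
	var out []Finding
	for b, rest := pem.Decode(pemData); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" { // private-key blocks sharing the bundle are skipped
			cert, err := x509.ParseCertificate(b.Bytes)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", path, err)
			}
			out = append(out, triage(path, cert))
		}
	}
	return out, nil
}

// selfSignedPEM is constructed sample input (not a real certificate) with a chosen NotBefore.
func selfSignedPEM(notBefore time.Time) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.AddDate(3, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run it over every PEM under your trust stores and web-server directories and you have the list the second step (revoke, replace, verify) works from.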
The admonition “not to blindly trust certificates” sounds great, but in practice the decision will come down to the potential losses from blind trust. In some cases the risk may be low enough that blind trust is a reasonable choice. In others, like traveling executives, there will be a need for hardware-based encryption by default with no user intervention.