2020 and SSL: a small prediction exercise

Browsers and Certification Authorities, the battle continues.

Image source : TheDigitalArtist via Pixabay

2019 was a busy year, with growing differences of opinion between browser makers and Certification Authorities, an explosion in the number of phishing sites encrypted with HTTPS, and significant progress on the deprecation of TLS v1.0.

Discussions on extended validation, and more generally on the visual display of certificates in browsers, as well as on reducing the validity period of certificates, have taken a prominent place. None of these discussions is over and no consensus seems to be emerging, so 2020 is looking like a busy year. Time to look ahead…

Will the fate of Extended Validation be determined?

In 2019 the main browsers stopped displaying the famous green address bar with the padlock and the name of the company, in favor of a single, uniform display that no longer reflects the authentication level of the certificate:

[Image: EV certificate display in browsers, 2020]

However, discussions are still ongoing at the CA/B forum level, as well as within the CA Security Council. Both of these certificate industry bodies will be looking in 2020 for an intuitive way to display the identity information of websites.

Historically approved by everyone, including the financial industry and websites handling transactions, EV (the acronym for Extended Validation) was Google’s target in 2019. Other browsers have followed Google’s lead: Mozilla, which is financed by Google, and Microsoft and Opera, whose browsers are based on the open-source Chromium. Only Apple continues to display EV.

For browsers, the question is whether TLS is the best way to present the authentication information of websites. Their answer seems to be that it is not. Google holds that it is not up to Certification Authorities to decide whether a website’s content is legitimate, and wants certificates to be used for encryption purposes only.

Of course, the Certification Authorities see things differently. One can certainly see a purely commercial reaction, since EV certificates are much more expensive. One can also wonder about the purpose of authentication beyond encryption. The answer seems to lie in the staggering statistics of phishing websites encrypted with HTTPS. Browsers have, for the moment, imposed an encrypted web… but one that is no longer authenticated!

2020 will therefore be the year of proposals from Certification Authorities: providing better authentication, including identification of legal entities, following the path of PSD2 in Europe… One thing is certain: identity has never been so important on the Internet, and it is up to all interested parties to find a solution, including browsers, which must find a way to display strong authentication of websites. To be continued…

Certificates with a shorter duration: towards one-year certificates

825 days (27 months, or just over two years) is the maximum validity period currently allowed for SSL certificates. However, since 2017 and a first attempt within the CA/B forum, the industry has been moving towards a reduction of this period to 13 months (one additional month to cover the renewal period).

Google and the browsers came back in 2019 with another vote submitted to the CA/B forum, again rejected but by a smaller majority. The market is on the move. Players like Let’s Encrypt offer certificates with a validity of 3 months, while others want to keep long validity periods to avoid too many interventions on servers. One thing is certain: the market does not yet have the automation systems in place to make the management and installation of certificates easier, so a delay of one or two more years would be preferable, or at least judicious.

But all this is without counting on Google threatening to act unilaterally if the regulator does not follow… certainly in 2020.
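As an added example (not Nameshield’s own tooling), the following Go program audits a certificate inventory against the validity limits discussed above: it computes each certificate’s lifetime in days, flags those exceeding the current 825-day limit and those that would exceed the proposed 13-month limit (taken here as 398 days, an assumption), and derives a renewal date from a configurable renewal window. The inventory, hostnames and dates are constructed sample data.

```go
package main

import (
	"fmt"
	"time"
)

// Validity limits discussed above: the 825-day limit in force today and the
// 13-month limit browsers are pushing for (assumed here to be 398 days).
const (
	CurrentMaxDays  = 825
	ProposedMaxDays = 398
)

// CertPeriod is the validity window of one certificate, the two dates an
// inventory export or scanner would give you (no real certificates are parsed).
type CertPeriod struct {
	Name      string
	NotBefore time.Time
	NotAfter  time.Time
}

// Finding is what the audit reports for one certificate.
type Finding struct {
	Name          string
	LifetimeDays  int
	ExceedsToday  bool // longer than the 825-day limit
	ExceedsFuture bool // longer than the proposed 13-month limit
	RenewBy       time.Time
	DaysLeft      int
}

// LifetimeDays returns the length of the validity period in whole days.
func LifetimeDays(c CertPeriod) int {
	return int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
}

// Audit evaluates every certificate at the reference time `now`. renewWindow is
// how long before expiry a renewal should be triggered (30 days is an assumption).
func Audit(certs []CertPeriod, now time.Time, renewWindow time.Duration) []Finding {
	var out []Finding
	for _, c := range certs {
		days := LifetimeDays(c)
		out = append(out, Finding{
			Name:          c.Name,
			LifetimeDays:  days,
			ExceedsToday:  days > CurrentMaxDays,
			ExceedsFuture: days > ProposedMaxDays,
			RenewBy:       c.NotAfter.Add(-renewWindow),
			DaysLeft:      int(c.NotAfter.Sub(now).Hours() / 24),
		})
	}
	return out
}

// DueForRenewal lists certificates whose renewal date has already passed
// (including ones that have expired).
func DueForRenewal(findings []Finding, now time.Time) []string {
	var due []string
	for _, f := range findings {
		if !now.Before(f.RenewBy) {
			due = append(due, f.Name)
		}
	}
	return due
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// SampleInventory is a constructed inventory: an old 3-year certificate, a
// 2-year one, a 13-month one and a 90-day one.
func SampleInventory() []CertPeriod {
	return []CertPeriod{
		{"legacy.example.test (3-year)", date(2017, 6, 1), date(2020, 6, 1)},    // 1096 days
		{"www.example.test (2-year)", date(2019, 3, 1), date(2021, 6, 3)},       // 825 days
		{"api.example.test (1-year)", date(2019, 12, 1), date(2021, 1, 2)},      // 398 days
		{"mail.example.test (90-day)", date(2019, 11, 15), date(2020, 2, 13)},   // 90 days
	}
}

func main() {
	now := date(2020, 1, 15)
	findings := Audit(SampleInventory(), now, 30*24*time.Hour)
	for _, f := range findings {
		fmt.Printf("%-30s %4d days  >825:%-5v >398:%-5v renew by %s (%d days left)\n",
			f.Name, f.LifetimeDays, f.ExceedsToday, f.ExceedsFuture,
			f.RenewBy.Format("2006-01-02"), f.DaysLeft)
	}
	fmt.Println("due for renewal:", DueForRenewal(findings, now))
}
```

Fed with notBefore/notAfter values exported from a scanner, the same two functions give a first view of how much renewal automation a move to one-year certificates would require.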

From TLS 1.0 to TLS 1.3: forced advance

Microsoft, Apple, Mozilla, Google and Cloudflare have announced their intention to deprecate, from January 2020, support for TLS 1.0 (a protocol created in 1999 to succeed SSL 3.0, which had become highly exposed) and TLS 1.1 (2006), both of which are now too exposed to known security flaws.

While TLS 1.2 (2008) is still considered secure today, the market seems to be pushing for TLS 1.3, the most recent version of the standard, finally released in the summer of 2018. TLS 1.3 drops support for weak algorithms (MD4, RC4, DSA or SHA-224), negotiates in fewer round trips (faster), and reduces exposure to downgrade (fallback) attacks. Simply put, it is the most secure version of the protocol.

A small problem, however: many websites have yet to take action. At the beginning of 2019, only 17% of the Alexa Top 100,000 websites supported TLS 1.3, while just under 23% (22,285) did not even support TLS 1.2 yet. While the decision to deprecate the older versions of the protocol is a good one, the way the major web players went about it can be criticized, in particular for its unilateral nature. In the meantime, get ready: that is where we are heading.
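To make the policy concrete, here is an added Go example (not code from Nameshield or from any of the vendors named above) that runs a TLS handshake in memory against a server configured with TLS 1.2 as its floor. The server certificate is a throwaway self-signed one for the hypothetical host sensor.example, generated at run time; a client limited to TLS 1.1 is refused, while clients offering TLS 1.2 or TLS 1.3 negotiate the highest version both sides support.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert builds a throwaway certificate for the hypothetical host
// "sensor.example" so the handshake below needs neither a network nor a real CA.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sensor.example"},
		DNSNames:              []string{"sensor.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor for the client
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// HardenedServerConfig expresses the policy described above: TLS 1.0 and 1.1 are
// refused, TLS 1.2 is the floor, and TLS 1.3 is used when the client offers it.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		// Session tickets would be written into the synchronous in-memory pipe
		// used below and block it; a real server would leave them enabled.
		SessionTicketsDisabled: true,
	}
}

// Handshake runs one client/server handshake over an in-memory pipe and returns
// the negotiated protocol version, or the error the client observed.
func Handshake(server, client *tls.Config) (uint16, error) {
	serverConn, clientConn := net.Pipe()
	defer serverConn.Close()
	defer clientConn.Close()

	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(serverConn, server).Handshake() }()

	cli := tls.Client(clientConn, client)
	clientErr := cli.Handshake()
	version := cli.ConnectionState().Version

	select {
	case <-serverDone:
	case <-time.After(5 * time.Second):
		return 0, errors.New("server side of the handshake did not finish")
	}
	if clientErr != nil {
		return 0, clientErr
	}
	return version, nil
}

// NegotiateWithClientMax connects a client offering at most maxVersion to the
// hardened server and reports the outcome.
func NegotiateWithClientMax(maxVersion uint16) (uint16, error) {
	cert, pool, err := selfSignedServerCert()
	if err != nil {
		return 0, err
	}
	client := &tls.Config{
		RootCAs:    pool,
		ServerName: "sensor.example",
		MinVersion: tls.VersionTLS10, // a legacy client still willing to speak old versions
		MaxVersion: maxVersion,
	}
	return Handshake(HardenedServerConfig(cert), client)
}

func main() {
	for _, max := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		v, err := NegotiateWithClientMax(max)
		if err != nil {
			fmt.Printf("client max 0x%04x: refused (%v)\n", max, err)
			continue
		}
		fmt.Printf("client max 0x%04x: negotiated 0x%04x\n", max, v)
	}
}
```

The refusal comes from the server’s MinVersion alone; no cipher-suite or certificate change is needed, which is why the same one-line setting is the usual first step when retiring TLS 1.0 and 1.1 on a real server.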

The threat of quantum computing

Companies are talking more and more about quantum computing, including Google. But the reality is that while quantum computing will impact our industry, it certainly won’t be in 2020, or for at least a decade. There are still many questions that need to be answered, such as: what is the best algorithm for quantum resistance? No one has that answer, and until there is a consensus in the industry, you are not going to see any quantum-resistant solutions in place.

IoT is growing, but the lack of security remains a problem

IoT is a success, but a number of deployments are being delayed due to a lack of security. In 2020, cloud service providers will provide, or partner with security companies to provide, secure provisioning and management of devices, as well as an overall secure IoT ecosystem, for their customers.

The regulatory frameworks for IoT manufacturing and deployments will most certainly be led by the EU, although we will also see an increase in the US. Attacks, compromises and IoT hacking will, unfortunately, continue. In addition, security standards will not be met and we will not even come close to a higher percentage of secure devices. Why is that? Original Equipment Manufacturers (OEMs) are still not willing to pay the costs involved or pass them on to consumers for fear of losing sales.

China’s encryption laws will create a lot of uncertainty

In recent years, part of the digital transformation of the world has led to the codification of rights and restrictions on data in national laws and regional organizations. PSD2, GDPR, CCPA, PIPEDA… a real headache for international companies faced with regulatory standards and compliance.

On January 1, 2020, China’s encryption law was due to come into force. One more layer of data regulation, and one that is… still unclear to those doing business in China. Clarification is still needed on several fronts. For example, commercial encryption for international companies must be approved and certified before it can be used in China – but this certification system has not yet been created. Similarly, there is uncertainty about key escrow and about the data that must be made available to the Chinese government. This has led to a wave of speculation, misinformation and, ultimately, overreaction. Given the opacity of parts of the new regulation, many companies are opting for a wait-and-see approach. This is a wise tactic, assuming your organization does not have an experienced Chinese legal expert.

In conclusion, the certificate industry continues to change. Nameshield’s certificates team is at your disposal to discuss all of these topics.

Best wishes for 2020.

The alarming Kaspersky report: nine times more attacks targeting connected objects than in 2018

Image source: TheDigitalArtist via Pixabay

On October 15, Kaspersky, the antivirus software company, published a striking report about the volume of cyberattacks directly targeting connected objects.

Although the industry expected this new generation of objects to be directly targeted by cyberattacks, the increase in the number of attacks is alarming and gives a good idea of the security flaws that connected objects present.

According to the estimate presented by Kaspersky, between the beginning of 2018 and mid-2019 the attacks reportedly reached a record 105 million, i.e. nine times more than the whole of the previous year.

To carry out this research, Kaspersky used a trap technique, deploying more than 50 honeypots across the world. A honeypot is a decoy program that imitates the signature of a connected object and is created specifically to attract cybercriminals. It was then possible to detect attacks from the hackers who fell into the trap set for them. According to Kaspersky, during this experiment more than 20 000 infected sessions were recorded every 15 minutes. In total, 105 million attacks from 276 000 unique IP addresses were detected (compared to 12 million in 2018).

Furthermore, the report indicates that in both 2018 and 2019, China and Brazil were vying for the top position among the countries from which the attacks were launched.

The main malware families that exploit the security flaws of connected objects are well known and identified (Mirai, for example).

While we are aware that IoT is a favorite playground for hackers, the most basic security measures are far from being systematically applied. It is essential, for example, to change the default password on every connected device you buy. As a reminder, although attack techniques are indeed becoming more and more sophisticated, the first gateway for hackers remains the users’ lack of vigilance.

Satori Botnet: the hacker facing up to 10 years in prison did not act alone

Image source: TheDigitalArtist via Pixabay

We now know more about the cybercriminal Nexus Zeta, whose real name is Kenneth Currin Schuchman and who distinguished himself with the creation of the Satori botnet.

He pleaded guilty to the charges relating to the creation of the Satori botnet, and his confession describes how the attack was carried out using IoT flaws.

As a reminder, a botnet is a set of infected computers remotely controlled by a cybercriminal. The machines that belong to a botnet are often called “bots” or “zombies”. The aim: to spread malware or a virus to the greatest number of machines possible.

The hacker Nexus Zeta did not act alone but worked with two other cybercriminals: Vamp, who served as Satori’s primary developer, and Drake, who managed sales of the botnet.

The Satori botnet was created based on the public code of the Mirai IoT malware.

As a reminder, in 2016 Mirai was behind one of the biggest DDoS attacks ever seen, targeting in particular the American provider DYN. It works by continuously scanning the Internet for IP addresses corresponding to connected objects (IoT). Once vulnerable connected objects are identified, Mirai connects to them to install the malware.

The Satori botnet mainly attacked devices running with factory-set or easy-to-guess passwords; in its first month of deployment it infected over 100 000 devices.

Between 2017 and 2018, the three hackers continued to develop Satori, which they renamed Okiru and then Masuta. The botnet went on to infect over 700 000 devices.

Officially charged by the American authorities, Kenneth Currin Schuchman was free pending trial. However, he broke his pre-trial release conditions by accessing the Internet and developing a new botnet. In October 2018 he was arrested and jailed. Having pleaded guilty, he faces up to ten years in prison and a fine of 250 000 dollars.

Black swan time?

Image source: abudrian via Pixabay

Utility providers and other actors are moving into the connected world, benefiting from the innovations that the rest of the world conveniently provides them. That would not be a problem if we did not live in an age where hacking a power plant has become possible.

In 2015 and 2016, hackers shut down power to thousands of users in the middle of the Ukrainian winter. Since then, the American government has openly admitted that foreign powers try every day to take control of the energy grid control rooms of the United States. This matters because we are currently connecting decades-old infrastructure to an environment swimming with threats that it was never designed to protect against.

Engineers have not always played well with computer scientists. These disciplines are different, they are different mindsets with different aims, different cultures and of course, different technologies. Engineers can plan for accidents and failures, while cybersecurity professionals plan for attacks. There are completely different industry standards for each discipline and very few standards for the growing field of the Internet of Things (IoT), which is increasingly weaving its way into utility environments. Those two worlds are now colliding.

Much of the IT used in utilities infrastructure was previously isolated, operating without fear of hackers, with systems built for availability and convenience, not for security. Their creators didn’t consider how a user might have to authenticate to a network to prove that they are a trusted actor. That might have been acceptable in the past, but now we have a landscape littered with outdated machines weighed down with insecure code that is unequipped for modern IT threats. Upgrading these systems and securing them afterwards won’t solve all of those security problems, and replacing them entirely would be too expensive, hard to envisage and almost utopian for many. Connecting them today to an environment exposed to threats, and to adversaries searching for the next easy target, is therefore a real problem.

Today the world tends to connect more and more, particularly through the Internet of Things (IoT): we talk about connected cars, baby monitors connected to a parent’s smartphone, doorbells telling homeowners who is at their door, fridges and washing machines becoming connected… and utilities follow the trend, naturally wanting to be part of this evolution towards the increasing computerisation of physical objects.

Exciting as these innovations might sound, evidence of the IoT’s insecurity mounts every day. Whether it’s hardcoded passwords, an inability to authenticate inbound and outbound connections or an inability to update, there is little argument about their insecurity. These products are often rushed to market without a thought for this important factor.

Enterprises and governments are seizing the IoT as a way to transform the way they do business, and utilities are doing the same. Large infrastructures will increasingly be made up of IoT endpoints and sensors – able to relay information to its operators and radically improve the overall function of utilities.

Unfortunately, in the rush to innovation, eager adopters often ignore the glaring security problems that shiny new inventions often bring with them. In an industrial or utilities environment the IoT means something that is similar at a descriptive level, but radically different in real-world impact. A connected doll is one thing, a connected power plant is another entirely!

The risks on utilities are real. There are plenty of examples. Stuxnet, the virus which destroyed the Iranian nuclear program is just one. The aforementioned attacks on the Ukrainian power grid could be another. Furthermore Western governments, including France, now admit that foreign actors are attempting to hack their utilities on a daily basis.

But if this is such a big problem, you might ask, why hasn’t it happened more often? Why haven’t we heard about such potentially devastating attacks even more? The fact is that many organizations won’t know they have already been hacked. Many go for weeks, months and often years without realizing that an attacker has been lurking within their systems. The Ponemon Institute has found that the average time between an organization being breached and the discovery of that fact is 191 days, more than six months. This is especially true if one of those aged legacy systems has no way of telling what is anomalous. Others may simply hide their breach, as many organizations do. Such attacks are often embarrassing, especially given the regulatory implications and public backlash that a cyberattack on a utility brings with it.

Furthermore, most attacks are often not catastrophic events. They are commonly attempts to gain data or access to a critical system. For most, that’s a valuable enough goal to pursue. Edging into the more destructive possibilities of such an attack would essentially be an act of war and not many cybercriminals want to earn the attention – or the ire – of a nation state.

The theory of the black swan, theorized by Nassim Nicholas Taleb (a situation that is hard to predict and seems wildly unlikely, but has apocalyptic implications), fits perfectly here. We don’t know when, how or even if such an event might happen, but we had better start preparing for it. Even if the likelihood of such an event is small, the cost of waiting and not preparing for it will be much higher. The IoT market, particularly in the utilities sector, needs to start preparing for that black swan.

Public Key Infrastructures (PKI) using certificates will allow utilities to overcome many of these threats, providing unparalleled trust for an often hard-to-manage network. PKI is built on interoperable and standardized protocols, which have been protecting web-connected systems for decades. It offers the same for the IoT.

PKIs are highly scalable, making them a great fit for industrial environments and utilities. The manner in which many utilities will be seizing hold of the IoT is through the millions of sensors that will feed data back to operators and streamline day-to-day operations, making utilities more efficient. The sheer number of those connections and the richness of the data flowing through them make them hard to manage, hard to monitor and hard to secure.

A PKI ecosystem can secure the connections between devices, the systems and those that use them. The same goes for older systems, which have been designed for availability and convenience, but not for the possibility of attack. Users, devices and systems will also be able to mutually authenticate between each other, ensuring that behind each side of a transaction is a trusted party.

The data that is constantly travelling back and forth over those networks is encrypted under PKI using the latest cryptography. Attackers that want to steal that data will find that their ill-gotten gains are useless when they realize they can’t decrypt it.

Code signing further ensures the integrity of that data. When devices need to update over the air, code signing lets you know that the author of the update is who they say they are and that the code hasn’t been tampered with since they wrote it. Secure boot will also prevent unauthorized code from loading when a device starts up. PKI will only allow secure, trusted code to run on a device, hamstringing hackers and ensuring the data integrity that utilities require.
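As an added illustration of the code-signing and secure-boot checks described above (example code in Go, not from DigiCert, Nameshield or Intersec): a vendor signs each firmware image together with a version counter using Ed25519, and the device verifies the signature with the vendor’s public key before flashing, refusing a tampered image, a rollback to an older signed version, and an image signed with a key it does not trust. The update format, the key handling and the sample images are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the hypothetical over-the-air package used in this illustration:
// a version counter, the firmware image, and an Ed25519 signature that binds
// the two together. It is not any vendor's real format.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// Vendor holds the signing key, which in practice stays in an HSM at the
// manufacturer. Device holds only the matching public key, provisioned at
// manufacture, plus the version it currently runs.
type Vendor struct{ priv ed25519.PrivateKey }
type Device struct {
	vendorPub ed25519.PublicKey
	installed uint32
}

func NewVendor() (*Vendor, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv}, nil
}

func (v *Vendor) PublicKey() ed25519.PublicKey { return v.priv.Public().(ed25519.PublicKey) }

// signedMessage is what actually gets signed: the version counter followed by
// the SHA-256 digest of the image, so neither can be swapped independently.
func signedMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// Sign produces a signed update for the given image and version.
func (v *Vendor) Sign(version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(v.priv, signedMessage(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed firmware")
)

// Install is the check an update agent (or a secure-boot loader) performs
// before flashing: verify the signature first, then refuse rollbacks.
func (d *Device) Install(u Update) error {
	if !ed25519.Verify(d.vendorPub, signedMessage(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.installed {
		return ErrRollback
	}
	d.installed = u.Version
	return nil
}

// ScenarioResult records the outcome of four constructed update attempts.
type ScenarioResult struct {
	Genuine, Tampered, Rollback, WrongKey error
	FinalVersion                          uint32
}

// RunScenario exercises the device against a genuine update, a tampered image,
// a replayed older version, and an update signed with an unknown key.
func RunScenario() (ScenarioResult, error) {
	vendor, err := NewVendor()
	if err != nil {
		return ScenarioResult{}, err
	}
	impostor, err := NewVendor() // a key the device has never been told to trust
	if err != nil {
		return ScenarioResult{}, err
	}
	dev := &Device{vendorPub: vendor.PublicKey(), installed: 1}

	var r ScenarioResult
	r.Genuine = dev.Install(vendor.Sign(2, []byte("constructed firmware image v2")))

	tampered := vendor.Sign(3, []byte("constructed firmware image v3"))
	tampered.Image = append([]byte(nil), tampered.Image...)
	tampered.Image[0] ^= 0x01 // a single bit flipped after signing
	r.Tampered = dev.Install(tampered)

	r.Rollback = dev.Install(vendor.Sign(1, []byte("constructed firmware image v1")))
	r.WrongKey = dev.Install(impostor.Sign(4, []byte("firmware from an unknown signer")))
	r.FinalVersion = dev.installed
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", r.Genuine, "| tampered:", r.Tampered)
	fmt.Println("rollback:", r.Rollback, "| wrong key:", r.WrongKey)
	fmt.Println("device now runs version", r.FinalVersion)
}
```

The order of the checks matters: the signature is verified before the version is even looked at, so an attacker cannot use an unsigned package to probe the rollback logic, and the version counter lives inside the signed message rather than beside it.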

The possibilities of an attack on a utility can sometimes seem beyond the pale. Just a few years ago a hack on a power grid seemed almost impossible. Today, news of IoT vulnerabilities regularly fills headlines around the world. The full destructive implications of this new situation have yet to be fully realized, but just because all we see are white swans, it doesn’t mean a black one isn’t on its way.

Users will soon start demanding these security provisions from companies. The Federal Energy Regulatory Commission (FERC) recently fined a utility company $10 million after it was found guilty of 127 different security violations. The company wasn’t named, but pressure groups have recently mounted a campaign, filing a petition with FERC to publicly name and shame it. Moreover, with the advent of the General Data Protection Regulation and the NIS directive last year, utilities now have to look a lot more closely at the way they protect their data. All over the world, governments are looking at how to secure the IoT, especially when it comes to the physical safety risks involved. Utilities security matters because utilities hold a critical role in the functioning of society. It is just as important that they be dragged into the 21st century as it is that they are protected from it. PKIs can offer a way to do just that.

Mike Ahmadi, DigiCert VP of Industrial IoT Security, works closely with automotive, industrial control and healthcare industry standards bodies, leading device manufacturers and enterprises to advance cybersecurity best practices and solutions for protecting against evolving threats.

This article, by Mike Ahmadi, is adapted from an article published on the Intersec website.

Connected objects: unavoidable in DDoS attacks?


Nowadays consumers use, and are surrounded by, connected objects. The Internet of Things (IoT) includes all connected objects: a connected refrigerator, sensor, light bulb, security camera, router or even a thermostat. What do they have in common? An IP address, and a network connection so that they can communicate.

According to the American company Gartner, connected objects will reach 20.5 billion units by 2020. We will face an impressive growth of IoT in the years to come.

China, North America and West Europe will represent 67% of IoT in 2017.

However, these connected objects are frequently shipped with security flaws, which is an opportunity for DDoS attacks!

Nowadays, Distributed Denial of Service (DDoS) attacks are frequent. For hackers, it is quite easy to set up attacks against an unprotected target. These attacks can lead to significant financial loss for companies, directly through disruption of service (website or email) or indirectly through the harm caused to the target’s image (bad buzz, bad reputation…).

With the arrival of connected objects, the chances of being confronted with DDoS attacks are high.

These attacks make a service unavailable by flooding the system with requests. With the help of connected objects, hackers can send a massive number of requests to one or more DNS servers. They are able to remotely control our objects because of the objects’ security flaws. If the DNS servers are not protected by a strong anti-DDoS filter, they risk being unable to absorb the high number of requests and, as a result, will no longer respond to users’ requests.

In October 2016, DYN, a DNS service provider, was the victim of a DDoS attack carried out by connected devices. Its DNS infrastructure services were unavailable, which then impacted its customers’ services: Twitter, Netflix, Spotify…

Many hours offline for these web pure players have a direct impact on sales revenue. DYN affirms that “Ten billion IP addresses were touched” by this attack.

Last week, Melbourne IT Registrar was also a victim of a DDoS attack. Some of its customers were affected by this service disruption.

We might see more powerful attacks of this kind in 2017.

In the past, attacks were carried out by computers; today connected devices are a real weapon. Fortunately, those companies have stated that they want to reinforce security on their connected products.

DNS is an absolute priority. It is essential to secure your strategic domain names by using highly secured DNS, so as to have high and permanent availability.

Nameshield offers a DNS Premium solution to gain performance and assure 100% availability.