Trends & Threats Briefing, April 2019

Welcome to your source for April 2019’s news about TLS, SSL, PKI, IoT, encryption, identity, and digital certificates.

Click on any headline below to jump to its summary and external news source.

If you’d prefer having this news presented to you, view/hear the on-demand recorded webcast here. Also check out the rest of our webinars and videos on DigiCert’s channel on the BrightTalk network.

Co-brandable versions (focusing on TLS & SSL, financial impacts, and miscellaneous news) are available to our Certified Partners as an .MP4 for marketing purposes or as an .M4A for podcast usage.

Beginning with the April 2019 briefing, we will also host the .MP4, the .M4A and the slides/sources (new!) on our new DigiCert Partner Portal at digicertpartners.com.

If you have any corrections or suggestions, please contact us.

Digital Certificates

High-assurance certs (OV, EV) linked to e-commerce revenue

Tumblr goes HTTPS, leaving 13% non-secured among Alexa top 100

ASUS software updates installed signed malware

ACME – from popular protocol to supported standard

(in)$€¢ure£¥ – The financial impact of (in)security

Connecting compliance dots to save US$1M via incident response planning

Internal network offline = broadcast network off-air

Imprisonment legislation targets breached enterprises’ CEOs

Up Next – Trends and industry buzzwords

Blockchain burglar guessed US$7.7M worth of cryptocurrency private keys

Using color tricks to help QKD photons survive “optical fiber obstacle course”

AES survives PQC research

Hash – News that’s fit to cover, but doesn’t fit above

Long live Apache (and now nginx) web servers

IE zero-day exploitable, even if IE isn’t used

Stranger Than Fiction!

When hackers doxx hackers

Killing the messenger’s messages — twice

Why pull a fire alarm when you can pull down a Wi-Fi network?

Undercover agent undone by unscheduled event’s unwelcome attendee

Good News

Midwest US city offers residents free internet security training

UK businesses & charities prioritize cybersecurity, see fewer cyberattacks

CryptoPokemon? I choose… free decryption!

US legislation for federal funding of state/local cybersecurity

Digital Certificates

High-assurance certs (OV, EV) linked to e-commerce revenue

According to a new white paper from industry research group Frost & Sullivan, the number of consumers using digital payment methods continues to increase worldwide, and so do concerns about online fraud. With 6.17 million data records stolen every day by cybercriminals, companies doing business on the internet have two choices: win the digital trust of consumers or lose revenue. That win/lose choice has never been so stark, as 48% of consumers say they stop using an organization’s services if they believe it compromised their data. Although many consumers may not understand what encryption is or how it works, a growing number understand encryption’s role in protecting their data and privacy online. Web browsers Google Chrome and Mozilla Firefox began notifying users in 2018 that websites without TLS/SSL certificates are “not secure.” At a time when domain-validated TLS and SSL certificates are often available for little to no cost, savvy online consumers, whether they’re banking, shopping, or searching for information, know the signs of a secure site: HTTPS and other visual indicators in or near the browser address bar, plus the presence of a trust mark (like a security seal), which is displayed when a site uses a high-assurance certificate such as an organization validated or extended validation certificate. As organizations look to cut costs, they must also be positively affecting levels of digital trust and driving meaningful consumer behavior, because what’s the use of an encrypted website if people don’t trust it? Hence, it’s important for online businesses and IT professionals to choose TLS/SSL certificates which will build and maintain digital trust, and price alone should never, ever be the deciding factor. You can read more about the findings and details in the Frost & Sullivan report, “The Global TLS Certificate Authority Market: Key Insights for Enterprise End Users.”

https://www.digicert.com/resources/Frost-and-Sullivan_Key-Insights-for_Enterprise-End-Users.pdf

Tumblr goes HTTPS, leaving 13% non-secured among Alexa top 100

Let’s welcome DigiCert TLS certificate customer Tumblr to the list of notable sites that have implemented HTTPS sitewide. Tumblr commented via their engineering blog that HTTPS is now a default across their sites, following a soft rollout in 2017 which required Tumblr users to enable the feature. Tumblr’s move to go all-HTTPS all-the-time leaves 13 of the Alexa top 100 sites still not using HTTPS ubiquitously on their sites; notably, 7 of those non-secured sites are based in China, 3 in the USA, and 2 based elsewhere.

https://techcrunch.com/2019/04/23/https-tumblr/

https://whynohttps.com/

ASUS software updates installed signed malware

In January, attackers compromised a server used by computer vendor ASUS to push out legitimate updates automatically, and in the process the attackers also got control of likewise-legitimate ASUS code signing certificates. The end result was that about a million ASUS users’ computers received trojanized updates that installed trusted but malicious backdoors directly onto users’ systems. The attack remained undetected for at least five months, and has been confirmed by both Symantec and Kaspersky Lab. While use of code signing certificates is common in today’s enterprises, their storage and usage are often poorly controlled, and signings are rarely tracked. As a result, it’s becoming more and more common to see malware signed with carelessly controlled code signing certificates, leaving organizations with the terrible choice of revoking trust in all of their legitimately signed code just to kill off one bad signing, or permitting trusted malware to exist under their signature in order to keep distributed legitimate code running. Close to a shameless plug here: there are better alternatives for code signing on the marketplace than mere usage of code signing certificates, and DigiCert would be happy to help you learn about them.

https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

https://securelist.com/operation-shadowhammer/89992/

https://www.websecurity.symantec.com/code-signing/secure-app

ACME – from popular protocol to supported standard

The Internet Engineering Task Force has finalized the ACME protocol for automated certificate issuance, and now it’s codified as IETF RFC 8555. Although it’s the first standardized version, it’s actually the second version of the protocol. The old ACME v1 protocol will be deprecated, a slow untangling process to be undertaken by its chief propagator. In Let’s Encrypt’s announcement of the standardization and deprecation, a representative of its sponsoring organization commented that “a standardized protocol makes switching from one CA to another easier by minimizing technical dependency lock-in.” We can’t agree more. We envision a world wherein you’re not just locked-in to one platform for automated certificate management, so we suggest you come on over to the DigiCert website and search for “ACME in CertCentral” then click on the first search result and envision the added flexibility along with us.

https://tools.ietf.org/html/rfc8555

https://letsencrypt.org/2019/03/11/acme-protocol-ietf-standard.html

https://www.digicert.com/search-results/?q=CertCentral%20ACME

https://www.digicert.com/news/digicert-announces-certcentral-enterprise-an-all-in-one-certificate-management-solution-for-tls-ssl/


(in)$€¢ure£¥

Connecting compliance dots to save US$1M via incident response planning

Remember last month when we said that organizations are seeing both business and competitive benefits from GDPR compliance? The data is in. Well, the data was in last month, but even more is in, courtesy of the Ponemon Institute. Their recent research titled “The 2019 Cyber Resilient Organization” took input from over 3,600 security and IT professionals globally, surveying their organizations’ ability to maintain their purpose and integrity in the face of cyber-attacks. Nearly 2/3 of surveyed participants confirmed that aligning their individual organizations’ cybersecurity and privacy teams is “essential to achieving resilience,” so much so that data privacy has become a top priority in organizations worldwide. This seems no surprise as last year’s corresponding study of the cost of a data breach showed that companies which respond efficiently and quickly to contain a cyber-attack within 30 days save over US$1 million on average.

https://www.natlawreview.com/article/incident-response-plan-saves-money

https://www.digicert.com/blog/trends-threats-briefing-march-2019/#Hash2

Internal network offline = broadcast network off air

We usually think of malware knocking an organization’s networks offline. But in the first-ever instance of such an impact to a global cable TV network, The Weather Channel network was knocked off air last week. The trusted American source of meteorological data fell victim to a “malicious software attack” on its digital network, directly affecting its live broadcast operations for about 90 minutes, at which point the network was able to partially recover. The network’s Twitter feed confirmed that they “experienced issues with today’s live broadcast following a malicious software attack on the network… We were able to restore live programming quickly through backup mechanisms.” Later, a notable weather anchor of theirs confirmed a similar diagnosis, once the network was back on-air. A day later, several business and IT media sources confirmed that the attack was specifically related to ransomware. The incident demonstrated that broadcasting is now just as vulnerable to attackers as any other segment which rides on internet protocol (IP), and that includes video distribution networks and cloud-based media processing, too. The US federal government is investigating the attack, as it has broadened the idea of what critical infrastructure might actually mean: a takedown of a specialty TV network implies that a takedown of a larger entertainment network’s broadcast operations is possible. So why have we covered this in our (in)$€¢ure£¥ news? Because the cost of the attack includes not just the IT cost to recover, but also the hit to ad revenue, which spiraled into hundreds of thousands of US dollars for every minute spent off air. And that’s aside from the damage to the network’s trusted brand.

https://threatpost.com/weather-channel-off-air-hack/143936/

Imprisonment legislation targets breached enterprises’ CEOs

United States Senator Elizabeth Warren introduced a bill to punish corporate CEOs whose organizations’ security is breached due to negligence. Calling it “The Corporate Executive Accountability Act,” the law as proposed would impose up to a year of prison time for first offenses and more for repeated breaches. The qualification for the penalty is rather specific, applying only to companies convicted of violating the law or which have settled claims with regulators, whose annual revenue exceeds US $1 billion, and only to those companies’ CEOs who “negligently permit or fail to prevent” a breach which “affects the health, safety, finances or personal data” of 1% of the population of any US state. Critics (who notably are not CEOs) questioned the law’s necessity, as executive heads often roll in the aftermath of breaches of that size, scope and impact; as such, there’s a suspicion that such a law, if passed, would be elevated through the US courts and found to be a violation of the US Constitution’s 8th Amendment which prevents infliction of excessive fines or cruel and unusual punishments.

https://arstechnica.com/tech-policy/2019/04/elizabeth-warren-wants-to-jail-negligent-ceos-in-some-data-breaches/


Up Next

Blockchain burglar guessed US$7.7M worth of cryptocurrency private keys

This is one of those rare stories which we could cover in multiple sections, including (in)$€¢ure£¥, Hash, and Stranger than Fiction!, but we’ve chosen to cover it here in Up Next since it demonstrates how current hacks collide with future-facing technologies, in this case with blockchain. Cryptocurrencies rely on blockchain technologies. If anyone knows a cryptocurrency user’s private key, they can use that key to derive the associated public address that the key unlocks. And since we already know that too many people are still shockingly lazy about their passwords (specifically including usage of simple and common passwords), it just might be easy to assume that such habits would apply to the private keys which such users would choose when setting up their cryptocurrency accounts. That’s just what happened, as a single Ethereum account appears to have drained a staggering 45,000 Ether (currently valued at ~US$7.7 million) by guessing other users’ private keys. Security consultancy Independent Security Evaluators scanned 34 billion blockchain addresses for weak keys, finding 732 guessable keys which had been emptied to 0 Ether, and 12 of those show that they were emptied by the same account holder. Adrian Bednarek, who works at the consultancy, commented that whoever this bandit is, “they’re spending a lot of computing time sniffing for new wallets, watching every transaction, and seeing if they have the key to them.” What’s more, Mr. Bednarek transferred a small amount of money into one of those drained accounts, as well as into a newly created account with a weak-keyed address, and saw both accounts drained back to 0 Ether in mere seconds, leading Mr. Bednarek to suppose that the bandit (or bandits) hold a massive list of private keys, constantly and rapidly scanning for them.

https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/

Using color tricks to help QKD photons survive “optical fiber obstacle course”

Last month, we covered quantum key distribution (QKD) and the principle of entanglement which Einstein called “spooky action at a distance.” While that usage of entanglement was in terms of physics, a figurative usage of entanglement would describe the physical “obstacle course of spliced fiber segments and junction boxes” that photons would need to navigate during QKD. Making things worse, photons also suffer from dispersion, where they effectively spread out, negatively affecting the QKD. Working to resolve this, clever researchers from the National University of Singapore and Singtel (Asia’s leading communications technology group) have figured out a trick to keep entangled photons in sync as they travel the different twists and turns of their path through a network. By identifying the gap between the photons’ arrival times at the detector, the researchers were able to “link pairs of detection events together. Preserving this correlation will help us to create encryption keys faster,” according to James Grieve, a researcher on the team. By designing the photon source to create pairs of light particles with colors on opposing sides of a known feature of optical fiber called the “zero-dispersion wavelength,” it’s possible to match the speeds through the photons’ time-energy entanglement, thereby preserving the timing. Even if we totally lost you there, rest assured that the research boosted expectations for QKD over commercial fiber.

https://www.sciencedaily.com/releases/2019/04/190404114447.htm

https://www.digicert.com/blog/trends-threats-briefing-march-2019/#Trends2

AES survives PQC research

In last month’s briefing, we discussed the varying, yet fretful prognostications about how fast quantum computing will wreck seemingly everything about today’s TLS encryption. Not so fast, figuratively and literally speaking, say researchers Xavier Bonnetain, María Naya-Plasencia and André Schrottenloher. They analyzed the post-quantum security of the Advanced Encryption Standard (AES) cipher, which is the most popular and widely used block cipher in the world and was established as the encryption standard by NIST in 2001. Without going into a ton of dizzying detail, the researchers concluded that “AES seems a resistant primitive in the post-quantum world as well as in the classical one.” In other words, quantum computing won’t wreck everything we use today after all. See our sources for the researchers’ abstract and link to their findings.

https://eprint.iacr.org/2019/272

https://www.digicert.com/blog/trends-threats-briefing-march-2019/#Trends1


Hash

Long live Apache (and now nginx) web servers

Remember, way back when it seems like the Internet was in black-and-white, AIM was the thing, and most connections to the new Worldwide Web were preceded by the fax-machine-esque screeching of 56k modems? Back in those days, the National Center for Supercomputing Applications (NCSA) gave us two notable gifts: the Mosaic web browser, which became Netscape Navigator and arguably begat Mozilla Firefox, and the NCSA HTTPd web server, which eventually morphed into the Apache web server in 1995. Since April 1996, no other web server has served up more web sites than the Apache HTTP Server, except for a brief period when Microsoft took the market reins 5 years ago. As records are made to be broken (and replaced by cassette tapes, CDs, MP3s and music streaming, tee hee), the crown seems to be starting to pass from Apache to nginx. Of course, that’s only by the measure of number of active websites. Apache still retains the leadership position with a 30.3% share of active sites, 31.5% of all domains, and is the workhorse of 32.2% of the top million websites.

https://news.netcraft.com/archives/2019/04/22/april-2019-web-server-survey.html

IE zero-day exploitable, even if IE isn’t used

A standard setting of Microsoft Windows is to use Internet Explorer to open MHT files—even if IE isn’t the default browser—and that opens up an easy-to-exploit vulnerability. For example, an attacker could craft an MHT file to exfiltrate data or install malware. All it takes is for that file to be delivered by email, IM, or other vector, and for a user to open it, before the infected MHT file could spring into nefarious action. A researcher successfully confirmed the exploit’s success in the latest IE version 11 with all the recent security patches, as installed on Windows 7, Windows 10, and even Windows Server 2012 R2. As our source notes, perhaps the only bright spot in the vulnerability disclosure is that Internet Explorer’s market share has dwindled to under 8% according to NetMarketShare.

https://www.helpnetsecurity.com/2019/01/25/gdpr-ready-organizations/
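A defender’s check for the default described above, written for this briefing as an added example (not code from the original article or from Microsoft): it reports which program Windows will launch for a .mht file on the host it is run on. It assumes the standard Windows file-association layout, where the extension resolves to a ProgID (the default value of HKCR\.mht, typically “mhtmlfile”) whose shell\open\command is then run, with a per-user override under HKCU\…\Explorer\FileExts\.mht\UserChoice taking precedence when present.

```powershell
# Added example: report the handler Windows uses for .mht files.
# Assumes the standard association layout: HKCR\<ext> -> ProgID -> shell\open\command,
# with an optional per-user override under HKCU ...\FileExts\<ext>\UserChoice.

function Get-MhtHandler {
    param([string]$Extension = '.mht')

    # A per-user choice, when present, wins over the machine-wide association.
    $userChoicePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $userChoice = Get-ItemProperty -Path $userChoicePath -ErrorAction SilentlyContinue

    if ($userChoice -and $userChoice.ProgId) {
        $progId = $userChoice.ProgId
        $source = 'HKCU UserChoice'
    } else {
        # The default value of HKCR\.mht names the ProgID (usually "mhtmlfile").
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
        $source = 'HKCR default'
    }

    if (-not $progId) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null; Command = $null; Source = 'none' }
    }

    # The ProgID's open verb holds the command line that Explorer will execute.
    $cmdPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command; Source = $source }
}

# Check both spellings of the extension; either one reaches the same handler on a default install.
foreach ($ext in '.mht', '.mhtml') {
    $handler = Get-MhtHandler -Extension $ext
    $handler | Format-List

    if ($handler.Command -match 'iexplore\.exe') {
        Write-Warning "$ext files open in Internet Explorer on this host, regardless of the default browser."
    }
}
```

Run it as the user whose association you care about, since the HKCU override is per profile; changing the association is done through Settings > Apps > Default apps (choose defaults by file type) rather than by editing the registry directly.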


Stranger Than Fiction!

When hackers doxx hackers

For a month, a channel served by the messaging service Telegram has been methodically bloodletting a suspected Iranian hacker group known as APT34 or alternately OilRig. The Telegram channel, named Read My Lips (or Lab Dookhtegan in Farsi, which translates roughly to “lips sewn shut”), has seen the systematic leakage of a collection of APT34’s crown jewels, including their tools, the identities and photographs of their alleged hackers, evidence of their intrusion points for 66 victim organizations around the world, and even the IP addresses of Iranian intelligence-controlled servers. It’s unclear who’s doing the dumping and doxing, but their declared motive is exposing Iranian governmental leadership. According to the hackers exposing the hackers, “We are exposing here the cyber tools that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks… We hope that other Iranian citizens will act for exposing this regime’s real ugly face!” Quoting Brandon Levene, head of applied intelligence at the security firm Chronicle, “It looks like either a disgruntled insider is leaking tools from APT34 operators, or it’s a Shadow Brokers–esque sort of entity interested in disrupting operations for this particular group… They do seem to have something out for these guys. They’re naming and shaming, not just dropping tools.”

https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/

Killing the messenger’s messages—twice

Perhaps we’re covering this with a strange degree of risk: a long-established website named TorrentFreak, covering news of P2P and piracy, recently ran a feature story about a new profusion of pirated TV shows. The story named a number of shows whose unreleased episodes were leaked on piracy sites, including “American Gods” from the Starz entertainment network. In an ironic misread of both the story and TorrentFreak’s intentions, Starz reacted by having Twitter take down tweets linking to the story, effectively taking copyright enforcement action on news about copyright infringement. Since TorrentFreak’s article didn’t provide links to any leaked episodes or even mention which sites were hosting the leaked shows, TorrentFreak protested by writing a follow-up article about the takedowns… and then bizarrely saw its protest tweets get taken down as well. Starz’s mistaken overreactions saw wide criticism, including this from the Electronic Frontier Foundation: “The article reported that there are people on the internet infringing copyright, but that’s a far cry from being an infringement itself.” Starz has since apologized, explaining that the “techniques and technologies employed in these efforts are not always perfect, and as such it appears that in this case, some posts were inadvertently caught up in the sweep that may fall outside the DMCA [Digital Millennium Copyright Act] guidelines… That was never our intention and we apologize to those who were incorrectly targeted.”

https://variety.com/2019/digital/news/starz-torrentfreak-tweet-take-down-apology-1203189742//

Why pull a fire alarm when you can pull down a Wi-Fi network?

Some kids reportedly have dogs that eat homework. Some kids somehow get toothaches and phantom illnesses right before midterms. But those are so last century. Two 9th-grade boys at Secaucus High School in Hudson County, New Jersey, used a specially designed denial-of-service app to hammer their school’s Wi-Fi network into submission—all in order to avoid homework and tests. It’s not clear whether the teenage perps were avoiding such schoolwork and exams themselves or on behalf of other students, but their repeated DOS attacks on the school’s Wi-Fi network also blocked the school’s multiple online curricula, along with teachers’ ability to post test results. The environment remained unstable for several days, leading the school administrators to contact the local police, who subsequently identified the duo and arrested them on charges of computer criminal activity and conspiracy to commit computer criminal activity.

https://www.hackread.com/2-students-arrested-for-disrupting-school-wifi-to-skip-exam/

Undercover agent undone by unscheduled event’s unwelcome attendee

We don’t even know where to start with this one, because it gets weirder by the word. Ms. Zhang Yujing, a Chinese citizen, decided to visit the Mar-A-Lago resort in Florida, which is the vacation resort of US President Trump. When she arrived there, she initially claimed that she was only there to swim in the pool, but she changed her story later to attending a United Nations Friendship Event, despite having no swimsuit with her, and also despite that being the event’s wrong name and date. That caught the attention of the US Secret Service, tasked with guarding the American president and his inner circle. The Secret Service arrested Ms. Zhang on charges of lying to a federal officer and entering restricted property, but the mystery doesn’t end there. Instead of a swimsuit, an event invitation and a correctly-dated calendar, she was carrying two Chinese passports, four mobile phones, and a malware-packed USB thumb drive. Back at her nearby hotel, she had other electronic equipment in her room, including a fifth mobile phone, nine more USB thumb drives, five SIM cards, a signal-detection device for finding hidden cameras, and US$8,000 in cash. Apparently not getting a straight answer to explain the odd equipment and claims, a Secret Service agent decided to violate sensible tradecraft in order to determine the contents of the first thumb drive and discovered its malicious payload when he plugged the drive into his PC and it immediately began installing malware files. The story continues to unfold in Florida to this day.

https://www.miamiherald.com/news/local/crime/article228738969.html


Good News

Midwest US city offers residents free internet security training

Back in our final briefing of 2018, we predicted that breach wariness would yield to breach weariness among users, and they’d begin to take back their internet security and privacy. And that’s just what the US city of Aurora, Illinois, is assisting. The hometown of Wayne Campbell is offering city residents a free 8-lesson course in home internet security. Michael Pegues, the city’s Chief IT Officer, explained that his department has “heightened our online security throughout the city and provide(s) ongoing training for all employees… We are encouraging our families to take those same precautions and providing the tools to do so.” The curriculum’s design assists all family members in making solid internet usage decisions. Using examples, the course’s interactive videos demonstrate online dangers, alongside the corresponding measures which families must take to stay safe, covering topics such as Passwords, Keeping Your Identity Safe, Keeping Personal Information Confidential, Protecting Children Online, and Email and Attachments Safety.

https://www.chicagotribune.com/suburbs/aurora-beacon-news/news/ct-abn-aurora-safety-st-0422-story.html

UK businesses & charities prioritize cybersecurity, see fewer cyberattacks

Reports in the UK are showing a refreshing 43% drop in breaches and cyber-attacks on business, comparing year-on-year data. The drop is suspected to stem from tough new data laws under GDPR and the UK’s Data Protection Act, in response to which about a third of businesses and charities have made changes to their cyber security policies and processes. Meanwhile, cybersecurity’s priority is increasing among charities: the share of charities that treat it as a priority has risen over the past year from 53% to 75%, a level equal to that among UK businesses. According to Ms. Margot James, the UK Minister responsible for all things Digital, “it’s encouraging to see that business and charity leaders are taking cyber security more seriously than ever before… We know that tackling cyber threats is not always at the top of businesses’ and charities’ list of things to do, but with the rising costs of attacks, it’s not something organizations can choose to ignore any longer.”

https://www.cybersecurityintelligence.com/blog/attacks-on-uk-business-and-charities-decreasing-4234.html

CryptoPokemon? I choose…free decryption!

Ransomware developers just couldn’t leave a good brand name alone, and now we have CryptoPokemon out in the wild. Having nothing to do with the characters, TV show, or Go game, the ransomware encrypts victims’ files then demands a ransom payment of 0.02 Bitcoin (~US$100) for decryption. But following Pokemon’s Aska Hayashi, victims seemingly just needed to “close your eyes, believe, and make a wish,” because security experts at Emsisoft identified a flaw in the ransomware’s code, allowing them to create and share a decrypter for CryptoPokemon-affected files. You’ll recall Emsisoft from our February briefing’s mention of the Aurora ransomware decrypter, and the CryptoPokemon ransomware decrypter is likewise available for free.

https://securityboulevard.com/2019/04/emsisoft-used-decrypter-on-cryptopokemon-ransomware-its-super-effective/

https://decrypter.emsisoft.com/cryptopokemon

https://www.digicert.com/blog/trends-threats-briefing-february-2019/#GoodNews3

US legislation for federal funding of state/local cybersecurity

We’ve already covered the US Senate’s jealously punitive Corporate Executive Accountability Act earlier in this month’s briefing, but there’s another recent Senate bill which deserves some positive attention. Introduced as the Cyber Resiliency Act, it would direct the Department of Homeland Security (DHS) to fund approved cybersecurity enhancements for state and local governments. If enacted, the Cyber Resiliency Act would allow states to develop and propose cyber resiliency plans with the goal of receiving up to two federal grants to develop those plans. Should a plan meet approval by the secretary of the DHS, the submitting state can apply for grants for implementation. As the populations and budgets of US states vary wildly across the country, the DHS grant funds might seem small for a large state like California, for example. However, the bill allows for grant funds to be specified for local or tribal government usage, which makes the money go further in a targeted area. A corresponding companion bill has been introduced in the US House of Representatives.

https://www.nextgov.com/cybersecurity/2019/04/lawmakers-want-fund-cyber-upgrades-state-and-local-governments/156196/

https://www.scribd.com/document/405089202/Cyber-Resiliency-Act

