Welcome to this month’s news and insights regarding the trends and threats in digital certificates (including TLS, SSL and code signing), plus PKI, IoT, encryption, identity and trust.
Click on any headline below to jump to its summary and external news source.
If you’d prefer having this news presented to you, view/hear the on-demand recorded webcast on the BrightTalk network here. Also check out the rest of our webinars and videos on DigiCert’s channel on the BrightTalk network.
Co-brandable versions and visual/script components are available to DigiCert Certified Partners in .MP4 and .M4A for your own marketing, vlog or podcast usage. Please find a comprehensive kit on our new DigiCert Partner Portal at digicertpartners.com, or reach out to your regional partner marketer contact for details.
(in)$€¢ure£¥ – The financial impact of (in)security
Up Next – Trends and industry buzzwords
Hash – News that’s fit to cover, but doesn’t fit above
Stranger Than Fiction!
>11% of financial services sites collect data without HTTPS, more
Over 11% of active websites of legitimate financial services organizations are insecurely collecting site visitors’ personally identifiable information (PII) during login & data entry. According to research by RiskIQ, those lapses are primarily in using HTTP instead of HTTPS, collecting data in clear text, and using expired or misconfigured TLS/SSL certificates. Quoting RiskIQ vice president Fabian Libeau, “This research shows that organizations are continuing to make progress in ensuring that personal data entered online is collected in a secure manner… However, that we still see instances serves to highlight that there is more to be done. Most organizations are continuing to expand their web presence and it’s vitally important that they maintain a complete inventory of those sites and the PII collecting pages they contain.”
Firefox add-ons wiped out by expired intermediate …of code signing certs
Earlier this month, users of Mozilla Firefox (as well as browsers based upon Firefox, like the Tor Browser) were alarmed to discover that their add-ons “could not be verified for use in Firefox” and were disabled. This was all thanks to the expiration of the code signing intermediate certificate used to sign Firefox add-ons. Worse, user attempts to reinstall the add-ons from their official Mozilla source were greeted with “Download failed. Please check your connection.” Until the add-on signatures could be re-chained to an active, different or cross-signed intermediate, several user workarounds surfaced, including manually backdating the system clock to a date before May 4, installing Firefox Nightly or Developer builds, enabling add-on debugging, or signing up for Mozilla Studies and seeking certain hotfixes.
Firefox adds intermediate pre-fetching …for TLS/SSL certs
Mozilla announced it will enable preloading of intermediate TLS & SSL certs in Firefox, assuming those intermediates were disclosed as part of Mozilla’s CA program. For as long as we can recall, missing (uninstalled) intermediates have remained among the top drivers of TLS & SSL tech support requests. As a result, the time saved in troubleshooting is complemented by avoiding multiple extra network requests to download missing intermediate certificates.
Cert-related outages affect enterprise-critical services & customer experience
A recent Venafi study of over 500 CIOs from Australia, France, Germany, the UK and the US revealed rather prominent impacts and attitudes surrounding digital certificate outages. The study found that 60% of organizations experienced certificate-related outages impacting business-critical services or applications within the past year, and that percentage shot up to 74% for the past two years. Mind you, such outages harm the reliability and availability of entire enterprise environments, not just the servers on which the certificates are used. Frighteningly, 85% of the CIOs studied believe that the increasing intricacies of interconnected IT systems will make these outages even more painful in the future, and a majority of those CIOs are concerned that such outages will have an impact on customer experience. Kevin Bocek, vice president, security strategy and threat intelligence at Venafi, commented “Ultimately, companies must get control of all of their certificates; otherwise, it’s simply a matter of time until one expires and causes a debilitating outage.” At DigiCert, we agree, and would love to help organizations of any size discover, control and automate their certificate inventories.
Value costs of average megabreach: US$5.4B market cap loss + 7.5% stock price drop
CASB vendor Bitglass released their “Kings of the Monster Breaches” report, which analyzed the top 3 breaches from each of the past 3 years, and the average effects of a megabreach are staggering. One figure which jumps out is the average cost of US$347M, which doesn’t necessarily include any associated penalties from violating the EU GDPR as a result of a breach’s revelation. That cost also doesn’t necessarily include the subsequent drop in the breached company’s public stock price, which averaged a shocking 7.5% and equated to a mean loss of US$5.4B in market capitalization. According to Rich Campagna, CMO at Bitglass, “The largest breaches over the past three years have caused massive and irreparable damage to large enterprises and their stakeholders around the globe. This should serve as a stark warning to organizations everywhere. If massive companies with seemingly endless resources are falling victim to external attacks, then companies of all sizes must remain vigilant in their cybersecurity efforts. It is only by taking a proactive approach to security that breaches can be prevented, and data can truly be kept safe.”
US$1.3B and climbing: Costs to Equifax for 2017 breach
Among the most notable of the last few years’ megabreaches was the devastating one incurred by Equifax in 2017. The costs of that breach haven’t stopped rising, and now they total over US$1.3B “related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations”, according to Equifax’s Q1 2019 earnings statement. According to Infosecurity Magazine, “the latest revelations can be seen as a cautionary tale of what happens when organizations fail to implement adequate cybersecurity.”
US businesses lost US$2.7B to cybercrime in 2018
The annual Internet Crime Report from the United States Federal Bureau of Investigation (FBI) reveals that cyber-attacks on American organizations by overseas criminals and terrorists, together with other cyber-crime, drove a collective US$2.7B in costs in 2018. Among the 20,000+ cybercrime complaints received by the FBI, the most frequently reported complaints from consumers were for non-payment/non-delivery scams, extortion, and personal data breaches – but that’s not what cost businesses the most. Organizations reported that business email compromise (BEC), confidence fraud where identity and trust were faked, and investment scams were the costliest. As we’ve reported in previous Trends & Threats Briefings, hackers can make a good living, exemplified by a New Jersey town paying $1 million to a fraudulent account over a BEC scam, although those funds were eventually frozen and returned. “Our No. 1 piece of advice to companies would be to have an incident response plan … and No. 2, and probably very close second if not tied, is to notify us,” said Amy Hess, executive director of the FBI’s Criminal, Cyber, Response and Services branch.
US legislators increase Quantum R&D funding by 10%
The United States Congress’ House Appropriations Committee boosted the American National Institute of Standards & Technology (NIST) 2020 funding for research and development in AI, cybersecurity, quantum computing, 3D printing, and 5G telecommunications. These 5 technologies were already slated to receive US$611M in funding as requested by American President Trump, but the congressional committee generously increased them to US$751M – nearly ¾ of NIST’s total appropriation – as they’re considered critically important by the Defense Department and Intelligence Community. In particular, funding for quantum computing information science was funded at “no less than” $8 million above the 2019 level… to support and expand basic and applied quantum information science and technology research and development (R&D) of measurement science and standards – and to expand NIST collaboration with industry, universities, and federal laboratories.
FCC proposes default blockage of robocalls
As automated SPAM phone calls, aka robocalls, are on the rise, the American Federal Communications Commission wants to make it legal for phone companies (including wireline and wireless carriers) to block unwanted robocalls by default. If a circulated FCC ruling is adopted, American telephony carriers would be permitted to develop robocall blocking tools. One method in particular, known by its acronym “STIR/SHAKEN”, is modeled after the way TLS/SSL certificates are used to tell a browser’s user “yes, this really is the site you think it is.” While testing and implementation of STIR/SHAKEN are underway, there’s already anticipation of two other pages torn from the TLS playbook: the need for uniform trust indicators in phone user interfaces, and the need for carriers to agree upon those trust indicators. Knowing how difficult it’s been to drive uniform meaning and signaling of security and trust in web browsers, perhaps phone OS & app developers and phone carriers can build exemplary best practices for collaboration.
Cybersecurity budgeting’s future: CxO/IT collaboration & prioritized investments
Organizations worldwide are increasing their cybersecurity budgets – and striving to keep company leadership and cybersecurity staff on the same page – in order to remain compliant and decrease incident response times. Corporate investments in cybersecurity budgets increased 141% between 2010 and 2018, with an expectation of reaching a total of US$124B globally in 2019, and onwards to US$133.7B in 2022, according to security vendor Varonis. However, those worldwide totals would need to be considerably higher to get corporate IT professionals to feel as confident about their implemented cybersecurity solutions as their C-level executives do: fully 60% of CxOs believe that current solutions are doing a complete or excellent job of keeping organizations safe, but only 29% of IT professionals in those organizations believe so. Several efforts and tips are noted in the Varonis report, prioritizing regular reporting and investing towards protecting the most sensitive data and against advanced threats.
How to clash with a (Google) Titan
Thanks to a misconfiguration found in Titan, Google’s Bluetooth Low Energy 2FA security key product, attackers within 30 feet could hijack the Titan by exploiting the key or the device to which the key is paired. There’s a slice of time between when a Titan user presses its single activation button to identify himself or herself and when that identification is received by a paired device, and that slice is just big enough for a nearby attacker to connect their own device instead. Since this is 2FA and the Titan fulfills the “something you have” role, the attacker would still need to fulfill the “something you know” role by already having the associated user’s username and password. Titans vulnerable to the attack are back-labeled “T1” or “T2”, and affected users can get a replacement for free from Google.
Gmail supports MTA-STS & TLS Reporting; first among major email providers
In a reminder that TLS isn’t only valuable between web servers and browsers, Google’s free webmail product Gmail became the first major email provider to support the MTA-STS and TLS Reporting technologies, which let two email providers connect securely while exchanging emails and avoid man-in-the-middle attacks in the process. MTA-STS requires the sending mail server to make a secure TLS connection to a web server for the receiving domain and fetch a policy file from it; that file lists which MX servers are allowed for the domain. To learn whether those connections actually succeeded or failed, TLS Reporting lets a domain request reports from sending email servers about the delivery of its emails.
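To make the MTA-STS mechanics concrete, here is an added example (not Gmail’s or DigiCert’s code) that parses a policy file of the kind served at https://mta-sts.&lt;domain&gt;/.well-known/mta-sts.txt, parses the accompanying `_mta-sts` and `_smtp._tls` TXT records, and decides what a sending mail server should do with a given MX host. The policy text, TXT records and host names for example.com are constructed sample data; the HTTPS fetch and DNS lookups are left out so the example runs offline.

```python
"""MTA-STS (RFC 8461) policy checks and TLS-RPT (RFC 8460) record parsing.

Added illustration, not production code. Inputs below are constructed
sample data for the fictional domain example.com.
"""

# Constructed sample: the policy a sending MTA would fetch over HTTPS from
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

# Constructed sample TXT records (_mta-sts.example.com, _smtp._tls.example.com)
SAMPLE_STS_TXT = "v=STSv1; id=20190510T120000;"
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"


def parse_policy(text):
    """Parse the key/value policy file into a dict ('mx' collects a list).
    Raises ValueError for a policy a sending MTA must not rely on."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % line)
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be an integer number of seconds")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy lists no mx hosts")
    return policy


def parse_tagged_record(txt):
    """Parse the 'k=v; k=v' TXT record syntax shared by MTA-STS and TLS-RPT."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def mx_allowed(mx_host, policy):
    """True if mx_host matches an 'mx' entry. A leading '*.' matches exactly
    one DNS label (RFC 8461 section 4.1); no other wildcard form is allowed."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]            # e.g. ".backup-mx.example.net"
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
        elif host == pattern:
            return True
    return False


def delivery_decision(mx_host, policy, tls_ok):
    """Sending-side decision per RFC 8461 section 5. tls_ok stands for a
    successful STARTTLS handshake with a certificate valid for mx_host.
    Returns 'deliver', 'deliver-and-report' (testing mode) or 'refuse'."""
    if policy["mode"] == "none" or (mx_allowed(mx_host, policy) and tls_ok):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_tagged_record(SAMPLE_STS_TXT).get("id"))
    print("report to:", parse_tagged_record(SAMPLE_TLSRPT_TXT).get("rua"))
    for mx, tls in [("mail.example.com", True), ("mail.example.com", False),
                    ("mx1.backup-mx.example.net", True), ("evil.example.com", True)]:
        print(mx, "tls_ok=%s ->" % tls, delivery_decision(mx, pol, tls))
```

The `mode: testing` branch is where TLS Reporting earns its keep: deliveries that would have been refused under `enforce` still go through, but the failure is included in the aggregate report sent to the `rua` address, so a domain can find misconfigured MX hosts or certificates before switching to `enforce`.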
Inception Bar fakes legitimate URL – and security indicator
Independent security researcher James Fisher discovered a method for twiddling a mobile browser’s address bar behavior such that its URL and its HTTPS security indicator can be faked. Calling the method “the inception bar”, Fisher demonstrated the hack against Chrome on mobile: when the user scrolls down on a webpage, the browser automatically conserves space by hiding the URL bar and handing the URL bar’s screen space over to the web page’s control – and that’s when a phishing site can pose as a different site by displaying an inception bar. In Fisher’s example, he popped up an image of a legitimate address bar accessing the HSBC bank website as the inception bar. With the user visually convinced that they’re on the inception bar’s claimed website, Fisher was able to trick Chrome so that it never re-displays the true URL bar. The user should be able to scroll to the top of the webpage (at which point Chrome should re-display the URL bar), but by inserting a very tall padding element at the top of the page, an attacker could automatically scroll them back down to the start of the spoofed content – and atop that content is the spoofed site’s inception bar. The only time the user can verify the true URL is when the page first loads, specifically before they scroll down the page.
Stranger Than Fiction!
Download this seal & upload your keystrokes
The Best of the Web, a portal site self-described as the Internet’s oldest directory, offers a security seal for a fee. Imagine their surprise to discover that Willem de Groot, a Dutch forensic analyst, reported that the Best of the Web security seal had been hacked. Twice. And as a result, was infected with 2 different Trojans – which were both keyloggers. Although the irony of it had many snickering away, the Best of the Web didn’t find it so funny that the script they used to display their seals from their Amazon S3 bucket had been compromised. Great trust requires great security and great validation, so the Best of the Web got busy mopping all that up.
Pay Over Time might soon also allow “Pay Across Space”
Remember when Wimpy (from old Popeye cartoons) would issue verbal IOUs with the line “for which I will gladly pay you Tuesday?” Professor Adrian Kent of Cambridge University has drafted a theoretical framework for a new quantum-computing-resistant type of money which greatly expands when and even where Tuesday might be. The new type of money allows users to make monetary, payment and value decisions based on information arriving at different locations and times. According to Professor Kent, “instead of something that we hold in our hands or in our bank accounts, money could be thought of as something that you need to get to a certain point in space and time, in response to data that’s coming from lots of other points in space and time”. By harnessing both quantum theory and relativity, the theoretical framework (called ‘S-money’) could conceivably make it possible to conduct commerce clear across our Solar System. If you have an interstellar debtor coming after you (or if you plan to), S-money might be the thing for you. Until then, researchers plan to test its practicality here on Earth, although there’s already suspicion that S-money will need the very quantum computing power which it would probably be able to resist. …and how that even makes sense is why some people are professors, while others get to convey interesting news to you.
Why steal lunch money when you can steal lunch data?
Back when we were young, our moms would pack our lunches every day before school, and they’d have to pack things we liked and avoid things we’d throw away or (worse) bring home uneaten. Now there are companies which take all that off mom’s hands. And in this case, they’ve also kinda taken the role of schoolyard bully by stealing lunch valuables – except in this day and age, it’s lunch data. Keith Wesley Cosbey of California company Choicelunch is accused of hacking the website of San Francisco Bay Area competitor The LunchMaster to steal the lunch data of hundreds of students, with the suspected intention of sending the information to the governmental department responsible for school lunch programs, all in order to weaken or discredit The LunchMaster. But the Choicelunch hacker didn’t realize that sending the data to a governmental department was effectively a breach notification, to which the California Department of Education responded by notifying the breach victim. The LunchMaster tracked the intruder via IP address to the physical address of Choicelunch, reported things to the FBI, and now Mr Cosbey faces up to 3 years in prison if found guilty. Commenting on the accused being a CxO, San Mateo County’s deputy district attorney Vishal Jangla said, “Someone who’s an executive… It’s a first for me.”
Flak whack-back at hack attack
Sometimes what’s strange isn’t actually funny, but it nevertheless makes you blink very hard. In the past, we’ve covered national cyber defense policies about hacking back. In the first report of its kind ever, a country’s military has answered a cyberattack with a physical counterattack. The Israel Defense Forces (IDF) responded to an alleged digital incursion by their nemesis Hamas, aimed at “harming the way of life of Israeli citizens” according to the commander of the IDF’s cyber division. The Israeli IDF didn’t hack back; instead, they pounded the Hamas building from which the cyber combatants launched their attack. Referencing the electronic investigative prowess needed to locate the hacktion perpetrators, the security head of AmTrust Europe stated that “Israel would not have targeted the building and presumably those in it without a lot more due diligence and intelligence than ‘a cyber-attack was coming from the building.’”
ARIN whacks IP address scams – and 758K fraudulently-obtained IPv4 addresses
The American Registry for Internet Numbers (ARIN) has discovered (and has since revoked) nearly 758,000 IPv4 addresses which had been fraudulently obtained in a 2018 cybercrime scheme. Two unnamed parties created an entity called Channel Partners “which purported to consist of several individual businesses, all of whom acquired the right to IP addresses from (ARIN)”, according to the US Department of Justice. With a value of between about US$10M and US$14M, the IPv4 addresses were mostly resold to spammers by Channel Partners, which was charged in United States federal court with 20 counts of wire fraud and ordered to pay ARIN US$350,000 to recoup legal fees. ARIN’s President and CEO stated, “Fraud will not be tolerated. The vast majority of organizations obtain their address space from ARIN in good faith according to the policies set out by the community. …We are stepping up our efforts to actively investigate suspected cases of fraud against ARIN and will revoke resources and report unlawful activity to law enforcement whenever appropriate.”
New CPU architecture outsmarts hackers with unpursuable moving target
Researchers at the University of Michigan in the United States have developed a new computer processor architecture which can block every known variant of control-flow attacks (among hackers’ most dangerous and widely used techniques); in turn, the architecture’s methodology renders the current electronic security model of reporting-and-patching obsolete. The architecture blocks potential attacks by encrypting and randomly reshuffling key bits of its own code and data 20 times per second – that’s thousands of times faster than the most advanced current hacking techniques. The developer of the architecture, Todd Austin, commented “even if a hacker finds a bug, the information needed to exploit it vanishes 50 milliseconds later. It’s perhaps the closest thing to a future-proof secure system. Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink.”
IoT, phone home? See who’s calling who.
Princeton University has released a nifty app for Apple macOS called IoT Inspector, which easily generates a list of all IoT devices on your home network, along with their names. Moreover, IoT Inspector determines whether and when those devices communicate with an external server, plus it reveals whether the data is encrypted in transit. Obviously IoT Inspector can expose whether any unknown devices or rogue services are using your network. However, crafty thinkers at Gizmodo have theorized that the software can also sniff out hidden cameras at shared lodging locations such as Airbnbs, assuming the temporary tenant has access to the rental’s Wi-Fi network. Princeton IoT Inspector is free.