Tag Archives: edward snowden

Hackers Turn HTTPS to Their Advantage

Encryption is a two-edged sword. Over the past few years, the tech sector—led by Google, Facebook and Twitter—has implemented a form of encryption to help secure virtually all of our online searches, social media banter and mobile apps.

When you search for something or use social media online, a robust form of encryption protects your data from being intercepted. It is called HTTPS, for Hypertext Transfer Protocol, with an “S” added to indicate security.

HTTPS has been used since 1994, primarily to protect online financial transactions. But now the tech giants are highly motivated to keep consumers’ trust level high in the murky internet. So they are leading the charge to spread HTTPS usage far and wide. And, generally speaking, that’s a very good thing.

Many government, healthcare and media websites have now jumped on the HTTPS bandwagon, in no small part due to the post-Edward Snowden-era demand for privacy. There’s still a long way to go. But even wider business use of HTTPS to protect sensitive data is inevitable.

But here is where the sword cuts the other way: Hackers have discovered that HTTPS is a perfect mechanism for helping them dodge detection.

See also: When Hackers Take the Wheel  

A recent report from A10 Networks and the Ponemon Institute shows that perhaps as many as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.

Backdoor for criminals

Because firewalls, antimalware suites and intrusion detection systems have not been tuned to this trick, the effect is that criminals are using HTTPS to subvert powerful technology that has taken decades for the good guys to disperse widely.

Most advanced sandboxing technologies and behavior analytics tools are not currently configured to detect and neutralize HTTPS-cloaked malicious traffic. Thus, technology that companies have spent billions to install is being subverted by cyber criminals’ use of HTTPS.

“Sadly, enterprise spending on sexy security systems is completely ineffective to detect this kind of malicious activity,” says Kevin Bocek, security strategist at Venafi, a supplier of encryption-related technologies. “A cyber criminal using encrypted traffic is given a free pass by a wide range of sophisticated, state-of-the-art security controls.”

The A10/Ponemon report outlines how criminals are using HTTPS to go undetected as they carry out phishing and ransomware campaigns, take control of network servers and exfiltrate data. Of the more than 1,000 IT and IT security practitioners surveyed, some 80 percent acknowledged that their organizations had sustained a cyber attack in the past year, and nearly half said their attackers had used encryption to evade detection.

Reading the contents of web traffic

The good news is that there is technology already on the market that can look one level deeper into network traffic to spot malicious, or suspicious, HTTPS content. The technique is called HTTPS deep-packet inspection.

“This is relatively new technology that has been out for about four or five years now,” says Corey Nachreiner, chief technology officer at WatchGuard Technologies. “There are many organizations that don’t have this HTTPS inspection capability yet, so they’re missing around half the attacks out there.”

This is just one more example of why businesses of all sizes need to stay abreast of how cyber criminals innovate to stay one step ahead.

Businesses must set up defense

Small and midsize businesses should begin looking into adding HTTPS protection. This can be done directly on premises or via a managed security services provider. For SMBs, there are many credible security vendors out there worthy of review. But you have to commit to doing the due diligence.

Large enterprises face a bigger challenge. HTTPS uses Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to encrypt traffic. This revolves around the issuing and managing of encryption keys and digital certificates at a scale that can stir confusion in big companies.

See also: 6 Tricks and Tools for Securing Your Data  

“The challenge of gaining a comprehensive picture of how encryption is being used across the enterprise and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations,” Venafi’s Bocek says. “Insufficient resources and automated controls are creating a nearly insane situation.”

Again, the good news is that technology to efficiently address this emerging exposure is available. First comes awareness of the problem, followed by continual due diligence by company decision-makers to defend their organization’s digital assets.

3 Ways to Protect Sensitive Messages

“Delete this email if you are not the intended recipient.”

That and similar language theoretically sounds imposing but essentially does nothing to protect sensitive data from any nefarious actors who view it (though they may get a good chuckle before reading the email).

Yet almost 90% of attorneys surveyed by LexisNexis for a study it published in May 2014 on law firm security acknowledged using email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk that someone other than a client or privileged third party could gain access to shared documents. Yet only 22% use encrypted email, and 13% use secure file sharing sites, while 77% of firms rely on the effectively worthless “confidentiality statements” within the body of emails.

Technology Basics

To explain the right approach, I need to start with some technology basics.

How does email actually work?

By its nature, email is not a terribly secure way to share information. When you send an email, it goes through a powerful, centralized computer called a server on its way to a corresponding email server associated with the recipient’s computer or mobile device. The email passes through any number of servers along the way, like a flat stone skipping across a pond. If that email isn’t encrypted, anyone with access to any one of those servers can read it.

What is encryption?

Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long string of characters) is used to scramble the text, pictures, videos, etc. into the ciphertext. Depending on how the encryption is set up, either the same key (symmetrical encryption) or a different key (asymmetrical encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken, as well).

Three Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This approach is referred to as end-to-end encryption.

Until fairly recently, email encryption has been a somewhat technical and cumbersome process, often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now, there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of disclosures made by Edward Snowden.

When choosing one, be mindful of where the service you use is located (including where the servers handling the emails on the system actually are). Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after Snowden’s revelations came to light, federal law enforcement forced Lavabit to secretly turn over the encryption keys safeguarding its users’ private communications. Lavabit’s founder tried to resist but was overwhelmed in federal court.  As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order). In addition, email service providers can legally read any email using their systems under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act. Moreover, emails remaining on a third-party server for more than 180 days are considered abandoned. Any American law enforcement agency can gain access to them with a simple subpoena.

Accordingly, if you choose to use a service based in the U.S. or another jurisdiction with similar privacy protections, be mindful of who controls the encryption keys.

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place communication and files in encrypted cloud storage and allow the client or third party to have password-protected access to them. Rather than a direct email with possible attachments, the client or third party would receive a link to the securely stored data. The cloud service you select should be designed for security. Before you ask: DropBox and Google Drive would not be suitable options. There are a number of services offering well-protected cloud storage, and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place communications and files in a secure portion of your firm’s network that selected clients and privileged third parties can access. As with the secure cloud storage option, the email sent to the client or third party would have a link back to the secure Web portal’s log-in page. An advantage to this approach is that the communications and files do not actually leave your computer network and should be easier to protect.

An additional consideration: A government snoop or competent hacker doesn’t necessarily have to target a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed using a mobile device or computer that has been compromised. The same holds true for intercepting a message before it’s encrypted initially. What steps can you take to protect yourself? The software on any computer or other device that can potentially access confidential data should be kept as up-to-date as possible. Devices should be protected against possible data loss if they are lost or stolen. And all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide perfect security. But there are genuinely helpful steps that you can take to better protect your electronic communications and keep your sensitive data confidential.