
The Problems With Encryption

Newly released findings from the Ponemon Institute and A10 Networks reveal that nearly half of cyber attacks in the past 12 months used encryption to evade detection and distribute malicious software. These findings challenge how we think about the powerful technology we use to protect privacy, security and authenticity. They also demonstrate very effectively how this security technology has been subverted into a powerful weapon for cyber criminals.

This research is another damning piece of evidence that a significant chunk of enterprise security spending is not effective. Possibly half, or even more, of our security technology does little to identify attackers hiding inside encrypted traffic. And because the increasing regulations around encryption will keep driving up the volume of encrypted traffic, the number of opportunities for attackers to hide in plain sight keeps growing with it. We’re fixing one illness but creating a new disease.


Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), encrypt traffic. TLS and SSL turn on the padlock in our web browsers—they are the most widely relied upon indicators for consumers that a transaction is “secure.” This technology is used to hide data traffic from would-be hackers, but it also hides data from the latest, hot-selling security tools.

Because businesses now are being required to turn on encryption by default, encryption keys and certificates are growing at least 20% year over year—with an average of 23,000 TLS/SSL keys and certificates now used in the typical Global 2,000 company.

Volume overwhelms security efforts

As enterprises add more keys and certificates and encrypt more traffic, they are increasingly vulnerable to malicious encrypted traffic. Administrators simply do not have the tools to keep up with the growing number of keys and certificates. Venafi customers reported finding nearly 16,500 unknown TLS/SSL keys and certificates. This discovery represents a huge volume of encrypted traffic on their own networks that organizations don’t even know about.

Sadly, enterprise spending on next-generation firewalls, sandboxing technologies, behavior analytics and other sexy security systems is largely ineffective against this kind of malicious activity, for a simple reason: those tools can only analyze what they can read.

What does a next-generation firewall or sandbox system do with encrypted traffic it cannot decrypt? It passes the traffic straight through. If a cyber criminal’s malware download, or any other malicious session, travels inside a TLS connection the inspection point holds no key for, the attacker is given a free pass by a wide range of sophisticated, state-of-the-art security controls.
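To make the blind spot concrete, here is an added example (not code from the original article or from any vendor it mentions) of what a passive inspection point can still see in a session it has no key for. The only cleartext message a TLS client sends is its ClientHello; the code below parses that record, pulls out the Server Name Indication (SNI) and matches it against a watchlist. Everything after the handshake is ciphertext, so the sensor can only answer "opaque". The ClientHello bytes and the watchlist entry are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with ALPN and SNI extensions.

    Constructed sample traffic for this example, not a packet capture.
    """
    host = server_name.encode("ascii")
    # ALPN extension placed first so the parser has to skip an unrelated extension
    alpn_list = b"\x08http/1.1"
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    alpn_ext = struct.pack("!HH", 0x0010, len(alpn_body)) + alpn_body
    # server_name extension: list_len, name_type (0 = host_name), name_len, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    extensions = alpn_ext + sni_ext
    body = (
        b"\x03\x03"                       # client_version: TLS 1.2
        + b"\x11" * 32                    # client random (fixed for the example)
        + b"\x00"                         # session_id length: 0
        + b"\x00\x04\xc0\x2f\xc0\x30"     # two cipher suites
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None.

    Malformed or truncated input is treated as "nothing visible" rather than
    an error, which is how an inline sensor has to behave.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None                                   # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None                                   # ServerHello, Certificate, ...
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                      # client_version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(body))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SERVER_NAME and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def inspect_record(record: bytes, watchlist) -> str:
    """The verdict a passive sensor can reach without the session key."""
    name = extract_sni(record)
    if name is None:
        return "opaque"          # ciphertext or no SNI: nothing to match on
    return "alert" if name.lower() in watchlist else "allow"


# Constructed watchlist entry for the example; not a real indicator.
WATCHLIST = {"malware-staging.example"}

if __name__ == "__main__":
    for host in ("www.example.com", "malware-staging.example"):
        print(host, "->", inspect_record(build_client_hello(host), WATCHLIST))
    # An application_data record (type 0x17) is ciphertext: the sensor sees nothing.
    print("app data ->", inspect_record(b"\x17\x03\x03\x00\x05hello", WATCHLIST))
```

Two caveats a practitioner should keep in mind: the SNI is supplied by the client, so malware is free to omit it or to send a plausible name, and the handshake says nothing about the payload that follows. Anything beyond this level of visibility requires terminating the TLS session at the inspection point with the organization's own keys and certificates, which is exactly the inventory problem the rest of the article describes.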

Inspection a formidable task

The hard work of SSL/TLS inspection is at the core of today’s cybersecurity dynamics, but it remains largely overlooked in most enterprises. The challenge of gaining a comprehensive picture of how encryption is being used across enterprises and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations.


Throw in the challenge of keeping keys and certificates updated as they are renewed and replaced, and most enterprises can’t keep up. Even if multiple full-time employees are applied to the problem, they won’t be able to move at a pace that will enable them to identify bad guys hiding in encrypted traffic.

Unfortunately, as an industry we continue to ignore this gaping blind spot. For example, when the federal government’s chief information officer issued requirements for protecting all government websites with HTTPS by Dec. 31, 2016, no guidance was provided on how to defend against cyber crime that uses encryption as an attack vector.

As an industry, we’ve got to acknowledge and eliminate this blind spot. We need to be able to inspect traffic and automate the secure issuance and distribution of keys and certificates. The technology is available to solve these problems so we can use encryption safely.

But before we can solve any problem we first need to admit that we have one.

This article was written by Kevin Bocek and originally appeared on ThirdCertainty.

IRS Is Stepping Up Anti-Fraud Measures

The Internal Revenue Service is taking as long as 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up anti-fraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low-income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.


And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed fairly basic security checks, such as email authentication and SSL/TLS configuration.


Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100% of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or didn’t support current secure protocols; one provider had not adopted an extended validation (EV) SSL certificate, which the audit counted against it. Note that an EV certificate only changes how the browser displays the site’s verified identity; it does not by itself stop a look-alike domain from being set up to spoof the site, so the misconfigurations and outdated protocols are the more serious findings.

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46% failure rate as the free e-filing services audited by OTA.

Personal information trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out that it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that, this year, 80% of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400% increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as IRS.gov or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared with 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to act on a request, such as sending employee tax records.


Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs comprised the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks do not carry any viral attachments or bad URLs that can be detected. Yet they have proven to be very effective at duping the recipient into forwarding files containing employees’ W-2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.
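Because these lures carry no attachment or link, detection has to come from the message headers and the request itself. The following is an added example, not code from the article or from Agari, of the kind of heuristic a mail gateway can apply: an executive’s display name on a foreign address, a sender domain within a couple of edits of the company’s own, a Reply-To that quietly redirects the conversation, and a request for payroll or tax records. The company domain, executive roster and the three sample messages are all constructed for the example.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                                # assumed protected org
EXECUTIVES = {"dana patel": "dana.patel@example.com"}         # constructed roster
SENSITIVE_REQUESTS = ("w-2", "w2", "payroll", "social security")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def score_message(msg: dict):
    """Return (score, reasons) for a message given as a dict of headers plus 'body'.

    Deliberately ignores attachments and URLs: the lures described above carry none.
    """
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))

    # 1. Display name of a known executive, but not their real address
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name with foreign address")

    # 2. Sender domain within two edits of ours (exarnple.com, examp1e.com, ...)
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append("look-alike sender domain: " + from_dom)

    # 3. Replies silently routed somewhere else
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")

    # 4. Asks for the data these campaigns are after
    text = (msg.get("Subject", "") + " " + msg.get("body", "")).lower()
    if any(k in text for k in SENSITIVE_REQUESTS):
        reasons.append("requests payroll or tax records")

    return len(reasons), reasons


def verdict(msg: dict) -> str:
    score, _ = score_message(msg)
    return "quarantine" if score >= 2 else "deliver"


# Constructed sample messages for the example.
MSG_BEC = {
    "From": "Dana Patel <dana.patel@exarnple.com>",
    "Reply-To": "dana.patel@freemail-provider.example",
    "Subject": "Quick request",
    "body": "I need the W-2 forms for all employees sent to me as a PDF today. In a meeting, can't talk.",
}
MSG_LEGIT = {
    "From": "Dana Patel <dana.patel@example.com>",
    "Subject": "Board deck",
    "body": "Please send the Q1 board deck when it is ready.",
}
MSG_VENDOR = {
    "From": "Payroll Portal <noreply@payroll-vendor.example>",
    "Subject": "Your W-2 is now available",
    "body": "Log in to the portal to download your form.",
}

if __name__ == "__main__":
    for label, m in (("bec", MSG_BEC), ("legit", MSG_LEGIT), ("vendor", MSG_VENDOR)):
        print(label, verdict(m), score_message(m)[1])
```

The two-edit threshold on the domain check will flag some legitimate short domains, so in practice the look-alike list is tuned per organization. Note also that a look-alike domain registered by the attacker can carry a perfectly valid SPF record of its own; email authentication only stops exact-domain spoofing, which is why the header and content signals above are needed alongside it.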

Basic security helps

According to the OTA, 92% of the publicly reported breaches in 2015 could have been prevented. Take email authentication. It is a basic security control that stops a domain’s email from being spoofed. The OTA-audited e-filing services that didn’t use it are contributing to the problem.

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.
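What “email authentication” amounts to, at minimum, is a published SPF record that says which hosts may send for the domain and a DMARC policy that tells receivers what to do when a message fails. As an added example, not from the article or from OTA’s audit, the Python below evaluates the SPF mechanisms that matter most (ip4, ip6, include, all) and looks up the DMARC policy, running against constructed DNS TXT records for hypothetical domains. It simplifies real DMARC, which also accepts an aligned DKIM signature; the point is to show why a domain with no records at all can be impersonated freely.

```python
import ipaddress

# Constructed DNS TXT data for hypothetical domains; not real records.
DNS_TXT = {
    "efile.example": ["v=spf1 ip4:198.51.100.0/24 include:mail.example -all"],
    "mail.example": ["v=spf1 ip4:203.0.113.10 ~all"],
    "_dmarc.efile.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@efile.example"],
    "noauth.example": [],          # publishes nothing: the gap the OTA audit flags
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str):
    for txt in DNS_TXT.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF record.

    Handles ip4, ip6, include and all; a, mx, exists and redirect= are skipped here.
    Returns pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:
        return "permerror"                    # RFC 7208 lookup limit
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_policy(domain: str):
    """Return the p= tag of the domain's DMARC record, or None if it has none."""
    for txt in DNS_TXT.get("_dmarc." + domain, []):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "none").strip().lower()
    return None


def receiver_disposition(mail_from_domain: str, sender_ip: str) -> dict:
    """What a receiving MTA does with a message claiming this sender domain.

    Simplified: real DMARC also passes on an aligned DKIM signature.
    """
    spf = spf_check(mail_from_domain, sender_ip)
    policy = dmarc_policy(mail_from_domain)
    if spf == "pass":
        action = "accept"
    elif policy in ("reject", "quarantine"):
        action = policy
    else:
        action = "accept"       # unauthenticated mail still delivered: spoofable
    return {"spf": spf, "dmarc": policy, "action": action}


if __name__ == "__main__":
    # A phishing host at 192.0.2.1 pretending to be each domain
    print("efile.example  ->", receiver_disposition("efile.example", "192.0.2.1"))
    print("noauth.example ->", receiver_disposition("noauth.example", "192.0.2.1"))
```

Run against the constructed data, a message forged from 192.0.2.1 in the name of efile.example fails SPF and is rejected under its p=reject policy, while the same forgery in the name of noauth.example is delivered, because there is nothing for the receiver to check. Publishing the records is the cheap part; the operational work is keeping the SPF list in step with every third-party sender the business uses and moving DMARC from p=none to p=reject once the reports show nothing legitimate is failing.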

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast, and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”

This article was written by Third Certainty’s Rodika Tollefsen.