Hackers Turn HTTPS to Their Advantage

Encryption is a two-edged sword. Over the past few years, the tech sector—led by Google, Facebook and Twitter—has implemented a form of encryption to help secure virtually all of our online searches, social media banter and mobile apps.

When you search for something or use social media online, a robust form of encryption protects your data from being read or altered in transit. It is called HTTPS, for Hypertext Transfer Protocol with an “S” added for “secure”: ordinary HTTP carried inside a Transport Layer Security (TLS) session, so that an eavesdropper on the network can see which server you are talking to and roughly how much data moves, but not the requests, pages or passwords themselves.

HTTPS has been used since 1994, primarily to protect online financial transactions. But now the tech giants are highly motivated to keep consumers’ trust level high in the murky internet. So they are leading the charge to spread HTTPS usage far and wide. And, generally speaking, that’s a very good thing.

Many government, healthcare and media websites have now jumped on the HTTPS bandwagon, in no small part due to the post-Edward Snowden-era demand for privacy. There’s still a long way to go. But even wider business use of HTTPS to protect sensitive data is inevitable.

But here is where the sword cuts the other way: Hackers have discovered that HTTPS is a perfect mechanism for helping them dodge detection.

A recent report from A10 Networks and the Ponemon Institute shows that perhaps as many as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.

Backdoor for criminals

Because firewalls, antimalware suites and intrusion detection systems match their signatures against plaintext, an HTTPS session is opaque to them unless someone decrypts it at a point the organization controls. The effect is that criminals are using HTTPS to subvert powerful technology that has taken decades for the good guys to disperse widely: the same encryption that hides a banking password from a snooper also hides a malware download or a command channel from a network sensor.

Most advanced sandboxing technologies and behavior analytics tools are in the same position. A sandbox cannot detonate a file it never sees, and a behavior engine cannot examine a payload that reaches it as ciphertext. Thus, technology that companies have spent billions to install is being sidestepped by cyber criminals’ use of HTTPS.

“Sadly, enterprise spending on sexy security systems is completely ineffective to detect this kind of malicious activity,” says Kevin Bocek, security strategist at Venafi, a supplier of encryption-related technologies. “A cyber criminal using encrypted traffic is given a free pass by a wide range of sophisticated, state-of-the-art security controls.”

The A10/Ponemon report outlines how criminals are using HTTPS to go undetected as they carry out phishing and ransomware campaigns, take control of network servers and exfiltrate data. Of the more than 1,000 IT and IT security practitioners surveyed, some 80 percent acknowledged that their organizations had sustained a cyber attack in the past year, and nearly half said their attackers had used encryption to evade detection.
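One practical consequence is that a sensor which cannot decrypt still sees the TLS handshake, and several things about that handshake are worth alerting on. The Go program below is an added example, not code from the A10/Ponemon report or from any product named on this page. It runs three such rules over a constructed, Zeek-style session log embedded in the code: a server certificate the sensor could not validate, a ClientHello with no SNI, and beaconing to one peer at a near-constant interval. The field layout, the addresses and the four-session, 10 percent jitter threshold are assumptions made for the illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed TLS-session log for this example (not real traffic), one handshake per
// line in the spirit of a Zeek ssl.log: ts,src,dst,port,sni,issuer,validation.
const SampleLog = `1700000000,10.0.0.5,203.0.113.10,443,www.example.com,DigiCert Global G2 TLS RSA SHA256 2020 CA1,ok
1700000060,10.0.0.5,198.51.100.7,8443,,CN=localhost,self signed certificate
1700000120,10.0.0.5,198.51.100.7,8443,,CN=localhost,self signed certificate
1700000180,10.0.0.5,198.51.100.7,8443,,CN=localhost,self signed certificate
1700000240,10.0.0.5,198.51.100.7,8443,,CN=localhost,self signed certificate
1700000100,10.0.0.9,203.0.113.20,443,mail.example.org,R3,ok
1700000700,10.0.0.9,203.0.113.20,443,mail.example.org,R3,ok
1700000750,10.0.0.9,203.0.113.20,443,mail.example.org,R3,ok
`

// Session is what a passive sensor sees of one TLS handshake: no plaintext, only the
// ClientHello's server name and the certificate the server presented. Validation is
// "ok" or the reason the sensor could not build a trusted chain for that certificate.
type Session struct {
	TS                                      int64
	Src, Dst, Port, SNI, Issuer, Validation string
}

// Finding is one alert for one peer pair, written as "src -> dst:port".
type Finding struct{ Peer, Reason string }

func ParseLog(text string) ([]Session, error) {
	r := csv.NewReader(strings.NewReader(text))
	r.FieldsPerRecord = 7 // any line with a different field count is an error
	recs, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Session
	for _, f := range recs {
		ts, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			return nil, err
		}
		out = append(out, Session{ts, f[1], f[2], f[3], f[4], f[5], f[6]})
	}
	return out, nil
}

// Analyze applies three rules that need no decryption: (1) the server certificate did
// not validate, (2) the ClientHello carried no SNI, which browsers always send, and
// (3) beaconing, i.e. at least four sessions to one peer at a near-constant interval.
func Analyze(sessions []Session) []Finding {
	groups := map[string][]Session{}
	for _, s := range sessions {
		k := s.Src + " -> " + s.Dst + ":" + s.Port
		groups[k] = append(groups[k], s)
	}
	keys := make([]string, 0, len(groups))
	for k := range groups {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output regardless of map order
	var findings []Finding
	for _, k := range keys {
		g := groups[k]
		if g[0].Validation != "ok" {
			findings = append(findings, Finding{k, "unvalidated certificate: " + g[0].Validation + " (issuer " + g[0].Issuer + ")"})
		}
		if g[0].SNI == "" {
			findings = append(findings, Finding{k, "no SNI in ClientHello"})
		}
		if gap, ok := beaconInterval(g); ok {
			findings = append(findings, Finding{k, fmt.Sprintf("beaconing every ~%ds (%d sessions)", gap, len(g))})
		}
	}
	return findings
}

// beaconInterval returns the mean gap between sessions when there are at least four
// of them and the longest and shortest gaps differ by less than 10% of that mean.
func beaconInterval(g []Session) (int64, bool) {
	if len(g) < 4 {
		return 0, false
	}
	sort.Slice(g, func(i, j int) bool { return g[i].TS < g[j].TS })
	gaps := make([]int64, len(g)-1)
	for i := range gaps {
		gaps[i] = g[i+1].TS - g[i].TS
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
	mean := (g[len(g)-1].TS - g[0].TS) / int64(len(gaps))
	if mean == 0 || (gaps[len(gaps)-1]-gaps[0])*10 > mean {
		return 0, false
	}
	return mean, true
}
```

Call ParseLog on the sample and hand the result to Analyze: all three findings point at the 8443 peer with the self-signed certificate, while the three irregular sessions from 10.0.0.9 to a validly certified mail server raise nothing. None of these rules proves malice, so they belong in a scoring pipeline rather than a blocking one, but they are the kind of signal that is available without touching the payload.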

Reading the contents of web traffic

The good news is that technology already on the market can decrypt and examine HTTPS traffic at the network edge to spot malicious, or suspicious, content. The technique is usually called HTTPS (or TLS/SSL) inspection, sometimes HTTPS deep-packet inspection. The firewall or proxy terminates the client’s TLS session itself, presenting a certificate it mints on the fly under an internal certificate authority (CA) that the organization’s managed devices have been told to trust; it inspects the plaintext, then opens its own TLS session to the real server and forwards the traffic. Two consequences follow for anyone deploying it: the internal CA root must be installed on every endpoint you want covered, because devices without it will see certificate warnings on every site, and the inspecting device becomes a high-value target, because whoever controls its CA key can impersonate any website to your users. Applications that pin their server’s certificate, and categories of traffic you are obliged not to read, such as banking or health sites, are normally excluded from inspection.

“This is relatively new technology that has been out for about four or five years now,” says Corey Nachreiner, chief technology officer at WatchGuard Technologies. “There are many organizations that don’t have this HTTPS inspection capability yet, so they’re missing around half the attacks out there.”
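What that inspection step looks like at the certificate level, as an added example that is not WatchGuard’s or any vendor’s code: the Go program below mints a hypothetical enterprise inspection CA, forges a leaf certificate for www.example.com the way an inspecting firewall does for each new connection, and then runs three loopback TLS handshakes against it, one from a device without the enterprise root, one from a managed device that has it, and one from an application that pins the origin server’s key. The CA name, the hostname and the pinned digest are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// Mint creates a self-signed CA when parent is nil, otherwise a server certificate for
// hostname name signed by parent (the inspector's per-connection step, done with its CA).
func Mint(name string, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent was given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Connect runs one TLS handshake over loopback TCP: the server end plays the inspector and
// presents leaf; the client trusts only roots and, when pinnedSPKI is non-nil, also demands
// that SHA-256 of the server key's SubjectPublicKeyInfo. The client's handshake error is returned.
func Connect(leaf tls.Certificate, roots *x509.CertPool, host string, pinnedSPKI []byte) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srv := &tls.Config{Certificates: []tls.Certificate{leaf}}
	go func() {
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, srv).Handshake() // a rejection by the client surfaces here too
			c.Close()
		}
	}()
	cli := &tls.Config{RootCAs: roots, ServerName: host}
	if pinnedSPKI != nil {
		cli.VerifyConnection = func(cs tls.ConnectionState) error {
			got := sha256.Sum256(cs.PeerCertificates[0].RawSubjectPublicKeyInfo)
			if !bytes.Equal(got[:], pinnedSPKI) {
				return errors.New("SPKI pin mismatch: another key is terminating this session")
			}
			return nil
		}
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	return c.Close()
}

// Demo plays the three client populations an inspection rollout meets; nil means accepted.
func Demo() (unmanaged, managed, pinned error) {
	ca, err := Mint("Example Corp HTTPS Inspection CA", nil) // hypothetical enterprise root
	if err != nil {
		return err, err, err
	}
	leaf, err := Mint("www.example.com", &ca) // what the inspector hands the client
	if err != nil {
		return err, err, err
	}
	// 1. Endpoint that never received the enterprise root: certificate error.
	unmanaged = Connect(leaf, x509.NewCertPool(), "www.example.com", nil)
	// 2. Managed endpoint with the root installed: inspection is invisible to it.
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	managed = Connect(leaf, trusted, "www.example.com", nil)
	// 3. App pinning the origin's key (constructed digest): the forged leaf carries the
	//    inspector's key, so the pin fails even though the device trusts the root.
	pin := sha256.Sum256([]byte("stand-in for the real www.example.com SPKI"))
	pinned = Connect(leaf, trusted, "www.example.com", pin[:])
	return unmanaged, managed, pinned
}
```

Demo returns an error for the first and third clients and nil for the second, which is the rollout story in miniature: distribute the root before inspection is switched on, and expect pinned applications to need an exclusion rather than a fix on the firewall.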

This is just one more example of why businesses of all sizes need to stay abreast of how cyber criminals innovate to stay one step ahead.

Businesses must set up defense

Small and midsize businesses should begin looking into adding HTTPS inspection. This can be done directly on premises, with a firewall or proxy that supports it, or via a managed security services provider. For SMBs, there are many credible security vendors out there worthy of review. But you have to commit to doing the due diligence.

Large enterprises face a bigger challenge. HTTPS uses Transport Layer Security (TLS) to encrypt traffic; its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled outright rather than inspected. Inspection at scale then revolves around issuing and managing encryption keys and digital certificates: the internal CA the inspection devices sign with, plus an inventory of every server and service inside the company that already terminates TLS, a count that can run into the thousands and that few big companies have a clear picture of.

“The challenge of gaining a comprehensive picture of how encryption is being used across the enterprise and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations,” Venafi’s Bocek says. “Insufficient resources and automated controls are creating a nearly insane situation.”

Again, the good news is that technology to efficiently address this emerging exposure is available. First comes awareness of the problem, followed by continual due diligence by company decision-makers to defend their organization’s digital assets.

The Dangers Lurking in Public WiFi

Free WiFi access points (APs) are a great convenience for consumers and can be a productivity booster for business travelers. But they also present ripe opportunities for hackers. ThirdCertainty asked Corey Nachreiner, WatchGuard Technologies’ director of security strategy, to outline this exposure.

3C: What risks do consumers and business travelers take when using WiFi services in public venues such as airports, hotels and coffee shops?

Nachreiner: The exposure is potentially huge. It’s natural for people to congregate and wait in places like airports and hotels and use public WiFi access. So these are ideal locations for attackers to set up faked WiFi APs.

This is possible because SSIDs (wireless networks) used in these locations are widely trusted: names like AT&T Wi-Fi, XFINITY WiFi, Boingo Wi-Fi and Free WiFi. It is easy for an attacker to broadcast a faked AP using these familiar names to entice victims to connect via the attacker’s AP. Furthermore, if your computer has connected to the legit access point in the past, it may automatically connect to the faked one.

3C: If I connect to the Internet via a faked WiFi connection, do I still get on the web?

Nachreiner: Yes, but now the attacker can see what you’re doing, infect your computer and set up man-in-the-middle attacks that can steal your account credentials and work files.

3C: Does part of this have to do with the venues – the hotels and book shops – not bothering to lock down the free WiFi access?

Nachreiner: Yes. 80% of hospitality WiFi networks don’t require a unique password, and 50% do not secure or monitor their networks. I can share many stories about how easy it is to set up a faked AP in public areas and watch people join.

3C: This exposure has been out there since WiFi started going public more than a decade ago. So how intensively have the bad guys been exploiting this?

Nachreiner: Bad guys are definitely exploiting this. I’m a fairly regular business traveler. I’ve found suspicious and very likely malicious APs on two out of 10 trips. I’ve been on hotel networks where my security tools show other guests on the network trying to connect to my shares.

Whether they were just curious guests or malicious attackers is hard to say. But hotel networks are the perfect place for attackers to find victims.

3C: Right, that’s what happened in the so-called DarkHotel attack.

Nachreiner: Exactly, one of our partners, Kaspersky, discovered attackers targeting the third-party WiFi vendor of a specific hotel. They were seeking intelligence on certain guests they knew would be staying at the hotel. They used the compromised wireless network to infect the computers of their targeted victims.

This was a very sophisticated attack and not the norm. That said, it’s more common to find basic criminals putting up faked hotel network connections to steal information from guests opportunistically.
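The faked-AP problem described in the interview is one a traveler can check for before joining, using only what a Wi-Fi scan already reports. The Go program below is an added example, not part of the interview or of any WatchGuard tool. It reads constructed scan results embedded in the code (SSID, BSSID, security mode) and flags two evil-twin patterns: an open network announcing the same name as a protected one, and an access point whose hardware vendor prefix (the OUI, the first three bytes of the BSSID) differs from the rest of that network’s access points. The sample networks, the MAC addresses and the vendor-prefix heuristic are assumptions made for the illustration; a venue that mixes hardware vendors will trip the second rule legitimately.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Constructed scan results for this example (no real venue was scanned), one access
// point per line: ssid,bssid,security. The OUIs are illustrative, not real vendors.
const SampleScan = `Hotel Guest,a4:56:02:11:22:33,WPA2
Hotel Guest,a4:56:02:11:22:34,WPA2
Hotel Guest,00:c0:ca:ab:cd:ef,OPEN
Free WiFi,00:c0:ca:ab:cd:f0,OPEN
Lobby Printer,3c:52:82:00:11:22,WPA2
`

// AP is one beacon as a scanner reports it.
type AP struct{ SSID, BSSID, Security string }

// Alert names an SSID, why it looks wrong, and the BSSIDs to steer clear of.
type Alert struct {
	SSID, Reason string
	BSSIDs       []string
}

// ParseScan reads the CSV form above and normalises BSSIDs to lower case.
func ParseScan(text string) ([]AP, error) {
	r := csv.NewReader(strings.NewReader(text))
	r.FieldsPerRecord = 3
	recs, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var aps []AP
	for _, f := range recs {
		if len(f[1]) != 17 { // aa:bb:cc:dd:ee:ff
			return nil, fmt.Errorf("bad BSSID %q", f[1])
		}
		aps = append(aps, AP{f[0], strings.ToLower(f[1]), strings.ToUpper(f[2])})
	}
	return aps, nil
}

// Assess groups beacons by SSID and flags two evil-twin patterns: an open AP using the
// same name as a protected network, and an AP whose OUI (first three bytes of the BSSID,
// normally the radio vendor) differs from the rest of that network's APs. Either is cause
// to forget the network and ask staff which BSSIDs are theirs.
func Assess(aps []AP) []Alert {
	bySSID := map[string][]AP{}
	for _, ap := range aps {
		bySSID[ap.SSID] = append(bySSID[ap.SSID], ap)
	}
	names := make([]string, 0, len(bySSID))
	for n := range bySSID {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output
	var alerts []Alert
	for _, name := range names {
		var open []string
		secured := 0
		byOUI := map[string][]string{}
		for _, ap := range bySSID[name] {
			if ap.Security == "OPEN" {
				open = append(open, ap.BSSID)
			} else {
				secured++
			}
			byOUI[ap.BSSID[:8]] = append(byOUI[ap.BSSID[:8]], ap.BSSID)
		}
		if len(open) > 0 && secured > 0 {
			alerts = append(alerts, Alert{name, "open AP advertising the same SSID as a protected network", open})
		}
		if len(byOUI) > 1 {
			// The majority vendor is presumed to be the venue's; everything else is suspect.
			major, majorN := "", 0
			for oui, list := range byOUI {
				if len(list) > majorN || (len(list) == majorN && oui < major) {
					major, majorN = oui, len(list)
				}
			}
			var odd []string
			for oui, list := range byOUI {
				if oui != major {
					odd = append(odd, list...)
				}
			}
			sort.Strings(odd)
			alerts = append(alerts, Alert{name, "AP from a different hardware vendor than the rest of the network", odd})
		}
	}
	return alerts
}
```

On the sample, both alerts name “Hotel Guest” and the same BSSID: an open radio from a different vendor is borrowing the hotel’s network name, exactly the setup the interview describes. “Free WiFi” raises nothing, because a lone open network gives the heuristic nothing to compare against; that is the case where the only defense is treating the network as hostile and relying on HTTPS and a VPN. To feed it real data, replace SampleScan with the output of your platform’s scanner in the same three-column form.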