Author: Tim O'Connor
Impersonation, often called “spoofing” in information security lingo, is one of the most widely used and most damaging techniques in the toolboxes of both con artists and evil hackers. Evil hackers can impersonate people, equipment (such as computers or phones) and even websites or Wi-Fi hotspots. When an evil hacker successfully impersonates something you are communicating with, you have no idea that the information you are sending is compromised.
The “good guys,” such as security professionals and cryptography experts, use a number of tools to help protect organizations and individuals against evil hackers who are using impersonation attacks. Perhaps the most important of these tools is known as Public Key Infrastructure or PKI.
PKI is a system in which a trusted third party, called a Certificate Authority or CA, verifies the identity of an organization or person and issues that party a “digital ID badge” called a certificate. You can think of this certificate as a digital passport ID that is almost implicitly trusted. This digital certificate can be used to prove to your customers, employees or partners that your website, mobile phone, computer or almost any electronic resource belongs to you and no one else. For example, the digital certificate used by your bank proves to your web browser that you are doing business with your bank’s web server and not the web server of an evil hacker.
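The trust model just described, reduced to its moving parts, is shown in the following added example. This is illustration code written for this post, not code from any CA or browser, and it uses a deliberately tiny textbook RSA with constructed Mersenne-prime keys and a truncated digest so the arithmetic stays readable; real systems use 2048-bit RSA or ECDSA keys and full-length hashes. The names (“Example Root CA”, “bank.example”, “Crook CA”) are invented. It walks through the CA issuing a certificate, the browser checking that the certificate chains to a CA it trusts and names the site it meant to reach, and the server proving it holds the matching private key, then runs the three impersonation attempts a browser must reject and the one it cannot.

```python
import hashlib
import os

# Constructed toy parameters: Mersenne primes keep the arithmetic easy to follow.
# Far too small to be secure; they exist only to show the trust model.
M19, M31 = 2**19 - 1, 2**31 - 1
M61, M89 = 2**61 - 1, 2**89 - 1
M107, M127 = 2**107 - 1, 2**127 - 1

def make_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def digest(data: bytes) -> int:
    # Truncated to 32 bits so the value is always below every toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)

def to_be_signed(subject: str, pub, issuer: str) -> bytes:
    """The part of a certificate the CA vouches for: who, which public key, which CA."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue_certificate(ca_name: str, ca_priv, subject: str, subject_pub) -> dict:
    """The CA has verified 'subject' out of band and now signs its public key."""
    return {"subject": subject, "pub": subject_pub, "issuer": ca_name,
            "sig": sign(ca_priv, to_be_signed(subject, subject_pub, ca_name))}

def prove_possession(priv, nonce: bytes) -> int:
    """Server side of the handshake: sign the client's fresh challenge."""
    return sign(priv, nonce)

def client_check(cert: dict, proof: int, nonce: bytes, trust_store: dict, expected_subject: str):
    """Browser side: does the certificate chain to a trusted CA, is it for the site
    we meant to reach, and does the peer actually hold the matching private key?"""
    issuer_pub = trust_store.get(cert["issuer"])
    if issuer_pub is None:
        return False, "issuer is not a trusted CA"
    if cert["subject"] != expected_subject:
        return False, "certificate is for a different name"
    if not verify(issuer_pub, to_be_signed(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"]):
        return False, "CA signature does not verify (certificate altered or forged)"
    if not verify(cert["pub"], nonce, proof):
        return False, "peer does not hold the private key for this certificate"
    return True, "authenticated"

def demo() -> dict:
    """Run the scenarios the post is about and return the client's verdict for each."""
    ca_pub, ca_priv = make_keypair(M61, M89)
    bank_pub, bank_priv = make_keypair(M107, M127)
    crook_pub, crook_priv = make_keypair(M19, M31)

    trust_store = {"Example Root CA": ca_pub}          # what the browser ships with
    site = "bank.example"
    bank_cert = issue_certificate("Example Root CA", ca_priv, site, bank_pub)
    nonce = os.urandom(16)                              # fresh challenge per connection

    # 1. The real bank: trusted certificate plus proof it holds the key.
    genuine = client_check(bank_cert, prove_possession(bank_priv, nonce), nonce, trust_store, site)
    # 2. Impersonator with a self-made certificate claiming the bank's name.
    fake_cert = issue_certificate("Crook CA", crook_priv, site, crook_pub)
    self_signed = client_check(fake_cert, prove_possession(crook_priv, nonce), nonce, trust_store, site)
    # 3. Impersonator replaying the bank's public certificate without its private key.
    no_key = client_check(bank_cert, prove_possession(crook_priv, nonce), nonce, trust_store, site)
    # 4. Impersonator holding the bank's certificate AND its private key: indistinguishable
    #    from the bank, which is why the private key is what must be protected.
    stolen = client_check(bank_cert, prove_possession(bank_priv, nonce), nonce, trust_store, site)
    return {"genuine": genuine[0], "self_signed": self_signed[0],
            "cert_without_key": no_key[0], "stolen_cert_and_key": stolen[0]}

if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:20s} -> {'ACCEPTED' if accepted else 'REJECTED'}")
```

The fourth scenario is the one the rest of this post is about: a certificate is only as trustworthy as the secrecy of the private key that goes with it, and nothing in the browser's checks can tell a thief holding both apart from the legitimate owner.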
At the time of this writing, there are no known flaws in the internationally established framework for using PKI known as X.509. There have been only a few problems, not in PKI itself but in how some programmers implemented the tool.
Because of the power and reliability of PKI, the world of ecommerce has placed a great deal of trust in PKI and nearly every commercial web server and email system in the world uses PKI in some way.
A recent finding by Georgia State University has uncovered a new, severe problem with the world’s implementation of PKI that puts all ecommerce, email systems and anything using PKI at risk. Like the flaws mentioned above, this flaw is not with PKI itself but with its implementation and management.
The university researchers used the Tor Network (often called “the dark web”) to look for stolen PKI certificates for sale on the digital black market. For reference, the Tor Network is an anonymous network system that can be used, like most tools, for good or for bad. It can protect your personal information; it can also hide some of the online activities of the evil hacker social networks and marketplaces.
The researchers’ findings surprised them, as well as the security community, and they are just now disseminating their findings. As of this writing we only have the first part of three reports being released by the researchers. What we know so far is of critical importance to any organization that uses ecommerce or other common systems that rely on PKI.
The first report tells us that there are THOUSANDS of apparently valid PKI certificates for sale on the digital black market and the price to acquire one is surprisingly low ($260-$2,000).
What does this mean and what are the ramifications?
If an evil hacker were to acquire your CA issued PKI certificate it would be much like someone stealing your wallet and passport and being able to make all of the ID photos look just like them. They can now impersonate you in communications and interactions with your customers, partners, banks, email servers or almost any modern system. The damage goes beyond any money or assets stolen and includes your reputation. Once you find out they are impersonating you, it is possible to stop them but it will take some time, especially if you have not planned for such a catastrophe.
How did this happen? I thought PKI was secure and trustworthy?
PKI is secure and trustworthy, but like any tool it can be misused. The key findings of the university researchers state that the reason these certificates ended up on the black market is that the companies that purchased them did not understand how to protect them and/or did not understand the basic workings of PKI itself. The result is that many organizations’ PKI certificates are poorly protected.
This is surprising because PKI is relatively easy to learn even if you have only a little technical knowledge and it is also easy to properly secure. In other words, the loss of these certificates is completely preventable with just a basic amount of training and best practices when using the technology.
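Much of the “basic protection” the post refers to comes down to the private key that belongs with the certificate: the certificate itself is public, but anyone who can read the key file can impersonate the owner. The following added example, written for this post and not taken from any product or from the researchers, is a minimal audit you can run over a server's key files. It checks two things a half-day PKI class would cover first: that the file is readable only by its owner, and that the key is stored with a passphrase rather than in the clear. The two files it audits are constructed placeholders written to a temporary directory, not real keys, and the marker strings are the standard PEM headers.

```python
import os
import stat
import tempfile

# Standard PEM headers. An "ENCRYPTED" block (or the legacy Proc-Type line) means the
# key is protected by a passphrase; the other headers mean it is stored in the clear.
CLEARTEXT_KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
ENCRYPTED_KEY_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
)

def audit_private_key_file(path: str) -> list:
    """Return a list of findings for one private-key file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"group can read or write the key (mode {mode:04o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"everyone on the host can read or write the key (mode {mode:04o})")
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        head = f.read(4096)          # headers are at the top; no need to load the whole file
    if any(m in head for m in ENCRYPTED_KEY_MARKERS):
        pass                         # passphrase-protected: nothing to report
    elif any(m in head for m in CLEARTEXT_KEY_MARKERS):
        findings.append("key is stored without a passphrase")
    else:
        findings.append("file does not look like a PEM private key")
    return findings

def demo() -> dict:
    """Write two constructed stand-in files (not real keys) and audit both."""
    placeholder = "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sloppy = os.path.join(d, "server.key")
        with open(sloppy, "w") as f:
            f.write("-----BEGIN RSA PRIVATE KEY-----\n" + placeholder
                    + "-----END RSA PRIVATE KEY-----\n")
        os.chmod(sloppy, 0o644)      # readable by every local account, stored in the clear

        careful = os.path.join(d, "server-enc.key")
        with open(careful, "w") as f:
            f.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + placeholder
                    + "-----END ENCRYPTED PRIVATE KEY-----\n")
        os.chmod(careful, 0o600)     # owner only, passphrase-protected

        results["sloppy"] = audit_private_key_file(sloppy)
        results["careful"] = audit_private_key_file(careful)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Pointing `audit_private_key_file` at the key paths in your web or mail server configuration gives a quick, repeatable baseline; an empty result does not prove the key is safe, but any finding is a concrete, easily fixed gap of exactly the kind the post says is completely preventable.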
What can I do to protect my personal or organization’s PKI identity?
The good news is that learning PKI is not rocket science. Anyone involved in managing, supporting, developing or designing your web services, email services or anything using encryption and authentication or protecting your company’s reputation should take a half or full day class on PKI fundamentals. These classes are often affordable and can be taken live online remotely or in person in most major cities. If you don’t have employees to send to this training or you are looking for other options, you could hire the services of a trusted security advisor that is fluent in PKI systems.
Considering the stakes at hand when losing your PKI identity, it is nearly inexcusable to be uninformed or to not implement basic protection of your organization’s digital identity. Depending on the circumstances, this could be considered a failure of due care or due diligence, which means responsibility could go all the way up to C-level positions or even the board.
Remember to check back to this blog series as we report on the findings that continue to come out of this project by Georgia State University.
Sources: Georgia State University (First Report)
To learn more visit: Introduction to PKI