Last year at Black Hat we had an interesting conversation with Tammy Moskites from Venafi. Although Tammy is both the CIO and CISO of Venafi the conversation did not focus on that company or the product as a whole. Instead we talked at length about trust and controlling the keys to data and devices. This conversation is still a very important one as continue to see attacks and vulnerabilities in the systems that control access to and the encryption of important data.
Have you ever lost your keys and had that moment of panic where you are not sure who might have them? This is not a good feeling. You do not know if someone has them and might use them to gain access to your things. This is the same feeling that should be running through the minds of every IT security professional right now when they think about their certificates and keys, but sadly this is just not happening. The reason that there is not more concern is that far too many even realize just how vulnerable they are.
Encryption is an interesting thing. On the surface it offers protection from prying eyes and sense of security in protecting your communication and files. At least that is what you should feel when talking about encryption. The problem is that encryption is only as secure as the protocol and API that is in use. Even if you have a rock solid certificate the protocol and APIs that you use to connect can be compromised to by-pass this. This is what has happened to almost every major SSL/TLS stack. So far in 2014 we have watched them fall one at a time to the dismay of security experts.
DEF CON 22, Las Vegas, NV 2014 - Yesterday at DEF CON we had the chance to listen to Christopher Soghoian, Principal Technologist, American Civil Liberties Union talk about the state of the surveillance state and how we can help fight against it. Of course you might think that his talk would be about the use of spy proof technologies, but oddly enough very little of that was talked about except to make it clear that talk of spy-proof technology makes people in Washington nervous.
A couple of days ago Google started pushing encryption for e-mail. No, we are not talking about the typical https connection required for Gmail. We are talking about actually encryption of email as it moves from server to server using TLS (Transport Layer Security). In simplest terms this method creates connections between servers using a secure tunnel to each other for the purposes of transmitting the message. Once the message has been passed to the destination server the tunnel closes. However, despite the length of time TLS has been around not many companies use.
You know, the Internet is a scary enough place with all of the Malware, scams, hackers and other crap. No one needs to be worried about the government looking over their shoulders as well. However, this is what we reminded is happening when Edward Snowden released his cache of documents to the world (through the Guardian and other news sites). We found that under the guise of protecting us from terrorism and other real and imagined threats the US government has been collecting all of our internet data for a number of years. Now this was a great surprise to many people although it should not have been.
Microsoft has had its share of flaws to deal with over a wide range of products. So it is no surprise when we read that there is another “flaw” making the rounds that is related to an older flaw that someone exposed about a year ago. The first flaw was a laughable encryption scheme that was intended to protect the username and password when using PEAP-MSCHAPv2 authentication. In this flaw someone was able to quickly break the encryption and access the credentials used to log on. This flaw does require access to the device that the user was connecting to (RAIDUS server, Firewall, etc.) so it is a little harder to pull off. Now it looks like there is a further flaw that will remove the need to compromise other equipment.
We have a new winner of the “what were they thinking award” the CA/Browser Forum have won this one by changing the way that certificates are issued. Normally such changes are not intrusive and are intended to ensure better security for users. However, in this case the changes published in July of this year (and set to take effect in November 2015) will probably break a significant number of corporate networks simply because the changes are in direct opposition to the best practices that Microsoft and many others have been recommending for years. This is the practice of separating internal and external domain names for security and identification. The CA/Browser Forum announced back in July that they are going to put an end to this practice by November 2015.
This morning as a powered up the systems I use to get on the internet and research the day’s articles I found that I was not able to get anywhere although everything appeared to be working the way it should. My Cable modem was working, my edge firewall had an valid IP address, and DNS all looked ok. Still no traffic was being routed out. I flushed the IP address and DNS resolvers internally and externally to no avail. Finally I power cycled the modem, after an unusually long period of time the modem came back up, but with an IP address that was nothing like the ones I have be receiving from RoadRunner for the past several years. It was not even close to the same subnet.
The internet is not a safe and secure place (I know this is a HUGE surprise to everyone), but many do not know just how insecure the system is and how continued legislation to “make it more secure” is actually hurting. Although we could write a small novel about the dangers of allowing corporate interests and government officials who have no working knowledge of how the internet works to change things, we will concentrate on one issue here and one that many people do not even know is broken.