If you’re a follower of this blog, you’ll be aware that SSL is far from perfect as a method of protecting us from online criminals. Nevertheless, it’s what we’ve got, and in most cases it’s more than adequate. It’s hard to overstate just how much of the Internet’s security depends on SSL certificates. HTTPS — SSL/TLS over HTTP — is the fundamental technology protecting communication between users and web services, particularly where credit card details and other sensitive personal or financial information are being sent over the wire. But that’s not all it is used for: much of the software and other data we send over the net is digitally signed with certificates from the same public-key infrastructure so that the recipient can verify the source.
Matthew Rosenquist thinks this is why certificate theft will be the next big market for hackers.
Consider this scenario: a popular software developer releases an update which is downloaded and installed by thousands of users. The application or operating system verifies the validity of the update by checking whether it has been digitally signed with the developer’s private key. Very few users will go beyond this level of automated checking when they receive an update notification. In this particular case, the developer’s infrastructure has been compromised, their signing key and certificate stolen, and the key used to sign a bogus update containing a rootkit that will allow the criminal to take control of the device.
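The weak point in that scenario is that a valid signature says nothing about whether the key was still under the developer’s control when the signature was made. The following added example (my own illustration, not code from this post or from any real update system) replays the scenario with a constructed Ed25519 key pair: the signature-only check accepts the bogus update, while a check that also consults a compromise time rejects it but still accepts the earlier legitimate release. It assumes the update carries a signing time from a trusted timestamp service rather than one asserted by the signer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Update is a constructed stand-in for a signed software update. SignedAt is
// assumed to come from a trusted timestamp service, not from the signer.
type Update struct {
	Payload, Signature []byte
	SignedAt           time.Time
}
func Sign(priv ed25519.PrivateKey, payload []byte, at time.Time) Update {
	return Update{payload, ed25519.Sign(priv, payload), at}
}
// Verifier holds the developer's trusted key and, once the theft is reported,
// the time from which that key is considered compromised (zero = not revoked).
type Verifier struct {
	Trusted       ed25519.PublicKey
	CompromisedAt time.Time
}
// SignatureOnly is the automated check in the scenario; it cannot tell a
// legitimate signature from one made with the stolen key.
func (v Verifier) SignatureOnly(u Update) bool {
	return ed25519.Verify(v.Trusted, u.Payload, u.Signature)
}

// WithRevocation also rejects anything signed at or after the compromise time,
// while updates signed before it keep verifying.
func (v Verifier) WithRevocation(u Update) bool {
	revoked := !v.CompromisedAt.IsZero() && !u.SignedAt.Before(v.CompromisedAt)
	return v.SignatureOnly(u) && !revoked
}

// Scenario: legitimate update on day 0, bogus update signed with the stolen key
// on day 10, developer reports the key compromised as of day 7. Returns whether
// the legitimate update verifies, whether the bogus one passes the
// signature-only check, and whether it passes the revocation-aware check.
func Scenario() (legitOK, bogusSigOK, bogusRevOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	day, t0 := 24*time.Hour, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	legit := Sign(priv, []byte("update 1.2"), t0)
	bogus := Sign(priv, []byte("update 1.3 with rootkit"), t0.Add(10*day))
	v := Verifier{Trusted: pub, CompromisedAt: t0.Add(7 * day)}
	return v.WithRevocation(legit), v.SignatureOnly(bogus), v.WithRevocation(bogus)
}

func main() { fmt.Println(Scenario()) } // true true false
```

The gap between the second and third results is exactly the window the attacker profits from: nothing in the signature itself closes it, so revocation data has to be published and actually checked by clients.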
Given the current state of online security, there’s no doubt that SSL certificates present a juicy target to attackers. Why bother exfiltrating password lists or credit card numbers when you can go straight for a tool that will open up the devices of thousands of users in one fell swoop, credit card data and all?
It is in the interest of hackers to be extremely stealthy about attacks of this sort. The longer the certificate theft goes unnoticed, the more money the attacker can make. In much the same way online criminals currently sell botnet access for DDoS attacks, they can sell the ability to sign with a stolen key to those who want to target a specific population.
This sort of attack is likely to become more common in the coming years. The “big bang” DDoS attacks will go on; they’re very difficult to defend against, and have become commodities to the point where anyone with a bit of knowledge and some cash can target a site they feel has slighted them. But the real money is in advanced persistent threats like this one: quiet attacks that rely on the attackers not being discovered.