Comment: Encryption Vendors May Be the Weakest Link

Encryption and security vendors should be held to a higher standard when it comes to their own in-house security, says Pascucci
Encryption and security vendors should be held to a higher standard when it comes to their own in-house security, says Pascucci

As everyone in information security already knows, our field is constantly evolving. The hackers have changed from attacking the perimeter to attacking the users. Now they’re taking the user attack to a whole new level.

During the past year we've seen security vendors, specifically those offering encryption services like Comodo, DigiNotar and RSA, become victims of targeted advanced persistent threat (APT) attacks. These particular hacks seem to lean toward a dangerous new attack trend in the security community: attacking the encryption vendors.

These attacks on the vendors weren't aimed to release personal identifiable information (PII) or embarrass them, like we’ve seen with the onslaught of hacktivist activity over the past few months. Instead these attacks were aimed at what the vendors are offering, encryption and authentication services.

All three of these attacks were hacks that were used as spring boards to attack more people and organizations. By granting themselves illegitimate access to vendor services, hackers have essentially opened up the ability to scam people on a wider scale. Not only are they able to attack people on a wider scale, but the companies and users that employ these services are now unwilling trusting them whole-heartily.

When someone sees an SSL certificate or token authentication that’s worked securely in the past, they automatically assume they are secure – no one assumes that these might be counterfeit. The hackers understand security awareness better than anyone else. They know we tell users to use multi-form-factor authentication to stay secure, or to verify that a site is HTTPS before entering confidential information. Hackers then use this education against us by circumventing the services that we’ve promoted.

What we’re seeing here is a paradigm shift in the thinking of hackers. They know they can't crack the encryption, so what do they do? They steal it (RSA) or hack into a vendor and issue their own certificates (DigiNotar and Comodo). They know that we heavily rely on encryption and that it’s used to secure communication between most major organizations and popular websites.

Our trust in these services has been a major reason that hackers have started targeting them. Not only are these attacks highly technical, but they play off the user’s emotions. They’re taking advantage of the human element of trust for their own malicious benefit, and without this misconception the exploit wouldn’t be as effective. We’ve seen this in the past with phishing and malicious SEO optimization, but these attacks on encryption vendors use security that white hats keep preaching is safe to their users. This just sets the targets up for a harder fall.

So what happens now? We need to start taking a better look at the internal security of these encryption service providers. Obviously internal audits have failed these companies and are ineffective when they’re used as check boxes.

Should there be regulation that makes companies offering encryption services to be held to a higher standard? I for one think that companies offering authentication/encryption services already should have been held to a higher standard. If these vendors can’t secure their own infrastructure, then it’s not only affecting them, but anyone that relies on their services to protect their data.

In the case of Diginotar, which was in gross negligence, should they be considered responsible for getting hacked? If a company is selling services to protect others, but leaves these services completely vulnerable, then they should have sanctions placed on them until the issues are resolved.

Don’t get me wrong, there will always be hacks into a system, but when you’re not held to a higher standard, companies will get complacent, not compliant.

Either way, other encryption or security vendors – in general – should take notice of these attacks and tighten their security belts. They've been given a pass, for now.

Matthew Pascucci has more than 10 years of experience in IT and is currently an information security analyst. He holds multiple certifications and is actively involved with InfraGard to help educate others in information security. You can follow him at his blog or on Twitter.

What’s hot on Infosecurity Magazine?