ITC Security Threat of the Week – Who’s got the keys to your CA-stle?

ITC Security Threat of the Week – Week 3: Who’s got the keys to your CA-stle?

It’s a familiar sight to everyone who works in IT – Chrome and its claret red background you, Firefox’s little yellow traffic cop and that red shield in Internet Explorer.

“There is a problem with this website’s security certificate”.

Muscle-memory guides you clicking through the warnings without really thinking and you reach the login page for that firewall that you never quite got around to requesting a proper certificate for. Those warnings are there for a reason. Certificate management matters, and certificate security is today’s threat of the week.

I have a good friend, Shaun. I trust his judgement – I trust that when I meet him and some of his friends at the pub, that those people he trusts as friends aren’t going to try and pickpocket me. If someone impersonating Shaun introduces me to some dodgy looking characters, it’d be pretty obvious something was up – that person would look different, sounds different, walk differently to Shaun. Humans are good at spotting imposters. We’re not really at the same level of multi-factor trust yet when it comes to computers. Certificates are about as good as it gets.

So how do I know when someone’s trying to use a dodgy certificate to impersonate my company’s Outlook Web Access? Yup, that claret red background in Chrome and the “untrusted website” warning. So, if I don’t get that warning everything’s good? Maybe not. Let’s consider where that warning actually comes from…

On my Windows laptop, there’s the “Trusted Root Certification Authorities” store. This is where the list of all the ‘friends’ that my computer trusts is kept. If I browse to a website with a certificate signed by one of these authorities (or worse, connect my VPN client), I probably won’t get that red background or a warning. Taking a look in that list right now, I see that my laptop trusts anything signed by “TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı”. That’s, apparently, a Turkish government entity. Now, I’ve no particular reason to distrust them, but until a minute ago I had no idea that my computer trusted them. More concerningly, I wouldn’t really know if that certificate came built into Windows or just got added last week by a nasty bit of malware…

Do you have any way of monitoring that trusted certificate store on your endpoints? Or, more importantly, your servers? The contents of the CAPI2 operational log on Windows platforms can be invaluable here. Are you centrally logging and monitoring the Windows events logs on your endpoints and servers though? Things like the malicious addition of a trusted root certification authority are very hard to spot, if not.

Ensuring the integrity of your private keys is also critical.

Let’s say that your company deploys a set of load balancers. They’re facing the internet and protecting some public facing websites which use SSL. These boxes need to be able to sign traffic for and all the other critical services you expose to the internet. They’ll be full of private keys, maybe even for wildcard certificates that would enable an attacker to impersonate any server on your entire domain. Obviously a prime targets for hackers.

What auditing of user access to load balancers do you have in place? Where is the syslog output for the devices going? Are you able to quickly and easily correlate suspicious activity on this host with that outbound communication to a far-eastern IP address?

Two of the highest profile pieces of malware, Stuxnet and Flame, both abused certificate trust to propgate. The more recent Bit 9 hack ( yet again shows just how much leverage access to certificates, access to trust, can give an attacker.

Established in 1995, ITC Secure Networking, a leading network and security integrator, provides businesses with assured IT solutions. It designs, builds, optimises and manages network and security infrastructures to enhance network performance, safeguard information and simplify management.