Why Abuse of Digital Certs and Crypto Keys is the Biggest Security Threat for 2016

If there’s one major security trend of 2015 that I’d predict will cause even more trouble next year, it’s the abuse of crypto keys and digital certificates. Cybercriminals have simply found that abusing this layer of the internet is far easier, cheaper and often more effective than more traditional forms of attack.

Digital certificates stolen from Sony Pictures were later used to sign malware in order to make attacks more effective; and the same technique was linked to the Anthem and Premera healthcare breaches in the States.

And of course it was a similar strategy which contributed to the success of the Stuxnet attack.

Kaspersky Lab even said this week that the number of new malware files it detected this year has actually dropped, as hackers instead use stolen or bought digital certs to achieve the same ends.

Kevin Bocek is chief security strategist at Venafi – a firm which helps secure cryptographic keys and digital certs. He told me these foundational layers of trust on which the internet rests are being undermined by the latest developments in the black hat community.

“We’ve all seen that movie scene where the bad guy dresses up as a painter to gain access to a building; this is now what is happening in the cyberworld,” he told me.

“Bad guys are trading keys and certificates on the dark web and using them to crack into company systems – just look at Sony, the Snowden revelations and Stuxnet. They all involved stolen or misused keys and certificates.”

It doesn’t bode well for the future, with even the systems being built today architected in the same way – on a foundation of digital certificates.

“My concern is that moving forward industrial control centre malware could become bioweapons,” Bocek claimed. “This is because the moment you sign the malware with a valid certificate, it is essentially like a bioweapon. In the current climate, that’s frightening.”

That’s not all. The burgeoning Internet of Things space is ripe for exploitation in the same way, with cybercriminals likely to hold firms ransom by effectively taking over their smart devices.

“By taking a code-signing certificate and changing the entity it obeys, a hacker can change the firmware on a smart device to take control of it. Now when that sensor or smart device calls back to the ‘mothership’ who does it trust? The bad guy,” he explained.

“From a single point of compromise – the digital certificate – hackers and cybercriminals can take over a whole network of hundreds, thousands or even millions of smart ‘things’. This can then be used to blackmail companies – either cease operations, take on huge disruption, or pay up.”

Now, Venafi certainly has a vested interest in talking up the potential damage that abuse of certs and keys could cause.

But this is already happening in the wild with real consequences for organizations and their customers around the world.

Unfortunately 2016 is likely to see things get a lot worse before CISOs start to give this their full attention.
Will Apple’s China pivot come back to haunt it?

Apple had a rip-roaring second quarter, as I’ve just reported here for IDG Connect. But the financials were about more than putting yet more dollars in the bank. In years to come, the quarter may well be seen as a tipping point – the point at which the Cupertino giant came to rely far too much on China.

Although sales in China have yet to surpass the Americas, that point is not too far away. But the quarter did see iPhone sales from the Middle Kingdom overtake the US, and it also witnessed total revenue from China leapfrog that of Europe – two pretty significant milestones.

Apple is in a position that its American rivals and counterparts – Google, Microsoft, Amazon, Facebook etc – would dearly love. They’ve all been either banned or investigated for anti-trust dealings – in other words, harangued by the authorities. These firms face an uncertain future in the world’s soon-to-be largest technology market. But while Apple is still largely loved by consumers in style-obsessed China, its days too could be numbered.

Certainly the government has been making life difficult for US tech firms over the past year or two. The revelations from NSA whistleblower Edward Snowden have given it the perfect excuse to request stringent security checks on products destined for the public sector market. It’s a de facto ban for many providers. Beijing is trying to do the same with the banking industry. And it will get its way, eventually.

Kowtow time

What does it mean for Apple? Yes, the firm is a large investor in the country. But that won’t count for much if or when Beijing wants to apply some pressure. Apple has already been forced to comply with its unpalatable censorship demands, withdrawing apps from its store. It was notably silent when the authorities launched a man-in-the-middle attack on iCloud last year. And CEO Tim Cook was forced to make a grovelling apology when a state TV-led witch hunt found issues with its customer service in the country. Cook has reportedly also agreed to give the government access to its source code in a bid to pacify regulators and ensure its devices are approved. This in itself could backfire if Beijing uses that intelligence to create backdoors to spy on Apple users outside the country.

Then there’s the issue of growth. China is not necessarily the license to print money many think it is for Apple.

IDC analyst Xiaohan Tay told me smartphone growth will begin to slow in the country over the coming years.

“Most of the growth in the smartphone market will come from the lower end segment of the market. As Apple is a high-end product in the China market, most of its growth will come from replacement users, who are the Apple fans, as well as those who may be using the higher end Android phones at the moment,” she added.

“The new iPhones were a hit in the Chinese market as consumers were awaiting the release of the larger screen sized phones from Apple for the longest time, and this helped to drive growth in the past two quarters since the new iPhones were launched in China.”

Growth will continue, but at a slower rate, although the Apple Watch represents a great opportunity to arrest that slide, she added.

“The die-hard Apple fans as well as the middle and upper-middle class consumers in the cities will help to sustain the growth,” said Tay. “I believe that Apple’s high prices actually make its phones more desirable for the consumers. Owning an iPhone represents a status symbol that the average consumer wants to work towards.”

Plenty of positives for the future for Apple in China, then. But what the Middle Kingdom giveth it can also taketh away. In my opinion, Cupertino had better disperse its eggs into other BRIC baskets if it wants to avoid a nasty surprise down the road.