Many experts have been following the evolution of the recently discovered threat known as Flame, Flamer or Skywiper, especially since many believe that it has the potential to become the next Stuxnet.
One of the cleverest techniques implemented by the malware’s creators is the fact that it uses rogue Microsoft certificates
to validate its components.
Since once again we’re presented with a situation in which digital certificates are misused, we’ve asked Jeff Hudson, the CEO of Venafi
, a certificate management company, to provide some insight on the matter.
He believes that the industry should have expected something like Flame because in this field major events tend to repeat themselves.
“First there was Stuxnet, then Duqu, now Flame. Microsoft has joined the ranks of compromised third-party trust providers. RSA, Verisign, Comodo, DigiNotar and now Microsoft. If someone uses certificates for security and authentication they need to plan for more breaches and compromises,” Hudson explained.
“They need to have recovery and business continuity plans in place. There will be more certificate authority (CA) compromises in the future, and more users, companies and governments agencies will be affected if organizations don’t have actionable, recovery plans in place.”
The CEO went on to explain the bad practices he and his company witnessed each day when it came to the inventory of digital certificates.
“Most enterprises have glaring holes in their certificate inventories. In many cases organizations tell us they have say some 3,000 certificates installed, for instance, and by the time we’ve fully assessed the situation, the number of certificates and keys ends up being two or three times that large. That many unidentified certificates represents significant unmanaged and unquantified risk.”
The main problem is, according to Hudson, the fact that most originations don’t have a management platform in place that gives them the power to replace compromised certificates quickly.
When the replacement of compromised certificates is done manually, this can take even months, during which many companies might be forced to operate in risky conditions or even shut down their activities completely.
As far as the mitigation of the threat is concerned, the expert claims that this is just the beginning.
“Flame pointed to large vulnerabilities that exist in every organization. First Microsoft themselves used old outdated technology (the MD5 algorithm was proven hackable in 2005) in the certificates in their update and licensing service. The majority of companies in the world do the very same thing today. They had a major failure in complying with policies (they didn’t enforce the policy).”
He continued by adding, “Most corporations have no idea if their certificates conform to policy. They also allowed an expired certificate to be used to sign code. Every corporation has expired certificates on their networks. The problem is they don’t know where they are installed and how many are in use.”
An interesting observation he makes is that, while Microsoft have fixed their problem, they haven’t fixed “the problem.”
“This is a very dire situation. Every bad guy that is looking to exploit a vulnerability is now looking exactly where Flame pointed them. Most organizations do not know about their vulnerabilities and I will go out on a limb and say every organization in the world today has the vulnerabilities. The only way to handle this is to get an automated certificate management system in place ASAP.”
Finally, if you own a company and you make use of digital certificates, here’s some advice from the expert on what you can do to remove these types of risks:
1) maintain a current inventory of where all your security certificates are and who oversees them;
2) use multiple CAs so that if one is compromised, the other non-compromised CA and its issued certificates and keys are available for continued use;
3) And finally, every organization must have an actionable and comprehensive plan in place to recover from a CA compromise. The time to recover needs to be measured in hours, not weeks or months.