Imagine the following: You are at home, ready to head out… You do the triple-tap on the pant pockets and immediately notice that you are missing the car keys. Sure enough you check everywhere, and after turning every piece of furniture like a madman, you think to yourself – “Darn it! Maybe I left them inside the car!”. You run outside and to your amazement, the car is no longer even there. Let’s assume that the cause is simple, you left the keys on the seat, someone noticed and grabbed them along with your car.
Is the car manufacturer to blame? Or the roads that let the bandit travel with the stolen car? The alarm manufacturer? Or yourself, for not handling your keys properly and safely?
Recent attacks, such as the ones performed on Opera recently, and previous to other corporations are similar. Having read multiple sources, it does not seem that anyone is even looking at the way the keys were protected. Most people think that keys are protected by default with some magical OS features, but the reality software is software, for things that are as important as cryptographic keys that relate your company to a digital publisher identity, you need something more. This is where special purpose hardware devices come into play. Widely known as Hardware Security Modules, or HSMs; these devices are incapable of leaking keys, even when the software that uses the keys is compromised. The reason for this is that most of these have hardware that prevents this from happening, regardless of whether you are an domain admin or hacker. I have to admit setting these up is not completely straightforward, and there is a cost associated around it. There is also a price to pay when your software gets hacked and is responsible for letting hackers steal people’s information (see PSN hacks for reference). Simple mechanisms ARE available, an example is a $10 smart card. With some research and smarts those $10 will net you a lot of ROI down the road.
Some of the comments I have read include this one: “It’s become clear that certificate-based attacks have become the attack vector of choice. Organizations must implement effective controls to ensure the safety of their network.” – Jeff Hudson, CEO Venafi. This completely overlooks the key management as an issue, and exemplifies the common thinking around organizations. There is nothing bad about securing your infrastructure, but the cryptographic keys are misunderstood individuals, they require much more care, so they must be protected at rest, in use and in transit (well NO transit is preferred). As long as the IT Security Pro’s keep making these mistakes, the statement from Mr. Hudson around certificates being used as an attack vector will remain true. Its the most bang for buck, if you had 37 minutes (see: Opera hacking @ http://threatpost.com/opera-hack-certificate-theft-redirects-thousands-to-malware/#comment-93022) what would you take? The jewels! Of course, the most valuable assets.