Slashdot Mirror

← Back to Stories (view on slashdot.org)

How SSL/TLS Encryption Hides Malware (cso.com.au)

Posted by EditorDavid on from the encoded-code dept.

Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that was hidden from firewalls by SSL/TLS encryption: When victims don't have the right protection measures in place, attackers can cipher command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers too increases.

Companies can stop SSL/TLS attacks, however most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.

4 of 87 comments (clear)

  1. Disable flash & keep endpoints up to date by NotInHere · · Score: 3, Informative

    The malicious yahoo ad used the angler exploit kit. 75% of the exploits used by angler are flash exploits: http://www.talosintelligence.c...

    Just don't install flash per default, and require exceptions for people who need it for their job (hopefully a small amount).

    1. Re:Disable flash & keep endpoints up to date by The+MAZZTer · · Score: 5, Informative

      Don't forget blocking ads, which would also soundly defeat this malware.

  2. Re:Time to update firewalls. by E-Rock · · Score: 3, Informative

    No, if there was a device that could real time (or even near time) decrypt the traffic for inspection, it would negate the point of having it encrypted in the first place. The only way to inspect SSL/TLS traffic is with a MITM design with a trusted certificate on the client machines.

  3. Re:Wouldn't it be nice by Snotnose · · Score: 2, Informative

    It just hit me. Wouldn't it be funny as hell if Snotnose got enough write in votes that the news media had to report it, even though nobody knows who the hell I am? I'm sure it would take them all of a day to track me down, but I'd deny it and there are 4-5 other snotnoses out there so it would take them another day to be sure it's me.

    Even better, I'm old enough to be prez and don't think I have anything disqualifying me from being prez. Just change your vote from Deez Nutz to Snotnose.