How SSL/TLS Encryption Hides Malware (cso.com.au)
Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that was hidden from firewalls by SSL/TLS encryption:
When victims don't have the right protection measures in place, attackers can encrypt command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware, as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers increases too.
Companies can stop SSL/TLS attacks, however most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.
The malicious Yahoo ad used the Angler exploit kit. 75% of the exploits used by Angler are Flash exploits: http://www.talosintelligence.c...
Just don't install Flash by default, and require exceptions for people who need it for their job (hopefully a small number).
This mindset of "we just need to protect at the borders; this protects endpoints" is wrong. While it provides some protection, there are so many other avenues of infection or acquiring malware that trying to equate TLS with making things simpler to hide just seems like an incredible assertion to make. These days you absolutely need to make sure that endpoint protection is just as strong, if not stronger, than what you deploy on the borders of your network.
As more corporations allow bring your own device to save costs, and give employees laptops, you can no longer trust in just filtering at the border, because the devices can move, people bring in thumb drives, and there are other avenues for getting malware. TLS or no TLS, I have a feeling that most HTTP intercepting proxies would not have caught newer malware in ads even if configured to do so, simply by the nature that by the time there is a signature available for it, it is generally already too late and people will have been infected.
cat
Virtually all modern firewall/IDP systems have SSL decryption. Given that virtually all websites use SSL nowadays, it makes no sense at all to even have an IDP if it can't handle SSL traffic.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Remember BlueCoat? The company given a cert by Symantec that would let them generate and fake any other certificate.
BlueCoat's claim to needing that faking ability was so that it could decrypt TLS sessions to check for viruses in encrypted traffic.
a) But if it was installed on a company server, then the *company's* own certificate would be installed on that PC and it wouldn't need to fake the certificate; rather it would intercept the session and substitute its own cert. (A standard 'feature' built into Microsoft Windows.)
and
b) If the PC had a virus scanner, then that scanner would be checking the memory of the PC.
http://motherboard.vice.com/read/a-controversial-surveillance-firm-was-granted-a-powerful-encryption-certifica
Your ISP does NOT scan your internet connection for viruses. It never did when the traffic was unencrypted. It didn't lose the ability to do so when the traffic became encrypted, because it never had it. BlueCoat, on the other hand, represents a backdoor into all commercial, banking, financial, medical, government secrets, electronic voting machines, business secrets, cloud services, everything.
And yet somehow Symantec issued the certificate to them and faced no punishment.
Encryption mechanism designed to protect traffic from eavesdropping by 3rd parties has potential to keep 3rd parties from inspecting traffic...
Was somebody expecting TLS to stop working if the evil bit was set?
The best prevention against malware sits in front of the PC screen.
This is one of those articles that takes a non-problem and ascribes importance to it in order to grab headlines.
Don't trust any device inside or outside of your network until you can verify it is trustworthy. Even then, don't trust it any more than you have to.
Okay, that's the ideal world.
In the real world such a policy would cripple most enterprises, so we have to compromise somewhere.
What that compromise should look like will be on a case-by-case basis.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It just hit me. Wouldn't it be funny as hell if Snotnose got enough write in votes that the news media had to report it, even though nobody knows who the hell I am? I'm sure it would take them all of a day to track me down, but I'd deny it and there are 4-5 other snotnoses out there so it would take them another day to be sure it's me.
Even better, I'm old enough to be prez and don't think I have anything disqualifying me from being prez. Just change your vote from Deez Nutz to Snotnose.
If you are using a firewall to defeat malware you are just plainly doing things wrong. The only thing a firewall should be doing is to detect and block (D)DoS attacks and connections to and from IPs on ports you don't want or you are sure you don't need, while allowing connections from other IPs and ports you actually do need. If you really need to analyse all the traffic in your network, install your own root CA in the endpoints and just MITM everything which needs to be on there. But you should seriously consider the implications of what you are doing, because you are basically circumventing everything that groups of people way smarter than you have been putting in place for decades.
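The certificate substitution that the BlueCoat comment and the "install your own root CA" comment above both describe, as an added example that is not part of the original thread: a constructed inspection root CA (hypothetical "Example Corp Inspection Root CA") issues a leaf for a hostname, and the Go standard library's chain verification shows that only an endpoint carrying that root accepts it, while an endpoint without it rejects the session. The root's name in the accepted chain is what an endpoint or monitoring tool can log to confirm that its traffic is being decrypted on the way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for tmpl: self-signed when parent is nil, else signed with parentKey.
func mkCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// InterceptionDemo builds a constructed inspection root CA and the leaf it would substitute for host.
// It reports whether an endpoint trusting that CA accepts the leaf, whether one with an empty trust store
// (stand-in for the public roots) accepts it, and the root CN of the accepted chain, the value to alert on.
func InterceptionDemo(host string) (trustingCA, publicOnly bool, rootCN string) {
	t0 := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Inspection Root CA"},
		NotBefore: t0, NotAfter: t0.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey := mkCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: t0, NotAfter: t0.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := mkCert(leafTmpl, ca, caKey)
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	chains, errCA := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: withCA})
	if errCA == nil {
		rootCN = chains[0][len(chains[0])-1].Subject.CommonName
	}
	_, errPub := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return errCA == nil, errPub == nil, rootCN
}
```

An endpoint that compares the chain root against the public roots it expects (or pins the issuer for sensitive hosts) will see the inspection CA's name instead and can flag it, which is the visibility the "circumventing everything" caveat asks for.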