Slashdot Mirror

← Back to Stories (view on slashdot.org)

How SSL/TLS Encryption Hides Malware (cso.com.au)

Posted by EditorDavid on from the encoded-code dept.

Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that was hidden from firewalls by SSL/TLS encryption: When victims don't have the right protection measures in place, attackers can cipher command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers too increases.

Companies can stop SSL/TLS attacks, however most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.

5 of 87 comments (clear)

  1. Disable flash & keep endpoints up to date by NotInHere · · Score: 3, Informative

    The malicious yahoo ad used the angler exploit kit. 75% of the exploits used by angler are flash exploits: http://www.talosintelligence.c...

    Just don't install flash per default, and require exceptions for people who need it for their job (hopefully a small amount).

    1. Re:Disable flash & keep endpoints up to date by The+MAZZTer · · Score: 5, Informative

      Don't forget blocking ads, which would also soundly defeat this malware.

  2. Protecting just the border is simply wrong by 0x000000 · · Score: 4, Interesting

    This mindset of "we just need to protect at the borders; this protects endpoints" is wrong. While it provides some protection, there are so many other avenues of infection or acquiring malware that trying to equate TLS with making things simpler to hide just seems incredible of an assertion to make. These days you absolutely need to make sure that endpoint protection is just as strong, if not stronger than what you deploy on the borders of your network.

    As more corporations allow bring your own device to save costs, and give employees laptops, you can no longer trust in just filtering at the border, because the devices can move, people bring in thumb drives, and other avenues for getting malware. TLS or no TLS, I have a feeling that most HTTP intercepting proxies would not have caught newer malware in ads even if configured to do so, simply by the nature that by the time there is a signature available for it, it is generally already too late and people will have been infected.

    --
    cat /dev/null > .signature
  3. Blue Coat by Anonymous Coward · · Score: 5, Interesting

    Remember BlueCoat? The company given a cert by Symantec that would let them generate and fake any other certificate.

    BlueCoat's claim to needing that faking ability, was so that it could decrypt TLS sessions, to check for virus's in encrypted traffic.

    a) But if it was installed on a company server, then the *companies* own certificate would be installed on that PC and it wouldn't need to fake the certificate, rather it would intercept the session and substitute its own cert. (A standard 'feature' built into Microsoft Windows).

    and

    b) If the PC had a virus scanner, then that scanner would be checking the memory of the PC.

    http://motherboard.vice.com/read/a-controversial-surveillance-firm-was-granted-a-powerful-encryption-certifica

    Your ISP does NOT scan your internet connection for virus's. It never did when the traffic was unencrypted. It didn't lose the ability to do so in encrypted, because it never did. BlueCoat on the other hand represent a backdoor into all commercial, banking, financial, medical, government secrets, electronic voting machines, business secrets, cloud services, everything.

    And yet somehow Symantec issued the certificate to them and faced no punishment.

  4. Re:Time to update firewalls. by E-Rock · · Score: 3, Informative

    No, if there was a device that could real time (or even near time) decrypt the traffic for inspection, it would negate the point of having it encrypted in the first place. The only way to inspect SSL/TLS traffic is with a MITM design with a trusted certificate on the client machines.