SSL-based threats and how to protect yourself
Cyber attacks are a daily issue for companies but when you face an SSL threat you are in big troubles. While most users believe that encryption offers an impenetrable shield for hackers, security experts know perfectly that hackers can manipulate SSL certificates to send any kind of malware without being detected. Take a look at the following list of threats that may infect your communication over the internet.
- 30. 04. 2019
- 6 min read
What is an SSL threat?
Nowadays, most internet communications use Secure Sockets Layers (SSL) and Transport Layer Security (TSL) to encrypt data. This way, privacy and data integrity are ensured. For instance, when you send an email, data is encrypted until reaches its destiny.
Unfortunately, these encryption protocols don’t distinguish if data is malicious or not. So hackers have taken advantage of this and started using the SSL protocol to send bugs and exploits that are not detected unless the package is decrypted first for inspection. Otherway the attack will go through infecting the victim. So basically, we can say an SSL threat is an encrypted attack.
Do you know that..?
In Master Internet, we will arrange the SSL certificate for you and notify you well in advance before its expiration. Assure your customers that they really are on your website.
SSL-based threat sources
There has been a remarkable increase in phishing attacks with SSL. Nothing strange since every day legitimate sites accepting SSL increase. Although many companies have invested in resolving vulnerabilities at the hardware level, just a few of them perform a total SSL inspection. Unless an organization can inspect 100% of all but specifically exempted SSL traffic, it is at risk of a potential cyber-attack.
According to research conducted by Zcaler, the most aggressive malware that currently use SSL to infect their victims is the following:
Vawtrack
Vawtrack is a Trojan also known as banking malware because it is one of the main threats that attack online banking portals. When Vawtrack is installed on the device, it can create VNC and socks servers that allows the attacker access. Although this malware is capable of capturing screenshots and videos, its main purpose is to steal login credentials through various device sources, such as FTP clients, email clients, web browsers, etc. Vawtrack can also create fake templates and web forms to induce the victim to reveal their confidential data. This malware allows to download and validate SSL certificates to initiate HTTPS connections.
Adware
Adware is able to distribute scripts to redirect exploits. Although this threat is possible to control through SSL encryption, there are cases in which malicious software has managed to destroy the security barriers to place unwanted publicity in HTTPS traffic. Adware, such as Superfish and PrivDog, can install CA (certification authority) certificates on victims’ devices to capture their web traffic and insert ads while surfing the Internet. An example of the aggressivity of this adware is PrivDog which redirects users to websites with fake SSL certificates. InstallCore is another adware that induces users to install Flash plugins or Java updates that do nothing but insert malicious scripts to manipulate home pages and search engines in the user´s device.
Gootkit
Gootkit is a Trojan specialized in the infection of Windows devices. Gootkit turns the infected device into a zombie that becomes part of a botnet. Its main objective is the theft of banking information. This malware captures user data by placing a malicious script in HTTPS traffic. Goodkit executes via SSL without files installation.
Dridex
Dridex is another banking malware that joins the list of dangerous Trojans such as TrickLoader, Dyre and Bugat. Essentially, this type of malware monitors the activity of the Internet browser (HTTP and HTTPS) towards specific URLs determined by the configuration of a string list. When the Trojan detects activity according to its parameters, it begins to steal the information flow.
50% of all network attacks used encrypted traffic in 2017. Gartner
Open doors that can cause an SSL attack
- Malware infection and data exfiltration: Typically, this vulnerability occurs when company employees perform web browsing through HTTPS and this traffic is not inspected.
- Expansion of infected hosts: occurs when traffic is not inspected while employees connect to servers from an internal network.
- Lack of basic protection technology to analyze incoming traffic: this failure in traffic inspection occurs when an Internet user connects to the public servers of the company using encrypted protocols.
How to perform an SSL inspection?
1. Implement a total SSL inspection plan
Most companies choose to track only a percentage of HTTPS requests from users, however, this is like placing two fire extinguishers in a 20-story building. A total SSL inspection allows the organization to create secure channels between the user and the server.
2. Configure your SSL inspection service
To achieve effective traffic monitoring it is necessary to configure your inspection service with exception policies for cases in which it is necessary to decipher or decrypt traffic. In addition, you must establish a whitelist and a blacklist to catalog the level of risk of the websites according to threats potential.
3. A scalable and updated inspection system
When an SSL inspection system is adopted, it must be scaled to the cloud to track remote users. Therefore, it is necessary to have an updated threat data network to quickly detect dangerous SSL certificates and block them immediately.
4. Use specialized software for detection of SSL-based threats
Some companies like Cisco have developed traffic analytic tools such as Stealthwatch Enterprise, which uses machine learning techniques to improve the detection of threats.
Specific actions to prevent an attack based on SSL
Certified algorithms
Do not trust self-signed certificates. A reliable certificate should use ideally the SHA-2 hash algorithm. In addition, Extended Validation (EV) certificates offer a higher level of trust to websites. Websites with EV are marked in green by most browsers
Get rid of previous versions of SSL
SSL protocols have demonstrated several vulnerabilities, especially SSL 2.0. On the other hand, the strength of SSL 3.0 has also been questioned after being successfully violated. The safest protocol today is the TLS, although that does not mean that it is not vulnerable. However, it offers more guarantees than its predecessors and is accepted by most browsers.
According to the Ponemon Institute report, 51% of companies are planning to install some form of traffic decryption while 62% said they don’t make any inspection of decrypted traffic.
Ciphers and renegotiation of clients
Ciphers of less than128 bits do not offer enough security due to the weakness of its encryption. You should preferably change to ECDHE encryption. When you do, do not forget to enable the forward secrecy option to avoid intercepted communications.
On the other hand, by disabling the renegotiation of clients, you can stop at any time the exchange of information via SSL between the client and the server.
Avoid the CRIME attack.
The crime attack is known for its ability to decipher a secure connection through the TLS compression process. To avoid this, the step is obvious: disable TLS compression.
Enable HSTS and verify the security of cookies
All cookies involved in user´s sessions must be protected with special attributes. This will prevent them from being intercepted. You must also enable HSTS (Strict Transport Security) on HTTP to expand your security and avoid unencrypted communications to other websites.
