GreenPages Blog

Cybersecurity is a Constantly Evolving Puzzle

Posted by: Robert Fitzgerald

One of the things I enjoy thinking through is how malicious actors will evolve and what their next attack will look like.

In a recent post, Sophos looked ahead to where the next landmines are likely to be, recognizing that bad actors are smart enough to move laterally across industries and to adopt the same protective tools and techniques that cybersecurity practitioners employ.

This is an important point.

Malicious actors are rarely independent hackers with an axe to grind. More often than not, they are affiliated, or even organized, to execute attacks against a wide range of organizations across industries. As they learn what works (i.e., which attacks succeed), they evolve and tweak those attacks and aim them at more and more organizations, regardless of size, maturity, or industry. And when an attack fails, these hackers watch and learn how it was deflected so that they can improve.

Something to think about as we move forward: while we, the defenders of networks, have the luxury of knowing and understanding our own environments, we are limited in what we can learn about the attacks we experience. Businesses will rarely contact a competitor to ask for help or to share data; attackers, by contrast, have marketplaces and chat boards where they share and sell information.

So, while reading this interesting blog post about how HTTPS is now being used by malicious actors, challenge yourself to think through what the next steps are going to look like:

  • What are we, the defenders, going to implement to identify and stop attacks?

  • Where will the hackers pivot to next?

Sophos offers a great blog series that allows both technical and non-technical readers to absorb and learn new information. Check out this blog and let me know your thoughts!

Stay safe out there.

-Rob


Malware and HTTPS - a growing love affair
by Paul Ducklin, courtesy of Sophos's Naked Security blog

If you’re a regular Naked Security reader, you’ll know that we’ve been fans of HTTPS for years.

In fact, it’s nearly nine years since we published an open letter to Facebook urging the social networking giant to adopt HTTPS everywhere.

HTTPS is short for HTTP Secure (HTTP over TLS), and it means that your browser, which uses HTTP (Hypertext Transfer Protocol) to fetch web pages, doesn't simply hook up directly to a web server and exchange data in the clear.

Instead, the HTTP information that flows between your browser and the server is wrapped inside a data stream that is encrypted using TLS, which stands for Transport Layer Security.

In other words, your browser first sets up a secure connection to-and-from the server, and only then starts sending requests and receiving replies inside this secure data tunnel.

As a result, anyone in a position to snoop on your connection – another user in the coffee shop, for example, or the Wi-Fi router in the coffee shop, or the ISP that the coffee shop is connected to, or indeed almost anyone in the network path between you and the other end – just sees shredded cabbage instead of the information you’re sending and receiving.

[Figure: HTML source code of a simple web page.]
[Figure: The HTML source above, rendered in a browser.]
[Figure: Web page 'on the wire' without TLS; raw HTTP data can be snooped. Blue: HTTP '200' reply. Red: HTTP headers. Green: page content.]
[Figure: Web page fetched using HTTPS via a TLS connection; encrypted content can't be snooped.]

Why everywhere?

But why HTTPS everywhere?

Nine years ago, Facebook was already using HTTPS at the point where you logged in, thus keeping your username and password unsnoopable, and so were many other online services.

The theory was that it would be too slow to encrypt everything, because HTTPS adds a layer of encryption and decryption at each end, and therefore just encrypting the “important” stuff would be good enough.

We disagreed.

Even if you didn't have an account on the service you were visiting, and therefore never needed to log in, eavesdroppers could track what you looked at, and when.

As a result, they’d end up knowing an awful lot about you – just the sort of stuff, in fact, that makes phishing attacks more convincing and identity theft easier.

Even worse, without any encryption, eavesdroppers can not only see what you’re looking at, but also tamper with some or all of your traffic, both outbound and inbound.

If you were downloading a new app, for example, they could sneakily modify the download in transit, and thereby infect you with malware.

Anyway, all those years ago, we were pleasantly surprised to find that many of the giant cloud companies of the day – including Facebook, and others such as Google – seemed to agree with our disagreement.

The big players ended up switching all their web traffic from HTTP to HTTPS, even when you were uploading content that you intended to publish for the whole world to see anyway.

Fast forward to 2020, and you’ll hardly see any HTTP websites left at all.

Search engines now rank unencrypted sites lower than their encrypted equivalents, and browsers do their best to warn you away from sites that won't talk HTTPS.

[Figure: Left: Safari on iOS warning about a non-HTTPS web page. Right: Firefox notification for the same page.]

Even the modest costs associated with acquiring the cryptographic certificates needed to convert your webserver from HTTP to HTTPS have dwindled to nothing.

These days, many hosting providers will set up encryption at no extra charge, and services such as Let’s Encrypt will issue web certificates for free for web servers you’ve set up yourself.

HTTP is no longer a good look, even for simple websites that don’t have user accounts, logins, passwords or any important secrets to keep.

Of course, HTTPS only applies to the network traffic – it doesn’t provide any sort of warranty for the truth, accuracy or correctness of what you ultimately see or download. An HTTPS server with malware on it, or with phishing pages, won’t be prevented from committing cybercrimes by the presence of HTTPS. Nevertheless, we urge you to avoid websites that don’t do HTTPS, if only to reduce the number of danger-points between the server and you. In an HTTP world, any and all downloads could be poisoned after they leave an otherwise safe site, a risk that HTTPS helps to minimize.

Goose and gander

Sadly, what’s good for the goose is good for the gander.

As you can probably imagine, the crooks are following where Google and Facebook led, by adopting HTTPS for their cybercriminality, too.

In fact, SophosLabs set out to measure just how much the crooks are adopting it, and over the past six months have kept track of the extent to which malware uses HTTPS.

Well, the results are out, and it makes for interesting – and useful! – reading.

In the paper, we didn’t look at how many download sites or phishing pages are now using HTTPS, but instead at how widely malware itself is using HTTPS encryption.

Ironically, perhaps, as fewer and fewer legitimate sites are left talking plain old HTTP (usually on TCP port 80), the more suspicious the traffic that remains starts to look.

Indeed, the time might not be far off where blocking plain HTTP entirely at your firewall will be a reliable and unexceptionable way of improving cybersecurity.

The good news is that by comparing malware traffic via port 80 (usually allowed through firewalls and almost entirely used for HTTP connections) and port 443 (the TCP port that’s commonly used for HTTPS traffic), SophosLabs found that the crooks are still behind the curve when it comes to HTTPS adoption…

…but the bad news is they’re already using HTTPS for nearly one-fourth of their malware-related traffic.
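As an added example (not code from the SophosLabs paper or from this post), here is the port-80-versus-443 tally described above run over a handful of constructed flow records, plus the two follow-up questions a defender would ask of the same data: which internal hosts are still talking plain HTTP, and which web flows pushed a lot of data outbound. The tab-separated record layout (timestamp, source, destination, destination port, protocol, bytes out) and every address and byte count in SAMPLE_FLOWS are assumed for illustration.

```python
"""Tally outbound web flows by port 80 (plain HTTP) versus port 443 (HTTPS).

Added example for this page; not code from SophosLabs or GreenPages.
The tab-separated record layout (ts, src, dst, dst_port, proto, bytes_out)
is assumed for illustration, and every line in SAMPLE_FLOWS is constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


HTTP_PORT, HTTPS_PORT = 80, 443

# Constructed sample: a few outbound flows from a small office network.
SAMPLE_FLOWS = """\
1585000001\t10.0.0.12\t93.184.216.34\t443\ttcp\t2140
1585000002\t10.0.0.12\t93.184.216.34\t443\ttcp\t560
1585000003\t10.0.0.15\t198.51.100.7\t80\ttcp\t4096
1585000004\t10.0.0.15\t198.51.100.7\t80\ttcp\t102400
1585000005\t10.0.0.21\t203.0.113.9\t443\ttcp\t300
1585000006\t10.0.0.21\t203.0.113.9\t443\ttcp\t8800
1585000007\t10.0.0.15\t198.51.100.7\t80\ttcp\t5120
1585000008\t10.0.0.33\t192.0.2.44\t8443\ttcp\t700
1585000009\t10.0.0.12\t192.0.2.53\t53\tudp\t90
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse tab-separated flow records, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split("\t")
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def web_port_breakdown(flows: List[Flow]) -> Dict[str, int]:
    """Count TCP flows to port 80 and to port 443; other ports are ignored,
    which mirrors the port-based comparison SophosLabs describes."""
    counts: Counter = Counter()
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.dport == HTTP_PORT:
            counts["http"] += 1
        elif f.dport == HTTPS_PORT:
            counts["https"] += 1
    return dict(counts)


def https_share(flows: List[Flow]) -> float:
    """Fraction of web flows (80 + 443) that went to 443."""
    c = web_port_breakdown(flows)
    total = c.get("http", 0) + c.get("https", 0)
    return c.get("https", 0) / total if total else 0.0


def plain_http_talkers(flows: List[Flow]) -> Dict[str, int]:
    """Internal hosts still sending plain HTTP, with total bytes sent.
    These are what you would review before blocking port 80 outright."""
    sent: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dport == HTTP_PORT:
            sent[f.src] += f.bytes_out
    return dict(sent)


def large_uploads(flows: List[Flow], threshold: int) -> List[Flow]:
    """Web flows that pushed more than `threshold` bytes outbound. On port 80
    the payload can be inspected; on 443 only the volume is visible unless
    the gateway decrypts."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport in (HTTP_PORT, HTTPS_PORT)
            and f.bytes_out > threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(web_port_breakdown(flows))
    print(f"HTTPS share of web flows: {https_share(flows):.0%}")
    print(plain_http_talkers(flows))
    for f in large_uploads(flows, threshold=50_000):
        print(f"large upload: {f.src} -> {f.dst}:{f.dport} {f.bytes_out} bytes")
```

On the constructed sample this reports four HTTPS flows against three plain-HTTP ones, a single host (10.0.0.15) responsible for all of the port-80 traffic, and one large port-80 upload. Run against real flow logs, the plain-HTTP talker list is the inventory you need before taking the "block port 80 at the firewall" step the article anticipates, and the large-upload list is where an exfiltration hunt starts.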

Malware often uses standard-looking web connections for many reasons, including:

  • Downloading additional or updated malware versions. Many, if not most, malware samples include some sort of auto-updating feature, often used by the crooks to sell access to infected computers onwards to the next wave of criminals by “upgrading” to a new malware infection.
  • Fetching command-and-control (C&C or C2) instructions. Many, if not most, modern malware “calls home” in order to find out what to do next. Crooks may have thousands, tens of thousands or more computers all waiting for commands from the same source, giving the criminals a powerful “zombie army”, known as a botnet (short for robot network), of devices that can be harnessed for evil simultaneously.
  • Uploading stolen data. Data stealing is known in the jargon as exfiltration, and by hiding uploads in encrypted network connections, crooks can not only make it look like routine web browsing, but also make it much harder for you to scan and verify the data before it leaves your network.

What to do?

  • Read the report. You will learn how various contemporary malware strains are using HTTPS, along with other tricks, to look more like legitimate traffic.
  • Use layered protection. Stopping malware before it gets in at all should be your top-level goal.
  • Consider HTTPS filtering at your network gateway. A lot of sysadmins avoid HTTPS filtering for a mixture of privacy and performance reasons. But with a nuanced web filtering product you don’t need to peek inside all the encrypted traffic on your network – you can leave online banking connections alone, for example – and you won’t bring your network to its knees due to the overhead of decrypting network packets.
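The "nuanced" filtering in the last point rests on one fact about the protocol described earlier on this page: the TLS handshake that wraps HTTP begins with a ClientHello sent in the clear, and that message normally names the server (the Server Name Indication, or SNI) before any encryption starts. A gateway can therefore read the hostname, exempt sensitive destinations such as online banking, and decrypt only the rest. The following is an added example (not Sophos code, and not any product's logic) that parses the SNI from a ClientHello and applies such a policy; build_client_hello() constructs a minimal TLS 1.2-style ClientHello so the parser can be exercised offline, and BYPASS_SUFFIXES is an assumed policy list.

```python
"""Read the SNI hostname from a TLS ClientHello and apply a bypass policy.

Added example for this page; not Sophos code or any product's logic.
build_client_hello() constructs a minimal TLS 1.2-style ClientHello so the
parser can be exercised offline; BYPASS_SUFFIXES is an assumed policy list.
"""
import os
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)

# Assumed policy: sessions to these domains are never decrypted at the gateway.
BYPASS_SUFFIXES: Tuple[str, ...] = ("bank.example", "health.example")


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed ClientHello: one cipher suite, null compression, optional SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # client random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name, or None if the bytes are not a ClientHello,
    are truncated, or carry no SNI extension. Nothing is decrypted: the
    ClientHello is sent in the clear before any keys exist."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                           # truncated or split across records
        p = 2 + 32                                # skip client_version and random
        p += 1 + body[p]                          # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
        p += 1 + body[p]                          # compression_methods
        if p + 2 > len(body):
            return None                           # no extensions block at all
        ext_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            data = body[p:p + elen]
            p += elen
            if etype != EXT_SERVER_NAME:
                continue
            q = 2                                 # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("idna")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def should_inspect(record: bytes, bypass: Tuple[str, ...] = BYPASS_SUFFIXES) -> bool:
    """True if the gateway should decrypt this session. A session with no
    readable SNI is inspected, since there is nothing to exempt it on."""
    host = parse_sni(record)
    if host is None:
        return True
    host = host.lower().rstrip(".")
    return not any(host == s or host.endswith("." + s) for s in bypass)
```

Two caveats a practitioner should keep in mind. Malware controls its own ClientHello, so a missing, malformed, or implausible SNI is itself a signal worth logging rather than a reason to wave the session through; the policy above errs on the side of inspecting such sessions. And the hostname is only in the clear because current TLS deployments send it that way; Encrypted Client Hello, once widely adopted, removes this field from view and pushes the same decision onto other evidence.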
Robert Fitzgerald
As GreenPages’ Risk and Security Practice Lead, Rob is responsible for designing and building GreenPages’ overall program, including all of the risk and security services and offerings GreenPages brings to market. Rob has spent the past 20 years building and supporting security programs, with a specialty in Cyber Security and InfoSec Operations. He advises organizations on the threat landscape, builds and grows teams, develops risk mitigation plans, architects security solutions, remediates events, provides testimony…and cleans up messes.
