PROVE IT Why do Malicious Cyber-attacks Have Cute Names | BLOG

“Heartbleed Bug”. “Poodle”. “Sea-Surf”. “DROWN”. If these were supervillain names, I wouldn’t exactly be sending in Superman to deal with these guys. But don’t let these catchy names fool you: these are the names of serious cyber-attacks that resulted in millions of people’s data being exposed and financial information compromised. I guess you shouldn’t judge a supervillain by their name. In these cases, each cyber-attack mentioned above may as well have been carried out by a criminal mastermind.

When it comes to the motivation behind a cyber-attack, there are countless reasons why these are carried out, from espionage to sabotage. Some attacks require a high level of computing power and sophistication, whereas other breaches can be carried out from your home (as happened when Instagram issued a challenge to be hacked, and was successfully hacked by a 10-year-old whom they rewarded with $10,000).

Two groups of hackers, one called “white hat” (the good guys) and the other “black hat” (the bad guys), are in constant competition. On one hand, white hat hackers look for security vulnerabilities so they can report them and more secure protocols and systems can be designed. On the other hand, black hat hackers are looking to find holes in software and web security that are unknown to the owner, and exploit them before the owner becomes aware and hurries to fix them (also known as a “zero day attack”).

Most attacks do not attempt to break HTTPS.

My first impression of hacking was the idea of a person sitting behind a computer typing code furiously to break into the Pentagon’s secret Area 51 files. In reality, attacks involve a much larger degree of social engineering and instead attempt to circumvent your security. Many of the digital safeguards in place are virtually unbreakable, so anyone looking to get through them would need to know at least a little about you to imitate your identity well enough to trick a security protocol into letting them through.

Think of it this way: the cryptography within HTTPS is so strong that it could take between one and six quadrillion years to break the cryptographic code of an SSL/TLS certificate (for the math used to come up with that number, see this report by Lenestra). Given that enormous time-frame, an attacker is more likely to devise traps that get a cyber-victim to unintentionally expose private information so that there is no need to crack HTTPS. In the hit TV show Mr. Robot, one attacker gains access to a cybersecurity firm’s system by tricking one of its employees into thinking he is a musician, and asking him to listen to his demo CD (which the employee does at his workstation, thus infecting the network with the attacker’s virus).

This points to the fact that while the cryptography within SSL/TLS certificates is strong, implementation problems that lead to bugs through poor design, as well as continued support for old cryptography, can create vulnerabilities. In other words, your privacy and security do not start and stop with your HTTPS; they start and stop with you, and HTTPS is one of the best tools you have for your defense. However, while the cryptography within an SSL/TLS certificate is increasingly impossible to break, the most effective cyber-security attackers realize their best bet in gaining access to your data is to act innocent, play cute, and wait in the bushes for their targets to slip up. It seems as though HTTPS is a strong enough defense to push attackers to find other ways to get into your networks.

HTTPS is currently the standard by which our security and privacy live or die on the Internet, and it has proven to be a reliable protocol. What threats like Heartbleed, POODLE, Sea-Surf and all other lovable bugs and attacks do is push Certification Authorities and security experts to the frontier of discovering new technologies and protocols. By exposing security flaws in the technologies around HTTPS, these attacks impart extremely useful lessons and push the industry to stay ahead of the curve in the constant cat and mouse game against cyber threats.

While some wish for the Internet to be that place of anonymous fun it was at its inception, and for many years since, this is not the future we are moving towards. Security protocols, and the attacks carried out against them or the maneuvers taken to sidestep them, are the result of the Internet becoming an extension of our real lives, a place where we identify ourselves and have real relationships. As a result, it needs a real, firm security structure to keep people safe.

So why the cute names?

It comes down to exposure of the vulnerability to the public consciousness. If the vulnerabilities were named with a number or a more scientific descriptor, it would be boring and the vulnerability would be forgotten. A catchy name attaches itself more easily to the memory as you associate imagery with that name. This helps get the word out about the vulnerability so that any damage it causes can be mitigated.

So what does this mean?

A recent push for all sites to be secured by HTTPS and to make SSL/TLS certificates more accessible is on the rise. But, given the intelligence and sophistication of those who threaten standardized security protocols, the world needs the best and smartest people working constantly to combat the enemy. Specifically, cryptology will have to improve, and the TLS protocol must be updated on a regular basis. The “good guys” will have the challenge of keeping up with vulnerabilities, working to expose flaws in the implementation of SSL/TLS, while vendors who use SSL/TLS security must ensure they are fixing any bugs. CAs can help by offering services and advice so that vendors can implement SSL/TLS effectively and consider best practices when deploying SSL/TLS certificates.

*Note: A special thanks to SSL Support Manager, Rob Lauzon, for running me through the basics of cyber-attacks and providing me with endless resources to educate me on this subject.