A Sneaky Online Security Threat: Encrypted Malware in SSL – Hashed Out by The SSL Store – Hashed Out by The SSL Store

Posted on by

Unfortunately, the bad guys use encryption, too

Every time you connect to theinternet, whether its from a phone, tablet, or computer, you accept a certainlevel of risk. Hackers continue to find new ways to exploit security flaws andcompromise your device or data. You need to be on alert at all times in orderto avoid dangerous malware and other attacks that sometimes come from where youleast expect them.

When you see a padlock icon at the top of your browser, it means that youre communicating with the site you are viewing via a connection encrypted with a valid SSL/TLS certificate. But many people make the mistake of assuming that as long as an SSL certificate is present, then they are safe from all forms of attack, end of story. In this article, well explore how new types of malware are actually being hidden behind this trusted symbol.

SSL encryption is critical for any site or application that requiressensitive information to be transferred. This includes passwords, credit cardnumbers, and other financial data. SSL certificates are an excellent defensetactic against intruders whore trying to eavesdrop on your internet activity,protecting your data from criminals. Heres the thing, though: bad guys can useencryption, too. And hackers and cybercriminals are using SSL/HTTPS to hidemalicious code.

Lets hash it out.

Companies and organizationsspend a lot of money and resources on IT security solutions. One popularapproach is to combine intrusion detection systems and firewalls to monitor andanalyze all incoming traffic to your local network. The idea is for the systemto automatically detect and block cyber attacks and hacking threats before anyusers become vulnerable.

For example, lets say Bob incustomer service clicks on a link in a phishing email that leads to a URL withmalware. The organizations security systemscould detect and block this visit before Bobs machine can become infected withmalware.

However, there is an inherentloophole in how intrusion detection systems are built to operate. They involvethe scanning of network traffic to identify patterns that correspond to malwareor other malicious attacks. If the systems are unable to decode the full bodyof each incoming network request, then they remain blind to a certain portionof traffic.

For example, when youdownload a document from an external website, your firewall or intrusiondetection system can inspect the packets of data that come through the localnetwork. But if that communication is happening over an SSL connection, thenthe system cannot see through the encryption to detect what is really insidethe document.

Some newer intrusion detection solutions are introducing the concept of deep packet inspection, where the tool looks at the lower levels of each network request to understand more about its content. But not many organizations have this option available to them, which means that data passing over HTTPS could be a threat.

Another technique for detecting the presence of SSL malware is SSL inspection. This is the process of intercepting SSL/TLS-encrypted internet communication between the client and server. Interception can be executed between the sender and the receiver, and vice versa (receiver to sender). This, strangely, is the same technique used in man-in-the-middle (MitM) attacks, but if deployed carefully can be used to filter out malware in SSL. (The key difference between inspection and a man-in-the-middle attack is that with SSL inspection, the network administrator modifies the computers to allow inspection only by the authorized device/certificate.)

To understand how hackers encrypt malware with SSL, we need to look at the Transport Layer Security (or TLS,) which refers to the encryption process that goes on behind SSL. The latest Google numbers tell us that 93% of the internet is now encrypted. As discussed, it is designed to be locked to all outside parties, including firewalls that dont support deep packet inspection.

When it comes to SSL malware, hackers are not able to inject directly into existing streams of HTTPS content. For example, if you are shopping on Amazon and submit your credit card number to pay for a book, that information is transmitted over SSL. If a hacker tries to modify that traffic and inject malware, your browser will notice that the keys have changed and will automatically reject the request.

However, there are ways around this problem. One of the most common is for cybercriminals to get free SSL certificates for their sites that contain malware. Though legitimate SSL certificates are not expensive particularly given their importance in protecting data from theft hackers may find it easier to get a free certificate without using any financial info that could be used to track them.

Another variation on this technique for the delivery of SSL malware is for criminals to use SSL certificates on phishing sites that deliver malicious code to victims systems while looking like a legitimate websites. The hacker will send out a series of fraudulent emails that look like they are coming from a reputable sources. If users click on them, they will be directed to websites that look secure because they have free SSL certificates. At that point, the hackers can embed their malware into the encrypted traffic and try to bypass any firewall system.

These types of attack are becoming worryingly prevalent. Security Week reported in 2017 that in the first half of that year, Zscalers products blocked roughly 600,000 threats hidden in encrypted traffic every day. That number grew to 800,000 in the second half of the year, which represents an increase of 30%.

Other security analysts have also raised concerns. As Bill Conner, CEO of SonicWall, told TechRepublic earlier this year, SSL is now implicated in 4.2% of malware. That represents, he says, a 400% increase over the previous year. Thats because of the ease of finding bad SSL certificates, he continued, but also because only 5% of customers are turning on DPI, deep packet inspection for SSL.

The important thing to remember is that SSL does not guarantee safety. It simply ensures that your requests are encrypted. But the actual data being transmitted can still contain dangerous elements, including viruses and other forms of malware. Therefore, you should always be suspicious when visiting a new website. (Note: If the website in question is using an organization validation [OV] or extended validation [EV] SSL certificate, which are very hard for hackers to get, you can check their certificate details to get additional details about the organization thats running the website.)

Staying safe online requiresa consistent level of diligence. Your best bet is to take proactive steps tocontrol and protect your online privacy. Here are a few tips to protect againstSSL malware and other threats:

Dont make the mistake of blaming this on SSL. Without it, the internet would be a MUCH more dangerous place. With the current level of hacking, going anywhere online would be hazardous. You would not be able to trust that your passwords and credit card numbers were being sent safely anywhere. The larger point here is that even when an SSL connection is present, remain aware that you still can be a target thanks to malware or other threats hidden inside of SSL traffic.

No need to be afraid. Just be vigilant with your cybersecurity strategy.

As always, leave any questions or thoughts in the comments!

Read the rest here:
A Sneaky Online Security Threat: Encrypted Malware in SSL - Hashed Out by The SSL Store - Hashed Out by The SSL Store

Related Posts
This entry was posted in $1$s. Bookmark the permalink.