How Bitcoin is coming to Ethereum, again – Decrypt

Bitcoin has been tokenized on the Ethereum blockchain again. This time it is Summa, an interoperability solutions provider, and the Keep Network, a privacy layer for Ethereum (ETH), that are building the token, called tBTC.

On Thursday, it debuted on Ethereum's testnet, and a mainnet launch is planned for March. The project hopes to bring Bitcoin (BTC) into the Decentralized Finance (DeFi) industry. Could this be the most important project to launch on Ethereum in 2020?

The launch is big news especially for DeFi; tBTC means that Bitcoin holders can now earn interest on lending dapp Compound; get a loan from MakerDAO or a non-collateralized one from Aave; trade or lend on Fulcrum or dYdX; save with Dharma Network or Pool Together, and much more.

Up to now it has been a pipe dream, despite several attempts to build a trustless way to bring Bitcoin to Ethereum. tBTC takes a different route: essentially, a decentralized issuance mechanism between two parties.

This isn't the first version of Bitcoin on Ethereum. But it offers several benefits over the existing ones.

Synthetix's sBTC, a synthetic asset which gives investors exposure to Bitcoin's price movements, can't be used as collateral in other DeFi applications. So, this new token has more potential there.

And a solution such as Wrapped Bitcoin, or wBTC, requires a user to undergo know-your-customer (KYC) procedures, mint the token through a third-party merchant, and leaves the underlying Bitcoin in a custodian's hands rather than the user's. tBTC instead lets users mint and hold the token themselves, which suits the Ethereum ethos.

tBTC is not the only project working on a solution; others, such as Ren Protocol, are also striving to bring Bitcoin to Ethereum in a decentralized way.

But they'll need to be quick. The tBTC contracts are currently being audited ahead of the mainnet launch, and there are plans to integrate the token into lending platforms like Compound immediately afterwards. The race is on.


Tron CEO Failed to Convince Warren Buffet on the Merits of Bitcoin – newsBTC

Bitcoin makes a poor investment choice, according to the famed investor Warren Buffett, who sees more benefit in buying land than in buying the number one cryptocurrency.

Each year, business magnate, Warren Buffett auctions a charity lunch in honor of the Glide Foundation, a San Francisco based charity that aims to eradicate poverty and marginalization.

Tron CEO Justin Sun became the talk of the town last year by bidding a staggering $4.6 million to win lunch with Buffett. Naturally, the crypto world was buzzing with what this could mean for Bitcoin as well as the macro picture, especially considering Buffett's influence with the mainstream.

The lunch was originally scheduled to take place on July 25th, 2019, and was billed by Sun as the chance to sell the benefits of cryptocurrency to traditional investors.

bridge the gap between institutional and traditional investors and the realm of cryptocurrency and blockchain technology.

However, the plans fell into disarray following Sun's cancellation, with a bout of kidney stones given as the reason. Things took a further twist as reports from Chinese media claimed Sun was barred from leaving China while investigations into his business dealings took place, a claim he strenuously denied.

Following months of hearsay, Sun and Buffett finally managed to sync their schedules to enjoy a steak lunch at the Happy Hollow Club, Nebraska on January 23rd.

Sun tweeted about the event almost two weeks later, stating that he had gifted Buffett the latest Samsung fold phone with Bitcoin and Tron balances included. He even published the addresses in hopes that the community will rally behind the cause and donate more coins.

Even so, Sun did not update the community on his efforts to convince the billionaire investor of the merits of Bitcoin.

However, a tweet released today by the Tron Foundation lays out how the lunch went. And it's fair to say that Buffett remains skeptical about Bitcoin as an investment.

It's no secret that the billionaire business magnate cares little for Bitcoin. He once famously called the number one cryptocurrency "rat poison". And today's update shows that little has changed.

Having said that, Buffett did acknowledge the value of blockchain technology as a disruptor of the payments market. But he didn't extend the same sentiment to Bitcoin.

the reason why he doesn't think Bitcoin is a good investment is that as much as he recognizes the value of blockchain, it's not all going into Bitcoin.

Instead, Buffett remains steadfast in his view that stocks and equities are safer. And that the current monetary system is good enough.

On that note, Buffett summarized his opinion by saying even though Bitcoin has value, that alone doesnt make it a good investment. Moreover, he also pointed out that other competing blockchains are much more technologically advanced.

Bitcoin cannot capture the value of blockchain.


The EU is preparing to invest €2bn in a bloc-wide cloud computing alliance – NS Tech


FREDERICK FLORIN/AFP via Getty Images


The European Commission has set out plans to invest €2bn in a "trustworthy and energy efficient" cloud computing alliance as part of a drive to unshackle the bloc from US digital infrastructure.

The initiative was included in a package of measures unveiled by senior Commission officials today in a bid to restore the continent's technological sovereignty.

The funding, which would form part of a €15bn investment in Europe's Digital, Industry and Space cluster, will be funnelled into a "High Impact project on European data spaces", according to the Commission.

Details of the plans remain elusive, but it's expected that the funding will go towards the Gaia-X programme, a French and German-led initiative aimed at bringing together cloud providers from across the continent. The initiative has attracted criticism from the US tech industry, which, primarily thanks to Amazon Web Services, dominates the global infrastructure-as-a-service market.

Speaking in Brussels on Wednesday, the Commission's industry czar Thierry Breton said that a key plank of the plans would focus on creating shared trusts for industrial data. "The battle for industrial data starts now and Europe will be the main battlefield. Europe has the largest industrial base. The winners of today will not be the winners of tomorrow," he told reporters.

The Commission also published proposals on Wednesday to redraft antitrust laws, police online content and create legislation governing artificial intelligence, amid concerns that the EU is failing to keep pace with the US and China on technology and that existing measures to rein in firms such as Facebook, Google, Amazon and Apple have failed to effect long-lasting change.

In a statement issued on Wednesday, new Commission president Ursula von der Leyen (pictured) said: "Europe's digital transition must protect and empower citizens, businesses and society as a whole. It has to deliver for people so that they feel the benefits of technology in their lives. To make this happen, Europe needs to have its own digital capacities, be it quantum computing, 5G, cybersecurity or artificial intelligence (AI)."

The Commission plans to consult on the plans over the coming months, before bringing forward legislation later in the year.


HPC User Forum to Explore AI-HPDA Use In Banking and Investment Firms – insideHPC

Today Hyperion Research announced high-profile speakers from major banking and investment firms will highlight the agenda at the next HPC User Forum. Thomas Thurston, CTO of WR Hambrecht Ventures, and Brad Spiers, executive director at JP Morgan Chase will deliver keynote talks at the event, which takes place March 30-April 1 in Princeton, New Jersey.

Thomas Thurston

Thomas Thurston is chief technology officer and a partner at WR Hambrecht Ventures, the investment arm of global banking firm WR Hambrecht & Co. Thurston is a venture capitalist who developed the MESE computing system and uses data science to identify disruptive growth companies. Formerly, he used data science to guide growth investments at Intel and led a joint R&D effort at the Harvard Business School to develop predictive statistical models for early stage innovation.

Brad Spiers

The HPC User Forum meeting will also feature talks by U.S. and international experts on exascale computing and architectures, massive-scale analytics, AI for cyber operations, cancer research, fusion energy, seismology, HPC for small businesses, cloud computing, and quantum computing, along with technical updates from HPC vendors.



Govt creates tech group to chart the tech landscape for India – Economic Times

New Delhi: The government has created an empowered Technology Group of 12 members, which will be headed by the Principal Scientific Adviser to the Government of India, Professor K. VijayRaghavan. The Union Cabinet, chaired by Prime Minister Narendra Modi, approved the decision today.

"This Group is mandated to render timely policy advice on latest technologies; mapping of technology and technology products; commercialisation of dual use technologies developed in national laboratories and government R&D organisations; developing an indigenisation road map for selected key technologies; and selection of appropriate R&D programs leading to technology development," said the statement issued by the Press Information Bureau.

The constitution of the Technology Group is meant to address silo-centric approaches to technology development; technology standards that are either not developed or not applied, leading to sub-optimal industrial development; dual-use technologies not being optimally commercialised; R&D programmes not aligned with technology development efforts; and the need to map technologies important for applications in society and industry.

ET had reported earlier that VijayRaghavan also heads a committee on AI which is tasked with developing a roadmap for AI in the country. The committee also has representation from the secretary of the Department of Science and Technology, the CEO of Niti Aayog and the secretary of the Ministry of Electronics and IT. The government also announced Rs 8,000 crore of funding for quantum computing in Budget 2020.


MY TAKE: Why new tools, tactics are needed to mitigate risks introduced by widespread encryption – Security Boulevard

It was just a few short years ago that the tech sector, led by Google, Mozilla and Microsoft, commenced a big push to increase the use of HTTPS and its underlying TLS authentication and encryption protocol.


At the time, just 50% of Internet traffic was encrypted. Today the share of encrypted network traffic is well over 80%, trending strongly toward 100%, according to Google.

There is no question that TLS is essential, going forward. TLS is the glue that holds together not just routine website data exchanges, but also each of the billions of machine-to-machine handshakes occurring daily to enable DevOps, cloud computing and IoT systems. Without TLS, digital transformation would come apart at the seams.

However, the sudden saturation of TLS, especially over the past two years, has had an unintended security consequence. Threat actors are using TLS to obscure their attack footprints from enterprise network defenses. The bad guys know full well that legacy security systems were designed mainly to filter unencrypted traffic. So cyber criminals, too, have begun routinely using TLS to encrypt their attack traffic.

TLS functions as the confidentiality and authenticity cornerstone of digital commerce. It authenticates connections that take place between a smartphone and a mobile app, for instance, as well as between an IoT device and a control server, and even between a microservice and a software container. It does this by verifying that the server involved is who it claims to be, based on the digital certificate issued to the server: the client checks that the certificate chains to a trusted root and that the name in the certificate matches the host it meant to reach. It then encrypts the data transferred between the two endpoints. Authenticating the client is optional in TLS and is usually handled at another layer, which is why a valid server certificate says nothing about who initiated a connection.
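The name check described above is the part of TLS authentication that is most often switched off "to make things work", which is exactly the gap the rest of this piece is about. The block below is an added example, not code from the original article or from Sophos: it implements the subject-alternative-name matching a TLS client performs against a certificate (in the dictionary shape Python's `ssl` module returns from `getpeercert()`, here a constructed sample cert), and puts a correctly configured client context next to the "disable verification" anti-pattern. The cert dictionary, the host names and the function names are all assumptions made for illustration; in real code you let `ssl.create_default_context()` do this check for you and never turn it off.

```python
import ipaddress
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.example.net"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_label_match(pattern, hostname):
    """RFC 6125-style DNS-ID matching: a single '*' is allowed only as the
    whole leftmost label, it matches exactly one label, and never a bare
    registrable domain (so '*.example.net' does not cover 'example.net')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True if `hostname` is covered by the certificate's SAN entries.
    The commonName is deliberately ignored, as modern browsers do; an IP
    literal only matches an 'IP Address' SAN, never a DNS one."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_label_match(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def client_context(insecure=False):
    """Hardened default context versus the common anti-pattern of disabling
    verification. check_hostname must be cleared before verify_mode can be
    set to CERT_NONE, which is why the order below matters."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """Quick audit check: does this context still authenticate the server?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```

`context_verifies()` is the kind of one-line assertion worth dropping into a code review or a unit test for any internal HTTP client wrapper: an attacker who can plant a certificate, or who has hijacked DNS, needs only one client that skips the name check to get a clean man-in-the-middle position.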

TLS gap

At this moment, threat actors are taking full advantage of a TLS encryption gap. The level of sophistication and scope of harm in play is vividly illustrated by criminal activity at the leading edge. For instance, the Russian Turla hacking ring was recently spotted spreading an innovative Trojan, called Reductor, designed to alter the way Chrome and Firefox handle HTTPS connections: it installs its own root certificates on the infected machine and patches the browsers' random number generation so that each victim's TLS handshakes carry a recognisable marker. That gives the operators the ability to identify, intercept, and decrypt TLS traffic from any computer they infect.

But it's not just the elite hackers causing concern. The TLS gap is so wide open that threat actors of average skill are also having a field day; they are using tried-and-true tools and techniques to steal, spoof and otherwise abuse digital certificates.


"Criminals have been known to simply hack into a website that is already configured to use TLS and simply piggyback on their infrastructure," says Chester Wisniewski, principal research scientist at Sophos, a longstanding supplier of network security systems, based in Oxford, England. "Certificates are now being made freely available from Let's Encrypt, so there is less reason than in the past for threat actors to buy or steal certificates. Still, sometimes impersonating a legitimate, known certificate can assist with blending into the environment the threat actor wants to hide in."

Surge of encrypted attacks

The good news is that the cybersecurity community has begun to respond. Sophos moved into the advance guard today by launching a new version of its XG Firewall with an Xstream architecture that is specifically designed to reduce a company's exposure to malicious encrypted network traffic. The new firewall is capable of inspecting encrypted traffic and detecting encrypted attacks on the fly, without onerous performance penalties, Sophos says.

We're at an early stage of mitigating TLS-facilitated attacks. History tells us that the TLS gap will eventually narrow, but that's obviously going to take some time. This is a vast new tier of exposures, and legacy systems never get changed overnight. Inspection also comes with a cost that has nothing to do with throughput: the firewall terminates each TLS session and re-signs it with an enterprise CA that every endpoint must trust, which is why pinned applications break and why the inspecting device itself becomes a high-value target that must be hardened and monitored. Sophos's new XG Firewall is a good start on the improved technologies that are needed. But it's going to take more than tech advances; shifts in processes and security culture must be brought to bear as well. In the meantime, we may well be in for a long run of major network breaches aided and abetted, if not directly carried out, by encrypted attacks.

I had a terrific discussion about this with Wisniewski. Here are a few excerpts of that interview, edited for clarity and length:

LW: For context, can you outline the major moves and counter moves made by threat actors vs. companies over the past, say, 15 years?

Wisniewski: Early on, companies had basic perimeter firewalls blocking traffic from known bad IP addresses. To subvert those early firewalls, threat actors began distributing malware that caused an infected computer to call home to centralized command and control infrastructure. Then came next-gen firewalls, which were designed to inspect the content of traffic; the bad guys countered by employing high degrees of polymorphism. Then came real time sandbox inspection to detonate potential threats, which was countered by elaborate schemes to test and confirm that the delivered malware landed on a real computer, not a test bed.

LW: What were the key drivers behind the sharp overall rise in encrypted traffic in the past few years?

Wisniewski: I believe it was mostly driven by Edward Snowden's disclosures about the secret NSA PRISM project designed to spy on Internet communications, at scale. This drove privacy-concerned companies to take encryption more seriously, and it drove Google and others to more aggressively use their muscle to force the world to come along with what they wanted to do.

LW: To what extent do legacy TLS inspection tools fall short?

Wisniewski: Simply having a capability is very different from being able to effectively deploy it. Most solutions today are too slow and complicated for enterprises to seriously consider enabling. Quality solutions need to have as little impact as possible, as well as the flexibility to only inspect what is necessary.

LW: What's going to happen over the next couple of years?

Wisniewski: Clearly criminals will continue to use and abuse encryption to attempt to cover their tracks, conceal their thefts and hold our data hostage. While many companies have the technology to inspect TLS traffic, they often don't bother, as most products are complicated to deploy seamlessly in complex environments. With certificates being available at little to no cost, I imagine we will see a steady increase in TLS adoption by criminals, similar to what we saw for legitimate purposes in the years following Snowden's leaks.

LW: Assuming it remains true that there is no silver bullet, what does the way forward look like?

Wisniewski: As attacks continue to increase in sophistication, it is critical to have layers of defense and to compartmentalize information. This requires combining prevention with an eagle eye for detecting anything you might have missed. The ability to respond quickly and decisively is crucial. As always, this balancing act is forever changing, so having simple, reliable tools allows for the flexibility necessary to stay on top of the latest threats.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-why-new-tools-tactics-are-needed-to-mitigate-risks-introduced-by-widespread-encryption/


Malware and HTTPS a growing love affair – Naked Security

If you're a regular Naked Security reader, you'll know that we've been fans of HTTPS for years.

In fact, it's nearly nine years since we published an open letter to Facebook urging the social networking giant to adopt HTTPS everywhere.

HTTPS is short for HTTP Secure, and it means that your browser, which uses HTTP (Hypertext Transfer Protocol) for fetching web pages, doesn't simply hook up directly to a web server to exchange data.

Instead, the HTTP information that flows between your browser and the server is wrapped inside a data stream that is encrypted using TLS, which stands for Transport Layer Security.

In other words, your browser first sets up a secure connection to-and-from the server, and only then starts sending requests and receiving replies inside this secure data tunnel.

As a result, anyone in a position to snoop on your connection (another user in the coffee shop, for example, or the Wi-Fi router in the coffee shop, or the ISP that the coffee shop is connected to, or indeed almost anyone in the network path between you and the other end) just sees shredded cabbage instead of the information you're sending and receiving.

But why HTTPS everywhere?

Nine years ago, Facebook was already using HTTPS at the point where you logged in, thus keeping your username and password unsnoopable, and so were many other online services.

The theory was that it would be too slow to encrypt everything, because HTTPS adds a layer of encryption and decryption at each end, and therefore just encrypting the important stuff would be good enough.

We disagreed.

Even if you didn't have an account on the service you were visiting, and therefore never needed to log in, eavesdroppers could track what you looked at, and when.

As a result, they'd end up knowing an awful lot about you, just the sort of stuff, in fact, that makes phishing attacks more convincing and identity theft easier.

Even worse, without any encryption, eavesdroppers can not only see what youre looking at, but also tamper with some or all of your traffic, both outbound and inbound.

If you were downloading a new app, for example, they could sneakily modify the download in transit, and thereby infect you with malware.

Anyway, all those years ago, we were pleasantly surprised to find that many of the giant cloud companies of the day, including Facebook and others such as Google, seemed to agree with our disagreement.

The big players ended up switching all their web traffic from HTTP to HTTPS, even when you were uploading content that you intended to publish for the whole world to see anyway.

Fast forward to 2020, and you'll hardly see any HTTP-only websites left at all.

Search engines now rate unencrypted sites lower than encrypted equivalents, and browsers do their best to warn you away from sites that won't talk HTTPS.

Even the modest costs associated with acquiring the cryptographic certificates needed to convert your webserver from HTTP to HTTPS have dwindled to nothing.

These days, many hosting providers will set up encryption at no extra charge, and services such as Let's Encrypt will issue web certificates for free for web servers you've set up yourself.

HTTP is no longer a good look, even for simple websites that don't have user accounts, logins, passwords or any important secrets to keep.

Of course, HTTPS only protects the network traffic; it doesn't provide any sort of warranty for the truth, accuracy or correctness of what you ultimately see or download. An HTTPS server with malware on it, or with phishing pages, won't be prevented from committing cybercrimes by the presence of HTTPS. Nevertheless, we urge you to avoid websites that don't do HTTPS, if only to reduce the number of danger-points between the server and you. In an HTTP world, any and all downloads could be poisoned after they leave an otherwise safe site, a risk that HTTPS helps to minimise.

Sadly, whats good for the goose is good for the gander.

As you can probably imagine, the crooks are following where Google and Facebook led, by adopting HTTPS for their cybercriminality, too.

In fact, SophosLabs set out to measure just how much the crooks are adopting it, and over the past six months have kept track of the extent to which malware uses HTTPS.

Well, the results are out, and they make for interesting (and useful!) reading.

In this paper, we didn't look at how many download sites or phishing pages are now using HTTPS, but instead at how widely malware itself is using HTTPS encryption.

Ironically, perhaps, as fewer and fewer legitimate sites are left behind to talk plain old HTTP (usually done on TCP port 80), the more suspicious that traffic starts to look.

Indeed, the time might not be far off where blocking plain HTTP entirely at your firewall will be a reliable and unexceptionable way of improving cybersecurity.

The good news is that by comparing malware traffic via port 80 (usually allowed through firewalls and almost entirely used for HTTP connections) and port 443 (the TCP port that's commonly used for HTTPS traffic), SophosLabs found that the crooks are still behind the curve when it comes to HTTPS adoption.

The bad news is that they're already using HTTPS for nearly one-fourth of their malware-related traffic.
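The port-80-versus-443 comparison above, and the idea that plain HTTP is becoming rare enough to block outright, are both easy to measure on your own network before you trust a vendor's number. The block below is an added example written for this page, not SophosLabs' methodology or code: it parses a constructed, Zeek-style connection log (the IP addresses, the log lines and the "known bad" destination set are all made up for illustration, and the function names are assumptions), computes the HTTPS share of web-port traffic overall and for known-bad destinations only, and then lists which internal hosts still speak plain HTTP at all, which is the exception list you would review before a "block outbound port 80" rule goes in. It generalises the article's single comparison to any destination filter you care to supply.

```python
import csv
import io
from collections import Counter

# Constructed sample in Zeek conn.log style: not real traffic.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tservice
1581000001\t10.0.0.5\t93.184.216.34\t443\tssl
1581000002\t10.0.0.5\t198.51.100.7\t80\thttp
1581000003\t10.0.0.9\t203.0.113.20\t443\tssl
1581000004\t10.0.0.9\t203.0.113.20\t80\thttp
1581000005\t10.0.0.12\t198.51.100.7\t80\thttp
1581000006\t10.0.0.12\t203.0.113.40\t443\tssl
1581000007\t10.0.0.3\t192.0.2.99\t8443\tssl
1581000008\t10.0.0.5\t203.0.113.40\t443\tssl
"""

# Constructed threat-intel set: destinations treated as known C2 / malware hosts.
KNOWN_BAD = {"198.51.100.7", "203.0.113.20", "203.0.113.40"}

# Only the two standard web ports are compared, as in the SophosLabs figure;
# port 8443 and other non-standard ports are deliberately left out.
WEB_PORTS = {80: "http", 443: "https"}


def parse_conn_log(text):
    """Turn the tab-separated log into a list of dicts with typed port."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [
        {
            "src": row["id.orig_h"],
            "dst": row["id.resp_h"],
            "dport": int(row["id.resp_p"]),
            "service": row["service"],
        }
        for row in reader
    ]


def web_port_breakdown(rows, dst_filter=None):
    """Count connections on 80 vs 443, optionally restricted to a destination
    set (e.g. known-bad hosts, to see how much malware traffic is already TLS)."""
    counts = Counter({"http": 0, "https": 0})
    for r in rows:
        if r["dport"] in WEB_PORTS and (dst_filter is None or r["dst"] in dst_filter):
            counts[WEB_PORTS[r["dport"]]] += 1
    return counts


def https_share(rows, dst_filter=None):
    """Fraction of web-port connections that used 443; 0.0 if there were none."""
    counts = web_port_breakdown(rows, dst_filter)
    total = counts["http"] + counts["https"]
    return counts["https"] / total if total else 0.0


def plain_http_talkers(rows):
    """Internal hosts still making port-80 connections: review these before
    blocking outbound 80 at the firewall, because something will break."""
    return sorted({r["src"] for r in rows if r["dport"] == 80})


def suspicious_plain_http(rows, bad_dsts):
    """Port-80 connections to known-bad destinations: the cheap detections
    that plain HTTP still hands you while the crooks lag on HTTPS adoption."""
    return [(r["src"], r["dst"]) for r in rows if r["dport"] == 80 and r["dst"] in bad_dsts]


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print("HTTPS share, all web traffic:  %.2f" % https_share(rows))
    print("HTTPS share, known-bad hosts:  %.2f" % https_share(rows, KNOWN_BAD))
    print("Hosts still using plain HTTP:  %s" % ", ".join(plain_http_talkers(rows)))
    print("Plain-HTTP hits on bad hosts:  %s" % suspicious_plain_http(rows, KNOWN_BAD))
```

On real data, feed in a day of `conn.log` and run `https_share()` twice, once unfiltered and once with your blocklist or sandbox-derived C2 set; when the known-bad share approaches the legitimate share, the "just block port 80" shortcut has stopped buying you much and TLS inspection or JA3/SNI-based detection has to take over.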

Malware often uses standard-looking web connections for many reasons, including:


Cybersecurity Company, Sophos Unveils Xstream Version of its XG Firewall to Secure Encrypted Network Traffic – Technext

Sophos, a global leader in next-generation cybersecurity, today introduced a new Xstream architecture for Sophos XG Firewall with high-performance Transport Layer Security (TLS) traffic decryption capabilities.

This enables it to eliminate significant security risks associated with encrypted network traffic, which is often overlooked by security teams because of performance and complexity concerns.

XG Firewall now also features AI-enhanced threat analysis from SophosLabs and accelerated application performance.

Sophos today also published the SophosLabs Uncut article, "Nearly a Quarter of Malware now Communicates Using TLS", which explains how 23% of malware families use encrypted communication for Command and Control (C2) or installation.

The article details, for example, three common and ever-present Trojans, Trickbot, IcedID and Dridex, that leverage TLS during the course of their attacks. Cybercriminals also use TLS to hide their exploits, payloads and stolen content and to avoid detection.

In fact, 44% of prevalent information stealers use encryption to sneak hijacked data, including bank and financial account passwords and other sensitive credentials, out from under organizations.

As SophosLabs research demonstrates, cybercriminals are boldly embracing encryption in an attempt to bypass security products. Unfortunately, most firewalls lack scalable TLS crypto capabilities and are unable to inspect encrypted traffic without causing applications to break or degrading network performance.

With the new Xstream architecture in XG Firewall, Sophos is providing critical visibility into an enormous blind spot while eliminating frustrating latency and compatibility issues, with full support for the latest TLS 1.3 standard. Sophos' internal benchmark tests have clocked a two-fold performance boost in the new XG TLS inspection engine as compared to previous XG versions. This is a game-changer.

Latency too often deters IT admins from using decryption, as seen in an independent Sophos survey of 3,100 IT managers in 12 countries. The survey white paper, The Achilles Heel of Next-Gen Firewalls, reports that while 82% of respondents agreed TLS inspection is necessary, only 3.5% of organizations are decrypting their traffic to properly inspect it.

Inspection of TLS 1.3 to detect cloaked malware: New port-agnostic TLS engine doubles crypto operation performance over previous XG versions

Optimized critical application performance:New FastPath policy controls accelerate the performance of SD-WAN applications and traffic, including Voice over IP, SaaS and others, to up to wire speed

Adaptive traffic scanning: The newly enhanced Deep Packet Inspection (DPI) engine dynamically risk-assesses traffic streams and matches them to the appropriate threat scanning level, enhancing throughput by up to 33% across most network environments

Threat analysis with SophosLabs intelligence: Provides network administrators with the SophosLabs AI-enhanced threat analysis needed to understand and adjust defences to protect against a constantly changing threat landscape

Comprehensive cloud management and reporting in Sophos Central: Centralized management and reporting capabilities in Sophos Central provide customers with group firewall management and flexible cloud reporting across an entire estate without additional charge

Integration with Sophos Managed Threat Response (MTR) service: Customers of XG Firewall who also subscribe to the Sophos MTR Advanced service will have deeper actionable intelligence to prevent, detect and respond to threats, as a result of the integration
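Both the Naked Security piece above (which counts malware traffic by port 80 versus port 443) and the port-agnostic TLS engine in the feature list rest on the same observation: the destination port does not tell you what a flow actually is. The following is an added example written by the editor, not Sophos code and not the SophosLabs methodology. It reads the first client-to-server bytes of a flow, recognises a TLS ClientHello (extracting the SNI and the highest offered protocol version, ignoring GREASE values) or a plaintext HTTP request line, labels each flow by content rather than by port, flags flows whose port and content disagree, and computes the TLS share per malware family. The family names, hostnames, addresses and the flows themselves are constructed for the demo; the ClientHello bytes are built by a small helper rather than captured from real traffic.

```python
"""Classify flows by what their first bytes are, not by which port they use."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return {"version", "sni"} if data starts with a TLS ClientHello, else None.

    Truncated or malformed input yields None instead of raising, so the
    classifier can be run over arbitrary captured bytes.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        return None
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]                      # one handshake record
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:                                # version(2) + random(32) + sid_len(1)
        return None
    version = struct.unpack("!H", hs[0:2])[0]       # legacy_version; TLS 1.3 says 0x0303 here
    pos = 34
    pos += 1 + hs[pos]                              # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(hs):
        return None
    pos += 1 + hs[pos]                              # compression_methods
    sni = None
    if pos + 2 <= len(hs):                          # extensions block is optional
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + elen]
            pos += elen
            if etype == EXT_SNI and len(ext) >= 5 and ext[2] == 0:   # host_name entry
                (name_len,) = struct.unpack("!H", ext[3:5])
                sni = ext[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and ext:
                n = ext[0] // 2
                if len(ext) >= 1 + 2 * n:
                    offered = struct.unpack("!%dH" % n, ext[1:1 + 2 * n])
                    known = [v for v in offered if v in TLS_NAMES]   # drops GREASE values
                    if known:
                        version = max(known)        # real TLS 1.3 clients announce it here
    return {"version": TLS_NAMES.get(version, hex(version)), "sni": sni}


def classify_flow(port: int, data: bytes) -> dict:
    """Label a flow by content; the port is reported but never trusted."""
    hello = parse_client_hello(data)
    kind = "tls" if hello else ("http" if data.startswith(HTTP_METHODS) else "other")
    standard_port = {"http": 80, "tls": 443}
    mismatch = (kind in standard_port and standard_port[kind] != port) or \
               (port in (80, 443) and standard_port.get(kind) != port)
    return {"port": port, "kind": kind, "port_mismatch": mismatch,
            "sni": hello["sni"] if hello else None,
            "version": hello["version"] if hello else None}


def build_client_hello(sni: str, versions=(0x0304, 0x0303)) -> bytes:
    """Build a minimal ClientHello as constructed sample input (not real traffic)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = bytes([len(vers)]) + vers
    exts = (struct.pack("!HH", EXT_SNI, len(sni_ext)) + sni_ext
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_ext)) + sv_ext)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed sample: (hypothetical family, dst port, first client bytes)
SAMPLE_FLOWS = [
    ("FamilyA", 80, b"GET /gate.php?id=1 HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),
    ("FamilyA", 443, build_client_hello("cdn.example.net")),
    ("FamilyB", 8080, build_client_hello("update.example.org")),          # TLS off port 443
    ("FamilyB", 443, b"POST /upload HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),  # plaintext on 443
    ("FamilyC", 443, b"\x00\x01\x02custom"),                             # neither protocol
]


def summarize(flows):
    """Per-family TLS share by content, plus flows whose port misrepresents the protocol."""
    per_family, mismatches = {}, []
    for family, port, data in flows:
        c = classify_flow(port, data)
        n, tls = per_family.get(family, (0, 0))
        per_family[family] = (n + 1, tls + (c["kind"] == "tls"))
        if c["port_mismatch"]:
            mismatches.append((family, port, c["kind"]))
    return {f: round(t / n, 2) for f, (n, t) in per_family.items()}, mismatches


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

A port-based count would report FamilyB as half HTTPS by accident (one TLS flow on 8080 missed, one plaintext flow on 443 miscounted); content-based classification gets the same share for the right reasons and surfaces both mismatches for follow-up.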

"Sophos' new XG Firewall offers a wide array of enterprise-calibre features, with a growing installed base that is now one of the industry's most widely deployed next-generation firewalls," said Eric Parizo, senior analyst for enterprise IT strategy (according to Omdia, Enterprise Decision Maker, January 2020).

Results are not an endorsement of Sophos or SophosLabs. Any reliance on these results is at the third party's own risk. XG Firewall can win against industry competitors in large part because of Sophos Central, its SaaS-based, single-pane-of-glass management system for overseeing deployment, management, policy, updates and response, with optional log management and analytics.

This cloud management platform with the Firewall Management and Reporting feature, plus the TLS inspection, positions Sophos XG Firewall as a compelling option for a wide variety of organizations.

At Convergent Information Security Solutions, we are engaged in the management and monitoring of both perimeter and internal cybersecurity for our customers, and until now we were somewhat limited in our ability to monitor SSL/TLS encrypted data streams. Sophos XG Firewall helps us solve this problem efficiently and affordably with the new accelerated DPI engine in the latest version.

This, combined with new automatically-managed custom IPS rule sets, gives us much more visibility into encrypted traffic going through the network than we ever had before. This feature will immensely improve our customers' security and we consider this to be critical, based on how broadly cybercriminals are capitalizing on TLS encryption to cover up and carry out their attacks, Bruce Kneece concludes.

We're also aware of how fast cyberattacks are morphing. With the ability to scan for potentially dangerous files transported inside SSL/TLS tunnels, in addition to the zero-day detection engine of Sandstorm, we can provide better, faster customer protection, detection and service.

Sophos XG Firewall is available in the cloud-based Sophos Central platform alongside Sophos' entire portfolio of next-generation cybersecurity solutions. Sophos' unique Synchronized Security approach empowers these solutions to work together for real-time information sharing and threat response.


More here:
Cybersecurity Company, Sophos Unveils Xstream Version of its XG Firewall to Secure Encrypted Network Traffic - Technext

Encrypted messaging app Signal's ambition to become as famous as WhatsApp – PhoneArena

In this day and age, cybersecurity and privacy on the internet are becoming more and more prominent. A messaging app called Signal was once only for the cybersecurity nerds and some activists, as it offered end-to-end encryption and improved privacy protection with a very limited number of features. It is considered one of the world's most secure messaging apps for Android and iOS. Now it is aiming for its audience to change: it is trying to reach the masses. Cryptographer Moxie Marlinspike, Signal's creator, is working with WhatsApp cofounder Brian Acton, who left WhatsApp soon after the app was bought by Facebook. Acton has invested $50 million into Marlinspike's project in order to develop it further. It's important to note that WhatsApp used Signal's open-source encryption protocol for the end-to-end encryption of its messages.

In the beginning, Signal was a simple messaging app that relied on its security reputation to attract users; it had only a couple of simple features, such as messages and calls, but nothing more. However, the Signal Foundation's plans now seem to be changing, as it is bringing in more mainstream features such as group messaging, stickers and support for iPad, and is working on an option for encrypted contacts to be stored in the cloud, inaccessible to Signal's servers and thus available only to the user they belong to.

Brian Acton is actually the one responsible for Signal's ambitious growth plan. He says he is confident that the app can reach a much bigger audience in the next five years (it has now been downloaded 10 million times on Google Play, and a further 40% of the app's users are on iOS). "I'd like for Signal to reach billions of users. I know what it takes to do that. I did that," Acton told Wired magazine.

Overall, Signal's owners expect the secure messaging app to reach more users and become more user-friendly, so that its strong security and privacy-protecting features can be used by more people. After all, who wouldn't want what's private to remain private while enjoying all the features modern technology has to offer?

Read more:
Encrypted messaging app Signal's ambition to become as famous as WhatsApp - PhoneArena

Five lessons from the Justice Department's big debate over Section 230 – The Verge

Section 230 of the Communications Decency Act is widely criticized, widely praised, and widely misunderstood. The policy allows basically every major website, from YouTube to Wikipedia, to exist in its current form. Depending on who you ask, this is either a wonderful development or a complete disaster. That's made Section 230 a fixture of recent internet policy debates, particularly at the US Department of Justice, where there is a growing interest in changing the law.

The Justice Department publicly kicked off that process today, assembling three panels of experts to lay out reasons for changing or preserving Section 230. Attorney General Bill Barr emphasized that this wasn't a policy-making workshop, but the panels still hinted at which arguments the US government finds most compelling. And while this might sound like a low bar, they were actually arguments about the law, not the weird fantasy rules that dominate similar debates in Congress and the mainstream press. That made it an unusually vivid window into the way prosecutors and lawmakers think about Section 230 and how to change it.

Here are the five points that stood out the most.

Section 230 has been invoked for a lot of bad content: libel, shady gun sales, even defective dog collars. But today's workshop centered on three particularly ugly issues: non-consensual pornography, harassment, and child sexual abuse material.

The Justice Department panelists included lawyer Carrie Goldberg, who started a high-profile fight with Grindr over a horrific harassment campaign; University of Miami professor Mary Anne Franks, who helped draft the first revenge porn law; and Yiota Souras of the National Center for Missing and Exploited Children. All laid out, sometimes in graphic detail, ways that abusive partners and sexual predators have weaponized the web.

Some of the wonkier and less dramatic cases got short shrift. Panelists only briefly mentioned a brewing fight over how Section 230 covers online marketplaces, for instance, although it has huge implications for sites like Amazon and Airbnb.

The tight focus helped ground an abstract legal debate in human terms. At one point Souras objected to a flippant mention of "death by ten thousand duck-bites", a reference to websites being inundated with legal complaints under a weakened law. "We need to be careful with this terminology," she argued. "I know there is a business cost to that, but there is a person who has been harmed online behind every single one of those duck bites."

But we've seen heart-wrenching issues get cynically coopted to pass bad laws before. The FOSTA-SESTA rule, which cut Section 230 protections for prostitution-related material, was billed as a fight against human trafficking while glossing over its very real collateral damage among sex workers. Interestingly, FOSTA-SESTA's impact didn't get discussed extensively during the panels, although Souras said its passage has roughly correlated with a drop in child abuse material.

In a short opening speech, Attorney General Bill Barr called the Section 230 workshop an outgrowth of antitrust investigations into big tech companies. Not all of the concerns raised about online platforms clearly fall within antitrust, he explained, so Section 230 changes might fill in some regulatory gaps.

Panelists largely echoed that framing, focusing on how giants like Google or Facebook were failing at moderation. But they also periodically referenced the other end of the spectrum: small sites devoted to noxious content like revenge porn. These sites test the limits of Section 230. At best, they're encouraging abuse with a wink and a nod. At worst, they're actively participating in the abuse: Hunter Moore, who founded the infamous website Is Anyone Up, was convicted of hiring a hacker to get nude photos. As industry group Tech:NYC's founder Julie Samuels noted in one panel, these fall outside the normal Big Tech debate lines: just because you're small doesn't mean you're automatically good.

But beyond periodic complaints from Samuels and a few others, critics didn't really address the potential challenges for medium-sized sites like Reddit or Craigslist, which don't have the financial resources or lobbying power of Facebook or Google. "Section 230 is not just for Big Tech," argued Patrick Carome, who has defended a long list of Section 230 cases. If sites can only operate with armies of moderators or sophisticated automation, that's functionally an advantage for the biggest and wealthiest companies.

The Justice Department has tentatively supported a bill called the EARN IT Act, which many see as a Trojan horse for encryption bans. Today's workshop didn't allay that concern. Barr referenced how Section 230 might hurt efforts to combat "lawless spaces" online, warning that platforms could use the policy to lock out law enforcement. And Assistant Attorney General Beth Williams, who moderated a panel, specifically asked how encryption could hurt efforts to find child sexual abuse material. "There simply has to be a compromise in how encryption gets rolled out," responded Souras.

But the Justice Department has been asking for concessions on encryption for years, and it's still not clear what such a compromise might look like. In response to the same question, CCIA president Matt Schruers broadly expounded on balancing encryption with law enforcement access, but more as a general principle than a legal doctrine.

The vagueness isn't exactly surprising. The EARN IT Act doesn't even mention encryption, and even without that issue, there's plenty of disagreement on how to change Section 230.

A lot of big tech policy fights can be summarized as one big, clear demand. Pass a net neutrality law. Repeal mass surveillance rules. Stop a bad intellectual property bill.

But the Section 230 debate is harder to pin down. Should anybody be able to sue a website for hosting illegal content? Should state prosecutors just have more power? Do only certain kinds of websites get protections?

Neil Chilson, a fellow at the Charles Koch Institute, grouped reform proposals into two categories. One is a carveout approach that strips protection from certain categories of content, like FOSTA-SESTA did for sex work-related material. The other is a bargaining chip system that ties liability protection to meeting certain standards, like the EARN IT Act, which (as its name suggests) makes sites prove they're fighting child sex abuse.

These are vastly different visions for the internet, even before you define what the categories and standards are. It's easy to articulate a flat opposition to changes. But even some of Section 230's biggest proponents, like panelist and legal scholar Jeff Kosseff, are open to tweaking its language. The clearest rhetorical strategy might focus on what kind of terrible thing you want to scrub off the internet, however that's accomplished.

A handful of conservative politicians have promoted the notion that Section 230 should (or already does) require websites to be politically neutral platforms. Last year, Sen. Josh Hawley (R-MO) sponsored a proposal for making sites earn the approval of a government committee before getting liability protections, effectively turning tech policy into a cudgel to punish companies with opposing political views.

Thankfully, the Justice Department seems to have another approach in mind. This proposal earned one brief, slightly mocking aside during the nearly four-hour workshop. Barr complained that decreasing competition was hurting the diversity of political discourse, but he didn't tie that to Section 230 changes. Neither did panel moderators from the Justice Department. Policing Facebook's political slant might be a crowd-pleasing goal for politicians and pundits, but it simply wasn't a serious conversation topic. Neither was the popular misconception that Section 230 defines websites as "publishers" or "platforms" and polices them differently.

This created space to address more nuanced points. Barr, for example, tried to explain why the Justice Department cares so much about Section 230 reform despite the existing exemption for federal criminal prosecutions. ("Federal criminal prosecution is powerful, but necessarily, it's a limited tool that addresses only the most serious conduct, and civil liability can work hand in hand with it to offer more recourse for victims.") Several panelists asked for more evidence that Section 230 had actually incentivized good moderation, or whether, in Souras' words, that goal is "kind of aspirational."

You can reasonably disagree with these claims. But unlike a lot of the broadsides against Section 230, they're arguments that can actually be disputed, not just debunked as nonsense.

Read the original here:
Five lessons from the Justice Department's big debate over Section 230 - The Verge