
Real life data: Microsoft may have closed its door on Flame malware; 99% of companies at risk

Venafi, protecting certificates for the global top 2000, has analysed the magnitude of Flame and has found that 99 percent of the world’s top corporations and governments still have this door wide open to hackers.

A digital certificate is a digital ID that is used for two fundamental purposes. Certificates authenticate one machine to another and they encrypt the traffic that flows between the two machines. They are the security backbone of almost everything that happens on the Internet and within organisations.

In the case of Flame, the malware took advantage of and cracked a weak, outdated, known-to-be-useless algorithm (MD5) used in a digital certificate. Once the certificate was compromised, the bad guys were able to open doors to the networks they targeted.

Until organisations find and replace all of the MD5 certificates on their networks, which are virtual open doors, they are going to continue to be hit with this emerging type of certificate-based attack.

Venafi’s Head of Europe Calum MacLeod explained: “We have seen a growing wave of attacks that compromise certificates as a fundamental strategy. First Stuxnet, DuQu, the CA compromises - Comodo, StartSSL, DigiNotar and now Flame prove that this is going to continue. This is just the beginning or the tip of the iceberg – choose your analogy. The reason that it continues is that people are asleep at the wheel and do not manage their certificates. Why would anyone use MD5? Because they don’t understand the critical nature of certificates and their responsibility to manage them accordingly.”

Through Flame, which got the best of one of the most visible high-tech companies, Microsoft, the world now knows that certificates using MD5 are available to be compromised and remanufactured as fraudulent certificates. Microsoft closed the door it had opened by using MD5-based certificates. The rest of the world still has the open door and Microsoft can’t fix that. No one can, except for the organisation that has MD5 certificates on its network. Venafi’s research has shown for a fact that 99 percent of the world’s top corporations and governments have this door wide open to hackers.

Venafi analysed the networks of over 450 Global 2000 organisations and discovered that 17.4 percent of certificates are signed with unsafe, hackable MD5 algorithms. Certificates exactly like the ones compromised as part of the Flame malware are used everywhere in organisations worldwide today and are vulnerable to the same compromise. If the bad guys want access, and you have MD5, they can have access.

Every MD5 certificate on a network is an open door. Organisations need to find and replace them immediately, otherwise they will be breached. It’s that simple.

“I often wonder why something so fundamental as knowing which certificates are active on the network, understanding their attributes, and managing the keys associated with the certificates is not a top priority - especially when managing these instruments radically reduces the vulnerability,” said MacLeod. “This isn’t hypothetical, the compromise and threat has happened time and again. Maybe because managing things like certificates isn’t nearly as sexy as having the latest APT detection and amazing firewalls?”