Where Angels Fear to Tread
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
The average large enterprise (>2,000 employees) spends $16.7 million annually on security software and salaries of the cybersecurity professionals who maintain it while the global cost of cyber-crime damage continues to climb, with estimates of six trillion dollars by 2021, doubling the three trillion in damages incurred in 2015.
A casual observer might conclude that our current technologies aren't working and that the ability of the cybersecurity profession to protect businesses isn't improving. That observation would be correct, yet we continue to pour money and energy down the same sinkhole, expecting somehow that we will get a different outcome.
Unless and until we recreate the entire IT infrastructure model into some form of a trustworthy execution environment with embedded native integrity-verification, the outcome will simply continue to get worse.
Recent examples of our porous infrastructure core provide strong evidence in support of that thesis.
Researchers at Fidelis released a framework last week for a covert channel for data exchange using the Transport Layer Security (TLS) protocol – as a proof-of-concept for TLS exploitation techniques. In other words, they just proved that a hacker could use the most widely deployed communications security protocol in use today to create C2 (Command & Control) communication and data exfiltration that would go completely unnoticed by modern network perimeter defense technologies.
TLS has been the predominant and ubiquitous network perimeter protection since virtually the beginning of modern Internet commerce: it provides privacy and data integrity between two communicating applications (such as a web browser and an online application) that need to exchange data securely over a network, whether for file transfers, VPN connections, instant messaging or voice over IP.
This covert channel leverages the TLS handshake, during which public key certificates are exchanged. The technique neither requires nor establishes a TLS session; instead, the exchange is carried out while the two parties are negotiating the handshake, using a standard X.509 certificate extension. To modern network monitoring and inspection technologies, the exchange looks banal.
The TLS X.509 certificates have many fields where strings can be stored, and the Fidelis team used one of them to hide the data transfer. That field is never discovered because the security technologies that inspect certificates for anomalies would have to be looking specifically for that data, and they don’t. Since the certificate exchange happens before the TLS session is established, it appears on inspection that a data transfer never occurred, when in reality the data was transferred within the certificate exchange itself.
According to Fidelis, they were able to store 60 kilobytes of data in each TLS X.509 exchange, demonstrating that a hacker could establish this channel and perform rapid certificate negotiations to transfer large – really large – amounts of data, such as credit card data, social security numbers and scores of other sensitive PII.
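As an added detection-side example (not code from the article or from Fidelis), the following Python walks the DER-encoded extensions block of a certificate and flags any extension whose OID is not on an allow-list or whose value exceeds a size ceiling, which is exactly the kind of inspection the text says current tools do not perform. The allow-list, the 4 KB ceiling, the private-arc OID and the sample extensions are assumptions constructed for illustration.

```python
# Added example (not from the article or Fidelis); allow-list, ceiling and sample below are assumptions.
def der_encode(tag: int, value: bytes) -> bytes:
    """One DER TLV with a definite (short- or long-form) length."""
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def der_decode(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at pos -> (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_encode(dotted: str) -> bytes:
    """DER content octets of a dotted OID: first two arcs merged, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return bytes(out)

# Assumed allow-list of leaf-certificate extension OIDs and an assumed value ceiling (article: 60 KB/exchange).
KNOWN_OIDS = {oid_encode(o) for o in ("2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.37")}
MAX_EXT_BYTES = 4096

def extension(oid: str, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }, 'critical' omitted."""
    return der_encode(0x30, der_encode(0x06, oid_encode(oid)) + der_encode(0x04, value))

def suspicious_extensions(exts_der: bytes) -> list[str]:
    """One finding per extension whose OID is unknown or whose value is oversized."""
    findings, (_, body, _), pos = [], der_decode(exts_der, 0), 0
    while pos < len(body):
        _, ext, pos = der_decode(body, pos)
        _, oid, p = der_decode(ext, 0)
        if ext[p] == 0x01:  # optional 'critical' BOOLEAN sits between OID and value
            _, _, p = der_decode(ext, p)
        _, value, _ = der_decode(ext, p)
        flag = "unknown OID" if oid not in KNOWN_OIDS else "oversized value"
        if oid not in KNOWN_OIDS or len(value) > MAX_EXT_BYTES:
            findings.append(f"{flag}: extension {oid.hex()} carries {len(value)} bytes")
    return findings

# Constructed sample: a normal basicConstraints next to a private-arc extension padded to 60 000 bytes.
SAMPLE_EXTS = der_encode(0x30, extension("2.5.29.19", der_encode(0x30, b""))
                         + extension("1.3.6.1.4.1.99999.1", bytes(60000)))
```

Running `suspicious_extensions(SAMPLE_EXTS)` reports only the padded private-arc extension; a real deployment would run the same check over the certificates seen in every ClientHello/ServerHello on the wire.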
So, in essence, the Fidelis team just created and published a framework that demonstrates how the communications security protocol standard (along with Secure Sockets Layer, SSL) that we all use to transmit private communications via the Internet can be easily exploited.
This comes on the heels of the discovery of similar DNS tunneling exploits, the sudden exposure of every computing device on the planet to "Meltdown" and "Spectre" vulnerabilities and the cybersecurity research project at the University of Michigan that demonstrated how a manufacturing line worker could embed a hardware back-door into a chip by adding a single component to the mask during fabrication.
In summary, we have discovered in the past few months that the backbone of all of our Internet communications, both commercial and consumer, is flawed and exploitable; that the DNS service we all use for email and web browsing can be tunneled to steal account data; and that the microchips every one of our computing devices, including our smartphones, depends on can easily be compromised at the hardware level to enable malware penetration into everything.
All of this is the digital equivalent of discovering that our roads can no longer safely support automobile or truck traffic, our airports can no longer safely land a plane and our cars, trucks and planes are no longer safe to operate. Yet we continue to drive and fly with abandon.
Next up? IoT and self-driving cars, driver’s licenses on smartphones and wearables linked to our networks through mobile devices, data manipulation instead of theft, extortionware instead of ransomware, fully Internet-dependent autonomous systems, a gold-rush toward the digitalization of businesses, robotics, more smartphones, more data, more network traffic, more complexity – all dependent upon a defenseless non-secure infrastructure with a porous core.
If we keep doing this, it is a certainty that more Equifax-class attacks will continue to happen, at a greater frequency and with increasingly severe consequences. In addition, since our government agencies are not exempt (they of course also use Intel processors, DNS and TLS), we will continue to see increased state-sponsored cyber-attacks at the Federal and State levels as well.
China and many other foreign governments are far along in developing advanced biometric, exascale supercomputing, and quantum capabilities that are transforming not just their digital infrastructure but their manufacturing, communications and production systems, while creating an absolute threat to our national security and positioning our adversaries to undermine the entire U.S. economy at the same time.
It’s as if our definition of sanity is to disregard the chaos that is life and pretend instead that only an infinitesimal segment of it is reality.
Cyber Security Professional
6 years ago
I'm just waiting for the first reports of ransomware on people's personal items... cars, HVACs, refrigerators, toasters, etc. Too many people are too quick to adopt IoT devices without considering the adverse impact they could have.