The NSA has announced a major flaw in Windows 10, so what is the big deal, and what does it mean for you and your organisation?
This week's notification by the National Security Agency (NSA) that it has discovered a major flaw in Windows 10, one that could have been used by hackers to create malicious software, is an almost unprecedented development.
The problem exists in a core Windows component known as crypt32.dll, the library through which software developers access cryptographic functions such as the handling of digital certificates, including those used to sign software. Digital certificates and their keys can be, and are, misused for malicious purposes, and together they make up a public key infrastructure (PKI) that touches every single device and user.
Since PKI's inception in 1978 by Ralph Merkle and its global adoption as a cybersecurity framework throughout the 1990s, nobody could have predicted the sheer magnitude and complexity of, and the critical reliance of technology and communication on, digital certificates and keys. To give some idea of scale, billions of certificates are in use every day, and that number changes constantly as certificates are issued, expire and are revoked. Certificates cannot be ignored, least of all those that have expired, as the Equifax and O2 cases below show.
The flaw in Windows 10 may have been exploited over the past few months: in each and every case listed here, it was only when a breach occurred or a service was lost that the problem came to light.
We cannot assume that hackers with malicious intent have not already exploited the flaw highlighted by the NSA. In fact it is highly likely that they have, as the report on Equifax below shows: cyber criminals are constantly sending queries and probing for vulnerabilities.
At the end of 2019 the congressional report on the 2017 theft of 148 million individuals' data from Equifax was published. It confirmed that an expired certificate on an SSL Visibility Appliance was to blame for the breach going undetected and unmanaged.
The report said: "Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknown to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic."
It was only by chance, some 19 months later, when overdue security housekeeping was being undertaken and a certificate was renewed, that the breach was revealed.
The Equifax breach, like the Starwood and Marriott breach that went on for four years, was discovered by good fortune rather than good management, and the same could be, and most probably is, going on right now in many organisations, completely unbeknown to them.
Another example is the well-publicised Ericsson outage that took down mobile service for millions of customers of O2, SoftBank and others. What each of these incidents confirms is that none of these organisations had their PKI well managed, and it is only a matter of time before another service outage or breach occurs unless they undertake a full audit and greatly improve their PKI management.
In each case, an expired certificate led to a catastrophic failure that cost the company greatly in terms of reputation, customer trust and hard dollars. In each case, an automatic system to discover, track and renew certificates would have prevented the problem.
The critical point on all PKI-related issues is that, before any of these problems occurred, the organisation in question had no warning or foresight that it had a vulnerability. Equally, given the sheer volume of certificates, it is only a matter of time before a similar incident occurs. A lack of visibility of an organisation's PKI leaves it playing a game of chance, often with high costs to remediate and fines to pay; the stakes could not be higher.
Digital certificates provide authentication and security; poorly managed, however, they are ticking time bombs ready to take down critical applications without warning. Every enterprise must ask itself which critical systems may be due for a similarly disastrous outage today or tomorrow, before they become headline news for dropping service or, even worse, enabling a breach.
No one knows how long this flaw has been open (five minutes is too long), and with the patch only now available, it is not unreasonable to assume that some malicious activity has taken place. The course of action we highly recommend is to scan your enterprise and your PKI, identify all certificates and keys, and remediate as required.
A zero-trust, agile PKI is critical to your organisation's security and to preventing service outages and breaches. Incidents such as this Windows 10 flaw certainly highlight the issue.
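As an added example of the scan recommended above (it is not the article's or CIP's own code), the Go program below builds a constructed certificate that expired 19 months earlier, as the Equifax appliance's had, classifies it as a certificate inventory would, and then runs it through the same X.509 path validation a TLS inspection device performs. The host name, dates and the 30-day warning window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Classify is the check an inventory runs on every certificate it discovers.
func Classify(cert *x509.Certificate, now time.Time, warn time.Duration) string {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "EXPIRED" // validation fails from this moment on
	}
	if now.Add(warn).After(cert.NotAfter) {
		return "EXPIRING" // NotAfter lies inside the warning window: renew now
	}
	return "VALID"
}

// VerifyAt runs X.509 path validation at a chosen time, as a TLS inspection appliance would.
func VerifyAt(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// selfSigned builds a constructed self-signed certificate for the demo; no real host is contacted.
func selfSigned(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() { // hypothetical host name; expired 19 months ago, as the Equifax appliance's was
	now := time.Date(2020, 1, 15, 0, 0, 0, 0, time.UTC)
	cert, _ := selfSigned("ssl-visibility.example", now.AddDate(-3, 0, 0), now.AddDate(0, -19, 0))
	fmt.Println(Classify(cert, now, 30*24*time.Hour), "/", VerifyAt(cert, now))
}
```

An expired certificate fails validation with no alert of its own, which is why the inventory check has to run before the expiry date, not after.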
CIP are delighted to provide Whitethorn® to fully scan and provide assurance across your entire enterprise.
Andrew.jenkinson@cybersecip.com