Late last year, hackers seized control of a Brazilian bank's DNS hosting service, 36 domains and its corporate email – siphoning off details from customers who logged in to the legitimate-looking operations that were in fact being run by the hackers.
Kaspersky detailed the process in a blog post – and noted the homepage was showing a valid SSL certificate from Let's Encrypt, a free Certificate Authority. The heist highlights the dangers of improperly securing machine identities, a topic that has lately attracted vigorous debate in the web browser community, where both Google and Mozilla have weighed in to argue that a large tranche of Symantec-issued certificates is unsafe.
Put crudely, machine identities can be compared to usernames and passwords used by people – when machines communicate with one another, they rely on certificates that confirm each machine is trusted.
Computerworld UK reported in March that nearly a quarter of all public websites were still using certificates signed with the insecure SHA-1 algorithm, past the migration deadline and after Google researchers had proved it was possible to compromise them with a practical collision attack.
"You can't have security unless you have identity, and if you don't protect your identities, your identities aren't valuable," says Jeff Hudson, CEO of Venafi, a keys and certificates security business for private networks that counts many of the world's top banks as its customers.
According to Hudson, a lot of industries have started to wake up to the threats that come with not properly securing machine identities. But in many other businesses, certificates and keys are still treated purely as an operational matter for network engineers to handle.
He explains why, in Venafi's view, machine identity is a fundamental part of internet security: "We spend a lot of time, money, and energy protecting usernames and passwords and all the rotation stuff but we hardly spend any protecting machine identities. If you look at the number of people in the world it's kind of flat, but the number of machines is going through the roof."
Take the passport as an example: an expiration date is good security because every so often that identity has to be reconfirmed. Machine identities also have expiration dates, and as the number of machines grows exponentially so does the number of identities – but Hudson believes people are at risk of losing track of them.
"People create machine identities because they can, and what happens is that machine identity expires," he says. "You may have seen it when you go to a website – it says the certificate is expired. Do you want to proceed anyway? Most people do. You see that little thing and you click proceed anyway.
"On the other hand, if machines are talking and one expires, the machine won't respond anymore – they stop – and big systems break. The big wakeup call is somebody says a certificate expired and all of a sudden an airline doesn't fly for four hours. But that's not the problem, that's the symptom. A lot of people don't even know where these machine identities are: they couldn't keep track of where they were on the date, much less has it been forged? Has it been stolen? Is it about to be cracked like SHA-1, SHA-2?
"Twenty-five percent of the world's certificates today still use SHA-1 and we know that these things are vulnerable. People just don't know."
Symantec first issued a statement of confidence in its certificates and has since published its messages to customers about its ongoing meetings with Google to address the latter's proposals. The company said that Google's initial proposal, a maximum nine-month validity period for newly issued certificates, could cause significant business disruption to customers, but that talks are ongoing.
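The problems raised above (certificates nobody is tracking until one expires, SHA-1 signatures still in service, and a policy cap on validity such as the nine-month maximum proposed to Symantec) are all things a certificate inventory can check mechanically. The following is an added example, not code from the article, from Venafi or from any vendor: a small DER walker that pulls the validity window and signature-algorithm OID out of an X.509 certificate, then scores each certificate in an inventory against a policy. The OIDs are the standard ones for the named algorithms; the hostnames, scan date and certificates are constructed for the demo (a tiny encoder builds structurally valid certificate shells with dummy key and signature bits), and the 274-day cap is my stand-in for "nine months", an assumption rather than any published policy. The parser reads only the fields the check needs and does not verify signatures or chains.

```python
import datetime as dt
UTC = dt.timezone.utc
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}   # SHA-1 based signatures to flag

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                                # split a SEQUENCE/SET body into (tag, value) items
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        items.append((tag, inner))
    return items

def decode_oid(raw):                                    # OBJECT IDENTIFIER body -> "1.2.840.113549.1.1.5"
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                             # a clear high bit ends the arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_time(tag, value):
    """UTCTime (0x17): two-digit year with the RFC 5280 pivot at 1950. GeneralizedTime (0x18): four digits."""
    text = value.decode("ascii")
    yy = int(text[:2])
    year, rest = ((1900 + yy if yy >= 50 else 2000 + yy), text[2:]) if tag == 0x17 else (int(text[:4]), text[4:])
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=UTC)

def inspect_certificate(der_bytes):
    """Extract the validity window and signature algorithm from a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(der_bytes)
    (_, tbs), (_, sig_alg), _ = der_children(cert)      # tbsCertificate, signatureAlgorithm, signatureValue
    fields = der_children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0                # skip the explicit [0] version when present
    not_before, not_after = (parse_time(t, v) for t, v in der_children(fields[i + 3][1]))  # validity
    sig_oid = decode_oid(der_children(sig_alg)[0][1])
    return {"not_before": not_before, "not_after": not_after, "sig_oid": sig_oid,
            "sig_alg": SIG_ALGS.get(sig_oid, sig_oid)}

def assess_certificate(der_bytes, now, warn_days=30, max_validity_days=274):
    """Inventory record plus policy findings; 274 days is an assumed stand-in for a nine-month cap."""
    info = inspect_certificate(der_bytes)
    findings = ["weak-signature:" + info["sig_alg"]] if info["sig_oid"] in WEAK_SIG_OIDS else []
    if now >= info["not_after"]:
        findings.append("expired")
    elif info["not_after"] - now < dt.timedelta(days=warn_days):
        findings.append("expiring-soon")
    if info["not_after"] - info["not_before"] > dt.timedelta(days=max_validity_days):
        findings.append("validity-exceeds-policy")
    info["findings"] = findings
    return info

def scan_inventory(inventory, now):                     # host -> findings; an empty list passes policy
    return {host: assess_certificate(cert, now)["findings"] for host, cert in inventory.items()}

# --- constructed sample data: a tiny DER encoder builds throwaway certificates for the demo ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        while arc := arc >> 7:                          # continuation bytes carry the higher 7-bit groups
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
        out += chunk
    return bytes(out)

def build_sample_cert(cn, sig_oid, not_before, not_after):
    """CONSTRUCTED: structurally valid X.509 v3 shell with a dummy RSA key and dummy signature bits."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, encode_oid("2.5.4.3")) + der(0x0C, cn.encode("utf-8")))))
    utc_time = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    spki = der(0x30, der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b"")) + der(0x03, bytes(17)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + der(0x30, utc_time(not_before) + utc_time(not_after)) + name + spki)
    return der(0x30, tbs + alg + der(0x03, bytes(33)))

SCAN_DATE = dt.datetime(2017, 5, 1, tzinfo=UTC)         # constructed scan date
SAMPLE_INVENTORY = {host: build_sample_cert(host, oid, SCAN_DATE - dt.timedelta(days=age), SCAN_DATE + dt.timedelta(days=left))
                    for host, oid, age, left in [("legacy-payments.example.test", "1.2.840.113549.1.1.5", 700, 200),  # SHA-1, long-lived
                                                 ("www.example.test", "1.2.840.113549.1.1.11", 100, 12),   # expires in 12 days
                                                 ("api.example.test", "1.2.840.113549.1.1.11", 400, -3),   # expired 3 days ago
                                                 ("mail.example.test", "1.2.840.113549.1.1.11", 60, 180)]}  # passes policy
```

Calling `scan_inventory(SAMPLE_INVENTORY, SCAN_DATE)` maps each host to its findings: the SHA-1 certificate is flagged for both its signature and its 900-day lifetime, the web certificate as expiring within 30 days, the API certificate as already expired, and the mail certificate passes. To run it against real material, feed `assess_certificate` the DER bytes of a certificate (for a PEM file, base64-decode the text between the BEGIN and END lines) together with the current time; the long-form length handling in `der_read` is what lets it cope with real certificate sizes.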
"Symantec issues machine identities and we've all agreed there's a policy it needs to follow to keep them safe," says Hudson. "Google, which arguably knows more about the internet than anybody, has said: ‘you know those 35,000 machine identities you created? They're not safe and we're not going to trust them anymore.’
"Google has said those are really important but they're no good and we're not going to trust them – that is huge. Now, all of a sudden, somebody that really knows a lot about how the world works is saying these things are really important, and they went after the world's largest creator of certificates and said, ‘don't do that anymore, in fact, we're not even going to trust those because you haven't been following the policy’."
"Every large corporation will have to sneak around inside their organisation and see where all the certificates are that don't conform to policy, and not trust them," Hudson says. "Google is leading the way, we all have to pay attention to that."
But according to Hudson, there are plenty of CISOs in both small and large organisations that aren't paying attention to machine identity.
Yet this problem is only set to be compounded by the twin trends of the emerging internet of things and the exponential growth of on-demand, software-defined compute. The vast new networks of virtual machines being created will also create vast new networks of machine identities, and the IoT is spawning its own enormous networks, sometimes without security as a first consideration.
Hudson explains: "If you look at the infrastructure that creates virtual machines and containers, that is code. You push a button and these machines run off and create other machines, so the speed at which new things get created and the numbers at which they get created in the virtual world – I'm talking about software that runs on AWS or Azure or an internal data centre – boom, you can create 10,000 machines.
"You used to have to get the purchasing guy, do the budgeting, get the money, and six months later a computer warehouse would deliver a server. You had all that time to get ready to secure it. Now, within minutes you can get 10,000 servers running. The speed at which machines are being created, software defined machines and virtual machines, is just like nothing anybody had ever thought about. The opportunity for chaos to explode is huge, and we see it happening."