Earlier this week, a European security team published a technical paper (along with several tweets) titled Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels that shows how they were able to breach two common end-to-end email encryption methods, S/MIME (Secure/Multipurpose Internet Mail Extensions)and PGP (Pretty Good Privacy).
In response to the news, the Electronic Frontier Foundation urged anyone using either tool to stop doing so:
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels ... and temporarily stop sending and especially reading PGP-encrypted email.”
According to the Efail report, threat actors can intercept emails encrypted with PGP and S/MIME and inject malicious code into them, and that malicious code may be used to loot everything in the target’s inbox, so this vulnerability not only affects the email in question but also emails sent days, months and even years ago. In effect, this vulnerability creates a sort of tunnel that threatens to rob the contents of someone’s email without the target even being aware of it.
Several rumblings about the efficacy of these two legacy tools predate the Efail report. Back in 2015, Motherboard reported that the creator of PGP, Phil Zimmerman, hasn’t used PGP since 2010. In that same 2015 article, several other experts, including cryptographer and Johns Hopkins University professor Matthew Green said it’s time for PGP “to die.”
It’s frightening and frustrating whenever a security tool fails, but what does Efail—which has to do with humans using email—have in common with the challenge of machine identity management? Here are a few parallels that come to mind.
1. It reminds us how threat actors can use encryption to their advantage
Cryptographer Green describes Efail as “an extremely cool attack and kind of a masterpiece in exploiting bad crypto, combined with a whole lot of sloppiness on the part of mail client developers.” The researchers fortunately were good guys seeking to warn people about these flaws.
More often, however, the people (and their machines) who discover vulnerabilities in a system, standard or app seek to exploit those weaknesses and do harm. And they only need to be successful once via sophisticated technologies, great hacking skills or savvy use of social engineering to break into your network. To complicate matters further, when they do infiltrate, organizations often don’t know about the initial incursion until days or even months later.
Moreover, Efail is not the only example of encryption methods that may be exploited. A 2016 study by A10 Networks showed that 41% of cyberattacks leveraged encryption technologies to evade detection. And in 2017, Venafi conducted a survey of security professionals attending RSA Conference that showed that 23%of the 1,540 respondents “had no idea how much of their encrypted traffic was decrypted and inspected.”
2. It reminds us that machines, like people, are vulnerable to attacks
Organizations and individuals are vulnerable to attacks, which is why you hear so much about identity and access management (IAM) solutions, anti-phishing education and other security options that involve protecting human identity.
While the aforementioned challenges are undeniably important, organizations too often forget about the machine element of identity management, that need to protect your keys and certificates. And arguably, protecting machines may be more important than protecting people because of the sheer number of machines and their continued exponential growth.
Even small organizations have gone from managing several physical machines a couple of decades ago to thousands of physical and virtual machines, along with mobile devices, IoT devices, cloud services, containers, software emulating physical devices and other operating environments—all of which need certificates to authenticate their identities to the millions of other machines they communicate with.
Our white paper, The Machine Identity Crisis: How the explosion of machines is affecting the security of machine-to-machine communications, discusses the speed at which machines are multiplying relative to humans:
“While the population of humans is projected to grow at a Compound Annual Growth Rate (CAGR) of 1.1 percent, devices and applications will race forward at a CAGR of 10 percent. This rapid growth of machines will even outpace the growth in internet users, (CAGR of 7 percent). ... Overall, IP traffic is expected to grow at a CAGR of 24 percent from 2016 to 2021. Machine-to-machine connections will be the fastest-growing category of IP traffic, more than doubling between 2016 and 2021 to 13.7 billion connections in 2021.”
Even if your company could stop every one of your employees from succumbing to a phishing attack and deployed an IAM solution in place that ensured the principle of least privilege, automatically revoked employee credentials the moment they left the company and everything else you would want in this type of solution, you will be as vulnerable as someone using Windows XP if you haven’t deployed a comparable level of protection for your machines.
3. It reminds us about how hard it is to manage machine identities
We’ve discussed in this blog the many difficulties of securing machine identities. In addition to making sure all your machines have secure identities, you must ensure:
- You know the location of these certificates, especially when so many machines are ephemeral.
- You can make a proper inventory of all these certificates and keys.
- You need continuous intelligence to inform you when certificates are being misused
- You need to know what machine identities must be updated or discarded.
In other words, you need secure, reliable machine authentication to protect your machine-to-machine communications. Our white paper describes the situation best:
“Because machines are now used to control nearly every aspect of our global digital economy, the need to create, install, rapidly assess and ensure the integrity of communications between machines is critical and must be able to scale instantly. However, organizations simply do not have the technology or automation needed to accurately monitor and protect the vast number of machines identities businesses now support. Cybercriminals understand this and target machine identities for use in a wide range of cyberattacks.”
What other parallels come to mind when comparing Efail to machine identity management? Let us know in the comments or on Twitter!