Sitting alongside millions of legitimate websites, in the depths of the internet, lurks the 'dark web'. From guns and drugs to credit card details and malware, you can get your hands on anything there – for a price.
Research shows that it costs only £450 to buy a gun on the dark web, while a fake US passport and a counterfeit driving licence set you back £800. Hacking an email account costs only £100, and reports state that the targeting of emails around Hillary Clinton's 2016 presidential election campaign may have originated from the dark web.
Yet there is also a thriving black market for corporate data and information. An investigation conducted by the Cyber Security Research Institute (CSRI), on behalf of Venafi, found code signing certificates for sale at £900 ($1200) each; if these fall into the wrong hands, the implications for organisations can be serious. The big question is: how can businesses protect their assets from becoming yet another item for sale on illicit online marketplaces?
A backdoor into your systems
Code signing certificates are used to verify the authenticity and integrity of computer applications and software, and they make up a vital element of internet and business security. More importantly, code signing certificates help a user's device determine that software is authentic, by validating that the application and its developer have been correctly identified.
The same code signing certificate can be used across thousands of computers if they are all running the same piece of software, such as an email application. Imagine the dangers if a cybercriminal can use just one compromised code signing certificate to install malware on thousands of business networks and consumer devices. This makes code signing certificates both extremely valuable to hackers and their sale extremely serious for businesses failing to adequately protect them.
To put the 'value' of code signing certificates into perspective, for the same price as around 25 code signing certificates (£25,000), it is possible to hire an assassin.
Using code signing certificates is one way to construct a 'backdoor' into your applications and ultimately the device you are using to access those systems. A code signing certificate for a mobile operating system, for example, could allow a hacker to move through the various applications installed on your phone: the operating system trusts each of them because it has validated their identity by checking that their certificate is authentic. This can allow hackers to see everything happening on your laptop, mobile phone or even your smart heating system.
As well as being used to install malware onto business networks and consumers' devices, code signing certificates can also be used to perform man-in-the-middle attacks, allowing a hacker to siphon data from users.
Locking the backdoor
Thankfully there are ways to defend against fraudulent code signing certificates purchased on the Dark Web and protect against their dangers. Businesses can put procedures in place and use systems to ensure they are the first to know if their code signing certificates have been compromised, allowing them to resolve the situation with minimal impact.
The first step is for businesses to take control of their machine identities. With the rise of IoT and automation, organisations are relying more and more on machines to undertake tasks without the involvement of humans. But this comes with its own risks. There are many certificates used to validate the identities of machines, much as code signing certificates validate software, but often certificates, of all types, are not properly recorded and tracked.
Without insight into where code signing certificates are being used, businesses cannot truly know if they have control over the certificates. This requires accurate, up-to-date information about each machine identity, because it is impossible to protect something when you don't know where it is. This can often make the difference between a business noticing a hacker is using certificates to install malware, and a hacker going undetected for months, or even years.
But recognising where there are issues is not the whole process. Organisations must also be able to remediate if they find code signing certificates have been compromised. This means being able to regain control and ensure that the hacker is denied access to their systems from this point forward. It is only possible to mitigate effectively if you know where the compromised code signing certificates are being used, which makes monitoring them vital.
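The inventory-and-monitoring process described in the three paragraphs above, as an added example that is not part of the original article or of any Venafi product: a small audit that checks each recorded signing operation against an inventory of known code signing certificates and flags unknown certificates, revoked certificates still in use, and use from hosts the certificate owner never approved. The log format, the certificate fingerprints and the inventory are all constructed for the example.

```python
"""Inventory-driven audit of code signing activity (constructed example)."""
import re
from typing import Dict, List

# Constructed inventory: fingerprint -> owner, approved build hosts, revocation state.
# Real entries would hold full SHA-256 fingerprints of the certificates.
INVENTORY: Dict[str, dict] = {
    "AA11": {"owner": "release-team", "hosts": {"build01", "build02"}, "revoked": False},
    "BB22": {"owner": "mobile-team", "hosts": {"macbuild01"}, "revoked": True},
}

# Constructed sample log lines: one signing operation per line.
SAMPLE_LOG = """\
2018-02-01T10:00:00Z host=build01 cert=AA11 artifact=installer.exe
2018-02-01T10:05:00Z host=laptop-77 cert=AA11 artifact=updater.exe
2018-02-01T10:07:00Z host=macbuild01 cert=BB22 artifact=app.ipa
2018-02-01T10:09:00Z host=build02 cert=CC33 artifact=driver.sys
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) cert=(?P<cert>\S+) artifact=(?P<artifact>\S+)$"
)


def check_event(host: str, cert: str, artifact: str) -> List[str]:
    """Return the findings for one signing operation (empty list if it is expected)."""
    entry = INVENTORY.get(cert)
    if entry is None:
        # A certificate nobody recorded: exactly the blind spot the inventory is meant to close.
        return [f"UNKNOWN_CERT {cert} signed {artifact} on {host}"]
    findings = []
    if entry["revoked"]:
        findings.append(f"REVOKED_CERT {cert} ({entry['owner']}) still signing {artifact} on {host}")
    if host not in entry["hosts"]:
        findings.append(f"UNEXPECTED_HOST {cert} ({entry['owner']}) used from {host}, "
                        f"approved hosts: {sorted(entry['hosts'])}")
    return findings


def audit_log(text: str) -> List[str]:
    """Parse every log line and collect findings; malformed lines are reported, not skipped."""
    findings: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"UNPARSEABLE {line!r}")
            continue
        findings.extend(check_event(m["host"], m["cert"], m["artifact"]))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

The first sample line produces no finding because the certificate is known, not revoked, and used from an approved host; the remaining three each produce one.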
Can we trust the Internet?
With over 30bn devices expected to need keys and certificates by 2020 – a five-fold increase from 2015 – this market is likely to increase. The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt. It also points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates, protecting businesses and consumers alike.
Craig Stewart is VP EMEA of Venafi.