You would think that with all the money pouring into technology these days, we would figure out a way to stem the flood of hacking attempts, but it seems the tech bros are more focused on figuring out how replace humans with AI than keeping humans safe. And sadly, email compromises, and even more importantly, business email compromises are big business for cybercrime, so they are pouring just as much money, humans and AI into stealing their way into your email.
What this means for you
First off, you may be wondering how it is, with all the existing tools and money aimed at security, we can’t do a better job filtering out all the myriad of ways hackers keep inventing to steal our passwords, and why multi-factor doesn’t seem to make any difference in stopping them. Lately a popular method of getting access to your 2FA-protected accounts is by cloning the cookie that is created when you authenticate with your multifactor, and this is accomplished by sending you links from actual legitimate websites, like Docusign for example, where the authentication process is expected. Most people, even hardened internet warriors, aren’t trained to spot when an authentication request is “out of context” – in this case, using your Microsoft credentials to log into the Docusign website, and may also be thinking, “Even if this isn’t legit, I have 2FA so the password being stolen doesn’t matter.” Normally they would be right, but the hacker is actually counting on that 2FA prompt to print them out a fake ID that gets them past the bouncer who is only trained to check ID’s and not whether the holder presenting them is legitimate. That’s an oversimplification of what happens, but the point is that the process they use to fake you out is actually a legitimate service (and hence ignored or passed through by usual malware checks) and even the documents you might actually be granted access to are harmless, because it was all a distraction to mask the real crime of bypassing your multifactor and gaining access to your email account undetected. And from there, the mayhem begins.
How do you combat this? Aside from being ultravigilent and deeply cautious to the point of paranoia, this particular type of attack is difficult to defend against, especially for personal email accounts. As a company, there are services that can be implemented that can detect certain types of unauthorized access once they have already occurred, but as many of you probably realize, the horse is already out of the barn, and this is damage control, not prevention. This type of unauthorized access detection is only one layer of a multilayered approach to security that all companies should have to keep their employees and themselves safe.
When you sell as many computers as Dell does, all it takes is one small screw-up to create a security catastrophe. In this case, computers sold as far back as August of this year may have shipped with a compromised security certificate that could lead to a complete breach through a trivial exploitation of that certificate. So far, Dell has refused to disclose exactly which products are affected, but reports are confirming their Inspiron, XPS, Precision and Latitude lines are shipping with this problem. They are admitting that the problem exists, have published instructions on how to manually remove the compromised certificate, and will be releasing a software update to remove the certificate altogether. If you’ve purchased a Dell since Spring of this year, you should probably read on.
What this means for (some of) you:
In case the above didn’t contain enough technical jargon to convince you of how serious this is, let me unload on you: Dell shipped a slew of computers with a self-signed security certificate installed as a root trusted authority, and left the private encrpytion key on the devices. Even if you only understood part of that sentence, I’m betting you can intuit what publishing a private key does to the certificate. Yes, that’s right, it’s like sending everyone keys to your front door with your address printed on the key. Why this is a big deal is also fairly simple to explain. Because this key is essentially available for anyone to use, any reasonably proficient hacker could set up a fake hotspot at your local coffee shop, wait for a Dell computer to walk in, and then pretend to be Dell while unencrypting all of your network traffic. If that sounds bad, then you are picking up what I’m putting down. What do you do if you have an affected computer? Here are the instructions on manually removing the bad certificate, or wait for Dell to release a fix, which is schedule to arrive as of the time of this writing.
Full Disclosure: C2 Technology Partners, Inc. is a Dell Partner, meaning we sell Dell equipment and services, though after this particular goof, perhaps not as much as we had in the past.
Want to know more about security certificates? Here’s a reasonably straight-forward explanation of what they are and how they work.