The Internet Storm Center has an interesting diary entry today. Maarten van Horenbeeck discusses targeted malware that scans the compromised host for encryption keys and also includes a key logger to retrieve passphrases.

This is scary stuff; when an attacker is able to obtain both the secret key and the passphrase, non-repudiation cannot be guaranteed anymore. If this kind of malware spreads widely, it might even undermine the--rather minimal--level of trust that currently exists on the internet. After all, if an attacker can go after secret keys, they can also go after SSL certificates (most of which are not even password-protected, so the need for a key logger is not even there).

Now, an attacker who is able to obtain an SSL certificate can pull off an invisible man-in-the-middle attack. While not easy to do, the precedents are there: many intrusion detection/prevention systems contain copies of SSL certs to do in-line inspection of traffic traveling over SSL connections. This might just take it one step further.

How do we prepare for this kind of stuff?

  1. Keep your private keys and your SSL certificates on a smart card or some other kind of device that 'does stuff' for you. I've seen those cards, I've used them, and they work.
  2. Use effective antivirus and keep it current.
  3. Patch your systems.
  4. Educate your users.
  5. Harden your systems to keep the bad guys out. If they can't compromise your machine, they can't get to the data.
  6. For PGP keys, make sure that you have a revocation certificate offline in a secure location.
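
Item 1 and the remark above that most SSL private keys are not password-protected suggest a simple first check: find out which private keys on a host sit on disk without any passphrase protection. The script below is an added example (not from the diary or this post); it classifies PEM blocks by label and headers only, never parsing key material, and the sample PEM texts are constructed placeholders, not real keys.

```python
import re
from pathlib import Path

# Classify PEM private keys by whether the file itself is passphrase-protected.
# Only PEM labels and headers are inspected, so this runs offline on any host.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

def classify_pem(text: str) -> list[tuple[str, str]]:
    """Return (label, status) per private-key block; status is encrypted/plaintext/unknown."""
    results = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if "PRIVATE KEY" not in label:
            continue                            # certificates, CSRs, public keys
        if label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted"                # PKCS#8 with password-based wrapping
        elif label == "PRIVATE KEY":
            status = "plaintext"                # PKCS#8, no wrapping at all
        elif "Proc-Type: 4,ENCRYPTED" in body:
            status = "encrypted"                # legacy PEM, DEK-Info headers present
        elif label in ("RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"):
            status = "plaintext"                # legacy PEM without encryption headers
        else:
            status = "unknown"                  # e.g. OPENSSH PRIVATE KEY needs a real parser
        results.append((label, status))
    return results

def find_plaintext_keys(root: Path, patterns=("*.pem", "*.key")) -> list[Path]:
    """Walk `root` and return files holding at least one unprotected private key."""
    hits = []
    for pattern in patterns:
        for p in root.rglob(pattern):
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue                        # unreadable file: skip, do not crash
            if any(status == "plaintext" for _, status in classify_pem(text)):
                hits.append(p)
    return sorted(hits)

# Constructed samples; the base64 bodies are placeholders, not real keys.
PLAINTEXT_RSA = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_RSA = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                 "MIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBO...\n-----END ENCRYPTED PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIICljCC...\n-----END CERTIFICATE-----\n"
```

Run `find_plaintext_keys(Path("/etc/ssl/private"))` (or wherever your web server keeps its keys) to get the list of files that a key-stealing trojan could use without ever needing a key logger.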

Identification is harder; when a private key is stolen and a passphrase is intercepted, the first sign of bad behavior you will most likely see is complaints arriving at your abuse address. If you're brave, you can use custom IDS signatures to scan for parts of your passphrase, but that very quickly becomes near-impossible to do.

To contain a breach, immediately revoke the passwords of all users on the affected boxes, revoke your keys (you did keep a revocation certificate offline, did you not?), and check other machines for compromise and revoke all involved passwords, certificates and keys. If you are in business, you probably want to notify your business partners too.

To eradicate the problem, you will have to remove all malware from the machine, change the passwords of all of the machine's users (remember the key logger), and harden the machine even more. Most likely, you're better off doing a full rebuild.

Recovery will be hard; generating new keys and new certificates will be the easy part, but regaining the trust of your business partners will be much harder.

June 15, 2015: Updated for formatting