Late last year, hackers seized control of a Brazilian bank's DNS hosting service, 36 domains and its corporate email - siphoning off details from customers who logged in to the legitimate-looking operations that were in fact being run by the hackers.
Kaspersky detailed the process in a blog post - and noted the homepage was showing a valid SSL certificate from Let's Encrypt, a free Certificate Authority. The heist highlights the dangers of improperly securing machine identities, a topic that has lately attracted heated debate in the web browser community, with both Google and Mozilla wading in to argue that Symantec's tranche of certificates is unsafe.
Put crudely, machine identities can be compared to usernames and passwords used by people - when machines communicate with one another, they rely on certificates that confirm each machine is trusted.
Computerworld UK reported in March that nearly a quarter of all public websites were still using certificates signed with the insecure SHA-1 hash, past the migration deadline and after Google researchers had proved it was possible to compromise them with a collision attack.
"You can't have security unless you have identity, and if you don't protect your identities, your identities aren't valuable," says Jeff Hudson, CEO of Venafi, a keys and certificates security business for private networks that counts many of the world's top banks as its customers.
According to Hudson, a lot of industries have started to wake up to the threats that come with not properly securing machine identities. But there are still many other businesses where certificates and keys are treated solely as a matter for network engineers to deal with.
He explains why, in Venafi's view, machine identity is a fundamental part of internet security: "We spend a lot of time, money, and energy protecting usernames and passwords and all the rotation stuff but we hardly spend any protecting machine identities. If you look at the number of people in the world it's kind of flat, but the number of machines is going through the roof."
Take the passport as an example: an expiration date is good security because every so often that identity has to be reconfirmed. Machine identities also have expiration dates, and as the number of machines grows exponentially so does the number of identities - but Hudson believes people are at risk of losing track of these.
"People create machine identities because they can, and what happens is that machine identity expires," he says. "You may have seen it when you go to a website - it says the certificate is expired. Do you want to proceed anyway? Most people do. You see that little thing and you click proceed anyway.
"On the other hand, if machines are talking and one expires, the machine won't respond anymore - they stop - and big systems break. The big wakeup call is somebody says a certificate expired and all of a sudden an airline doesn't fly for four hours. But that's not the problem, that's the symptom. A lot of people don't even know where these machine identities are: they couldn't keep track of where they were on the date, much less has it been forged? Has it been stolen? Is it about to be cracked like SHA-1, SHA-2?"