Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

By Byron V. Acohido

It’s edifying what you can find shopping in the nether reaches of the dark web.

Related: Why government encryption backdoors should never be normalized.

Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

Specifically, the researchers found:

•A ready inventory of stolen SSL/TLS certificates, along with a range of related services and products, for sale, priced from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

•Extended validation certificates, packaged with services to support malicious websites, such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

•A vendor offering to issue certificates from reputable Certificate Authorities (CAs), along with forged company documentation, as part of a package of services enabling an attacker to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

This emerging black market for machine identities is but a mere starting point for cyber criminals who recognize a huge, unguarded exposure when they see one. Thus, threat actors have begun moving with alacrity to capitalize on it, before companies get around to protecting their exposed machine identity.

Repeated missteps

As a famous American sports hero once said, “It’s Déjà vu all over again.” In cobbling together our classic business networks, we did an imperfect job setting up privileged access for human users – and we continue to pay the price.  And yet, we are about to repeat the same missteps with respect to the over-privileging of non-human, or machine, identities.

Machine identities are what make hybrid business networks possible; they are nothing less than the key to stitching together emerging IoT- and 5G-centric systems. Think about the coming generation of smart homes, public venues, utilities and transportation systems. They will require an exploding number of APIs to connect each microservice, to each software container, to each orchestration tool, on up the software stack, to each new mobile app delivering each of our daily digital experiences.

In order to make all of this dynamic, high-velocity innovation possible, the number of highly privileged machine identities has begun to scale – dramatically. And yet, not nearly enough attention is being paid to the profound privacy and security implications.

I’ve had several invigorating conversations with Jeff Hudson, CEO of Venafi, about this.  The Salt Lake City, UT-based machine identity protection leader sponsored the dark web study. Hudson noted that the number of machine identities is rising exponentially, while the speed at which these machines operate is climbing, as well, asymptotically.

Thus, the monitoring, management and protection of machine identities must be ongoing and automated, he argued. For a full drill down on our most recent conversation, at RSA 2019, give a listen to the accompanying podcast. Below are a few excerpts edited for clarity and length:

LW: Can you give us a fix on where the security of machine identities stands today?

Hudson: There are all kinds of machine identities: certificate keys, API keys, code-signing keys. Machine identities are rampant; they’re everywhere. But we’re just getting started protecting machines. We spend $10 billion a year protecting human identities, but for the most part machine identities are out of sight and out of mind.

LW: Cyber criminals certainly seem to be aware of them.

Hudson: Yes, they are packaging machine identities with company names, addresses and phone numbers with so people can set up faked websites to get people to log on. Some of the faked websites we found are well-known brand names . . . So that’s it’s really important for organizations to keep track of what’s out there, representing their brand name because, and getting in the middle of their traffic.

LW: Can you walk us through an example?

Hudson: You can somebody to click on a website, using a falsified machine identity, and then download them some ransomware, or put keystroke stealer, or any kind of information harvesting malware . . . it’s a full package of how to go steal stuff, or lock up computers, or encrypt data and get ransom. Machine identities have become the foundation of these attacks, that’s how important they are.

LW: What’s the big concern, going forward?

Hudson:  The Government Accountability Office examined the Equifax breach. Their report stated that a machine identity expired, which caused the network surveillance to stop working, and this allowed intruders to get in without begin detected to find and exfiltrate 150 million records. At the end of the day the  CSO the CIO and the CEO all left the company.


This is not a unique occurrence; the vast majority of organizations struggle with machine identity protection. Something as simple as that (an expired certificate) is very important, because the bad guys are looking for that. Machine identities are foundational in our digital transformation, because everything that’s going onto the Internet is all built on machines. As a result, protecting machine identities is of paramount importance.

LW: What’s Venafi’s solution all about?

Hudson:  We provide visibility on all of your machine identities, anywhere they appear on the internet – anything that might look like you, give access to you or somehow represent themselves as being part of you. So, visibility is number one.

Then we provide tremendous intelligence around whether an identity is helpful or harmful. And the final thing is automation: machine numbers are exploding, so you have to automate, you can’t really put people into these processing loops. You need to automate. So that’s what we do; we provide visibility, intelligence and automation — in the form of a platform to help corporations protect their machine identities.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone