Bogus Google Certificate Exposes Broader Problem
How reliable is SSL encryption? Not very, when someone can obtain a false certificate and pass themselves off as Google. There are more than 1,500 master keys that can be used to create any digital certificate on the Internet, explained Sophos Security Advisor Chet Wisniewski. "That's a problem. It's why SSL is broken and can't be fixed."
Jan 7, 2013 7:00 AM PT
Google spotted an impostor certificate on Christmas Eve and took quick action, but the event is calling into question the reliability of Secure Socket Layer security.
Turktrust, a Turkish Web certificate authority, acknowledged it gave two entities the power to create certificates when it shouldn't have.
The result was unauthorized parties parading around the Internet pretending to be a Web heavyweight.
Google discovered the problem when its Chrome browser discovered a bogus certificate trying to pass itself off as Google. It was immediately blocked.
Google also notified Mozilla and Microsoft so those companies could program their browsers to block any certificates issued by the rogue companies.
Series of Problems
This certificate breach is just the latest in a series of compromises dating back months. It's another sign that the SSL certificate system needs to be overhauled, according to Sophos Security Advisor Chet Wisniewski.
There are more than 1,500 master keys that can be used to create any digital certificate on the Internet, he explained. "That's a problem," he told TechNewsWorld. "It's why SSL is broken and can't be fixed."
Open WiFi networks are particularly vulnerable to attacks that use bogus certificates, he observed. "If I have one of these certificates that say I'm Google, I can sit in Starbucks all day long and harvest Google credentials, read Gmail and see what's posted to Google+, and there's nothing to stop me," he explained.
There are a number of proposed measures that could address SSL's problems. They go by names like Public Key Pinning Extension for HTTP, Convergence, Trusted Assertions for Certificate Keys (TACK) and DNSSEC-TLS.
Some of those measures -- like DNSSEC -- could take years to implement, but others, like Pinning and TACK, could be rolled out quickly, Wisniewski asserted. "They could literally be implemented in a week."
First Casualty of Cyberwar
By now, many readers' eyes glaze over when they see the word prediction, but here's a prognostication we think is novel: 2013 will be the first year a cyberattack will end in a human death.
The prediction was made by Chiranjeev Bordoloi, CEO of Top Patch, a maker of peer-to-peer security patch management software.
Cyberattacks by nation-states on critical infrastructure will accelerate in 2013, Bordoloi said, and the result will be a human fatality.
It's a wonder that no one has died yet from cyberattacks on industrial systems. In 1982, for instance, a malicious Trojan planted in a natural gas pipeline in Siberia produced an explosion and fireball that could be seen from space.
"That explosion was three kilotons," Bordoloi told TechNewsWorld. "In comparison, the 9/11 explosion was 0.1 kilotons."
Fatalities from a cyberattack need not be from something as dramatic as an explosion, he continued. "If you shut down a power grid in the middle of a heat wave, human lives will be lost," he reasoned.
Bordoloi had some other frightening but less morbid predictions about 2013, including the following:
- Cellphones will be hijacked by hackers who won't relinquish control of the phone until a ransom is paid.
- Criminals will enter homes through smart TVs, primarily seeking to steal content stored on the devices.
- Rogue regimes will use cyber attacks to overthrow their governments.
- Bloggers will come under increased attack from hackers hoping to infect trusted readers with malware.
New Year's Resolutions for Android Owners
Since now's the time to make resolutions for the New Year, owners of Android smartphones may want to turn these security tips from Eset Security Researcher Cameron Camp into resolutions for the coming months:
- Add a password or PIN to your phone to protect the information in it.
- At least peruse the terms and conditions of an app before installing it. Even a quick look can reveal that the app intends to do things with the information on your phone that you don't want done with it.
- While it's convenient to automatically connect to networks with your smartphone, it can also be dangerous. You should resolve to be cautious about what nets you allow your phone to connect to.
- Stick to Google Play for your apps. While the security measures Google has installed in its online store may not be perfect, they will go a long way to insure that you don't download infected apps to your smartphone.
You may also want to consider installing a security app on your phone. "Users that rely exclusively on download-screening are failing to consider the potential malicious behaviors that could be embedded within an app, but do not necessarily qualify as malware," Tony Anscombe, a security evangelist at AVG Technologies told TechNewsWorld.
"An application itself could be completely void of harmful material, which would enable it to pass screening," he added, "but upon download, the app could link users to external websites containing phishing scams or other dangerous content, which would only be detected by third-party security software, if already installed on the device."
Data Breach Diary
- Jan. 3: Hospice of North Idaho becomes first health care organization to pay a settlement with the U.S. Department of Health & Human Services for a data breach affecting fewer than 500 people. The hospice paid the federal agency US$50,000 for a breach that occurred in June 2010 when a laptop was stolen containing unencrypted health information.
- Jan. 3: Omnicell, a provider of automated medication dispensing servcies, begins notifying some 56,000 patients of Sentara Healthcare in Virginia that the theft of one of its devices from an employee's locked car may result in the compromise of personal information, including medication usage and birth dates.
- Jan. 3: The Daily Yomiuri reports that a cyberattack on Japan's Ministry of Agriculture, Forestry and Fishery resulted in the theft of more than 3,000 pieces of information, including 20 top secret documents on sensitive trade negotiations related to the Trans-Pacific Partnership.
- Jan. 4: A spokesperson for South Carolina Credit Union League says in an interview that the group is unaware of any thefts at its institutions that can be attributed to a data breach at the state's Revenue Department that resulted in 74.7GB of taxpayer and business data being stolen. Since the breach, banks and credit unions in the state have launched a mutual assistance program to monitor for fraud and share warnings related to the incident.
Upcoming Security Events
- Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Registration: $650.
- Jan. 10: BYOD: The Trojan Horse On Your Belt Clip. Webinar sponsored by WatchGuard. 1 p.m. ET. Free.
- Jan. 17 Hack.me: There's A Vulnerable Web App for That. Black Hat Webcast sponsored by IBM. 1 p.m. ET. Free with registration.
- Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
- Feb. 24-25: BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
- Feb. 25-Mar. 1: RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: Jan. 25 and before, $1,895. After Jan. 25, $2,295.
- Mar. 12-15: Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, Euro 1,095 (US$1,447); through Feb. 28, Euro 1,295 (US$1,711); Mar. 1-15, Euro 1,495 ($US1,975).
- Apr. 23-25: Infosecurity Europe. Earls Court, London, UK.