
The Swift Erosion of Online Trust

By John P. Mello Jr.
Sep 13, 2011 5:00 AM PT

The break-in and theft of security certificates from a Dutch authority brought home, once again, how vulnerable Web browsers can be to hackers pretending to be who they're not.

The authority, DigiNotar, is one of many that issue security certificates for websites. The digital certificates tell a browser to "trust" content coming from a certain site. Certificates for such sites are preloaded into most browsers. If something goes awry at the certificate issuing authority, browser makers usually need to patch their products to address the problem. That can open a window of opportunity for certificate thieves.

What the hacker or hackers did in the DigiNotar case was break into the authority and issue certificates to themselves for popular websites, such as Google. Although the stolen certificates were quickly revoked, one managed to make it to the wild.

"That's the first time that's ever happened that we've known about," Seth Schoen, a senior staff technologist with the Electronic Frontier Foundation, told TechNewsWorld.

By using the certificate to set up a server and intercept traffic headed toward a legitimate website, the hacker was able to stage a classic man-in-the-middle attack.

"Someone in Iran was able to spy on hundreds of thousands of people's communications with Google," Schoen said.
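The article's point, that a fraudulently issued certificate is accepted by every browser that preloads the issuing authority's root, and that revoking the individual rogue certificate is not enough once one has escaped, can be made concrete with a small chain validator. The code below is an added illustration, not code from the article or from any browser or certificate authority. It models certificates as plain records and replaces real X.509 parsing and RSA/ECDSA signature checking with a simple key-identifier match; the CA names, hostnames and keys are all constructed. It shows three states of a trust store: the preloaded store (the rogue certificate validates), the store after the known rogue certificate is revoked (a second, unreported rogue certificate still validates), and the store after the vendor patch that distrusts the breached root outright (every certificate chaining to it fails).

```python
"""Toy chain validation: why a breached CA must be distrusted as a whole.

Constructed model only. Certificates are records, and the "signature" check
is a match on the signer's key identifier standing in for real signature
verification. All names and keys below are made up for the example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: str      # stand-in for the certificate's actual key bytes
    signed_by_key: str   # stand-in for "which key produced the signature"
    not_after: datetime

    def fingerprint(self) -> str:
        """SHA-256 over the record, the analogue of a certificate fingerprint."""
        blob = f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_after.isoformat()}"
        return hashlib.sha256(blob.encode()).hexdigest()


class TrustStore:
    """Preloaded roots plus the two blocklists a vendor update can push:
    revoked certificate fingerprints and wholly distrusted root subjects."""

    def __init__(self, roots, revoked=(), distrusted_roots=()):
        self.roots = {r.subject: r for r in roots}
        self.revoked = set(revoked)
        self.distrusted_roots = set(distrusted_roots)


def validate_chain(chain, store, hostname, now):
    """Validate leaf -> intermediates (root not included, as a server sends it).

    Returns (ok, reason). A rogue certificate issued for the right hostname by
    a still-trusted root passes every check here; only revocation of that exact
    certificate or distrust of its root stops it.
    """
    if not chain:
        return False, "empty chain"
    if chain[0].subject != hostname:
        return False, f"hostname mismatch: {chain[0].subject} != {hostname}"
    for cert in chain:
        if cert.not_after < now:
            return False, f"expired: {cert.subject}"
        if cert.fingerprint() in store.revoked:
            return False, f"revoked: {cert.subject}"
    # Each certificate must be issued and signed by the next one up the chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or child.signed_by_key != parent.public_key:
            return False, f"broken link: {child.subject} -> {parent.subject}"
    root = store.roots.get(chain[-1].issuer)
    if root is None:
        return False, f"untrusted root: {chain[-1].issuer}"
    if root.subject in store.distrusted_roots:
        return False, f"distrusted root: {root.subject}"
    if chain[-1].signed_by_key != root.public_key:
        return False, f"not signed by trusted root: {root.subject}"
    return True, "chain validates"


def demo():
    """Constructed scenario: one honest root, one breached root, two rogue leaves."""
    now = datetime(2011, 9, 1, tzinfo=timezone.utc)
    far = datetime(2013, 1, 1, tzinfo=timezone.utc)
    good_root = Cert("Good Root CA", "Good Root CA", "key-good-root", "key-good-root", far)
    bad_root = Cert("Breached Root CA", "Breached Root CA", "key-bad-root", "key-bad-root", far)
    site = Cert("mail.example.com", "Good Root CA", "key-site", "key-good-root", far)
    # Two rogue certificates for the same hostname; only the first gets noticed.
    rogue_known = Cert("mail.example.com", "Breached Root CA", "key-rogue-1", "key-bad-root", far)
    rogue_escaped = Cert("mail.example.com", "Breached Root CA", "key-rogue-2", "key-bad-root", far)

    preloaded = TrustStore([good_root, bad_root])
    after_revocation = TrustStore([good_root, bad_root], revoked=[rogue_known.fingerprint()])
    after_patch = TrustStore([good_root, bad_root], distrusted_roots=["Breached Root CA"])

    host = "mail.example.com"
    return {
        "preloaded": [validate_chain([c], preloaded, host, now)[0]
                      for c in (site, rogue_known, rogue_escaped)],
        "after_revocation": [validate_chain([c], after_revocation, host, now)[0]
                             for c in (site, rogue_known, rogue_escaped)],
        "after_patch": [validate_chain([c], after_patch, host, now)[0]
                        for c in (site, rogue_known, rogue_escaped)],
    }


if __name__ == "__main__":
    for state, results in demo().items():
        print(f"{state:17s} site={results[0]} rogue_known={results[1]} rogue_escaped={results[2]}")
```

The middle row of the output is the one that matters: with only the known rogue certificate revoked, the escaped one still validates, which is exactly the gap the article describes between revocation and the browser patch that removes the authority.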

Back in Time

"To my knowledge, it's the biggest man-in-the-middle attack that we've ever seen to date," Melih Abdulhayoglu, CEO of certificate authority Comodo, told TechNewsWorld.

In March, a certificate theft similar to the one at DigiNotar took place at some authorities associated with Comodo. In fact, a single hacker, whose handle is "Comodohacker," claimed responsibility for both smash-and-grabs. The purported motive behind the attacks was to punish opponents of the Iranian government and detractors of Islam.

There are several technological solutions in various stages of implementation that could have an impact on the theft of certificates, but Abdulhayoglu argued that the best solution doesn't involve technology at all.

The problem is that the certificate infrastructure connects to the Internet where it can be accessed by hackers, he explained. A gap must be created between the back end of the system, which issues certificates, and the front end, where entities apply for certificates.

That can be done, continued Abdulhayoglu, by disconnecting the system that issues certificates from any network device and issuing certificates manually by a person who could authenticate to whom the certificate is being issued.

"That's how it used to work in the early days," he said. "Then the whole industry automated it to make it cheaper, and now we're seeing the result of that."

Android Security Rapped

Both Kaspersky Lab and the Yankee Group issued reports last week critical of the security in the Google Android ecosystem. Kaspersky noted in its malware report for August that Android malware was growing as fast as the phones running it were selling.

"In early August 2010, the first-ever malicious program for the Android operating system was detected...," the cybersecurity software maker says in its report. "Today, threats designed for Android represent approximately 23 percent of the overall number of detected threats targeting mobile platforms."

Worse yet, the operating system is becoming a favorite of mobile marauders. In August alone, 85 percent of all smartphone threats were aimed at Android devices.

Just as the 9/11 weekend was about to kick off on Friday, hackers broke into the Twitter account of NBC News and posted a series of tweets declaring that first one passenger plane, then another crashed into Ground Zero in New York City. In less than 10 minutes, though, the intrusion was discovered and the offensive messages removed from the news organization's Twitter feed.

Sony Taps DHS Vet for CSO

Earlier this year, entertainment company Sony was victimized in one of the largest data breaches ever. Personal information from some 77 million users of its PlayStation network was snatched by hackers. Following the incident, Sony vowed to take the security of its systems more seriously. True to that vow, the company announced last week that it was bringing aboard Phil Reitinger as senior vice president and chief information security officer.

Reitinger is a high-profile name in the security community. A former high-ranking official in the U.S. Department of Homeland Security, where he served as Deputy Under Secretary of the National Protection and Programs Directorate (NPPD) and Director of the National Cyber Security Center (NCSC), his responsibilities included protecting the federal government's computer systems from domestic and foreign attacks. He has also done cybersecurity stints with the U.S. Defense and Justice departments, as well as with Microsoft.
