Malware

SPOTLIGHT ON SECURITY

Malware Munches on Mitsubishi, and Certificates Can Lie

In the wake of repeated hacker attacks on defense contractors in the United States comes news that the systems of Mitsubishi Heavy Industries, Japan’s biggest defense contractor, have been breached.

Mitsubishi’s submarine, missile and nuclear power plant component factories were reportedly targeted by the attackers.

Meanwhile, the security community is warning that digital certificates can’t be trusted following the revelation earlier this month that Dutch certificate authority DigiNotar had several certificates compromised.

The discovery came when Google learned that some users of its encrypted services in Iran were targeted by an attacker using a fake DigiNotar certificate.

The ripple effect from the DigiNotar hack continues.

A hacker in Iran calling himself “ComodoHacker” has claimed that he can issue fake Windows updates, a statement that drew an emphatic denial from Microsoft.

Still, some security experts are now expressing concern that the widely used public key infrastructure, which lies at the heart of digital certificates, may not be secure enough.

Little Things May Mean a Lot

About 80 computers were reportedly infected with at least eight different kinds of malware in the attack on Mitsubishi.

The infected computers are reportedly located at the company’s headquarters in Tokyo and manufacturing and research and development sites in Kobe, Nagasaki and Nagoya.

The Kobe site reportedly builds submarines and makes components for nuclear power stations, the Nagasaki site makes escort ships, and the Nagoya plant makes guided missiles and rocket engines.

Mitsubishi has also been working closely with Boeing, but it’s not yet clear whether that association was one of the factors that played into the attack.

Are Digital Certs Just Empty Claims?

In the wake of the DigiNotar attack, Iranian hacker ComodoHacker has claimed that he owns about 300 code signing certificates and “a lot” of SSL certificates with code-signing permission. He also claimed to be able to issue fake Windows updates.

However, those claims are false, Jerry Bryant, group manager of trustworthy computing at Microsoft, told TechNewsWorld.

“Windows Update is not at risk from fraudulent certificates, as the update client will only install binaries signed by our own root certificate authority certificate,” Bryant explained.

That’s backed up by Don DeBolt, director of threat research at Total Defense.

“Based on publicly available information, I believe ComodoHacker can issue fraudulent certificates, but not manipulate the Windows Update process as he claims,” DeBolt told TechNewsWorld.

However, in security, “there is no such thing as 100 percent secure,” DeBolt warned.

If the Windows update client code can be tricked somehow into believing update packages are signed by the Microsoft Root Certificate Authority when they’re not, then attackers could install their own software through Windows update, DeBolt suggested.

PKI May Not Be Enough

In cryptography, public key infrastructure (PKI) is an arrangement that binds public keys with specific user identities through certificate authorities.

PKI is based on public key cryptography, which requires two separate keys to decrypt a message and access its contents.

Either the encryption or decryption key is publicly available, while the other isn’t, and you can’t deduce either key if you have the other.

PKI is the underlying technology for Internet standards such as Transport Layer Security, which is the successor to the Secure Sockets Layer (SSL); Pretty Good Privacy (PGP); and Gnu Privacy Guard (GPG), a GPL-licensed alternative to PGP.

Flaws in PKI, therefore, will reverberate through the Internet.

“For all the infrastructure advantages and business benefits of PKI, it doesn’t actually deliver the security most people assumes it provides,” Mark Yakabuski, a vice president at SafeNet, told TechNewsWorld.

“As many recent breaches have proven, most IT security personnel overlook the fact that their keys are protected in softwarel, and this leaves them vulnerable,” Yakabuski explained.

Digital certificates signed by a certificate authority are at the heart of PKI and, if the certificate’s compromised, the entire PKI environment’s compromised, Yakabuski said.

IT should add hardware security modules to protect certificate private keys, Yakabuski recommended.

1 Comment

  • Since I don’t have much room I’ll have to be brief:

    From the article I wasn’t clear on what you were proposing the weakness in PKI was. From what I’ve read here and elsewhere it seems that the problem is in key access control, the security of the signing facilities and time required to revoke compromised keys. For things like web certs vetting of the applicant is also critical. But nothing actually wrong with the PKI mechanism itself.

    I use PKI to allow access to VPNs. But I usually keep the signing computer on a separate network or disconnected, using sneaker-net to get certs signed. The root signing key has to be guarded like Fort Knox!

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Malware

Technewsworld Channels