The break-in and theft of security certificates from a Dutch authority brought home, once again, how vulnerable Web browsers can be to hackers pretending to be who they’re not.
The authority, DigiNotar, is one of many that issue security certificates for websites. The digital certificates tell a browser to “trust” content coming from a certain site. Certificates for such sites are preloaded into most browsers. If something goes awry at the certificate issuing authority, browser makers usually need to patch their products to address the problem. That can open a window of opportunity for certificate thieves.
What the hacker or hackers did in the DigiNotar case was break into the authority and issue certificates to themselves for popular websites, such as Google. Although the stolen certificates were quickly revoked, one managed to make it to the wild.
“That’s the first time that’s ever happened that we’ve known about,” Seth Schoen a senior staff technologist with the Electronic Frontier Foundation, told TechNewsWorld.
By using the certificate to set up a server and intercept traffic headed toward a legitimate website, the hacker was able to stage a classic man-in-the-middle attack.
“Someone in Iran was able to spy on hundreds of thousands of people’s communications with Google,” Schoen said.
Back in Time
“To my knowledge, it’s the biggest man-in-the-middle attack that we’ve ever seen to date,” Melih Abdulhayoglu, CEO of certificate authority Comodo, told TechNewsWorld.
In March, a certificate theft similar to the one at DigiNotar took place at some authorities associated with Comodo. In fact, a single hacker, whose handle is “Comodohacker,” claimed responsibility for both smash-and-grabs. The purported motive behind the attacks was to punish opponents of the Iranian government and detractors of Islam.
There are several technological solutions in various stages of implementation that could have an impact on the theft of certificates, but Abdulhayoglu argued that the best solution doesn’t involve technology at all.
The problem is that the certificate infrastructure connects to the Internet where it can be accessed by hackers, he explained. A gap must be created between the back end of the system, which issues certificates, and the front end, where entities apply for certificates.
That can be done, continued Abdulhayoglu, by disconnecting the system that issues certificates from any network device and issuing certificates manually by a person who could authenticate to whom the certificate is being issued.
“That’s how it used to work in the early days,” he said. “Then the whole industry automated it to make it cheaper, and now we’re seeing the result of that.”
Android Security Rapped
Both the Kasperksy Lab and the Yankee Group issued reports last week critical of the security in the Google Android ecosystem. Kaspersky noted in its malware report for August that Android malware was growing as fast as the phones running it were selling.
“In early August 2010, the first-ever malicious program for the Android operating system was detected…,” the cybersecurity software maker says in its report. “Today, threats designed for Android represent approximately 23 percent of the overall number of detected threats targeting mobile platforms.”
Worse yet, the operating system is becoming a favorite of mobile marauders. In August alone, 85 percent of all smartphone threats were aimed at Android devices.
Another problem in Android Land is piracy. More than a quarter (27 percent) of developers participating in a Yankee/Skyhook survey saw piracy as a huge problem, and another 26 percent saw it as “somewhat of a problem.” Worse yet, more than half the developers (53 percent) felt Google was contributing to the problem with its lax Android Market policies.
Hackers Celebrate 9/11
Thankfully, commemorative ceremonies for the 10th anniversary of the terrorist attacks on New York City and Washington, D.C., were held without a hitch last weekend. While things were copacetic in the real world, it was less so in the virtual realm.
Just as the 9/11 weekend was about to kick off on Friday, hackers broke into the Twitter account of NBC News and posted a series of tweets declaring that first one passenger plane, then another crashed into Ground Zero in New York City. In less than 10 minutes, though, the intrusion was discovered and the offensive messages removed from the news organization’s Twitter feed.
Sony Taps DHS Vet for CSO
Earlier this year, entertainment company Sony was victimized in one of the largest data breaches ever. Personal information from some 77 million users of its PlayStation network was snatched by hackers. Following the incident, Sony vowed to take the security of its systems more seriously. True to that vow, the company announced last week that it was bringing aboard Phil Reitinger as senior vice president and chief information security officer.
Reitinger is a high-profile name in the security community. A former high-ranking official in the U.S. Department of Homeland Security, where he served as Deputy Under Secretary of the National Protection and Programs Directorate (NPPD) and Director of the National Cyber Security Center (NCSC), his responsibilities included protecting the federal government’s computer systems from domestic and foreign attacks. He has also done cybersecurity stints with the U.S. Defense and Justice deparments, as well as with Microsoft.