Posts Tagged ‘ cybersecurity ’

Hackers Forge Certificates to Break into Spy Agencies

Sep 5th, 2011 | By | Category: News

By Andreas Udo de Haes, webwereld.nl-    Sep 4, 2011 11:33 pm

 

After breaching the Dutch CA (Certification Authority) DigiNotar, Iranian hackers managed to sign forged certificates for the domains of spy agencies CIA, Mossad and MI6. Leading certification authorities like VeriSign and Thawte were also targeted, as were Iranian dissident sites.

 

The cyber attack on DigiNotar, a Dutch subsidiary of VASCO Data Security International Inc, is much more serious than previously thought. In July, hackers gained access to the network and infrastructure of several of DigiNotar’s CAs. Once inside, they generated hundreds of forged certificates for third-party domains.

With these certificates hackers can potentially syphon off user login credentials by spoofing a legitimate site, complete with a functioning but forged SSL-certificate, apparently issued by DigiNotar.

The forged certificates match domains of the U.S. Central Intelligence Agency, the Israeli secret service Mossad, and the British spy agency MI6. On top of that, the hackers created false certificates of other CA’s like VeriSign and Thawte, in an attempt to also misuse their trusted position in securing Internet communications.

Vulnerable Domains Revealed

The partial list of domains with forged certificates was published on Saturday by Gervase Markham, programmer at Mozilla. Sources close to the investigation into the DigiNotar hack have confirmed to Webwereld that the list is authentic. Chrome engineer Adam Langley also told Webwereld Google has the same list.

Later, the Dutch public broadcaster NOS published the full list of over fifty domains for which false certificates were issued. Among them are Google, Yahoo, Microsoft and Skype, as well as numerous sites popular among Iranian dissidents. The cyber attackers even created fake certificates with messages praising the Iranian Revolutionary Guard, NOS reported.

It’s still unknown how successful the hackers have been in harvesting logins and spying on e-mail and chat messages. Most certificates have either elapsed or were revoked after DigiNotar discovered the breach in mid July.

Chris Soghoian, security and privacy researcher at Indiana University and Graduate Fellow at the Center for Applied Cybersecurity Research, said the list is a “very interesting set of sites.” However, he’s skeptical that the hackers could have penetrated into the networks of the spy agencies with the forged certificates.

“Actually I think the secret service domains are the least alarming part. It’s sexy, and will probably lead to a lot of questions and interest from government agencies. Of course, nobody wants to get caught with their pants down, but there’s really no classified information on these domains. Those are on separate, secured internal networks. So the practical security impact of the Iranian government getting a certificate for the CIA is nill. It’s really just very embarrassing, that’s all,” said Soghoian in an interview with Webwereld.

Still, the cyber hack at DigiNotar has a very high profile. “What is alarming is that they forged certificates for other CA’s, like VeriSign and Thawte. But the most problematic are sites like Google and Facebook. And also Walla, which is one the biggest mail providers in Israel.” Through forged SSL certificates of these sites the Iranian regime would be able to syphon the accounts and online communications of countless people, explained Soghoian.

Sites Block Access

Google has already updated its Chrome browser so it blocks access to any site which uses a DigiNotar certificate. Mozilla and Microsoft are expected to issue patches for their browsers soon. The Microsoft Security Response team tweeted earlier: “We’re in the process of moving all DigiNotar CAs to the Untrusted Root Store which will deny access to any website using DigiNotar CAs.”

This means hundreds of Dutch government sites will become inaccessible by browsers over the coming days if the agencies don’t switch to another certificate issuer in time.

Last week, Dutch security company Fox-IT carried out a forensic examination of the cyber hack at DigiNotar. The preliminary results prompted the government in The Hague to go into crisis mode, putting in effect an immediate stop to any DigiNotar services, and taking over the operational management of the DigiNotar Certification Authority.

The report on this investigation will be sent to the Parliament and made public on Monday.

DigiNotar did not respond to a request to comment on this story.

 



Obama administration moves forward with “Unique Internet ID” for all Americans

Jan 10th, 2011 | By | Category: News

The Obama administration is drafting a paper called the “National Strategy for Trusted Identities”, which investigates ways that web users can protect their online identities.

But Commerce Secretary Gary Locke was quick to reassure people that it wasn’t a guise for more big brother government.

Posted by Declan McCullagh (This story originally appeared on CNET)

STANFORD, Calif. – President Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans, a White House official said here today.

It’s “the absolute perfect spot in the U.S. government” to centralize efforts toward creating an “identity ecosystem” for the Internet, White House Cybersecurity Coordinator Howard Schmidt said.

That news, first reported by CNET, effectively pushes the department to the forefront of the issue, beating out other potential candidates including the National Security Agency and the Department of Homeland Security. The move also is likely to please privacy and civil liberties groups that have raised concerns in the past over the dual roles of police and intelligence agencies.

The announcement came at an event today at the Stanford Institute for Economic Policy Research, where U.S. Commerce Secretary Gary Locke and Schmidt spoke.

The Obama administration is currently drafting what it’s calling the National Strategy for Trusted Identities in Cyberspace, which Locke said will be released by the president in the next few months. (An early version was publicly released last summer.)

“We are not talking about a national ID card,” Locke said at the Stanford event. “We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”

The Commerce Department will be setting up a national program office to work on this project, Locke said.

Details about the “trusted identity” project are unusually scarce. Last year’s announcement referenced a possible forthcoming smart card or digital certificate that would prove that online users are who they say they are. These digital IDs would be offered to consumers by online vendors for financial transactions.

Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. “I don’t have to get a credential if I don’t want to,” he said. There’s no chance that “a centralized database will emerge,” and “we need the private sector to lead the implementation of this,” he said.

Inter-agency rivalries to claim authority over cybersecurity have exited ever since many responsibilities were centralized in the Department of Homeland Security as part of its creation nine years ago. Three years ago, proposals were were circulating in Washington to transfer authority to the secretive NSA, which is part of the U.S. Defense Department.

In March 2009, Rod Beckstrom, director of Homeland Security’s National Cybersecurity Center, resigned through a letter that gave a rare public glimpse into the competition for budgetary dollars and cybersecurity authority. Beckstrom said at the time that the NSA “effectively controls DHS cyber efforts through detailees, technology insertions,” and has proposed moving some functions to the agency’s Fort Meade, Md., headquarters.