Pierluigi Paganini
February 03, 2012
No peace in the cyber space, day after day we read that the computer systems for major corporations and governments are compromised due repeated cyber attacks. This time it was the prestigious Verisign, a name that is our mind we link to the concept of “strong security”, but we are learning that the total security is just an utopia.
The company should defend user’s websites from attacks and form intercepting and hijacking of their traffic.
Once more the situation is really serious, a company that offers security services for authentication has been hacked repeatedly by hackers who stole undisclosed information from the internal infrastructure. After the Symantec case, another company that lives of security is victim of its business, that is the demonstration of how are dangerous the new cyber threats and how burdensome is their impact under an economic profile. The news of VeriSign attacks has been revealed in a quarterly U.S. Securities and Exchange Commission filing in October, but what is puzzling, in my opinion, is that the ex CIO Ken Silva, in charge during last three years until November 2010, said he had not learned of the intrusion until contacted by Reuters. Securities and Exchange Commission Form 10-Q has clarified that security staff has immediately responded to the attacks but has failed to alert top management until September 2011.
In written Senate testimony on Tuesday, U.S. Director of National Intelligence James Clapper called the known certificate breaches of 2011 “a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking.” Others have said SSL as a whole is no longer trustworthy and effective.
Since Q2 2010 Verisign Inc., the company who issued the SEC filing, is no longer associated with authentication or SSL certificates infact going through the product rebranding, Symantec actually owns and runs the authentication business.
Symantec Corp, which has kept the brand name on VeriSign products, immediately took the distances through a statement by the pokesman Nicole Kenyon :
“there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”
“Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing. Also, Verisign Inc., the company who issued the SEC filing, is no longer associated with authentication or SSL certificates.”
In the specific case several attacks have been successfully conducted against the Verisign, the first one occurred in 2010 according to a report by Reuters, at the Reston, Virginia based firm. The structure is responsible to reverifies the integrity of top-level domains including all .gov, .com and .net addresses and also it is one of the main provider for Secure Sockets Layer (SSL) authentication certificates, used by most financial sites to ensure the their legitimacy. VeriSign hold sensitive information of a huge quantity of customers, and also its registry services that dispense website addresses would also be a desirable target.
By now we’ve made a clear idea of how important are the certificates within a PKI infrastructure and why the Certification Authorities have been subject to constant attacks, at stake is more than the survival of a protocol like or a technology company, on these services infact is based most of the infrastructures of governments and worldwide leading institutions.
VeriSign’s official have declare “do not believe these attacks breached the servers that support our Domain Name System network”, but in light of what happened recently is normal to feed a lot of doubts about the statements provided.
The situation is embarrassing and dangerous, the systems of Verisign receive more than 50 billion queries daily and their responses are used by users to be addressed to sites that interest them, including government web site. The impairment of these mechanisms could lead to the redirection of requests to bogus sites with serious conseguences and not just this, the compromise of the model itself raises the risk of interception of emails and confidential documents that pass through channels of communication theory, sure.
Eloquent commentary by Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency.
“Oh my God” “That Could Allow people to imitate Almost any company on the Net”
“assume that it was a nation-state attack that is persistent, very difficult to eradicate and very difficult to put your hands around, so you can’t tell where they went undetected.”
Why steal a certificate or attack a Certification Authority?
Let’s try to answer:
Malware production – Installation for certain types of software could needs that its code is digitally signed with a trusted certificate. By stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happend for Stuxnet virus.
Economic Frauds – digital signature give a warranty on who signed a document and you can decide if you trust the person or company who signed the file and if you trust the organization who issued the certificate. If a digital certificate is stolen we will suffer of an identity theft, let’s imagine which could be the implication.
Some bot, like happened for the banking with Zeus malware, could be deployed to steal steal site certificates so that they can fool web browsers into thinking that a phishing site is a legitimate bank web site.
Cyber warfare – Criminals or governments could use the stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly tampered and intercepted. That is for example what occurred in the DigiNotar case … companies like Facebook, Google and also agencies like CIA, MI6 were targeted in Dutch government certificate hack.
We expect hard times …
Pierluigi Paganini
References
http://www.huffingtonpost.com/2012/02/02/verisign-hack_n_1249275.html
