Commentary
9/9/2011
03:29 PM
DigiNotar Attack A Reminder To Focus On Basics

Sure, it's a big, scary world right now, but IT leaders need to stay focused on comprehensive security programs.

There's a lot of angst about the DigiNotar certificate authority breach, and how the incident may signal the End Of The Web As We Know It. Should IT leaders run for the hills, making sure they have enough guns and ammo? Having worked in private sector information security for a number of years, I formed my own conclusions and then, in the glorious tradition of security practitioners, asked other current experts to knock holes in my theories and offer their own. Here's the scoop.

First, some background. DigiNotar, a Dutch certificate authority (similar to GoDaddy and Verisign), was breached by an attacker some months ago. Users of Google's services found false SSL certificates, meaning that a user could be presented with a fake google.com site and the browser would still give a thumbs up via the "secure, trusted connection" icon. An ensuing investigation found that, naturally, the intruder had issued even more fake certificates, for high-profile organizations such as Mossad and MI-6.

While IT leaders don't necessarily need all the gory details of how the attack happened, it's helpful to review how SSL is supposed to work, and how the attacker likely subverted it. When an SSL session begins, the browser gets a digital certificate from the site. That certificate has a public key to start an encrypted session, much like SSH. But unlike SSH, which asks the user "should I trust the endpoint?", public key infrastructure automates the trust.

That certificate is signed by the certificate authority, and that signature is what makes it trusted. For many CAs, the CA's own certificate (with its public key) is built into the browser's certificate store, so it's easy for the browser to verify that signature.

MSNBC said yesterday that cracked digital certificates endanger the "web of trust." But is there a web of trust? Not according to Mike Fratto, editor of InformationWeek's sister site NWC.com and a long-time security expert. "This is not PGP," Fratto says. "A PKI is a tree and all trust runs down a single path from the root to the leaf. A website certificate isn't trusted if it is poorly formatted, doesn't have a public key, the signing CA or self-signed cert isn't already known, the name is different from the URL, or the browser date is outside the validity period." But web of trust? Not so much.

So how did the attack happen? Well, the attacker couldn't hack a site's existing certificate (like one for bankofamerica.com) because the certificate authority doesn't have the site's private key. But after compromising a trusted CA like DigiNotar, the attacker could create a new certificate for that site. That still doesn't seem to do any good--the DNS isn't pointing toward that site, is it?

According to Michael A. Davis, CEO of Savid Technologies and author of "Hacking Exposed," someone who hacks a CA could easily take the following steps:

-- Create a new private/public key for a website (such as the aforementioned bankofamerica.com), and use the CA's own tools and keys to digitally sign it as a trusted certificate so that a user's browser will trust it.

-- Hack or build a Web server masquerading as the target site (bankofamerica.com) and put the new certificate and key on that server.

-- Take steps to compromise the DNS so that users are redirected to the new, fake site instead of the real bankofamerica.com.
