Breached CA Underscores Need To Examine Who You Trust

  /     /     /  
Publicated : 22/11/2024   Category : security


Breached CA Underscores Need To Examine Who You Trust


Companies need to know who their software is trusting to close vulnerabilities



The latest breach at a certificate authority (CA) demonstrates how companies need to keep track of who their software is trusting so they wont be vulnerable to a host of attacks enabled by false digital certificates.
On Tuesday, Dutch security firm DigiNotar
acknowledged
that a July breach led to the issuance of false digital certificates. The grudging admission
came three days
after an online post showed that the company issued a certificate for Google, possibly allowing fraudsters to create fake websites mimicking the online search giants services or to insert themselves in otherwise secure communications.
While browser makers scramble to revoke all of the certificates, companies need to survey their software and systems to minimize the impact of such attacks in the future, says Jeff Hudson, CEO of Venafi, a maker of certificate management systems. More than half of all companies have little idea of the extent that they rely on certificates to secure their systems, according to a recent survey by the firm.
Now companies are saying, Holy mackerel, we have this stuff everywhere, and we are not prepared to deal with a third-party compromise at an organizational level, Hudson says. This is not something that you want to leave to a system administrator who is managing 40 systems -- it is an organizationwide issue.
Breaches at third-party trust providers have become a major issue this year. DigiNotar is the latest CA to acknowledge a breach of its systems. In March, online security company Comodo
acknowledged
it had issued a number of high-value certificates to fraudsters. The admission came the same month that security giant RSA
discovered a breach
that leaked sensitive information about the companys SecurID tokens, which secure a variety of online transactions and communications.
Security experts estimate than more than 270 certificates were falsely issued in the DigiNotar case, but its unknown for which domains or whether the attackers created an intermediate CA, which would give them the ability to issue a large number of untraceable certificates. The discovery of the fake Google certificate came because the companys Chrome browser is coded with knowledge of the limited number of real and valid Google certificates.
Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services, Google said
in a statement on Monday
. The people affected were primarily located in Iran.
The attack appears to have been aimed at eavesdropping on Internet users located in Iran, which has fueled speculation that the attacks were conducted by that nations government. The issuance of certificates for the pro-privacy Tor network appears to support the theory, as well.
What is unusual here is not that a CA was compromised, but that someone noticed -- this is happening all the time, says Moxie Marlinspike, CTO and co-founder of Whisper Systems, a firm focusing on securing mobile communications. The only reason we noticed was the attacker was not smart enough to fingerprint the browsers they were attacking.
If certificate breaches are occurring without being detected, then a companys best defense is to limit its exposure to CAs that might not have adequately secured their systems and processes, Venafis Hudson says.
You have to know where all the certificates are installed, so you know the people that you trust, he says.
In addition, companies should not just deal with a single CA, but have multiple backups. Even those firms that self-sign their certificates should have some redundancy built in, he says. Finally, companies should have mechanisms in place to allow certificates to be replaced quickly in the event of a breach at a trusted third party.
Thats not always simple, however, Whisper Systems Marlinspike says.
While companies might only use a few CAs to sign their own systems, online transactions through the browser have a broad list of more than 600 CAs, leaving their trust models in the hands of the least secure third-party company. Removing untrusted third parties from the browser can lead to problems, he says.
You can go into the trust database and remove companies you dont trust, but if I go in and say I dont trust VeriSign -- and I dont -- I still cant remove them because it breaks the Internet, says Marlinspike.
With all of the breaches in the past year, the browser trust model
needs to be fixed, he says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Breached CA Underscores Need To Examine Who You Trust