Digital certificate hack reveals threat to U.S. government websites
Connecting state and local government leaders
Security experts say the attack may have been orchestrated by the Iranian government to track and shut down dissidents, and that certificate threat has become a favored tactic of foreign governments.
The recent hack that put nine fraudulent digital certificates into circulation has caused little real damage, but it demonstrates U.S. government websites’ vulnerabilities to foreign government cyber warfare attacks, security experts say.
A single Iranian, in a blog post, claimed credit for hacking into digital certificate provider Comodo, obtaining fraudulent certificates for websites operated by Google, Yahoo, Microsoft, Skype and Mozilla.
However, security experts say the attack may have actually been orchestrated by Iran's government to track and shut down dissidents, according to reports in InformationWeek and the New York Times.
Related coverage:
9 fraudulent digital certificates on the loose, Microsoft warns
“Everything points to this being an intelligence operation,” Roel Schouwenberg, a senior researcher at the security firm Kaspersky, said in the New York Times article. Schouwenberg said theft of certificates has become a favored tactic among governments.
Further compounding the problem are the vast numbers of certificate issuers – approximately 650 organizations, not all of which may follow proper security procedures, reported CNET
"There is this problem that exists today where there are a very large number of certificate authorities that are trusted by everyone and everything," Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation, told CNET.
All these certification organizations possess master keys – currently about 1,500 -- that can be used to impersonate any website on the Internet, including those of the Treasury and Homeland Security departments, according to CNET. Foreign governments could then capture passwords, read e-mail messages and monitor other user activity – even with Secure Sockets Layer encryption.
Upon discovering the breach, Comodo revoked the nine fraudulent certificates, and Microsoft, Google and Mozilla released patches and updates to their individual browsers.
The affected sites were:
- addons.mozilla.org
- login.skype.com
- login.live.com
- mail.google.com
- google.com
- login.yahoo.com (three certificates)
- "Global Trustee"
Damage from the fake certificates was minimal: two Online Certificate Status Protocol (OCSP) hits, reported InformationWeek. A blog post from Mozilla stated that “"this suggests that the certificates have not been deployed in an attack, though it is possible that the attackers would block OCSP requests as well.”
The hacker who claimed responsibility for the hack said it was in retaliation for Stuxnet, a worm that may have been created by the United States and/or Israel to disrupt Iran’s nuclear weapons program, and denied working with the Iranian government, reported InformationWeek. In his blog, the hacker also claims to have securely deleted Comodo's Microsoft IIS server and multiple backups.
There is no automated process to revoke fraudulent certificates, no public list of issued certificates or who has duplicate master keys, noted CNET.
"These organizations act as cornerstones of security and trust on the Internet, but it seems like they're not doing basic due diligence that other organizations are expect to do, like the banks," Mike Zusman, managing consultant at the Web app security firm of Intrepidus Group, said to CNET.