Saturday, March 26, 2011

Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran

From Kim Zetter at Wired's Threat Level Blog,

In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.

“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”

Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.

In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.

Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.

“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”

“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”

Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.

Out of the nine fraudulent certificates the hacker requested, only one — for Yahoo — was found to be active. Abdulhayoglu said Comodo tracked it, because the attackers had tried to test the certificate using a second Iranian IP address.

All of the fraudulent certificates have since been revoked, and Mozilla, Google and Microsoft have issued updates to their Firefox, Chrome and Internet Explorer browsers to block any websites from using the fraudulent certificates.

Comodo came clean about the breach this week, after security researcher Jacob Appelbaum noticed the updates to Chrome and Firefox and began poking around. Mozilla persuaded Appelbaum to withhold public disclosure of the information until the situation with the certificates could be resolved, which he agreed to do.

Abdulhayoglu told Threat Level that his company first learned of the breach from the partner that was compromised.

The attacker had compromised the username and password of a registration authority, or R.A., in southern Europe that had been a Comodo Trusted Partner for five or six years, he said. Registration authorities are entities that are authorized to issue certificates after conducting a due-diligence check to determine that the person or entity seeking the certificate is legitimate.

“We have certain checks and balances that alerted the R.A. [about the breach], which brought it to our attention,” he said. “Within hours we were alerted to it, and within hours we revoked everything.”

It’s not the first time that the integrity of web certificates has come into question.

Security researcher Moxie Marlinspike showed in 2009 how a vulnerability in the way that web certificates are issued by authorities and authenticated by web browsers would allow an attacker to impersonate any trusted website with a legitimately issued certificate
.

Hacker Spies Hit Security Firm RSA


via Kim Zetter at Wired's Threat Level Blog,



Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.

The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.

A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.

“We are not withholding anything that would adversely impact the security of our customer systems,” said spokesman Michael Gallant. “[But] we’re working with government authorities as well so we’re not disclosing any further information besides what’s on the blog post.”

RSA categorized the attack as an advanced persistent threat, or APT. APT attacks are distinctive in the kinds of data the attackers target. Unlike most intrusions that go after financial and identity data, APT attacks tend to go after source code and other intellectual property and often involve extensive work to map a company’s infrastructure.

APT attacks often use zero-day vulnerabilities to breach a company and are therefore rarely detected by antivirus and intrusion programs. The intrusions are known for grabbing a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.

Last year’s hack into Google was considered an APT attack, and, like many intrusions in this category, was linked to China.

RSA, which is owned by EMC, is a leading firm and is most known for the RSA encryption algorithm used to secure e-commerce and other transactions. The company hosts the top-ranked RSA security conference every year.


for more information visit the Wired Threat Level Blog.

Hey AT&T customers: Your Facebook data went to China and S. Korea this morning…

From Barrett Lyons's Blog,

Quietly this morning customers of AT&T browsing Facebook did so by way of China then Korea. Typically AT&T customers’ data would have routed over the AT&T network directly to Facebook’s network provider but due to a routing mistake their private data went first to Chinanet then via Chinanet to SK Broadband in South Korea, then to Facebook. This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect Modus operandi.
This morning’s route to Facebook from AT&T:

route-server>show ip bgp 69.171.224.13 (Facebook's www IP address)
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934

The AS path (routing path) translates to this:

1. AT&T (AS7018)
2. Chinanet (Data in China AS4134)
3. SK Broadband (Data in South Korea AS9318)
4. Facebook (Data back to US 32934)

Current route to Facebook via AT&T:

route-server>sho ip bgp 69.171.224.0/20
BGP routing table entry for 69.171.224.0/20, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 3356 32934 32934, (received & used)

Translated: Your data goes from AT&T’s network to US based Level3 Communications to Facebook’s servers.

What could have happened with your data? Most likely absolutely nothing. Yet, China is well known for it’s harmful networking practices by limiting network functionality and spying on its users, and when your data is flowing over their network, your data could be treated as any Chineese citizens’. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc? One could only speculate, however it’s possible.

This brings up a lot of questions:


  • Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?
  • Should Facebook enable SSL on all accounts by default?
  • Was this actually a privacy breach or just the way the Internet functions?
  • Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?
  • Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?


This happens all the time — the Internet is just not a trusted network. Yet, I prefer to know that when I am on AT&T’s network, going to US located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies. I guess that’s why you should not use Facebook in “bareback” mode and use HTTPS (SSL) any time you can.

Food for thought.

It’s Tracking Your Every Move and You May Not Even Know

via Noam Cohen at the New York Times,

A favorite pastime of Internet users is to share their location: services like Google Latitude can inform friends when you are nearby; another, Foursquare, has turned reporting these updates into a game.

But as a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts.

The results were astounding. In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

Mr. Spitz has provided a rare glimpse — an unprecedented one, privacy experts say — of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send “cookies” to a user’s computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit “record.”

“We are all walking around with little tags, and our tag has a phone number associated with it, who we called and what we do with the phone,” said Sarah E. Williams, an expert on graphic information at Columbia University’s architecture school. “We don’t even know we are giving up that data.”

Tracking a customer’s whereabouts is part and parcel of what phone companies do for a living. Every seven seconds or so, the phone company of someone with a working cellphone is determining the nearest tower, so as to most efficiently route calls. And for billing reasons, they track where the call is coming from and how long it has lasted.

“At any given instant, a cell company has to know where you are; it is constantly registering with the tower with the strongest signal,” said Matthew Blaze, a professor of computer and information science at the University of Pennsylvania who has testified before Congress on the issue.

Mr. Spitz’s information, Mr. Blaze pointed out, was not based on those frequent updates, but on how often Mr. Spitz checked his e-mail.

Mr. Spitz, a privacy advocate, decided to be extremely open with his personal information. Late last month, he released all the location information in a publicly accessible Google Document, and worked with a prominent German newspaper, Die Zeit, to map those coordinates over time.

“This is really the most compelling visualization in a public forum I have ever seen,” said Mr. Blaze, adding that it “shows how strong a picture even a fairly low-resolution location can give.”

In an interview from Berlin, Mr. Spitz explained his reasons: “It was an important point to show this is not some kind of a game. I thought about it, if it is a good idea to publish all the data — I also could say, O.K., I will only publish it for five, 10 days maybe. But then I said no, I really want to publish the whole six months.”

In the United States, telecommunication companies do not have to report precisely what material they collect, said Kevin Bankston, a lawyer at the Electronic Frontier Foundation, who specializes in privacy. He added that based on court cases he could say that “they store more of it and it is becoming more precise.”

“Phones have become a necessary part of modern life,” he said, objecting to the idea that “you have to hand over your personal privacy to be part of the 21st century.”

In the United States, there are law enforcement and safety reasons for cellphone companies being encouraged to keep track of its customers. Both the F.B.I. and the Drug Enforcement Administration have used cellphone records to identify suspects and make arrests.

If the information is valuable to law enforcement, it could be lucrative for marketers. The major American cellphone providers declined to explain what exactly they collect and what they use it for.

Verizon, for example, declined to elaborate other than to point to its privacy policy, which includes: “Information such as call records, service usage, traffic data,” the statement in part reads, may be used for “marketing to you based on your use of the products and services you already have, subject to any restrictions required by law.”

AT&T, for example, works with a company, Sense Networks, that uses anonymous location information “to better understand aggregate human activity.” One product, CitySense, makes recommendations about local nightlife to customers who choose to participate based on their cellphone usage. (Many smartphone apps already on the market are based on location but that’s with the consent of the user and through GPS, not the cellphone company’s records.)

Because of Germany’s history, courts place a greater emphasis on personal privacy. Mr. Spitz first went to court to get his entire file in 2009 but Deutsche Telekom objected.

For six months, he said, there was a “Ping Pong game” of lawyers’ letters back and forth until, separately, the Constitutional Court there decided that the existing rules governing data retention, beyond those required for billing and logistics, were illegal. Soon thereafter, the two sides reached a settlement: “I only get the information that is related to me, and I don’t get all the information like who am I calling, who sent me a SMS and so on,” Mr. Spitz said, referring to text messages.

Even so, 35,831 pieces of information were sent to him by Deutsche Telekom as an encrypted file, to protect his privacy during its transmission.

Deutsche Telekom, which owns T-Mobile, Mr. Spitz’s carrier, wrote in an e-mail that it stored six months’ of data, as required by the law, and that after the court ruling it “immediately ceased” storing data.

And a year after the court ruling outlawing this kind of data retention, there is a movement to try to get a new, more limited law passed. Mr. Spitz, at 26 a member of the Green Party’s executive board, says he released that material to influence that debate.

“I want to show the political message that this kind of data retention is really, really big and you can really look into the life of people for six months and see what they are doing where they are.”

While the potential for abuse is easy to imagine, in Mr. Spitz’s case, there was not much revealed.

“I really spend most of the time in my own neighborhood, which was quite funny for me,” he said. “I am not really walking that much around.”

Any embarrassing details? “The data shows that I am flying sometimes,” he said, rather than taking a more fuel-efficient train. “Something not that popular for a Green politician.”