Saturday, March 26, 2011

Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran

From Kim Zetter at Wired's Threat Level Blog,

In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.

“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”

Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.

In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.

Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.

“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”

“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”

Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.

Out of the nine fraudulent certificates the hacker requested, only one — for Yahoo — was found to be active. Abdulhayoglu said Comodo tracked it, because the attackers had tried to test the certificate using a second Iranian IP address.

All of the fraudulent certificates have since been revoked, and Mozilla, Google and Microsoft have issued updates to their Firefox, Chrome and Internet Explorer browsers to block any websites from using the fraudulent certificates.

Comodo came clean about the breach this week, after security researcher Jacob Appelbaum noticed the updates to Chrome and Firefox and began poking around. Mozilla persuaded Appelbaum to withhold public disclosure of the information until the situation with the certificates could be resolved, which he agreed to do.

Abdulhayoglu told Threat Level that his company first learned of the breach from the partner that was compromised.

The attacker had compromised the username and password of a registration authority, or R.A., in southern Europe that had been a Comodo Trusted Partner for five or six years, he said. Registration authorities are entities that are authorized to issue certificates after conducting a due-diligence check to determine that the person or entity seeking the certificate is legitimate.

“We have certain checks and balances that alerted the R.A. [about the breach], which brought it to our attention,” he said. “Within hours we were alerted to it, and within hours we revoked everything.”

It’s not the first time that the integrity of web certificates has come into question.

Security researcher Moxie Marlinspike showed in 2009 how a vulnerability in the way that web certificates are issued by authorities and authenticated by web browsers would allow an attacker to impersonate any trusted website with a legitimately issued certificate
.

14 comments:

Diana said...

What this hacker did is outrageous and very incredible. I find it to be unbelievable that a hacker obtained legitimate web certificates that would have allowed him to impersonate some of the top sites such as Google, Microsoft and Yahoo. Sites like Google and Yahoo are top-notch companies and I feel that it will be hard to hack into but reading this change that thought. All of these top sites are sites i usually login into everyday. How was he able to craft fake pages and not get caught? He is that good that his attack can range from a small scale wi-fi spoofing at a coffee shop all the way to global hijacking of Internet routes (WOW). Other hackers may find this to be a piece of cake to do but with me not having that type of computerizing skills, I find this hacker's work to be very impressive. I believe people needs to be careful using the Internet while technology is advancing so are the minds of the hackers. Nobody knows what they are capable of doing next.

Katie said...

This post reminds me of the class where we discussed which was worse: a threat to confidentiality, a threat to integrity, or a threat to availability. I argued that the threat to integrity was the worst of the three. I still hold this to be true. When someone is taking over a plane, I would rather have the pilot know that something is wrong rather than remain oblivious until it is too late. It is the same way with these popular sites. We all know what information we are releasing and can take legal action if that information is used wrongly. If availability is taken away, we just can't use email for a few hours. If, however, we are giving all of our information to a third party without realizing it, there is no way for us to be proactive. That is the scariest threat in my opinion. This post reminds me just how careful one needs to be on the web. You can never truly know whether or not you are getting “owned”.

Chris Heller said...

Sure, it's troubling how this hacker could've pulled all sorts of attacks with the legitimate SSL certificates.

But, isn't it scarier that these massive companies don't maintain complete control over their security mechanisms? While it's unreasonable to suggest that DNS needs to be completely overhauled, we need to recognize that even the Googles and Yahoos of the world face serious vulnerabilities outside of their authority.

Are there any measures that can be put in place to strengthen the defenses of private certificate authority companies like Comodo Group? I'm not sure, but I also don't know what sort of relationship these kinds of companies have with information privacy and security firms.

Holly said...

This news article touches on a number of topics that we have discussed in class. The article is really frightening because it shows that even if you take every precaution online, you are still at risk for being hacked. In this case, educating the public might cause more harm than good as it would incite panic. The article also discusses that the perpetrator is likely a nation state because of the the coordination of the attack and the information the hackers were targeting. Instead of looking for bank login information to make a profit, they might be looking for government or corporate innovations or information that they can use to their own advantage. Lastly, it raises the question of attribution. The hack has been traced back to Iran, but is that the actual starting point? And even if the US is able to determine the perpetrator, how can you prosecute him or her if Iran is unwilling to cooperate? Clearly, policies and legislation are not keeping up with cyber issues. Articles like this one really demonstrate why policy makers need to make legislation dealing with cyberspace a priority. Everyone's security is at risk.

Ana S. said...

I agree with Katie that the threat to integrity is the most dangerous one of the three threats. It is remarkable that such an individual managed to obtain legitimate web certificates and I cannot imagine the consequences of the operation, had it succeeded. The speed at which operations are conducted on the Internet would make such an attack turn into a disaster because it would take time to realize that a third party is stealing our private information.

Andrew Glass said...

This post reminded me of our class discussion about security researchers and a codified code of ethics. Jacob Appelbaum, the security researcher that first discovered the bogus certificates, came directly to Mozilla when he discovered the problems. In turn, Mozilla worked to remedy the problems in exchange for Appelbaum not taking the bogus certificates public.

The partnership between the research community and the corporations worked successfully in this case. Appelbaum, probably a respected professional, did what Ned said the research community does: takes the vulnerabilities to the corporations first, thus allowing a grace period to remedy the problem before either party breaks the news to the public.

This code of ethics ensures mutual respect and cooperation between the two industries. It also keeps the corporations honest because they become aware of the consequences of not addressing their problem: that the researcher will take the vulnerability public and embarrass the company.

Katie McCafferty said...

I agree with what both of you said and I think that looking back at this post after having numerous class discussions about ways in which we can solve these incidences of cyber attacks, it is imperative that we keep in mind the sort of implications that can arise, especially since they are happening at such a large scale without many people even aware that they are.
The fact that such large scale companies such as Google, Microsoft, and Yahoo can be targeted so successfully I feel has looming implications for the future for attacks on vital sources of information pertaining to our national security. Though it is definitely a large problem that we have on our hands, especially since the technology is rapidly advancing each day, there needs to be some general awareness spread about these sorts of attacks and the capabilities of the hackers in order to inform the American people what is truly going on in Cyberspace. In that way, individuals can at least start to take personal action in trying to be more secure. And hopefully with enough awareness, we can get some proactive responses from the Government as well.

Jen said...

I wonder how often this happens and we aren’t aware of it. And as for invasion of privacy to our email accounts, I feel it’s na├»ve to believe that free email accounts such as yahoo and gmail aren’t already being monitored to some degree. Perhaps the majority of us have nothing in our email accounts that anyone would really care to read, but there is a reason major companies don’t use free email accounts and websites. While clearly this hacker used illegal means of obtaining these certificates and more than likely meant to do something less than honorable with the information, it doesn’t mean we should think this sort of illegal activity is the only threat to our privacy in cases such as email. We talk about this a lot in class, about what type of information you put out onto the internet and if you care if anyone sees it. Clearly we don’t expect some criminal to obtain fake web certificates and use it to monitor our accounts, and in this case the certificates were revoked, but this isn’t the only way your account can be monitored. It’s obvious for us to see this incident as wrong and illegal, and it is. But it’s also not the only way our activity can be monitored. On a company level, this type of breach is about protecting your intellectual property, and for companies such as google, this is one of the most crucial aspects of their business. For individuals like us, this type of attack should warn us that all types of information we put on the internet can be monitored, but we can’t always assume it is through means such as “the bad guys” stealing web credentials. While that is the most obvious, I doubt it’s the most common.

Katharina said...

I agree that it is very scary to see that website vulnerabilities allow an attacker to masquerade as any website and trick a computer into providing sensitive personal information. While it is scary to see that this hacker obtained certificates to top websites like Google, Microsoft and yahoo, I think it is more frightening to know that this type of hack or “man in the middle attack” can also occur on financial websites. As we saw in a class demo, it is important to always review the exact domain name of a site to make sure our web browser is not being fooled into entering a malicious or fraudulent imitation site. This is particularly dangerous with regards to online banking. A “man in the middle attack” for example on bank of America could potentially intercept and transfer passwords or sensitive bank account information to criminals who can then easily steal the costumer’s money.
It’s good to hear that these vulnerabilities were fixed and eventually disclosed to the public. It’s also great that researchers like Dan Kaminsky and Moxie Marlinspike are working to create solutions to these problems. Nevertheless, I think most people today are completely unaware of what is going on and the majority of users need to be better informed about online risks and threats. For example, when Mozilla offered this recent web browser update I had no idea that this was done to block websites from using the fraudulent certificates. I chose to install the update but I’m sure many online users did not bother to update their browsers immediately because they didn’t know how that it was issued to protect their online security.

Shelby said...

This post only further stresses the increasing problem of cyber espionage that we discussed in class. Clearly we are lacking from the strength to protect ourselves from these hacking attacks, as the article admits that this is not the first attack we have experienced. This is incredibly troubling, as cyber attacks such as this post happen on a too often basis, indicating that policy makers are either unaware of this problem or indifferent to act. Considering that an overwhelming number of people use these top internet sites that are being attacked, I believe that these numbers alone are compelling evidence for the policy makers to act. To not recognize this cyber espionage as a significant problem is simply unreasonable at this point. The article states that this attack was on a cyber scale of a 9/11 attack, using our own planes against us. It is by mere luck that the attack was not as fully successful as planned, given that we seemingly had a limited defense protecting our cyber integrity. Because the United States is known to rely on information systems the most, this only emphasizes how vulnerable of a target we are becoming to these nation states' attacks. Seemingly our only defense against these attacks is the sheer volume of information that is being stolen from us, making it difficult for the hackers to distinguish which information they need. This is not a very promising defense, as this article illustrates that the United States still proves to be an easy target for cyber espionage. In response, policy makers therefore, need to make a greater effort in deterrence in cyber warfare acts such as this one. An attempt needs to be made to further develop and articulate red lines, banning the hacking of critical infrastructure such as these frequently used sites. There needs to be a greater risk for the adversaries in place to discourage any future cyber attacks. Currently there is no reason for these adversaries not to attack us, as doing so only helps them rather than create harm. Since we have reason to believe this attack can be traced to Iran, this allows for us to confront and begin clearly articulating red lines to prevent the next attack. If we can provide sufficient evidence that Iran is the responsible actor of these attacks, we can more directly address this problem; attempting to deter by establishing lines of value with corresponding responses. Although I recognize that these policy acts are not as easy to immediately implement,I still feel that there is a crucial need for at least an attempt to be made to protect our internet users that are currently at a constant risk. Policy makers need to realize that this cyber espionage is a problem that is not going to be solved by itself. This problem requires the time, energy, and patience of policy makers - something that frankly isn't being seen.

pjk52 said...

I believe of all the cons used by hackers, this one is the most frightening. After reading this article, I reflected on how often I go on Gmail or Facebook without checking the safety or certificate of the website. This is because I assume that the website is legitimate due to the size of the organization and its daily use.

I like the tactics utilized by some banks where there is a specific picture and phrase associated with every log-in allowing you to double check that the site is legitimate before signing on. I don't know if this is difficult to spoof, but I hope not.

The amount of effort going into hacking leads me to question why these people don't try legitimate means of making money on the internet... is it due to country restrictions?

Kirsten said...

Yes, it is more than slightly disconcerting that a hacker would obtain SSL certificates to feign legitimacy and steal information from unsuspecting individuals. I think that Google, Microsoft, and Yahoo should take measures to try to enhance security on behalf of their customers. I likewise believe that individuals should exercise greater discretion regarding what they communicate over the Internet.

Darion Parker said...

Again, this further proves to users that we are never really safe online. Generally people, myself included, are prone to believe that with a prestigious/respectable name comes a level of security. This is perhaps one of the biggest myths. If anything with a prestigious, well-known name comes the desire to take them down from hackers. At this rate, no one is 100% safe, however, the trade off in convenience is enough to keep users. Honestly, Google could get hacked every other day and users would not shift because of the dependency on the site.

C. Kent said...

How exactly was he able to obtain legitimate web certificates? Whether it was easy or hard, what is important is that it is possible, which is incredibly scary. People's lives consists and rely on sites such as Google, Microsoft, and Yahoo. This is only a reminder of how careful everyday users need to be when using the internet. Whether they are browsing or working on something confidential, you are never safe on the internet.