Security and trust. gabriel waller, nokia siemens networks.
1. Security and Trust Gabriel Waller Nokia Siemens Networks September 2011 Primary colors:
2. Resent real-life examples Fraudulent SSL certificate for *.google.com [August 29] we received reports of man-in-the-middle attacks against Google users, whereby someone get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that normally do not issue certificates for Google. - Why to attack google.com? - Attacker could intercept end-users’ communication. The Dutch government has been using only Diginotar-supplied certificates. The breach leaves all government websites with invalid certificates while a new supplier is being searched for. The minister of internal affairs recommends people not to use the websites.
Example of real proffessioinal and targeted cybercrime, attacking Google! Also impacting the National Security in Holland, as Dutch Government was depending on the miss-used Diginotar
The defaced pages dating back to 2009 found by F-secure appear to have been copied during a re-installation of the web server in August. The OCSP server's working at DigiNotar has been reversed since Sept 1st. Normally these servers respond with good to all certificates except those on the CRL (a blacklist). The OCSP now operates in whitelist mode: it will call all unknown certificates signed by DigiNotar as revoked (a whitelist). Hence we need to make sure to use the OCSP server to validate DigiNotar certificates -should we want/need to- and not rely on the published CRLs anymore. DigiNotar operates multiple CA servers, all of them seem to have been compromised by the hackers and having had Administrator level access, including those used for Qualified certificates and PKIOverheid certificates. Some of the CA servers have had parts of their logs deleted, leading to DigiNotar not knowing what certificates were issued. Hacker tools including Cain&Abel as well as specialized dedicated scripts -written in a language specific to the PKI environment- were found. Intentional fingerprints left in one of the scripts links it back to the Comodo breach. There is a list of 6 CAs that have been found to have emitted rogue certificates There is an incomplete list of 24 additional CAs that have had their security compromised but have not shown to have emitted rogue certificates The rogue certificate for *.google.com detected in the wild was verified against the DigiNotar OCSP service from August 4th till it was revoked on August 29th. 300 000 different IP addresses verified that certificate. More than 99% of those addresses trace back to Iran. The report notes that those who had their connections to gmail intercepted could have exposed their authentication cookies and that would expose their email itself, and through that also allow access to reset functionality of other services such as e.g. facebook. It is recommended that those in Iran logout and change passwords. 2 certificates were found on the PKIOverheid and Qualified environment that cannot be related to a valid certificate.Yet the logs appear to be intact and do not show rogue certificates created. There is a list of failures of basic best security practices that have clearly not worked, implemented badly or were omitted. Yet the servers are housed in a tempest protected room. The hackers breached the systems possible June 6th already, this got detected by DigiNotar on June 19th, The rogue certificates were created in July and the first time the *.google.com certificate that was detected in the wild was presented on July 27th to the OCSP server. Yet it took till DigiNotar was notified by govCERT.nl before they revoked the certificate. The letter [in Dutch] summarizes the report itself, and contains some additional information not in the report that is of interest: There is now an inquiry into DigiNotar for possible responsibility and negligence The search for the hackers continues DigiNotar filed an official reported the incident on September 5th They suggest leniency and agreements for those cases where the revocation of trust in DigiNotar leads to problems such as with the timely filing of tax information in the Netherlands
The browser trusts many sites, as indicated in the ”trusted Root Certificate Authorities If one Root CA is compromised, browser remain trusing whatever malicious site creted with that CA. Security update of borwser/operating system required to mitigate the threat