Digital certificate hack reveals threat to U.S. government websites

Exploit could be used as cyber warfare tactic, experts say

The recent hack that put nine fraudulent digital certificates into circulation has caused little real damage, but it demonstrates U.S. government websites’ vulnerabilities to foreign government cyber warfare attacks, security experts say.

A single Iranian, in a blog post, claimed credit for hacking into digital certificate provider Comodo, obtaining fraudulent certificates for websites operated by Google, Yahoo, Microsoft, Skype and Mozilla.

However, security experts say the attack may have actually been orchestrated by Iran's government to track and shut down dissidents, according to reports in InformationWeek and the New York Times.

“Everything points to this being an intelligence operation,” Roel Schouwenberg, a senior researcher at the security firm Kaspersky, said in the New York Times article. Schouwenberg said theft of certificates has become a favored tactic among governments.

Further compounding the problem are the vast numbers of certificate issuers – approximately 650 organizations, not all of which may follow proper security procedures, CNET reported.

"There is this problem that exists today where there are a very large number of certificate authorities that are trusted by everyone and everything," Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation, told CNET.

All these certification organizations possess master keys – currently about 1,500 – that can be used to impersonate any website on the Internet, including those of the Treasury and Homeland Security departments, according to CNET. Foreign governments could then capture passwords, read e-mail messages and monitor other user activity – even with Secure Sockets Layer encryption.

Upon discovering the breach, Comodo revoked the nine fraudulent certificates, and Microsoft, Google and Mozilla released patches and updates to their individual browsers.

The affected sites were:

  • addons.mozilla.org
  • login.skype.com
  • login.live.com
  • mail.google.com
  • google.com
  • login.yahoo.com (three certificates)
  • "Global Trustee"

Damage from the fake certificates was minimal: two Online Certificate Status Protocol (OCSP) hits, reported InformationWeek. A blog post from Mozilla stated that “this suggests that the certificates have not been deployed in an attack, though it is possible that the attackers would block OCSP requests as well.”
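The gap Mozilla describes, a validly chained but fraudulent certificate whose revocation check an attacker can simply block, is what the out-of-band browser updates were meant to close. The following is an added example, not code from the article or from any browser vendor, of how a client can layer a local blocklist and an expected-issuer pin ahead of a soft-fail OCSP check; the issuer names, serial numbers and certificate dicts are constructed placeholders, and X.509 parsing is assumed to have happened elsewhere.

```python
from enum import Enum

class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"  # responder blocked, filtered or timed out

# Hosts named in the article, pinned to the issuer that should certify them.
# Issuer names are constructed placeholders, not the real CA names.
PINNED_ISSUERS = {
    "mail.google.com": {"Example Google Internet Authority"},
    "login.live.com": {"Example Microsoft Secure Server CA"},
    "addons.mozilla.org": {"Example Mozilla Services CA"},
}

# Serials of known-fraudulent certificates shipped to clients out of band,
# the way the browser updates in the article did. Placeholder values.
BLOCKLISTED_SERIALS = {"00:DEAD:BEEF:0001", "00:DEAD:BEEF:0002"}

def check_certificate(host, cert, ocsp_status, hard_fail=False):
    """Return (accepted, reason) for a leaf cert dict presented for `host`."""
    # Offline checks run before the OCSP result is consulted, because whoever
    # can present a fraudulent certificate can usually also block OCSP traffic.
    if cert["subject"] != host:
        return False, "subject does not match host"
    if cert["serial"] in BLOCKLISTED_SERIALS:
        return False, "serial is on the local blocklist"
    expected = PINNED_ISSUERS.get(host)
    if expected is not None and cert["issuer"] not in expected:
        # The Comodo pattern: a chain that validates to a trusted root but
        # comes from a CA this site never uses.
        return False, "issuer %r is not pinned for %s" % (cert["issuer"], host)
    if ocsp_status is OcspStatus.REVOKED:
        return False, "OCSP responder reports revoked"
    if ocsp_status is OcspStatus.UNREACHABLE:
        # Soft-fail (the 2011 browser default) accepts an unreachable
        # responder; hard-fail treats it as a rejection.
        if hard_fail:
            return False, "OCSP unreachable, rejected (hard-fail)"
        return True, "OCSP unreachable, accepted (soft-fail)"
    return True, "ok"

def scenarios():
    """Incident cases with a constructed fraudulent cert; returns {name: accepted}."""
    fraud = {"subject": "login.yahoo.com", "issuer": "Example Comodo CA", "serial": "00:FF:00:01"}
    blocked = OcspStatus.UNREACHABLE
    return {
        "soft_fail_ocsp_blocked": check_certificate("login.yahoo.com", fraud, blocked)[0],
        "hard_fail_ocsp_blocked": check_certificate("login.yahoo.com", fraud, blocked, hard_fail=True)[0],
        "serial_blocklisted": check_certificate("login.yahoo.com", dict(fraud, serial="00:DEAD:BEEF:0001"), blocked)[0],
        "pinned_host": check_certificate("mail.google.com", dict(fraud, subject="mail.google.com"), OcspStatus.GOOD)[0],
    }
```

Only the first scenario accepts the fraudulent certificate: an unpinned host, a serial not yet on the blocklist and a blocked responder under soft-fail is exactly the window the article's "two OCSP hits" measured.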

The hacker who claimed responsibility for the hack said it was in retaliation for Stuxnet, a worm that may have been created by the United States and/or Israel to disrupt Iran’s nuclear weapons program, and denied working with the Iranian government, reported InformationWeek. In his blog, the hacker also claims to have securely deleted Comodo's Microsoft IIS server and multiple backups.

There is no automated process to revoke fraudulent certificates, no public list of issued certificates or who has duplicate master keys, noted CNET.

"These organizations act as cornerstones of security and trust on the Internet, but it seems like they're not doing basic due diligence that other organizations are expected to do, like the banks," Mike Zusman, managing consultant at the Web app security firm Intrepidus Group, said to CNET.

About the Author

Kathleen Hickey is a freelance writer for GCN.

Reader Comments

Fri, Apr 1, 2011

"the vast numbers of certificate issuers – approximately 650 organizations, not all of which may follow proper security procedures" Who needs lax security, if you own an issuer -- like, how many are "companies" associated with the Chinese government?

Fri, Apr 1, 2011 Larry Frank DC

Who is not doing "due diligence" - the company that issued the certificates, or the companies that include the trust anchor in the certificate store without carefully evaluating the trust level of the PKI issuer? The real security fault here is that Comodo apparently uses USERNAME/PASSWORD to authenticate registration authorities to approve the issuance of PKI certificates. That is a pretty LOW level of security for authentication of such a highly valued trusted role. Did the companies that included the trust anchor weigh that in their decision to include them in the trust store? I doubt it. Organizations that act "as cornerstones of security and trust" need to be held to a standard - and companies that include the trust anchor for them are the ones who need to do it!
