Hackers steal SSL certificates for CIA, MI6, Mossad
Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue 'death sentence'
Computerworld - The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.
The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to blocks all sites signed with the purloined certificates.
Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service.
"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for CIA.gov, I wonder if the US gov will pay attention to this mess," Christopher Soghoian, a Washington D.C.-based researcher noted for his work on online privacy, said in a tweet Saturday.
Soghoian was referring to assumptions by many experts that Iranian hackers, perhaps supported by that country's government, were behind the attack. Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.
All the certificates were issued by DigiNotar, a Dutch issuing firm that last week admitted its network had been hacked in July.
The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.
Criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.
Google and Mozilla said this weekend that they would permanently block all the digital certificates issued by DigiNotar, including those used by the Dutch government.
Their decisions come less than a week after Google, Mozilla and Microsoft all revoked more than 200 SSL (secure socket layer) certificates for use in their browsers, but left untouched hundreds more, many of which were used by the Dutch government to secure its websites.
"Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar," Heather Adkins, an information security manager for Google, said in a Saturday blog post.
Johnathan Nightingale, director of Firefox engineering, echoed that late on Friday.
"All DigiNotar certificates will be untrusted by Mozilla products," said Nightingale, who also said that the Dutch government had reversed its position of last week -- when it had asked browser makers to exempt its DigiNotar certificates.
- The new security perimeter: Human Sensors
- Cyberattacks could paralyze U.S., former defense chief warns
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Everything You Know About Enterprise Security Is Wrong
- UK man charged with hacking Federal Reserve
- McAfee Offers Global Response to Nationalized Malware
- Tech Industry Praises Cybersecurity Framework From White House
- Ransomware like Cryptolocker uses Bitcoin, other virtual currencies for payment
- Trial for alleged Silk Road creator Ross Ulbricht set for November
- Target attack shows danger of remotely accessible HVAC systems
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts