Attacks/Breaches
9/6/2011
10:55 AM
50%
50%

Stolen Digital Certificates Compromised CIA, MI6, Tor

"Operation Black Tulip" security audit launched by the Dutch government finds that some of the 531 bad certificates were used to compromise at least 300,000 Iranian IP addresses.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
On Monday, Fox-IT, the security auditors investigating the false digital certificates issued by Dutch certificate authority DigiNotar, released a preliminary report finding that the extent and duration of the breach was much more severe than had previously been disclosed.

In particular, attackers could have used the stolen certificates to spy on users of popular websites for weeks, without their being able to detect it. "It's at least as bad as many of us thought," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public."

Likewise, the list of fraudulent digital certificates obtained from DigiNotar has been growing, expanding to include not just Facebook, Google, Microsoft, Skype, Twitter, and WordPress, but also the CIA, MI6, and Mossad intelligence services, as well as the pro-privacy Tor Project.

The first known certificate to be stolen dates from July 10, 2011. But while DigiNotar learned about the fraudulently issued certificates sometime later, it only made a public acknowledgement after Google users began experiencing related attacks. As the scale of the breach became clear, last week the Dutch government--which maintains a digital ID system based on DigiNotar-issued certificates--seized control of the certificate authority, commissioned Fox-IT to begin an immediate audit, dubbed "Operation Black Tulip," and warned Dutch residents that the identity system could no longer be trusted.

The Tor Project, working with the Dutch government, has been maintaining a full list of all compromised certificates, which currently number 531, although security experts expect that number to grow. The list includes intermediary certificate authorities (CAs), including Comodo, Equifax, Thawte, and VeriSign root certificate issuers, which are sites that can be used to issue new certificates.

"We cannot determine whether they succeeded in creating any intermediate CA certs. That's really saying something about the amount of damage a single compromised CA might inflict with poor security practices and regular internet luck," said Jacob Appelbaum, a core member of the Tor Project, on the Tor blog.

Attackers gaining access to digital certificates for Tor is also a worry, because the anonymizing network is often used by human rights activists to mask their activities in oppressive countries.

Meanwhile, on Tuesday, the hacker behind the attacks against the Comodo certificate authority earlier this year claimed credit in a Pastebin post for the successful hack of DigiNotar, saying he'd been able to obtain a "full remote desktop connection" into its network. In addition, he said he'd compromised four more high-profile CAs, but stopped short of naming them.

As with the Comodo hacks, the target of the attacks appears to be Iranian Internet users. "The recent compromise of Dutch certification authority DigiNotar was used to spy on Iranian Internet users on a large scale," said Feike Hacquebord, a senior threat researcher at Trend Micro, in a blog post. "We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack."

The preliminary audit of DigiNotar has reached similar results. "Fox-IT analyzed the lookups against DigiNotar's OCSP servers (which browsers check to see if a certificate has been revoked) and determined that during the active attack period more than 99% of queries originated in Iran," said Wisniewski at Sophos. According to the report, at least 300,000 unique IP addresses in Iran used the bad Google certificates.

In response to the attacks, Google, Microsoft, and Mozilla took the unusual step of permanently blocking all DigiNotar certificates. As a result, users of fully patched versions of Chrome, Firefox, and Internet Explorer 7 running on Windows 7 or Vista are protected against related attacks. Apple, however, has yet to patch OS X or Safari, and users of older Microsoft operating systems are also at risk.

On Saturday, Microsoft detailed the risks faced by vulnerable Windows users, as well as techniques they could use to protect themselves. Start by staying away from open wireless networks, since attackers could use such networks to launch man-in-the-middle attacks, said Microsoft. Meanwhile, other attack vectors include an attacker controlling the network infrastructure used by the user, or using DNS--either by controlling the DNS server used by the user's ISP, or tricking the user into using a malicious DNS server.

"Without this type of 'man-in-the-middle' access, an attacker would be unlikely to be successful in carrying out an attack," according to Microsoft. But two of those exploitation techniques are difficult to avoid in countries that heavily control their Internet infrastructure. In addition, successful attacks against Windows XP or Windows Server 2003 users could route them to malicious update sites, warned Microsoft.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: " I think Google Doodle is getting a little out of control"
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.