About these ads

Archive

Posts Tagged ‘Comodo’

What Security Vendors Said One Year Ago…

January 10, 2012 2 comments

I did not resist, so after publishing the summary of Security Predictions for 2012, I checked out what security vendors predicted one year ago for 2011. Exactly as I did in my previous post, at the beginning of 2011 I collected the security predictions in a similar post (in Italian). I also published in May an update (in English) since, during the Check Point Experience in Barcelona held in May 2011, the Israeli security firm published its predictions. Even if the latters have been published nearly at the half of 2011, for the sake of completeness, I decided to insert them as well in this year-to-year comparison.

Then, I included Symantec (for which this year I did not find any prediction), McAfee, Trend Micro, Kaspersky, Sophos and Cisco. I included Check Point in a second time and I did not include Fortinet, At that time I missed their five security predictions, which I only discovered later so I decided to provide an addendum for this post including Fortinet as well in order to provide a deeper perspective.

The security predictions for 2011 are summarized in the following chart, which reports what the vendors (with the partial above described exception of Checkpoint) expected for the past year in terms of Information Security trends.

But a strict side-by-side comparison with the 2012 information security predictions (extracted by my previous post) is more helpful and meaningful:

As you may notice mobile threats were on top even among the predictions for 2011. This prediction came easily true most of all for Android which suffered (and keeps on suffering) a huge increase in malware detection samples (even if the overall security risk remains contained). Social Media were on top as well: they have been crucial for the Wind of the Changes blown by the Arab Spring but in the same time Social Media have raised many security concerns for reputation, the so called Social Network Poisoning (who remembers Primoris Era?). Although 2011 was the year of the Anonymous, hacktvism ranked “only” at number 4, behind Advanced Persistent Threats, which however played a crucial role for information security (an APT was deployed for the infamous RSA Breach, but it was not an isolated case).

Also botnets, web threats and application vulnerabilities ranked at the top of Security predictions for last year (and came true). As far as botnets are concerned, fortunately 2011 was a very important year for their shutdown (for instance Hlux/Kelihos, Coreflood, Rustock). In several cases the botnets were taken down thanks to joint operations between private sectors and law enforcement agencies (another prediction came true). On the application side, this prediction came true most of all thanks to the Sony breach, the Liza Moon infection and the huge rate of SQLi based attacks and ASP.NET vulnerabilities. We have also assisted to an hard blow to SSL/TLS and XML Encryption.

But what is more surprising (and amusing) in my opinion is not to emphasize which predictions were correct, but rather to notice  which predictions were dramatically wrong: it looks like that, against the predictions, virtualization threats were snubbed by cybercrookers in 2011 (and nearly do not appear in 2012). But the most amusing fact is that no security vendor (among the ones analyzed) was able to predict the collapse of the Certification Authority model thanks most of all to the Comodo and Diginotar Breaches.

About these ads

One Year Of Lulz (Part I)

December 15, 2011 2 comments

Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)

This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.

In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.

As usual after the page break you find all the references.

Read more…

Another Certification Authority Breached (the 12th!)

December 10, 2011 1 comment

2011 CA Attacks Timeline (Click To Enlarge)This year is nearly at the end but it looks like it is really endless, at least from an Information Security Perspective. As a matter of fact this 2011 will leave an heavy and embarassing heritage to Information Security: the Certification Authority authentication model, which has been continuously under siege in this troubled year; a siege that seems endless and which has shown its ultimate expression on the alleged compromise of yet another Dutch Certification Authority: Gemnet.

Gemnet, an affiliate of KPN, has suspended certificate signing operation after an intrusion on its publicly accessible instance of phpMyAdmin (a web interface for managing SQL Database) which was, against any acceptable best practice, exposed on the Internet and not protected by password. As in case of Diginotar, another Dutch Certification Authority which declared Bankrupt few days after being compromised by the infamous Comodo Hacker, Gamnet has  the Dutch government among its customers including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police.

After the intrusion, the attacker claimed to have manipulated the databases, and to allegedly have been able to gain control over the system and all of the documents contained on it, although KPN, claims the documents contained on the server were all publicly available. Moreover the attacker claimed the attack was successful since he could obtain the password (braTica4) used for administrative tasks on the server. As a precaution, while further information is collected about the incident, Gemnet CSP, KPN’s certificate authority division, has also suspended access to their website.

The breach is very different, in purpose and motivations, from the one occurred to Diginotar, at the end of July, which led to the issuance of more than 500 bogus Certificates (on behalf of Google, Microsoft, and other companies). In case of Diginotar the certificates were used to intercept about 300,000 Iranians, as part of what was called “Operation Black Tulip“, a campaign aimed to eavesdrop and hijack dissidents’ emails. For the chronicles, the same author of the Diginotar hack, the Infamous Comodo Hacker, had already compromised another Certification Authority earlier this year, Comodo (which was at the origin of his nickname). In both cases, the hacks were performed for political reasons, respectively as a retaliation for the Massacre of Srebrenica (in which the Comodo Hacker claimed the Dutch UN Blue Helmets did not do enough to prevent it), and as a retaliation for Stuxnet, allegedly developed in a joint effort by Israel and US to delay Iranian Nuclear Program.

But although resounding, these are not the only examples of attacks or security incidents targeting Certification Authorities: after all, the attacks against CAs started virtually in 2010 with the infamous 21th century weapon Stuxnet, that could count among its records, the fact to be the first malware using a driver signed with a valid certificate belonging to Realtek Semiconductor Corps. A technique also used by Duqu, the so called Duqu’s son.

Since then, I counted 11 other breaches, perpetrated for different purposes: eavesdropping (as is the case of the Infamous Comodo Hacker), malware driver signatures, or “simple” compromised servers (with DDoS tools as in case of KPN).

At this point I wonder what else we could deploy to protect our identity, given that two factor authentication has been breached, CAs are under siege, and also SSL needs a substantial revision. Identity protection is getting more and more important, since our privacy is constantly under attack, but we are dangerously running out of ammunitions.

(Click below for references)

Read more…

An Industry Wide Attack

September 9, 2011 3 comments

9/9/2011: Globalsign admitted evidence of a breach to the web server hosting the www website:

Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.

Starting from March 2011, one might say that the authentication bastions have been crumbling one after another. In hindsight, one event in particular occurred during March 2011 has been mostly underestimated. Of course I am not referring to the RSA affair, but to the Comodo Hack, whose only blame was to happen too close in time to the RSA Breach, which ended up obfuscating its impact for the Information Security Landscape … At least until August 2011.

As a matter of fact when, immediately after the Comodo Hack, the so called Comodo Hacker published on pastebin his declaration of Cyberwar, no one considered the hypothesis that other Certification Authorities could have been equally compromised. Consequently, although the hack was classified as a serious cyberattack, driven by a political matrix and capable to establish a new (unwelcome) record, it was considered an isolated episode, mainly due to the scarce attention to application security by the targeted Comodo partner. Moreover the final target (Google) and the political reasons behind the attack deserved much more attention than the means used to perpetrate the attack itself: the first-time compromission of a Certification Authority, a completely inedited attack vector.

Nearly four months later, the Diginotar hack (again an attack with alleged political reasons behind although according to Trend Micro it targeted Iranian Internet users) has shown to the world the weaknesses of our authentication model and its chain of trust. Not only the hacker was able to forge more than 500 fake Code Sign and SSL certificates, but he also claimed to have access to other four CAs, quoting explicitly GlobalSign, and indirectly another one StartCom, which was able to avoid the hack since its CEO was sitting in front of the HSM during the attack, although the Comodo Hacker claims to own email, DB Backup and Customer data.

Trust in Diginotar Certificate Authority has been revoked from all browsers and OSes, permanently from all Mozilla Products, but not from Smartphones, with heavy consequences for the Dutch government’s PKIoverheid (PKIgovernment) program. Of course, easily predictable, the assertions from Comodo Hacker triggered panic between cert providers. On September the 6th GlobalSign decided to temporary cease issuance of all certificates as a precautionary measure and appointed Fox-IT to perform an intensive audit (Fox-IT is the same Dutch Cybsersecurity Company which performed the audit on Diginotar); on September the 7th Symantec released a statement to reassure their customers their infrastructure has been audited and it is not compromised. A similar announcement has been published by Thawte after an erroneous report from a Dutch Government agency according to which the Security firm had been breached. Unfortunately the story does not end here and although the Comodo Hacker promises further disclosures.

If I can spend few words on the question, the best way to describe it is to quote a statement from GlobalSign: “these claims (from Comodo Hacker) represent an industry wide attack”. Said in simple words: the aftermaths of the Diginotar hack will force to rethink the current authentication model and chain of trust (even because authentication technologies and vendors are increasingly tied) even if we seriously risk to run out of ammo: in this year we lost tokens and CAs… Now What Else?

Strong Authentication: Back To The Future

The month of March will go into the annals of Information security. First the breach of RSA, then the issue of fake Comodo Certificates (with the subsequent claim by the Iranian Comodo Hacker) have gradually brought down the (few) certainties the Strong Authentication technologies relied on.

While commenting the beginning of this new era made of very few certainties for our digital identity, I could not help thinking about the (apparently) downward trend to which I was getting used with regards to the strong authentication mechanism adopted for my home banking (be quiet I do not currently have any RSA SecurID tokens, fortunately). Hindsight it could be interpreted as a strange omen (I would suggest RSA to follow the same path).

My first E-Banking contract dates back to 2005, and it was signed with a Regional Italian Bank. In that year, for perfoming operations such as money transfer, I was given a digital certificate stored in a floppy disk (in 2005 sigh!) for electronically signing every transaction. At that time I was firmly convinced that Digital Certificates were the most secure method to strong authenticate transactions, but I never used that certificate since, back in far 2005, a floppy disk was already a thing of the past.

A couple of years later the same bank made a Copernican (r)evolution and decided to dismiss all the certificates in exchange of OTP tokens (not manufactured by RSA but from competitor). Despite some scattered small issues due to a poor IT governance (in a couple of circumstances there was no way to make the PIN to be recognized  and I also was victim of a data loss related to the electronic transactions of the previous four months (of course rigorously without backup, even if the operations had effectively been made), I was quite satisfied with the tokens (but not with the bank). Of course needless to say that these kinds of incidents always happened when I desperately needed to complete the transaction.

Five months ago I changed my bank (looking for better conditions) and decided to open a brand new completely on-line account. Well! Guess what kind of device I was given to authenticate the transactions? After a digital certificate and a token, I would have expected at least a PKCS#11 OTP USB Key… Not at all, I was given instead an efficient (but not very elegant or technological) card with a numerical grid composed by 24 triplets. Nowadays for each operation I am asked to insert three numbers each of them belonging to a different triplet randomically chosen between the 24 printed in one face of the card.

Of course even the most fervid imagination could not imagine that the parable of the strong authentication methods for my bank accounts during these years, could be interpreted as a premonition. Actually banks always know more than the devil, especially when it comes to other people’s money, but I must confess, that, although my initial disappointment for the progressive weakening of the authenticated mechanism necessary to sign transactions, in the last month I changed my mind and now I feel more comfortable with a card having impressed a kind of Caesar Cipher (yes I know that is just not the same thing but the comparison is appealing: back to the future!) than with an OTP Token or a certificate.

I was almost thinking of trying the strong authentication via SMS, but just today I realized that it is not particularly advisable, most of all on the iPhone, where the 2FA (Two Factor Authentication) mechanism has just been compromised. Ok I have an Android terminal but maybe is better not to use any mobile terminals, the threats like Zitmo (Zeus in The Mobile), are always around the corner.

Will Energy Facilities Be The Next Targets Of Cyber-War?

April 3, 2011 6 comments

I spent some time in reading the declarations of Comodo Hacker, the alleged author of the fake Certificates issued by mean of the compromising of a couple of (sigh!) Italian Comodo Partners, and I found some very interesting points far beyond the single event.

Actually, it had been clear from the beginning that the attack had been performed from an Iranian ISP, feeding the hypothesis of an Iranian Cyber Army action aimed to intercept emails from dissidents in a quite troubled moment from the Middle East after the winds of change blowing from the Maghreb.

Anyway Comodo Hacker was anxious to quickly put the record straight, declaring he was the only author of the attack, and, if one just wanted to involve an army on the event, had to consider that he was the only army, being able to rely on his own experience of 1000 programmers, 1000 project managers, 1000 hackers:

Now, even if the political connotation of the message still makes me think that behind this act there might be a real cyber army (but this is my personal opinion), this is not the real point. The real point is that this attack occurred as a kind of revenge against Stuxnet, and more in general the fact, supported by Comodo Hacker, that the U.S. and Israel where behind it.

Fight fire with fire, fight code with code…

The attack to Comodo Certificates has left a wide impact in the INFOSEC world and probably things will not be the same anymore since in few days  all the strongholds, the identity security model relied on, have been miserably compromised (I took the liberty to add the RSA affaire to this event even if there is no evidence so far of a political matrix behind it). But there is another interesting point, and it is the third law of motion (you will not probably know I was a physic in my previous life) which, with not too much imagination, could be applied to infosec as well, if one considers the events that are happening: “the mutual forces of action and reaction between two bodies are equal, opposite and collinear”, which, in few and simple words should sound as: “to every cber-action corresponds an equal and opposite cyber-reaction”. If this is true, this means to me, as an infosec professional, that we will have to get used to similar cyber actions. Also from this point of view things will not be the same anymore…

Armed with this awareness, my mind runs inevitably among the dunes of the Libyan desert, where a civil war is being fought, now sadly familiar to all. Let me fly (but not too much) with my imagination and think that the Civil War will end up with the exile of Mr. Muammar Gaddafi. In this case it is likely to expect that he will find his revenge, not only with real terrorists act, but also with (cyber)terrorist acts, in the wake of the Comodo affaire, which, even if related to Iran, is the first known example of a cyber-terrorist act strictly related not only to the Stuxnet attack, but also to the movements flooding from Maghreb to Middle East, what I called the Mobile Warfare due to the primary role played by the mobile technologies inside these events.

We don’t have privacy in internet, we don’t have security in digital world, just wait and see… These lines can be considered as a kind of Declaration of Cyber-war against everything…

Targets of Cyberwar

Nowadays everything has a stream of bit inside and as a matter of fact is vulnerable to malware. What is happening in Libya (and the consequences on our energy bills), together with the risk of nuclear meltdown in Fukushima is pushing the so called Western world to reconsider its energy policy and accelerate the development of Smart Grids in order to promote a better, wiser use of energy. In these circumstances compromising an energy facility would have a huge practical and symbolic impact (do you remember the Night Dragon APT, tailored specifically for Oil Facilities?), that is the reason why, in my opinion, the first targets of this Cyber-terrorism reaction will be energy utilities. Few weeks ago I wrote an article (in Italian) concerning vulnerabilities and security of Smart Grids, which can be considered the “world of unknown” from a security perspective since they adopt an Internet open model to interconnect old legacy SCADA systems and, to make matters worse, the structures that govern the IT world and the SCADA world have a silo-ed approach being often mutually suspicious against each other. As a dark omen, few days later, a list of 34 0-day SCADA vulnerabilities was released by Luigi Auriemma, an Italian Researcher.

Think about it: compromising a smart grid with a SCADA malware could have potentially devastating consequences and should sound as a kind of dark revenge: imagine an Iranian SCADA malware sabotaging the energy facilities of U.S., and more in general the facilities the Western World is building to cut the umbilical cord that ties him strictly to the Middle East countries (that often are also the hottest as far as the political temperature is concerned).

Moreover, the development of electric vehicles will further complicate the scenario since they will be able to interconnect Directly to Home Area Networks (the borderline of Smart Grids), offering an unexpected (and probably not so complicated) ingress point for Cyber-Terrorists to Smart Grids, if it is true that nowadays a small car owns 30-50 ECU (Electronic Control Units) interconnected by a bidirectional Synchronous bus and governed by something like 100 millions of lines of codes. My dear friend and colleague, ICT Security expert and Aviation Guru, David Cenciotti will be glad to know that an F-22 Raptor owns about one tenth of lines of codes (“only” 1.7 millions), the F-35 Joint Strike Fighter about 5.7 millions and Boeing 787 Dreamliner about 6.5 millions used to manage avionics and on-board systems. Of course one may not exclude a priori that these systems may be target as well of specific tailored malware (do you remember the intrepid Jeff Goldbum injecting on the mother ship of Aliens on Independence Day?)

Prepare ourselves for a Smart Grid Stuxnet? I think there is enough to be worried about for the next years…

Mobile Warfare… Certified…

March 30, 2011 3 comments

In this post I explained that, what I called the mobile warfare (that is social protest driven by mobile technologies and social networks), is rapidly spreading all over the Middle East, apparently with a systematic time scale (so far events in Tunisia, Egypt and Libya have been separated by approximately a month).

Many observers claim that, in the shorter term, Syria and Bahrain could be the next targets of internal protests (last week 150 people were killed in Syria and today the government led by PM Naji Otri has resigned, apparently a quantum shift).

But the wave coming from Maghreb, led by the mobile warfare, seems unstoppable and in the longer term, also Iran and Iraq, the main barriers of fundamentalism, could be affected as well.

Of course, one of the most exciting things of Infosec, is the fact that the reality is always one step ahead of the imagination. As a matter of fact I tried to imagine different ways in which bad guys from totalitarian regimes could prevent mobile technologies and social networks from achieving their scope to encourage citizens to join the protests, including DDoS, Internet connectivity disruption and so on… I could not imagine, however, that one could think to issue rogue certificates for some high profile websites used for email and chat in order, maybe, to intercept cumbersome and subversive communications.

That is exactly what happened with the Comodo Affaire in which some fraudulent certificates were issued by the Comodo Certificate Authority, exploiting a vulnerability of a couple of Italian affiliates (sigh!) globaltrust.it and instantssl.it allowing to issue a legitimate signed certificate on behalf of any requesting entity. This vulnerability was used in order to issue rogue Certificate Signing Request (CSR), that is false request to obtain legitimate SSL certificates for the following web sites:

  • login.live.com
  • mail.google.com
  • http://www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

For those of you, who are not too much practical with Public Key infrastructure and Cryptography, this means that, in simple words, once obtained a rogue certificate one may build a false web site (for instance a false mail.google.com website) to capture precious information normally “traveling” on the web encrypted, for instance username and password of private email. This is called a man-in-the-middle attack.

Since it was discovered that the rogue Certificate Signing Request originated from an ISP located in Iran, an alleged political origin for the attack was proposed, motivating it with the attempt of the Iranian government (enforced by a Cyber Army), to intercept communications and more in general emails and chats belonging to political leaders not “too close” to the positions of Mr. Mahmoud Ahmadinejad (mmhh.. at least for the alleged purpose, to me it reminds Operation Aurora, doesn’t it?)

Now, it looks like that a lonely ranger Iranian hacker, not belonging to any army, claimed the to be the only author of hack (at this link the complete history and a detailed analysis of the event). Probably a real Iranian involvement will not ever been confirmed, but to me, the doubt that this action was planned to stop the mobile warfare remains intact. Otherwise I would not be able to understand why only certificates related to secure communication methods were affected, often used by dissidents to organize protests and share news with the world.

Follow

Get every new post delivered to your Inbox.

Join 2,714 other followers