Monday, September 5, 2011

Diginotar notes

So, over the weekend, we became aware that a Dutch certificate authority had been hacked, and a whole truckload of fake certificates issued for people like Google and Mossad, to mention just a few of the more embarrassing ones. In the fullness of time, it's become clear that the initial result of this is that for at least a day, Iranian Internet users were subject to mass Man In The Middle attacks.

The certificates have now been revoked, but there is a certain amount of damage already done.

What this means to those who have been attacked, is that authorities probably read a whole lot of their supposedly private emails, and may have stolen their login credentials for future use. If you happen to be an Iranian dissident, that's probably not good news for you.

There are a couple of shoes left to drop, however. The first is that some of these certificates could probably be used to sign executable code, which in turn will make it easier to slip targeted malcode into a victim's system. Stuxnet, you might recall, was code signed with stolen certificates, so as to avoid Windows warnings.

I don't like this idea at all, as I'm fond of having electricity, and would prefer it stayed on. Just sayin'.

The second, and bigger shoe, is the simple idea that a medium sized Certificate Signing Authority can (a) have so much power, and (b) be so poorly defended.

How many more such authorities are there? It's worth pointing out that this is probably the second hack of a CA by the same guy, and we may be confident that he'll find more.

The really sad thing is that there is no easy solution for this. No single bit of software, like anti-virus, will protect us.

The best we can do is to start layering in defenses.

For starters, make CAs show some level of security sense.

From an end user point of view, use a different password for each site, so that one stolen credential doesn't unlock the rest.

Create a user-grade account for your PC, and use it on a daily basis, instead of an admin-level one.

If your computer warns you about a dodgy certificate for a website, or for an executable... listen to it.

Keep patched (obviously) and find an anti-virus program that doesn't rely on signatures.

Most importantly, more needs to be done by ISPs, and backbone providers. Botnets have to be reduced.

We have probably reached a point where machines cannot be allowed on the Internet if they are showing they are infected. As it is, no one cares, as there is no revenue in it.

This has to change.



Martin Overton said...

Nice post Roger, well thought out and to the point.

Roger Thompson said...

Thanks Mart