unnamednewbie13
Moderator
+2,053|7011|PNW

Will growing cyber-crime affect your online shopping habits?

Cracked digital certificates endanger 'web of trust'
Authentication breach could signal new cyber crime threat

============================================================

One stolen Google website authentication certificate would have been reason enough for Web users to worry, but it turns out last week's security breach at the Dutch certificate authority DigiNotar is far more damaging than first thought, and could signal a new and extremely dangerous cyber crime threat.

On Aug. 30, the news broke that a hacker calling himself "Comodohacker" made off with a Google authentication certificate on July 19, which allowed him to set up fraudulent Web pages under a legitimate Google domain name and harvest the personal information of anyone who visited his spoofed sites.

A bit of background on authentication certificates: DigiNotar, like all certificate authorities, issues digital Secure Sockets Layer (SSL) certificates of trust to websites that authenticate themselves to browsers, which is necessary to establish a secure, HTTPS connection.

Every time you start a secure session online, your computer gets a digital certificate from that site authenticating that it is indeed Google or Amazon or Facebook, and not some hacker just pretending to be those sites. Your browser accepts that certificate, because it has been issued by a trustworthy certificate authority.

The entire online economy depends upon this so-called 'web of trust,' where all digitally certified sites agree to trust one another, and for Web browsers to trust them. It's this trust that allows online businesses like Amazon and the iTunes Store to flourish, and if there's a single rip in that web, the whole thing could come apart.

The DigiNotar problem, it turns out, extends beyond Google: Hackers stole not just one SSL certificate, but 531, including ones for Facebook, Skype, Mozilla, Microsoft, Yahoo, Android, Twitter, and Web domains owned by the CIA, Israel's Mossad and the UK's MI6, Computerworld reported.

Who is behind this monstrous hack?
In a message posted on Pastebin, the Iranian man who in March hacked into the certificate authority Comodo to steal SSL certificates for Google, Yahoo, Skype and Microsoft took credit for the DigiNotar breach.

In broken English, Comodohacker, as he calls himself, claimed that the hack was in retaliation for the Dutch involvement in the Srebrenica massacre in 1995, in which, he wrote, the "Dutch government exchanged 8,000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8,000 Muslims in same day.

"Dutch government have to pay for it, nothing is changed, just 16 years has been passed," he wrote.

Comodohacker wrote that DigiNotar is just the beginning, and that he has access to four more high-profile CAs, including GlobalSign. (GlobalSign Sept. 6 stopped issuing all certificates until the investigation is complete.)

How devastating is this?
"The attack on DigiNotar will put cyber war on or near the top of the political agenda for Western governments," said Roel Schouwenberg, senior anti-virus researcher for the security firm Kaspersky Lab.

Schouwenberg believes that, although the "attack on DigiNotar doesn't rival Stuxnet in terms of sophistication or coordination," its consequences will "far outweigh those of Stuxnet," the worm that last year disrupted operations at an Iranian nuclear power plant.


What Comodohacker did, in one swift move, was fracture the implicit trust Web users have when logging on to a site, especially one as high profile as Google or Facebook.

How did it happen?
The DigiNotar hack essentially blew a hurricane-strength breeze at the fragile house of cards built by certificate authorities. There are too many of them around the world, and many of them subcontract the issuing of certificates to third parties who aren't thoroughly vetted.

One would think DigiNotar, which was so prominent that the Dutch government had it handle its own certificates, would take extra precautions to keep itself secure, seeing as so many important Web domains rely on it, but clearly, that wasn't the case.

A report from Fox-IT, the security auditors hired to investigate the DigiNotar breach — Fox-IT called the hack "Operation Black Tulip" — found that DigiNotar had been compromised for more than a month without taking action.

That's not the most glaring oversight; all of the SSL certificates belonged to a single Windows domain with a weak password, allowing the hacker to access them all in one swoop, Fox-IT found.

Perhaps the most disturbing findings: "The software installed on the public Web servers was outdated and not patched," Fox-IT wrote, and "No anti-virus protection was present on the investigated servers."

What now?
The Dutch government has since taken control of DigiNotar, and with DigiNotar down and out, government business in the Netherlands has taken an interesting step into a pre-Internet world.

While the incident is under investigation, Dutch courts have advised lawyers to use fax machines and snail mail instead of email, the Wall Street Journal reported.

"Most of our work is digital. But now we have to use notes, which is like a step back in time," Diederik Maat, a lawyer, told the WSJ. "For courts and law firms, this is an administrative nightmare."
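The mechanism the article sketches, that a browser accepts any certificate chaining to any CA in its trust store, so one compromised CA can vouch for every domain, and that the remedy is to pull that CA from the store, shown with Go's standard crypto/x509 library. This is an added example written for this thread, not code from the article, DigiNotar or any browser vendor; the CA names, the host www.example.com and all key material are constructed locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a key pair and certificate for name: a self-signed root CA when parent is nil
// (standing in for a CA like DigiNotar), else a server cert for host `name` signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // all material is generated locally
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf certificate for a web server
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // errors discarded: these demo inputs cannot fail
	return cert, key
}

// BrowserAccepts reports whether a client trusting exactly roots accepts leaf for host; any one trusted root suffices.
func BrowserAccepts(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario replays the incident: a cert for host issued by the compromised CA is accepted while
// that CA sits in the trust store and rejected once it is removed, which is the fix browsers shipped.
func Scenario(host string) (beforeDistrust, afterDistrust bool) {
	goodCA, _ := newCert("Good Root CA", nil, nil)
	badCA, badKey := newCert("Compromised Root CA", nil, nil)
	leaf, _ := newCert(host, badCA, badKey)        // what the intruder could mint for any host
	trusted := []*x509.Certificate{goodCA, badCA} // a browser's root store before the fix
	return BrowserAccepts(leaf, trusted, host), BrowserAccepts(leaf, trusted[:1], host)
}
```

Scenario returns (true, false): the forged certificate validates for as long as the compromised root is trusted, and nothing about the certificate itself reveals the forgery, which is why revoking trust in the CA was the only effective response.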
NeXuS
Shock it till ya know it
+375|6581|Atlanta, Georgia
It won't really affect my buying habits. I do all my shopping through either Newegg or Amazon. So they can fake their certificates all day, but that doesn't mean I'm shopping in other places that I don't trust.
KEN-JENNINGS
I am all that is MOD!
+2,979|6872|949

NeXuS wrote:

It won't really affect my buying habits. I do all my shopping through either Newegg or Amazon. So they can fake their certificates all day, but that doesn't mean I'm shopping in other places that I don't trust.
You could be browsing a site that looks like newegg or amazon but really just steals your data.
unnamednewbie13
Moderator
+2,053|7011|PNW

Bank tellers (in my experience) seem to have been bullying people into banking online lately. Personally, I just keep track of transactions about a couple times per week and have spotted nothing that I can't identify from memory or inquiry. With the amount of stuff traveling over wire, I'd recommend that anyone do this.
KEN-JENNINGS
I am all that is MOD!
+2,979|6872|949

unnamednewbie13 wrote:

Bank tellers (in my experience) seem to have been bullying people into banking online lately. Personally, I just keep track of transactions about a couple times per week and have spotted nothing that I can't identify from memory or inquiry. With the amount of stuff traveling over wire, I'd recommend that anyone do this.
It's a calculated plan by the banks to automate everything to lower employee overhead.  That's why they are pushing toward automation, online banking, etc.

I have a separate account for online transactions.  I transfer money into the account as I need it.  This is how I limit my liability in online monetary transactions.  I may get burned (haven't yet), but at least I only lose that transaction amount as opposed to having my whole account wiped clean.
Jay
Bork! Bork! Bork!
+2,006|5598|London, England

KEN-JENNINGS wrote:

unnamednewbie13 wrote:

Bank tellers (in my experience) seem to have been bullying people into banking online lately. Personally, I just keep track of transactions about a couple times per week and have spotted nothing that I can't identify from memory or inquiry. With the amount of stuff traveling over wire, I'd recommend that anyone do this.
It's a calculated plan by the banks to automate everything to lower employee overhead.  That's why they are pushing toward automation, online banking, etc.

I have a separate account for online transactions.  I transfer money into the account as I need it.  This is how I limit my liability in online monetary transactions.  I may get burned (haven't yet), but at least I only lose that transaction amount as opposed to having my whole account wiped clean.
Your bank doesn't cover fraud? I just have to call Chase and they take care of it.
"Ah, you miserable creatures! You who think that you are so great! You who judge humanity to be so small! You who wish to reform everything! Why don't you reform yourselves? That task would be sufficient enough."
-Frederick Bastiat
KEN-JENNINGS
I am all that is MOD!
+2,979|6872|949

Fraud is different.  Purchasing something from a website that you aren't sure about isn't fraud.  That's like expecting your bank to cover you if you buy counterfeit tickets to a sporting event.

But yes, my bank covers fraud.  I'd rather not have to rely on my bank when I can control certain parameters.
SEREMAKER
BABYMAKIN EXPERT √
+2,187|6808|Mountains of NC

mail order catalog


nothing to worry about
https://static.bf2s.com/files/user/17445/carhartt.jpg
13rin
Member
+977|6719

SEREMAKER wrote:

mail order catalog brides


nothing to worry about
Fixed.

@ ken...

Well, there's your problem, you said your bank.... Don't use your own money to begin with.

Last edited by 13rin (2011-09-07 19:37:19)

I stood in line for four hours. They better give me a Wal-Mart gift card, or something.  - Rodney Booker, Job Fair attendee.
unnamednewbie13
Moderator
+2,053|7011|PNW

Jay wrote:

KEN-JENNINGS wrote:

unnamednewbie13 wrote:

Bank tellers (in my experience) seem to have been bullying people into banking online lately. Personally, I just keep track of transactions about a couple times per week and have spotted nothing that I can't identify from memory or inquiry. With the amount of stuff traveling over wire, I'd recommend that anyone do this.
It's a calculated plan by the banks to automate everything to lower employee overhead.  That's why they are pushing toward automation, online banking, etc.

I have a separate account for online transactions.  I transfer money into the account as I need it.  This is how I limit my liability in online monetary transactions.  I may get burned (haven't yet), but at least I only lose that transaction amount as opposed to having my whole account wiped clean.
Your bank doesn't cover fraud? I just have to call Chase and they take care of it.
Whatever the bank does, Ken has a good point. I also keep a separate account active for online purchases. That way if it gets burnt, your main's more likely to remain untouched.
Shahter
Zee Ruskie
+295|7015|Moscow, Russia
so, let me get this straight:

somebody hacks into extremely important security web, gets the ability to fish for ungodly amounts of personal data and via that immeasurable kewl stuff and then that person/group just... blows all that up by leaving an "all your base are belong to us" message?

k.

Last edited by Shahter (2011-09-07 23:10:12)

if you open your mind too much your brain will fall out.
FEOS
Bellicose Yankee Air Pirate
+1,182|6651|'Murka

Shahter wrote:

so, let me get this straight:

somebody hacks into extremely important security web, gets the ability to fish for ungodly amounts of personal data and via that immeasurable kewl stuff and then that person/group just... blows all that up by leaving an "all your base are belong to us" message?

k.
Fortunately, many hackers can't NOT brag about their exploits (no pun intended). It's how many of them get discovered, not forensically.
“Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.”
― Albert Einstein

Doing the popular thing is not always right. Doing the right thing is not always popular
