Find out in this part of the lecture at FSU about the most outrageous certificate authority attacks of the last years and the consequences they could lead to.So, about securing the Internet. Let’s go over some important certificate authority attacks (see right-hand image). Now in this first slide I used attacks in finger quotes, because the following people that we know about so far were just able to attain major certificates without any hacking.
Mike Zussman obtained login.live.com, which is run by Microsoft, because he just asked for it. He didn’t provide any fraudulent information; they were just like: “Ok, here”. There’s no VA or RA in the mix, it was a certificate provided to existing user, and they gave it to that Mike Zussman guy. And all he was doing was security research. Apparently he didn’t have to do much research, really, at all to prove that: “Hey, this system doesn’t work”.
Eddy Nigg was able to do the same with Mozilla.com. No validation authority stopped him. He was simply investigating unethical CA practices and basically hit the jackpot on his first try. You can read about it there.
Then, at some other point, VeriSign issued a code signing certificate for the entity in Microsoft Corporation unknowingly to unknown hackers that still have not been found out today. This allowed them to sign kernel mode drivers, Windows updates, applications, etc.Now let’s talk about actual attacks (see right-hand image). A really noteworthy one was in 2010; RSA got hacked. It’s not really SSL, but the RSA sold this service called SecureID. In essence, it’s providing the same thing SSL does; a secure communications protocol that provides secrecy, integrity and authentication. And in this model there’s one root certificate authority, RSA.
Now, in 2010 this totally makes sense. For a Fortune 500 company I don’t want to use the SSL system and can probably afford the best price for my corporation. Everyone in this room realizes that yes, this system is broken, when you sign it’s easier to lockdown and easier to trust. So, this became a popular program. However, when RSA was hacked, SecureID was compromised, and, essentially, a massive hack hit 760 companies. It hit 20% of the Fortune 100 list, so 20 companies in the Fortune 100, because 20% of the 760 is… well, you can do the math. So, it also hit many more of the Fortune 500. It hit Google, Facebook, Microsoft.… Which brings me to Comodo (see right-hand image). The reason I’m going to talk about Comodo so much is solely because of the drama. When Comodo got hacked in March 2011, it was a big deal. They came out and news reports stated that Comodo suspects that it was hacked by Iran. It’s a pretty bold claim; attribution when getting hacked is hard. People can be behind proxies, IPs can be spoofed, people can move around, people can hack others and frame them. So they outright claimed that they believed that Iran hacked them. And they published the IP address for the hacker and the longitude and latitude, and this is in Iran. The attacker made off with some important certs that allowed them to sign things: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, etc. Immediately after the attack was discovered, the CEO issued the following statement: “This attack was extremely sophisticated and critically executed… it was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate”. Again, I urge you to watch the video for today, because it covers this in depth. He also claimed that all the IP addresses involved in the attack were in Iran, and this sparked a debate on cyber war (see right-hand image above).
So, Comodo secures about 25% of the Internet. If one state was to compromise 25% of the Internet, imagine what they could do. They could do a lot. They can attack a lot of people. They can have a lot of power. And he went on to say in a later statement, after many statements, the following: “All of the above leads us to one conclusion only: that this was likely to be a state-driven attack”. So… drama, because you’re now talking about, essentially, cyber war.
After that first CEO statement the attacker posted something on Pastebin. It was basically a response to the CEO, and he posted many following responses to the CEO and rambled a lot. I believe the majority of his responses are impacted by knowing buzzwords and having bad English, because it’s my opinion that it’s a script kiddie who just can talk a really big game. He strung together technical concepts and attack concepts that don’t make sense. I urge you to check out the ramblings, because it’s actually pretty hilarious.Surely there must be consequences to something like this. An amateur breaking 25% of the Internet, and Comodo got attacked 3 times later that year. Surely something happened to Comodo, right? I mean, we’re placing a lot of trust in them. They’re securing your bank account. If you had money in a bank downtown and 25% of your money was just stolen, and they were caught and they were investigated – wouldn’t you do business with someone else? Turned out nothing happened, no one cared, and CEO of Comodo was named Entrepreneur of the Year at RSA 2011. No consequences; it’s like you’re too big to fail. … Which brings us to DigiNotar (see right-hand image). DigiNotar ran into an issue when they noticed that it signed a rouge *.google.com certificate. And this was presented to a number of users in Iran. When this came to the attention of DigiNotar, because it didn’t intentionally issue this certificate, they quickly revoked it and they claimed: “Hackers!”
If an attacker did this, which, it turns out, an attacker did, they were able to compromise the private key for DigiNotar and they were able to sign any certificate. And DigiNotar was a root CA that, at the time, your browser trusted; it was one of those 40.
This particular case is important, because the entire Dutch government runs off of DigiNotar certificates. So, the attackers were able to compromise the entire Dutch government! Problem? Even if they didn’t attack the great people of the Netherlands, it still poses a serious problem and is a big wake up call. What if this happened to the entire American government or the entire government of China and so on?
This time the attacker posted more stuff on Pastebin and he named himself as Comodo hacker, saying it’s the same guy: “I can 0day your mobo, fear me, and I have tons of SSL certs, I can sign for anything”.What happened is the Dutch government seized the company and took over it. That same month the company was declared bankrupt. The lesson learned here is: if you’re a CA, you can often be too big to fail. However, when you fail, if you cause someone bigger than you to fail, then you’re screwed. It’s game over. Essentially, this was highlighted as a complete compromise of the CA system.
2011 was a bad year. In Israel StartCom was rumored to be breached – I don’t think it actually happened. GlobalSign was also rumored to be breached by the same hacker that got DigiNotar, but their reports concluded there was no evidence of any breach.
I’m bringing these rumors up because it’s important to know that in a network of trust rumors can diminish the actual trust. And think about how that should affect your decisions if you were to make these decisions on your own. If there is some rumor that, say, you’re working with your teammate and your systems just got completely hacked and you’re working on the stuff that’s for your Master’s thesis or dissertation, and it all gets stolen. You probably wouldn’t share any more information with them. However… we’ll talk about that later.Another important thing that I want to talk about now, not because it happened, but because of how it was handled, was VeriSign was repeatedly hacked in 2010 (see right-hand image). When they were discovered by the security and incident response team, the CEO and the management was not notified. So there was no public statement. In fact, there never was any public statement made by VeriSign saying: “Sorry customers, we were hacked”.
Now, it’s important to know that at the time, in the summer of 2010, VeriSign sold its SSL business to Symantec. But no one really knows when the attacks began again in 2010. VeriSign at the time, when it had its SSL business, secured over 50% of the Internet, which means .com, .net, .gov. Essentially, an attacker with a signed certificate for those top level domains could impersonate almost any company on the Internet.
These reports came out only because new SEC guidelines required reporting security breaches to investors. These new guidelines have subsequently resulted in an explosion of reports and filings about security breaches and breach risks. And you can read about that on that Reuters post.
VeriSign also runs other important services like DNS. And their DNS system processes 50 billion queries a day. So, instead of going to google.com, if I compromise that as a hacker, I can make you go to a website that I have malware on to own your box just by visiting it, perhaps.
At that scale, being able to own the Internet, people start throwing around the word “cyber”. And “cyber” to politicians means: “Oh my god, cyber war, I don’t understand anything”. Attacks of this scale would be extremely valuable to advanced persistent threats. Advanced persistent threats need not be state organized or state run. It can be a well-resourced and well-established underground group that really knows what it’s doing. It’s perhaps made of ex-government Special Forces and really ‘good’ people that just want to make a ton of money by robbing everyone blind.
Read previous: Web Application Hacking 3: Hurdles for Securing the Internet