Two recent hacking incidents have highlighted the increasing fragility of the Internet’s core infrastructure and serve as a stark reminder that security on the Internet is somewhat illusory. The weaknesses have been known about for some time but the motivation to implement solutions has not had enough momentum to spur everyone to action.
The recent events of the past few months, however, may have pushed Internet providers to a tipping point.
Comodo Hacker breaks SSL
The more serious of the two incidents was carried out by a hacker called the Comodo Hacker, or Ich Sun as his Twitter account was known.
In March of 2011, he hacked a company called Comodo, which is responsible for issuing certificates that underpin the secure Internet protocol SSL. You can see a certificate when the padlock icon appears on a browser URL when you are connected to a secure site, for example your bank.
Essentially, the hacker was able to use Comodo to create fake certificates for sites like google.com and login.yahoo.com. This particular hack was detected and disclosed early and the consequences of it were limited.
At the time, the hacker was identified as a 21-year-old Iranian national from information that he released. The hacker wanted to impress the world with his skill and sought to justify the hack as retaliation against what he perceived as actions by the US and Israel, in particular, in their role in the Stuxnet virus attack against an Iranian nuclear facility. He insisted that he was working alone and not, as allegations had claimed, that the attack was organised by the Iranian Government.
Comodo Hacker Reprised
The Comodo Hacker promised more to come. In this he was true to his word: in August the security company Fox-IT was asked to investigate the appearance on the Internet of a rogue certificate for google.com. Although the certificate had been identified and revoked (effectively cancelled) on the 29th of August, the hacker had actually compromised DigiNotar, the company responsible for issuing it, during the period from the 27th of June to the 22nd of July.
There is evidence that the google.com certificate had been used in Iran to fool Google users there into thinking that they were connecting securely to Google sites when in fact, they were probably logging into sites controlled by the Iranian Government. All communication, emails, usernames and passwords would have been available in unencrypted form.
The fact that the certificates were being used to spy on the Iranian people was bad enough, but the problems didn’t stop there. It turned out that DigiNotar, based in the Netherlands, was also responsible for issuing certificates for the Netherlands Government, amongst many other companies and organisations.
The hacker had issued 531 certificates from DigiNotar. This caused the browser manufacturers, Google, Mozilla (Firefox), Microsoft and eventually Apple to remove DigiNotar from their list of trusted Certificate Authorities (CAs) and issue patches to their software.
The Dutch Government and other DigiNotar customers will need to replace all of their DigiNotar certificates with certificates from another CA.
TurkGuvenligi breaks DNS
Another hacker (group) was, in the meantime, subverting a different piece of the Internet. This hack was by someone calling himself TurkGuvenligi (The Legend) and basically involved a technique of DNS Hijacking.
The Domain Name System (DNS) is the way names such as www.google.com are translated into numbers, allowing programs to communicate with each other over the Internet. DNS Hijacking involves substituting a different address for the real one, so that a name resolves to a machine of the hijacker's choosing.
So in the case of the TurkGuvenligi hack, sites such as Vodafone, The Register, The Telegraph and National Geographic were pointed to a website with the TurkGuvenligi name and a statement celebrating “World Hackers Day”.
The importance of the TurkGuvenligi hack is that, combined with fake SSL certificates, it means that a person would have no idea that they were not at the real site.
In the past, security professionals have claimed that a spoofed DNS would not matter so much because if you used a secure SSL connection, the browser would alert you to the fact that the certificate wasn’t correct.
By combining the Comodo Hacker’s exploit with that of TurkGuvenligi’s DNS attack you have a situation where literally anyone could fool a very large number of people into thinking there was nothing wrong.
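The combination described above defeats the browser's own check because the rogue certificate chains to a CA the browser trusts. What catches it is an independent expectation held by the client: a pinned public key for the site and an expected address range for its DNS answer. The following is an added example, not code from the article, showing such a check over constructed observations; the host name, key bytes and address ranges are placeholders, and the session dictionaries stand in for what a client would extract from a real DNS answer and TLS handshake.

```python
import hashlib
import ipaddress


def spki_pin(spki_der: bytes) -> str:
    """A pin is the SHA-256 of the DER-encoded SubjectPublicKeyInfo."""
    return "sha256:" + hashlib.sha256(spki_der).hexdigest()


# Constructed placeholder key material; no real site's key is used here.
GOOD_SPKI = b"constructed-spki-of-the-legitimate-site"
ROGUE_SPKI = b"constructed-spki-issued-by-a-compromised-ca"

# Constructed local policy: the address range and public key the client
# expects for the site, learned on an earlier visit or supplied out of band.
POLICY = {
    "www.example-bank.test": {
        "pins": {spki_pin(GOOD_SPKI)},
        "networks": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3
    },
}


def check_session(session: dict, policy: dict = POLICY) -> dict:
    """Check one observed connection against the local policy.

    session keys: host, resolved_ip, spki_der and chain_valid (whether the
    certificate chained to a CA in the browser's trust list). A rogue
    certificate from a trusted-but-compromised CA has chain_valid=True, so
    the pin check, not the CA list, is what flags it.
    """
    host = session["host"]
    rules = policy.get(host)
    if rules is None:
        return {"host": host, "verdict": "no-policy", "findings": []}

    findings = []
    ip = ipaddress.ip_address(session["resolved_ip"])
    if not any(ip in net for net in rules["networks"]):
        findings.append("dns: resolved address outside the expected range")
    if spki_pin(session["spki_der"]) not in rules["pins"]:
        findings.append("tls: server key does not match the pinned key")
    if findings and session.get("chain_valid", False):
        findings.append("note: CA chain validated, so the browser alone would show no warning")

    verdict = "block" if any(f.startswith(("dns:", "tls:")) for f in findings) else "ok"
    return {"host": host, "verdict": verdict, "findings": findings}


# Constructed observations: a normal visit, and the DNS-plus-certificate
# combination the article describes.
LEGITIMATE = {"host": "www.example-bank.test", "resolved_ip": "203.0.113.10",
              "spki_der": GOOD_SPKI, "chain_valid": True}
HIJACKED = {"host": "www.example-bank.test", "resolved_ip": "198.51.100.7",
            "spki_der": ROGUE_SPKI, "chain_valid": True}

if __name__ == "__main__":
    for s in (LEGITIMATE, HIJACKED):
        print(check_session(s))
```

The policy is per host and is deliberately small: a first-visit client has no entry and gets "no-policy", which is the honest answer, since a pin can only protect sites the client has already learned about.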
The Internet is Broken
Modern society has increasingly come to rely on the Internet for almost every aspect of life, from commerce, through to health, personal expression and political dissent.
In turn, a great deal of this relies on being able to operate securely when needed. When you are using your bank account, buying something online or organising a demonstration against a policy you don’t agree with, you need a secure connection to a legitimate site.
The events of the past few months have highlighted that we cannot rely on the current infrastructure to provide any sort of guarantee to a secure environment.
Solutions to fix the Internet?
So, are there any alternatives to the current infrastructure that would be better?
On the SSL side, the Perspectives Project from Carnegie Mellon University has released a solution called “Convergence”.
In this scheme, instead of having a list of Certificate Authorities that are dictated by the browser, you can nominate people you trust (such as your local university) to validate a site that you are visiting. The benefit of this is that you can change the list and have as many or as few “notaries” validate the site for you.
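The notary idea is simple enough to show in a few lines. Below is an added example, not code from the Perspectives or Convergence projects, of the consensus step: each notary reports the certificate it saw for a site from its own vantage point, the client compares that with the certificate it was handed, and the client alone decides which notaries to consult and how many must agree. The notary names, host name and certificate bytes are all constructed placeholders.

```python
import hashlib
from collections import Counter


def cert_fingerprint(cert_der: bytes) -> str:
    """Fingerprint a certificate by SHA-256 over its DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed certificates: the site's real one and a rogue one that a
# compromised CA signed for the same name.
REAL_CERT = b"constructed-der-of-the-real-certificate"
ROGUE_CERT = b"constructed-der-of-a-rogue-certificate"

# Constructed notary observations: what each notary saw when it connected
# to the site from its own network. A notary that never contacted the host
# simply has no entry for it.
NOTARY_REPORTS = {
    "notary.university.test": {"www.example-bank.test": cert_fingerprint(REAL_CERT)},
    "notary.isp-a.test": {"www.example-bank.test": cert_fingerprint(REAL_CERT)},
    "notary.friend.test": {"www.example-bank.test": cert_fingerprint(REAL_CERT)},
    "notary.overseas.test": {},
}


def notary_verdict(host, observed_fp, reports, trusted_notaries, quorum):
    """Compare the fingerprint this client saw with what its chosen notaries saw.

    trusted_notaries is the user's own list, which is the point of the scheme:
    the browser vendor's CA list is never consulted.
    """
    votes = Counter()
    for name in trusted_notaries:
        fp = reports.get(name, {}).get(host)
        if fp is not None:
            votes[fp] += 1
    if not votes:
        return {"verdict": "unknown", "agreeing": 0}
    top_fp, top_n = votes.most_common(1)[0]
    if top_n < quorum:
        return {"verdict": "inconclusive", "agreeing": top_n}
    if top_fp == observed_fp:
        return {"verdict": "trusted", "agreeing": top_n}
    # The notaries agree with each other but not with this client, so the
    # client's own path to the site (its DNS answer or the certificate it
    # received) is the odd one out.
    return {"verdict": "mismatch", "agreeing": top_n}


if __name__ == "__main__":
    mine = list(NOTARY_REPORTS)
    for cert in (REAL_CERT, ROGUE_CERT):
        print(notary_verdict("www.example-bank.test", cert_fingerprint(cert),
                             NOTARY_REPORTS, mine, quorum=3))
```

Raising the quorum or shrinking the notary list trades availability for assurance: with too few notaries able to vouch for a site the result is "inconclusive" rather than a false "trusted".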
Another alternative to DNS that also helps with the SSL problem, but does not completely solve it, is DNSSEC. This provides security extensions to DNS and attempts to resolve the underlying problems with DNS hijacking.
Unlike Convergence, DNSSEC requires governments and Internet providers to implement the fix. Coordination is only beginning to happen.
Whatever the full extent of the motives of these hackers, a clear outcome is that the Internet is vulnerable to exploitation by governments, terrorists, criminals, activists and lulz-seekers.
Staying secure on the Internet can certainly be helped by awareness and good security practice, but at the end of the day, security is down to the good fortune that you weren’t in the wrong place at the wrong time.
—
Photo Credits: Flickr CC ShellyS